What are the practical consequences of turning off Secure Boot in BIOS/UEFI? #asknostr
Discussion
none
nobody does bootsector viruses anymore, and tampering with the kernel is fairly impractical from a remote attacker perspective
they are just local physical access controls really, like passwords on the bios and suchlike
That’s kinda what I’m thinking. The Secure Boot was giving me issues trying out different USB bootable distros.
yeah you can't run most linux distros without disabling it... i think mostly only Ubuntu works with it on, and other distros forked from it, and with many you can enable it but only after install
I'm pretty sure even the red hat spooks are whitelisted in secureboot
there is some circuitous process that can be performed to access a "free" KYC signature on kernels a bit like LetsEncrypt for SSL/TLS
you can also add a CA to your bios and sign with that
Lol, classic DIY CA.
If I’m gonna do that, I should just launch Honest Jimbo’s Discount Certificate Authority and sell certs for sats. 🤔
not really any need, you can make them for your own gear in a few minutes
I think everything based on certificate authority is fiat and should be abolished.
Better landlock hardware on software with my sign (or a sign I decide to trust). The whitelist in uefi db is pretty much the list of orgs that I wouldn't trust to make my hardware not purposefully explode.
it's a deliberate obfuscation of the problem of physical security
if your computer is physically accessible to strangers, then they can tamper with it, and this is what the whole thing is for... but a simple fucking encryption key and bios password will do this for you, and even if they flip the bios battery out physically the encryption stops them from seeing your stuff... and they can do this even with UEFI, so it's a total sham, the only security for physical access is a fucking encryption key, and that means a strong password and not a physical token
if your computer is behind locked doors and should be physically secure none of this is needed and anyway, only full disk encryption actually works, assuming a decent fucking password
lol, this thing about hardware exploding is gonna become a meme now
those heebies in ISI did something that their entire cabal is gonna regret
they have shredded confidence in hardware
literally blowing up is what everyone was afraid of about computers when i was a kid with boundless curiosity to press buttons, and most of the time stuff didn't break, but sometimes it did
but literal blowing up, oh yes there is gonna be a problem from this
That option is used mostly when you install a new OS. Secure boot is linked to the UEFI partition if I am not mistaken.
secure boot is a uefi feature, not present in legacy bios; it is really limited and is just a whitelabel-based signature check on firmware and other software that are loaded at boot.
They are mostly useful to lock-in users and prevent utilizing their hardware with "not-approved software"; the security aspect is mostly a joke.
If your machine is recent and the hardware is still supported by the vendor, you may consider keeping secure boot on, to have some security over what software is loaded on your machine.
If your hardware is old enough, maybe you want to disable it and replace all the software your machine runs with the updated community-maintained versions, installing linux, a foss bootloader, even a foss bios with coreboot if it's supported.
yeah it is literally the same grade of "security" as bios passwords, just a way for hardware vendors to lock in users to their contracted OS supplier, ie microsoft
Secure boot makes sure only a signed copy of the OS is booted... you can have many images... but that's my definition... can be totally wrong :-)