• Possibly linux@lemmy.zip
      1 day ago

      It can be a major security benefit when done correctly.

      I’m not sure if there is a single vendor doing it correctly.

    • Badabinski@kbin.earth
      2 days ago

      I mean, Secure Boot does actually help defend against evil maid attacks if paired with FDE. Someone can’t just fuck with your /boot (CVE-2016-4484 notwithstanding) to do naughty things with your system if you have Secure Boot enabled. Does that fit with most people’s threat model? I dunno, probably not. It does actually do something useful though.

      My work computer has it enabled and I feel better for it. The issue described in the article is easily dealt with if you just keep up with your firmware updates using fwupd.

      • sylver_dragon@lemmy.world
        1 day ago

        Ya, Secure Boot is really only useful for corporate devices or very specific people who might actually be targeted by state-level attackers. For most of us, it’s not worth the hassle.

      • Maiq@lemy.lol
        2 days ago

        Just so I have this right, fwupd will update the firmware with the new keys. Just fuzzy on if you have to create a new secure-boot key yourself?