So there you have it: recommending idly Secure Boot for all systems requiring intermediate security level accomplishes nothing, except maybe giving more work to system administrators that are recompiling their kernel, while offering exactly no measurable security against many threats if UEFI Administrative password and MOK Manager passwords are not set. This is especially true for laptop systems where physical access cannot be prevented for obvious reasons. For servers in colocation, the risk of physical access is not null. And finally for many servers, the risk of a rogue employee somewhere in the supply chain, or the maintenance chain cannot be easily ruled out.
The author makes a compelling case, but my knowledge on this topic is too limited to confidently present this article as a good one. I’ll leave it to those among us with more experience on this subject to shoot holes in the article, or to affirm it.
I wouldn’t have minded secure boot as much if owners had been fairly represented in its development. All the design decisions in secure boot seemed to point to a desire to control owners rather than empower us. After public outcry MS gave owners the explicit right to disable secure boot on their own x86 machines. Still the standard leaves a lot to be desired. It provides vendors with standard secure mechanisms to install their keys, but there are no provisions in the standard for owners to do this at all! And I think it speaks to the intent of designers that the standard itself disregarded the notion of owner control completely. Thankfully some BIOS vendors gave us this control anyways. Most of us are extremely fortunate that forced secure boot didn’t pan out and I hope it never does. I’m all for real security, but not when “security” is a euphemism for a walled garden.
Excuse my French but the real question with Secure Boot (or SB) is this… does it in any way keep Grandma from getting her PC screwed? If so then it’s a good thing, if not then it’s not.
And as much as I would like to agree with ya Alfman as someone who has spent waay too many years dealing with PC customers? You really have to take a lot of control away from the “owners” as they are the ones who install malware and fall for every “You won a $1000 gift card!” scam on the planet. Why do ya think Chromebooks are so popular? Because the ID10T sitting at the desk can’t just install a cryptominer pretending to be a “free Netflix Ripper” and hose the entire system.
So while I agree there should always be a way for the smart PC user to disable anything like SB, like with installing another OS on a Chromebook, sadly it can’t be “clicky clicky” simple or Joe and Jane Normal will be easily duped into spreading the next malware all over the net.
bassbeast,
I would say no it doesn’t. Of all the ways that “grandma” might fall victim to ransomware/human social engineering/malware attacks, secure boot hasn’t really helped with those things. All it can do is protect the bootloader, but that’s rarely the entry point for malware these days. It only provides marginal protection against rare attack vectors and even then it’s only marginally effective. There are better security mechanisms to protect the owner’s data and software as the author suggests.
Some people are dead set on taking away individual control for their own security. “Security” has been the go-to argument authoritarians use to justify taking control away from people. “We know better than you do. We need to take away your individual control in order to protect you”. I vehemently disagree with this philosophy, not only is the security provided disingenuous, but the mass consolidation of power over society is extremely dangerous to our freedoms. Owners shouldn’t require somebody else’s permission to do something on their own hardware.
I suspect the real answer is because they’re so darn cheap…and I mean significantly cheaper than windows computers. I was looking for cheap laptops, after sorting them by price 100% of those that come up first were chromebooks. I can definitely see why people strapped for cash would buy those. Actually my wife’s uncle bought a chromebook and I don’t think he realized how different it would be compared to windows. It gave him lots of trouble. It was incompatible with his existing hardware and software (which is an obvious “duh” to us, but it wasn’t to him). And funnily enough it still got infected with browser hijacking malware, the same kind that used to be more prevalent in windows (my guess is that the malware came in through software installed by his grandson who shares the chromebook). Chromebook, while having an equivalent feature to “secure boot”, made no difference.
I’m very glad you said this because we can agree. 🙂 Put it behind a big scary prompt only available at boot for those who are specifically looking for it. My biggest thing is that owners have the ultimate say when it comes to their own hardware.
So many fallacies in the linked article and this post, it’s quite sad really.
Secure boot on PC has never been about control, it’s about making sure you’re not running MBR-like malware/rootkits which run on top of your OS without you ever knowing you’re deeply compromised.
For Linux, unless the evil maid attack is tackled (initrd tampering), secure boot continues to be mostly a security theater, however for Windows and MacOS secure boot works near perfectly.
Artem S. Tashkinov,
I understand how it works. My objections are not a fallacy. I’ve got no problem with secure mechanisms in principle to verify boot loaders, my objection is with the way it was built for vendor control rather than owner control. It’s actually quite difficult to give owners control over their own machines only using the methods within the spec. It was not part of the standard and systems that share verification keys across many units have no methods to securely transfer control to the owners, none at all. This was a stupid omission. And I do not think engineers were incompetent, rather the companies behind secure boot wanted an ability to lock owners out and that’s what the spec delivers. This is the environment from which secure boot was born. BIOS vendors ended up giving owners more control after the fact, thankfully, but this wasn’t part of the standard and consequently secure boot is both less secure and less consistent than it should be.
Why should secure boot be OS specific at all? IMHO owners need to have control over their computer’s policy when it comes to who to trust. I want to be clear this is not always just about opening up the security policy, but also tightening it down.
As it stands most linux distros are only able to boot under secure boot because microsoft allows them to apply to microsoft to boot under their secure boot keys. This is kind of a precarious arrangement for linux for obvious reasons. But also it dilutes the security of secure boot as a whole including for windows users. Consider that now an attacker doesn’t have to limit themselves to exploiting the vulnerabilities of the OS that the owner is using. An attacker is now able to use an exploit from any of the operating systems that microsoft has signed. The attack surface is vastly larger and secure boot will happily let the attacker choose the tools to facilitate an attack.
This would be easier to fix if the owners had direct control over which operating systems could boot. But secure boot was not designed to give a crap about what the owner wants and it renders secure boot security less effective.
That incorrect use of the word null grated at me enough for me to log in to complain about it.
I probably would use “nil” there, but I’m no english savant so I don’t be pandemic about such things. My spell checker is flagging my use of english just now. Oh noes it did it again…
I find it hilarious that this one word grated you when the whole internet is so full of errors. You must be doing barrel rolls in your sleep! Just like there’s a metric for number of errors per thousand lines of code, there ought to be a metric for number of errors per thousand sentences. Mine would be pretty high 🙂
BTW somehow I doubt a smiley emoji is a grammatically acceptable way to terminate a sentence, but I do it all the time since I don’t like the period there :). <- ugh
You either get it or you don’t.
It’s not any old word. It’s a trauma trigger.
Any coder who has had to inherit a codebase that has a badly thought out DB schema on top of code that was clearly written by someone who doesn’t understand null will know 🙂
Are you the Noid? You know the patron saint of people who have to tell other people Null is not a valid value in a database.
https://noid.fandom.com/wiki/The_Noid_(2021)?file=Tenor.gif
It depends who “we” are. People have different needs and expectations when it comes to security and “security”.
It was intended to lock Linux and other non-Windows OSes out, but they relaxed the rules. So yeah, now it does nothing.