"If you can turn off secure boot with a couple of clicks how is it secure" is a question I got asked today that I did not have a good answer for.
-
@notyourfanboy So our threat model here is people who have never touched a computer before?
-
I know the theory, I get it, but when you watch an absolute nonspecialist, wholly new to Linux or installing an OS at all encounter secureboot for the first time, and what they learn is "this is an obstacle to me doing something I want with my computer, but I can turn it off with three clicks", a reasonable person might reasonably conclude that this might be some bullshit that isn't protecting anyone from anything real.
@mhoye wait until they research it more and find out that "secure" just means "approved by Microsoft"
-
I know the theory, I get it, but when you watch an absolute nonspecialist, wholly new to Linux or installing an OS at all encounter secureboot for the first time, and what they learn is "this is an obstacle to me doing something I want with my computer, but I can turn it off with three clicks", a reasonable person might reasonably conclude that this might be some bullshit that isn't protecting anyone from anything real.
@mhoye also: anxiety around should I mess with it, do I turn it off, do I leave it off .... will turning it back on break my installation, is it insecure to leave it off ... omg what are these other bios settings ....
-
@mhoye wait until they research it more and find out that "secure" just means "approved by Microsoft"
@aburka Yeah, I mentioned that. Their reply was "I'm already getting rid of windows."
-
@aburka Yeah, I mentioned that. Their reply was "I'm already getting rid of windows."
@mhoye "you can't radicalize me I'm already radicalized"
-
@notyourfanboy So our threat model here is people who have never touched a computer before?
@mhoye @notyourfanboy It's at rest encryption. It's only useful while the system is off. If you have access to disable it then don't you already have access to the data it's protecting?
-
@mhoye @notyourfanboy It's at rest encryption. It's only useful while the system is off. If you have access to disable it then don't you already have access to the data it's protecting?
@admin @notyourfanboy That's... not a meaningful sentence in this context.
-
@admin @notyourfanboy That's... not a meaningful sentence in this context.
@mhoye @notyourfanboy Oh shit sorry I was thinking of bitlocker actually...yeah secureboot is bullshit anyway
(GF had a bitlocker issue recently, which she had never enabled...I had a mild panic attack that she'd lost everything to some ransomware but it was more of a manufacturer's default password situation -- so similarly bullshit lol)
-
I know the theory, I get it, but when you watch an absolute nonspecialist, wholly new to Linux or installing an OS at all encounter secureboot for the first time, and what they learn is "this is an obstacle to me doing something I want with my computer, but I can turn it off with three clicks", a reasonable person might reasonably conclude that this might be some bullshit that isn't protecting anyone from anything real.
@mhoye I know what it is. I know how it works. I’ve used it across literally thousands of machines. I still turn it off personally because it’s a variable I don’t want to need to manage. Swing and a miss.
-
I know the theory, I get it, but when you watch an absolute nonspecialist, wholly new to Linux or installing an OS at all encounter secureboot for the first time, and what they learn is "this is an obstacle to me doing something I want with my computer, but I can turn it off with three clicks", a reasonable person might reasonably conclude that this might be some bullshit that isn't protecting anyone from anything real.
To be fair, it actually *is* some bullshit that isn't protecting anyone from anything real.
(The primary goal of SB is to protect your data from a specific type of high-cost targeted attack that affects C-level executives and nobody else. If you're not carrying investment plans or nuclear launch codes, turn it off and use full-disk encryption instead. That's all you need.)
-
I know the theory, I get it, but when you watch an absolute nonspecialist, wholly new to Linux or installing an OS at all encounter secureboot for the first time, and what they learn is "this is an obstacle to me doing something I want with my computer, but I can turn it off with three clicks", a reasonable person might reasonably conclude that this might be some bullshit that isn't protecting anyone from anything real.
@mhoye I always turn it off. I think having a single for-profit monopolist approve what I can run is bad...
-
I know the theory, I get it, but when you watch an absolute nonspecialist, wholly new to Linux or installing an OS at all encounter secureboot for the first time, and what they learn is "this is an obstacle to me doing something I want with my computer, but I can turn it off with three clicks", a reasonable person might reasonably conclude that this might be some bullshit that isn't protecting anyone from anything real.
@mhoye I think the idea is that only someone with physical access to the computer can turn it off. Malware running on the computer can't, or at least it's not supposed to be able to¹, and so it can't shove itself into the boot chain before the OS gets control.
¹ some disclaimers apply, maybe lots of disclaimers in practice given various UEFI implementation bugs and etc, never mind servers that have IPMI/BMC access to UEFI settings and etc etc.
-
To be fair, it actually *is* some bullshit that isn't protecting anyone from anything real.
(The primary goal of SB is to protect your data from a specific type of high-cost targeted attack that affects C-level executives and nobody else. If you're not carrying investment plans or nuclear launch codes, turn it off and use full-disk encryption instead. That's all you need.)
@suetanvil @mhoye If an attacker can "borrow" your computer to overwrite GRUB or the kernel with a backdoored one - they can also "borrow" your computer to quickly open it up and intercept the keyboard port. Or just hide a PCI-E to USB adapter and an Arduino inside the case that claims to be an USB HID and will do whatever the attacker wants on next power up.
That latter approach is actually slightly _easier_ than backdooring a kernel.
-
@mhoye also: anxiety around should I mess with it, do I turn it off, do I leave it off .... will turning it back on break my installation, is it insecure to leave it off ... omg what are these other bios settings ....
-
"If you can turn off secure boot with a couple of clicks how is it secure" is a question I got asked today that I did not have a good answer for.
@mhoye Narrator: "it wasn't actually secure" https://www.schneier.com/blog/archives/2024/07/compromising-the-secure-boot-process.html
-
@suetanvil @mhoye If an attacker can "borrow" your computer to overwrite GRUB or the kernel with a backdoored one - they can also "borrow" your computer to quickly open it up and intercept the keyboard port. Or just hide a PCI-E to USB adapter and an Arduino inside the case that claims to be an USB HID and will do whatever the attacker wants on next power up.
That latter approach is actually slightly _easier_ than backdooring a kernel.
@divVerent @suetanvil @mhoye Joke's on them; my computer case is held together with spite and things that were once solid plastic but have since realized that solid and plastic are near-antonyms. It would never go back together without very obvious increases in the number of component parts. I think the case for secure boot (or whether there is any) would be clearer if folks were clear on what, exactly, they don't want happening. But I rarely see it discussed outside of "how to turn it off" so when you say there is a specific threat model it applies to, I actually don't know how to evaluate whether that is complete or what that model is clearly enough to determine whether it applies to me.
-
I know the theory, I get it, but when you watch an absolute nonspecialist, wholly new to Linux or installing an OS at all encounter secureboot for the first time, and what they learn is "this is an obstacle to me doing something I want with my computer, but I can turn it off with three clicks", a reasonable person might reasonably conclude that this might be some bullshit that isn't protecting anyone from anything real.
@mhoye most people have probably forgotten that Microsoft leaked their signing keys back in 2022.
https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/
Given how the industry is going lately I would be entirely unsurprised if this had happened a few more times since without it being detected. -
To be fair, it actually *is* some bullshit that isn't protecting anyone from anything real.
(The primary goal of SB is to protect your data from a specific type of high-cost targeted attack that affects C-level executives and nobody else. If you're not carrying investment plans or nuclear launch codes, turn it off and use full-disk encryption instead. That's all you need.)
@suetanvil @mhoye it can also be used as defense against 'abusive spouse/parent covertly installs stalkerware on their victim' but none of the implementations care avout this sort of threat of course. (so many chip datasheets only talk about preventing readout and modification of 'intellectual property', lmao)
in non-embedded computers, secure boot is often meant to be used in conduction with the TPM. disabling secure boot would change the PCR measurements, and thus render (for example) the disk encryption keys inaccessible
-
I know the theory, I get it, but when you watch an absolute nonspecialist, wholly new to Linux or installing an OS at all encounter secureboot for the first time, and what they learn is "this is an obstacle to me doing something I want with my computer, but I can turn it off with three clicks", a reasonable person might reasonably conclude that this might be some bullshit that isn't protecting anyone from anything real.
@mhoye and they would be right
-
@suetanvil @mhoye it can also be used as defense against 'abusive spouse/parent covertly installs stalkerware on their victim' but none of the implementations care avout this sort of threat of course. (so many chip datasheets only talk about preventing readout and modification of 'intellectual property', lmao)
in non-embedded computers, secure boot is often meant to be used in conduction with the TPM. disabling secure boot would change the PCR measurements, and thus render (for example) the disk encryption keys inaccessible
This (in-home abuse) is a legitimate use case but even then, it's pretty unlikely for an abuser to know how to install a compromised kernel but not (e.g.) a physical keylogger or a hidden camera pointed at the keyboard.
TPM is for CEO LARPers, because *of course* it is.
(For abuse, you want something that's hidden AND encrypted AND deniable. E.g. local VM images that you use for schoolwork but are easy to accidentally set to encrypted.)
