"If you can turn off secure boot with a couple of clicks how is it secure" is a question I got asked today that I did not have a good answer for.
-
@mhoye also: anxiety around should I mess with it, do I turn it off, do I leave it off .... will turning it back on break my installation, is it insecure to leave it off ... omg what are these other bios settings ....
-
@mhoye Narrator: "it wasn't actually secure" https://www.schneier.com/blog/archives/2024/07/compromising-the-secure-boot-process.html
-
@suetanvil @mhoye If an attacker can "borrow" your computer to overwrite GRUB or the kernel with a backdoored one - they can also "borrow" your computer to quickly open it up and intercept the keyboard port. Or just hide a PCI-E to USB adapter and an Arduino inside the case that claims to be a USB HID and will do whatever the attacker wants on next power up.
That latter approach is actually slightly _easier_ than backdooring a kernel.
@divVerent @suetanvil @mhoye Joke's on them; my computer case is held together with spite and things that were once solid plastic but have since realized that solid and plastic are near-antonyms. It would never go back together without very obvious increases in the number of component parts. I think the case for secure boot (or whether there is any) would be clearer if folks were clear on what, exactly, they don't want happening. But I rarely see it discussed outside of "how to turn it off" so when you say there is a specific threat model it applies to, I actually don't know how to evaluate whether that is complete or what that model is clearly enough to determine whether it applies to me.
-
I know the theory, I get it, but when you watch an absolute nonspecialist, wholly new to Linux or installing an OS at all encounter secureboot for the first time, and what they learn is "this is an obstacle to me doing something I want with my computer, but I can turn it off with three clicks", a reasonable person might reasonably conclude that this might be some bullshit that isn't protecting anyone from anything real.
@mhoye most people have probably forgotten that Microsoft leaked their signing keys back in 2022.
https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/
Given how the industry is going lately I would be entirely unsurprised if this had happened a few more times since without it being detected.
-
To be fair, it actually *is* some bullshit that isn't protecting anyone from anything real.
(The primary goal of SB is to protect your data from a specific type of high-cost targeted attack that affects C-level executives and nobody else. If you're not carrying investment plans or nuclear launch codes, turn it off and use full-disk encryption instead. That's all you need.)
@suetanvil @mhoye it can also be used as defense against 'abusive spouse/parent covertly installs stalkerware on their victim' but none of the implementations care about this sort of threat of course. (so many chip datasheets only talk about preventing readout and modification of 'intellectual property', lmao)
in non-embedded computers, secure boot is often meant to be used in conjunction with the TPM. disabling secure boot would change the PCR measurements, and thus render (for example) the disk encryption keys inaccessible
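Added example, not from any participant in the thread: a minimal Python model of the PCR mechanism the post above refers to. It replays a simplified PCR7 event log for a boot with Secure Boot on and one with it off, seals a disk key to a policy derived from the "on" value, and shows that the "off" boot (or a boot with an extra certificate in db) produces a different PCR and the key stays locked. The event list, the `ToyTPM` class and the policy-digest construction are illustrative assumptions; real firmware logs more events and a real TPM enforces the policy inside the chip.

```python
"""Model of sealing a disk key to PCR7 (Secure Boot state). Added example.

A PCR is a hash register that can only be extended:
    PCR_new = SHA-256(PCR_old || SHA-256(event))
UEFI firmware extends PCR7 with the SecureBoot variable, PK, KEK, db, dbx and,
for each verified image, the certificate that authorised it. A key sealed to a
policy over PCR7 is released only when the live PCR7 matches.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """Extend a 32-byte PCR with one measured event (SHA-256 bank)."""
    return sha256(pcr + sha256(event))


def compute_pcr7(secure_boot_on: bool, db_certs: List[bytes], authority: bytes) -> bytes:
    """Replay a simplified PCR7 log. Event names are assumptions for illustration."""
    pcr = bytes(32)  # PCRs 0-15 start at all zeros at reset
    events = [
        b"SecureBoot=" + (b"\x01" if secure_boot_on else b"\x00"),
        b"PK=OEM-platform-key",
        b"KEK=Microsoft-KEK",
    ]
    events += [b"db=" + c for c in db_certs]
    events.append(b"dbx=revocation-list")
    if secure_boot_on:
        # Only a verified image produces an authority event; with Secure Boot
        # off nothing is verified, so nothing is recorded here.
        events.append(b"authority=" + authority)
    for ev in events:
        pcr = pcr_extend(pcr, ev)
    return pcr


def policy_pcr(pcr_index: int, pcr_value: bytes) -> bytes:
    """Policy digest bound to one PCR value, in the spirit of TPM2_PolicyPCR (simplified)."""
    return sha256(b"TPM2_PolicyPCR" + bytes([pcr_index]) + pcr_value)


class ToyTPM:
    """Stand-in for the chip: keeps the secret and refuses to return it unless the
    policy recomputed from live PCR values equals the one it was sealed under."""

    def __init__(self) -> None:
        self._store: Dict[bytes, Tuple[bytes, bytes]] = {}

    def seal(self, secret: bytes, policy: bytes) -> bytes:
        handle = os.urandom(8)
        self._store[handle] = (secret, policy)
        return handle

    def unseal(self, handle: bytes, live_policy: bytes) -> Optional[bytes]:
        secret, policy = self._store[handle]
        if not hmac.compare_digest(policy, live_policy):
            return None  # policy mismatch: key stays locked
        return secret


def boot_and_unseal(tpm: ToyTPM, handle: bytes, secure_boot_on: bool,
                    db_certs: List[bytes], authority: bytes) -> Optional[bytes]:
    """What an initrd does at boot: read PCR7, build the policy, try to unseal."""
    pcr7 = compute_pcr7(secure_boot_on, db_certs, authority)
    return tpm.unseal(handle, policy_pcr(7, pcr7))


def demo() -> Dict[str, bool]:
    """Seal under a Secure-Boot-on state, then try three boot scenarios."""
    db = [b"Microsoft-UEFI-CA-2011", b"Microsoft-Windows-PCA-2011"]
    shim_authority = b"Microsoft-UEFI-CA-2011"  # cert that validated shim (assumed)
    disk_key = os.urandom(32)
    tpm = ToyTPM()
    handle = tpm.seal(disk_key, policy_pcr(7, compute_pcr7(True, db, shim_authority)))
    return {
        "secure_boot_on": boot_and_unseal(tpm, handle, True, db, shim_authority) == disk_key,
        "secure_boot_off": boot_and_unseal(tpm, handle, False, db, shim_authority) is not None,
        "extra_db_cert": boot_and_unseal(tpm, handle, True, db + [b"attacker-CA"], shim_authority) is not None,
    }


if __name__ == "__main__":
    for scenario, unlocked in demo().items():
        print(f"{scenario}: {'key released' if unlocked else 'key locked'}")
```

The point the model makes: the three-click toggle does not break the TPM binding, it changes what PCR7 contains, so anything sealed to the old value becomes unreadable until the user re-enrols the key under the new state (which is exactly the "will turning it back on break my installation" worry earlier in the thread).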
-
@mhoye and they would be right
-
This (in-home abuse) is a legitimate use case but even then, it's pretty unlikely for an abuser to know how to install a compromised kernel but not (e.g.) a physical keylogger or a hidden camera pointed at the keyboard.
TPM is for CEO LARPers, because *of course* it is.
(For abuse, you want something that's hidden AND encrypted AND deniable. E.g. local VM images that you use for schoolwork but are easy to accidentally set to encrypted.)
-
@mhoye that's a reasonable question, but there is a common parallel: freezing one's own credit at your bank. It's an undoable action, but the step of unfreezing it requires a bit of extra verification. Same thing with secure boot, in theory.
But at this point I think it's pretty clear that Secure Boot as a technology has done exactly what the critics have said since its original proposal: it offers a modest theoretical security increase but delivers a huge vendor lock-in tool. Net negative.
-
@mhoye in the most positive light Secure Boot offers to a very small subset of computer users, who have the technical wherewithal and the disposable free time to understand the security trade-offs and the mechanisms offered by the tool, an increment of extra security against system compromise by... software which those same people have the skills and time to evaluate critically? Attackers with physical system access, who somehow don't want to use that access to just rob the place?
-
@gnomon Yeah. Couple that with the part where SecureBoot keys keep leaking out, and the only real utility of Secure Boot for anyone outside of a Mission Impossible Movie Scenario is to spook people into not replacing Windows.
-