Comment by swe02

7 days ago

As someone who uses systemd, "boot security" is pointless. If someone has enough access to your hardware to try booting a different kernel, they have time to load a signed shim that passes secure boot and launches unsigned code.

The only boot security real users need is disk encryption.

"on a system not configured for boot security, you get no boot security" is indeed correct. If you care about boot security, your local platform doesn't give you the chance to boot custom kernels and not passing secure boot doesn't give you decryption keys.

There are multiple possible configurations. Only the most basic will permit an arbitrary payload as you describe.

I've never been entirely clear about the security model when the signed shim is permitted. I assume I'm missing some nuance.

Disk encryption alone won't protect you from either persistent malware (remote) or evil maids (local).

> The only boot security real users need is disk encryption.

Which becomes easy to bypass without boot security. If an adversary can modify code that executes in the boot process, they can steal your keys.

  • An adversary can usually only modify code that executes in the boot process if they already have root privileges, or if they have physical access. In either of those cases the game is already over anyway.

> signed shim

How would they sign such a shim without my keys? I don't leave Microsoft keys enrolled on my laptop.

  • You don't, but 99.99% of people do :) Especially because most Linux distros use a key signed by Microsoft by default.

    • The “people” don’t really matter.

      Anyone who needs a secure boot environment has their own MOK and probably a private CA.
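The exchange above turns on which signing keys are actually enrolled in a machine's Secure Boot `db` (Microsoft's CA versus the owner's own MOK). As an added example that is not from any participant in this thread, here is a small parser for the `EFI_SIGNATURE_LIST` format the firmware stores in `db`, which reports the `SignatureOwner` of every entry so a defender can verify whether Microsoft's well-known owner GUID is present; the sample `db` bytes are constructed inline, and `LOCAL_OWNER` is a made-up placeholder GUID.

```python
import struct
import uuid

# GUIDs from the UEFI spec (signature types) and Microsoft's SignatureOwner as seen in shipped db entries.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
SIG_TYPES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

def parse_signature_lists(blob):
    """Return [(sig_type, owner_guid, data)] for every entry in a chain of EFI_SIGNATURE_LISTs."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("bad SignatureListSize/SignatureSize")
        body = blob[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature data is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):   # each EFI_SIGNATURE_DATA: owner GUID + payload
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((SIG_TYPES.get(sig_type, str(sig_type)), owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries

def entries_owned_by(blob, owner=MICROSOFT_OWNER_GUID):
    """Entries whose SignatureOwner matches; non-empty means that party's keys are enrolled."""
    return [e for e in parse_signature_lists(blob) if e[1] == owner]

def strip_efivars_attributes(raw):
    """efivarfs prefixes each variable's contents with 4 bytes of attributes; drop them first."""
    return raw[4:]

def build_list(sig_type, entries):
    """Constructed test helper: one EFI_SIGNATURE_LIST from equal-length (owner, data) pairs."""
    body = b"".join(owner.bytes_le + data for owner, data in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0][1])) + body

# Constructed sample db: a Microsoft-owned x509 entry plus a sha256 hash owned by a placeholder GUID.
LOCAL_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000beef")  # hypothetical owner
SAMPLE_DB = (build_list(EFI_CERT_X509_GUID, [(MICROSOFT_OWNER_GUID, b"\x30\x82" + bytes(30))])
             + build_list(EFI_CERT_SHA256_GUID, [(LOCAL_OWNER, bytes(32))]))

if __name__ == "__main__":
    for kind, owner, data in parse_signature_lists(SAMPLE_DB):
        print(kind, owner, len(data))
```

On a real system, feed `strip_efivars_attributes(open("/sys/firmware/efi/efivars/db-d719b2cb-3e70-4b54-a44e-6b6e5ddd5c68", "rb").read())` to `entries_owned_by` to see whether Microsoft-owned entries are enrolled.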