Comment by jcgl
22 days ago
Agreed in general. But regarding secure boot, it's not like shim actually helps with real security either afaiu, right?
22 days ago
Agreed in general. But regarding secure boot, it's not like shim actually helps with real security either afaiu, right?
AFAIU (I haven't looked much into it) shim basically exists so that MS signs the shim once (or only a few times when updated), which has the distro public key embedded, which does further verification of the chain (bootloader/kernel) which gets updated more frequently.
That's basically my understanding too. But since you can still boot any shim-supported distro, Secure Boot + shim practically gains you nothing. An adversary can simply boot their own own copy of shim with whatever OS they like.
> An adversary can simply boot their own own copy of shim with whatever OS they like.
They'd need to get MS to sign it first, but otherwise yea. That's why I remove the MS keys on my non-windows systems.
2 replies →