Comment by gzread
9 hours ago
Only if I get to set the keys or no keys - under all circumstances.
There should be a physical button inside the case labeled "set up secure boot"
Just like with HTTPS, you can enrol your own keys in the TPM module, or sign your binaries with a key that's already trusted by your system.
This is just establishing chain of trust, and does not prevent you from doing anything on your system.
True, this could be hypothetically extended to disallow booting third party binaries, but I would say that's just extrapolation for now and not reality.
Under the doctrine that software "trust" is needed YOU are the attacker. It's entirely about stripping your control (thus ownership) from the hardware you paid for (see the SafetyNet shitshow).
There's a second use whereby I somehow bind my own OS hash to my own data encryption key, so nobody who changes the OS can read the data. The technical distinction between this and the previous: if it's designed for the device owner's protection, the device owner can reset the system.
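The two mechanisms the thread is arguing about (an owner-enrolled allow-list that decides what may boot, and binding a data key to the measured OS so a changed OS cannot read the data) can be modelled in a few dozen lines. The block below is an added example written for this page, not code from any commenter or from a real firmware or TPM stack. It is a simulation in Python's standard library: `Firmware`, `TpmSim`, `owner_setup`, `boot_and_unseal` and `demo` are all hypothetical names, the hash allow-list stands in for entries in the UEFI `db` variable, the single PCR stands in for the TPM's PCR bank, and XOR against an HMAC keystream keyed by a seed that never leaves the object stands in for the TPM's sealed-storage encryption. The OS images are constructed byte strings. The last step shows the distinction the final comment draws: the device owner, who still holds the data key, can re-seal it to a deliberately updated OS, while an OS that was merely swapped in gets nothing.

```python
import hashlib
import hmac
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class TpmSim:
    """Toy TPM: one PCR plus a storage seed that never leaves the object (hypothetical model)."""

    def __init__(self) -> None:
        self._seed = os.urandom(32)   # stand-in for the storage root key; never exported
        self.pcr = bytes(32)          # PCRs read as all-zero after a platform reset

    def reset(self) -> None:
        self.pcr = bytes(32)          # reboot clears the PCR; the seed persists

    def extend(self, measurement: bytes) -> bytes:
        # PCR extend as a real TPM does it: PCR = H(PCR || H(measurement)).
        # Order-dependent and one-way, so a later stage cannot rewrite history.
        self.pcr = sha256(self.pcr + sha256(measurement))
        return self.pcr

    def _keystream(self, policy: bytes) -> bytes:
        # Keystream is derived from the internal seed and the PCR value the secret was sealed to.
        return hmac.new(self._seed, b"seal:" + policy, hashlib.sha256).digest()

    def seal(self, secret: bytes, policy: bytes) -> dict:
        """Wrap a 32-byte secret so it is only released when the PCR equals `policy`."""
        assert len(secret) == 32
        blob = bytes(a ^ b for a, b in zip(secret, self._keystream(policy)))
        return {"policy": policy, "blob": blob}

    def unseal(self, sealed: dict) -> bytes:
        if not hmac.compare_digest(self.pcr, sealed["policy"]):
            raise PermissionError("current PCR does not match sealing policy")
        return bytes(a ^ b for a, b in zip(sealed["blob"], self._keystream(sealed["policy"])))


class Firmware:
    """Toy UEFI firmware: allow-list check (Secure Boot), then measurement (measured boot)."""

    def __init__(self, tpm: TpmSim, db: set) -> None:
        self.tpm = tpm
        self.db = db     # owner-enrolled allow-list, like binary hashes in the UEFI db variable

    def boot(self, binary: bytes) -> bool:
        self.tpm.reset()
        if sha256(binary) not in self.db:
            return False          # Secure Boot refuses to execute an unenrolled binary
        self.tpm.extend(binary)   # record what actually ran before handing over control
        return True


def owner_setup(tpm: TpmSim, fw: Firmware, os_image: bytes, data_key: bytes) -> dict:
    """Owner enrols their own OS hash, boots it once, and seals the data key to that PCR."""
    fw.db.add(sha256(os_image))
    if not fw.boot(os_image):
        raise RuntimeError("enrolled image failed to boot")
    return tpm.seal(data_key, tpm.pcr)


def boot_and_unseal(fw: Firmware, os_image: bytes, sealed: dict) -> str:
    """Outcome of one boot: 'refused', 'sealed' (booted, key withheld) or 'unsealed'."""
    if not fw.boot(os_image):
        return "refused"
    try:
        fw.tpm.unseal(sealed)
    except PermissionError:
        return "sealed"
    return "unsealed"


def demo() -> dict:
    tpm = TpmSim()
    fw = Firmware(tpm, set())
    my_os = b"owner-built kernel v1"                        # constructed OS image
    modified_os = b"kernel v1 with patched disk driver"     # constructed, different image
    data_key = os.urandom(32)
    sealed = owner_setup(tpm, fw, my_os, data_key)
    results = {
        "genuine": boot_and_unseal(fw, my_os, sealed),
        "unenrolled": boot_and_unseal(fw, modified_os, sealed),
    }
    # The modified image gets enrolled (whoever has access to firmware setup can do that),
    # but the PCR it produces differs, so the sealed key stays locked.
    fw.db.add(sha256(modified_os))
    results["enrolled_but_not_resealed"] = boot_and_unseal(fw, modified_os, sealed)
    # The owner, who still holds data_key, re-seals it after a deliberate OS update.
    resealed = owner_setup(tpm, fw, modified_os, data_key)
    results["owner_resealed"] = boot_and_unseal(fw, modified_os, resealed)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28s} {outcome}")
```

Two things the toy makes visible that the thread only states: the allow-list and the sealing policy are independent checks (an image can pass the first and still fail the second), and "the owner can reset the system" reduces to the owner possessing the data key outside the TPM, so re-sealing is just `owner_setup` run again. A real TPM additionally ties the sealing to a hierarchy of PCRs and to the specific chip, which the single-seed model does not attempt.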