|
|
|
|
|
|
by sanlyx
2882 days ago
|
|
|
That's the way to go I guess. But secure boot has obvious advantages in comparison. As a rule of thumb I do not trust any client-side "authentication" or passphrase input as long as there's no crypto involved. In legacy BIOS this passphrase can be bypassed easily, for instance |
|
|
Combined with a TPU that wipes keys when secure boot is enabled/disabled gives a pretty secure system, that still allows you to "eject" to an unsigned boot when needed.