by josteink
2767 days ago
> I think this can't be stated enough. The fact of the matter is that pre T2, evil maid attacks were ridiculously easy.

Factually and objectively wrong. This does nothing for end-user security which wasn’t already solved by UEFI Secure boot half a decade ago. The only difference here is that Apple now insists on owning all the keys, taking away any aspect of end-user freedom which may have been present in the UEFI spec. This is all bad, all regression for the PC-platform and Apple should definitely not be applauded.
UEFI Secure Boot is a no-op security-wise if you don't have a TPM to store keys and validate signatures; otherwise it's trivial to bypass. This whole thing implements UEFI Secure Boot, and T2 is the TPM.
Secure Boot can be disabled to install Linux, the only difference from before T2 was introduced on Macs being that Linux fails to initialise/access† internal storage behind T2. Using either a pre-signed loader with MOKs in NVRAM or your own signing keys is terribly involved[0][1] and adding keys or disabling SB is not always supported, even on PCs.
† For reasons yet unknown which could be any of a) bug in T2, b) lack of hardware support within Linux, c) intentional security measure, d) intentionally crippled feature. Judgement as to whether this is a glitch, undocumented hardware behaviour, or a mischievous scheme is currently impossible and an open question; stating anything one way or the other is currently based purely on personal beliefs, not facts.
[0] https://wiki.archlinux.org/index.php/Secure_Boot
[1] http://www.rodsbooks.com/efi-bootloaders/secureboot.html#fin...