by lloeki
2761 days ago
> Factually and objectively wrong. This does nothing for end-user security which wasn’t already solved by UEFI Secure boot half a decade ago.

UEFI Secure Boot is a no-op security-wise if you don't have a TPM to store keys and validate signatures, otherwise it's trivial to bypass. This whole thing implements UEFI Secure Boot, and T2 is the TPM.

Secure Boot can be disabled to install Linux, the only difference from before T2 was introduced on Macs being that Linux fails to initialise/access† internal storage behind T2. Using either a pre-signed loader with MOKs in NVRAM or your own signing keys is terribly involved[0][1], and adding keys or disabling SB is not always supported, even on PCs.

† For reasons yet unknown, which could be any of a) bug in T2, b) lack of hardware support within Linux, c) intentional security measure, d) intentionally crippled feature. Judgement as to whether this is a glitch, undocumented hardware behaviour, or a mischievous scheme is currently impossible and an open question; stating anything one way or the other is currently based purely on personal beliefs, not facts.

[0] https://wiki.archlinux.org/index.php/Secure_Boot
[1] http://www.rodsbooks.com/efi-bootloaders/secureboot.html#fin...