[losingom]

>Authentication of boot loaders is done via cryptographic signatures [...] the cryptographic certificates that may be used to validate these signatures are then signed by Microsoft

This is what concerns me. While Microsoft are indeed dominant, surely them signing these is a conflict of interest? Why can't there be an external body that signs these, including those for Microsoft?

[g_p]

The "default" boot chain is using a Microsoft CA key, but you can easily change it. In fact, the "root" for your system is the platform key, which is most probably signed by your OEM.

Pragmatically speaking, I'd be more worried about my OEM's platform key being compromised when someone leaks their UEFI firmware build tree through a ransomware attack or similar.

The biggest issue of the Microsoft "CA root", is that they sign everything - there was a good example [1] of them signing a Kaspersky rescue CD that could effectively break the secure boot chain.

The good news is you can load your own keys into your motherboard. It's only really a solution for enterprises or tech-savvy individuals, but it at least is a viable option and helps you to "own" your own platform.

[1] https://habr.com/en/post/446238/

[dane-pgp]

> Why can't there be an external body that signs these

Just wait a few years, and it will be the government that decides which OSes can run on your hardware. Hint: It will be OSes that only allow "approved" apps to run.

[mjg59]

> Why can't there be an external body that signs these, including those for Microsoft?

There can be, and I strongly suspect Microsoft would prefer there to be - reviewing and signing all the UEFI drivers consumes significant resources. Nobody else with sufficient resources to do this job has stepped forward.