by sudosysgen
1060 days ago
You can edit UEFI drivers from the operating system's bootloader, and you can even flash the UEFI itself from the OS on most computers. While secure boot. Failing that, you can shim a preloader between the bootloader and the UEFI and load arbitrary drivers despite secure boot, as is done here: https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk Any sufficiently motivated attacker can make a UEFI rootkit happen, and it's in the wild right now. TPMs really do offer no protection to users, either against userspace malware or rootkits. It's purely about DRM.

Secure Boot and TPM do offer tangible security benefits and are security features you can take ownership of.
Secure Boot allows your own key hierarchy, and TPM allows you to take ownership.
The linked boot disk isn't really proof that Secure Boot is useless. If you don't set a MOKManager password (as you should) and you change the security state of the machine while present at the keyboard, then yes, you can boot things.
This is intended to make sure people can actually decide to trust things. And having insecure defaults makes this less useful. Not very surprising.
EDIT: The bootdisk won't work with a recent shim or a recent grub. The old shim it was using should be revoked if you have any remotely updated machine as well.
TPMs could also prevent attacks like this on your machine.
Incidentally I've invested quite a bit of time in making user-friendly Secure Boot tooling as well. https://github.com/Foxboron/sbctl
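As an added example of what "taking ownership" of Secure Boot looks like from the OS side (this is not code from the thread and not part of sbctl): the script below reads the SecureBoot, SetupMode and PK variables from efivarfs, tells you whether the firmware is in setup mode (no Platform Key, so anyone at the keyboard can enroll one), in user mode with enforcement off, or in user mode with enforcement on, and walks the EFI_SIGNATURE_LIST in PK to print the SignatureOwner GUID of each enrolled key, which is how you confirm the PK is yours and not the OEM's. The efivarfs path and the vendor/signature-type GUIDs are the ones from the UEFI spec; the owner GUID, attribute words and certificate bytes in the sample are constructed so the parsing can be exercised offline.

```python
"""Inspect Secure Boot ownership state from efivarfs (added example, not sbctl code)."""
from __future__ import annotations

import struct
import uuid
from pathlib import Path
from typing import Optional

# EFI_GLOBAL_VARIABLE: vendor GUID of SecureBoot, SetupMode, PK and KEK.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# SignatureType used for X.509 certificate entries in PK/KEK/db.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(blob: bytes) -> tuple[int, bytes]:
    """Split an efivarfs file: 4-byte little-endian attributes word, then the data."""
    if len(blob) < 4:
        raise ValueError("efivar blob shorter than its 4-byte attribute word")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def read_efivar(name: str, guid: str = EFI_GLOBAL_VARIABLE) -> Optional[bytes]:
    """Read a variable from efivarfs; None if unset, not a UEFI boot, or not permitted."""
    try:
        return (EFIVARS / f"{name}-{guid}").read_bytes()
    except OSError:
        return None


def signature_owners(var_data: bytes) -> list[str]:
    """Walk the EFI_SIGNATURE_LISTs in a PK/KEK/db payload and return each
    entry's SignatureOwner GUID, i.e. who enrolled that key."""
    owners: list[str] = []
    off = 0
    while off + 28 <= len(var_data):
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then
        # SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 each).
        list_size, hdr_size, sig_size = struct.unpack_from("<III", var_data, off + 16)
        if list_size < 28 or off + list_size > len(var_data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by key material.
            owners.append(str(uuid.UUID(bytes_le=var_data[pos:pos + 16])))
            pos += sig_size
        off = end
    return owners


def classify(raw: dict[str, Optional[bytes]]) -> str:
    """Classify firmware state from raw efivar blobs keyed by variable name.

    'not-uefi'      no SecureBoot variable (legacy/CSM boot or no efivarfs)
    'setup-mode'    no Platform Key enrolled: anyone at the keyboard can enroll one
    'user-mode-off' a PK is enrolled but signature enforcement is off
    'user-mode-on'  a PK is enrolled and the firmware enforces signatures
    """
    sb = raw.get("SecureBoot")
    if sb is None:
        return "not-uefi"
    enforcing = parse_efivar(sb)[1][:1] == b"\x01"
    setup = raw.get("SetupMode")
    in_setup = setup is not None and parse_efivar(setup)[1][:1] == b"\x01"
    pk = raw.get("PK")
    if in_setup or pk is None or not signature_owners(parse_efivar(pk)[1]):
        return "setup-mode"
    return "user-mode-on" if enforcing else "user-mode-off"


def build_x509_signature_list(owner: uuid.UUID, cert_der: bytes) -> bytes:
    """Build one EFI_SIGNATURE_LIST holding a single X.509 entry (used for the sample)."""
    sig_size = 16 + len(cert_der)
    return (EFI_CERT_X509_GUID.bytes_le
            + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + owner.bytes_le + cert_der)


# Constructed sample: a machine whose PK was enrolled under a made-up owner GUID.
# 0x06 is BS|RT (SecureBoot/SetupMode are volatile); 0x27 adds NV and
# TIME_BASED_AUTHENTICATED_WRITE_ACCESS, which a real PK carries.
MY_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_VARS: dict[str, Optional[bytes]] = {
    "SecureBoot": b"\x06\x00\x00\x00\x01",
    "SetupMode": b"\x06\x00\x00\x00\x00",
    "PK": b"\x27\x00\x00\x00" + build_x509_signature_list(MY_OWNER, b"<not a real DER cert>"),
}

if __name__ == "__main__":
    live = {n: read_efivar(n) for n in ("SecureBoot", "SetupMode", "PK")}
    print("state:", classify(live))
    if live["PK"] is not None:
        print("PK owners:", signature_owners(parse_efivar(live["PK"])[1]))
```

Run it as root on a UEFI machine to see the live state; "setup-mode" is the insecure default the reply above refers to, and a PK whose owner GUID is not one you generated means the OEM still controls the key hierarchy.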