| HN Mirror

this is simply not true

only using self verifying of PCRs is not an effective protecting against most attacks. (Against which a secure boot chain is supposed to help.)

Sure it depends a bit on what you want from secure boot. But in general if you need PCRs you also need to make sure only verified code can run. If you don't, you likely don't need PCRs either, and some simple flawed secure module key storage would work as good.

In a certain way having a trust verification of the boot loader is the most important part. Everything after that depends on how the boot loader is implemented, through having PCRs is still helpful.

Through this is where secure boot failed (very hard), as long as you don't enroll your own keys you are not really getting a secure boot chain. Something which IMHO is fundamental requirement for any company laptops and similar. (Or, instead of using custom PKs, you are MS and disable all 3rd party keys and disable any BIOS option to add/enroll 3rd party keys, like they did on some older ARM devices).

I.e. IMHO a secure boot chain and protocols related to it are a must have, but the current implementation is garbage, especially for most Windows users.

If you want to know in which direction things could be done you could look a ARM Mac Books more specifically the documentation Asahi Linux created for it. Through just the direction not the exact design.

Basically for PCs (even in huge companies with MDA) you don't need global trust chains, just local per-system trust automatically setup on first boot after "reset" and making sure a "reset" is roughly like a wipe (by using full disk encryption) is all you need (and want). The devil is in the details, but it isn't really that hard to make it work.