[Hydrocarb0n]

IMO secure boot is a waste of time for most scenarios, if theres closed source EUFI code running god knows what in the background, it dosn't matter how signed and secure your OS kernel is.

Ive never been sucessfully able to dual boot windows and linux on a mobo with secure boot turned on, it seems that is a feature not a bug I'm sure MS would never influence hardware vendors to make it dissadvantage a growing number of linux users.

[wongarsu]

TLAs from major powers probably have backdoors in your UEFI, mainboard or OS. But even if they do that doesn't mean they will use them on everyone, they probably keep the good stuff for the most valuable cases. Each use of an attack carries the risk of the attack vector being discovered and prevented in the future. And besides, there are threat actors besides TLAs of the USA, Russia and China.

If you use full disk encryption secure boot is pretty essential, otherwise an attacker can modify the code that asks for your credentials to also log them somewhere easily accessible, circumventing your entire encryption. If you don't do full disk encryption it's still a decent protection against some bootkits.

It can absolutely be more trouble than it's worth. It's not that useful in most desktop computers. But if you are traveling with a laptop it's probably worth some effort to keep secure boot working on that system (and make it more difficult to disable)

[account42]

> If you use full disk encryption secure boot is pretty essential, otherwise an attacker can modify the code that asks for your credentials to also log them somewhere easily accessible.

In what threat model? If the attacker has access to your PC they can just as well install a physical keylogger intercepting the signals from the keyboard.

The main use case for disk encryption is preventing data loss when the device is stolen. That's a realistic threat that people face, not boogeyment coming into your house and replacing your bootloader with a malicious one.

[mordae]

If I am ever traveling to US, I am wiping the system, installing a clean, stock Linux distribution without any encryption, keeping everything valuable at home.

Once I am behind the border, I am reinstalling the system with encryption, then proceed to download key material and other important stuff from home over the internet.

I am never letting anyone near my unlocked laptop and if I ever find it turned off e.g. while visiting office toilet, I just assume it has been infected with firmware level rootkit and I am wiping it without decrypting.

If it's removed from my sight during the border check, I assume the same, purchase a new one in a brick-and-mortar shop and sell the infected one when I am back home.

[gorjusborg]

I've been using 'secure boot' with Debian for a while now. They use a signed first-stage boot loader that allows booting the OS.

I have similar doubts on whether my system is significantly more secure as a result of using it.

[1oooqooq]

agree its a waste of time, but we pay the paranoid cost is special occasion. it does make breaking FDE just a little bit more annoying/expensive.

the only time it's worth the hassle for we to enable it: travel to the USA, Russia and most of africa (if the country have USA backed airport security, like uganda). pause updates, enable secure boot with a disposable key we don't store anywhere. that on top of the usual FDE with plausible deniability dual boot.

but we still prefer to just fly contributors with blank devices if we can.