by michaelt 654 days ago
> Then the question becomes, what do you personally do to protect your computers boot firmware?

I have a multi-stage strategy.

First and most important, physical security. My computer is valuable enough that if I left it unattended in public, someone would probably nick it and put it on ebay. So I only leave it unattended in places with good enough physical security.

Secondly, I avoid doing anything that would impose spy-thriller-movie-level security requirements on my equipment. My employer wants to secure a critical code signing key? I'll be happy to sort them out with their own HSM in their own properly secured data centre, or their own USB stick in a bank vault, or whatever their requirements dictate. My personal security research? I anonymously publish anything interesting I find right away. And I strictly avoid going to countries where I think the government ought to be overthrown.

Therefore, the chances of an attack targeting my boot firmware are exceptionally small.

Finally, I embrace the reality that the TPM wouldn't have helped me anyway. Firstly the security the TPM offers depends on the security of the BIOS, and we all know that's a joke. Secondly, even if the TPM worked perfectly and the BIOS was secure and so on, an attacker in a position to mess with my firmware could just as easily install a physical keylogger, or a hidden camera pointing at my keyboard, or just have masked goons hit me with a $5 wrench until I tell them the password.


You have to understand that if you don't need this kind of security on your computer, the question wasn't addressed to you.

"just don't do risky stuff on it" doesn't cut it for those who need it.

Leave room for real discussion about the topic.

I'm not saying you shouldn't do risky things.

I'm saying you shouldn't do things so risky that a squad of spies would get sent to monitor you, learn your routine, pick your house's locks while you're at work, sneak in, dismantle your computer, image your encrypted hard disk, overwrite the bootloader with a special version that will record the FDE password next time you enter it and send it to them, reassemble your computer and sneak out undetected.

Because that's what an "evil maid attack" means, once you've got basic physical security in place.

As I'm not Ross Ulbricht or Julian Assange, I'm willing to take my chances.
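The evil maid scenario in the comment above (bootloader swapped for one that logs the FDE password) and the earlier claim that the TPM's security rests on the firmware's can both be made concrete with a small simulation of measured boot. This is an added example, not code from the thread or from any TPM vendor: it models a PCR as a running SHA-256 extend over the boot stages, seals a disk key to the clean PCR value, and then shows (a) a swapped bootloader changing the PCR so the key stays sealed when the firmware measures honestly, and (b) a compromised firmware that extends the expected hashes instead of the code it actually ran, which leaves the PCR looking clean. The boot images, the storage root key and the sealing construction are all constructed stand-ins for illustration.

```python
"""Simulated TPM measured boot: PCR extend, sealing, and an evil maid.

Added example (not from the HN thread). All boot images and keys below are
constructed byte strings, not real firmware, and the seal/unseal scheme is a
demo construction, not the TPM 2.0 policy mechanism.
"""
import hashlib
import hmac

SHA256_LEN = 32

# Constructed stand-ins for the boot chain components.
FIRMWARE = b"vendor-uefi-firmware-v1"
BOOTLOADER = b"grub-2.06-signed"
BOOTLOADER_EVIL = b"grub-2.06-password-logging-variant"  # the evil maid's swap
KERNEL = b"vmlinuz-6.1"

# Hypothetical storage root key that, on a real TPM, never leaves the chip.
STORAGE_ROOT_KEY = b"demo-tpm-storage-root-key"

FDE_KEY = b"0123456789abcdef"  # constructed 16-byte disk encryption key


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM PCR extend: new = H(old || H(component)). One-way, order-sensitive."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Walk the reported boot chain, extending one PCR with each stage."""
    pcr = bytes(SHA256_LEN)  # PCRs reset to all zeros at power-on
    for c in components:
        pcr = extend(pcr, c)
    return pcr


def honest_firmware(actual_chain) -> bytes:
    """Firmware that measures exactly the code it is about to run."""
    return measure_boot(actual_chain)


def lying_firmware(actual_chain, claimed_chain) -> bytes:
    """Compromised firmware: runs actual_chain but extends claimed_chain.

    The TPM only hashes what it is handed; it cannot see what executed."""
    del actual_chain  # executed, but never measured
    return measure_boot(claimed_chain)


def _seal_key(pcr: bytes) -> bytes:
    return hmac.new(STORAGE_ROOT_KEY, b"seal|" + pcr, hashlib.sha256).digest()


def seal(secret: bytes, pcr: bytes) -> bytes:
    """Bind a secret (<= 32 bytes) to a PCR value: ciphertext || HMAC tag."""
    if len(secret) > SHA256_LEN:
        raise ValueError("demo sealing handles secrets of at most 32 bytes")
    key = _seal_key(pcr)
    ct = bytes(s ^ k for s, k in zip(secret, key))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def unseal(blob: bytes, pcr: bytes):
    """Return the secret if the current PCR matches the sealing PCR, else None."""
    ct, tag = blob[:-SHA256_LEN], blob[-SHA256_LEN:]
    key = _seal_key(pcr)
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, key))


CLEAN_CHAIN = [FIRMWARE, BOOTLOADER, KERNEL]
EVIL_CHAIN = [FIRMWARE, BOOTLOADER_EVIL, KERNEL]


def scenario_clean():
    """Untampered machine: the sealed disk key unseals at boot."""
    blob = seal(FDE_KEY, honest_firmware(CLEAN_CHAIN))
    return unseal(blob, honest_firmware(CLEAN_CHAIN))


def scenario_evil_maid_honest_firmware():
    """Bootloader swapped, firmware honest: PCR differs, key stays sealed (None)."""
    blob = seal(FDE_KEY, honest_firmware(CLEAN_CHAIN))
    return unseal(blob, honest_firmware(EVIL_CHAIN))


def scenario_evil_maid_lying_firmware():
    """Firmware compromised too: it reports the clean hashes, so the key unseals."""
    blob = seal(FDE_KEY, honest_firmware(CLEAN_CHAIN))
    return unseal(blob, lying_firmware(EVIL_CHAIN, CLEAN_CHAIN))


if __name__ == "__main__":
    print("clean boot unseals:", scenario_clean() == FDE_KEY)
    print("evil maid, honest firmware:", scenario_evil_maid_honest_firmware())
    print("evil maid, lying firmware:", scenario_evil_maid_lying_firmware() == FDE_KEY)
```

The second scenario is the case where sealing helps: the swapped bootloader changes the PCR and the TPM refuses to release the key, although, as the comment notes, a bootloader that simply prompts for and records the passphrase still gets whatever the user types. The third scenario is the "depends on the BIOS" point: once the firmware that performs the measurements is itself under the attacker's control, it can extend the values a clean system would have produced, and the TPM has no way to tell the difference.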

I don't think it's such a rare adversary to have. Organized crime can easily have several experienced hackers in their "organization". It's common knowledge that gangs actually do monitor the routines of people who are inside their territory, and they do it for several reasons, one of them being to rob your apartment or do an evil maid attack on your computer.

It's also common knowledge that all adversaries view people who have higher security than the average person as persons of interest or as marks. If they are spies, they think you don't need privacy if you have nothing to hide, and if you are trying too hard to hide then you must have something important to hide. Criminals think that if you have security then you must have something valuable to protect.

Also, some of the methods described here in this thread seem impractical and extreme, but once you go down this rabbit hole of security and privacy, you become used to gradually putting in a little extra effort for better security and privacy. Normal users can't understand how someone can survive having to toggle scripts on/off with the NoScript extension, but for most people who are interested in security and privacy that is easy and effortless, like breathing air.