[necovek]

It's mostly about your UEFI firmware coming with a set of trusted CAs to verify bootloader is built by one of the trusted parties like Microsoft or Canonical or Redhat or...

You can turn it off, or make it into trust-once and sign your own bootloader, and avoid the risk of bootkit getting installed ever, except with exploits like these.

[josefx]

Unless the software vendor requires it to be locked down hard. Microsofts certification requirements for ARM devices back in 2012 explicitly required secure boot and prohibited custom certificates.

[c0l0]

It would be fine it were only that. The actual problem is that software vendors can and do use Secure Boot to also check if you, the machine's owner, "decided" to "trust" this set of special CAs - and if you did not (and limited your freedom to execute any code you want in any way you want it on your machine in doing so), make the software you bought/licensed from them - or any other software you would like to run on top of these vendors' platforms - refuse to work on your machine.

[mjg59]

Which vendors?

[tom1337]

As example, FaceIT Anti Cheat only works if Secure Boot is enabled. I guess their argument is that they can ensure you only boot genuine Windows and thus they can better check if you've tampered with anything.

[mjg59]

I've found no evidence that it checks the set of trusted certs, only that secure boot is enabled (which is trivial to fake).

[tom1337]

well then thats on me and i misunderstood. I thought that with secure boot enabled a tampered operating would not boot and therefore the anti cheat can expect that if secure boot is enabled the os is legit. but yea if secure boot enrollment can be faked then my point doesn't stand anymore.

[Y_Y]

https://www.theguardian.com/technology/blog/2006/jul/14/wind...

I see Microsoft's malicious erosion of the meaning of "genuine" is going well.

[c0l0]

Microsoft, with Windows 11. No, the "LabConfig" bs does not count.

[mjg59]

Where does Windows 11 check the set of trusted certificates?