Your kernel image is in plaintext on your disk openly accessible and modifiable by anyone. Any rando can put a USB in your computer and overwrite your vmlinuz with vmlinuz-pozzed and you'd be none the wiser, if you're not using Secure Boot.
my boot partition is encrypted and I don't leave my house
>>106628089>my boot partition is encryptedIt still needs to be decrypted by a bootloader which is saved unencrypted, so it's a matter of replacing grub with grub-pozzed instead of vmlinuz.
unless that plait contains treats i'm completely protected
*plate
>>106628083Mating press the evil maid.
>>106628083Why would anyone ever have access to my PC in the first place?
I'm sick and tired of security "features" and I'm a very unlikely target regardless.
>>106628150the purpose of "security updates" is to install the latest nsa backdoors
Secure Boot is the most anti-consumer thing ever, it does nothing for users, they have to make up implausible scenarios to justify it.It's just another way to prevent you from owning your own computer.If Secure Boot was a security measure it would block kernel anticheats. Instead kernel anticheats like vanguard actually require it. That should tell you all you need to know.
>>106628104where do you think grub is? on /boot, also encrypted
>>106628187Secure Boot lets you boot only whatever you allow it to, assuming your motherboard lets you enroll your own keys. I'm not sure about kernel anticheats, but maybe Microsoft signs their binaries for them.
>>106628191How do you think an encrypted grub is decrypted for use? It isn't, it remains unencrypted.
>>106628083>Any rando can put a USB in your computerI have zero visitors
>>106628083i'm using secure spring boot, sir
>>106628222that you know of
>>106628083Corpos keepTrying to take ownership of the machine outside their containment zones>>106628187This relatedSounds secure (for them, not me) boot
>>106628202I already boot only whatever I allow, by physically owning the computerAnd if someone wants to pwn me and has physical access to the computer, Secure boot won't stop themSecure boot does nothing for you
>>106628506My Windows 11/Ubuntu 24.04 machine configured to use Secure Boot with UEFI Lock does not have this problem
>>106628083I don't allow randos into my house.
>>106628540>Secure boot won't stop themIt will though. At least it prevents the easiest low hanging fruit vector, which is putting malware on /boot unhindered.
>>106628564Well shit, I'm gonna let Microsoft decide what can and cannot run on my computer just so I can defend against a scenario in which>someone has physical access to my computer and are trying to hack me>they are just competent enough to put malware on /boot>but not competent enough to disable secure boot or add new keys to itThis very real threat totally justifies putting some garbage on my computer that Microsoft is really pushing to put there
>>106628208not how full disk encryption (on UNIX) works, there's a previous layer before the bootloader that actually deals with the encryption
>>106628616You can run whatever you want as long as your motherboard allows you to enroll your own keys or to disable Secure Boot. Secure Boot can only be disabled and keys modified if you configure it in UEFI settings, which should be locked with a password.
>>106628616Anon, you don't have to use Microsoft's keys. You can sign your own keys and use those instead. It's kind of a pain in the ass so no one actually does it, but you can in fact truly ensure that your PC only runs your very own distro with three users (you, your laptop, and your mom's computer that she doesn't use after you "broke" it).
>>106628649>“Everything is Encrypted?” Not really, we encrypt as much as possible the disk but the UEFI Firmware requires an unencrypted EFI System Partition. From there the UEFI Firmware will load shim which subsequently loads grub.efi. grub.efi will then read its configuration file from the encrypted root file system.https://www.suse.com/c/full-disk-encryption-grub2-tpm/>>106628687It's not that difficult with sbctl.
>>106628222I'm going to visit you tonight and tamper with your hard ware until you have a buffer overflow
honeypot operations, my one weakness. cia please don't send a semon demon to extract all my secrets
>>106628083>evil maid tampers with har-*BOOM*
>>106628083>Any rando can put a USB in your computerIn the event of home invasion, my desktop's bootloader is the least of my worries.
>>106629027This
>>106628709Or you could just use MBR like a civilized person.
Im not using SecureBoot™, end of story.
>>106628616You know I was always on the fence regarding secureboot but you made a good argument here.I wouldn't even know where to start if I wanted to inject malware in someones grub. But if I had physical access to your computer, I can disable secure boot within 6 minutes max. The bar of knowing how to disable secure boot is so ridiculously low compared to what is actually needed to inject malware in the only unencrypted partition in the drive; that it genuinely makes me wonder what exactly is the point of secure boot.
>>106629115It's a trademarked name, you already know what's the point of SecureBoot™
>>106628672>which should be locked with a passwordwhich can be bypassed in 5 minutes.
>>106629115>>106629126>Secure Boot is easy to disableProof? Also "injecting" malware is just putting the malware on the unencrypted drive like any normal file.
>jump the password reset on your mobo while you're gone>turn off secureboot>infected :)
>>106629185>remove cmos battery for 5 minutes>bios resets to default and password is wiped>boot device and spam F2>click the disable secureboot button>doneAgain, if I had physical access to your device, secureboot actually going to protect you from anything.
https://wiki.cachyos.org/configuration/secure_boot_setup/it's easy af on cachyos specifically, no excuses
>>106629202secureboot won't* actually
>>106629191It depends on the mobo, some don't let you do this. It's still an additional layer of security in this case and you can harden your computer to be tamper-evident. Secure Boot at least stops the low effort skid from plugging in a Ubuntu live usb and drag and dropping vmlinuz-pozzed
>>106629219ubuntu's kernel is signed by microsoft so secureboot will allow it to boot.Same for debian and fedora.
>>106629202See here >>106629219 this doesn't work on all computers, and it still makes it harder, and it can be mitigated by hardening your computer.
>>106629227Yes but if they use it to drag and drop the malware, Secure Boot won't subsequently boot it.
>>106629228Explain this hardening? What does it do or how is it done?And if other hardening methods are required then secureboot already failed at its purported job.
>>106629246Tamper-evident screws for laptops for example. It's not required, it depends on your mobo whether this is necessary for Secure Boot to do its job. Secure Boot does its job in that it prevents malware from loading on your computer, but it doesn't stop physical keyloggers for example.
>>106628083I'm too lazy to find it, but I remember reading about a trivial exploit to bypass secure boot and unlock encrypted drive. There's not really a way to authenticate the whole boot process that has mainstream support right now. Seems like the Linux world is moving towards UKI with systemd boot to address this though. >>106628138Lol
>>106628083I am, but secure boot is actually flawed design. For one, it should not come with any keys by default, everyone should sign their own bootloader. How many people do you think clear the keys?
>>106628083We’ll see how much secure boot helps you when I SECURELY orgasm on your motherboard, UNLOADING my semen-ninjas to hijack your TPM
Security-wise, you're already fucked if Secure Boot is what stands between your computer and an attacker, it's pretty much pointless.
>>106628083>He lets literally anyone physically access his PCNGMI
