• yum13241@lemm.ee
    link
    fedilink
    arrow-up
    11
    arrow-down
    6
    ·
    11 months ago

    Secure Boot is an utter piece of bullshit from the depths of hell.

    • Pantherina@feddit.de
      link
      fedilink
      arrow-up
      3
      arrow-down
      4
      ·
      11 months ago

      Proprietary UEFI BIOS is, but for a secure system with local manipulation prevention it can be needed. Also secureboot is a security measurement against malware so no, its simply the best we have.

      Look at Coreboot if you want a secure modern system

      • novacustom
      • 3mdeb
      • starlabs
      • system76
      • yum13241@lemm.ee
        link
        fedilink
        arrow-up
        11
        arrow-down
        1
        ·
        11 months ago

        Secure Boot is just Bootloader Signature Enforcement controlled by M$, it’s not gonna prevent Superfish 2.0 from happening.

        Unfortunately, I don’t have a coreboot-able system. When I move out I’ll make that a priority.

          • yum13241@lemm.ee
            link
            fedilink
            arrow-up
            1
            ·
            11 months ago

            I never bought my current machines. Funnily enough, they don’t show any logos on bootup, (Windows Boot Manager is smth else)

            • Norah - She/They@lemmy.blahaj.zone
              link
              fedilink
              English
              arrow-up
              1
              ·
              11 months ago

              The vulnerability actually isn’t in Windows Boot Manager, it’s a flaw in the image-parsing code of the UEFI itself. That’s why it’s able to bypass SecureBoot.

              It just happens that for whatever reason you can easily update the image file from within Windows/Linux itself. The fact they don’t show a logo currently does not mean you’re immune, as the system might just be showing a black screen at that point. Code can be injected into an image file without perceptibly affecting the image output, so you’d likely be able to use a “black screen” logo. If your computer has a UEFI instead of a BIOS, which is pretty much everything from the last 10yrs, then you are more than likely at risk.

              My computer likely isn’t susceptible, and that’s because it’s a Dell workstation. While the bug still exists in the image parser, Dell has locked things down so it’s pretty much impossible to change the boot logo from userspace.

              • Flaky@iusearchlinux.fyi
                link
                fedilink
                English
                arrow-up
                1
                ·
                11 months ago

                FWIW, some firmware allow changing it during the update procedure. I remember having to update my ThinkPad’s firmware and it had that option.

              • yum13241@lemm.ee
                link
                fedilink
                arrow-up
                1
                ·
                11 months ago

                Yes, IK WBM is not the problem here. My systems don’t show a logo at all, and they don’t have a “hide logo” options.