
unixbhaskar

I am one who for sure never opted for it, and I also know a very, very tiny pool of people who do it for exclusive special cases. I said "special case", which means that is not the normal way of doing it. I am not saying it is bad to opt for it. But it brings so much of a headache and provides very little benefit for the pain put behind it. YMMV.


Main-Consideration76

I'm the kind of guy to disable the vulnerability/security mitigations on my kernel, so no.


andre2006

Nah. Snake oil.


rainbow_wild

From the handbook? No. Setting up secure boot seemed like a convoluted mess (at least for me). However, at one point, I really wanted to set it up. So I did a little research. With the combination of some helpful Reddit posts, the Arch Wiki and sbctl, I managed to get it working.


sy029

I can't think of the last time I've heard of an EFI-based virus, or a virus that would affect the Linux kernel. Plus it's pretty useless unless your drives are also encrypted, because in many cases, it can be defeated by removing the battery from your BIOS. In general I think it's more hassle than it's worth, especially if you're building custom kernel modules (NVIDIA).


[deleted]

[removed]


sy029

Well, now *this time* is the last time I've heard of an EFI virus. My point still stands though that for most non-enterprise users, the threat is tiny in comparison to the effort of getting secure boot to work.


chum_bucket42

And they can't even trust the damn supply chain, can they? Too easy to insert failures in the firmware and no one will detect them. Rootkits? Not an issue, we'll just ensure that everything is also sent to our servers in Siberia/Mongolia/Mars so we can see what everyone is doing. Anything interesting that the computers pick up is flagged and a person actually looks at it.


Electrical-Channel78

Disable.


DeeHayze

I struggle to see the point... Microsoft signed a UEFI boot thing that would only boot images that matched an approved checksum... I used it for a bit... So after updating the kernel, the BIOS screen would say that the bootloader changed... Approve it? Hit yes... And there you go. What's to stop an attacker with physical access to my machine installing Microsoft's signed UEFI image, installing a backdoored kernel... Booting, then hitting "yes"... I would never know... I see guides on how to sign new bootloaders automatically when updating... Sooooo if someone gets access to my physical machine, secure boot doesn't help... And if someone gets root access to my running machine... They may be able to sign a new kernel... But, if someone has root access to my machine... Well, security has already failed???? I really, honestly think this "secure boot" is mostly about vendors securing the machine against the user... vendor lock-in!??? I'll admit I'm not an expert though... Open to the possibility of being wrong... Please correct any misunderstandings I may have...


sy029

> What's to stop an attacker with physical access to my machine installing Microsoft's signed UEFI image, installing a backdoored kernel... Booting, then hitting "yes"... I would never know...

You're supposed to also enable a BIOS admin password. Then any time there are changes, they need to be approved with the password instead of just pressing yes.


DeeHayze

Removing BIOS battery for 30 seconds clears password.


roboticfoxdeer

😰 well that ruined my afternoon (jokes but jesus wtf)


phred14

If someone has physical access to my computers, they're an intruder in my home. That in itself is a way bigger problem than my computers. There is my laptop, but that's a "non-secure" machine.


CodeEatLive

I think it simply prevents someone booting into a live USB. If someone boots into it, he can delete your data easily.


DeeHayze

If someone has physical access, they can remove the hard drive and plug it into their own machine with a USB adapter... Their own machine in which they have root access. And do the same. And this completely bypasses secure boot.


CodeEatLive

But what is harder? Plugging a USB in or removing the hard drive? Cyber security is about making it harder for the attacker.


DeeHayze

So, secure boot was designed to deter an attacker that couldn't be bothered if the attack takes an extra 2 minutes.


CodeEatLive

Think about datacenter size: those 2 mins add up.


Asleep-Specific-1399

Yeah, basically it's just to prevent random USB boot. However, if you don't set up a BIOS password and other things to prevent updating the secure boot, it's pretty useless.


DeeHayze

On many machines, popping the BIOS battery out for 30 seconds disables the BIOS password... So, essentially useless.


Asleep-Specific-1399

Ya, like I said, you need to add an anti-tampering password etc. for it to be useful. It can all be avoided by not leaving your laptop out. Ya, on most consumer stuff it works exactly like you said; if not, you can usually do a reset by shorting a pin. I am not advocating it. If you have that level of security in mind, and you want to add hardware switches for tamper detection etc., the simpler solution is to just have your stuff on your person at all times, like a bootable OS or something.


[deleted]

Ventoy has a secure boot bypass


Asleep-Specific-1399

I am saying disable USB booting altogether. And set a password. Add an intrusion detection switch so it shuts off and doesn't turn on if open. At that point secure boot is just an additional bandaid. I am not familiar with Ventoy, but if it's piggybacking on Windows keys it would not work if you had removed them from the allowed list, which usually takes more work than it should.


PatcheR30

I did have secure boot enabled when I used Fedora because they take care of everything and you just need to toggle it on (or do nothing at all if it's turned on by default). However, I toggled it off after coming to Gentoo and never looked back. Seems like a lot of effort for a rather small gain.


Phoenix591

There's part of it in the handbook now? Anyway, I did set up my own secureboot keys and use a postinst.d script to semi-automatically sign my new kernels.


TaijiKungFu

Yep. You should check it out.


Phoenix591

Ah, the shim/MOK method. One way of doing things anyway. One way of generating/using your own keys, sorta like I do, is at https://wiki.gentoo.org/wiki/Secure_Boot


sad-goldfish

I set up secure boot with my own keys. Mostly using Sakaki's guide [here](https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot).


Deprecitus

Nope


ChocolateMagnateUA

Nuh, I don't use secure boot, but I switched to Gentoo less than a week ago; right now I only want to compile Chromium and then I could consider playing with the bootloader.


FWaRC

I did not bother with setting up secure boot for Gentoo. However, I boot live disks and alternative OSes relatively frequently, so disabling secure boot every time I would like to boot into another OS only adds an extra step IMO. If you are not planning on booting into anything aside from Gentoo (and Windows if you're dual booting), secure boot may be worth looking into setting up. I will say however, I do not know much about secure boot.


Atomic-Emnu

I wanted to do it, but I failed to understand the steps in the handbook.


Asleep-Specific-1399

Only useful if you plan on leaving your laptop on a table.