Hacker News new | past | comments | ask | show | jobs | submit login

So that would be undesirable if true, but how would it be less secure than not having secure boot?

Of course, most/all SB BIOSes enable setting your own platform key.






Because it can lock the door behind itself in an opaque hardware-dependent layer users have no control over.

If i were to design security from the ground up it would be a small external sdcard for firmware and kernel (with a hardware r/w toggle), and optionally a external sdcard adapter that verifies the hash of the content.

Everything else is as dumb as bricks and gets its firmware loaded from the sdcard.

We didn't do that because secure boot was solving the problem of large orgs with remote administration in mind, and designed by orgs happy to sell yearly advanced cybersecurity protection shield plus certification subscriptions.

Designing for remote administration by an IT department will.. increase the attack surface for attackers to remote administrate my device.


> If i were to design security from the ground up

You might be interested in Librem Key, based on free firmware?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: