> kato...@freaknet.org writes: > >And what if you want to use your own unsigned bootloader? Why should > >you ask someone else the permission to boot your own machine? o_O > > Because I want deny people with physical access the ability to boot unsigned > bootloaders. > > I am both the owner of my hardware and the person who usually has physical > access. Requiring signed boot loaders is way to transfer rights from latter > role to someone else ??? in my case I'd prefer to transfer them to the > former for all portable hardware, so for my next laptop I'm going to do the > MOK stuff described on this list last week.
So I might be missing something, but I really don't get the point of having a signed boot infrastructure for the technically competent computer owner. If you want to prevent somebody from booting some random unsigned code, then a BIOS from 1999 will do: You just configure the BIOS to boot your selected internal disk only and then set a password on the BIOS and the bootloader. Then nobody can insert a memory stick and boot their evil code. If your threat model includes somebody who is capable of opening your computer and messing with its internals, then no amount of EFI will protect you - the bad guy can just replace your entire motherboard. If you are worried that somebody who has compromised your OS remotely will hack your bootloader, then reconsider their motives: They are already on a running host OS as root and can look inside your encrypted disk volumes too - you have lost already. As far as I can tell, signed bootloaders have advantages for people who need to roll out images to remote PCs via untrusted channels, and are worried that the people sitting in front of their PCs will install the "wrong" kernel. In other words, microsoft, large corporates and maybe even some linux distributions. However, for those weirdos who like to own the computer they sit in front of, there is no benefit. Only downside: The kernel that enthusiasts build themselves is the "wrong" one to those who wish to lock down the computing world with DRM and related nonsense. regards marc _______________________________________________ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng