On 09/08/2017 04:51 AM, [email protected] wrote:
> One can use coreboot with GRUB's kernel signing features on an owner
> controlled non PSP/ME PC such as the Lenovo G505 (laptop) or KCMA-D8
> (workstation), then after coreboot is working you enable the flash write
> restriction so that it can't be flashed internally (an attacker would
> have to have physical access for around 10 mins to reflash) - this is
> technically superior to "secure boot" as it is owner controlled by you
> instead of Microsoft.

Just a datapoint: secure boot is *not* Microsoft-controlled (unless you assume the manufacturer put in some kind of backdoor, in which case you're screwed anyway).

Secure boot *by default* runs with keys owned by Microsoft. You can (and should) replace them with a key you own and you use to sign new GRUBs, if you want to. The option to do so is usually somewhere in the BIOS menu.

Once you have removed Microsoft's golden key and put your own instead, there is no longer any link between your secure boot and Microsoft.
