This is an issue with these half-baked security solutions.
Don’t get me wrong: the setup protects against some very common threats (i.e. device gets stolen). But they’re unsuited for evil maid attacks.
Secure Boot isn’t flawless, but it can improve system security if used correctly; unfortunately, most distributions don’t go all the way as demonstrated here. I guess this can be solved via UKIs, but anything built on the user’s machine like an initramfs can’t be signed properly if no user TPM keys are enrolled and available during generation.
The issue I have with all this is that these distributions don’t really tell you that the security they provide is ultimately limited. Personally, I have custom TPM keys, the initramfs is signed, I unlock via TPM PIN and the emergency mode is disabled. Also UEFI needs to be password protected so that an attacker can’t modify your booting parameters, though this couldn’t be done undetected because it’d break TPM-supported boot.