I really dislike this headline. A vulnerability was found, responsibly disclosed, and the vendor was responsive and is planning/pushing a fix. The headline drowns a successful mitigation in flowery language of controversy. The article also shows how this can happen on other vendor devices, but the headline here looks like just Framework messed up, when they’re the only vulnerable vendor with a fix in the pipeline (based on the info in the article). I really hate headline-bait journalism.
Titling choice probably fueled by their otherwise unrelated ongoing controversy, if I had to guess.
More blood for the blood god.
I have still yet to see a good argument for why anyone needs secure boot, I went to a talk about it at a conference this summer and if anything it made me like it less
It’s mostly for use cases where you can lose physical access to the computer like overnight at the office, at a hotel while travelling, in a shared server room, etc. It’s extra assurance that the computer runs the software you expect it to run and nothing else without at least being somewhat noisy about it.
This can in turn be used to use the TPM to get a disk encryption key, so you can do full disk encryption but still boot to a normal login screen without entering a password. It will only hand out the key with the correct signed boot chain.
If you have a desktop PC at home that nobody untrusted touches, then yeah there isn’t that much value to it for you.
I feel like if someone else has had physical access to the computer though secure boot isn’t going to really protect you. It could have a hardware keylogger in it now for all you know. I mean that’s probably unlikely, but is it really that much more unlikely than someone sneakily replacing kernel modules and things instead of just installing user mode malware that secure boot wouldn’t catch?
It’s meant to protect the software, not the hardware. Of course you can still put a hardware keylogger on it.
You’re also only considering the use case of the owner and user being the same person. In a business context, the user and the owner are two different persons. It can be used to ensure the company’s MDM and security software aren’t tampered with, for example if you try to exfiltrate company data. In that situation, even if you have a keylogger, it doesn’t help you much, it still won’t allow you root access on the machine, because the user of the machine doesn’t have root access either.
Same with servers: you don’t even care if the hardware is keylogged, nobody’s ever using the local console anyway. But it’ll tell you if a tech at the datacentre opened the case, and they can’t backdoor the OS during a planned hardware maintenance.
Same with kiosk machines: you can deface the hardware all you want, the machine’s still not gonna let you order a free sandwich. If you buy one off eBay you can bypass secure boot and wipe it and use it, but it won’t let you sneak a USB on it while nobody’s watching and attack the network or anything like that.
But yes, for most consumers it’s a bit less useful and often exploited in anti-consumer ways.
The secure the boot for a good bootlicking.
Joke’s on them, I have Secure Boot OFF so I can use hibernate! 😂
