Ahoj, Dňa Sun, 13 Jul 2014 09:49:40 -0700 Noah Meyerhans <noahm@debian.org> napísal: > On Sun, Jul 13, 2014 at 11:23:11AM +0200, Slavko wrote: > > By this, i see, that the secure boot is good for corporate > > environment, don't affect average home users. For others there is > > more simple to disable it, than always sign any experiment ;) > > In practice, I'm sure most non-corporate users will disable it, yes. > It is simply more convenient to do so. However, there are benefits to > enabling it, even for home users. Malware that infects the earliest > phases of the boot process by modifiying boot blocks (grub's phase1, > etc), etc, exists and is very hard to detect. "Know what you're > booting" is basically the goal of UEFI secure boot, and all users can > benefit from that. From my point of view: Who will know what i am booting – i or signing company (in mean who is signing what)? Is there universal way to generate valid key by self on (e.g.) daily/weekly base? Who will prevent malvare producers to buy signing key and then boot their modifications? I see no security advantages, only companies advantages. In other words, rely on third party is as secure as your believe to it, but security is not a religion, there is not reason to believe to unknown third party groups, because next days can ends in that only NSA will know what i am booting. Yes, when i will sign my systems, then i will know what i am booting, but until this, disabling it provides the same security level as system signed by someone other. Or i am bad? -- Slavko http://slavino.sk
Attachment:
signature.asc
Description: PGP signature