| ▲ | greatgib 15 hours ago | |
Basically a little bit yes. Especially for an entity located in US and with strong links to the basic government. But in the case of secure boot, this is worse, because Microsoft is just a "software" editor. But its root certificate and probably a few random others are distributed in countless of devices produced by manufacturers unrelated to them, but also, a few number of software distributors will also have subkeys to be able to sign their os/software. All of that, with zero transparency. And in the end, if I buy a Lenovo laptop, to have Linux OS running on it, there is no reason and no trust to have my OS be signed by Microsoft, that has the key to run whatever they want on my laptop. Think about it and you will see that it makes no sense at all, if you don't trust Microsoft for your OS, to have to trust them for ensuring a secure boot... | ||
| ▲ | AstralStorm 14 hours ago | parent [-] | |
Technically you can revoke the default root of trust and install your own. Then manually sign your bootloader. This feature is available at least in my Gigabyte mainboard, but is not particularly easy to use, which is why bootloaders come pre-signed with a known root of trust. There's nothing stopping the installer from generating the root of trust on the fly, except for the default settings in many machines. Can also preload measurements for hardware while at it so that nobody swaps a PCIe device for an evil twin. | ||