saghm 7 hours ago
I've honestly always kept secure boot off on my machines (which also use Arch). I don't really feel like the level of threat from someone (or me, by accident) booting an image I don't want them to on my hardware is particularly worth the hassle it brings; nobody else should ever be using my machines in the first place, and if they are, I'm going to have larger issues than what OS they decide to try to boot.
cesarb 3 hours ago
> nobody else should ever be using my machines in the first place, and if they are, I'm going to have larger issues than what OS they decide to try to boot.

The threat model secure boot was actually designed to protect against is not someone else booting a different OS in your hardware; the real threat model it protects against is malware loading before the OS can start the antivirus. With UEFI, malware could in theory run even when you boot from your OS install media, making it much harder to detect and remove. That's the reason installing your own secure boot key requires a one-time confirmation through a physical input device (which malware can't fake).

Unfortunately, protecting against that threat model (persistent malware loading before the OS) created another threat model, which IMO is a bigger worry: that you could one day be forbidden from running your own OS in your own devices. AFAIK, there have already been a few devices where secure boot cannot be disabled, your own secure boot keys cannot be enrolled, and the "third party" (aka "non-Microsoft") key is not available.
drnick1 6 hours ago
I'm inclined to agree when it comes to desktops or servers. However I feel like a laptop needs better security, including secure boot and full disk encryption, since you could lose it and cannot be sure what it went through even if you get it back somehow.