> Typically you would only be able to manage the keys via the UEFI
> firmware UI, only accessible at boot time. Now of course an attack can

UEFI doesn't define UI. Which is a problem for getting any kind of sanity here.

> be mounted against the firmware, but these are often set up to only
> initialize the minimum hardware necessary to run the boot loader. I
> don't think you can reduce the attack surface much more than that, and
> it's a good thing to keep it contained.

Correct. Any arrangement like this needs physical proof of presence. The
disabling of the "secure" mode likewise. A similar example is the switch on
the Chromebook - you can't software flip it.

Alan