On Thu, 2023-07-13 at 12:08 +0100, Polarian and on Thu, 2023-07-13 at 07:21 -0400, Dmitry Yershov wrote: > https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot Hi, especially care for the cons link, provided by the Arch Wiki and note that it just mentions pros, but doesn't link to anything related to those pros. "[...] This also makes patching the fault impossible, since any patch can be replaced (downgraded) by the (signed) exploitable binary. Microsoft [...] has released two patches; however, the patches do not (and cannot) remove the vulnerability, which would require key replacements in end user firmware to fix. [...]" - https://en.wikipedia.org/wiki/UEFI#Secure_Boot_2 The problem isn't that there is a vulnerability, it's even not a problem that it cannot be fixed. Shit happens! Fortunately not all machines are affected by this vulnerability. The problem is the Microsoft mindset, providing a weak mitigation and then pretending they solved something with it. IMO this is the greatest security risk imaginable. IMO it's way more secure to disable it and instead to rely on signed checksums and to assume that there is no African prince who wants to give you $5 billion. Regards, Ralf
