Does “Secure Boot” actually benefit the end user in any way what so ever? Genuine question
For you? No. For most people? Nope, not even close.
However, it mitigates certain threat vectors both on Windows and Linux, especially when paired with a TPM and disk encryption. Basically, you can no longer (terms and conditions apply) physically unscrew the storage and inject malware and then pop it back in. Nor can you just read data off the drive.
The threat vector is basically ”our employees keep leaving their laptops unattended in public”.
(Does LUKS with a password mitigate most of this? Yes. But normal people can’t be trusted with passwords and need the TPM to do it for them. And that basically requires SecureBoot to do properly.)
That’s only one use of secure boot. It’s also supposed to prevent UEFI level rootkits, which is a much more important feature for most people.
True. Personally, I’m hoping for easier use of SecureBoot, TPM and encryption on Linux overall. People are complaining about BitLocker, but try doing the same on Linux. All the bits and pieces are there, but integrating everything and having it keep working through kernel upgrades isn’t fun at all.
With LUKS, your boot/efi partition is still unencrypted. So someone could install a malicious bootloader, and you probably wouldn’t know and would enter your password. With secure boot, the malicious bootloader won’t boot because it has no valid signature.
Exactly. The malware can do whatever, but as long as the TPM measurements don’t add up the drive will remain encrypted. Given stringent enough TPM measurements and config you can probably boot signed malware without yielding access to the encrypted data.
In my view, SecureBoot is just icing on the cake that is measured boot via TPM. Nice icing though.
Yes, as long as you get the option to disable it. And use custom keys.
It’s uh, more secure.
It’s so secure that the first thing under Wikipedia’s entry for Secure boot is Secure boot criticism
Yes this is a real, I’m not joking.
It’s not the first thing, it’s in the middle.
under Wikipedia’s entry for Secure boot
What’s the first thing under the “Secure boot” section? The section that it automatically scrolls to when clicking my link?
Secure Boot
The UEFI specification defines a protocol known as Secure Boot, which…
…
UEFI shell
…
Classes
…
Boot stages
…
Usage
…
Application development
And finally
Criticism
Secure Boot
See also: Secure Boot criticism
It’s right there under the header
It prevents rootkit malware that loads before the OS and therefore is very difficult to detect. If enabled, it tells your machine to only load the OS if it’s signed by a trusted key and hasn’t been tampered with.
You can set it to run only specifically signed binaries on boot.
Specifically signed by anyone with a key - which, considering multiple where leaked over time - is everyone.
Using the capital punishment symbol instead of the killed in action symbol suggests windows was executed after the war (likely by installing linux lol)
I had this problem at work a week ago or so, at least with Fujitsu PCs. For them, the main cause isn’t an empty CMOS battery, but rather that Fujitsu generally had too little BIOS cache, since there is nothing about it in the UEFI standard. The update basically overfilled that cache, rendering the BIOS completely unusable. The POST doesn’t even go through fully.
The PC are sort of bricked, you gotta put the mainboard into recovery mode, put the ROM file on a freeBSD formatted stick and wait until you see instructions on the screen. Follow them, restart the PC. I recommend setting the BIOS to the optimized default settings, as not doing that might make the boot of Windows pretty slow in some cases. I did hear that it can delete the keys from the TPM, but I haven’t seen that with my PCs at work.
JFC
What all am I looking at here? Or is this all meme?
It’s a meme about how draining the cmos battery bricked some PC’s, I think. It’s formatted like the Wikipedia sidebar summary for articles on wartime battles.
Here for the replies
It’s a meme about how draining the cmos battery bricked some PC’s, I think. It’s formatted like the Wikipedia sidebar summary for articles on wartime battles.
Oh wow thanks
You’re in linuxmemes did you not expect a meme? xD
Also: Yes it’s a meme based on a true story (see the other comments for more details)
The meme itself is based on https://knowyourmeme.com/memes/historical-battle-shitposts-decisive-victory
most competent Microsoft developer
You mean Bing AI
David Plummer
Wow what a super cool website without cookie opt-out.
Not only that, if you try to click any of the links, like the partner list or privacy statements, it takes you to another page with the same pop-up over it… So you have to accept the shit to read their disclosures… What a shitty website, unless the purpose was to keep the information a secret, then it works great because I sure as shit didn’t read it.
The URL (borncity) has nothing to do with the topic (Windows Update), that’s a sign of an SEO content farm
Well the website (and the guy maintaing it) is pretty old. I think the blog posts reach back till Windows Vista. The guy itself wrote some books about Win95 so he has some experience.
The site is quite popular in Germany and the information is usually good summarized and helpful IMHO.
Anyway as always I recommend an adblocker when using the internet.
Use Reader View in Firefox. I never accepted the cookies. 😉
I learned one morning that a cmos battery could become a resistor. It can fail in a way that it’s not working nor completely dead but passes just enough current to make a server motherboard that otherwise might A: Work, B: detect it’s dead/missing and boot anyway with defaults to instead C: just freeze and not do anything. That was a fun full day of time wasted.
When I was 12, I thought I had broken the family computer trying to get Ultima III to run. I read every MS-DOS manual I could find trying to fix it before someone found me out. It was the frikin CMOS battery. I learned a lot of DOS that summer.
I have a motherboard in a state where it won’t boot unless you pull and reinsert the cmos battery. After this it will boot exactly once.
It will also boot without issue if you don’t have a cmos battery at all. This is obviously not ideal.
I wonder if these issues are related? I purchased the motherboard second hand in this state about a year ago. So it is far too early for this update, but it remains a mystery.
Have you tried putting in a new battery?
Ain’t nobody got time for that
First thing I tried yeah, I tested a few and verified with a multi meter. It isn’t that sadly :(
I had something kiind of similar once, where it would only boot after trying to boot once, letting it run a bit in idle, and then rebooting where it would actually succeed. Turned out I forgot to put the clear cmos jumper back to neutral after i reset cmos.
So my best guess (other than new battery) is check the jumpers maybe
Y’know the setting in the bios where you can choose boot on power restore, stay off or last state? This relies on a capacitor on the motherboard near the bios battery to store the last state. This 5 cent capacitor can die and sometimes behave like you are saying. I had a repair guy fix it cheap and that server worked normally after that.
Allen&Heath sound controllers on Ubuntu had a funny failure too. It’s touchscreen and extra screen would show nothing on boot although the sound controls (for one surface config) works. In order to fix that, you need a replacement battery, a keyboard to boot into it’s BIOS and a password they don’t disclose publicly. I revived a couple of these by a pure luck of discovering someone posting said passwords 5+ years ago. It’s so hostile I hate it.
Wait… Microsoft is shit?!
I still get the shakes
This feels like https://lemmy.sdf.org/c/unix_surrealism
Is this for real?
Yes, multiple of our Windows laptops today couldn’t boot and displayed a BitLocker error message and all affected laptops somehow had an empty BIOS battery…
Can it at least be fixed with a new battery? Or does that get drained quickly too?
AFAIK a new battery + entering the Bitlocker recovery key fixed the problems.
Usually these batteries hold for years. I have a 15+ year old laptop where I had to replace the battery after ~10 years.
However the affected laptops are now a few years old, aren’t designed properly (I heard weird stuff happening like adding additional RAM somehow causes the display to fail) and somehow just have a CR2016 battery installed, not a bigger CR2032. And yes these are buisness-laptops designed for companies -.-
But how many civilians cannibalized?
we prefer to classify that a ‘charitably donated meals’
There are no civilians when profit is involved.
What? The penguin bird is so fat that it is bigger than a window? Or… I know: “Stick penguin into hole!” But why? Nah… Hey, can somebody read ancient Egyptian?
