On Tue, 17 Oct 2017 at 14:08:20 +0100
Arnt Gulbrandsen <arnt@???> wrote:
> Alessandro Selli writes:
>> Plus, its purported security is mostly a myth. It only checks if the
>> first-stage bootloader was signed by a known, authorized key,
>> everything else is as exposed to malware and rootkits as it's always
>> been. It protects from one of the smallest attack vectors that was
>> used to compromise machines.
>
> Isn't it the ONLY way to protect against that?
Yes and no.
*) Yes, signing the first-stage bootloader is probably the best way to protect
the system from attacks targeting it.
*) No, the way they implemented it (only two preloaded keys, no way to let
board owners load their own key, one of the keys owned by Microsoft) is
definitively *not* the only way to implement a first-stage bootloader
protection mechanism.
--
Alessandro Selli
http://alessandro.route-add.net
VOIP SIP: dhatarattha@???