On Tue, 17 Oct 2017 at 14:08:20 +0100 Arnt Gulbrandsen <[email protected]> wrote:
> Alessandro Selli writes:
>> Plus, its purported security is mostly a myth. It only checks if the
>> first-stage bootloader was signed by a known, authorized key,
>> everything else is as exposed to malware and rootkits as it's always
>> been. It protects from one of the smallest attack vectors that was
>> used to compromise machines.
>
> Isn't it the ONLY way to protect against that?

Yes and no.

*) Yes, signing the first-stage bootloader is probably the best way to protect the system from attacks targeting it.

*) No, the way they implemented it (only two preloaded keys, no way to let board owners load their own key, one of the keys owned by Microsoft) is definitively *not* the only way to implement a first-stage bootloader protection mechanism.

--
Alessandro Selli http://alessandro.route-add.net
VOIP SIP: [email protected]
