efi file must be signed, but it can be self-signed) You can see how this is very bad!! A backdoor, which MS put in to secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere! Specific Secure Boot policies, when provisioned, allow for testsigning to be enabled, on any BCD object, including element as well, which allows bootmgr to run what is effectively an unsigned. Now on the other hand, it LUKS itself prevents some of the UEFI vulnerabilities, maybe I will push more in the direction of fixing that "No operating system found" post UEFI LUKS partition install.| a w r i t e u p r e l e a s e b y r o l | So in the end I was like, hmm, ok, Legacy is ok for now for the possible security advantages in Legacy mode itself as well as the fact that I could install to a single LUKS partition. When I try to install Ubuntu on this laptop in UEFI after I reboot after install I get "No operating system found." (I haven't studied up on what files to configure to fix this yet.) So in that scenario I was forced to load Windows first and put Ubuntu as a dual boot in UEFI mode and due to the multi partition I was unable to choose a LUKS partition. I can get Ubuntu to install in Legacy mode properly on my laptop and then I'm able to choose LUKS since there's no other partition on the HDD. This is kind of a multi tiered question in my progression of choosing how my OS is booted into. Am I correctly digesting that a LUKS ext4 partition would prevent a potentially compromised \efi partition from effecting the OS? You have to decide for yourself, that which is lost and what is gained.Ĭan you touch more on the LUKS. Some people see this(and other 'advances') like a sporting event, cheering for the newest technology regardless of the fist creeping up their asshole. Most people are lazy and would rather roll the security dice and hope for the best. Everyone has a different threshold of comfort. Security is about minimizing the risks while balancing accessibility. And regardless, that grants access to the bios, not the drive. That's not to say that BIOS's don't allow State actors entrance via WOL coded options, but in the normal course of publicly available trojans, that isn't an issue. They can bang on it all they want, and there is no back door to slip into. If you want security, you do it yourself with a LUKS encrypted drive, minus secure boot, and just hitting the BIOS firmware. That may change over time, but that time isn't here yet. But it is standalone firmware, separated from any partitioned space.Īnd practically speaking, Linux can interface with a BIOS more predictably than UEFI(it can read the hardware better). Nothing else at this point in time.Ĭonversely, Legacy BIOS's deal in MBR which has limitations on boot drive size and on partition table mapping via GRUB. And lastly you can update your firmware directly via the UEFI interface. It allows GPT partitioning and NVME support and it's pretty. The advantage of UEFI is it's function and ease of use. Or rather, that a Golden Key exists in the first place. UEFI has secure boot enabled usually, which is great if you trust the people that created secureboot(Microsoft), but not so great if you know the plot of Lord of the Rings- and know that their Golden Key is in the wild. I've seen rootkits/trojans infecting the uefi partition, and thereby reinfecting every OS on the machine. I suppose my main query lies in the security aspect and then any other pros/cons of using UEFI vs Legacy IDE. I understand that UEFI runs at twice the speed as Legacy IDE. Is UEFI the Powershell of Windows so to speak, allowing more security vulnerabilities?
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |