On 29.03.2017 at 14:46, Anton Aylward wrote:
(snip) What actual protection does a 'secure boot' bring when compared to, say, an encrypted drive, and how complex are each to implement?
I do not disagree with any point you made ;-) LUKS and encfs are tools I use each day. Oh, I'd also consider encrypting /tmp and /var.

Secure boot in the first place is a playing field for me to learn about it. But do not underestimate it. A remote attacker could very well be able to reboot your machine with his own malicious kernel; if he gains the necessary rights he does not need to sit in front of your machine. OK, before doing that, he has tried many other things before. Inhibiting the loading of malicious kernel modules may be much more important and can be done without secure boot.

And secure boot has one interesting feature: it can store a list of hashes in its db key store. This way you can ensure certain important apps have not been tampered with, not only boot loaders. I think this feature is even more interesting than signing boot loaders. Imagine you protect important system apps or files with hashes that are stored in your system hardware: an attacker will have a hard time replacing them with malicious code. This feature sounds very, very interesting to me.

regards
Malte
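The db key store mentioned in the message is held as a sequence of EFI_SIGNATURE_LIST structures defined by the UEFI specification. As an added example (not part of the original post), this Python parser lists the SHA-256 entries of such a blob; the owner GUID and sample data are constructed, and the firmware matches these entries against the Authenticode digest of the EFI images it loads.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_LEN = 28  # SignatureType GUID (16) + three little-endian UINT32 fields


def parse_signature_lists(blob):
    """Return (type, owner, data) for each entry in concatenated EFI_SIGNATURE_LISTs."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if list_size < HEADER_LEN + hdr_size or offset + list_size > len(blob):
            raise ValueError("SignatureListSize does not fit the data")
        body = list_size - HEADER_LEN - hdr_size
        if sig_size <= 16 or body % sig_size:
            raise ValueError("SignatureSize inconsistent with list size")
        pos = offset + HEADER_LEN + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        offset += list_size
    return entries


def sha256_entries(blob):
    """Hex digests of every SHA-256 entry, in order of appearance."""
    return [data.hex() for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32]


def build_sha256_list(owner, digests):
    """Build one SHA-256 signature list (used only to construct sample input)."""
    body = b"".join(owner.bytes_le + d for d in digests)
    sizes = struct.pack("<III", HEADER_LEN + len(body), 0, 16 + 32)
    return EFI_CERT_SHA256_GUID.bytes_le + sizes + body


if __name__ == "__main__":
    # Constructed sample: owner GUID and hashed byte strings are made up.
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")
    sample = build_sha256_list(owner, [hashlib.sha256(b"image-a").digest(),
                                       hashlib.sha256(b"image-b").digest()])
    for digest in sha256_entries(sample):
        print(digest)
```

When the variable is read through Linux efivarfs, strip the 4-byte attributes prefix before passing the data to the parser.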