You are not logged in.
- Topics: Active | Unanswered
#1 2020-04-01 14:07:40
- Dreamkey
- Member
- Registered: 2010-08-28
- Posts: 53
Security of secure boot without a TPM chip?
Hello,
I was looking to activate secure boot on my laptop. If I understand correctly, I can either use shim with my MOK, or add my own keys.
Without a TPM chip that would check if a BIOS option was not modified, the only thing that could prevents an attacker to disable secure boot, reactivate the USB boot menu or add its own keys would be a BIOS password, but it can easily be cleared.
So except slowing down an attacker and the "better than nothing" argument, am I missing something?
Offline
#2 2020-04-01 19:26:07
- Lone_Wolf
- Administrator
- From: Netherlands, Europe
- Registered: 2005-10-04
- Posts: 15,096
Re: Security of secure boot without a TPM chip?
Clearing a efi/bios firmware password can only be done by a reset of the memory where the password is stored.
Usually that requires opening the case to get to the memory reset 'switch' .
On a desktop that would be easy, for a laptop it's harder.
Do you expect an attacker to have the opportunity to do that ?
In other words : what are you trying to defend against ?
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
#3 2020-04-01 23:20:34
- Dreamkey
- Member
- Registered: 2010-08-28
- Posts: 53
Re: Security of secure boot without a TPM chip?
I don't have a specific usage, I wanted to be sure that I understood how the security is supposed to work.
Right now I disabled secure boot on my laptop and the partitions are not crypted. I am planning to use LUKS on all of them, but I was wondering if reactivating secure boot and signing the kernel was worth the trouble.
My data would be safe if the hard disks are removed, the only attack could be from an evil maid, which would only be slowed down if secure boot is activated *and* USB boot disabled, with a BIOS password.
Offline
#4 2020-04-02 01:00:58
- Xyne
- Forum Fellow
- Registered: 2008-08-03
- Posts: 6,965
- Website
Re: Security of secure boot without a TPM chip?
You would still know that the system has been compromised if the efi/bios password is reset and you can then choose to shut it down instead of decrypting your disks, which keeps your data safe.
Just keep in mind that once you reach the point where someone is trying to compromise your system as soon as you turn your back on it, rubber-host cryptanalysis is probably an increasing risk.
My Arch Linux Stuff • Forum Etiquette • Community Ethos - Arch is not for everyone
Offline