Raising the Costs of Migrating

Dec. 17, 2020 [technology] [proprietary]

I hate to make pages just to state what is probably already obvious, but I feel this deserves being said. Secure Boot has little to do with securing the boot process, at least in the sense of the word as most people understand it.

The industry push raised around Secure Boot has way more to do with securing their product from running on non-vendor-approved platforms than anything to do with protecting you individually. Big tech always likes to paint things as though it is for safety when in reality it is almost always about control.

Why is it that some mainboards allow user management of keys, or that users are allowed to “disable secure boot”? Simply because doing otherwise would be too obvious, and too much too soon. The trend is always towards more control and more centralization, and so I think hardware designs over the coming years will only reflect this.

And it is already good enough for powerful players that when the odd user takes up interest in running something other than Windows, they must now first disable the big, scary-sounding Secure Boot before being allowed to proceed. Who wants to make their computer less secure, right? This also checks the box of making competitors (GNU/Linux, BSD and others) acquire signed keys, that is, special authorization to be allowed to boot while leaving the anti-feature enabled.

Does all of this mean that securing the boot process, as specified through UEFI, has no merit? Of course not. I just do not buy that this was ever the primary intention. As mentioned earlier, it can present an opportunity to further harden a device, but only wherever users control their own keys. A realistic model of the threat must also be noted: the boot process represents a very small window of time, and those attacking the boot sequence generally need physical hardware access.