For those of you who are using linux: Are you using secure boot? I.e. is your bootloader configured to only decrypt your disk and boot your OS, while blocking all “booting from USB stick” and such?

I’m asking because i’m considering a very specific attack vector, through which a sufficiently skilled agent (e.g. FBI, CIA) could install a keylogger into your OS and get access to your sensitive data that way, even when your disk is encrypted and without your knowledge.

  • BradleyUffner@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    ·
    3 months ago

    Nope. Things break on my system when it gets turned on. I just updated the BIOS last week, which somehow resulted in it getting turned back on. That silently broke my graphics card driver and it took me like an hour to figure out what was going on since there was no obvious error message.

  • CaptainBasculin@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    6
    arrow-down
    1
    ·
    3 months ago

    Unless you run your mobo with a password (no one really does), the attack vector always exists by disabling secure boot physically; and even the BIOS password could be reset through ways so I don’t really see the point in secure boot.

    • gandalf_der_12te@discuss.tchncs.deOP
      link
      fedilink
      arrow-up
      8
      ·
      3 months ago

      Secure boot can be made secure in principle. The internal disk is encrypted, the bootloader stores the cryption key internally. When you change which OS is booted, the bootloader refuses to give out the key or deletes the key altogether. For one, you would immediately noticed that your OS was tampered with. For two, even when an alternative OS manages to boot, it can’t read your data.

  • partial_accumen@lemmy.world
    link
    fedilink
    arrow-up
    3
    ·
    3 months ago

    Well, I’m running Asahi Linux on a Macbook which can’t boot from USB even if I wanted to.

    However, if you’re really worried about state-level threat actors, like FBI or CIA, I don’t believe there is much you could do to protect yourself anyway. They likely have entire catalogs of unpublished and undisclosed side-band attack exploits they could draw from to gain access to your machine and execute a privilege escalation to install whatever they want.

  • MintyFresh@lemmy.world
    link
    fedilink
    arrow-up
    2
    ·
    3 months ago

    I’ve got two machines, one with, one without. The one without is a glorified media box. The one with has documents and emails and such

  • vortexal@sopuli.xyz
    link
    fedilink
    arrow-up
    1
    ·
    3 months ago

    I have secure boot enabled in the bios, if that’s what your asking. I pretty much exclusively use Linux with secure boot enabled. The only time I’ve ever disabled it was to try and get Virtual Box working in Linux Mint but it stops working as soon as I re-enable secure boot, so I don’t use Virtual Box.