undefined | Better HN

0 pointsjauntywundrkind1y ago0 comments

They'd also need to know every user has upgraded the boot loader such that the system doesn't depend on those compromised keys!

That does make it quite difficult to pull off any kind of key rotation. I'm not sure, but I think (well known Secure Boot tool) sbctl is saying that you can sign a bootloader with multiple keys, which would permit creating a bootloader that would work with the compromised & the new root-of-trust, which at least opens some window of possibility. https://github.com/Foxboron/sbctl/blob/master/docs/sbctl.8.t...

0 comments

hollerith1y ago

This consumer (me) values security highly enough that he would prefer for the firmware update to render the machine unbootable (as long as it remains possible to render the machine bootable again by re-installing software).

j / k navigate · click thread line to collapse

0 comments

hollerith1y ago

j / k navigate · click thread line to collapse