117
submitted 1 week ago* (last edited 1 week ago) by gandalf_der_12te@discuss.tchncs.de to c/asklemmy@lemmy.world

For those of you who are using Linux: Are you using secure boot? I.e. is your bootloader configured to only decrypt your disk and boot your OS, while blocking all "booting from USB stick" and such?

I'm asking because I'm considering a very specific attack vector, through which a sufficiently skilled agent (e.g. FBI, CIA) could install a keylogger into your OS and get access to your sensitive data that way, even when your disk is encrypted and without your knowledge.

[-] mlfh@lm.mlfh.org 48 points 1 week ago

A partial solution to this evil-maid attack vector is Heads firmware (a replacement for the BIOS/UEFI itself), which lets you sign the contents of your unencrypted boot partition using a GPG key on a hardware token, and verify the integrity of the firmware itself using a TOTP/HOTP key stored in the TPM.

All the benefits of secure boot, but you get to control the signing keys yourself instead of relying on a vendor. It's great stuff.

This is exactly what I was looking for.

[-] Willoughby@piefed.world 28 points 1 week ago

Keep your OS updated, make regular backups, use full-disk-encryption, and nuke and pave whenever things get cluttery. You'll be alright.

Were it me and I just went through a TSA screening and they took it and returned... I may nuke the laptop.

[-] grue@lemmy.world 16 points 1 week ago

If I had that sort of threat model and let the government get their hands on my computer, I would never trust the hardware again. Too many components with their own SoCs containing firmware blobs where an exploit could lurk and reinfect even after a 'nuke.' GPUs, disk controllers, WiFi chips, etc.

[-] Willoughby@piefed.world 4 points 1 week ago* (last edited 1 week ago)

Good thinking, shoot it with a 12ga slug.

But seriously, time and sense are a factor there. A few seconds? In front of me? I'd waver that action under a few conditions.

[-] SpikesOtherDog@ani.social 1 points 1 week ago

Wipe and resell on local buy/sell/trade. They will monitor someone else. Otherwise, put it on a separate subnet and use a bot to reshare every scrap of social media it can touch.

[-] tal@lemmy.today 17 points 1 week ago

If someone can plant a camera somewhere that they can see your keyboard, they can probably obtain your password.

Good point. I hadn't even considered the whole USB keylogger problem.

[-] CaptainBasculin@lemmy.dbzer0.com 14 points 1 week ago

Unless you run your mobo with a password (no one really does), the attack vector always exists by disabling secure boot physically; and even the BIOS password could be reset through ways so I don't really see the point in secure boot.

Secure boot can be made secure in principle. The internal disk is encrypted, the bootloader stores the encryption key internally. When you change which OS is booted, the bootloader refuses to give out the key or deletes the key altogether. For one, you would immediately notice that your OS was tampered with. For two, even when an alternative OS manages to boot, it can't read your data.

I'll enable FDE during the install for systems with sensitive data, but I don't bother with secure boot. If I were deploying machines in unsecured areas (i.e. not my house) that also had sensitive data on board, I might look into it.
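The mechanism described in this sub-thread (a key that is withheld once the boot chain changes) and the TPM-held TOTP check mentioned for Heads earlier in the thread, as an added example that is not from any commenter and is not Heads code. It is a toy model: `ToyTPM`, the chain contents and the function names are assumptions made for illustration, and a real TPM enforces the PCR policy in hardware.

```python
import hashlib
import hmac
import struct

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure(chain) -> bytes:
    """Fold every boot stage into one PCR value, starting from all zeroes."""
    pcr = bytes(32)
    for component in chain:
        pcr = extend(pcr, component)
    return pcr

class ToyTPM:
    """Simplified model of sealing: the secret is bound to one PCR value."""
    def __init__(self):
        self._sealed = None
    def seal(self, secret: bytes, pcr: bytes) -> None:
        self._sealed = (pcr, secret)
    def unseal(self, pcr: bytes):
        expected, secret = self._sealed
        return secret if hmac.compare_digest(expected, pcr) else None

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def boot_code(tpm: ToyTPM, chain, unix_time: int):
    """Code shown at boot, or None when the measured chain no longer matches."""
    secret = tpm.unseal(measure(chain))
    return totp(secret, unix_time) if secret is not None else None

# Constructed sample data: stand-ins for firmware, bootloader and kernel images.
GOOD_CHAIN = [b"firmware v1", b"bootloader v1", b"kernel v1"]
TAMPERED_CHAIN = [b"firmware v1", b"bootloader v1 + keylogger", b"kernel v1"]
SECRET = b"12345678901234567890"  # RFC 6238 test secret, also enrolled on the phone

if __name__ == "__main__":
    tpm = ToyTPM()
    tpm.seal(SECRET, measure(GOOD_CHAIN))
    now = 59
    print("phone   :", totp(SECRET, now))
    print("clean   :", boot_code(tpm, GOOD_CHAIN, now))
    print("tampered:", boot_code(tpm, TAMPERED_CHAIN, now))
```

The user compares the code shown at boot with the one on their phone; a modified stage changes the PCR, so the secret stays sealed and no matching code can be produced.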

[-] oyzmo@lemmy.world 12 points 1 week ago
[-] BradleyUffner@lemmy.world 11 points 1 week ago* (last edited 1 week ago)

Nope. Things break on my system when it gets turned on. I just updated the BIOS last week, which somehow resulted in it getting turned back on. That silently broke my graphics card driver and it took me like an hour to figure out what was going on since there was no obvious error message.

[-] daggermoon@piefed.world 11 points 1 week ago

I never even used it on Windows.

I don't see it as necessary. I have full disk encryption set up, which is sufficient to protect my data at rest. Even if I had secure boot set up, a sufficiently skilled agent could physically install a USB sniffer in my keyboard, flash a malicious BIOS to my motherboard, or just install a hidden camera to watch me type my password. And many TPMs have vulnerabilities that I'm sure government agencies are able to exploit.

That is a really interesting point, actually. I had not considered the option that attackers can actually just physically alter your device. Of course, if they install a keyboard sniffer, you'd never be able to detect that, and also they could read all the data. There's no protection against that; once the device was in the hands of a (sufficiently skilled) attacker, you can't trust it anymore, no matter what software you have/had installed.

I just assume they can do that without physical access.

[-] thisbenzingring@lemmy.today 5 points 1 week ago

Look up CIS Benchmark for your OS and it will tell you how to harden your Linux system against intrusion.

[-] nothingcorporate@lemmy.today 4 points 1 week ago

Nothing else about me is secure, why should my boot get to be?

[-] cheat700000007@lemmy.world 3 points 1 week ago

You want AIDS? That's how you get AIDS

[-] nothingcorporate@lemmy.today 2 points 1 week ago

I don't get this joke, but it made me laugh anyway. Upvote.

[-] cheat700000007@lemmy.world 2 points 1 week ago

Boot not secure = Unprotected buttsex

[-] nothingcorporate@lemmy.today 2 points 1 week ago

I guess that all tracks. Me and my computer do both love butt sex.

[-] Libb@piefed.social 4 points 1 week ago

No. Full disk encryption is enough to protect my privacy from anyone stealing my computer/disks, it's what matters to me.

If some secret agency wants to access said data, they would just need to ask me, with a smile and a nice warrant. At least here in France, not complying is severely punished.

[-] partial_accumen@lemmy.world 4 points 1 week ago* (last edited 1 week ago)

Well, I'm running Asahi Linux on a Macbook which can't boot from USB even if I wanted to.

However, if you're really worried about state-level threat actors, like FBI or CIA, I don't believe there is much you could do to protect yourself anyway. They likely have entire catalogs of unpublished and undisclosed side-band attack exploits they could draw from to gain access to your machine and execute a privilege escalation to install whatever they want.

[-] 30p87@feddit.org 3 points 1 week ago

Configured it successfully on my laptop, then bricked my PC's MB trying to configure it on that. Never tried again. After all, it only works for you if you trust the closed source UEFI anyway. If you want actual security, desolder the flash chip.

[-] 4grams@awful.systems 2 points 1 week ago

No, everything I have is connected to the internet anyway so has far more easily compromised vectors. If I had any data sensitive enough I would not trust any security other than physical with it. I assume with physical access, a motivated enough attacker could gain access, there are loopholes in everything.

So, if I had that sort of data, it would be on an offline machine, no wireless, never connected to a network. I would only trust it in so far as I could guarantee I am the only one who can access it.

[-] LodeMike@lemmy.today 2 points 1 week ago

Yes. I have fully self-managed keys too.

[-] MintyFresh@lemmy.world 2 points 1 week ago

I've got two machines, one with, one without. The one without is a glorified media box. The one with has documents and emails and such.

[-] vortexal@sopuli.xyz 1 points 1 week ago

I have secure boot enabled in the BIOS, if that's what you're asking. I pretty much exclusively use Linux with secure boot enabled. The only time I've ever disabled it was to try and get Virtual Box working in Linux Mint but it stops working as soon as I re-enable secure boot, so I don't use Virtual Box.

this post was submitted on 13 Apr 2026
117 points (100.0% liked)
