I know, after I posted that I was looking at their outages and worrying that my 1/month estimate was an exaggeration cause they hadn’t had a big one in a bit.

I wasn’t the original person that replied.

Could start with the fact that they go down about once a month now and take half the Internet with them.

Yeah, but the malware can just wait for a system upgrade where you sign a new boot image and slip itself in then.

It works for Windows because theoretically only Microsoft would have the signing key and it’s not just sitting on disk somewhere. But then you’re just trusting Microsoft, and also subject to vendor lock-in.

Actually, I would love for you to explain to me how Secure Boot alone would protect someone from any of that. If you want to protect files, you need full disk encryption, not Secure Boot.

Or are you seriously expecting a government-level threat actor to bother to:

1. Sneak into your home while you’re away or asleep;
2. Overwrite your bootloader or UEFI with a rootkitted image of the same version so it’s impossible to tell;
3. Wait for you to boot your computer and enter your disk encryption password, then:
4. Use the rootkit to read the decrypted files off your disk?

That’s the great thing about fascist governments, is they have no need to be that sneaky. They can just change the laws to make whatever you’re doing illegal and jail you until you agree to give up your documents, or simply hit you with a $5 wrench until you tell them the password.

For a home desktop that’s never left unattended with anyone untrustworthy, I don’t see that Secure Boot is worth the effort in setting up.

Given that you have to re-sign the boot image every time you upgrade, any malware already running with root privileges on the machine could easily slip itself into the new signed image.

The best security is not running untrusted software to begin with.