What other "trustable" things are "untrustable"?
Only all of them ...
@vertigo @theruran @thegibson @yojimbo Not that secure boot is necessarily a panacea, but check your code... how, exactly? And how do you catch some malicious firmware change before it ransomwares you or leaks all your secrets? One of the things secure boot tries to do is to check the code on every boot to make sure your computer is running the code you (or MS and Intel usually) think it is.
@thegibson @freakazoid @theruran @yojimbo In the case of the Kestrel, the system firmware is, as far as the FPGA is concerned, located in mask-programmed ROM. Not flash. There is *no* write ability from the Kestrel itself to the system's flash chip.
Meaning, the only way to compromise the flash is to gain physical access to the computer, take it apart, desolder the chip, solder a new chip in its place (or reprogram and resolder).
@freakazoid @theruran @thegibson @yojimbo In practice, however, it doesn't protect anyone from ransomware (as evidenced by the number of people still getting hit by it), and in my first-hand experience, only results in bricking the machine when trying to upgrade to a newer version of Linux when using ASUS motherboards.
Let's just agree to disagree on this matter. I don't foresee any of us coming to an agreement here.
@vertigo @theruran @thegibson @yojimbo I think the main threats secure boot is supposed to handle involve getting "underneath" the OS. Ransomware usually doesn't need to do that because of discretionary access control; it gets access to everything the user who executed it could access. The use case with ROM is for when you chain to some piece of software in mutable storage, which you almost always need to do.
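The ROM-to-mutable-storage chain described in the post above, as an added Python model that is not code from this thread or from the Kestrel project: the immutable ROM holds only one fixed digest, every stage in flash carries the digest of the stage after it, and an image that does not match is refused before control passes to it. The image layout, stage names and the digest-based check are assumptions for illustration (a production secure boot uses signatures so images can be updated without re-burning ROM).

```python
import hashlib
import hmac

DIGEST_LEN = 32  # SHA-256; each image ends with the digest of the next stage

def digest(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()

def make_image(code: bytes, next_digest: bytes = b"\x00" * DIGEST_LEN) -> bytes:
    """Constructed image format: stage code followed by the digest this stage
    expects the following stage to have (all zeros for the last stage)."""
    return code + next_digest

def verify_chain(rom_digest: bytes, flash: dict, order: list) -> tuple:
    """Model of the ROM-resident verifier: check each mutable image against the
    digest carried by the stage before it, stopping at the first mismatch.
    Returns (boot_completed, names_of_stages_that_passed_verification)."""
    expected = rom_digest  # immutable root of trust: the only value living in ROM
    verified = []
    for name in order:
        image = flash.get(name, b"")
        if not hmac.compare_digest(digest(image), expected):
            return False, verified  # refuse to hand control to unverified code
        verified.append(name)
        expected = image[-DIGEST_LEN:]  # next link comes from the image just verified
    return True, verified

def run_demo() -> dict:
    # Build the chain back to front so each stage can embed its successor's digest.
    kernel = make_image(b"KERNEL v1")
    bootloader = make_image(b"BOOTLOADER v1", digest(kernel))
    rom_digest = digest(bootloader)  # the one value that would be baked into mask ROM
    order = ["bootloader", "kernel"]
    results = {}
    results["clean"] = verify_chain(rom_digest, {"bootloader": bootloader, "kernel": kernel}, order)
    # Replacing the kernel without re-flashing the bootloader's embedded digest is
    # caught at the kernel step; an OS upgrade that skips this step fails the same way.
    new_kernel = make_image(b"KERNEL v2")
    results["tampered_kernel"] = verify_chain(rom_digest, {"bootloader": bootloader, "kernel": new_kernel}, order)
    # A modified bootloader fails at the very first link, because the ROM digest never changes.
    modified_loader = make_image(b"BOOTLOADER modified", digest(kernel))
    results["tampered_bootloader"] = verify_chain(rom_digest, {"bootloader": modified_loader, "kernel": kernel}, order)
    return results

if __name__ == "__main__":
    for case, (ok, stages) in run_demo().items():
        print(f"{case}: boot {'completed' if ok else 'refused'} after verifying {stages}")
```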