We need to return to BIOS. It was as primitive as it should be. In some regards even more clever than needed. Clever things were done by OS anyway. EFI just added problems while not resolving any issues.
If I managed to get root, either by compromising account credentials or using some sort of escalation exploit, I could write whatever I wanted to the boot sector. Secure boot will prevent that modified boot sector from booting.
We need to return to BIOS. It was as primitive as it should be. In some regards even more clever than needed. Clever things were done by OS anyway. EFI just added problems while not resolving any issues.
Does BIOS have secure boot? Or can secure boot be built upon anything?
No. And that is a good thing.
Yes, the kernel loader can do whatever check you want.
Why is that a good thing?
Sure. If you want your boot sector to be a super effective attack vector.
It is already late if your boot sector is writable by anyone who wants to. Moreover, the boot sector isn’t writable if you get access just to the FS.
If I managed to get root, either by compromising account credentials or using some sort of escalation exploit, I could write whatever I wanted to the boot sector. Secure boot will prevent that modified boot sector from booting.
“More security is a bad thing” is a weird take