For those of you who are using linux: Are you using secure boot? I.e. is your bootloader configured to only decrypt your disk and boot your OS, while blocking all “booting from USB stick” and such?

I’m asking because i’m considering a very specific attack vector, through which a sufficiently skilled agent (e.g. FBI, CIA) could install a keylogger into your OS and get access to your sensitive data that way, even when your disk is encrypted and without your knowledge.

  • mlfh@lm.mlfh.orgEnglish
    50·
    6 days ago

    A partial solution to this evil-maid attack vector is Heads firmware (a replacement for the bios/uefi itself), which lets you sign the contents of your unencrypted boot partition using a gpg key on a hardware token, and verify the integrity of the firmware itself using a totp/hotp key stored in the tpm.

    All the benefits of secure boot, but you get to control the signing keys yourself instead of relying on a vendor. It’s great stuff.

  • Willoughby@piefed.worldEnglish
    30·
    6 days ago

    Keep your OS updated, make regular backups, use full-disk-encryption, and nuke and pave whenever things get cluttery. You’ll be alright.

    Were it me and I just went through a TSA screening and they took it and returned,… I may nuke the laptop.

    • grue@lemmy.world
      17·
      6 days ago

      If I had that sort of threat model and let the government get their hands on my computer, I would never trust the hardware again. Too many components with their own SoCs containing firmware blobs where an exploit could lurk and reinfect even after a ‘nuke.’ GPUs, disk controllers, WiFi chips, etc.

      • Willoughby@piefed.worldEnglish
        4·
        6 days ago

        Good thinking, shoot it with a 12ga slug.

        but seriously, time and sense are a factor there. A few seconds? In front of me? I’d waver that action under a few conditions.

        • SpikesOtherDog@ani.socialEnglish
          11·
          5 days ago

          Wipe and resell on local buy/sell/trade. They will monitor someone else. Otherwise, put it on a separate subnet and use a bot to reshare every scrap of social media it can touch.

  • Liketearsinrain@lemmy.ml
    6·
    5 days ago

    I am but with self enrolled keys. People wildly misunderstand secure boot, it’s more for kernel/boot level malware and so it can be used with module signing.

  • tal@lemmy.todayEnglish
    17·
    6 days ago

    If someone can plant a camera somewhere that they can see your keyboard, they can probably obtain your password.

  • queerlilhayseed@piefed.blahaj.zoneEnglish
    13·
    6 days ago

    I’ll enable FDE during the install for systems with sensitive data, but I don’t bother with secure boot. If I were deploying machines in unsecured areas (i.e. not my house) that also had sensitive data on board, I might look into it.

  • CaptainBasculin@lemmy.dbzer0.com
    141·
    6 days ago

    Unless you run your mobo with a password (no one really does), the attack vector always exists by disabling secure boot physically; and even the BIOS password could be reset through ways so I don’t really see the point in secure boot.

    • gandalf_der_12te@discuss.tchncs.deOP
      14·
      6 days ago

      Secure boot can be made secure in principle. The internal disk is encrypted, the bootloader stores the cryption key internally. When you change which OS is booted, the bootloader refuses to give out the key or deletes the key altogether. For one, you would immediately noticed that your OS was tampered with. For two, even when an alternative OS manages to boot, it can’t read your data.

    • Liketearsinrain@lemmy.ml
      2·
      5 days ago

      You can have it set so it fails to boot with secure boot disabled. Not part of my threat model but AFAIK it’s default even for Windows FDE.

  • BradleyUffner@lemmy.worldEnglish
    11·
    6 days ago

    Nope. Things break on my system when it gets turned on. I just updated the BIOS last week, which somehow resulted in it getting turned back on. That silently broke my graphics card driver and it took me like an hour to figure out what was going on since there was no obvious error message.

  • MintyFresh@lemmy.world
    2·
    4 days ago

    I’ve got two machines, one with, one without. The one without is a glorified media box. The one with has documents and emails and such

  • Lucy :3@feddit.org
    3·
    5 days ago

    Configured it successfully on my Laptop, then bricked my PCs MB trying to configure it on that. Never tried again. After all, it only works for you if you trust the closed source UEFI anyway. If you want actual security, desolder the flash chip

  • degenerate_neutron_matter@fedia.io
    9·
    6 days ago

    I don’t see it as necessary. I have full disk encryption set up, which is sufficient to protect my data at rest. Even if I had secure boot set up, a sufficiently skilled agent could physically install a USB sniffer in my keyboard, flash a malicious BIOS to my motherboard, or just install a hidden camera to watch me type my password. And many TPMs have vulnerabilities that I’m sure government agencies are able to exploit.

    • gandalf_der_12te@discuss.tchncs.deOP
      2·
      3 days ago

      that is a really interesting point, actually. i had not considered the option that attackers can actually just physically alter your device. of course, if they install a keyboard sniffer, you’d never be able to detect that, and also they could read all the data. there’s no protection against that; once the device was in the hands of an (sufficiently skilled) attacker, you can’t trust it anymore, no matter what software you have/had installed.