
Depends how hard it is to change the BIOS setting I suppose.

At this rate it prevents someone from booting in a 'malicious' OS quickly.



Changing the setting and booting an OS signed with the 3rd party signing key will result in a different PCR 7 measurement, which will result in the TPM refusing to release any secrets that would be required for the system to boot.
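The mechanism described in the comment above, as an added example that is not part of the thread: a simplified Python model of PCR 7 extension and a PCR-bound secret. The event strings, the `windows-ca` and `third-party-uefi-ca` labels, and the `seal`/`unseal`/`boot` helpers are constructed for illustration and are not a real TPM or firmware API.

```python
import hashlib
import hmac

def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend: new = H(old || H(event)). Order-sensitive, cannot be undone."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def measure_pcr7(trust_third_party_ca: bool, signer: str) -> bytes:
    """Replay a constructed, simplified Secure Boot event log into PCR 7."""
    db = ["windows-ca"] + (["third-party-uefi-ca"] if trust_third_party_ca else [])
    if signer not in db:
        raise PermissionError(f"Secure Boot: '{signer}' is not trusted, boot refused")
    events = [
        b"SecureBoot=1",
        b"db=" + ",".join(db).encode(),    # trusted signer list (assumed format)
        b"authority=" + signer.encode(),   # CA that verified the boot loader
    ]
    pcr = bytes(32)                        # SHA-256 bank starts at all zeroes
    for event in events:
        pcr = extend(pcr, event)
    return pcr

def seal(secret: bytes, pcr7_at_seal: bytes) -> dict:
    """Bind a secret to the PCR 7 value seen when disk encryption was set up."""
    return {"secret": secret, "policy_pcr7": pcr7_at_seal}

def unseal(blob: dict, current_pcr7: bytes) -> bytes:
    """Release the secret only if PCR 7 matches the sealed policy."""
    if not hmac.compare_digest(blob["policy_pcr7"], current_pcr7):
        raise PermissionError("TPM policy check failed: PCR 7 mismatch")
    return blob["secret"]

def boot(blob: dict, trust_third_party_ca: bool, signer: str):
    """Return the unsealed key, or None if Secure Boot or the TPM blocks it."""
    try:
        return unseal(blob, measure_pcr7(trust_third_party_ca, signer))
    except PermissionError as err:
        print(f"  blocked: {err}")
        return None

if __name__ == "__main__":
    blob = seal(b"constructed-volume-key", measure_pcr7(False, "windows-ca"))
    for trust, signer in [(False, "windows-ca"),
                          (False, "third-party-uefi-ca"),
                          (True, "third-party-uefi-ca")]:
        print(f"trust_3rd_party={trust} signer={signer} ->", boot(blob, trust, signer))
```
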


Anyone enabling BitLocker, or any FDE really, should know to back up their recovery key so that they can access their data should automatic unlocking fail.


Well yeah, but you asked about ordinary everyday users. And the best I can come up with is that it's marginally harder to load a foreign OS and access an unencrypted drive. You can't just plug in a USB stick and power cycle the thing.

Though I'm not sure if it's worth it, especially not if changing the BIOS is just a matter of seconds anyway (ordinary users probably won't put a password on it).


Windows enables TPM-backed BitLocker by default on initial boot these days.


And most OEMs have enabled/pre-provisioned it by default for almost a decade, since Windows 8 times.


But can you password-protect the access to the setting for whether it allows booting from j random fob?


Oh yeah absolutely. Any docs advising people to set a password for security should also advise people to set the "Trust the Microsoft 3rd Party UEFI CA" parameter appropriately.


Probably when it fails to boot from your fob, it should explain how to find that setting.



