
> It's a minuscule problem right now because of SB. Why spend time and effort if it's likely you'll encounter a protected system.

It was a minuscule problem even before SB and even today still is without SB. For most people who are exploited up to the point where malware _can write directly to the boot hard disk_, "boot chain safety" is at that point the least of the user's problems. Their data is already uploaded to a Russian server, ransomware installed, their webcam turns on without the warning LED, and all their OS security including the root account has been compromised up to the point that the attacker can start erasing off-site backups without the owner even noticing (no need and no point to compromise the boot chain).

The only scenarios where boot chain integrity would apply are evil maid scenarios where the attacker can write to the boot disk externally, i.e. _not from the user's OS itself_, and these are way outside the worries of the immense majority of users. Correctly, IMHO.

> Not really massive, mostly like absolute bare minimum [effort], if you've read them. But okay.

> most Linux distros barely support existing Secure Boot which requires much less effort than running your own CA does.

This is just a cheap criticism (even insulting) without even providing any reasoning whatsoever. And I say that as someone who has criticized Linux distributions for trying to play under the arbitrary MS rules.

Most if not all Linux distros do their own CA already. They sign packages, after all.



> It was a minuscule problem even before SB and even today still is without SB.

This is just a cheap way to handwave the problem away without even providing any reasoning whatsoever.

It wouldn't be this minuscule if that attack venue hadn't been made so much less worthwhile. We have real life examples of these types of attacks, how are you seriously trying to claim that it wouldn't have gotten widespread? In what universe would malware makers agree not to abuse something so high-reward if allowed?

> For most people who are exploited up to the point where malware _can write directly to the boot hard disk_, "boot chain safety" is at that point the least of the user's problems.

It's not that absolute. It's certainly bad when things have gotten that far, but it doesn't mean it isn't a good idea to protect against deeper infection. "Oh they got infected, let's just abandon it all" is just so overly reductionist and is really of no substance.

> The only scenarios where boot chain integrity would apply are evil maid scenarios where the attacker can write to the boot disk externally

Blatantly false.

> This is just a cheap criticism without even providing any reasoning whatsoever.

It's not a criticism even, it's an astute observation.

> Most if not all Linux distros do their own CA already. They sign packages, after all.

That's an even worse look for them, then, with a bunch of those distributions not shipping at least a signed shim (MOK enrollment excluded for now) and a signed installer.

For now I'll also skip over the fact that your average distro's package signing is way below the standards a trusted commercial CA has to follow.
