
> It was a minuscule problem even before SB and even today still is without SB.

This is just a cheap way to handwave the problem away without even providing any reasoning whatsoever.

It wouldn't be this minuscule if that attack avenue hadn't been made so much less worthwhile. We have real-life examples of these types of attacks; how are you seriously trying to claim that it wouldn't have gotten widespread? In what universe would malware makers agree not to abuse something so high-reward if allowed?

> For most people who are exploited up to the point where malware _can write directly to the boot hard disk_, "boot chain safety" is at that point the least of the user's problems.

It's not that absolute. It's certainly bad when things have gotten that far, but it doesn't mean it isn't a good idea to protect against deeper infection. "Oh they got infected, let's just abandon it all" is just so overly reductionist and is really of no substance.

> The only scenarios where boot chain integrity would apply are evil maid scenarios where the attacker can write to the boot disk externally

Blatantly false.

> This is just a cheap criticism without even providing any reasoning whatsoever.

It's not a criticism even, it's an astute observation.

> Most if not all Linux distros do their own CA already. They sign packages, after all.

That's an even worse look for them, then, a bunch of those distributions not shipping at least a signed shim (MOK enrollment excluded for now) and a signed installer.

For now I'll also skip over the fact that your average distro's package signing is way below the standards a trusted commercial CA has to follow.




