    But by and large, hardware and firmware providers still aren’t spending enough resources to build defenses needed for products to effectively withstand attacks. Secure boot, because it only protects the boot process during run time, isn’t the answer. And security companies are only now starting to design scanning for mainstream users.

    Maybe I’m missing something, but Secure Boot would block any non-signed EFI from starting, and that, summed up with a firmware password and fastboot/“don’t boot USB”, should be enough to NOT execute that suspicious EFI file.

    Yeah, UEFI isn’t a security panacea, but you can’t criticize Secure Boot as a “standalone component” of all the infrastructure that is part of UEFI. It’s like saying that locks don’t work on shōji doors (Japanese room dividers).

    But I have to agree that not all users are aware of firmware passwords and boot options at all. And thank god my current UEFI provider isn’t AMI :)


        Same way you can easily keep your firmware updated…

        https://uefi.org/revocationlistfile and also MS16-094 and MS16-100.

        Some Linux laptops (mine included) running fwupd will have these key countermeasures as a dbx. https://github.com/fwupd/fwupd/pull/2325
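Added illustration of what the dbx revocation list linked above actually contains (example code written for this page, not from fwupd or uefi.org): a dbx image is a sequence of EFI_SIGNATURE_LIST structures, and its SHA-256 entries are Authenticode hashes of revoked PE binaries. The parser below walks those lists and checks whether a given hash is revoked; the sample dbx and its hashes are constructed here, not real revocation entries.

```python
import struct
import uuid
import hashlib

# EFI_CERT_SHA256_GUID: the signature type used for hash entries in dbx.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType (16-byte GUID, mixed-endian),
# then SignatureListSize, SignatureHeaderSize, SignatureSize (LE uint32).
_LIST_HDR = struct.Struct("<16sIII")


def parse_dbx(blob: bytes) -> set:
    """Return the set of SHA-256 hashes contained in a dbx variable image.

    Walks every EFI_SIGNATURE_LIST; only SHA-256 lists are collected, other
    list types (e.g. X.509 certificates) are skipped using their list size.
    """
    hashes = set()
    off = 0
    while off + _LIST_HDR.size <= len(blob):
        sig_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size or off + list_size > len(blob):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        if uuid.UUID(bytes_le=sig_type) == EFI_CERT_SHA256_GUID:
            if sig_size != 16 + 32:
                raise ValueError("unexpected SignatureSize for SHA-256 list")
            body = blob[off + _LIST_HDR.size + hdr_size: off + list_size]
            # Each EFI_SIGNATURE_DATA is SignatureOwner GUID (16) + hash (32).
            for i in range(0, len(body) - sig_size + 1, sig_size):
                hashes.add(body[i + 16:i + sig_size])
        off += list_size
    return hashes


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one SHA-256 EFI_SIGNATURE_LIST (used here to construct test data)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    list_size = _LIST_HDR.size + len(body)
    return _LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, list_size, 0, 16 + 32) + body


def is_revoked(authenticode_sha256: bytes, dbx_blob: bytes) -> bool:
    """True if the given Authenticode SHA-256 hash appears in the dbx image."""
    return authenticode_sha256 in parse_dbx(dbx_blob)


# Constructed sample dbx with two made-up hashes (not real revocation entries).
SAMPLE_REVOKED = hashlib.sha256(b"constructed-revoked-loader").digest()
SAMPLE_OTHER = hashlib.sha256(b"constructed-other-loader").digest()
SAMPLE_UNLISTED = hashlib.sha256(b"constructed-unlisted-loader").digest()
SAMPLE_DBX = build_sha256_list([SAMPLE_REVOKED, SAMPLE_OTHER])
```

On a Linux system the live variable can be read from efivarfs (the first four bytes there are variable attributes, not part of the signature lists) and fed to parse_dbx after stripping them.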