• SzethFriendOfNimi@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    ·
    3 months ago

    I think Secure boot is intended to check that the boot loader itself is signed.

    This is a way to mitigate viruses and malware that infects the boot loader so it can reinstall itself if it’s removed by AV, or something else.

    If you can create a boot loader that is signed in such a way that secure boot can’t tell it’s invalid then you can do some nasty stuff.

    Closest analogy I can think of is verisigns private key being leaked and there’s no fast and easy way to revoke and replace it without wreaking havoc on currently installed OS’s machines.