SUSE and Secure Boot: The Details (SUSE Blog)
Posted Aug 12, 2012 17:00 UTC (Sun) by khim
In reply to: SUSE and Secure Boot: The Details (SUSE Blog)
Parent article: SUSE and Secure Boot: The Details (SUSE Blog)
Possibly having the BIOS cache the boot sector, and completely refuse to boot if the boot sector is modified, unless they go into the BIOS in advance to say "okay, boot any boot sector once", would be helpful.
This approach was tried more than a decade ago. It does not work. Either the user knows nothing about BIOS menus (that's the majority of them!) and only creates needless pressure on the support channel, or s/he has enough knowledge to open the BIOS menu and boot anyway — in this case they WILL open the menu and boot anyway, even on a malware-infected system.
You really don't want to give knobs to a normal user. Knobs for some geeks (think ChromeOS devices with a switch under the battery) are OK and in fact can be considered a security feature (it severely reduces the pool of people who want to crack your boot process), but a normal user should never see a “yes/no” message.