Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It makes absolutely no sense to do that. You get no added security at the cost of having to use non-free software.


To be honest secure boot has very little to do with actual security anyway.


In theory, if you enable signature checking in Grub, sign your kernel, add that key to Grub, sign Grub, import that key into the UEFI, delete all the stock (Microsoft) keys and use full disk encryption (use the luks module in grub and place an unlocking key in the initrd) .. then in theory, it should be very difficult for someone to reformat and fency your stolen laptop.

I've got the full disk encryption working with luks/grub (you do have to unlock the device twice, one for grub to read its stage2 and one in the initrd for the kernel), I just haven't gotten around to trying to re-enable secure boot.


I get that. But as you can surely see, this is not a common use case at all. Less than 1% (number pulled out of the ass) of regular consumers get their laptop stolen. Then among those, very little percentage of people actually care (enough to pay somebody to to secure the laptop properly) about the data stored in the machine. Mandating secure boot and making legit consumers to go through all that just to run their own os is simply bullshit. It's just a method to lock down the machine.


Your ass-pull laptop theft rate of 1% is still roughly four times the use rate of Linux in the Steam Hardware Survey. Installing your own OS is not a common use case at all, either.


Steam is a bit of an ass-pull itself, not at all being an accurate representation of an average computer user. Real figures tend to be around 2-3%, for example: https://www.netmarketshare.com/operating-system-market-share...


That doesn't really change the point much, does it? Installing your own non-Windows OS on a machine is a very small part of the market. Providing security for the people who will never install a new OS on their machine (not even a new version of Windows) is serving a much larger part of the market.


Providing security for the much larger part of the market does not mean, that it is necessary to lock out the minority.

Otherwise, why have the antitrust laws at all? The dominant market players provide useful services, why should we care about the minor players? (Not only in operating systems, but in general).


> then in theory, it should be very difficult for someone to reformat and fency your stolen laptop.

The solution is to attach a SPI programmer (eg a RasPi) and flush the UEFI variable store. UEFI will reset to factory defaults, incl Secure Boot.

The complicated part of that is opening the device.


The average fencer will not know how to do this and will most likely toss the laptop or strip it for parts.


Why use GRUB if you're on UEFI? Just boot the kernel directly, no need for "boot loaders" or any of that silliness.


Your firmware probably does not know how to do full-disk encryption.


It is very much a security tool, it has some bad defaults but otherwise the theory is sound and safe.

I don't see why it's not actual security.


It sounds like it makes sense if you look at it from the perspective of Microsoft wanting to hold onto the keys in case they ever want to lock the door.

And fair's fair, Microsoft was the one that pushed UEFI so hard.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: