Re: Secure boot?
Looks like UEFI secure boot is the new bogeyman for some people.
The purpose of the secure boot is to establish a chain of trust from the power ON. The purpose of this is to help prevent modification of the boot files >in deployment<. However, if you own or have the access to the trusted certificate, you can make your own bootloader which does whatever you want to. System OEMs can put their certificates in the UEFI firmware and validate whatever they want.
Also, secure boot does not prevent an OS from launching anything after boot which is trusted (or not trusted but allowed by the system security policy). Once the OS is booted, it is completely up to the said OS configuration / security policy what to launch or not. If you, as a root/admin or OEM, install malware which does MITM - UEFI secure boot will not stop you (and it is not even designed to do that).
Now, if you have only trusted certificates installed - in UEFI firmware, validating OS files and in OS certificate store, validating executables run by the OS, then you have a system which has one more hurdle for a potential adversary to crack.
Biting the hand that feeds IT
