Reply to post: Re: Secure Boot

Press Backspace 28 times to own unlucky Grub-by Linux boxes

Anonymous Coward

Re: Secure Boot

"Secure boot throws away any hope of security."

Using a TPM / PIN with Secure Boot and BitLocker is as secure as it gets on standard hardware. It's one of the best practical options there currently is, and certainly doesn't make things worse for security.

"Old-style BIOS is sufficiently small and stupid that it cannot do much more than read and execute a boot sector."

That's all it needs to do - the TPM won't allow release of the keys to allow execution of the boot sector if it has changed.

"hide something that can man-in-the-middle an ethernet port and provide remote exfiltration invisible from inside the computer."

All encryption solutions require the device to be in a secure state at the point of installation. Once BitLocker / Secure Boot is applied with a BIOS password, PIN, TPM lockdown, etc., such changes become much harder to achieve.

"BitLocker keys can be read by an external device via a 1394 or Thunderbolt DMA channel."

Not without physical access to a powered-on and authenticated machine, in which case they might as well just grab it from you while it's unlocked.

"The keys can often be found in memory left over from the previous boot."

RAM content degrades rapidly after power down. The window for such an exploit is seconds, and it's therefore not a practical attack if due care is taken.
