>Not in any novel way. An attacker could disable Secure Boot and install a backdoored bootloader, just as they could with physical access.
I don't think this is actually possible with physical access — a properly configured system will at least require a supervisor password to disable Secure Boot.
>modify your initramfs (because that's not signed even if you're using UEFI Secure Boot)
This is not true if you've rolled your own Platform Keys and sign and boot plain kernel images (with initramfs bundled into them).
Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
Date: 2017-05-01 11:08 pm (UTC)