182
submitted 19 hours ago by beep@piefed.world to c/technology@lemmy.world
top 42 comments
sorted by: hot top new old
[-] huggingstars@programming.dev 3 points 2 hours ago

Microsoft gave up over a decade ago so this seems about right. If you want something secure get a Mac.

[-] CriticalMiss@lemmy.world 50 points 15 hours ago

Arch Wiki had pointed out for years that Secure Boot is a flawed mechanism.

[-] Kongar@lemmy.dbzer0.com 88 points 17 hours ago

Unpopular opinion but I’m dying on this hill. Secure boot creates more problems than it solves.

[-] goferking0@lemmy.sdf.org 5 points 2 hours ago

That's like saying windows 11 doesn't need tpm chips, an extremely popular opinion

[-] JiveTurkey@lemmy.world 54 points 16 hours ago

I'd argue this is actually a popular opinion. IMO secureboot has just become a way for Microsoft to leverage it's position and keep a strangle hold on industries they have no business being in.

The whole kernel level anti-cheat on win11 bullshit in the gaming industry is a good example. Essentially locking games to its platform and willing to sacrifice security to do so at our expense.

[-] defaultusername@lemmy.dbzer0.com 14 points 13 hours ago

This is especially true on computers where it is impossible to change the signing keys. Smartphones, game consoles, many laptops, some desktops, smart TVs, IoT devices, modern cars, etc.

[-] RiverFox7@lemmy.world 2 points 5 hours ago

I think that key can be changed on Google Pixels. I run GrapheneOS and reverting to stock would require erasing the key.

[-] defaultusername@lemmy.dbzer0.com 3 points 5 hours ago

Kind of. You can change the signing key for the operating system, but you cannot change the signing key of the primary bootloader, as that is baked into the SoC.

I'm assuming this is why it will forever "warn" me that my phone is running an "insecure" OS?

[-] defaultusername@lemmy.dbzer0.com 1 points 9 minutes ago

That's moreso because it's using an unofficial key, so the device manufacturer (Google in the case of Pixels) cannot verify the authenticity of the OS you're running.

If you were able to replace that bootloader with a custom one, then you would be able to disable that message or just use a completely different bootloader like UBoot or EDK2 if it was ported, though.

[-] ILikeBoobies@lemmy.ca 4 points 15 hours ago

Only in tech circles, it says secure and that's enough for most people.

[-] ExLisper@lemmy.curiana.net 11 points 14 hours ago

Outside of tech circles most people think secure boot looks something like this

[-] Gsus4@mander.xyz 5 points 16 hours ago
[-] chaogomu@lemmy.world 6 points 14 hours ago

Popular is the wrong question, the correct question is, how many machines is this default on.

[-] A_norny_mousse@piefed.zip 25 points 16 hours ago

11 old and forgotten UEFI shim bootloaders at versions 0.9 and below that can be used to bypass UEFI Secure Boot on any UEFI-based machine that trusts Microsoft’s Microsoft Corporation UEFI CA 2011 third-party UEFI certificate authority (CA) certificate, regardless of the installed operating system (OS).

This "Trust" is one of my pet peeves. It's $$$.

[-] evadersnack@sopuli.xyz 1 points 1 hour ago

A PKI without a CRL will eventually become exploitable.

[-] naticus@lemmy.world 14 points 16 hours ago

I get why you'd dislike that wording, but this is also how all certificate stores work, regardless of whether we're talking Secure Boot, Windows or Linux. Gotta trust the top level as providing legitimate certificates to then trust everything underlying as coming from the correct parties.

Certificate are something I work with constantly at work and I fucking hate resolving issues with them lol.

[-] A_norny_mousse@piefed.zip 13 points 16 hours ago

I get why you’d dislike that wording

It's not just the wording.

this is also how all certificate stores work

Precisely.

Check out cacert.org and why it never gained "Trust". Hint: $$$

[-] JiveTurkey@lemmy.world 5 points 16 hours ago

Add this to the pile of reasons why M$ is a joke and people should stop using them. Nothing they make is so good that you need to stick around.

[-] orclev@lemmy.world 5 points 14 hours ago* (last edited 14 hours ago)

MS has mastered the one thing businesses love which is being perfectly mediocre. If you present a business two pieces of software one that does one thing really well but nothing else, and one that does three things terribly, they'll pick the one that does three things terribly every time. That's the MS design, it smears a thin coating of suck across as broad a surface as possible and then advertises that it does everything.

[-] krigo666@lemmy.world 12 points 18 hours ago

All it takes for it to be 'broken' is to be from Microslop.

[-] victorz@lemmy.world 1 points 18 hours ago

IMO, broken ≠ vulnerable. Broken to me means it doesn't work. There's a difference, to me. 🤷‍♂️

[-] dracc@discuss.tchncs.de 40 points 18 hours ago

If the "working" definition is "is secure", and there's 11 ways in which it's not, is it not "insecure", aka. "not working" then?

[-] sp3ctr4l@lemmy.dbzer0.com 7 points 16 hours ago

Secure boot is supposed to be a lock.

Turns out there are 10 year old tricks that bypass that lock.

A lock that cannot deny access to people without proper key... is a bad lock.

[-] victorz@lemmy.world 1 points 16 hours ago

Yes.

Is UEFI shim = secure boot?

[-] sp3ctr4l@lemmy.dbzer0.com 3 points 15 hours ago* (last edited 15 hours ago)

No.

Secure Boot is basically a 'lock', on the UEFI.

UEFI - Shim is basically a 'lockpick'.

UEFI is the first step in your computer booting, turning on.

So, if Secure Boot is supposed to be a 'lock', that limits who can access the UEFI ... but it turns out that there are many, old, UEFI - Shims, that defeat that 'lock'... then Secure Boot is not a good 'lock'.

I don't mean to be rude but it seems like there might be a bit of language confusion going on here... In English, a 'shim' is a kind of crude/simple tool that can be used to break or bypass some actual physical locks.

So 'UEFI-Shim' basically means 'a thing that breaks into your UEFI'.

[-] victorz@lemmy.world 2 points 12 hours ago* (last edited 12 hours ago)

I don't think there's a language barrier here. I'm fluent in English, and I know what a shim is, both IRL and in the software world. I've just not run into it in a boot loader context before. And I'm not really knowledgeable when it comes to secure boot, either. Just trying to understand. 🙂

Are you sure that's a good phrasing though, "that breaks into your UEFI"?

A shim is usually something that you use to add or modify functionality by interception, right? Like a middle-ware, almost. So these old shims, are they responsible for functionality that directly has to do with Secure Boot, or something else?

If so, they are broken — i.e. not fulfilling their purpose.

If something else, they are not broken. They are just breaking something else, or making it vulnerable.

Am I making sense? Does it not make sense? Because after all, I don't know much about the details of the subject matter. 😁

[-] imecth@fedia.io 0 points 16 hours ago

There's like dozens of ways to open a lock without the proper key, it's probably not the best comparison...

[-] sp3ctr4l@lemmy.dbzer0.com 2 points 15 hours ago

I think that Victor may not have English as his primary/first language, I am trying to use a simple comparison that is more likely to convey the general, fundamental concepts.

[-] A_norny_mousse@piefed.zip 1 points 16 hours ago

Forgotten UEFI shims undermining Secure Boot

Better?

[-] victorz@lemmy.world -1 points 16 hours ago

I guess? I dunno. I'm not very good at boot systems.

this post was submitted on 15 Jul 2026
182 points (98.4% liked)

Technology

86364 readers
3223 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots


founded 3 years ago
MODERATORS