• Max-P@lemmy.max-p.me · ↑9 · 2 days ago

    It’s mostly for use cases where you can lose physical access to the computer like overnight at the office, at a hotel while travelling, in a shared server room, etc. It’s extra assurance that the computer runs the software you expect it to run and nothing else without at least being somewhat noisy about it.

    This can in turn be used to use the TPM to get a disk encryption key, so you can do full disk encryption but still boot to a normal login screen without entering a password. It will only hand out the key with the correct signed boot chain.

    If you have a desktop PC at home that nobody untrusted touches, then yeah there isn’t that much value to it for you.
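The key-release rule described in the post ("it will only hand out the key with the correct signed boot chain") is worth seeing concretely. The block below is an added example, not code from the comment above or from any TPM or distro tooling: it is a toy model in which firmware measures each boot stage into a PCR with the real extend rule (new = H(old || H(event))), and a disk key is sealed to the resulting PCR value. The sealing construction (HMAC-derived wrapping key plus integrity tag), the `SRK` secret, the disk key and the boot-chain strings are all constructed for the example; a real TPM does this inside the chip via TPM2_PCR_Extend and a PCR policy, and on Linux you would enrol with something like `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=...` rather than with code like this.

```python
"""Toy model: a disk-encryption key that only unseals under the measured boot chain.

Constructed example for illustration. Not a real TPM API; the sealing scheme is a
stand-in for what the TPM does internally with a PCR-bound policy.
"""
import hashlib
import hmac

DIGEST = hashlib.sha256


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = H(old || H(event)). One-way and order-sensitive."""
    return DIGEST(pcr + DIGEST(measurement).digest()).digest()


def measure_boot_chain(components: list[bytes]) -> bytes:
    """Simulate firmware measuring each boot stage into one PCR, starting from zeros."""
    pcr = bytes(DIGEST().digest_size)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _keystream(wrap: bytes, length: int) -> bytes:
    """Counter-mode keystream from the wrapping key (toy; real TPMs use proper AEAD)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(wrap, counter.to_bytes(4, "big"), DIGEST).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, expected_pcr: bytes, srk_secret: bytes) -> dict:
    """Wrap `secret` so it only unwraps when the PCR equals `expected_pcr`.

    The wrapping key is derived from the TPM-internal storage secret AND the PCR
    value the policy demands, so the blob is useless outside this TPM or under a
    different boot chain. A tag lets unseal() refuse cleanly instead of returning junk.
    """
    wrap = hmac.new(srk_secret, expected_pcr, DIGEST).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(wrap, len(secret))))
    tag = hmac.new(wrap, ciphertext, DIGEST).digest()
    return {"ct": ciphertext, "tag": tag}


def unseal(blob: dict, current_pcr: bytes, srk_secret: bytes):
    """Return the secret only if the *current* PCR matches the one it was sealed to."""
    wrap = hmac.new(srk_secret, current_pcr, DIGEST).digest()
    tag = hmac.new(wrap, blob["ct"], DIGEST).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # policy check failed: the machine booted something else
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(wrap, len(blob["ct"]))))


# --- constructed sample data (not real firmware events or keys) ---
SRK = b"\x11" * 32        # stands in for the TPM's storage root key secret
DISK_KEY = b"\x42" * 32   # the LUKS/volume key we want released at boot

GOOD_CHAIN = [
    b"secure-boot-policy:db=vendor,dbx=rev3",  # roughly what PCR 7 records
    b"shim-signed",
    b"grub-signed",
    b"vmlinuz-signed",
]
TAMPERED_CHAIN = [
    b"secure-boot-policy:db=vendor,dbx=rev3",
    b"shim-signed",
    b"grub-patched-unsigned",   # attacker swapped one stage
    b"vmlinuz-signed",
]


def demo():
    """Seal to the good chain; try to unseal under good, tampered and reordered chains."""
    blob = seal(DISK_KEY, measure_boot_chain(GOOD_CHAIN), SRK)
    return {
        "good": unseal(blob, measure_boot_chain(GOOD_CHAIN), SRK),
        "tampered": unseal(blob, measure_boot_chain(TAMPERED_CHAIN), SRK),
        "reordered": unseal(blob, measure_boot_chain(list(reversed(GOOD_CHAIN))), SRK),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {'key released' if result else 'refused'}")
```

Two practical consequences fall out of the model: the PCR value depends on the order of events as well as their content, so a swapped or reordered stage changes it, and any legitimate update to a measured component (new bootloader, new kernel, a dbx revocation pushed to the Secure Boot policy) also changes it, which is why the key has to be re-enrolled after such updates or the machine falls back to asking for the recovery passphrase.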

    • TurboWafflz@lemmy.world · ↑11 · 2 days ago

      I feel like if someone else has had physical access to the computer though secure boot isn’t going to really protect you. It could have a hardware keylogger in it now for all you know. I mean that’s probably unlikely, but is it really that much more unlikely than someone sneakily replacing kernel modules and things instead of just installing user mode malware that secure boot wouldn’t catch?

      • Max-P@lemmy.max-p.me · ↑9 · 2 days ago

        It’s meant to protect the software, not the hardware. Of course you can still put a hardware keylogger on it.

        You’re also only considering the use case of the owner and user being the same person. In a business context, the user and the owner are two different persons. It can be used to ensure the company’s MDM and security software aren’t tampered with, for example if you try to exfiltrate company data. In that situation, even if you have a keylogger, it doesn’t help you much, it still won’t allow you root access on the machine, because the user of the machine doesn’t have root access either.

        Same with servers: you don’t even care if the hardware is keylogged, nobody’s ever using the local console anyway. But it’ll tell you if a tech at the datacentre opened the case, and they can’t backdoor the OS during a planned hardware maintenance.

        Same with kiosk machines: you can deface the hardware all you want, the machine’s still not gonna let you order a free sandwich. If you buy one off eBay you can bypass secure boot and wipe it and use it, but it won’t let you sneak a USB on it while nobody’s watching and attack the network or anything like that.

        But yes, for most consumers it’s a bit less useful and often exploited in anti-consumer ways.