Secure boot, fTPM security benefits in Jan 2025?

July 2023:

Secure boot does not protect the boot chain for Linux.
Turning it off is not a downgrade in security.
Noob here, I have some questions about Secure Boot - #6 by barryascott

What is the situation today, does it provide security benefits?

Does fTPM provide benefits?

I also don’t know how to interpret this.

Because the Secure Boot key is available locally on your computer, (by default it’s in /etc/pki/akmods) you might need to consider encrypting your rootfs as appropriate in order to protect the key. Please consider this as a mandatory requirement
Howto/Secure Boot - RPM Fusion

What am I protecting the key from? A person with physical access to the computer? Malware that gets run on the same computer (seems unlikely, because how would encrypting root, which would be decrypted during use, help)?

Physical access is what full disk encryption protects against.


My analysis still stands. Once we have mainstream support for UKI, unified kernel images, in Fedora then Secure Boot will have value.

Recent changes in systemd UKI support are promising, as is the work Red Hat is doing. I have not seen any change proposal for F42 to support UKI for normal installs yet.


FDE protects against physical disk access (I always use it). That is clear. Can you confirm that this is also what’s meant in the quote from RPM Fusion as that’s the part I was confused by?

I appreciate the details and good to learn that’s on its way.

FDE prevents access to the Secure Boot signing key from a powered-down disk. I think this is what RPM Fusion means.

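The point of the last reply, that FDE only protects the akmods signing key while the disk is powered down, is something you can verify on your own machine. The script below is an added example written for this page; it is not code from the thread or from RPM Fusion. It assumes the RPM Fusion default key locations (/etc/pki/akmods/private/private_key.priv and /etc/pki/akmods/certs/public_key.der, which are my assumption about where the howto's "/etc/pki/akmods" puts things), util-linux (findmnt, lsblk), coreutils (od, stat) and optionally mokutil. It also adds the check the thread does not mention: FDE does nothing against a local user reading the key while the system is unlocked, so the key's file mode matters as well.

```shell
#!/bin/sh
# Added example (not from the thread or RPM Fusion): audit whether the akmods
# Secure Boot signing key is actually protected at rest and from local users.
# Assumed defaults (override with environment variables):
AKMODS_KEY="${AKMODS_KEY:-/etc/pki/akmods/private/private_key.priv}"
AKMODS_CERT="${AKMODS_CERT:-/etc/pki/akmods/certs/public_key.der}"

# Read the SecureBoot EFI variable: 4 bytes of attributes, then one data byte
# (1 = enforcing, 0 = off). Takes the efivars file path so it can be tested
# against a constructed file; defaults to the live variable.
secure_boot_state() {
    var="${1:-$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)}"
    if [ -z "$var" ] || [ ! -r "$var" ]; then
        echo unknown        # legacy BIOS boot, no efivarfs, or unreadable
        return 0
    fi
    case "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# A signing key readable by any local user lets that user sign kernel modules
# the firmware will then trust, encrypted disk or not.
key_mode_ok() {
    key="$1"
    [ -f "$key" ] || { echo missing; return 1; }
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        600|400) echo "ok ($mode)"; return 0 ;;
        *)       echo "too open ($mode)"; return 1 ;;
    esac
}

# Given the block-device chain under a mount (one lsblk TYPE per line on
# stdin), report whether a dm-crypt layer sits anywhere in it.
chain_has_crypt() {
    grep -qx crypt
}

# Resolve the device backing a path, list its parent devices, and apply
# chain_has_crypt. Returns 2 when the device chain cannot be resolved.
path_is_encrypted() {
    dev=$(findmnt -n -v -o SOURCE --target "$1" 2>/dev/null) || return 2
    [ -n "$dev" ] || return 2
    types=$(lsblk -n -s -o TYPE "$dev" 2>/dev/null) || return 2
    printf '%s\n' "$types" | chain_has_crypt
}

# Put it together: the key only matters while Secure Boot is enforcing, and
# FDE only helps if the filesystem holding the key is the encrypted one.
audit() {
    key="$1"; cert="$2"
    echo "Secure Boot: $(secure_boot_state)"
    echo "Key mode:    $(key_mode_ok "$key")"
    path_is_encrypted "$(dirname "$key")"
    case $? in
        0) echo "Key at rest: on a dm-crypt volume" ;;
        2) echo "Key at rest: could not resolve backing device" ;;
        *) echo "Key at rest: PLAINTEXT, readable from a powered-off disk" ;;
    esac
    # Is the matching certificate enrolled in the MOK list at all?
    if command -v mokutil >/dev/null 2>&1 && [ -f "$cert" ]; then
        echo "MOK:         $(mokutil --test-key "$cert" 2>/dev/null)"
    fi
    return 0
}

audit "$AKMODS_KEY" "$AKMODS_CERT"
```

Run it as a normal user first; a "too open" result means the encrypted-disk advice in the RPM Fusion howto was never the whole story for that machine. The device walk and the EFI variable parse are kept as separate functions so each can be exercised against constructed input rather than only against the live system.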