[Bradford] Laptop security

Matt Fleming matt at codeblueprint.co.uk
Mon Nov 16 12:50:31 UTC 2015


On Sat, 14 Nov, at 06:06:16PM, Alice . wrote:
> Hi Bradlug,
> 
> I recently bought a new laptop and I'm trying to make it as secure as I
> can. There's a couple of areas I'm struggling with that I thought I'd ask
> you lot about. For reference it's a Thinkpad T420 with the latest Fedora.
> 
> First, UEFI. I understand UEFI Secure Boot will protect me against evil maid
> attacks better than the legacy BIOS. I've not spent much time trying to get
> this working yet, but it doesn't work out of the box and I'm wondering just
> how much better it is than a password-protected BIOS?
 
Actually, Secure Boot won't prevent evil maid attacks because having
physical access to your laptop has always been sufficient privilege to
disable Secure Boot and/or add your own keys to the database.

For instance, it was a requirement for Windows 8 that you could
disable Secure Boot in the BIOS menu. This was lobbied for hard by the
Linux communities, etc.

You should use BIOS passwords in conjunction with Secure Boot.

Where Secure Boot helps considerably is in preventing the execution of
malicious programs during boot. So if I trick you into downloading
some malware that wants to execute during boot but isn't signed by a
key in the Secure Boot database, it won't be run.

It prevents escalated OS privileges at runtime from turning into boot
time attacks because you can't diddle with the key database at
runtime.
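
The following is an added example, not part of the original message: a Python check of the state the reply relies on, namely that Secure Boot is enforcing, the firmware is not in Setup Mode, and the `db` key database is flagged for authenticated writes. It assumes a Linux system with efivarfs mounted at `/sys/firmware/efi/efivars`; the function names and the sample byte strings are constructed for illustration.

```python
import struct
from pathlib import Path

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # EFI_GLOBAL_VARIABLE
EFI_IMAGE_SECURITY = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # GUID of db/dbx
TIME_BASED_AUTH_WRITE = 0x20  # EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed mount point

def parse_efivar(raw):
    """efivarfs layout: 4-byte little-endian attributes, then the data."""
    if len(raw) < 4:
        raise ValueError("truncated efivarfs entry")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]

def assess(secure_boot, setup_mode, db):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    _, sb = parse_efivar(secure_boot)
    _, sm = parse_efivar(setup_mode)
    db_attrs, db_data = parse_efivar(db)
    if sb != b"\x01":
        findings.append("Secure Boot is not enforcing")
    if sm != b"\x00":
        findings.append("Setup Mode: keys can be enrolled unauthenticated")
    if not db_attrs & TIME_BASED_AUTH_WRITE:
        findings.append("db is not marked for authenticated writes")
    if not db_data:
        findings.append("db is empty")
    return findings

def read_live():
    """Read the three variables from the running system."""
    names = (("SecureBoot", EFI_GLOBAL), ("SetupMode", EFI_GLOBAL),
             ("db", EFI_IMAGE_SECURITY))
    return tuple((EFIVARS / f"{n}-{g}").read_bytes() for n, g in names)

# Constructed samples: a locked-down machine and one left in Setup Mode.
GOOD = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00",
        b"\x27\x00\x00\x00" + b"\xaa" * 16)
SETUP = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01", b"\x07\x00\x00\x00")

if __name__ == "__main__":
    try:
        state = read_live()
    except OSError:  # legacy boot or efivarfs missing: use the sample
        state = GOOD
    for line in assess(*state) or ["ok"]:
        print(line)
```

This only reports what the firmware exposes to the running OS; it says nothing about whether a BIOS password is set.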