Enable or disable Secure Boot?



  • I'm preparing for installing pfSense on a new system. Do I have "Secure Boot" enabled or disabled in BIOS? According to the FreeBSD web site https://wiki.freebsd.org/SecureBoot there is no support for Secure Boot yet.


  • Banned

    Yeah you should definitely disable that POS.



  • @doktornotor:

    Yeah you should definitely disable that POS.

    Great! Thank you for being so clear about it.



  • It's not useful for anything on a system that you have set up yourself, it's like questioning yourself if you trust yourself to lock the doors of your house when you leave for work in the morning.



  • @kpa:

    It's not useful for anything on a system that you have set up yourself, it's like questioning yourself if you trust yourself to lock the doors of your house when you leave for work in the morning.

    Yeah, nothing a healthy man of action would do.



  • @Ip:

    @kpa:

    It's not useful for anything on a system that you have set up yourself, it's like questioning yourself if you trust yourself to lock the doors of your house when you leave for work in the morning.

    Yeah, nothing a healthy man of action would do.

    Close, but not quite so. Secure boot is more against attacks to your BIOS, Boot files and drivers.

    You don't need physical access to modify the BIOS, Boot or Driver files, do you?

    It may not prevent the attack, but it simply won't boot your system if it detects changes on any of the protected files (BIOS, Boot & Driver files).
    This is the last step to maintain the integrity of a system. Hard Drive encryption is great, but useless if you can modify the BIOS, boot or driver files to steal the HD password. So, Secure Boot/TPM, plus Hard Drive encryption, does give you a level of trust in the system/files/configuration.

    It is a pain, true, but in this day, the more locks and obstacles against malware/attacks, the better.

    I predict Secure-Boot/TPM/HD-encryption will be the default for any trusted installation of any software in the coming years.
    For people with a firewall in their basement? Maybe not, but I'm pretty sure it will become the norm for co-location, VMs and critical installs.
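Added example, not part of any post in this thread: a toy model of the TPM measurement chain behind the "Secure Boot/TPM, plus Hard Drive encryption" point in the post above. It models TPM measured boot rather than Secure Boot's signature checks; the component names, byte strings and key are constructed, and a real TPM enforces the unseal policy in hardware.

```python
import hashlib
import hmac

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components) -> bytes:
    """Fold every boot stage, in order, into one 32-byte measurement."""
    pcr = bytes(32)  # PCRs start at all zeroes after reset
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

def seal(disk_key: bytes, expected_pcr: bytes) -> dict:
    """Bind the disk key to the measurement of a known-good boot."""
    return {"policy": expected_pcr, "key": disk_key}

def unseal(sealed: dict, current_pcr: bytes):
    """Release the key only if this boot measured the same as the sealed one."""
    if hmac.compare_digest(sealed["policy"], current_pcr):
        return sealed["key"]
    return None

# Constructed stand-ins for the real firmware, loader and kernel images.
GOOD_CHAIN = [b"firmware v1", b"loader.efi v1", b"kernel v1"]
TAMPERED_CHAIN = [b"firmware v1", b"loader.efi v1 + keylogger", b"kernel v1"]
DISK_KEY = b"constructed-disk-key"

SEALED = seal(DISK_KEY, measure_boot(GOOD_CHAIN))

def boot(components):
    """Return the disk key if the chain is unchanged, else None."""
    return unseal(SEALED, measure_boot(components))

if __name__ == "__main__":
    print("clean boot   :", boot(GOOD_CHAIN))
    print("tampered boot:", boot(TAMPERED_CHAIN))
```

Because each stage is hashed into the running value, a change to any one component, or to their order, yields a different final measurement and the key stays sealed.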



  • @pppfsense:

    @Ip:

    @kpa:

    It's not useful for anything on a system that you have set up yourself, it's like questioning yourself if you trust yourself to lock the doors of your house when you leave for work in the morning.

    Yeah, nothing a healthy man of action would do.

    Close, but not quite so. Secure boot is more against attacks to your BIOS, Boot files and drivers.

    You don't need physical access to modify the BIOS, Boot or Driver files, do you?

    It may not prevent the attack, but it simply won't boot your system if it detects changes on any of the protected files (BIOS, Boot & Driver files).
    This is the last step to maintain the integrity of a system. Hard Drive encryption is great, but useless if you can modify the BIOS, boot or driver files to steal the HD password. So, Secure Boot/TPM, plus Hard Drive encryption, does give you a level of trust in the system/files/configuration.

    It is a pain, true, but in this day, the more locks and obstacles against malware/attacks, the better.

    I predict Secure-Boot/TPM/HD-encryption will be the default for any trusted installation of any software in the coming years.
    For people with a firewall in their basement? Maybe not, but I'm pretty sure it will become the norm for co-location, VMs and critical installs.

    I don't know if it is possible to access the BIOS without physical access. Maybe it is. I try to protect my system by disabling the ability to boot from USB and CD-ROM and then setting a strong BIOS password.



  • @Ip:

    @pppfsense:

    @Ip:

    @kpa:

    It's not useful for anything on a system that you have set up yourself, it's like questioning yourself if you trust yourself to lock the doors of your house when you leave for work in the morning.

    Yeah, nothing a healthy man of action would do.

    Close, but not quite so. Secure boot is more against attacks to your BIOS, Boot files and drivers.

    You don't need physical access to modify the BIOS, Boot or Driver files, do you?

    It may not prevent the attack, but it simply won't boot your system if it detects changes on any of the protected files (BIOS, Boot & Driver files).
    This is the last step to maintain the integrity of a system. Hard Drive encryption is great, but useless if you can modify the BIOS, boot or driver files to steal the HD password. So, Secure Boot/TPM, plus Hard Drive encryption, does give you a level of trust in the system/files/configuration.

    It is a pain, true, but in this day, the more locks and obstacles against malware/attacks, the better.

    I predict Secure-Boot/TPM/HD-encryption will be the default for any trusted installation of any software in the coming years.
    For people with a firewall in their basement? Maybe not, but I'm pretty sure it will become the norm for co-location, VMs and critical installs.

    I don't know if it is possible to access the BIOS without physical access. Maybe it is. I try to protect my system by disabling the ability to boot from USB and CD-ROM and then setting a strong BIOS password.

    Of course it is possible to alter the BIOS without physical access.

    Have you not ever upgraded a BIOS from within Linux/Windows??
    If your machine gets infiltrated remotely, they can run proper code to change the BIOS, so, in theory, even if you do an OS re-install, the BIOS would still be compromised.

    How much can they do with the BIOS?
    Boot from a different source/disk/UEFI image?
    Change your ILO password maybe?
    Maybe more now that we have more functionality in UEFI?

    Remember, it is all software. Just because the BIOS is 'present' at boot time, it does not mean that it is 'gone' at run-time.
    You just need to know how and where to poke!



  • If you are an attacker with such access to a system where you can alter the boot files/BIOS/firmware you are already at the position where you can do a whole bunch of much sneakier stuff than try to play games with the BIOS or the firmware of the system, the game is already over and it makes no difference if the system has secure boot or not.



  • @kpa:

    If you are an attacker with such access to a system where you can alter the boot files/BIOS/firmware you are already at the position where you can do a whole bunch of much sneakier stuff than try to play games with the BIOS or the firmware of the system, the game is already over and it makes no difference if the system has secure boot or not.

    Secure boot can prevent those situations from occurring in the first place. For one, it can prevent "drive by" attacks. There is also a class of attack where the boot sequence can get altered, then the next time the system reboots, the malware loads itself first, then lets the OS load. At this point, the attacker can siphon data from your system without you knowing.



  • It is interesting to read about all your views about Secure Boot and security concerns, but if I understand it correctly FreeBSD and therefore also pfSense have no support for Secure Boot yet, so even if there are some benefits of using it the discussion is purely academic from a pfSense perspective.
    Does a strong BIOS password offer protection even against attacks with no physical access? Perhaps this is an option to be considered?

