I want an equivalent of boot guard that I hold the keys to. Presented only with ...

kachapopopow · 2026-01-25T12:17:44 1769343464

that defeats the point, having the "keys" allows malicious actors to perform the same kind of attacks... trust is protected by trusted companies...

certificate companies sell trust, not certificates.

fc417fc802 · 2026-01-25T13:15:19 1769346919

Me managing my own (for example) secure boot keys does not inherently enable malicious actors. Obviously unauthorized access to the keys is an attack vector that whoever holds them needs to account for. Obviously it's not risk free. There's always the potential that a user could mismanage his keys.

There's absolutely no excuse for hardware vendors not to provide end users the choice.

> trust is protected by trusted companies...

The less control of and visibility into their product you have the less trustworthy they are.

kachapopopow · 2026-01-25T17:17:07 1769361427

the hardware is made by asus, asus signs with their key backed by a trusted company.

asus gives out keys to sign bios firmware, now aliexpress can not only counterfeit, but provide tampered hardware.

you can enroll your own secure boot keys so that's not really relevant.

fc417fc802 · 2026-01-25T18:13:27 1769364807

Secureboot was being used as an example to illustrate the issue with your claim that a user controlling the keys must necessarily undermine security.

I'll grant that if the user is given control then compromise within the supply chain does become possible. However the same hypothetical malicious aliexpress vendor could also enroll a custom secure boot key, install "definitely totally legit windows", and unless the user inspects he might well never realize the deception. Or the supply chain could embed a keylogger. Or ...

kachapopopow · 2026-01-25T20:00:45 1769371245

you don't have to trust software, but you have to trust your firmware and hardware.