Qualifier: for personal computers that you don't take regular backups of, test backups, etc
I also wouldn't really say it's much trouble. If you have a TPM and use systemd, you can set it up to unlock FDE automatically on boot, otherwise, you just have to input an extra password when turning on your machine.
I don't understand that sentence. So instead of a bootloader in the ROM that starts the next bootloader and verifies that it is signed (I think that's how it is on Android?), on a laptop the first bootloader can be installed by the user and nothing checks its signature?
EDIT: what I read here [1] is that Secure Boot is verified from the ROM to the moment it starts "the Windows kernel" (on Windows). But it's not completely clear to me: say on Linux, if Secure Boot verifies up to my /boot partition (does it?), then it should be okay because I have FDE on the rest, right?
[1]: https://learn.microsoft.com/en-us/windows/security/operating...
It should be signed by the manufacturer, so you shouldn't be able to. Loaded by a shim even smaller in the CPU, part of Boot Guard and Platform Secure Boot, if I'm not remembering wrong.
> say on Linux, if Secure Boot verifies up to my /boot partition (does it?)
No. It verifies one signed file, usually Grub EFI shim. Which then should check everything you want. Unlike Windows, desktop Linux distros rarely have the best SB system. Poettering has described this issue in depth.
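A quick way to see the point made above on your own machine, added here as an example and not code from any poster in the thread: read the SecureBoot and SetupMode EFI variables to confirm the firmware is actually enforcing, then walk /boot and ask, for each kernel, initrd and .efi file, whether it is even a PE image carrying an Authenticode certificate table. A plain initrd or a kernel without a signature is not something shim or the firmware can verify, whatever grub does next. Assumptions: the standard efivarfs mount point and /boot layout; the certificate-table check is a minimal PE header parse that only says "signed by someone", not "trusted by db or MOK" (use sbverify against your keys for that); build_test_pe() is a constructed header-only fixture for the assertions, not a bootable binary.

```python
#!/usr/bin/env python3
"""Where does Secure Boot verification actually stop on this Linux box?
Added example. Assumed paths and the header-only PE parse are not from the thread."""
import struct
from pathlib import Path

# Assumed: efivarfs mounted at the usual place; GUID is the EFI global variable GUID.
_EFIVARS = Path("/sys/firmware/efi/efivars")
SECUREBOOT_VAR = _EFIVARS / "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SETUPMODE_VAR = _EFIVARS / "SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def efivar_u8(raw: bytes) -> int:
    """efivarfs prepends 4 bytes of variable attributes; the payload follows."""
    if len(raw) < 5:
        raise ValueError("too short for an efivarfs entry")
    return raw[4]


def secure_boot_enforcing(secureboot_raw: bytes, setupmode_raw: bytes) -> bool:
    """Only SecureBoot==1 together with SetupMode==0 means signatures are enforced."""
    return efivar_u8(secureboot_raw) == 1 and efivar_u8(setupmode_raw) == 0


def pe_certificate_table(image: bytes):
    """(offset, size) of the Authenticode certificate table, or None.
    Data directory index 4 is IMAGE_DIRECTORY_ENTRY_SECURITY."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None  # not a PE: gzip'd initrd, or a bzImage built without EFI stub
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20  # skip PE signature and 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x20B:    # PE32+
        n_rva_off, dd_off = opt + 108, opt + 112
    elif magic == 0x10B:  # PE32
        n_rva_off, dd_off = opt + 92, opt + 96
    else:
        return None
    if struct.unpack_from("<I", image, n_rva_off)[0] <= 4:
        return None
    off, size = struct.unpack_from("<II", image, dd_off + 4 * 8)
    return (off, size) if size else None


def classify(image: bytes) -> str:
    """'not-pe' files cannot be checked by firmware or shim at all."""
    if image[:2] != b"MZ":
        return "not-pe"
    return "signed-pe" if pe_certificate_table(image) else "unsigned-pe"


def build_test_pe(cert_size: int, pe32plus: bool = True) -> bytes:
    """Constructed fixture: header-only PE image, just enough structure to parse.
    Not a real or bootable binary."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224          # 16 data directories
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                                   0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    n_rva_off, dd_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, n_rva_off, 16)
    cert_off = e_lfanew + len(coff) + opt_size
    struct.pack_into("<II", opt, dd_off + 4 * 8, cert_off if cert_size else 0, cert_size)
    return bytes(dos) + coff + bytes(opt) + b"\0" * cert_size


def main() -> None:
    try:
        enforcing = secure_boot_enforcing(SECUREBOOT_VAR.read_bytes(), SETUPMODE_VAR.read_bytes())
    except OSError:
        enforcing = False  # legacy boot, or efivarfs not mounted
    print("Secure Boot enforcing:", enforcing)
    for p in sorted(Path("/boot").rglob("*")):
        n = p.name.lower()
        if p.is_file() and (n.startswith(("vmlinuz", "initrd", "initramfs")) or n.endswith(".efi")):
            with p.open("rb") as f:
                print(f"{classify(f.read(4096)):12} {p}")  # headers fit in the first 4 KiB


if __name__ == "__main__":
    main()
```

Run it as root after a normal boot. A typical distro install shows shim and grub as signed-pe, vmlinuz as signed-pe (distro-signed) or unsigned-pe, and every initrd as not-pe: that last line is exactly the gap being discussed, and a unified kernel image (kernel plus initrd in one signed .efi) is one way to close it.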