I’ve seen people advocating for both options, but since I’m still new to Linux I’m not sure what to do. I’m currently installing Mint on my laptop to try it out, and I’m not sure if I should enable secure boot or not.
I’ve seen people advocating for both options, but since I’m still new to Linux I’m not sure what to do. I’m currently installing Mint on my laptop to try it out, and I’m not sure if I should enable secure boot or not.
Tpm is for crypto and secure generation and storage of values for use in encryption generally. Secureboot is just firmware verification of loaded binaries from boot on out, they’re 2 different pieces and are not really relevant to each other, unless you’re like me and have a fully customized bootloader with keys in TPM and an EFI module with support for the TPM and unlocking your boot drive.
You are quite mistaken. TPM is used as a key pair, and not just generation.
Let give you a specific example: built a hardware platform for a company, and they wanted to make sure that the storage and device were secure on their own, as well as being separated to prevent somebody pulling it apart to try and channel attack all the different things.
On install, the encrypted disk generates a signature. TPm has its own clean keys set to verify that it’s paired at various levels with various pieces of onboard hardware. Then you pair a bootloader combination of those signatures to generate a three-part signature to make sure that what is in TPM matches both the onboard signatures of what is hardwired in, along with the key generated by the new encrypted volume on the drive.
Anyone takes that drive out, it’s mostly useless, because it can’t boot without the signatures verified by TPM, and they’ll never be able to match the combination of the other 15 keys stored there for the hardwired components.
That’s how it’s intended for use. Not just for signature generation and verification. It’s more of a key/value store than anything, like a physical hardware token device.
Cool story bro. And I am one of the 9 people that worked on the team at Intel to implement your modern EFI/UEFI.
I just don’t have the time or energy to sit here and explain the whole fucking stack to a bunch of people who mostly could care less. But, Secureboot, it’s a good thing, and the tools on linux get better every hour. Check out lanzaboote.
https://github.com/nix-community/lanzaboote