221
Microsoft’s Secure Boot has been broken for a decade and no one noticed until now
(www.welivesecurity.com)
This is a most excellent place for technology news and articles.
I'm assuming this is why it will forever "warn" me that my phone is running an "insecure" OS?
That's moreso because it's using an unofficial key, so the device manufacturer (Google in the case of Pixels) cannot verify the authenticity of the OS you're running.
If you were able to replace that bootloader with a custom one, then you would be able to disable that message or just use a completely different bootloader like UBoot or EDK2 if it was ported, though.
Functionally, though, wouldn't it be the same as replacing the computer's SecureBoot bootloader, since it's Microsoft (in the case of SecureBoot) that doesn't like the unofficial key that Linux installs? Shouldn't the user be allowed to add or remove any key they desire from the allow list of official keys (maybe have some sort of decentralized verification system, if they user decides they want to verify it)?
I'm more thinking out loud here, trying to understand.
The difference is that with ARM TrustZone, there is an efuse burned with the key that the manufacturer set in the SoC itself that checks the signature of the primary bootloader, which cannot be modified.
Standard computers do not have such a hardware-level key, so if you wanted to replace the bootloader with something like coreboot if it has been ported to your board, then you can. On smartphones, you do not have that option.
Same thing goes for even more locked down systems like game consoles.