The obvious answer to "Does UEFI Secure Boot add any actual security" is "Basically every cache of leaked documents from state-level actors or companies selling shit to them has included discussion of how to circumvent UEFI Secure Boot" and why would they bother if it didn't

@mjg59 The biggest problem I see is that the keys are in the hands of microsoft. I would rather see them at a better organisation like e.g. the EU

@JCWasmx86 Given the EU's apparent desire to force browsers to trust any CA the EU deems trustworthy regardless of their technical competence, I'm not sure I'd pick them, but yes, I'd prefer it not to be Microsoft - but nobody else with a reasonable degree of competence has offered

@JCWasmx86 Running the UEFI CA costs Microsoft a shitload of money and I'm sure they'd actually be happy to transfer it to a competent authority that offered to take over instead

@mjg59 @JCWasmx86 Maybe the Linux Foundation? They already sponsor Sigstore I think, they seem like they'd be a good home for it.

@jawnsy @JCWasmx86 They looked into it in 2012 and said no

@trdebunked If locks didn't provide security, there'd be much less interest in picking locks. Security isn't a binary state, it's heavily influenced by how skilled and funded your attackers are.

@mjg59 Yes, similarly as my door adds physical security for getting into my house. With the right set of tools it can be can be torn off the hinges, but still I feel safer having a door, an not just plain doorway...

@mjg59 Generally I think that the best way to practically understand "virtual" security and access control is to reflect that with physical security.

@jarkko @mjg59

My mother felt a lot safer with a screen door.

No lock on it; just a screen.

And she busted it, more than once, by simply accidently walking through it.

But still, she felt a lot safer with it there.

🙄