• mushroomman_toad@lemmy.dbzer0.com
    14 hours ago

    Pros and cons of disabling the default Microsoft key:

    (Assuming you have secure boot enabled, and want the security that comes from that)

    pros:

    • You control your own key and have full choice over what software can start up on your computer; software cannot be approved by anybody else.
    • Your secure boot security model is not vulnerable to the risk of booting 3rd party software with known security vulnerabilities.
    • Sophisticated attackers with physical access to your computer cannot carry out an evil maid attack on your computer and convince it to trick you or steal your data.

    cons:

    • You need to have software installed to manage the key. There is software available for Ubuntu and NixOS.
    • There are many buggy UEFI implementations out there that require the Microsoft key to load built-in oproms during standard boot, potentially bricking your computer.
    • Software that gains root access to your computer could steal your signing key, potentially negating the benefits of secure boot against non-evil maid attacks.
    • felsiq@piefed.zip
      9 hours ago
      • There are many buggy UEFI implementations out there that require the Microsoft key to load built-in oproms during standard boot, potentially bricking your computer.

      From what I’ve found looking into this before, NVIDIA graphics cards have these oproms so your own secure boot key + NVIDIA will brick your shit. Can anyone confirm or deny this? Are modern AMD cards any better for this? I’ve been itching to use my own keys for ages and this is the only thing holding me back.
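
An added example, not part of either comment above: a parser for the `db` Secure Boot variable that counts entries per owner GUID, so you can see whether Microsoft-owned entries are still trusted by the firmware before or after enrolling your own key. `MY_OWNER`, `build_list` and the sample bytes are constructed for illustration.

```python
import struct
import uuid

# Owner GUID Microsoft uses for its db/KEK entries. It is only a label chosen
# by whoever enrolled the entry, so treat a match as a hint, not proof.
MICROSOFT_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # SignatureType

def parse_signature_lists(data):
    """Yield (sig_type, owner, payload) per entry of concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if sig_size <= 16 or list_size < 28 + hdr_size or end > len(data):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = data[off + 28 + hdr_size:end]
        if len(body) % sig_size:
            raise ValueError("entries do not fill the list evenly")
        for i in range(0, len(body), sig_size):
            yield sig_type, uuid.UUID(bytes_le=body[i:i + 16]), body[i + 16:i + sig_size]
        off = end

def summarize_db(efivar_bytes):
    """Count entries per owner GUID; efivarfs prefixes a 4-byte attribute field."""
    counts = {}
    for _, owner, _ in parse_signature_lists(efivar_bytes[4:]):
        counts[owner] = counts.get(owner, 0) + 1
    return counts

def build_list(sig_type, owner, payload):
    """Constructed test helper: one EFI_SIGNATURE_LIST holding one entry."""
    sig_size = 16 + len(payload)
    header = sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + owner.bytes_le + payload

# Constructed sample: attributes + one Microsoft-owned and one self-owned entry.
MY_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # hypothetical
SAMPLE_DB = (struct.pack("<I", 0x27)
             + build_list(EFI_CERT_X509, MICROSOFT_OWNER, b"\x30\x82" + b"\x00" * 30)
             + build_list(EFI_CERT_X509, MY_OWNER, b"\x30\x82" + b"\x00" * 40))

if __name__ == "__main__":
    # On a real system, read /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    for owner, n in summarize_db(SAMPLE_DB).items():
        tag = " (Microsoft owner GUID)" if owner == MICROSOFT_OWNER else ""
        print(f"{owner}: {n} entries{tag}")
```

This only reports what `db` trusts; it does not tell you whether a given card's option ROM needs one of those entries to load.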