pull down to refresh

Hey guys, I've been looking a little into PC security lately and enabled Secure Boot on my Laptop. It's a good thing because it assures me that the software booting is not malware (it's actually quite nuanced but let's stick to this assumption for the sake of my topic).
My concern now is: How do I know that noone resettet the UEFI settings, disabled Secure Boot and installed some malware which looks and behaves exactly like my OS?
The only protection I can think of is the UEFI not allowing a complete factory reset by setting a password, which cannot be reset. But I am unable to find good information on this topic. Is there an overview web site of common UEFI manufacturers/versions and their reset options? Searching for this topic revealed that several UEFIs have actual backdoor admin passwords. Are there any vendors who clearly state that their UEFI password protection cannot be circumvented?
Thanks for your thoughts!
Secure boot, UEFI, and the OS allowed by secure boot are actually the malware. You're better of disabling secure boot, installing a really secure open source operating system on a password protected encrypted device, and setting up a strong incremental backup policy on at least two (I currently keep four of them) different password protected encrypted devices, one kept locally and the second one kept off-site.
reply
^^ exactly
You need a laptop with the Intel Management Engine (IME) disabled. The following vendors can help:
Next you need to pick a setup that has a USB key to verify that your bootloader wasn't modified (Measured Boot). This will require PIN entry to load your OS after every upgrade.
And for a final layer of protection, if you're comfortable with linux, consider Qubes!
reply
Thanks, great resources, I did only know of purism so far. I will look into it. I've made no distinction between Secure Boot and Measured Boot so far. But by now it's obvious to me that an open source firmware is a key requirement.
reply
No doubt about it. If your main board is supported by one, your'e much better off replacing it.
reply
Secure Boot allows to detect evil maid attacks, I can also employ my own key in the laptop firmware and sign my self-compiled kernel with it (maybe not on every laptop but the ones I came across offered this). Learning more on this topic I understand that it may also mean depending on Microsoft and proprietary firmware which I clearly do not want. I want to make sure that noone changed any software on my computer while I was away.
Even the best "really secure open source operating system" can be replaced by a rootkit without you noticing.
I have to admit, using Secure Boot requires trusting the UEFI software but you have to do that anyways. Open Source firmware implementations might be the answer. The reply by @ln123 offers great advice in this direction.
reply
If you have secure boot on, you're almost guarantied to already have some piece of malware on your computer. :-)
reply