pull down to refresh

Secure boot, UEFI, and the OS allowed by secure boot are actually the malware. You're better of disabling secure boot, installing a really secure open source operating system on a password protected encrypted device, and setting up a strong incremental backup policy on at least two (I currently keep four of them) different password protected encrypted devices, one kept locally and the second one kept off-site.
^^ exactly
You need a laptop with the Intel Management Engine (IME) disabled. The following vendors can help:
Next you need to pick a setup that has a USB key to verify that your bootloader wasn't modified (Measured Boot). This will require PIN entry to load your OS after every upgrade.
And for a final layer of protection, if you're comfortable with linux, consider Qubes!
reply
Thanks, great resources, I did only know of purism so far. I will look into it. I've made no distinction between Secure Boot and Measured Boot so far. But by now it's obvious to me that an open source firmware is a key requirement.
reply
No doubt about it. If your main board is supported by one, your'e much better off replacing it.
reply
Secure Boot allows to detect evil maid attacks, I can also employ my own key in the laptop firmware and sign my self-compiled kernel with it (maybe not on every laptop but the ones I came across offered this). Learning more on this topic I understand that it may also mean depending on Microsoft and proprietary firmware which I clearly do not want. I want to make sure that noone changed any software on my computer while I was away.
Even the best "really secure open source operating system" can be replaced by a rootkit without you noticing.
I have to admit, using Secure Boot requires trusting the UEFI software but you have to do that anyways. Open Source firmware implementations might be the answer. The reply by @ln123 offers great advice in this direction.
reply
If you have secure boot on, you're almost guarantied to already have some piece of malware on your computer. :-)
reply