Is it safe to use UEFI Secure Boot and disk encryption without burning any fuse keys to protect my data on the disk?

Hello,

I’d like to know if it is safe to protect my data on the disk by using only disk encryption with UEFI Secure Boot but without burning any fuse keys.

Here are my thoughts: If I use disk encryption without burning fuse keys and without UEFI Secure Boot, an attacker might modify the initrd to unlock the disk. However, if I enable UEFI Secure Boot (signing the initrd), I am wondering if this setup is secure enough to protect my data. Can attackers somehow bypass UEFI Secure Boot because I haven’t burned any fuse keys?

Thank you.

I’m sorry for the misunderstanding. I have corrected some words and emphasized them.

hello pinyu.wang,

UEFI SecureBoot and disk encryption can be enabled without fusing keys.

Although UEFI secure boot can be enabled independently of the low-level bootloader secure boot, we strongly recommend that users enable bootloader secure boot so that the root-of-trust starts from the BootROM.
For instance, an attacker with physical access to QSPI flash can manipulate anything and everything. If the keys themselves get overwritten or deleted, all protection goes away.

Please see also the developer guide, SecureBoot.
The root-of-trust that uses the NVIDIA SoC fuses to authenticate boot code ends at the bootloader. After this, the current bootloader (UEFI) uses UEFI’s security key scheme to authenticate its payloads.
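A defender-side check that goes with this answer (an added example, not code from NVIDIA or from this thread): it decodes the efivarfs records for SecureBoot, SetupMode and PK and reports whether UEFI Secure Boot is actually enforcing on the booted system. The efivarfs path and the EFI global-variable GUID are standard; the sample bytes in the code are constructed. It only confirms enforcement of the UEFI stage; it cannot tell you whether the key store itself is protected, which is exactly what fusing the bootloader root-of-trust adds.

```python
from pathlib import Path

# GUID under which the UEFI spec files SecureBoot, SetupMode and PK.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes):
    """efivarfs exposes each variable as a 4-byte little-endian attribute
    bitmask followed by the variable's data. Returns (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("truncated efivarfs record")
    return int.from_bytes(raw[:4], "little"), raw[4:]


def assess_uefi_state(variables: dict) -> dict:
    """variables maps 'SecureBoot', 'SetupMode' and 'PK' to raw efivarfs
    bytes, or None when the variable does not exist (e.g. legacy boot)."""
    def flag(name):
        raw = variables.get(name)
        if raw is None:
            return None  # variable absent: firmware is not UEFI-enforcing
        _, data = parse_efivar(raw)
        return bool(data) and data[0] == 1

    secure_boot = flag("SecureBoot")   # 1 = enforcing signature checks
    setup_mode = flag("SetupMode")     # 1 = no PK, keys freely writable
    pk_raw = variables.get("PK")
    pk_enrolled = pk_raw is not None and len(parse_efivar(pk_raw)[1]) > 0
    # Enforcing only if all three agree: SecureBoot on, user mode, PK present.
    enforcing = secure_boot is True and setup_mode is False and pk_enrolled
    return {"secure_boot": secure_boot, "setup_mode": setup_mode,
            "pk_enrolled": pk_enrolled, "enforcing": enforcing}


def read_live_state() -> dict:
    """Read the three variables from the running system's efivarfs."""
    found = {}
    for name in ("SecureBoot", "SetupMode", "PK"):
        path = EFIVARS_DIR / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"
        found[name] = path.read_bytes() if path.exists() else None
    return assess_uefi_state(found)


# Constructed sample records (attributes NV|BS|RT = 0x07; PK bytes are a
# placeholder, not a real certificate) for an offline demonstration.
SAMPLE_ENFORCING = {"SecureBoot": b"\x07\x00\x00\x00\x01",
                    "SetupMode": b"\x07\x00\x00\x00\x00",
                    "PK": b"\x07\x00\x00\x00" + b"\xaa" * 16}
SAMPLE_SETUP_MODE = {"SecureBoot": b"\x07\x00\x00\x00\x00",
                     "SetupMode": b"\x07\x00\x00\x00\x01", "PK": None}

if __name__ == "__main__":
    print(assess_uefi_state(SAMPLE_ENFORCING))
    print(read_live_state())
```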

I appreciate the example of the attack. It clearly illustrates the importance of starting secure boot from the BootROM. Thank you for your assistance.