This may be seems to be kind of a paranoiac question, but whole secure boot brings me one question. How can I be sure I really enter BIOS and my Secure Boot settings are real. Isn’t it possible that machine is infected and it boots immediately with fake BIOS. As from my understanding BIOS is kind of software which is stored even if I deatach all disks and network. Just unattended moment and somebody can “upgrade” my BIOS with software which will not allow to override with true BIOS and have control over in early state of booting. I could imagine special BIOS reset button (like on motherboard circutbreaker or router reset switch) which will restore original BIOS version stored somewhere in modifiable memory. Or is it common to have signed BIOS and fake BIOS will not be allowed to upgrade.
You are probably confusing UEFI boot-loader (shim) with the BIOS firmware provided by your Machine’s manufacturer. If you are worried about the first, then you can always reformat the UEFI partition and restore it with a trusted image before every boot. If you are worried about the later, then it might be okay to become terrified whenever a hardware engineer working for the Manufacturers is in the neighborhood.
I’m outta here
Your BIOS setup/firmware is never open source, so even if you install a BIOS firmware from a manufacturer it may be “fake” or compromised or whatever.
If you want more control of that interface, you need to buy a machine that comes with OpenBIOS or coreboot. If I am not wrong, system76 released a laptop with an open-source BIOS, have a look…
Stallmann uses librebios on Thinkpad T400s: https://stallman.org/stallman-computing.html
More stuff to read from the FSF: https://www.fsf.org/news/freebios.html
We all agree that this question is off-topic, let’s see if it remains open…
I mean paranoiac version - fake BIOS. People are people and it can be even not so much paranoiac to assume that hackers are in possession of BIOS source code or reverse engineered it. Or am I wrong and it is not possible to hack BIOS.
Of course its possible, anything is possible. The issue is how to inject the hacked firmware onto your BIOS chip. The manufacturer (or whereever you download firmware updates) can do this easily.