DrHu wrote:I actually have little idea why anyone running a home based PC (desktop or even notebook/netbook) would need a secure boot
--I mean we can already encrypt hard drives or directoriers/folders: what's the real(not philosophical) advantages of it (uefi..)
First, please do not conflate Secure Boot and UEFI. You began your question asking about Secure Boot and ended it asking about UEFI, and the two are very different, as are the answers to the question of what benefits each provides to a typical user. Since Secure Boot is just one optional
feature of UEFI, I'll begin by answering the question about UEFI and then move on to Secure Boot....
UEFI is a replacement for a 30-year-old firmware post-hoc standard (BIOS). BIOS is showing its age in many ways, such as its reliance on 16-bit code, its linkage to the x86 instruction set that restricts portability, and a boot loader model that's extremely primitive by today's standards. UEFI updates all of this, enabling booting in the processor's best mode (64-bit x86-64 instructions on most desktop, laptop, and server systems today), cross-platform portability, and boot loaders that need to do less low-level stuff and so can focus on higher-level functionality. None of these (or more obscure) benefits of UEFI have really direct bearing on most users' activities, in the sense that you don't sit down at your computer and think, "oh, I'm so glad I'm not using 16-bit code to boot!" These features do,
however, have effects that you might notice, either now or in the future. For instance, the most recent UEFI implementations often have a "fast boot" mode that works, in part, by disabling the "hooks" for BIOS-mode booting. Doing this enables the EFI firmware to do its startup tasks more quickly than a BIOS can, because the UEFI is written in 64-bit code without 16-bit limitations and without needing to do all the things that a BIOS must
do but that aren't required by modern OSes. Thus, as a user you can shave a few seconds off your boot time when you set the "fast boot" mode. The EFI boot loader model enables you to manage your boot loaders in a saner way, since they're files on a disk rather than code splatted into unmanaged areas of the disk. (In practice, though, this benefit isn't all it could be because of buggy EFI implementations; but once the worst of those bugs fade into history, it will become a solid plus for EFI.) On the balance, right now EFI's benefits for the end user are minor, and in many cases the drawbacks outweigh the benefits. This is especially true with buggy or limited implementations or when using OSes with poor EFI support. This is likely to change in the future as both EFI implementations improve and as support in OSes gets better.
Secure Boot is just one UEFI feature, and it's an optional one. Until Windows 8's debut, few UEFI-based computers supported Secure Boot. Secure Boot is not
about data encryption or otherwise protecting your files, except indirectly: Secure Boot is about keeping malware off your computer. For years, one class of malware has inserted itself into the boot process, typically by replacing the boot loader. The malware can then run "underneath" the OS and therefore hide itself from the OS -- the most sophisticated forms of such malware act something like a virtual machine, so that they can control the OS's access to hardware. This makes them difficult or impossible to detect or remove from within the infected OS. In theory they could be made in a cross-platform way, so as to infect multiple OSes, but I don't know if any actually work in that way. Secure Boot serves as protection against such malware; if a boot loader isn't signed by a recognized key, a system with Secure Boot enabled won't let the boot loader run. Thus, to insert itself early in the boot process, malware would have to be signed. That would require malware authors to either register themselves with Verisign and Microsoft (thus giving a nice trail to their front door for law enforcement when their malware is discovered) or trick users into disabling Secure Boot or altering its configuration (which adds a social engineering task to their malware distribution efforts, which will slow the spread of the malware and alert security professionals earlier in the process of its spreading). Thus, Secure Boot does
have real benefits to end users. At the moment, this benefit is admittedly somewhat theoretical, since UEFI is new enough that there are few or no malware packages that target it. This isn't something you want to be complacent or dismissive about, though -- new malware appears constantly, and with new PCs shipping with Windows 8 and UEFI, it's 100% certain that malware authors will soon target that combination, if they haven't done so already. That said, as Linux users, we have less to worry about, since the malware authors tend to target the most popular and/or least secure platforms, and on the desktop, that's Windows. If you're dual-booting Windows and Linux, Secure Boot can be a benefit to the Windows side, although the hassle of getting all but a few Linux distributions booting with Secure Boot enabled is great enough that disabling it makes sense for the time being.