More corporate crap being foisted on gnome, for home users it's all a waste of space.
GNOME To Warn Users If Secure Boot Disabled, Preparing Other Firmware Security Help
Originally posted by mb_q
Secure Boot is cool but its implementations are nonsense. I've tried enrolling user keys and signing the kernel on a few machines, and the story was the same --- verification was working ok, but a fw reset (removing CMOS battery, proper switch on the motherboard) was enough to jump back to the default SB state with my keys deleted.
So it is either this or using a machine with MS keys baked in, with an MS-approved bootloader blob, not a substantially tempting option.
I suspect the same story applies to all other switches this tool checks; without coreboot one has to trust the firmware, and these are traditionally totally unreliable, most vendors are more concerned with bloating them with kitsch fan animations than moving their quality anywhere higher than "somewhat seems to work for us".
- Likes 2
Originally posted by Dar13
SecureBoot protects against unauthorized changes of the kernel (and if you use a Unified Kernel Image, the initramfs as well). This authorization is done by the platform owner which is usually the owner of the machine, so in the case of your laptop/desktop it would be you.
Two examples:
Let's suppose that on this machine I installed Ubuntu. It boots via Microsoft-signed shim. Fedora does this too. But installing a Fedora kernel on my machine, and booting into it (with Ubuntu userspace still), would be an unauthorized change from my perspective - and Secure Boot with the default keys allows this.
Let's suppose that on this machine I installed Arch Linux. To boot Arch Linux with Secure Boot enabled, I would need to add my own keys to the firmware, and sign the unified kernel image. So far so good. But then, unless I explicitly remove the Microsoft certificate, somebody can copy the Fedora boot chain (shim + grub + kernel) to my machine, but with a trojaned initramfs, and (because this ancient system doesn't have a TPM and I am forced to use a passphrase - but look, we are talking about Secure Boot, not TPM, here) steal my LUKS passphrase. This is definitely unauthorized.
Just to reword this: for a security-conscious person, any shim signed by Microsoft is malware (because it can boot grub which can boot a properly-signed kernel with an arbitrary trojaned initramfs).
Last edited by patrakov; 29 July 2022, 10:15 AM.
- Likes 13
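Added example, not part of the thread or of any project's code: a defender-side audit of the Secure Boot `db` contents, which lists every entry that was not enrolled under your own owner GUID, since each such entry is an additional signer the firmware will accept. The sample payload, `MY_OWNER` and the helper names are constructed for illustration; the format parsed is the UEFI `EFI_SIGNATURE_LIST` layout.

```python
import struct
import uuid

X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # EFI_CERT_X509_GUID
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # EFI_CERT_SHA256_GUID
SIG_TYPES = {X509: "x509", SHA256: "sha256"}
# Owner GUID conventionally attached to Microsoft-provided entries (a label, not proof).
MICROSOFT_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# Hypothetical owner GUID standing in for the one used when enrolling your own keys.
MY_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")


def parse_signature_lists(blob):
    """Return (type, owner GUID, data) for every entry in chained EFI_SIGNATURE_LISTs."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body, end = off + 28 + hdr_size, off + list_size
        if list_size < 28 + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        if (end - body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + sig_size]
            entries.append((SIG_TYPES.get(sig_type, str(sig_type)), owner, data))
        off = end
    return entries


def foreign_trust_anchors(blob, my_owner):
    """db entries not enrolled under your own owner GUID: extra signers the firmware trusts."""
    return [e for e in parse_signature_lists(blob) if e[1] != my_owner]


def make_list(sig_type, owner, data):
    """Build a single-entry signature list; used only for the constructed sample."""
    sizes = struct.pack("<III", 28 + 16 + len(data), 0, 16 + len(data))
    return sig_type.bytes_le + sizes + owner.bytes_le + data


# Constructed sample db payload (placeholder bytes instead of real certificates).
SAMPLE_DB = (make_list(X509, MY_OWNER, b"placeholder-cert-A")
             + make_list(X509, MICROSOFT_OWNER, b"placeholder-cert-B"))

if __name__ == "__main__":
    for kind, owner, data in foreign_trust_anchors(SAMPLE_DB, MY_OWNER):
        print(kind, owner, len(data), "bytes")
```

When reading the real variable through efivarfs on Linux, skip the leading 4 attribute bytes before passing the rest to `parse_signature_lists`. The owner GUID is set by whoever enrolled the entry, so confirm the certificate subject of anything reported before deciding to keep or remove it.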
I won't be happy until Gnome implements the Cortana voice assistant and forces users to beg the desktop environment to do a full restart into uefi/bios.
"Please let me change my uefi settings Gnome..."
"I'm sorry Dave, I'm afraid I can't do that"
Last edited by andyprough; 29 July 2022, 10:11 AM.
- Likes 5