GNOME To Warn Users If Secure Boot Disabled, Preparing Other Firmware Security Help

  • #31
    Originally posted by birdie
    I hate the idea of giving the user a false sense of security. Once Linux distros get their act together and start signing all system binaries, then we can have a conversation.
    I know you are just trolling again, but you truly have no clue what you are talking about. Please educate yourself so that you can troll more productively in the future.



    • #32
      Originally posted by xcom
      I thought SecureBoot and TPM are M$'s crap. Why show it now?
      IBM was one of the main contributors and the first company to implement TPM. They also wrote the Linux drivers and software. And they own Red Hat.



      • #33
        Originally posted by patrakov

        No it doesn't, unless the Microsoft certificate is distrusted (and yes that's what I do and that's why I support the recent change of distrusting it by default in the newer laptops). But so far all distributions configure their Secure Boot support packages for easy installation, i.e. for compatibility with the default Microsoft certificate, and make it hard to switch to my own keys.
        I did mention the fact that you may have to keep the Microsoft key and how unfortunate that is, though I didn't spell out the ramifications of it quite the way you did. I also did endorse fully replacing the keys (otherwise how are you going to sign anything, your motherboard vendor definitely didn't give you the private key to their default PK certificate).

        SecureBoot isn't perfect, but it's a lot better than nothing.



        • #34
          Originally posted by patrakov

          No it doesn't, unless the Microsoft certificate is distrusted (and yes that's what I do and that's why I support the recent change of distrusting it by default in the newer laptops). But so far all distributions configure their Secure Boot support packages for easy installation, i.e. for compatibility with the default Microsoft certificate, and make it hard to switch to my own keys.

          Two examples:

          Let's suppose that on this machine I installed Ubuntu. It boots via Microsoft-signed shim. Fedora does this too. But installing a Fedora kernel on my machine, and booting into it (with Ubuntu userspace still), would be an unauthorized change from my perspective - and Secure Boot with the default keys allows this.

          Let's suppose that on this machine I installed Arch Linux. To boot Arch Linux with Secure Boot enabled, I would need to add my own keys to the firmware, and sign the unified kernel image. So far so good. But then, unless I explicitly remove the Microsoft certificate, somebody can copy the Fedora boot chain (shim + grub + kernel) to my machine, but with a trojaned initramfs, and (because this ancient system doesn't have a TPM and I am forced to use a passphrase - but look, we are talking about Secure Boot, not TPM, here) steal my LUKS passphrase. This is definitely unauthorized.

          Just to reword this: for a security-conscious person, any shim signed by Microsoft is malware (because it can boot grub which can boot a properly-signed kernel with an arbitrary trojaned initramfs).
          The shim shouldn't have existed probably, or rather they should have signed only the whole thing.

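The concern in the post above, that firmware keeps accepting Microsoft-signed boot chains until the Microsoft certificate is removed from `db`, can be checked on a running Linux system. This is an added example, not code from the thread or from any distribution: it parses the UEFI `db` variable exposed by efivarfs and counts X.509 entries that mention Microsoft. The function names are hypothetical and the substring match is a heuristic assumption.

```python
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"             # SecureBoot variable
EFI_IMAGE_SECURITY_DB = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db / dbx variables
CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")   # EFI_CERT_X509_GUID

def read_var(name, guid, root=EFIVARS):
    """Return a variable's payload; efivarfs prepends 4 attribute bytes."""
    return (Path(root) / f"{name}-{guid}").read_bytes()[4:]

def parse_signature_lists(blob):
    """Yield (type, owner, data) for each entry of the EFI_SIGNATURE_LISTs in blob."""
    off = 0
    while off < len(blob):
        if off + 28 > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < 28 or sig_size <= 16 or end > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def microsoft_x509_entries(blob):
    """Heuristic: X.509 entries whose DER bytes contain the ASCII name 'Microsoft'."""
    return [(owner, data) for sig_type, owner, data in parse_signature_lists(blob)
            if sig_type == CERT_X509 and b"Microsoft" in data]

def audit(root=EFIVARS):
    """Summarise Secure Boot state and how many Microsoft certs db trusts."""
    secure_boot = read_var("SecureBoot", EFI_GLOBAL, root)[:1] == b"\x01"
    db = read_var("db", EFI_IMAGE_SECURITY_DB, root)
    return {"secure_boot": secure_boot,
            "microsoft_certs_in_db": len(microsoft_x509_entries(db))}

if __name__ == "__main__":
    if EFIVARS.is_dir():          # only present on a UEFI-booted Linux system
        print(audit())
    else:
        print("efivarfs not mounted; pass a copied variable directory to audit()")
```

A non-zero `microsoft_certs_in_db` with Secure Boot enabled means the firmware will still accept any boot chain that starts from a Microsoft-signed shim.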


          • #35
            Still waiting to see someone influential raise a demand for a consortium consisting of major OS and hardware vendors that grants keys instead of leaving all control to Microsoft.



            • #36
              Originally posted by osw89
              It looks like GNOME devs will add the most unimportant features instead of doing something about a certain 18 year old issue.
              All men want this and it's disgusting. Gtk to have thumbnails in its file picker



              • #37
                There is a lot of over-obsession with security. It's like how you get murdered on Windows 11 news websites if you still use XP or Win7.



                • #38
                  Are you people so hostile to secure boot even half way paying attention to what it does, or are you assuming you know because some rando on the Internet told you Microsoft is behind it so it's got to be bad? Have you shoved your head under a rock for the past 5 years on Linux security? If so maybe it'll hit you on the skull and knock some sense into you, cuz it seems that's the only way some of you are going to learn. Linux by itself is no more secure than any other OS, and probably significantly less so than a few I can name.

                  Most viable Linux malware out there is designed to achieve persistence via installing kernel modules. What does secure boot defend against when properly implemented? Compromising the running kernel and kernel modules. No, it's not designed to secure against malicious user space software; there are other tools to handle that. What user and kernel space can't manage is to make sure its own boot process isn't compromised! That's ALL that secure boot does and what it's meant to do - and it works. Can it be bypassed? Absolutely. Is it easy to bypass? No. You have to replace the firmware and/or keys to do so. That's a non-trivial exploit.

                  It stops anyone without signed kernel and module packages from successfully booting a compromised kernel and that's going to be most attackers using this vector. It's only a tool and it serves a single purpose, not the end all and be all of PC security - no one with half a brain would have thought it to be so. So stop acting like security is some monolithic monument that you plop down in a computer that cures all ills at once and all tools must do all things or it's somehow useless. Security doesn't work that way.

                  Now that's said, there are some things that could be improved. I do wonder how System76 is going to handle this option since afaict, Pop! doesn't implement secure boot compatibility but relies on GNOME for its environment.



                  • #39
                    Originally posted by Leopard
                    So; they are basically preparing to do a disservice to many of their Nvidia end users?
                    I take it you are unaware that you can choose to enroll your own signing key and use it for the modules you build? Or just disable the warning should you choose that. You have many other choices too.




                    • #40
                      Originally posted by stormcrow
                      Linux by itself is no more secure than any other OS, and probably significantly less so than a few I can name.
                      I would say Linux is indeed significantly less secure than at least Microsoft Windows.
