GNOME To Warn Users If Secure Boot Disabled, Preparing Other Firmware Security Help
Originally posted by patrakov
No it doesn't, unless the Microsoft certificate is distrusted (and yes that's what I do and that's why I support the recent change of distrusting it by default in the newer laptops). But so far all distributions configure their Secure Boot support packages for easy installation, i.e. for compatibility with the default Microsoft certificate, and make it hard to switch to my own keys.
SecureBoot isn't perfect, but it's a lot better than nothing.
- Likes 1
Originally posted by patrakov
No it doesn't, unless the Microsoft certificate is distrusted (and yes that's what I do and that's why I support the recent change of distrusting it by default in the newer laptops). But so far all distributions configure their Secure Boot support packages for easy installation, i.e. for compatibility with the default Microsoft certificate, and make it hard to switch to my own keys.
Two examples:
Let's suppose that on this machine I installed Ubuntu. It boots via Microsoft-signed shim. Fedora does this too. But installing a Fedora kernel on my machine, and booting into it (with Ubuntu userspace still), would be an unauthorized change from my perspective - and Secure Boot with the default keys allows this.
Let's suppose that on this machine I installed Arch Linux. To boot Arch Linux with Secure Boot enabled, I would need to add my own keys to the firmware, and sign the unified kernel image. So far so good. But then, unless I explicitly remove the Microsoft certificate, somebody can copy the Fedora boot chain (shim + grub + kernel) to my machine, but with a trojaned initramfs, and (because this ancient system doesn't have a TPM and I am forced to use a passphrase - but look, we are talking about Secure Boot, not TPM, here) steal my LUKS passphrase. This is definitely unauthorized.
Just to reword this: for a security-conscious person, any shim signed by Microsoft is malware (because it can boot grub which can boot a properly-signed kernel with an arbitrary trojaned initramfs).
- Likes 1
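An added example, not part of any post in this thread: a defender-side audit of which X.509 certificates a machine's Secure Boot `db` trusts, which is the setting the post above turns on. It parses the EFI_SIGNATURE_LIST layout from the UEFI specification; the sample bytes, the owner GUIDs and the substring heuristic are constructed assumptions.

```python
import struct
import uuid

# SignatureType GUID for DER-encoded X.509 entries (EFI_CERT_X509_GUID, UEFI spec).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def parse_signature_lists(blob):
    """Yield (signature_type, owner_guid, data) for each entry in concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def microsoft_x509_entries(efivar_bytes, needle=b"Microsoft"):
    """Return owner GUIDs of X.509 db entries whose DER bytes contain `needle`.
    The substring match is an assumed triage heuristic, not certificate parsing."""
    body = efivar_bytes[4:]  # efivarfs prefixes the data with 4 bytes of attributes
    return [owner for sig_type, owner, data in parse_signature_lists(body)
            if sig_type == EFI_CERT_X509_GUID and needle in data]

def build_esl(sig_type, owner, datas):
    """Build one EFI_SIGNATURE_LIST from equal-length entries (helper for the sample)."""
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(datas[0])) + body

# Constructed sample: placeholder bytes standing in for DER certificates, made-up owner GUIDs.
OWNER_A = uuid.UUID(int=1)
OWNER_B = uuid.UUID(int=2)
SAMPLE_DB = (
    b"\x27\x00\x00\x00"  # constructed attribute word
    + build_esl(EFI_CERT_X509_GUID, OWNER_A, [b"<der>CN=Microsoft Corporation UEFI CA 2011</der>"])
    + build_esl(EFI_CERT_X509_GUID, OWNER_B, [b"<der>CN=Example owner-enrolled db key</der>"])
)

if __name__ == "__main__":
    print(microsoft_x509_entries(SAMPLE_DB))
```

On a live Linux system the input would be the raw contents of `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`; the substring match is quick triage only, and a full audit would parse each certificate's subject.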
Are you people so hostile to secure boot even half way paying attention to what it does, or are you assuming you know because some rando on the Internet told you Microsoft is behind it so it's got to be bad? Have you shoved your head under a rock for the past 5 years on Linux security? If so maybe it'll hit you on the skull and knock some sense into you, cuz it seems that's the only way some of you are going to learn. Linux by itself is no more secure than any other OS, and probably significantly less so than a few I can name.
Most viable Linux malware out there is designed to achieve persistence via installing kernel modules. What does secure boot defend against when properly implemented? Compromising the running kernel and kernel modules. No it's not designed to secure against malicious user space software, there are other tools to handle that. What user and kernel space can't manage is to make sure its own boot process isn't compromised! That's ALL that secure boot does and what it's meant to do - and it works. Can it be bypassed? Absolutely. Is it easy to bypass? No. You have to replace the firmware and/or keys to do so. That's a non-trivial exploit.
It stops anyone without signed kernel and module packages from successfully booting a compromised kernel and that's going to be most attackers using this vector. It's only a tool and it serves a single purpose, not the end all and be all of PC security - no one with half a brain would have thought it to be so. So stop acting like security is some monolithic monument that you plop down in a computer that cures all ills at once and all tools must do all things or it's somehow useless. Security doesn't work that way.
Now that that's said, there are some things that could be improved. I do wonder how System76 is going to handle this option since afaict, Pop! doesn't implement secure boot compatibility but relies on Gnome for its environment.
- Likes 11
Originally posted by Leopard
So; they are basically preparing to do a disservice to many of their Nvidia end users?
- Likes 3