Announcement

**justinkb** · 30 July 2022, 01:26 AM

Originally posted by You- View Post

I have to say this one has been entertaining, one of the most luddite threads on phoronix.

kind of like "don't look up!".

This feature doesnt change anything about secure boot. It just informs you of the status of what you have. However it is making some people on here feak out.

standard of comments on this website has always been quite low. the lion's share of people who post stuff under articles here are ill-informed and just ape whatever bullshit they read on some rabid ideologue's blog about systemd, secure boot, you name it. completely fact-free rants all day every day

**Waethorn** · 30 July 2022, 02:34 AM

Originally posted by kylew77 View Post

If secure boot is the end all be all of security then why doesn't OpenBSD even support it? It's leader Theo has sworn it off.

Theo is an ass. That's the nicest way to say it. If you dealt with him before, you'd know what I'm talking about.

**Waethorn** · 30 July 2022, 02:40 AM

Originally posted by xcom View Post

I thought SecureBoot and TPM are M$'s crap. Why show it now?

Microsoft sees the most malware of any OS vendor, and there's some real doozies out there. If you can contaminate a whole boot process at the firmware level, would you rather leave your OS security up to obscurity?

If you moved out to the country would you stop locking your front door?

**Waethorn** · 30 July 2022, 02:43 AM

Originally posted by mb_q View Post

Secure Boot is cool but its implementations are nonsense. I've tried enrolling user keys and signing the kernel on a few machines, and the story was the same --- verification was working ok, but a fw reset (removing CMOS battery, proper switch on the motherboard) was enough to jump back to the default SB state with my keys deleted.
So it is either this or using a machine with MS keys baked in, with a MS-approved bootloader blob, not a substantially tempting option.

I suspect the same story applies to all other switches this tool checks; without coreboot one has to trust the firmware, and these are traditionally totally unreliable, most vendors are more concerned with bloating them with kitsch fan animations that moving their quality anywhere higher than "somewhat seems to work for us".

Firmware needs a lot of work, yes. It's a common problem because hardware vendors all want to maintain some level of secret IP. This is why Microsoft worked to help develop UEFI standards. The hardware vendors won't give up their closed-source motivations, so this is at least a framework that makes it somewhat uniform. It's an ongoing development though. At least it's not like ARM. ARM hardware init and boot processes are completely un-uniform shit.

**Waethorn** · 30 July 2022, 02:45 AM

Originally posted by wsippel View Post

IBM was one of the main contributors and the first company to implement TPM. They also wrote the Linux drivers and software. And they own Red Hat.

TPM under the current specifications. VIA had hardware RNG and crypto engines early on though.

**Waethorn** · 30 July 2022, 02:47 AM

Originally posted by ClosedSource View Post

There is a lot of over-obsession with security. It's like how you get murdered on windows11 news websites if you still use xp or win7.

If nobody gave a crap about security, you'd still be using XP SP0 and automatically getting Blaster or Sasser after being online for <20 mins.

**Waethorn** · 30 July 2022, 02:50 AM

Originally posted by birdie View Post

I hate the idea of giving the user a false sense of security. Once Linux distros get their act together and start signing all system binaries, then we can have a conversation.

Secure Boot support in Linux prevents the installation of closed-source modules (drivers) on Linux. If this pushes NVIDIA to advance their open-source driver development, why wouldn't users of Linux support the move?

**Waethorn** · 30 July 2022, 02:55 AM

Originally posted by sinepgib View Post

Agreed on everything, specially the need for Coreboot.

Does Coreboot prevent third-party closed-source modules from running on Linux? If running an open-source operating system stack from top to bottom is important to you, this should be part of your consideration.

**Waethorn** · 30 July 2022, 02:57 AM

Originally posted by andyprough View Post

Yes, that's why all those millions of compromised desktop boxes in the massive botnet swarms are always Linux systems.

Oh wait, no - they are all Windows boxes. How odd.

Don't be facetious. There are lots of Linux systems that get compromised too - but those are servers. You'd think they'd be more secure than they are.

**Waethorn** · 30 July 2022, 03:01 AM

Originally posted by mdedetrich View Post

Yup exactly, the core principles behind SecureBoot and TPM are actually quite sound its just the implementation is absolute s**t. I think this is more of a result of crappy software that motherboard makers produce rather than Microsoft specifically (obviously the BIOS will have Microsoft keys as default and there isn't really such a thing as a "linux key" unless its a shim at which point SecureBoot is kinda pointless).

Most motherboard makers don't write the firmware code. AMI and Phoenix do. Motherboard companies just tell them which setting options to include and give them copies of logos and graphics.

Announcement

GNOME To Warn Users If Secure Boot Disabled, Preparing Other Firmware Security Help

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment