Originally posted by M@GOid
View Post
Announcement
Collapse
No announcement yet.
GNOME To Warn Users If Secure Boot Disabled, Preparing Other Firmware Security Help
Collapse
X
-
Secure Boot is cool but its implementations are nonsense. I've tried enrolling user keys and signing the kernel on a few machines, and the story was the same --- verification was working ok, but a fw reset (removing CMOS battery, proper switch on the motherboard) was enough to jump back to the default SB state with my keys deleted.
So it is either this or using a machine with MS keys baked in, with a MS-approved bootloader blob, not a substantially tempting option.
I suspect the same story applies to all other switches this tool checks; without coreboot one has to trust the firmware, and these are traditionally totally unreliable, most vendors are more concerned with bloating them with kitsch fan animations that moving their quality anywhere higher than "somewhat seems to work for us".
- Likes 19
Comment
-
Nice, I hope they'll continue borrowing features from KDE Plasma and maybe one day Gnome will become a usable DE.
Last edited by openminded; 29 July 2022, 08:44 AM.
- Likes 4
Comment
-
Originally posted by milkylainen View PostSo. Technically, what is this protecting against?
Unauthorized change of kernel? Because it sure doesn't protect any userspace.
Afaiu, there is no problem re-signing a kernel?
So if someone can change your kernel your're screwed either way, privilige-wise.
And if we're talking physical access changes, you're screwed no matter what.
As far as re-signing the kernel, that depends on how you manage the SecureBoot keys and how the private keys are protected. If you leave the keys on the machine and they are unprotected, without being encrypted with a passphrase or some other mechanism, then yes it's a significantly weaker security enhancement but does still prevent drive-by kernel/initramfs changes.
Physical access is a whole other can of worms, but with firmware integrity features on newer chips (for Intel things like FD0V, BootGuard) the situation is getting better.
The most unfortunate reality of current SecureBoot implementations is that you usually have to keep the Microsoft certificate as a KEK or you may not be able to run certain hardware option ROMs (used for UEFI device drivers, like if you want to network boot,configure hardware RAID, etc) as they are typically signed for the widest compatibility. Sometimes you get vendors who re-sign them to their certificate (I've experienced that with HPE in particular) which isn't much better but it's not Microsoft.
When this lands I'll probably take the time to actually switch over to systemd-boot with a UKI and enable SecureBoot finally. Been coasting for too long with GRUB.
- Likes 3
Comment
-
Originally posted by birdie View PostSecure boot in Linux is a security theater anyways because only the kernel image and its modules are signed. Everything else is not, not a single binary or library on the disk.
This week there has been a lot of news about a flaw in Windows that could be used by web sites to easily gain access to a visitor's Windows login name and password. This article explains how this flaw works and how you can prevent it.
2016
This week there has been a lot of news about a flaw in Windows that could be used by web sites to easily gain access to a visitor's Windows login name and password. When I tested this flaw it was downright scary.
Using a test site for this flaw, the site was able to get my test Microsoft Account login name and the hash of its password in a few seconds. Then it took the site less than 30 seconds to crack the password! What is even scarier, is that this flaw is not new and was discovered in March 1997!
- Likes 9
Comment
Comment