Announcement

Collapse
No announcement yet.

GNOME To Warn Users If Secure Boot Disabled, Preparing Other Firmware Security Help

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • GNOME To Warn Users If Secure Boot Disabled, Preparing Other Firmware Security Help

    Phoronix: GNOME To Warn Users If Secure Boot Disabled, Preparing Other Firmware Security Help

    GNOME and Red Hat developers are working on integrating firmware security tips and recommendations into the desktop for warning users about platform/firmware security issues like if UEFI Secure Boot is disabled and other possible avenues their system could be exploited...

    Phoronix, Linux Hardware Reviews, Linux hardware benchmarks, Linux server benchmarks, Linux benchmarking, Desktop Linux, Linux performance, Open Source graphics, Linux How To, Ubuntu benchmarks, Ubuntu hardware, Phoronix Test Suite

  • #2
    Let's hope that this can be disabled...

    Comment


    • #3
      GNOME is preparing to warn users if Secure Boot is disabled, among other steps for trying to ensure the system state is at least secure at the platform level.
      So; they are basically preparing to do a disservice to many of their Nvidia end users? Is it just because they are so detached from reality or a combo of that and urge to "show" a security oriented side after all Windows 11 TMP,secure boot news made waves.

      Because i assume most of the NV users are not into this process to just being able to enable Secure Boot and having a functioning NV driver as well.

      Signing the NVIDIA Kernel Module


      Some kernels may require that kernel modules be cryptographically signed by a key trusted by the kernel in order to be loaded. In particular, many distributions require modules to be signed when loaded into kernels running on UEFI systems with Secure Boot enabled. nvidia-installer includes support for signing the kernel module before installation, to ensure that it can be loaded on such systems.
      Continues with wall of text.

      Comment


      • #4
        If secure boot is the end all be all of security then why doesn't OpenBSD even support it? It's leader Theo has sworn it off.

        Comment


        • #5
          Would be useful if other distros implemented this safe feature.

          Comment


          • #6
            Originally posted by tildearrow View Post
            Let's hope that this can be disabled...
            Because this was hard to find

            This work proposed a warning image and critical notification in GDM login dialog when secure boot is disabled. After the user login to a secure boot disabled system, a notification with a button will be shown and takes the user to the firmware security setting panel for the details. Also, the notification in the user workspace can be disabled by the user through gsettings. If "org.gnome.shell.sb-check" is set to false, the notification in the user workspace will be disabled. It also can be disabled globally for system testing reasons through kernel parameters. If "sb-check=false" is put to kernel parameter, all the checks of the secure boot will be utterly disabled.

            Comment


            • #7
              I never thought I would see the day where Linux developers would sheer for Microsoft control over our hardware...

              Comment


              • #8
                This is great!
                I would also want support for:
                • Secure attention key, i.e. Ctrl+Alt+Del to login.
                • Authentication using fingerprint or FIDO/U2F authentication hardware token.
                • Authentication via Android device.
                • Integration with third-party antivirus software as is done by Windows Security.
                • See open ports and firewall configuration.
                • Application-based firewall where applications cannot connect out unless allowed.
                • Ability to restrict installation of software to only Snap and/or Flatpaks, something similar to Windows S mode.

                Originally posted by tildearrow View Post
                Let's hope that this can be disabled...
                It can via the "sb-check=false" kernel parameter, but let's hope they remove that so that it cannot be disabled, else it maybe could be disabled by malware.

                Originally posted by kylew77 View Post
                If secure boot is the end all be all of security then why doesn't OpenBSD even support it? It's leader Theo has sworn it off.
                UEFI Secure Boot is not the end all be of all security, it is not a magic bullet, such thing doesn't exist, it is a layer of security in a multi-layered approach to security. Defense in depth.

                Originally posted by MorrisS. View Post
                Would be useful if other distros implemented this safe feature.
                With this code being upstreamed, I think it will eventually become standard in all Linux distributions.

                Comment


                • #9
                  While I believe Secure Boot is not a very significant enhacement to security, I still think warning about those things (like TPM or IOMMU status, etc) is the right thing to do, even though enabling Secure Boot can cause some headaches, especially if you have a dual-boot system on the same disk or you use Nvidia hardware.

                  Comment


                  • #10
                    So. Technically, what is this protecting against?

                    Unauthorized change of kernel? Because it sure doesn't protect any userspace.
                    Afaiu, there is no problem re-signing a kernel?
                    So if someone can change your kernel your're screwed either way, privilige-wise.
                    And if we're talking physical access changes, you're screwed no matter what.

                    Comment

                    Working...
                    X