Debian Fixes Secure Boot For 64-bit ARM After Being Broken For Two Years

  • Debian Fixes Secure Boot For 64-bit ARM After Being Broken For Two Years

    Phoronix: Debian Fixes Secure Boot For 64-bit ARM After Being Broken For Two Years

    While Debian and its derivatives are quite popular with ARM single board computers, the ARM64 Secure Boot support has been broken for at least two years. But a fix is on the way and it should appear for this year's Debian 12 "Bookworm" release...


  • #2
    Two whole years.

    AArch64 is declining. All focus these days is on RISC-V.

    I don't mind that.



    • #3
      Originally posted by ayumu
      Two whole years.

      AArch64 is declining. All focus these days is on RISC-V.

      I don't mind that.
      I also wouldn't mind but rather it might be that:
      1. Debian is not used for AArch64, it's probably mostly Ubuntu and RHEL
      2. Secure boot is not used much for AArch64. For embedded it's not really used and for servers I guess it's also not really needed and used.



      • #4
        So much so for one of the most stable distros on earth...

        I'm pretty sure other distros don't have this issue.



        • #5
          Originally posted by mcirsta
          1. Debian is not used for AArch64, it's probably mostly Ubuntu and RHEL
          Nah, Raspberry Pi alone would suggest a big AA64 userbase.

          2. Secure boot is not used much for AArch64. For embedded it's not really used and for servers I guess it's also not really needed and used.
          That sounds much more like a possibility. Secure boot is only helpful in one specific situation, if an attacker has physical access. If you can prevent physical access in another way, there is no benefit from SecBoot.



          • #6
            maybe, just "maybe", nobody wants the overcomplicated mess that is EFI (and ACPI) on modern, non-x86 ISAs like ARM and RISCV? https://www.youtube.com/watch?v=tkOZ2DrDu6U



            • #7
              Originally posted by rene
              maybe, just "maybe", nobody wants the overcomplicated mess that is EFI (and ACPI) on modern, non-x86 ISAs like ARM and RISCV? https://www.youtube.com/watch?v=tkOZ2DrDu6U
              Yep, at least for now. Given that I still have to tinker with any SOC, I prefer to use a device tree and some simple bootloader.



              • #8
                In 2023 SecureBoot is barely a thing.

                Get back to ye olde Windows RT you retro piece of silliness



                • #9
                  Originally posted by mcirsta

                  I also wouldn't mind but rather it might be that:
                  1. Debian is not used for AArch64, it's probably mostly Ubuntu and RHEL
                  2. Secure boot is not used much for AArch64. For embedded it's not really used and for servers I guess it's also not really needed and used.
                  1. Plenty of people use it, but most ARM64 systems probably aren't using UEFI/Secure Boot. They're using whatever the OEM uses to bring the board up.
                  2. SB is used on corporate servers, but most corporate servers are Intel/AMD based, not ARM. ARM OEMs use a variety of ways of securing the boot chain - but in those cases it's more to restrict 3rd party ROMs and vendor lock-in rather than securing the boot chain.
                  3. Corporate users are also more likely to be using something other than Debian - (first party) contract support is a Big Thing and Debian doesn't really have that whereas IBM/RedHat, SUSE, and Canonical do.
                  4. Debian's broken SB might have made its way to Ubuntu's repository at one point because it's suspiciously like a similar breakage when I tried to re-install 22.04 a while back on my PC. There was a certificate change associated with a shim upgrade that can for some strange reason I never really got to the bottom of result in 22.04.1 install image not booting in a secure boot environment in some circumstances on PCs with a bad cert error.
                  5. It's definitely a problem with Debian derivatives. Windows, RHEL, and Fedora had no problems booting in the same environment.
                  Last edited by stormcrow; 25 April 2023, 01:22 PM.
