
Lennart Poettering Talks Up A "Brave New Trusted Boot World" For Linux


  • Lennart Poettering Talks Up A "Brave New Trusted Boot World" For Linux

    Phoronix: Lennart Poettering Talks Up A "Brave New Trusted Boot World" For Linux

    Systemd lead developer Lennart Poettering has written a lengthy blog post entitled a "brave new trusted boot world" in which he outlines current issues with the Linux boot process and how there is a trajectory for providing the Linux boot experience with more robustness, simplicity, and trust...


  • #2
    And of course, the UKI must include systemd, that will take over as a UEFI payload and control everything in the system!



    • #3
      Great. Some of the reasons I can't stand Windows.



      • #4
        Originally posted by doragasu
        And of course, the UKI must include systemd, that will take over as a UEFI payload and control everything in the system!
        Well, you can't expect the systemd devs to also write the non-systemd alternative. That job is for those who want the alternative.

        I remember a similar tension in DRM and kernel driver code over a decade ago when it started focussing more on Linux and the BSDs couldn't drop it in without tweaks. However, they were not sanguine and accepted that they would need to do the work to adapt the drivers.



        • #5
          Originally posted by doragasu
          And of course, the UKI must include systemd, that will take over as a UEFI payload and control everything in the system!
          Next year's new systemd plugin, same old story.



          • #6
            About time Linux caught up with other OSes in terms of ease-of-use, verifiability and/or evil maid resistance.



            • #7
              At this rate we are going to end up like macOS, the UKI is signed and trusted, the system is compartmentalized into read only volumes managed by ostree, signed and trusted of course. Everything encrypted, with automatic TPM decryption.

              And it sounds great to be honest. macOS has gotten pretty far ahead of everyone else simply because Apple is willing to throw compatibility under the bus and put their trillion dollars behind stuff that doesn't even sell. It does also fuck with the ability of the user to mess with their system, which I guess is fine on Apple, but that is non-negotiable on Linux. Add all security you want, but we must be able to disable it for any reason we can imagine.

              Anyways, anything is better than the clusterfuck with initramfs and GRUB we have now... A few times I have had systems break because a kernel update went mysteriously wrong. Configuring decryption with TPM is also annoying when it really should be just a checkbox.



              • #8
                How about no, especially if it makes it harder to build your own kernels or to make changes to the initrd



                • #9
                  No, thanks. I'll opt to continue configuring and building my kernels (and initramfs) locally. Unsigned, very true. Trusted by .... me
                  And yes, running an OpenRC system here.



                  • #10
                    Originally posted by kbios
                    How about no, especially if it makes it harder to build your own kernels or to make changes to the initrd
                    That's the fly in the ointment. The whole trusted boot and execution system requires end users to be able to load their own keys into the UEFI boot key store. Not all hardware allows that. For that matter not all PC hardware even allows for it. The only way this works is if there's some way to require OEMs to allow third party keys other than those signed by a megacorp. Apple and Microsoft will fight that with every dirty trick, lawsuit, and just plain underhandedness they can - and not enough users will even notice to bother to protest - so it's unlikely there would be any effective regulatory process to stop it. Think of the kids. Think of the corporate bottom lines. Think of national security. Think of...
