Debian Making Progress On UEFI SecureBoot Support In 2018


  • Debian Making Progress On UEFI SecureBoot Support In 2018

    Phoronix: Debian Making Progress On UEFI SecureBoot Support In 2018

    UEFI SecureBoot support didn't make it for Debian 9.0 "Stretch" but progress is now being made on this "security" feature and it's looking like it could be squared away for the Debian 10.0 release expected next year...

    http://www.phoronix.com/scan.php?pag...ecureBoot-2018

  • #2
    Why quotes around "security"?


    • #3
      Originally posted by tjukken
      Why quotes around "security"?
      Usually when you read about UEFI and security in one sentence it means only the control by the hardware and content vendors, everything else is just marketing.

      We desperately need alternatives like coreboot!


      • #4
        Originally posted by tjukken
        Why quotes around "security"?
        Because UEFI isn't terribly safe (way too many bugs, as normal with embedded closed source firmwares, but UEFI is also very complex, so it has more chance for bugs) and relying on it does not improve security that much.


        • #5
          Originally posted by R41N3R
          We desperately need alternatives like LinuxBoot!
          fixed.


          • #6
            Why quotes around "security"?
            Originally posted by R41N3R

            Usually when you read about UEFI and security in one sentence it means only the control by the hardware and content vendors, everything else is just marketing.

            We desperately need alternatives like coreboot!
            ^ this

            This UEFI secure boot stuff can be used to make it much harder or impossible for software to modify the boot loader without the user's permission. This is a desirable security feature for end users. However, many of us have realised the potential this feature has to be used/abused by Microsoft and/or the hardware manufacturers to lock down and permission x86 PCs such that only officially endorsed operating systems can be run on them. In practice this may mean that you could buy a computer that is otherwise perfectly capable of running your favourite Linux distribution, but you are unable to install and use that distribution because the motherboard manufacturer has not signed your distribution's boot-related files.


            • #7
              Originally posted by starshipeleven
              fixed.
              Agreed, the LinuxBoot approach could allow a faster and easier transition away from UEFI... but we need something that will work on normal hardware too.


              • #8
                Originally posted by R41N3R
                Agreed, the LinuxBoot approach could allow a faster and easier transition away from UEFI... but we need something that will work on normal hardware too.
                LinuxBoot is far easier to port to a new board compared to Coreboot. That's the whole point of it. Coreboot is dead in the water for any device that isn't made by Google or another large company that can make the arrangements with Intel to get the blobs and info on how to use them properly. They could support up to Ivy Bridge because of an info leak years ago, but you can't count on that if you want a path for the future.

                To port a board to LinuxBoot you take the stock UEFI firmware, remove all that isn't low-level board initialization modules, and get this core to bootstrap LinuxBoot (a modified Linux kernel) using the same interfaces it used to bootstrap the rest of the UEFI firmware, then reassemble a flashable image and flash it. It's similar to good old-fashioned BIOS modding.
                Last edited by starshipeleven; 01 May 2018, 02:59 PM.
