Debian 10 "Buster" Working To Have UEFI SecureBoot In Good Shape

  • Debian 10 "Buster" Working To Have UEFI SecureBoot In Good Shape

    Phoronix: Debian 10 "Buster" Working To Have UEFI SecureBoot In Good Shape

    While most major Linux distributions have been supporting UEFI SecureBoot for years already in order to work nicely on modern locked-down (generally Windows pre-loaded) PCs, Debian stable releases have yet to properly support SecureBoot but that should be changing with this year's release of 10.0 Buster...

    http://www.phoronix.com/scan.php?pag...ng-Secure-Boot

  • #2
    Who on earth installs Debian stable on a notebook or otherwise SecureBoot-ed PC?


    • #3
      Originally posted by lucrus
      Who on earth installs Debian stable on a notebook or otherwise SecureBoot-ed PC?

      Actually I have Debian stable running on my main gaming system + 2 laptops. The laptops aren't very good at gaming so there's not much need for cutting edge.


      • #4
        Is there a way to sign the initramfs? Asking for Arch specifically, but could be anything. Right now, this is one of the only loopholes I have on my work computer's boot process. Someone could replace it and sniff my HDD decryption passphrase, for instance.

        I know I could use the TPM to store a decryption key, but that doesn't address other stuff that could be done with the initramfs.


        • #5
          Secure Boot is Microsoft's idea to prevent running anything other than Windows on your PC. Disable it in the BIOS and use MBR partitions for easy disk cloning.
          Last edited by debianxfce; 01-07-2019, 11:04 PM.


          • #6
            Originally posted by debianxfce
            Secure Boot is Microsoft's idea to prevent running anything other than Windows on your PC. Disable it in the BIOS and use MBR partitions for easy disk cloning.
            You can do better - sign the entire kernel and boot it directly as an EFI application, see: https://github.com/andreyv/sbupdate

            With that you can have the encryption keys in TPM protected even with PCRs: https://aur.archlinux.org/packages/m...-tpm2-encrypt/


            • #7
              Originally posted by debianxfce
              use MBR partitions for easy disk cloning.
              GPT works fine with all disk cloning tools, don't post bullshit.


              • #8
                Originally posted by starshipeleven
                GPT works fine with all disk cloning tools, don't post bullshit.
                Remember, it's debianxfce, so all comments about his posts are a waste of time.


                • #9
                  I have a feeling Debian 10 is going to be a great release. Not just because of this.


                  • #10
                    Originally posted by towo2099
                    Remember, it's debianxfce, so all comments about his posts are a waste of time.
                    It depends on the goal. Convincing debianxfce is a waste of time.

                    But BS has to be called out as such; that's the only way others will not eventually believe it to be true. This is not a waste of time.
