Oracle Sends Out Latest Linux Patches So Trenchboot Can Securely Launch The Kernel


  • Oracle Sends Out Latest Linux Patches So Trenchboot Can Securely Launch The Kernel

    Phoronix: Oracle Sends Out Latest Linux Patches So Trenchboot Can Securely Launch The Kernel

    Trenchboot continues to be worked on for providing boot integrity technologies that allow for multiple roots of trust around boot security and integrity. Oracle engineers on Friday sent out their latest Linux kernel patches so it can enjoy a "Secure Launch" by the project's x86 dynamic launch measurements code...

    https://www.phoronix.com/scan.php?pa...nux-Patches-v2

  • #2
    Why would Linux accept patches from Oracle? Oracle is just going to sue them for using their intellectual property. They've fully established they hate it when anyone uses their products, just like how AT&T wanted nothing more than for nobody to ever use UNIX.


    • #3
      How is Trenchboot different to UEFI Secure Boot?

      On my UEFI computer the only keys installed are from Microsoft and Ubuntu boots with keys signed from Microsoft, so I can't run the daily kernel builds without disabling UEFI Secure Boot.
      There seems to be no way to disable a key without deleting it.
      It is not obvious how to install keys, nor does there seem to exist any tool that does it for you without you doing it manually from the UEFI setup screen. I am not aware of any manufacturer or operating system or distribution with their own keys.

      Considering all the Meltdown, Spectre, and related vulnerabilities in CPUs, I don't really feel like any of this secure/trusted boot technology makes me feel any more secure.


      • #4
        Originally posted by Ironmask
        Why would Linux accept patches from Oracle? Oracle is just going to sue them for using their intellectual property. They've fully established they hate it when anyone uses their products, just like how AT&T wanted nothing more than for nobody to ever use UNIX.
        Oh noes. My poor, poor BTRFS root.


        • #5
          Originally posted by uid313
          How is Trenchboot different to UEFI Secure Boot?

          On my UEFI computer the only keys installed are from Microsoft and Ubuntu boots with keys signed from Microsoft, so I can't run the daily kernel builds without disabling UEFI Secure Boot.
          There seems to be no way to disable a key without deleting it.
          It is not obvious how to install keys, nor does there seem to exist any tool that does it for you without you doing it manually from the UEFI setup screen. I am not aware of any manufacturer or operating system or distribution with their own keys.

          Considering all the Meltdown, Spectre, and related vulnerabilities in CPUs, I don't really feel like any of this secure/trusted boot technology makes me feel any more secure.
          Trenchboot required hardware validation, and a TPM, but can verify every part of the boot process including config files and initrd.

          If I recall correctly, with Secure Boot custom keys are possible, but you essentially need to restart the certificate chain with your own PEK.

          And I agree regarding Meltdown, it's like double deadbolts on the front door while the basement window is unlocked and cracked open.

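An added illustration of the "verify every part of the boot process including config files and initrd" point in #5 (not part of any post above, and not TrenchBoot or kernel code): a toy model of TPM-style measurement, where each boot component is hashed and extended into a PCR and a verifier later replays the event log against known-good digests. The function names, the single zero-initialised PCR and the sample blobs are assumptions made for this example.

```python
import hashlib

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: the register can only be folded forward, never set."""
    return hashlib.sha256(pcr + digest).digest()

def measure(components):
    """Launch side: hash each (name, blob) in order and extend one PCR.
    Returns the final PCR value and the event log of (name, digest)."""
    pcr, log = bytes(32), []            # assumption: PCR starts at all zeros
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log

def appraise(pcr, log, reference):
    """Verifier side: replay the log, then compare entries to known-good digests.
    Returns the names of components that differ; raises if the log does not
    reproduce the PCR (that is, the log itself was edited)."""
    replayed = bytes(32)
    for _, digest in log:
        replayed = extend(replayed, digest)
    if replayed != pcr:
        raise ValueError("event log does not match PCR")
    return [name for name, digest in log if reference.get(name) != digest]

# Constructed sample inputs, stand-ins for real boot artifacts.
GOOD = [("kernel", b"vmlinuz-build-1"), ("initrd", b"initrd-build-1"),
        ("cmdline", b"root=/dev/sda1 ro")]
CHANGED = GOOD[:2] + [("cmdline", b"root=/dev/sda1 rw")]
REFERENCE = {n: hashlib.sha256(b).digest() for n, b in GOOD}

if __name__ == "__main__":
    for label, boot in (("good", GOOD), ("changed", CHANGED)):
        pcr, log = measure(boot)
        print(label, pcr.hex()[:16], appraise(pcr, log, REFERENCE))
```

Unlike a signature check, nothing here blocks the boot: a changed config file or initrd simply yields a different PCR value, which the verifier detects afterwards.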