OpenGL 3.1 on Asahi Linux

(asahilinux.org)
512 points simjue | 8 comments
nightski ◴[] No.36213208[source]
This is great work and I commend it. But in other threads people are acting like Asahi Linux hardware support is 100% complete. My fear is that if I were to go this route and purchase the hardware I'd be seeing a fraction of the performance and capability I would in Mac OS. To be honest this blog post seems like the project has a long ways to go, not that it is nearing completion.

I just can't justify buying hardware from a company that is so hostile to developers and hackers, as nice as it may be.

replies(9): >>36213287 #>>36213309 #>>36213359 #>>36213764 #>>36213841 #>>36214046 #>>36214150 #>>36214656 #>>36221582 #
GeekyBear ◴[] No.36213764[source]
You don't create a new bootloader that allows users the freedom to run an unsigned third party OS without having it degrade the system's security if and when they boot the native OS because you are "hostile to developers and hackers".
replies(1): >>36217189 #
1. fsflover ◴[] No.36217189[source]
My laptop can use TPM and a hardware key with my keys and free software. Where is the degraded security?
replies(2): >>36217460 #>>36219735 #
2. hedora ◴[] No.36217460[source]
I could trick you into adding a hardware key, then install a tampered version of Windows with it.

(Also, the last time I looked, TPM keys could be grabbed with ~ $100 of hardware, but I think that's fixed by some newer standard.)

But, yeah, it's not a big tradeoff in practice. I think their point was that Apple had to expend effort to enable the use case, which isn't "hostile" toward the use case.

replies(1): >>36217844 #
3. GeekyBear ◴[] No.36217844[source]
> I could trick you into adding a hardware key, then install a tampered version of Windows with it.

There are other issues as well.

For instance, on a PC the security settings are applied per machine and not per partition, so you can't mix an unsigned OS on one partition with full security on another partition.

Also:

> On Wednesday, researchers at security firm ESET presented a deep-dive analysis of the world’s first in-the-wild UEFI bootkit that bypasses Secure Boot on fully updated UEFI systems running fully updated versions of Windows 10 and 11.

Despite Microsoft releasing new patched software, the vulnerable signed binaries have yet to be added to the UEFI revocation list that flags boot files that should no longer be trusted.

https://arstechnica.com/information-technology/2023/03/unkil...

replies(1): >>36228459 #
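
The report quoted above turns on whether a vulnerable signed binary's hash has been added to the UEFI revocation list (dbx). As an added example, not part of the thread or of any project's code, this Python code parses the EFI_SIGNATURE_LIST format that dbx uses and checks a digest against it. The owner GUID and all digests are constructed sample data, and real dbx entries hold the Authenticode digest of the PE image rather than a plain file hash.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size

def revoked_sha256(blob):
    """Return the SHA-256 digests found in concatenated EFI_SIGNATURE_LISTs."""
    digests, offset = set(), 0
    while offset < len(blob):
        if len(blob) - offset < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        guid, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, offset)
        if list_size < HEADER.size + hdr_size or offset + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if uuid.UUID(bytes_le=guid) == EFI_CERT_SHA256:
            if sig_size != 16 + 32:  # owner GUID + 32-byte digest
                raise ValueError("bad SignatureSize for a SHA-256 list")
            start, end = offset + HEADER.size + hdr_size, offset + list_size
            if (end - start) % sig_size:
                raise ValueError("list body is not a whole number of entries")
            for pos in range(start, end, sig_size):
                digests.add(blob[pos + 16:pos + sig_size])
        offset += list_size  # lists of other types (e.g. X.509) are skipped
    return digests

def is_revoked(image_digest, dbx_blob):
    """True if the image digest appears in the revocation list."""
    return image_digest in revoked_sha256(dbx_blob)

def make_sha256_list(owner, digests):
    """Build a constructed EFI_SIGNATURE_LIST for the sample data below."""
    body = b"".join(owner.bytes_le + d for d in digests)
    return HEADER.pack(EFI_CERT_SHA256.bytes_le, HEADER.size + len(body), 0, 48) + body

# Constructed sample data: not real revocation entries.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # hypothetical owner
VULNERABLE = hashlib.sha256(b"constructed vulnerable bootloader").digest()
OLDER = hashlib.sha256(b"constructed older revoked image").digest()
DBX_BEFORE = make_sha256_list(OWNER, [OLDER])
DBX_AFTER = DBX_BEFORE + make_sha256_list(OWNER, [VULNERABLE])

if __name__ == "__main__":
    # The same signed binary is accepted until the revocation list is updated.
    print("revoked before dbx update:", is_revoked(VULNERABLE, DBX_BEFORE))
    print("revoked after dbx update: ", is_revoked(VULNERABLE, DBX_AFTER))
```

On Linux, the dbx variable read from efivarfs begins with a 4-byte attribute field that must be stripped before the data is passed to `revoked_sha256`.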
4. rodgerd ◴[] No.36219735[source]
You seem unfamiliar with the Alder Lake compromise.
replies(1): >>36227581 #
5. fsflover ◴[] No.36227581[source]
Indeed. Care to give a link? Quick DuckDuckGo search returned nothing.
replies(1): >>36233838 #
6. hedora ◴[] No.36228459{3}[source]
> For instance, on a PC the security settings are applied per machine and not per partition, so you can't mix an unsigned OS on one partition with full security on another partition.

This wasn't true for a low-end Acer I bought a while ago, and it's not true on an Asus motherboard I use. You can add keys to the BIOS, and then it'll let you run with either key. That lets you use the grub shim key. On the Acer, you can even tell it to screw PKI, and just check that the hash of the bootloader hasn't changed.

7. rodgerd ◴[] No.36233838{3}[source]
Sure: https://arstechnica.com/information-technology/2023/05/leak-...

The gaggle of moving parts that are involved in the PC world make security and privacy substantially more challenging because of nonsense like this - a vendor with rubbish security (not even an HSM for critical signing keys!) compromising the broader world.

replies(1): >>36234111 #
8. fsflover ◴[] No.36234111{4}[source]
Thanks. It seems this confirms that my own keys are more secure, because with them such a problem couldn't occur.