(lwn.net)

253 points pabs3 | 1 comments | 18 Jul 25 03:53 UTC | HN request time: 0s | source

Show context

saidinesh5 ◴[18 Jul 25 06:54 UTC] No.44601960[source]▶

Just out of curiosity, how good is the secure boot experience these days?

I've had to disable it on all my installations because of either nvidia drivers or virtual box modules. In general Arch based distros didn't seem too friendly for secure boot set up.

replies(11): >>44602000 #>>44602120 #>>44602279 #>>44602520 #>>44602559 #>>44602593 #>>44602696 #>>44602761 #>>44602773 #>>44603004 #>>44607063 #

bravetraveler ◴[18 Jul 25 07:01 UTC] No.44602000[source]▶

>>44601960 #

Signature maintenance for modules can be fully automated. Enrollment requires navigating a mildly-intimidating interface a single time to accept the new PKI.

Fine for systems you physically manage, anything remote in a datacenter I wouldn't bother (without external motivation)

replies(1): >>44602333 #

mormegil ◴[18 Jul 25 07:59 UTC] No.44602333[source]▶

>>44602000 #

Which is strange because secure boot should be useful in _exactly_ the situation you don't have physical control of the HW, shouldn't it? I guess the threat model for a common not-that-important company does not include evil data center (and it's dubious if SecureBoot would protect you in reality), but wasn't that one of the motivations?

replies(3): >>44602388 #>>44602396 #>>44602630 #

1. bravetraveler ◴[18 Jul 25 08:10 UTC] No.44602388{3}[source]▶

>>44602333 #

Aye, though an evil maid has higher barriers and more paperwork in a DC.

I hesitate based on that mitigation and the untold operational pain. Sometimes it's worth it, other times it isn't.

↑

Linux and Secure Boot certificate expiration