
253 points pabs3 | 11 comments
1. omnibrain ◴[] No.44602459[source]
I'm sure this is a naive take, but why is it not possible to enter a new key into the BIOS (dating myself, I know it's EFI) by hand?
replies(4): >>44602517 #>>44602569 #>>44602734 #>>44603003 #
2. nottorp ◴[] No.44602517[source]
You'd have control over what boots on your computer then...
replies(2): >>44602571 #>>44602581 #
3. nicman23 ◴[] No.44602569[source]
It is.
4. nicman23 ◴[] No.44602571[source]
You literally have, though. You can self-sign everything and set up UEFI to only boot your signature.
replies(1): >>44612585 #
5. ozgrakkurt ◴[] No.44602581[source]
That would be a disaster. Or imagine what would happen if you just disabled Secure Boot: your computer would be infected with viruses and your bank account emptied instantly, I reckon.
replies(1): >>44602920 #
6. jcgl ◴[] No.44602734[source]
It should be, at least on higher-end boards, no?
7. Dead_Lemon ◴[] No.44602920{3}[source]
Secure boot doesn't stop user-space malicious activity.

I'd argue that it only helps check a tick box on a corporate security manifest, as it indicates that the kernel being booted is not tampered with.

replies(1): >>44604420 #
8. eqvinox ◴[] No.44603003[source]
It's possible and it's what you should be doing. "sbctl" (https://github.com/Foxboron/sbctl) AFAIK has a reasonable frontend for doing that on Linux (don't know, I did it manually). You have to put the system in "secure boot setup mode" in BIOS/UEFI options before booting, which enables changing the PK (Platform Key) which is used to chain off all the other keys. (Setup mode should be automatically exited when you install a new PK.)

You can keep the Microsoft keys in there if you want to dual boot Windows, you just need to re-sign the keys themselves with your own PK.
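The workflow eqvinox describes (and the "self-sign everything" nicman23 mentions in comment 4) has one step people get wrong: the firmware only accepts a new PK while it is in setup mode. This is an added example, not code from the thread or from the sbctl project. It reads the SetupMode and SecureBoot flags straight out of efivarfs (the EFI global variable GUID is the one from the UEFI specification), and wraps the sbctl commands as a function. It assumes sbctl is installed, that /sys/firmware/efi/efivars is mounted, and that the boot loader lives at the /boot/EFI/BOOT/BOOTX64.EFI path used below (that path is an assumption; adjust it for your system).

```shell
#!/bin/sh
# Added example (not from the thread): check the firmware's Secure Boot state
# before enrolling your own Platform Key, then run the sbctl steps.

EFIVARS=/sys/firmware/efi/efivars
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE GUID

# An efivarfs file is 4 bytes of variable attributes followed by the data.
# SetupMode and SecureBoot are one byte each: 1 = on, 0 = off.
efivar_byte() {
    # $1: path to an efivarfs file; prints the first data byte in decimal
    od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

setup_mode_on()  { [ "$(efivar_byte "$1")" = "1" ]; }
secure_boot_on() { [ "$(efivar_byte "$1")" = "1" ]; }

# Summarise the two flags. $1: SetupMode file, $2: SecureBoot file.
# Returns 0 only when the firmware will accept a new PK right now.
describe_state() {
    sm=$(efivar_byte "$1")
    sb=$(efivar_byte "$2")
    if [ "$sm" = "1" ]; then
        echo "SetupMode=1: PK is cleared, firmware will accept a new Platform Key"
        return 0
    fi
    if [ "$sb" = "1" ]; then
        echo "SecureBoot=1, SetupMode=0: enrolled keys are enforced; clear the PK in firmware setup first"
        return 1
    fi
    echo "SecureBoot=0, SetupMode=0: Secure Boot is off but a PK is still installed"
    return 1
}

# The enrolment itself. Run only after describe_state reports setup mode.
# LOADER is an assumed path; set it to the EFI binary your firmware boots.
enroll_own_keys() {
    LOADER=${1:-/boot/EFI/BOOT/BOOTX64.EFI}
    sbctl status                      # confirm: Setup Mode enabled, no keys owned yet
    sbctl create-keys                 # generate your own PK, KEK and db certificates
    # --microsoft keeps Microsoft's KEK/db certificates for dual-booting Windows;
    # the variable updates are authenticated with your new PK, which is what the
    # "re-sign the keys with your own PK" remark in the thread amounts to.
    sbctl enroll-keys --microsoft
    sbctl sign -s "$LOADER"           # -s remembers the file so it is re-signed on updates
    sbctl verify                      # list what is and is not signed with your db key
}

# Only touch the live firmware variables when they are actually present.
if [ -r "$EFIVARS/SetupMode-$EFI_GLOBAL_GUID" ] && [ -r "$EFIVARS/SecureBoot-$EFI_GLOBAL_GUID" ]; then
    describe_state "$EFIVARS/SetupMode-$EFI_GLOBAL_GUID" "$EFIVARS/SecureBoot-$EFI_GLOBAL_GUID" || :
fi
```

Run the script as root on the target machine; if it prints the SetupMode=1 line, call `enroll_own_keys` (optionally with your loader path). If it prints either of the other two lines, reboot into firmware setup, clear the Platform Key, and check again rather than forcing anything, because a rejected PK update leaves the old key chain in place.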

9. OldfieldFund ◴[] No.44604420{4}[source]
OP was being sarcastic
10. const_cast ◴[] No.44612585{3}[source]
Only on x86 secure boot implementations. On most devices with trusted boot, you don't have this option.
replies(1): >>44614688 #
11. nicman23 ◴[] No.44614688{4}[source]
UEFI on non-x86 is a non-starter for most people anyway. Not that U-Boot is better.