←back to thread

Linux and Secure Boot certificate expiration

(lwn.net)
253 points pabs3 | 7 comments | 18 Jul 25 03:53 UTC | HN request time: 0s | source | bottom
Show context
omnibrain ◴[18 Jul 25 08:23 UTC] No.44602459[source]
I'm sure this is a naive take, but why is it not possible to enter a new key into the BIOS (dating myself, I know it's EFI) by hand?
replies(4): >>44602517 #>>44602569 #>>44602734 #>>44603003 #
1. nottorp ◴[18 Jul 25 08:34 UTC] No.44602517[source]
You'd have control over what boots on your computer then...
replies(2): >>44602571 #>>44602581 #
2. nicman23 ◴[18 Jul 25 08:48 UTC] No.44602571[source]
you literally have though. you can self sign everything and set up uefi to only boot your signature
replies(1): >>44612585 #
3. ozgrakkurt ◴[18 Jul 25 08:50 UTC] No.44602581[source]
That would be a disaster. Or imagine what would happen if you just disabled secure boot, your computer will be infected with viruses and your bank account emptied instantly I reckon
replies(1): >>44602920 #
4. Dead_Lemon ◴[18 Jul 25 09:57 UTC] No.44602920[source]
Secure boot doesn't stop user-space malicious activity.

I'd argue that it only helps check a tick box on corporate security manifest, as it indicates the kernel being booted, is not tampered with.

replies(1): >>44604420 #
5. OldfieldFund ◴[18 Jul 25 13:27 UTC] No.44604420{3}[source]
OP was being sarcastic
6. const_cast ◴[19 Jul 25 04:25 UTC] No.44612585[source]
Only on x86 secure boot implementations. On most devices with trusted boot, you don't have this option.
replies(1): >>44614688 #
7. nicman23 ◴[19 Jul 25 11:46 UTC] No.44614688{3}[source]
uefi on non x86 is a non starter for most people anyways. not that uboot is better