←back to thread

Linux and Secure Boot certificate expiration

(lwn.net)
253 points pabs3 | 2 comments | 18 Jul 25 03:53 UTC | HN request time: 0.654s | source
Show context
greatgib ◴[18 Jul 25 06:46 UTC] No.44601921[source]
It's totally crazy that we have to go through Microsoft to sign things to be able to have our OS run on third parties computers, and that Microsoft manage to win about this so easily as it was never seriously challenged.
replies(7): >>44601962 #>>44602085 #>>44602088 #>>44602288 #>>44602373 #>>44602674 #>>44615523 #
sugarpimpdorsey ◴[18 Jul 25 07:50 UTC] No.44602288[source]
It makes more sense if you view it for what it is: Honest Satya's Certificate Authority.

Microsoft showed they can semi-competently run a PKI. The end.

Now had the Linux folks stepped up to the plate early on, instead of childishly acting like Secure Boot was the computing antichrist, the story might be different. But they didn't. We only have shim because some people at Red Hat had the common sense to play ball.

replies(7): >>44602337 #>>44602402 #>>44602511 #>>44602526 #>>44602770 #>>44603173 #>>44604349 #
ACCount36 ◴[18 Jul 25 08:35 UTC] No.44602526[source]
Secure Boot is the computing antichrist, and Linux folk were 100% right to rally against it. As well as a whole bunch of other "Trusted Computing" garbage.
replies(4): >>44602678 #>>44604560 #>>44617843 #>>44656080 #
froh ◴[18 Jul 25 09:13 UTC] No.44602678[source]
mind to elaborate?

I'd love to know if my machine has been compromised with early boot stage "meta-hypervisor" or not.

the promise of secure boot and trusted computing is backdoor-free boot.

what is in your eyes evil and garbage about that?

replies(3): >>44602710 #>>44602712 #>>44602956 #
fsflover ◴[18 Jul 25 09:19 UTC] No.44602712[source]
Consider using Heads with TPM and Librem Key to detect possible compromise of your boot stage. It doesn't obey MS but you.
replies(2): >>44602806 #>>44618724 #
1. flexagoon ◴[18 Jul 25 09:38 UTC] No.44602806[source]
With Heads, the firmware measures itself and sends the results to the TPM. If an attacker flashes a modified firmware that simply lies about the measurement results, the entire security system will be bypassed.
replies(1): >>44603106 #
2. fsflover ◴[18 Jul 25 10:30 UTC] No.44603106[source]
This is not true:

https://forum.qubes-os.org/t/discussion-on-purism/2627/187

https://forum.qubes-os.org/t/discussion-on-purism/2627/177