Linux and Secure Boot certificate expiration

(lwn.net)

253 points pabs3 | 1 comments | 18 Jul 25 03:53 UTC | HN request time: 0.236s | source

Show context

greatgib ◴[18 Jul 25 06:46 UTC] No.44601921[source]▶

It's totally crazy that we have to go through Microsoft to sign things to be able to have our OS run on third parties computers, and that Microsoft manage to win about this so easily as it was never seriously challenged.

replies(7): >>44601962 #>>44602085 #>>44602088 #>>44602288 #>>44602373 #>>44602674 #>>44615523 #

nine_k ◴[18 Jul 25 07:16 UTC] No.44602088[source]▶

>>44601921 #

Basically every x64 computer is intended to be able to run Windows. Hence MS had to be involved, and I suppose nobody else with serious money wanted the burden.

AFAICT you can still disable Secure Boot in most UEFI firmware, and boot anything you like (or not like, if an attacker tampers with your system).

replies(3): >>44602233 #>>44602369 #>>44604472 #

blkhawk ◴[18 Jul 25 08:06 UTC] No.44602369[source]▶

>>44602088 #

Secure boot belongs to a class of security that while clearly giving a theoretical benefit in practice it falls far short of providing any benefit whatsoever at least to the user of a system. Its introduction was mostly part of a wider (probably partially defunct and failed regarding mobile x86) strategy to lock down the PC so the Microsoft store and purchased apps through it would be more secure from the end-user. Secondary was in my opinion better security for handheld phones and tablets running x86 but there the "App store" aspect is even more clear.

"attacker tampers with your system" does not happen at least in the way you think it does or it does not protect you against meaningful attack at all.

replies(2): >>44602686 #>>44603806 #

1. msgodel ◴[18 Jul 25 12:09 UTC] No.44603806[source]▶

>>44602369 #

Anything that locks you out of your own computer is at absolute best an availability failure but more often than not forces you to use compromised system software.

↑