253 points pabs3 | 4 comments
porridgeraisin ◴[] No.44602675[source]
Secure boot, disk encryption, etc are more trouble than they are worth IME. I have them all off.

Qualifier: for personal computers that you don't take regular backups of, test backups, etc

replies(1): >>44602932 #
flexagoon ◴[] No.44602932[source]
Secure Boot's benefits are definitely not as strong (I don't think flashing custom backdoored firmware is a common attack vector for personal computers), but FDE is still useful in case your laptop gets stolen, because thieves looking for sensitive data on a hard drive is a thing that does actually happen.

I also wouldn't really say it's much trouble. If you have a TPM and use systemd, you can set it up to unlock FDE automatically on boot; otherwise, you just have to input an extra password when turning on your machine.

replies(1): >>44603074 #
zozbot234 ◴[] No.44603074[source]
SB does not protect against backdoored firmware at all. You would need something like BootGuard which is a separate feature.
replies(1): >>44605979 #
1. palata ◴[] No.44605979[source]
Can you elaborate on that? Isn't it the whole point of secure boot?

My understanding is that at least on Android you can't modify the system: you have to format everything if you want to make a change at this level.

replies(1): >>44607151 #
2. Avamander ◴[] No.44607151[source]
No, SB starts with actually firmware already booting something. It is just one link in the chain. You can also look up Trusted Boot and Secure Launch, how this entire chain can/could be secured.
replies(1): >>44610052 #
3. palata ◴[] No.44610052[source]
> SB starts with actually firmware already booting something.

I don't understand that sentence. So instead of a bootloader in the ROM that starts the next bootloader and verifies that it is signed (I think that's how it is on Android?), on a laptop the first bootloader can be installed by the user and nothing checks its signature?

EDIT: what I read here [1] is that Secure Boot is verified from the ROM to the moment it starts "the Windows kernel" (on Windows). But it's not completely clear to me: say on Linux, if Secure Boot verifies up to my /boot partition (does it?), then it should be okay because I have FDE on the rest, right?

[1]: https://learn.microsoft.com/en-us/windows/security/operating...

replies(1): >>44623377 #
4. Avamander ◴[] No.44623377{3}[source]
> on a laptop the first bootloader can be installed by the user and nothing checks its signature?

It should be signed by the manufacturer, so you shouldn't be able to. Loaded by a shim even smaller in the CPU, part of Boot Guard and Platform Secure Boot, if I'm not remembering wrong.

> say on Linux, if Secure Boot verifies up to my /boot partition (does it?)

No. It verifies one signed file, usually Grub EFI shim. Which then should check everything you want. Unlike Windows, desktop Linux distros rarely have the best SB system. Poettering has described this issue in depth.