Am Donnerstag, 26. Oktober 2017 schrieb John Morris: > On Tue, 2017-10-24 at 09:01 +0200, marc wrote: > > > Secureboot is designed for them, not for you. You might come > > up with a really exotic use case, where it might help you. But > > if you look at it carefully enough, it relies on secureboot > > redefining root to something weaker than what we want, and > > running some complex infrastructure which you are unaware > > of behind it. If you want a weak root, run a virtual machine > > instead. > > Not at all. Right now if you install Fedora or Ubuntu you get the > protection of secure boot. You already trust them if you are installing > their OS, correct? Everyone signs the kernel package at the package > manager stage so we can all use untrusted mirrors. So now they also put > a signature on a grub-efi package with a key signed by the UEFI CA that > embeds their company keys. Now your system validates that GRUB is clean > and it checks the kernel hasn't been tampered with before executing > either of them, > > Eventually Debian will begin shipping signed grub-efi and kernel > packages. Devuan would have to pay $100 to get a signed grub-efi of its > own (with a Devuan kernel signing key embedded) to ship kernels built by > them if they don't just pass on the Debian grub and kernel packages > unmodified. That is it, one can argue how much security benefit it > brings but it is non-zero and requires minimal effort to achieve. I > think you have to pay again if your grub-efi package changes but it > doesn't seem to churn much. >
Maybe I did get something wrong, but some years ago the lin foundation provided a sined bootloader for secure boot: https://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/ There's also a signed "shim.efi" and some others, that boots any kernel you like: https://www.rodsbooks.com/efi-bootloaders/secureboot.html Just neither debian nor devuan provide an installer image, that uses these. But the fundamental problem of secure boot persists: do you trust your bios vendor? (I don't.) Nik -- Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ... _______________________________________________ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
