Basically any security technology can be abused to restrict user freedom - that means we need to push back against such abuses, not that we should necessarily reject the technologies in the first place
Needing to manually enable trusting third party boot chains is a minor inconvenience at most and not a restriction on what you can do. Their ecosystem has almost entirely theatrical implementations of secure boot and attestation. Many things would have to be fixed, this is one.
Proper approach would be only trusting the first party boot chain by default, having a very easy way for users to add the public key of other operating systems and filling in all the stuff that's missing like downgrade protection for secure boot itself. Attestation doesn't replace it.
If a laptop is shipped with a Linux distribution, it should only trust the key for that specific Linux distribution by default. Same thing applies to Windows. Having a whole bunch of trusted parties by default and all kinds of trivial bypasses SHOULD get fixed along with the rest.
With the latest kernel release you *need* a shim if you want to enable lockdown mode and sign kernel modules. There is simply no other way for you as a user to enroll a set of trusted keys in the kernel keyring at the moment. I find this absurd.
In order for verified boot to actually work properly, it has to cover far more of the OS than the kernel. Lockdown mode isn't enough to actually provide users with any real security properties. It's overly inflexible too since it's entirely based on an insecure/useless approach.