Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a ke [...]
LWN.net
By effectively erecting a shield around Israel, Iron Dome and other defense systems grant Israel the impunity to act without restraint. That doesn't save lives, it takes them away by the thousands.
Note to AOC: Iron Dome Is an Offensive Weapon
Watch on Substack: open.substack.com/pub/mitchell…
Or on YouTube: youtu.be/MpacmR5eTbE
The server mastodon.arell.ai is copying the account details of people, and then posting AI nonsense as them.
It likely scrapes the profile information to make the account. So a server block is likely needed.
I made a short (free) 3D game in #godot about being queer. If you're queer, trans, or questioning, I hope this game can give you some comfort.
All original assets and code are open source and in Creative Commons!
Try out Proton Mail, the secure email that protects your privacy: proton.me/mail/TheLinuxEXP
Grab a brand new laptop or desktop running Linux: tuxedocomputers.com/en#
👏 SUPPORT THE CHANNEL:
Get access to a weekly podcast, vote on the next topics I cover, and get your name in the credits:
YouTube: youtube.com/@thelinuxexp/join
Patreon: patreon.com/thelinuxexperiment
Liberapay: liberapay.com/TheLinuxExperime…
Or, you can donate whatever you want: paypal.me/thelinuxexp
👕 GET TLE MERCH
Support the channel AND get cool new gear: the-linux-experiment.creator-s…
🎙️ LINUX AND OPEN SOURCE NEWS PODCAST:
Listen to the latest Linux and open source news, with more in depth coverage, and ad-free! podcast.thelinuxexp.com
🏆 FOLLOW ME ELSEWHERE:
Website: thelinuxexp.com
Mastodon: mastodon.social/web/@thelinuxE…
Pixelfed: pixelfed.social/TLENick
PeerTube: tilvids.com/c/thelinuxexperime…
Discord: discord.gg/mdnHftjkja
00:00 Intro
00:43 Sponsor: Proton
01:54 Linux Mint is working on Wayland
03:26 Youtube's adblock blocker might not be legal
04:52 Fedora 39 gets delayed twice
06:09 OpenSUSE wants to replace its logo
07:41 KDE & GNOME Updates
09:22 New accessibility framework for Linux
10:40 Performance improvements for Linux and drivers
12:57 Gaming News: SteamVR, 3DS emulator perf boost
14:31 Sponsor: Get a PC made to run Linux
15:39 Support the channel
Linux Mint is working on Wayland
Youtube's adblock blocker might not be legal
theregister.com/2023/10/26/pri…
Fedora 39 gets delayed twice
linuxiac.com/fedora-linux-39-r…
linuxiac.com/fedora-39-release…
OpenSUSE wants to replace its logo
linuxiac.com/opensuse-calls-fo…
KDE & GNOME Updates
pointieststick.com/2023/10/27/…
thisweek.gnome.org/posts/2023/…
New accessibility framework for Linux
blogs.gnome.org/a11y/2023/10/2…
Performance improvements for Linux and drivers
phoronix.com/news/Mutter-Nouve…
phoronix.com/news/Mesa-24.0-Fe…
phoronix.com/news/AMD-Ryzen-Fr…
Gaming News: SteamVR, 3DS emulator perf boost
store.steampowered.com/news/ap…
gamingonlinux.com/2023/10/valv…
gamingonlinux.com/2023/10/nint…
Recently I highlighted that the Nintendo 3DS emulator Citra was doing a big move over to Vulkan, giving it a modern rendering system to keep on pushing performance. The latest updates also give a big boost for Linux / Steam Deck.
Liam Dawe (GamingOnLinux)
Did you know that there is not only Matt Godbolt's Compiler Explorer at godbolt.org, but also a Decompiler Explorer, appropriately named dogbolt.org, which compares the output of Ghidra, BinaryNinja, IDA and other decompilers?
#decompile #ReverseEngineering
Decompiler Explorer is an interactive online decompiler which shows equivalent C-like output of decompiled programs from many popular decompilers.
Decompiler Explorer
A secret, religious arbitration between two Israeli businessmen reveals that they had 'invested' as much as $25 million in President Enrique Peña Nieto of Mexico.Gur Megiddo (Haaretz)
This open-webui extension looks needful
openwebui.com/t/gatovillano/ne…
Nextcloud Integration v0.3 Tool • Open WebUI Community - With this tool, you can access your Nextcloud, list your calendars, create events, and review your files. It's an early experiment.
openwebui.com
AOC Is A Genocidal Con Artist
Saying you support funding Israel's "defensive weapons" while opposing sending it "offensive weapons" is as nonsensical as saying you would never give a mass shooter guns and ammunition, but you would give him body armor to keep him safe from the police.
caitlinjohnst.one/p/aoc-is-a-g…
Listen to a reading of this article (reading by Tim Foley):Caitlin Johnstone (Caitlin’s Newsletter)
U.S. rejects amended WHO health regulations-english.news.cn
Memory cafes at the National Comedy Center ignite laughter and connection for dementia patients
https://apnews.com/article/national-comedy-center-alzheimers-memory-cafes-ad0ea8d6f42dc815917b2e72cf6a7bde?utm_source=flipboard&utm_medium=activitypub
Posted into U.S. News @u-s-news-AssociatedPress
Experience the heartfelt emotion of Avril Lavigne's "When You're Gone," a touching ballad from her album "The Best Damn Thing." This poignant track beautifully captures the feelings of loss and longing, showcasing Avril's powerful vocals and songwriting talent. Dive into the depth of this song that resonates with anyone who has experienced separation.
Follow Avril Lavigne:
► Follow Avril Ramona Lavigne: @avrillavigne@tube.matrix.rocks
► Watch more music videos by Avril Lavigne: tube.matrix.rocks/c/avrillavig…
► Listen to Avril Lavigne: tube.matrix.rocks/a/avril_lavi…
► Listen to Avril Lavigne's "The Best Damn Thing (Deluxe Version)": tube.matrix.rocks/w/p/tpcmmh5h…
► Subscribe to the official Avril Lavigne channel: tube.matrix.rocks/c/avrillavig…
🎵 L Y R I C S 🎵:
I always needed time on my own
I never thought I'd need you there when I cry
And the days feel like years when I'm alone
And the bed where you lie is made up on your side
When you walk away, I count the steps that you take
Do you see how much I need you right now?
When you're gone, the pieces of my heart are missing you
When you're gone, the face I came to know is missing too
When you're gone, the words I need to hear
To always get me through the day
And make it okay
I miss you
I've never felt this way before
Everything that I do reminds me of you
And the clothes you left, they lie on the floor
And they smell just like you
I love the things that you do
When you walk away, I count the steps that you take
Do you see how much I need you right now?
When you're gone, the pieces of my heart are missing you
When you're gone, the face I came to know is missing too
And when you're gone, the words I need to hear
To always get me through the day
And make it okay
I miss you
We were made for each other
Out here forever
I know we were, yeah-yeah
And all I ever wanted was for you to know
Everything I do, I give my heart and soul
I can hardly breathe, I need to feel you here with me, yeah
When you're gone, the pieces of my heart are missing you
When you're gone, the face I came to know is missing too
When you're gone, the words I need to hear
Will always get me through the day
And make it okay
I miss you, mmm
Album Artist: Avril Ramona Lavigne
Album(s): The Best Damn Thing
Written by: Avril Lavigne, Butch Walker
Music genre(s): Pop, Rock
Released: 2007
Decade for first release: #2000sMusic
#AvrilRamonaLavigne #AvrilLavigne #TheBestDamnThing #WhenYoureGone #Pop #Rock #2000sMusic #loveSongs #femaleMusicians #femaleVocalist
Get ready to turn up the heat with Avril Lavigne's "Hot," a vibrant anthem from her album "The Best Damn Thing." This energetic track showcases Avril's playful side and catchy pop-rock sound, making it a fan favourite. Dive into the fun and excitement of this song that perfectly captures the essence of youthful exuberance.
Follow Avril Lavigne:
► Follow Avril Ramona Lavigne: @avrillavigne@tube.matrix.rocks
► Watch more music videos by Avril Lavigne: tube.matrix.rocks/c/avrillavig…
► Listen to Avril Lavigne: tube.matrix.rocks/a/avril_lavi…
► Listen to Avril Lavigne's "Avril Lavigne (Expanded Edition)": tube.matrix.rocks/w/p/pJ7A6HGX…
► Subscribe to the official Avril Lavigne channel: tube.matrix.rocks/c/avrillavig…
🎵 L Y R I C S 🎵:
Oh, oh, oh
You're so good to me baby, baby
I wanna lock you up in my closet
When no one's around
I wanna put your hand in my pocket
Because you're allowed
I wanna drive you into the corner
And kiss you without a sound
I wanna stay this way forever
I'll say it loud
Now you're in, and you can't get out
You make me so hot
Make me wanna drop
It's so ridiculous
I can barely stop
I can hardly breathe
You make me wanna scream
You're so fabulous
You're so good to me baby, baby
You're so good to me baby, baby
I can make you feel all better
Just take it in
And I can show you all the places
You've never been
And I can make you say everything
That you've never said
And I will let you do anything
Again and again
Now you're in, and you can't get out
You make me so hot
Make me wanna drop
It's so ridiculous
I can barely stop
I can hardly breathe
You make me wanna scream
You're so fabulous
You're so good to me baby, baby
You're so good to me baby, baby
Kiss me gently
Always I know
Hold me, love me
Don't ever go
Oh, yeah yeah
You make me so hot
Make me wanna drop
You're so ridiculous
I can barely stop
I can hardly breathe
You make me wanna scream
You're so fabulous
You're so good to me
You make me so hot
Make me wanna drop
You're so ridiculous
I can barely stop
I can hardly breathe
You make me wanna scream
You're so fabulous
You're so good to me baby, baby
You're so good to me baby, baby
You're so good
Album Artist: Avril Ramona Lavigne
Album(s): The Best Damn Thing
Written by: Avril Lavigne, Evan Taubenfeld
Music genre(s): Pop, Rock
Released: 2007
Decade for first release: #2000sMusic
#AvrilRamonaLavigne #AvrilLavigne #TheBestDamnThing #Hot #Pop #Rock #2000sMusic #femaleMusicians #femaleVocalist
Isaac Scott--Listen to the Blues:
youtube.com/watch?v=Mq4e0wPWpE…
Provided to YouTube by The Orchard EnterprisesListen To The Blues · Isaac ScottBig Time Blues Man℗ 2006 Red Lightnin RecordsReleased on: 2006-12-12Auto-gener...YouTube
Little Milton--Right to Sing the Blues:
youtube.com/watch?v=QupX7-4AcQ…
Provided to YouTube by Malaco RecordsA Right To Sing The Blues · Little MiltonReality℗ 1991 Malaco Records, Inc.Released on: 1991-06-20Contributor: Milton Ca...YouTube
Vanessa Beeley- Syria's Fall Into Israeli Hands, US-Zionist Entity Targets Hezbollah, Abraham Shields Forges On, Trump's Big Beautiful Bill Points To War With Iran, Russia, China & Warrantless Surveilthealtworld (TheAltWorld’s Newsletter)
S-A-T-U-R-D-A-Y NIGHT!!!!
Official HD Video for "I'm With You" by Avril Lavigne
Follow Avril Lavigne:
- Fediverse: tube.matrix.rocks/a/avril_lavi… @avrillavigne@tube.matrix.rocks
Lyrics:
I'm standing on the bridge
I'm waiting in the dark
I thought that you'd be here by now
There's nothing but the rain
No footsteps on the ground
I'm listening but there's no sound
Isn't anyone trying to find me?
Won't somebody come take me home?
It's a damn cold night
Tryin' to figure out this life
Won't you take me by the hand
Take me somewhere new?
I don't know who you are, but I
I'm with you
I'm with you, mm
I'm looking for a place
I'm searching for a face
Is anybody here I know?
'Cause nothing's going right
And everything's a mess
And no one likes to be alone
Isn't anyone trying to find me?
Won't somebody come take me home?
It's a damn cold night
Trying to figure out this life
Won't you take me by the hand
Take me somewhere new?
I don't know who you are, but I
I'm with you
I'm with you, yeah-yeah
Oh, why is everything so confusing?
Maybe I'm just out of my mind
Yeah-yeah-yeah, yeah-yeah
Yeah-yeah, yeah-yeah, yeah
It's a damn cold night
Trying to figure out this life
Won't you take me by the hand
Take me somewhere new?
I don't know who you are, but I
I'm with you
I'm with you
Take me by the hand
Take me somewhere new
I don't know who you are, but I
I'm with you
I'm with you
Take me by the hand
Take me somewhere new
I don't know who you are, but I
I'm with you, oh
I'm with you
I'm with you
Written by: #Graham #Edwards, #Lauren #Christy, #Avril #Ramona #Lavigne, #David #Scott #Alspach
Album: Let Go
Released: #2002
#AvrilLavigne #AvrilRamonaLavigne #googleFree #youtubeFree #lyrics #musicVideo #popMusic #rockMusic #music #alternativeRock #femaleMusic #femaleMusicians #femaleMusician #femaleSinger #femaleVocalist #OfficialVideo #OfficialAudio #LetGo #ImWithYou
Avril Ramona Lavigne is a Canadian singer-songwriter. Body shape: Banana Dress size (US): 2 Breasts-Waist-Hips: 86-60-86 cm (34-24-34 inches) Shoe size (US): 7 Bra size: 32B Cup size (US): B Heig...Music Videos and Funny clips
TEHRAN, Jul. 19 (MNA) – Yemen’s military says it successfully targeted Israel’s Ben Gurion Airport with a hypersonic “Palestine-2” missile, prompting mass evacuations and flight suspensions.Mehr News Agency
#palestine #gaza #rafah #freepalestine
abc.net.au/news/2025-07-20/isr…
ABC News provides the latest news and headlines in Australia and around the world.ABC News (Australian Broadcasting Corporation)
I'm going to hold your hand when I say this. I don't give a fuck whether immigrants "came here literally" or not.
We live in a country run by billionaire pedos who are actively burning the planet to the ground for a few more dollars and pulling us all down into actual fucking fascism but somehow I'm supposed to care about Juan the gardener and his wife Maria who makes the absolute best fucking homemade empanadas I've ever eaten in my life and whether they filed form M-725-E before or after crossing an imaginary line in the sand?
Ok weirdo.
#mpox #health #qldpol #qldgov #qld #queensland #australia #ausgov #auspol #tasgov #taspol #politas
abc.net.au/news/2025-07-20/sec…
ABC News provides the latest news and headlines in Australia and around the world.Ned Hammond (Australian Broadcasting Corporation)
Creedence Clearwater Revival--Born on the Bayou:
youtube.com/watch?v=fcTQCNntGE…
Join the official CCR email list: http://found.ee/CCR_NewsletterMusic video by Creedence Clearwater Revival performing Born On The Bayou. (C) 2012 Concord Mu...YouTube
Pars Today – The Ambassador of the Islamic Republic of Iran to China has stated that Iran's active diplomacy is moving forward with a powerful strategic ap...Pars Today
Turns out, pigs can fly.
What is it with LA cops and blowing up the neighborhood?
bbc.com/news/articles/c62891d4…
Federal agents are investigating, but authorities describe it as "an isolated incident" with no further threat to the public.Nadine Yousif (BBC News)
Free Mario Guevara!
atlantaciviccircle.org/2025/06…
#MarioGuevara #antiICE #Atlanta #Chamblee #fuckICE
Learn about Mario Guevara, the journalist arrested during an anti-ICE protest while covering the event for the community.Alessandro Marazzi Sassoon (Atlanta Civic Circle)
If you only read one article today, make it this one.
Excerpt: The biggest problem with removing evil from American culture and what’s left of our civilization is, quite frankly, the Democratic Party. Their mantra calls evil good, and good evil, and it is imperative, for them, that they have as much human depravity as possible. That is the source of their political power.
townhall.com/columnists/markle…
They are lying about everything. They are lying about climate change. They are lying about the Epstein files. They are...Mark Lewis (Townhall)
More your style
Make sure to download Opera for free using my link: https://opr.as/Opera-browser-mattstonieVideo sponsored by: OpreaWe tasted & ranked Every Single Gordon Ra...YouTube
US President Donald Trump sues the Wall Street Journal for $10 billion over its reporting on a 2003 birthday letter that Trump allegedly sent to Jeffrey Epstein.Al Mayadeen English (Trump sues WSJ for $10bln over Epstein birthday letter report)
Grisham's tiebreaking slam in 9th completes Yankees comeback against Braves
https://apnews.com/article/yankees-braves-score-grisham-volpe-356b33d6a4e3fe1b4f58a0c3bd32e376?utm_source=flipboard&utm_medium=activitypub
Posted into Sports @sports-AssociatedPress
Link to play: https://gamaverse.com/underwheels-game/Underwheels is a parody game based on the Asgore meme. Get behind the wheel as Asgore Dreemurr himself a...YouTube
3 people are still missing from deadly July 4 floods in Texas county, down from nearly 100
https://apnews.com/article/texas-floods-kerrville-missing-people-60879abd90bddf83e81af0e436afc33d?utm_source=flipboard&utm_medium=activitypub
Posted into U.S. News @u-s-news-AssociatedPress
John Oliver's Erie Moon Mammoths debut in front of a record crowd
https://apnews.com/article/john-oliver-erie-moon-mammoths-8909814abd7f3c6e9768200e858515cf?utm_source=flipboard&utm_medium=activitypub
Posted into Sports @sports-AssociatedPress
WNBA All-Stars make statement with warmup shirts over CBA
https://apnews.com/article/allstar-game-cba-7d122d2e895b7a60926299a78498ebc8?utm_source=flipboard&utm_medium=activitypub
Posted into Sports @sports-AssociatedPress
Science shouldn’t be a partisan issue.
From cancer treatments to extreme weather alerts, science makes everyone’s life better, regardless of political affiliation.
But science becomes partisan when corrupt politicians defund research, fire scientists, and censor data, harming us all.
Regardless of political affiliation, yes.
But not regardless of wealth.
Current Science seems to say that the extreme wealth concentration is bad for society, economy and the environment.
So the extremely wealthy want to destroy science.
Over a year ago, I posited that AI coding stuff isn't about coding or productivity. It's about some % of people who feel a stimulus-reward thing from using it, similar to how some people feel when gambling. It feels so overwhelmingly good to some % of people they don't even bother to measure if their AI stuff is actually doing anything useful, because of course it must be, because the feeling is so strong.
It seems more & more people are also finding this idea lately.
But I've also realized that it seems to apply to any of the prompt-style AI things, not just coding. There is some kind of slot machine playing mania (sorta, not exactly) thing it triggers in some % of people. I'm certain of it now.
If anything, it makes me feel a bit less angry and more sad towards the people with this AI prompt-query compulsion. It feels closer to when you see someone with a gambling addiction stuck at a gambling machine.
this reflects my experience pretty strongly.
I've been pretty staunchly opposed to this wave of gen-AI since chatGPT launched in 2022, and never intentionally touched it until three months ago, when I finally felt like I needed to spend at least a little bit of time with it to understand/prove what I was opposed to. it almost *immediately* triggered an addiction response (of the gambling category, as you pointed out), to the point where within a week I could barely sleep, and all I could think about was prompting, explicitly like I needed to be using it 24/7 and trying to figure out the right way to extract quality output from it, under this sudden manufactured feeling of urgency.
luckily, i got burnt out on it pretty "quickly" (roughly a month) which forced me to step back, and had lived long enough to be able to identify what this cycle was. It was also tremendously helpful to both have had a long critical perspective built against the tech that I had now tested against, and a really high bar of personal work quality that I was able to use to categorize that output of these tools as "complete shit".
it's wild to me that as someone who was pretty publicly and vocally against the principle of the tech, this addiction loop still hit me at full force, on the very first prompt I ever fed it. for people without the life experience, critical lens, and body of high quality personal work to measure against, I can't imagine how many could possibly escape from the slot machine cycle. "if I can just figure out exactly how to word this prompt, it'll solve all my problems...". I wonder how those who do escape don't talk about it publicly out of shame (me, until this post).
the silver lining for me personally is that it did end up having some kind of positive effect on how I approach my work. reading through so much slop for a month re-lit a fire within me to be even more intentional and human in my work, whether through writing or code.
Holy shit. Okay, that's terrifying.
Me, I have next to no susceptibility to gambling-- for one thing, I understand too much about math, the odds of winning are so low the whole thing strikes me as contemptibly absurd-- and for another, I'm a digital artist so gut-wrenched by the uncanny valley effect of putting other people's work through a meat grinder and regurgitating it into a shambling frankenitation of art that it makes me feel physically ill, so I haven't even touched it. I've just been sitting here mystified like WHY EVEN...
If that's the type of effect it's having on people who aren't wired like me... good gawd, we're in deep shit.
Japan votes in a key election as Prime Minister Ishiba faces a loss and political uncertainty
https://apnews.com/article/japan-politics-election-ishiba-parliament-vote-fcc2fb4cce609240d1c2369bf4090e26?utm_source=flipboard&utm_medium=activitypub
Posted into Asia @asia-AssociatedPress
Venezuela and Colombia formalized a joint Peace and Economic Zone to promote cross-border development and integration.teleSURenglish
Napheesa Collier's record-breaking performance leads her team to victory in WNBA All-Star Game
https://apnews.com/article/wnba-all-star-clark-collier-9106a268000a103447b06f727af57afa?utm_source=flipboard&utm_medium=activitypub
Posted into Sports @sports-AssociatedPress
Giant defense contractors like Lockheed Martin are angling for a piece of President Trump's "Golden Dome" funding. Cenk Uygur and Ana Kasparian discuss on Th...YouTube
@ryan
This man loves the smell of diversity
RT: social.binarydad.com/users/rya…
💬 0 🔁 15 ❤️ 49 · Saw this brought up on Twitter but no, women aren't emotionally free. Women are not totally free to express their emotions unlike cis guys. They accused women of "Hysteria" an…Tumblr
I'll go to a Mom n Pop joint like Ye Olde Fashioned Ice Cream Shoppe or Cookout Burger or Wendy's usually for a burger on the go.
Gaza today is not merely a geographic flashpoint or a humanitarian crisis. It stands as a profound symbol of the moral cenglish.pnn.ps
Haitian Illegal Alien Arrested in Massachusetts for Raping and Impregnating His 14-Year-Old Daughter
thegatewaypundit.com/2025/07/h…
A Haitian illegal alien has been arrested in Massachusetts for raping and impregnating his 14-year-old daughter.Cassandra MacDonald (Where Hope Finally Made a Comeback)
HaraldvonBlauzahn
in reply to HaraldvonBlauzahn • • •The details are complex; it has humorously been called "security by security".
Hobby Linux users could, as far as I understand, simply disable UEFI secure boot (after weighing carefully what secure boot provides to them, and what it does not provide). Otherwise, they'll need a firmware upgrade before any upgrade to a new OS / bootloader chain.
Small companies which use old laptops with Windows might be bitten hard by this because they can become locked out of their hardware with no way to update it, or even make a backup!
specification that defines a software interface between an operating system and platform firmware
Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)
HaraldvonBlauzahn
in reply to HaraldvonBlauzahn • • •(Nearly) All Your Computers Run MINIX
Hackaday
Technus
in reply to HaraldvonBlauzahn • • •For a home desktop that's never left unattended with anyone untrustworthy, I don't see that Secure Boot is worth the effort in setting up.
Given that you have to re-sign the boot image every time you upgrade, any malware already running with root privileges on the machine could easily slip itself into the new signed image.
The best security is not running untrusted software to begin with.
HaraldvonBlauzahn
in reply to Technus • • •Can you explain the detailed reason why you think that? Voicing opinions is nice of course but explaining the thought process and logic is, I think, almost always more interesting to other people.
To start with, what do you think is the "normal users" threat model? And, for example, if one happens to be a member of any of the various minorities that authoritarian governments of every color happen to single out and persecute in your country's case, what would you want to protect from? Or if you are, say, a lawyer, and have a professional obligation to protect sensitive data from theft?
Technus
in reply to HaraldvonBlauzahn • • •Actually, I would love for you to explain to me how Secure Boot alone would protect someone from any of that. If you want to protect files, you need full disk encryption, not Secure Boot.
Or are you seriously expecting a government-level threat actor to bother to:
That's the great thing about fascist governments, is they have no need to be that sneaky. They can just change the laws to make whatever you're doing illegal and jail you until you agree to give up your documents, or simply hit you with a $5 wrench until you tell them the password.
Security
xkcd
balsoft
in reply to HaraldvonBlauzahn • • •Secure Boot is a really contrived and, frankly, bad defense against an attack that is extremely difficult to execute in reality and does not happen often (are there any examples of a bootloader replacement against a home desktop in the wild?).
An actually good solution would be firmware support for LUKS-style FDE (with a password-encrypted key which then encrypts the rest of the disk), so that your bootloader is encrypted with the rest of your system and impossible to substitute without erasing the rest of the disk, until you enter the password. This way there's no need for key enrolment into firmware, and firmware manufacturers don't have to just trust MS. (the firmware of course needs to be protected too, by signing it with the manufacturer's key; if you flash something unsigned, a warning pops up Android-style before every boot).
If you are hiding something from the state (like your sexual orientation or something), your energy is much better spent encrypting your communications online and keeping your identities anonymous. If you are already suspicious enough to try and pull a bootloader replacement attack on you, any authoritarian state which would do that in the first place will just throw you in jail and fabricate evidence as needed.
SheeEttin
in reply to Technus • • •If secure boot is off, and you run malware on your pc, it can change the boot process to escalate privileges.
This probably requires root or admin in the first place, but if they can install a malware loader, they can establish persistence so that even if you remove the os-level components, they'll be reinstalled on reboot.
Technus
in reply to SheeEttin • • •Yeah, but the malware can just wait for a system upgrade where you sign a new boot image and slip itself in then.
It works for Windows because theoretically only Microsoft would have the signing key and it's not just sitting on disk somewhere. But then you're just trusting Microsoft, and also subject to vendor lock-in.
HaraldvonBlauzahn
in reply to SheeEttin • • •This is technically correct, but on a desktop system, malware executing in user space is normally already game over. It can exfiltrate and send your passwords or ssh private keys, change browser certificates or browser software, add user systemd sessions or crontab entries and can generally e.g. do everything a banking trojan would like to do.
Max-P
in reply to HaraldvonBlauzahn • • •As commenters on the LWN thread said, I doubt that many firmwares even bother to check anyway. My motherboard happens to have had a bug where you can corrupt the RTC and end up in 2031 if you overclock it wrong. I didn't use secure boot then though so I don't know if it would have still booted Windows. But I imagine it would.
That said, I've always just enrolled my own keys. I know some other distros that make you enroll their keys as well like Bazzite. At least that way you don't depend on Microsoft's keys and shim or anything, clean proper secure boot straight into UKI.
HaraldvonBlauzahn
in reply to Max-P • • •Seems it compares the expiration date of the UEFI key with the signature date of the bootloader / OS keys. (See the comments on the LWN article, some are far more knowledgeable than I am.) So, no, it does not require a working on-board clock to lock you out if you are not extremely careful and fully understand each part.
HaraldvonBlauzahn
in reply to Max-P • • •That does not help if the master key in the key chain is expired.
Sure you can disable Secure Boot. But a password-protected BIOS is secured by TPM again. High levels of security always carry a risk of locking oneself out.
exu
in reply to HaraldvonBlauzahn • • •I don't think you understand what "enrolling your own keys" means in the context of Secure Boot.
The key affected here is specifically for the Linux shim signed by Microsoft. It is used by GRUB and some distros to work with Secure Boot.
Enrolling your own key means you add a new certificate to the key store. This is completely separate from the one provided by Microsoft and controlled only by you. The common recommendation is to remove all built-in keys and only add your own, to make this system as secure as possible.
HaraldvonBlauzahn
in reply to exu • • •And exactly that Linux shim signed by Microsoft is no longer valid because the Microsoft signature in the UEFI firmware is expired.
HaraldvonBlauzahn
in reply to exu • • •OK, now you are talking about something a bit different - registering own keys in the UEFI system, which is significantly more involved than updating the BIOS, and also requires firmware support, and the firmware also needs to match the motherboard. And the whole issue with ACPI support for Linux shows clearly that having reams of specifications is not enough, the implementation of the BIOS needs to match that specification, and whether that's the case you will only learn after you bought the hardware.
Here is a description of that process:
docs.bell-sw.com/alpaquita-lin…
Moreover, for any change of the boot chain, bootloader, possibly also kernel, this needs to be repeated.
Do you think that's accessible to normal users? Considering most have probably not even ever done a firmware update?
Using Your Own Keys in Secure Boot
docs.bell-sw.com
exu
in reply to HaraldvonBlauzahn • • •From the first post in this chain
I didn't start talking about it, this was many comments above
HaraldvonBlauzahn
in reply to Max-P • • •The whole point of the article is that you do depend on their expired root key. You have produced a lot of text without even understanding the key issue. At that point I am wondering whether all that text was produced by an LLM?
Norah (pup/it/she)
in reply to HaraldvonBlauzahn • • •
HaraldvonBlauzahn
in reply to Norah (pup/it/she) • • •Please don't troll and come back to the topic. GP was completely missing the topic, do you want to avoid it?
Um, given that Secure Boot prevents any modification of your computer's boot chain - including installing another boot loader or OS - that's not how it works.
Norah (pup/it/she)
in reply to HaraldvonBlauzahn • • •
Max-P
in reply to HaraldvonBlauzahn • • •That's the whole point of enrolling your own keys in the firmware. You can even wipe the Microsoft keys if you want. You do that from the firmware setup, or within any OS while secure boot is off (such as sbctl on Linux).
That's a feature that is explicitly part of the spec. The expectation is you password protect the BIOS to make sure unauthorized users can't just wipe your keys. But also most importantly that's all measured by the TPM so the OS knows the boot chain is bad and can bail, and the TPM also won't unwrap BitLocker/LUKS keys either.
Secure boot is to prevent unauthorized tampering of the boot chain. It doesn't enforce that the computer will only ever boot Microsoft-approved software, that's a massive liability for an antitrust lawsuit.
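The TPM measurement mentioned in the comment above, as an added example that is not part of the thread: a PCR can only be extended, never set, so changing the enrolled Secure Boot keys produces a different PCR 7 value and a disk key sealed to the old value stays locked. The variable contents are constructed placeholders, and the event format is simplified compared with what real firmware hashes.

```python
import hashlib
import hmac


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend: new = SHA256(old || SHA256(event)); a PCR can never be set directly."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_policy(variables: dict) -> bytes:
    """Replay the Secure Boot variables into a simulated PCR 7 (simplified event format)."""
    pcr = bytes(32)  # PCRs are all zeros after a platform reset
    for name in ("SecureBoot", "PK", "KEK", "db", "dbx"):
        pcr = extend(pcr, name.encode() + b"\x00" + variables.get(name, b""))
    return pcr


def seal(secret: bytes, pcr: bytes) -> dict:
    """Toy stand-in for TPM sealing: the secret is bound to one PCR value."""
    return {"pcr": pcr, "secret": secret}


def unseal(blob: dict, current_pcr: bytes):
    """Release the secret only when the current PCR matches the sealed-to value."""
    return blob["secret"] if hmac.compare_digest(blob["pcr"], current_pcr) else None


# Constructed variable contents; real ones hold certificates and hash lists.
OWNER = {"SecureBoot": b"\x01", "PK": b"owner-PK", "KEK": b"owner-KEK",
         "db": b"owner-db", "dbx": b""}
WIPED = dict(OWNER, PK=b"", KEK=b"", db=b"")           # keys cleared in firmware setup
FOREIGN = dict(OWNER, PK=b"other-PK", db=b"other-db")  # someone else's keys enrolled
DISABLED = dict(OWNER, SecureBoot=b"\x00")             # Secure Boot switched off


def run_scenarios() -> dict:
    """Seal a disk key under the owner's policy, then try to unseal in each state."""
    blob = seal(b"constructed-disk-key", measure_policy(OWNER))
    states = {"owner": OWNER, "wiped": WIPED, "foreign": FOREIGN, "disabled": DISABLED}
    return {name: unseal(blob, measure_policy(v)) is not None for name, v in states.items()}


if __name__ == "__main__":
    for state, ok in run_scenarios().items():
        print(f"{state:9s} unseal {'succeeds' if ok else 'refused'}")
```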
HaraldvonBlauzahn
in reply to Max-P • • •That is far more complex than a firmware update and also depends on a correct implementation of the spec in the BIOS - which, given the experiences with ACPI for Linux, is not at all something one can rely on.
Max-P
in reply to HaraldvonBlauzahn • • •
HaraldvonBlauzahn
in reply to Max-P • • •ACPI modules - ArchWiki (wiki.archlinux.org)
Eugenia
in reply to HaraldvonBlauzahn • • •
Tenderizer78
in reply to Eugenia • • •I just tried to distro-hop and found my BIOS had been locked with a password. Assuming I didn't set a password that I subsequently forgot (and that isn't one of the many I have memorized), I figured this might have something to do with the age of the laptop (I have an HP 4540s). If certificate expiration is already affecting people then this might be it.
EDIT: I just forgot I set a password, and it took me 2 days to realize that I was stupid enough to have set the password that I used for everything when I was 12 years old.
drspod
in reply to Tenderizer78 • • •
Tenderizer78
in reply to drspod • • •
deadcatbounce
in reply to HaraldvonBlauzahn • • •Being beholden to Microsoft doesn't sound like something anyone needs.
Until that ends I'm doing my best to avoid secure boot. I don't want to.
data1701d (He/Him)
in reply to deadcatbounce • • •
deadcatbounce
in reply to data1701d (He/Him) • • •I thought it was a Microsoft centric thing in that the certificate authority was either Microsoft or signed by Microsoft?
Maybe I need to read about it more? Can you direct me to the general area?
WhyJiffie
in reply to deadcatbounce • • •Microsoft's keys are pre-installed to all motherboards, so boot binaries signed by Microsoft are trusted by default. Afaik Microsoft keys often can't be removed, but not because it's not possible, but because it can brick devices. You can create your own MOK or Machine Owner Keys and set up your Linux system to sign your bootloader and kernel with it, but that is in addition to Microsoft keys.
wiki.archlinux.org/title/Unifi…
deadcatbounce
in reply to WhyJiffie • • •Thank you. Recently rebuilt my Arch Rescue build and saw that section in doing the UKI dance.
I don't mind the Microsoft keys being there at all. I just don't think tying myself to them is particularly clever.
From your final part. I think I need to go back and reread it. Thank you again.
☂️-
in reply to data1701d (He/Him) • • •
HaraldvonBlauzahn
in reply to ☂️- • • •
Max-P
in reply to HaraldvonBlauzahn • • •That's bullshit. ARM is an architecture and by itself does not specify secure boot any more than x86 does. Raspberry Pis don't have secure boot. You can unlock the bootloader on a Pixel, install GrapheneOS, and relock the bootloader just fine. Several other manufacturers allow bootloader unlocks no problem. The main reason you can't on some popular phones is US carriers, even international Samsungs you can unlock the bootloader and flash whatever you want on it.
I'm literally typing this comment on a phone running a custom OS (LineageOS on a OnePlus 8T). I'm literally 2 versions of Android ahead of the latest supported version. I also have a Galaxy S7 running Android 15, a phone that officially tops out at Android 8 and launched with Android 6. Both you literally just toggle the bootloader unlock option in the settings, no hacks no craziness, it's literally a feature.
At this point you're just straight up making shit up.
HaraldvonBlauzahn
in reply to Max-P • • •I mean Windows PCs with ARM CPUs which have Secure Boot, not Android smart phones or embedded devices.
Max-P
in reply to HaraldvonBlauzahn • • •Nope. Even Qualcomm themselves provide what's needed to run Linux on the Windows for ARM PCs.
The only one I can't find for sure is whether there's any lockdown on the firmware for the Microsoft Surface and Copilot+ laptops, but I'm also not finding any sources pointing that it would be. But at this point you're buying Microsoft hardware, what do you expect.
Qualcomm Snapdragon X Elite Benchmarks On Ubuntu Linux vs. AMD vs. Intel (www.phoronix.com)
HaraldvonBlauzahn
in reply to deadcatbounce • • •Here en.m.wikipedia.org/wiki/UEFI#S… is a list of problems and criticism on Secure Boot.
deadcatbounce
in reply to HaraldvonBlauzahn • • •
xia
in reply to HaraldvonBlauzahn • • •
☂️-
in reply to xia • • •
HaraldvonBlauzahn
in reply to ☂️- • • •There is even a whole section in Wikipedia on issues and criticism with secure boot:
en.m.wikipedia.org/wiki/UEFI#S…
Some people argue that one can work around such locking down of PC hardware. Do this or that to avoid issues with substantial tinkering.
But that is not a bug but a feature. Sure, as a technical Linux user you can work around some nastiness. Like working around privacy invasion on Facebook or LinkedIn by "adjusting" settings, or "adjust" settings in Windows to make it more private and so on. The thing is: working against the platform becomes quickly a losing game, because you don't control the platform - Microsoft does. And it does not help you if you manage to re-gain control of your device after some hours of tinkering if 99.9% of people around you don't have the knowledge and time and store your data, photos, Emails on OneDrive and so on. Freedom is very much a collective thing and software freedom is no exception.
And this does not mean that the tinkering and hacking is in vain - but it is not enough. We need the practical right to control our devices.
☂️-
in reply to HaraldvonBlauzahn • • •
Decker108
in reply to HaraldvonBlauzahn • • •