Linux

8602 readers

735 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago

MODERATORS

Ategon@programming.dev

anzo@programming.dev

dwraf_of_ignorance@programming.dev

Microsoft's Secure Boot UEFI bootloader signing key expires in September, posing problems for Linux users (www.tomshardware.com)

submitted 3 days ago by cm0002@programming.dev to c/linux@programming.dev

14 comments fedilink hide all child comments

top 14 comments

sorted by: hot top controversial new old

[–] kbal@fedia.io 24 points 3 days ago

manufacturers could add support for the new key by updating the KEK database

Oh right, the KEK database. They are literally trolling us aren't they.

[–] the_riviera_kid@lemmy.world 19 points 3 days ago (3 children)

Not if you disable it, "secure boot" is a joke anyway.

[–] Badabinski@kbin.earth 27 points 3 days ago (3 children)

I mean, Secure Boot does actually help defend against evil maid attacks if paired with FDE. Someone can't just fuck with your /boot (CVE-2016-4484 nonwithstanding) to do naughty things with your system if you have Secure Boot enabled. Does that fit with most people's threat model? I dunno, probably not. It does actually do something useful though.

My work computer has it enabled and I feel better for it. The issue described in the article is easily dealt with if you just keep up with your firmware updates using fwupd.

[–] Maiq@lemy.lol 3 points 3 days ago

Just so I have this right, fwupd will update the firmware with the new keys. Just fuzz on if you have to create a new secure-boot key yourself?

[–] sylver_dragon@lemmy.world 1 points 2 days ago (1 children)

Ya, Secure Boot is really only useful for corporate devices or very specific people who might actually be targeted by state level attackers. For most of us, it's not worth the hassle.

[–] noxypaws@pawb.social 4 points 2 days ago

we are all currently being surveiled by state level attackers.

[–] possiblylinux127@lemmy.zip 1 points 2 days ago

It would be nice if system76 did firmware updates via fwup

It doesn't nor does it protect against tampering what so ever

[–] possiblylinux127@lemmy.zip 3 points 2 days ago

It can be a major security benefit when done correctly.

I'm not sure if there is a single vendor doing it correctly

[–] Prime@lemmy.sdf.org 0 points 2 days ago

Cannot always be disabled

[–] Ooops@feddit.org 18 points 3 days ago

The actual problem is (and has been for a long time) the enormous amount of absolute trash-level uefi implementations.

Updating keys is easy. Alas... a lot of them are completely broken beyond repair and fail everything but running with the pre-installed keys, which includes updating (or adding new) keys (bonus points for the really screwed up devices that even sign some their own hardware with the pre-installed MS keys thus bricking themselves if those keys are changed).

[–] 17lifers@sopuli.xyz 3 points 3 days ago (1 children)

not a problem

[–] kbobabob@lemmy.dbzer0.com 1 points 2 days ago

Never was

[–] thann@lemmy.dbzer0.com 2 points 2 days ago (1 children)

If you use linux and are dependant on M$, youre doing it wrong

[–] possiblylinux127@lemmy.zip 2 points 2 days ago

Well I think we are all doing it wrong then