Secure Boot

That's totally another thing... Absolutely irrelevant. It's like saying that disk encryption can save you from an attack over the internet. But it's good at its place, of course.

1 Like

Thanks @linux-aarhus
Haven't seen a BIOS setup like this.

Your first screenshot shows you can 'enroll an efi image'.
Have you tried enrolling an OS efi in it?
Like grub.efi, boot.efi or perhaps even a core.efi (in /boot/grub/).
Perhaps this can set an entry in the bios firmware and perhaps in efibootmgr?
That will be neat (nice). :smile:

The second screenshot lets you set your own PUK key?
Then I wonder how you can tie that key in with our 'ordinary' grub (maybe the method by which the Linux shim uses Microsoft PUK keys, which I haven't found out, or want to find out).
But if you can add more of what you know, that will be good. But if you don't know, it's okay, no need to find out just for us. We're not going to use it, :laughing:, just for our knowledge.

Thanks again. Appreciate it. Cheers.

I have never tried - not enough incentive - or too much digging - I don't know - maybe I will get to it.

At the moment my twin brain cells are playing ping-pong on

1 Like

No, it's not at all what I meant. I'm saying that packages and ISO images signed by Manjaro developers are equally good protection to Secure Boot, which cannot alone fully protect from an attack over the internet either; the vulnerabilities are far greater than a single boot signature can ever plug. Even if you choose WHQL-only mode in EFI, you can still override that with the boot option to disable driver enforcement offered by Windows.

All Secure Boot does is look for a certificate upon boot and prevent booting without one. That certificate checking is rendered useless by the fact that you can add a custom PUK key (a necessary evil, but it's where the vulnerability lies in the affected EFI firmware that's not been patched; the EFI capsule is always unlocked in those), and also turn off signed driver enforcement anyway, which is checked by the OS rather than EFI (which any attacker can code their infected code to do).

Therefore the argument that Secure Boot is pointless is very strong.

1 Like
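
As an added defender-side check (not code from anyone in this thread): the post above says Secure Boot only verifies a signature at boot and that a custom PUK key can be enrolled. On Linux the firmware exposes whether it is actually enforcing, and whether it is still in Setup Mode (no Platform Key enrolled, so the key databases can be rewritten without a signed update), through efivarfs. This script parses those two variables; the sample byte strings are constructed so it also runs on a machine without EFI.

```python
"""Parse Linux efivarfs images to report Secure Boot / Setup Mode state.
Each efivarfs file is a 4-byte little-endian attribute word followed by the
variable data; SecureBoot and SetupMode carry a single byte each."""
import os
import struct

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE
EFIVARS = "/sys/firmware/efi/efivars"

def parse_efivar(raw: bytes) -> tuple:
    """Split an efivarfs file image into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar image too short for attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]

def boot_state(variables: dict) -> dict:
    """Classify firmware state from SecureBoot/SetupMode variable images.
    SetupMode == 1 means no Platform Key is enrolled, so KEK/db/dbx can be
    rewritten without a signed update; an enforcing platform reports
    SecureBoot == 1 and SetupMode == 0."""
    sb = parse_efivar(variables["SecureBoot"])[1][0]
    sm = parse_efivar(variables["SetupMode"])[1][0]
    return {"secure_boot": sb == 1, "setup_mode": sm == 1,
            "enforcing": sb == 1 and sm == 0}

def read_live_variables(base: str = EFIVARS) -> dict:
    """Read the real variables from efivarfs (EFI-booted Linux only)."""
    out = {}
    for name in ("SecureBoot", "SetupMode"):
        with open(os.path.join(base, f"{name}-{EFI_GLOBAL_GUID}"), "rb") as fh:
            out[name] = fh.read()
    return out

# Constructed samples: attributes 0x06 (BS|RT) followed by the one data byte.
SAMPLE_ENFORCING = {"SecureBoot": b"\x06\x00\x00\x00\x01",
                    "SetupMode": b"\x06\x00\x00\x00\x00"}
SAMPLE_SETUP_MODE = {"SecureBoot": b"\x06\x00\x00\x00\x00",
                     "SetupMode": b"\x06\x00\x00\x00\x01"}

if __name__ == "__main__":
    try:
        state = boot_state(read_live_variables())
    except OSError:  # not EFI-booted or no efivarfs: fall back to sample
        state = boot_state(SAMPLE_SETUP_MODE)
    print(state)
```

A machine reporting `setup_mode: True` is the case the post describes: anyone at the firmware can enrol their own keys, so a fleet check should flag it rather than trusting the "Secure Boot" label alone.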

Okay, I probably wouldn't either, if I were you. Just unnecessary 'features'. :rofl:
Just saw your encryption topic. I have the same thought (unnecessary features) - a plain encrypted data partition seems sufficient enough but to each his/her own.

Cheers.

3 Likes

Just adding to what you said.
What 'exploits' do we need to boot a 'secureboot' OS? Either Windows or Linux.
From another 'simple grub' or from any install media grub, we don't need any 'exploits' to go into it.

As said elsewhere, it is like putting a fancy padlock on a 1 meter fence.
And as said then, and the main point, using and defending Microsoft's keys on our own OS is like defending our neighbour locking our own house or ..... our own rapist. :rofl: Hor! Hor! Hor!!!!

2 Likes

From my experience - no exploits are needed - just access to the unprotected firmware

3 Likes

That metaphor cracked me up, but I hope it doesn't land you in hot water with more sensitive types.

Windows speaks for the backdoors left open and used to circumvent this chocolate fireguard feature. Linux users, and Windows users as well for that matter, don't need to use the 'exploits' at all, just a keyboard and a finger (or a paperclip too sometimes). The mostly OEM software with exploitable features (but also the Windows kernel itself has been patched a few times to counter this) resides solely in the Windows domain and has supposedly been patched, but like I said, repeatedly they find new holes.

2 Likes

Yet Another Secure Boot Topic (YASBooT) :rofl:

In my perspective, Secure Boot is one more (vendor/s) attempt to provide HW buyers with peace of mind, falsely believing that the HW they bought is secure.
This lowers the guard on security-oriented behavior from the user's side, which is the more vulnerable on security/protection issues.
Edit: This seems equivalent to the vehicle industry relevant issue about safety. What is the most returning investment for safety, dynamic or passive (if I express this properly)?


IMHO it would be more beneficial to users if vendors would spend time and money on educating end-users about the importance of building secure behavior. This is what Linux is doing, nevertheless.

For example, when MS first tried to enforce password entry for administrative actions, many users reacted against it, expressing annoyance and discomfort. What was the response from the vendor? They stepped back, making the password override as easy as a right-click, select Run as Administrator, which educates security-irresponsible users (the majority?) about nothing.

Have I told you about a great message during Win installation?

Leave everything to us!

Don't you get the message?

5 Likes

What the heck are you guys talking about? PK (Platform key)?

I think he meant to say secure boot makes him want to puk* :face_vomiting:

:wink: :smile: :rofl:

5 Likes

I got your humor, but seriously, to me it looks like the guys have no idea what they are talking about.
I'm sure about gohlip, and sure about you - you both clearly stated before that you had neither tried nor wanted to try to set up SB. But micsim35's experience may be another story, though.

On the other hand, my expertise is limited too - I only followed guides and manuals.

No offence, I just don't like it when people talk about things they are not into - it forms a wrong picture.

3 Likes

GPLv3 is not all of GPL, and it is in fact a monstrosity for operating systems that Torvalds himself disowns.

Source?
The only "exploit" ever was the debug free pass bootloader leaking for ARM.

Do you even understand what a bootkit is? It's not an ISO thing, and it doesn't even have anything to do with installation.

Funny thing, I already provided you tons of links from different sources, all of them having actually worked with the code and difficulties in question, rather than simply deciding to puke once they heard Microsoft, and somehow you are still repeating ad nauseam the claims that, as far as I remember, you had already conceded not to be actually true.

Oh yes, Debian, the famous commercial distribution sold to capital and profit and ****.

Yes. You. User with physical access.
Not Vlad, the hacker from Ukraine.

It's almost like someone was willfully ignoring some piece of information.

It's a possibility on every firmware in fact. Shim was created in order to abstract the practical differences between each vendor.

Excuse me.
Are you referring to me? If this is the case what info have I been ignoring?

I'm not into rape. Can I speak out against it? :crazy_face:

5 Likes

Some other dear people in this thread.
Your empiricism is all but praiseworthy.

Oh, the famous crime running on x86

1 Like

Haha, this thread now is a real stand-up competition.
Thing is, one can argue when he/she has at least some expertise in the field of discussion. If not, it can only be an opinion.

1 Like

@mirth
There are some people we do not want to argue with.
There is a saying about arguing with...uhm...
Have a good day.

2 Likes

Users coming from Windows might find it reassuring to have, but it is not all that necessary.

Using Google to translate - it comes out quite negative.

Knowing that English is not native for many of us, I have to ask:

What exactly do you mean by that?
