On Thursday, July 9, 2020 3:38:54 AM MST Richard Hughes wrote: > On Wed, 8 Jul 2020 at 22:19, John M. Harris Jr <joh...@splentity.com> > wrote: > > This is not something that's beneficial here, it's only > > harming our users. > > > That seems exceedingly myopic to me. I'm guessing you've not been > following the last few years of security research, where attacking the > firmware is now the best way to own a machine. And please don't > lecture me on why BIOS is more secure than UEFI, "compatibility" mode > is implemented *on top of* the UEFI bios these days, rather than as a > completely different software stack.
"Attacking" the firmware has always been the best option, even with BIOS boot systems. For example, coreboot is technically a hostile payload, to the OEM. That doesn't mean that it makes any sense to prevent the end user from actually owning the hardware they've purchased, and doing with it what they please. > > If you've got root, you can STILL do almost anything to the hardware, > > including disabling various "firmware protection technologies". > > > I don't think you understand what enabling SecureBoot actually does. "Secure Boot" doesn't make root non-uid 0, and can't keep root from controlling system devices, even uploading unsigned firmware to peripherals. At the point that anything but the end user gets root on a Fedora install, all of these "security gains" provided by creating needless headache for those running under "Secure Boot" are null and void. -- John M. Harris, Jr. _______________________________________________ devel mailing list -- email@example.com To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://firstname.lastname@example.org