On Thursday, July 9, 2020 3:38:54 AM MST Richard Hughes wrote:
> On Wed, 8 Jul 2020 at 22:19, John M. Harris Jr <joh...@splentity.com>
> wrote:
> > This is not something that's beneficial here, it's only
> > harming our users.
> That seems exceedingly myopic to me. I'm guessing you've not been
> following the last few years of security research, where attacking the
> firmware is now the best way to own a machine. And please don't
> lecture me on why BIOS is more secure than UEFI, "compatibility" mode
> is implemented *on top of* the UEFI bios these days, rather than as a
> completely different software stack.

"Attacking" the firmware has always been the best option, even with BIOS boot 
systems. For example, coreboot is technically a hostile payload, to the OEM. 
That doesn't mean that it makes any sense to prevent the end user from 
actually owning the hardware they've purchased, and doing with it what they 

> > If you've got root, you can STILL do almost anything to the hardware,
> > including disabling various "firmware protection technologies".
> I don't think you understand what enabling SecureBoot actually does.

"Secure Boot" doesn't make root non-uid 0, and can't keep root from 
controlling system devices, even uploading unsigned firmware to peripherals. 
At the point that anything but the end user gets root on a Fedora install, all 
of these "security gains" provided by creating needless headache for those 
running under "Secure Boot" are null and void.

John M. Harris, Jr.

devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 

Reply via email to