> On Tue, 2017-10-24 at 09:01 +0200, marc wrote:
> >
> > Secureboot is designed for them, not for you. You might come
> > up with a really exotic use case, where it might help you. But
> > if you look at it carefully enough, it relies on secureboot
> > redefining root to something weaker than what we want, and
> > running some complex infrastructure which you are unaware
> > of behind it. If you want a weak root, run a virtual machine
> > instead.
>
> Not at all. Right now if you install Fedora or Ubuntu you get the
> protection of secure boot. You already trust them if you are installing
> their OS, correct? Everyone signs the kernel package at the package
> manager stage so we can all use untrusted mirrors. So now they also put
> a signature on a grub-efi package with a key signed by the UEFI CA that
> embeds their company keys. Now your system validates that GRUB is clean
> and it checks the kernel hasn't been tampered with before executing
> either of them,

But what does that buy us? If the .deb is already signed, an extra
vmlinuz signature doesn't make any difference. The bad guys can install
their code in the pre- or post-install scripts and get root on your
system - a signed kernel isn't going to help. As explained before, if
somebody has root the game is over. I am puzzled that this is tricky to
understand.

Signatures are a tool which can be used for good or bad. Signed .deb or
.rpms are probably a good use of the tool. Proprietary and complex
BIOSes enforcing signatures are a bad thing for the free software world
- you are running an extra layer of software you don't understand and
which wants to control you.

> Eventually Debian will begin shipping signed grub-efi and kernel
> packages.

That would be terrible, though consistent with the trajectory they are
on.

> Devuan would have to pay $100 to get a signed grub-efi of its
> own (with a Devuan kernel signing key embedded) to ship kernels built by
> them if they don't just pass on the Debian grub and kernel packages
> unmodified.

I would hope collectively Devuan is smarter than that. Paying for a
signed bootloader lends legitimacy to the concept that some party other
than the owner of the computer is entitled to decide what boots on a
particular machine. The next Linus in Malaysia or Nepal might not be
able to afford the $100 to boot his amazing new operating system (never
mind authenticate well enough to get one), and if some distribution is
somehow instrumental in helping the next wikileaks, payment processors
or cert authorities might refuse to accept the payment for the
certificate. The point is a signed bootloader helps centralise power,
which makes the world more unequal and undemocratic.

> That is it, one can argue how much security benefit it
> brings but it is non-zero and requires minimal effort to achieve.

You are only looking for the positives, and neglect to consider the
downsides. I would argue that summing features and misfeatures up one
ends up at a net loss.

regards

marc

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
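The thread above argues over what the Secure Boot chain (UEFI CA signs the bootloader, the bootloader embeds the distribution's key, the distribution signs the kernel) actually checks, and over what a signed .deb checks instead. The following Go program is an added illustration written for this page, not code from either correspondent, Debian, Devuan or any firmware: it models both verification paths with freshly generated Ed25519 keys (standing in for the RSA/Authenticode signatures real firmware uses) and shows which tampering each path detects. All key names, image contents and the `Firmware`, `Bootloader`, `Kernel` and `Package` types are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Firmware holds the trust anchor: the public key of a hypothetical UEFI CA
// (stands in for the firmware's "db" certificate store).
type Firmware struct{ caPub ed25519.PublicKey }

// Bootloader is the image as the firmware sees it: code, the distribution's
// embedded public key, and the CA's signature covering both.
type Bootloader struct {
	Code      []byte
	DistroPub ed25519.PublicKey
	CASig     []byte
}

// Kernel is a vmlinuz image plus the distribution's signature over it.
type Kernel struct {
	Image []byte
	Sig   []byte
}

// Package models a signed .deb: the kernel payload and a maintainer script.
// Note that the boot chain below never looks at Postinst.
type Package struct {
	Kernel   []byte
	Postinst []byte
	Sig      []byte
}

func bootloaderDigest(b Bootloader) []byte {
	h := sha256.New()
	h.Write(b.Code)
	h.Write(b.DistroPub) // the embedded key is part of what the CA signs
	return h.Sum(nil)
}

func signBootloader(caPriv ed25519.PrivateKey, code []byte, distroPub ed25519.PublicKey) Bootloader {
	b := Bootloader{Code: code, DistroPub: distroPub}
	b.CASig = ed25519.Sign(caPriv, bootloaderDigest(b))
	return b
}

func signKernel(distroPriv ed25519.PrivateKey, image []byte) Kernel {
	d := sha256.Sum256(image)
	return Kernel{Image: image, Sig: ed25519.Sign(distroPriv, d[:])}
}

func packageDigest(p Package) []byte {
	h := sha256.New()
	h.Write(p.Kernel)
	h.Write(p.Postinst) // the package signature does cover the scripts
	return h.Sum(nil)
}

func signPackage(distroPriv ed25519.PrivateKey, kernel, postinst []byte) Package {
	p := Package{Kernel: kernel, Postinst: postinst}
	p.Sig = ed25519.Sign(distroPriv, packageDigest(p))
	return p
}

// VerifyBootChain models what Secure Boot checks at boot time: firmware
// verifies the bootloader against the CA key, then the bootloader verifies
// the kernel against the distribution key it embeds.
func VerifyBootChain(fw Firmware, b Bootloader, k Kernel) error {
	if !ed25519.Verify(fw.caPub, bootloaderDigest(b), b.CASig) {
		return fmt.Errorf("bootloader: CA signature invalid")
	}
	d := sha256.Sum256(k.Image)
	if !ed25519.Verify(b.DistroPub, d[:], k.Sig) {
		return fmt.Errorf("kernel: distribution signature invalid")
	}
	return nil
}

// VerifyPackage models what the package manager checks at install time.
func VerifyPackage(distroPub ed25519.PublicKey, p Package) bool {
	return ed25519.Verify(distroPub, packageDigest(p), p.Sig)
}

// Scenarios builds a hypothetical CA, distribution, bootloader, kernel and
// package, then reports which checks pass in each tampering case.
func Scenarios() map[string]bool {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	distroPub, distroPriv, _ := ed25519.GenerateKey(rand.Reader)
	attackerPub, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fw := Firmware{caPub: caPub}

	kernelImage := []byte("vmlinuz image (constructed)")
	grub := signBootloader(caPriv, []byte("grub-efi code (constructed)"), distroPub)
	vmlinuz := signKernel(distroPriv, kernelImage)
	deb := signPackage(distroPriv, kernelImage, []byte("#!/bin/sh\nupdate-grub\n"))

	// Kernel bytes changed on disk after install: boot chain rejects it.
	tampered := vmlinuz
	tampered.Image = append([]byte("patched "), vmlinuz.Image...)

	// Embedded key swapped for an attacker's and kernel re-signed with it:
	// the CA signature over the bootloader no longer verifies.
	evilGrub := grub
	evilGrub.DistroPub = attackerPub
	evilKernel := signKernel(attackerPriv, kernelImage)

	// Maintainer script changed: the package signature catches it, but the
	// boot chain, which never sees the script, is unaffected.
	evilDeb := deb
	evilDeb.Postinst = []byte("#!/bin/sh\nupdate-grub\n# extra commands\n")

	return map[string]bool{
		"boot: clean chain":                   VerifyBootChain(fw, grub, vmlinuz) == nil,
		"boot: kernel modified on disk":       VerifyBootChain(fw, grub, tampered) == nil,
		"boot: embedded key swapped":          VerifyBootChain(fw, evilGrub, evilKernel) == nil,
		"package: clean .deb":                 VerifyPackage(distroPub, deb),
		"package: postinst modified":          VerifyPackage(distroPub, evilDeb),
		"boot: unchanged by modified postinst": VerifyBootChain(fw, grub, vmlinuz) == nil,
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-40s verifies=%v\n", name, ok)
	}
}
```

The two verifiers take different inputs, which is the crux of the disagreement: the package signature covers the maintainer scripts at install time, while the boot chain covers only the bootloader and kernel images at boot time, so each detects changes the other cannot see.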