On 11/23/2017 07:55 AM, Leo Gaspard wrote:

> Can you please avoid ranting against secure boot once again?
>
> Secure boot is *not* useless. It *does* bring security benefits,
> although not as good as measured boot with a TPM: it requires an
> additional flaw somewhere in the {BIOS, bootloader} to bypass, instead
> of just coming in and replacing a non-encrypted element of the bootchain
> by taking the hard disk out of its case without ever being noticed. So
> if you have no TPM, using secure boot is a definitive security enhancement.

The "Linux" SB (i.e. Red Hat signed GRUB) is only for signed GRUB; it doesn't sign the kernel or the initramfs. One can also mess with the BIOS or ME, which is well within the skill level of a state attacker such as the MSS.
There are also a variety of SB exploits/bypasses.

Regardless, it'll be what eventually kills Linux on the desktop for the average person after the vendors stop including the Linux signing key (SB 2.0 specs don't obligate them to allow for owner control or even the inclusion of the second key, unlike SB 1.0 specs). If you desire such features, it would be much better to simply use a BIOS-embedded GRUB2 via coreboot, which supports kernel/initramfs signing features.

"Secure" Boot is a MS trojan horse.
