Re: [DNG] UEFI and Secure Boot

2017-10-27 Thread Dr. Nikolaus Klepp
On Thursday, 26 October 2017, John Morris wrote: > On Tue, 2017-10-24 at 09:01 +0200, marc wrote: > > > Secureboot is designed for them, not for you. You might come > > up with a really exotic use case, where it might help you. But > > if you look at it carefully enough, it relies on

Re: [DNG] UEFI and Secure Boot

2017-10-26 Thread taii...@gmx.com
On 10/23/2017 09:12 PM, zap wrote: no blobs of any kind with regard to wifi especially! Yes! and of course an open source firmware with fully open source silicon init. (ex: TALOS 2, KCMA-D8, KGPE-D16, Novena and a few others with the G505S being the most free modern laptop with IOMMU and no

Re: [DNG] UEFI and Secure Boot

2017-10-25 Thread John Morris
On Mon, 2017-10-23 at 17:06 +0200, Didier Kryn wrote: > I've read previously on this list that secureboot doesn't prevent > booting from a usb key... Or did I misunderstand? Correct, so long as the boot loader on the USB key is signed by a key the system trusts. And you didn't disable

Re: [DNG] UEFI and Secure Boot

2017-10-25 Thread John Morris
On Tue, 2017-10-24 at 09:01 +0200, marc wrote: > Secureboot is designed for them, not for you. You might come > up with a really exotic use case, where it might help you. But > if you look at it carefully enough, it relies on secureboot > redefining root to something weaker than what we want, and

Re: [DNG] UEFI and Secure Boot

2017-10-24 Thread marc
Hello > > If you are worried that somebody who has > > compromised your OS remotely will hack your bootloader, then > > reconsider their motives: They are already on a running host OS > > as root and can look inside your encrypted disk volumes too - > > you have lost already. > > Secureboot is

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Narcis Garcia
On 23/10/17 at 21:42, John Franklin wrote: > >> On Oct 23, 2017, at 2:37 PM, goli...@dyne.org wrote: >> >> On 2017-10-23 09:41, Steve Litt wrote: >>> To get Windows 10 certification, you have to have Secure Boot but >>> there's no requirement for an off switch. >>> SteveT >> >> If that is

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Enrico Weigelt, metux IT consult
On 23.10.2017 11:50, Simon Hobson wrote: [U]EFI in itself isn't all that bad - what some manufacturers do with it, and the hash they make of it, is often bad. It always had been bullshit. A good technical solution would be OF + device tree. Board vendors should just provide the board init

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread golinux
On 2017-10-23 20:12, zap wrote: firetools is how you use your web browser/internet connecting applications your web browser is firefox based with the garbage disabled but still regularly updated fsmithred has a neat text interface for firejail at:

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread zap
On 10/23/2017 04:18 PM, Edward Bartolo wrote: > Quote: "secure operating system" > > Where can I get that? Linux does have vulnerabilities. Together with > that, a kernel alone doesn't do much. Other packages are needed which > add up more attack surface area. > > You do remember when kernel.org

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread John Franklin
> On Oct 23, 2017, at 6:44 PM, Rick Moen wrote: > > Quoting John Franklin (frank...@tux.org): > > Technically, a rootkit is not a threat but rather a minor after-the-fact > sequel to a threat and successful attack. It does not embody an attack, > itself. Rather, it's a

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Rick Moen
Quoting John Franklin (frank...@tux.org): Technically, a rootkit is not a threat but rather a minor after-the-fact sequel to a threat and successful attack. It does not embody an attack, itself. Rather, it's a method of hiding from the legitimate administrator the covert activity of an intruder

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread John Franklin
> On Oct 23, 2017, at 6:13 PM, Steve Litt wrote: > > > And by the way, I had a Win8 box that wouldn't accept Linux, but > luckily it was for one of my kids who wanted Windows. > Brand and model? Why wouldn’t it accept Linux? jf -- John Franklin frank...@tux.org

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread John Franklin
> On Oct 23, 2017, at 5:34 PM, marc wrote: > >> kato...@freaknet.org writes: >>> And what if you want to use your own unsigned bootloader? Why should >>> you ask someone else the permission to boot your own machine? o_O >> >> Because I want to deny people with physical access

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Steve Litt
On Mon, 23 Oct 2017 15:42:00 -0400 John Franklin wrote: > > On Oct 23, 2017, at 2:37 PM, goli...@dyne.org wrote: > > > > On 2017-10-23 09:41, Steve Litt wrote: > >> To get Windows 10 certification, you have to have Secure Boot but > >> there's no requirement for an off

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread marc
> kato...@freaknet.org writes: > >And what if you want to use your own unsigned bootloader? Why should > >you ask someone else the permission to boot your own machine? o_O > > Because I want to deny people with physical access the ability to boot unsigned > bootloaders. > > I am both the owner of

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread zap
>> If that is true, it sounds like a class action law suit to me. Anyone want >> to take it on? > Can you identify any vendors where you can’t install Linux? If you can’t, > this is just a bunch of FUD. > > jf > It sounds like something that windows 10 vendors would love to do. The idea of

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread John Franklin
> On Oct 23, 2017, at 2:37 PM, goli...@dyne.org wrote: > > On 2017-10-23 09:41, Steve Litt wrote: >> To get Windows 10 certification, you have to have Secure Boot but >> there's no requirement for an off switch. >> SteveT > > If that is true, it sounds like a class action law suit to me.

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread golinux
On 2017-10-23 09:41, Steve Litt wrote: To get Windows 10 certification, you have to have Secure Boot but there's no requirement for an off switch. SteveT If that is true, it sounds like a class action law suit to me. Anyone want to take it on? golinux

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Adam Borowski
On Mon, Oct 23, 2017 at 10:41:29AM -0400, Steve Litt wrote: > On Mon, 23 Oct 2017 10:50:54 +0100 > Simon Hobson wrote: > > > > Two ways : > > 1) You simply turn off secure boot and it'll boot your unsigned > > binary. If your machine doesn't have that then it's a bug and

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Arnt Gulbrandsen
Didier Kryn writes: I've read previously on this list that secureboot doesn't prevent booting from a usb key... Or did I misunderstand? People spread too much FUD. Various people have asserted, without naming names, that some/most vendors do not allow you to delete keys from the list of

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Didier Kryn
On 23/10/2017 at 16:35, Arnt Gulbrandsen wrote: Didier Kryn writes: For me the things which need to be protected are 1) the data 2) the OS, to avoid backdoors I can't see any need to protect a motherboard against booting from a "foreign" disk. To access the data: Boot

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Narcis Garcia
On 23/10/17 at 16:35, Arnt Gulbrandsen wrote: > Didier Kryn writes: >>     For me the things which need to be protected are >> >>     1) the data >>     2) the OS, to avoid backdoors >> >>     I can't see any need to protect a motherboard against booting from >> a "foreign" disk. > > To

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Steve Litt
On Mon, 23 Oct 2017 10:50:54 +0100 Simon Hobson wrote: > Two ways : > 1) You simply turn off secure boot and it'll boot your unsigned > binary. If your machine doesn't have that then it's a bug and you > should complain to the retailer - and return the machine (which by

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Arnt Gulbrandsen
taii...@gmx.com writes: No you aren't. Intel ME + "Secure" boot non-owner controlled firmware code signing enforcement (probably hardware enforced via boot guard, so one couldn't even spend the thousands to have it removed via a coreboot platform port) If you can't execute whatever you

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Arnt Gulbrandsen
Didier Kryn writes: For me the things which need to be protected are 1) the data 2) the OS, to avoid backdoors I can't see any need to protect a motherboard against booting from a "foreign" disk. To access the data: Boot from foreign media, modify or replace the usual boot

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Didier Kryn
On 23/10/2017 at 11:47, Arnt Gulbrandsen wrote: Because I want to deny people with physical access the ability to boot unsigned bootloaders. I am both the owner of my hardware and the person who usually has physical access. Requiring signed boot loaders is a way to transfer rights from the latter

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Arnt Gulbrandsen
kato...@freaknet.org writes: Yes, but what about *adding* your own keys? This does not seem to be a popular option, AFAIK. Of course it isn't. Who has a reason to talk about it? Microsoft doesn't talk much about that, because Microsoft wants most users to use Windows Upgrade and get timely

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread KatolaZ
On Mon, Oct 23, 2017 at 11:16:50AM +0100, Arnt Gulbrandsen wrote: > kato...@freaknet.org writes: > >I don't know much about signed bootloaders, and i will try to re-read > >the thread to fully understand your statement. > > The short version: You can remove keys, so that only your own key is

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Arnt Gulbrandsen
kato...@freaknet.org writes: I don't know much about signed bootloaders, and i will try to re-read the thread to fully understand your statement. The short version: You can remove keys, so that only your own key is valid for booting. If you're then careful about that key, then later physical

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread KatolaZ
On Mon, Oct 23, 2017 at 10:50:54AM +0100, Simon Hobson wrote: > KatolaZ wrote: > > > And what if you want to use your own unsigned bootloader? Why should > > you ask someone else the permission to boot your own machine? o_O > > Two ways : > 1) You simply turn off secure

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread taii...@gmx.com
On 10/23/2017 05:47 AM, Arnt Gulbrandsen wrote: kato...@freaknet.org writes: And what if you want to use your own unsigned bootloader? Why should you ask someone else the permission to boot your own machine? o_O Because I want to deny people with physical access the ability to boot unsigned

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread KatolaZ
On Mon, Oct 23, 2017 at 10:47:31AM +0100, Arnt Gulbrandsen wrote: > kato...@freaknet.org writes: > >And what if you want to use your own unsigned bootloader? Why should > >you ask someone else the permission to boot your own machine? o_O > > Because I want to deny people with physical access the

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Simon Hobson
KatolaZ wrote: > And what if you want to use your own unsigned bootloader? Why should > you ask someone else the permission to boot your own machine? o_O Two ways : 1) You simply turn off secure boot and it'll boot your unsigned binary. If your machine doesn't have that

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Arnt Gulbrandsen
kato...@freaknet.org writes: And what if you want to use your own unsigned bootloader? Why should you ask someone else the permission to boot your own machine? o_O Because I want to deny people with physical access the ability to boot unsigned bootloaders. I am both the owner of my hardware

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread KatolaZ
On Mon, Oct 23, 2017 at 11:24:12AM +0200, Edward Bartolo wrote: > Contrary to the main argumentative line of this thread, I found EFI > far better than BIOS booting. The fact that a dedicated partition is > used to hold the primary boot loaders, is a great advantage. With > BIOS, the bootloader was

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Edward Bartolo
Contrary to the main argumentative line of this thread, I found EFI far better than BIOS booting. The fact that a dedicated partition is used to hold the primary boot loaders, is a great advantage. With BIOS, the bootloader was placed in the first sector's initial 446 bytes of data with the

Re: [DNG] UEFI and Secure Boot

2017-10-23 Thread Narcis Garcia
+1 I perform a lot of GNU+Linux installs each month, and 99% of them are absolutely wiping SecureBoot & UEFI. On 22/10/17 at 19:06, Steve Litt wrote: > Hi all, > > I basically said UEFI is junk and Secure Boot is an anti-small-distro > monopolistic practice. These were, and continue to

Re: [DNG] UEFI and Secure Boot

2017-10-22 Thread Fungal-net
> From: sl...@troubleshooters.com > To: dng > > Hi all, > > I basically said UEFI is junk and Secure Boot is an anti-small-distro > monopolistic practice. These were, and continue to be, my opinions, but > they're just one man's opinion. I can see use cases where Secure Boot >