• Kongar@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    129
    arrow-down
    5
    ·
    3 days ago

    Unpopular opinion but I’m dying on this hill. Secure boot creates more problems than it solves.

    • JiveTurkey@lemmy.world
      link
      fedilink
      English
      arrow-up
      81
      ·
      3 days ago

      I’d argue this is actually a popular opinion. IMO secureboot has just become a way for Microsoft to leverage it’s position and keep a strangle hold on industries they have no business being in.

      The whole kernel level anti-cheat on win11 bullshit in the gaming industry is a good example. Essentially locking games to its platform and willing to sacrifice security to do so at our expense.

      • Default Username@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        23
        ·
        3 days ago

        This is especially true on computers where it is impossible to change the signing keys. Smartphones, game consoles, many laptops, some desktops, smart TVs, IoT devices, modern cars, etc.

        • RiverFox7@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          2
          ·
          3 days ago

          I think that key can be changed on Google Pixels. I run GrapheneOS and reverting to stock would require erasing the key.

          • Default Username@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            9
            ·
            3 days ago

            Kind of. You can change the signing key for the operating system, but you cannot change the signing key of the primary bootloader, as that is baked into the SoC.

              • Default Username@lemmy.dbzer0.com
                link
                fedilink
                English
                arrow-up
                8
                ·
                3 days ago

                That’s moreso because it’s using an unofficial key, so the device manufacturer (Google in the case of Pixels) cannot verify the authenticity of the OS you’re running.

                If you were able to replace that bootloader with a custom one, then you would be able to disable that message or just use a completely different bootloader like UBoot or EDK2 if it was ported, though.

                • 𝕸𝖔𝖘𝖘@infosec.pub
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  2 days ago

                  Functionally, though, wouldn’t it be the same as replacing the computer’s SecureBoot bootloader, since it’s Microsoft (in the case of SecureBoot) that doesn’t like the unofficial key that Linux installs? Shouldn’t the user be allowed to add or remove any key they desire from the allow list of official keys (maybe have some sort of decentralized verification system, if they user decides they want to verify it)?

                  I’m more thinking out loud here, trying to understand.

                  • Default Username@lemmy.dbzer0.com
                    link
                    fedilink
                    English
                    arrow-up
                    3
                    ·
                    2 days ago

                    The difference is that with ARM TrustZone, there is an efuse burned with the key that the manufacturer set in the SoC itself that checks the signature of the primary bootloader, which cannot be modified.

                    Standard computers do not have such a hardware-level key, so if you wanted to replace the bootloader with something like coreboot if it has been ported to your board, then you can. On smartphones, you do not have that option.

                    Same thing goes for even more locked down systems like game consoles.

          • skaffi@infosec.pub
            link
            fedilink
            English
            arrow-up
            2
            ·
            22 hours ago

            You think that’s a safety boot you’ve got there? It’s anything but! It is clearly the bottommost part of a certain powered hazmat suit - why, it’s a Hazard Boot! You’ll need to ask one of the egg heads whether Secure Boot is a part of its boot sequence, though.

            Poor Gordon Freeman, running around out there somewhere, with just one Hazard Boot. I guess you’ll find that his other leg is running with Insecure Foot, then.

      • chaogomu@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        3 days ago

        Popular is the wrong question, the correct question is, how many machines is this default on.

        • incompetent@programming.dev
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 days ago

          And, how many people switch to something other than the default? Most W11 users are just going to go with whatever the computer says it’s doing without changing anything. They’re either ignorant of the options available, or scared of breaking something if they make a change.

    • Fizz@lemmy.nz
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      18
      ·
      3 days ago

      What problem does it create? Its a good tech and we absolutely should be cryptographically verifying the boot process to ensure it hasnt been tampered with.

      • Zarobi@aussie.zone
        link
        fedilink
        English
        arrow-up
        47
        ·
        3 days ago

        Because it’s proprietary and in 99% of cases actually means “Windows Boot”, and isn’t very compatible with other OS. Windows is basically in charge of the entire technology and doesn’t have a history of being friendly to other OS.

        For a while Linux was completely blocked by this setting, which was yet another technical barrier to getting into Linux because you had to fuck around in your scary UEFI settings otherwise your PC would be soft-bricked after installing Linux. Nowadays it’s slightly supported by some distributions but Microsoft could of course change it at any time.

        Further reading: https://wiki.ubuntu.com/UEFI/SecureBoot

        • orclev@lemmy.world
          link
          fedilink
          English
          arrow-up
          19
          ·
          3 days ago

          The way it should work is that during the OS install the OS can ask to have a cert added to the keystore at which point UEFI pops up a screen that says something like:

          An application has requested to add a new certificate to secure boot which will allow new software to run at boot up. This usually happens when installing or updating an OS. If you would like to allow this press and hold <5 randomly selected letters> on the keyboard for 5 seconds. If you don’t want to allow this press and hold escape for 3 seconds.

          This would at least be a vendor agnostic way of enrolling certificates instead of the MS certificate just always being pre-installed. It should also of course be publicly documented exactly how the process works so everyone can use it.

          • addie@feddit.uk
            link
            fedilink
            English
            arrow-up
            8
            ·
            3 days ago

            Problem being, of course, that you can add more certificates, but you can’t revoke the original M$ one. And since it’s vulnerable and you can’t get rid, then these exploits still work and there’s nothing you can do to stop it.

            • cmhe@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              2 days ago

              On some systems you can clear all secure boot keys, including Microsoft’s, then provision your own and sign your bootloader or kernel with it. Windows cannot boot from such systems.

            • Default Username@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              15
              ·
              edit-2
              3 days ago

              Computers shouldn’t come with Microsoft keys preinstalled to begin with (or an operating system for that matter). Microsoft being able to have Windows preinstalled on the vast majority of non-Apple PCs is how they gained their monopoly in the first place.

            • orclev@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              ·
              3 days ago

              You should be able to remove any or all the certs as well, although I could see an argument for requiring you to enter the BIOS to do that.

          • exu@feditown.com
            link
            fedilink
            English
            arrow-up
            4
            ·
            3 days ago

            Universal Blue distros do that. For some reason you need to enter a password though.

            • cmhe@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              2 days ago

              This is the MOK (Machine Owner Key), which is part of the shim bootloader, not UEFI secure boot.

              The shim bootloader is signed by Microsoft UEFI secure boot keys, so Microsoft is the root of trust there.

              On some systems you can delete all Secure Boot keys, and provision your own, then you don’t need the shim bootloader and can sign your own bootloader or Linux kernel directly. Windows would not be able to boot on those systems.