Comment by exceptione

Comment by exceptione 9 days ago

42 replies

View on Hacker News

The list of dropped components is quite large. The cryptsetup, cryptenroll, unified kernel images, kernel signing and systemd-boot work nicely together.

I think Systemd has a view that those things should reliably work together. I do not fancy a revival of the past where the user has to cobble a mesh of hopefully compatible libraries to achieve the same, taking weeks to study the Arch manual and resolving tons of gotcha's, all to be broken by next week's update.

The integration of all this stuff is now actively under test and maintenance with systemd.

And yes, the mentioned services also have an impact on the scope of service managing. Because if you have a unit that depends on a disk that needs to be unencrypted, this has to be resolved somehow in the right time.

I personally have had no need for systemd-resolved, but I think for *desktop* the list of droppable components is not large.

So maybe we should first have a conversation about the *desktop* vs *container-os* purpose?

duskwuff 9 days ago

> The list of dropped components is quite large. The cryptsetup, cryptenroll, unified kernel images, kernel signing and systemd-boot work nicely together.

These are also all components which would be extremely difficult to make portable - they require tight integration with the kernel and its boot process. I can't imagine how you'd implement them in a portable fashion, short of either making changes to the kernel on one or both operating systems, or implementing a complex set of shims to make them present similar interfaces. Either one of those options would be a sizable project on its own - I can't fault the developer from shying away.

Reply View 1 reply
  • exceptione 7 days ago

    Good point. But it seems that it leaves you a choice of something that is either portable or feature-rich.

    It all depends on the purpose of the fork. If it is there to just provide the common service layer for applications in order to make applications portable, I could see a fork being valuable.

    Reply View 0 replies
udev4096 9 days ago

systemd has definitely made huge improvements to boot security which not a lot of "systemd haters" see. this is a great post from lennart: https://0pointer.de/blog/brave-new-trusted-boot-world.html

Reply View 25 replies
  • swe02 9 days ago

    As someone who uses systemd, "boot security" is pointless. If someone has enough access to your hardware to try booting a different kernel, they have time to load a signed shim that passes secure boot and launches unsigned code.

    The only boot security real users need is disk encryption.

    Reply View 9 replies
    • viraptor 9 days ago

      "on a system not configured for boot security, you get no boot security" is indeed correct. If you care about boot security, your local platform doesn't give you the chance to boot custom kernels and not passing secure boot doesn't give you decryption keys.

      Reply View 0 replies
    • fc417fc802 9 days ago

      There are multiple possible configurations. Only the most basic will permit an arbitrary payload as you describe.

      I've never been entirely clear about the security model when the signed shim is permitted. I assume I'm missing some nuance.

      Disk encryption alone won't protect you from either persistent malware (remote) or evil maids (local).

      Reply View 0 replies
    • bigfatkitten 8 days ago

      > The only boot security real users need is disk encryption.

      Which becomes easy to bypass without boot security. If an adversary can modify code that executes in the boot process, they can steal your keys.

      Reply View 3 replies
      • teddyh 7 days ago

        An adversary can usually only modify code that executes in the boot process if they already have root privileges, or if they have physical access. In either of those cases the game is already over anyway.

        Reply View 2 replies
    • craftkiller 9 days ago

      > signed shim

      How would they sign such a shim without my keys? I don't leave Microsoft keys enrolled on my laptop.

      Reply View 2 replies
      • wkat4242 9 days ago

        You don't but 99.99% of people do :) Especially because most Linux distros use a key signed by Microsoft by default.

        Reply View 1 reply
        • akdev1l 8 days ago

          The “people” don’t really matter.

          Anyone who needs a secure boot environment is having their own MOK and probably a private CA.

          Reply View 0 replies
  • immibis 9 days ago

    The problem with boot security is that the computer has no way to know its owner from someone who isn't its owner. All it can go on is who was there first. Which, you guessed it, was Lenovo.

    I have no problem with secure boot as a concept but I don't know how to implement it so it can't be used to lock you out of your own computer. And an implementation which allows that is worse than no implementation.

    Reply View 11 replies
    • fc417fc802 9 days ago

      The owner is whoever controls the installed keys. I think the issue is one of misuse rather than implementation.

      The firmware refusing to let you change the keys is the root of the problem but it's also useful as an anti theft measure when it's not being abused by OEMs. Boot security doesn't depend on that though.

      In addition to the above, as an alternative implementation I believe measured boot and a sealed secret is also sufficient to implement boot security without the need for the firmware to manage user provided keys at all.

      Reply View 0 replies
    • fsflover 8 days ago

      > but I don't know how to implement it so it can't be used to lock you out of your own computer.

      You probably need Heads with Librem Key, like Purism offers for their laptops.

      Reply View 0 replies
    • shawnz 9 days ago

      If the manufacturer wanted to conduct a supply chain attack on you, they wouldn't need secure boot to do it. They could just design an implant of their own using proprietary technology.

      So why does the presence of secure boot as a user-controlled feature affect that risk calculation?

      Reply View 6 replies
      • immibis 8 days ago

        Because manufacturers aren't trying to add surreptitious implants. They're trying to prevent you installing operating systems other than the one they get a bulk discount if they force you to have.

        Reply View 5 replies
    • udev4096 9 days ago

      sbctl [0] makes secure boot a lot easier. you just enable setup mode from BIOS and it will take care of enrolling and managing the keys. Are you immibis from libera.chat by any chance?

      [0] - https://github.com/Foxboron/sbctl

      Reply View 1 reply
      • bmacho 8 days ago

        There was this SixOS presentation[0] 2 months ago of a single man's own distro, among a lot of things he claims that he's created the most secure boot process ever

        > On NixOS, either the initrd "secrets" or the software that decrypts them is stored unencrypted on writable media. Ownerbooted sixos closes this loophole without any "trusted computing" voodoo, eliminating all unencrypted storage except for an eeprom whose hardware write-protect pin is connected to ground... coreboot [loads] an immutable pre-kexec kernel from write-protected SPI flash... authenticate the user, decrypt writeable storage, kexec into the post-exec kernel... The speaker runs ownerbooted sixos on his workstations, servers, twelve routers, stockpile of disposable laptops, and on his company's 24-server/768-core buildfarm.

        [0] : https://news.ycombinator.com/item?id=42884727

        Reply View 0 replies
  • donnachangstein 9 days ago

    Most 'systemd haters' see boot security as unnecessary, or a toy no one would use, and that UEFI secure boot is a conspiracy orchestrated by Microsoft.

    It fits the personality profile of not wanting to learn new things. After all, we didn't need it in 2002, so why do we need it now?

    There is no fixing these people, so it doesn't make sense expending energy convincing them.

    Reply View 2 replies
    • M95D 8 days ago

      That's almost entirely correct, with one exception:

      > It fits the personality profile of not wanting to learn new things.

      'systemd haters' learn a lot. They learn how to write manual boot scripts, set up mdev instead of udev, compile their own kernel, install their own u-boot or coreboot, strip binary blobs, etc. etc. They know MORE than the average systemd guy. They just don't want to learn systemd.

      Isn't the whole purpose of systemd to ease and automate administration and configuration, so the user need not care? Doesn't that imply that systemd admins/users know LESS?

      ----

      Now let me make my own characterization of 'systemd enthusiasts'.

      These people are overworked sysadmins that hate manual configuration. They want it easy, everything automated, they want to not care about it, they want the distro to auto-do everything and not even ask, they want less admin work. Systemd does all these things for them and they are in heaven. They're so enthusiastic that they feel we should all be one big happy family under the systemd umbrella.

      But they fail too see that no company or manager will tolerate people that are _not_ overworked.

      When something becomes automated, people previously doing the manual job are fired. A 10 people non-systemd team that works day-and-night to set manually up boot, mounts, network, services, cron, backups, logs, etc., as soon as systemd automates the work, will be cut down to just one guy (or less) and he will still work day-and-night, same as before, doing the work of the entire team. And he won't be able to take break because there's nobody left to replace him.

      They also fail to see that resilience comes from diversity. Uniformity, systems where software is identical, updates are identical, configuration is identical, permissions are identical, etc., will also fail identically and probably at the same time, and will be hacked identically and at the same time (by automated bots/tools).

      Reply View 1 reply
      • cf100clunk 8 days ago

        An enjoyable perspective on how workload can affect techno-tribalism. Like many who have worked in, or run, mixed shops over the years, I've lamented the interpersonal friction that can happen amongst camps. It can be corrosive, almost to the point of destruction, at which point I've had to fire people for using terms like ''hater'' or worse. Good riddance, because we had work to do.

        Reply View 0 replies
DrillShopper 9 days ago

> The cryptsetup, cryptenroll, unified kernel images, kernel signing and systemd-boot work nicely together.

This has not been my experience across Debian and Arch

Reply View 11 replies
  • donnachangstein 9 days ago

    That's because Debian 'stable' has a half-assed implementation of systemd, frozen in time on some ancient version. So you are stuck waiting years between upgrades. Bookworm finally supports the crypto functions.

    Arch OTOH was where these functions first worked out of the box.

    Reply View 5 replies
    • bogantech 9 days ago

      > frozen in time on some ancient version.

      Yeah that's a feature of Debian stable

      Reply View 4 replies
      • donnachangstein 9 days ago

        It stops being a feature and becomes a bug bordering on retardation when they purposefully ship broken software.

        First example coming to mind, TLS is broken in the version of OpenSMTPD that ships with Debian Stable.

        Yes you read that correctly.

        The version of OpenSMTPD in Debian Stable does not have functioning TLS. It's also not well documented why this is, things just don't work and you are forced to discover why.

        It has to do with a broken dependency on their ancient version of OpenSSL. They refuse to patch it because muh stability - it requires a version jump. So you are forced to jump through hoops and install a newer version from backports if you expect TLS to work on your SMTP server.

        Reply View 2 replies
  • mattpallissard 9 days ago

    Arch user here. These things work much nicer than any of the previous alternatives. Sure, kernel signing is a bit of a mess, but that's more of a product of how key-signing at a low-level works than anything. Cryptsetup, cryptenroll, unified kernel images, and systemd-boot worked for me out of box.

    Reply View 3 replies
    • DrillShopper 9 days ago

      They very much did not for me. I beat things into shape with sbctl but it was very much an uphill battle.

      idk why Arch seems allergic to packaging shim-signed (it's an AUR, why would I trust such a key component to essentialy a stranger?), but here we are I guess.

      Reply View 2 replies
      • Timber-6539 8 days ago

        The AUR is just a repository of PKGBUILDs. You don't need to trust a stranger to use PKGBUILD.

        Reply View 0 replies
      • udev4096 8 days ago

        you can inspect the PKGBUILD file very easily. it's same as alpine's abuild and various other build file formats from distros. don't just blindly build it

        Reply View 0 replies
  • Timber-6539 8 days ago

    Am on Arch and I use them with unattended boot(TPM) and they work flawlessly.

    Reply View 0 replies
badgersnake 9 days ago

My cryptenroll is currently broken by the latest system update (I think it was a bios update). It’s better, but I’m not sure it’s good.

Reply View 0 replies