Comment by direwolf20

Comment by direwolf20 5 days ago

13 replies

This is basically propaganda for the war on general purpose computing. My user data is less safe on a Windows device, because Microsoft has full access to that device and they are extremely untrustworthy. On my Linux device, I choose the software to install.

egorfine 4 days ago

Propaganda begins with reframing. What Russia is waging is not a war, it's a special military operation. War is peace. Data on Windows is secure. Linux's security is far behind.

That sort of thing.

Spivak 5 days ago

What are you talking about? This has nothing to do with general purpose computing and everything to do with allowing you to authenticate the parts of the Linux boot process that must by necessity be left unencrypted in order to actually boot your computer. This is putting SecureBoot and the TPM to work for your benefit.

It's not propaganda in any sense, it's recognizing that Linux is behind the state of the art compared to Windows/macOS when it comes to preventing tampering with your OS install. It's not saying you should use Windows, it's saying we should improve the Linux boot process to be as tight security-wise as the Windows boot process along with a long explanation of how we get there.

  • direwolf20 5 days ago

    Secure boot is initialized by the first person who physically touches the computer and wants to initialize it. Guess who that is? Hint: it's not the final owner.

    It's only secure from evil maker attacks if it can be wiped and reinitialised at any time.

    • Cu3PO42 5 days ago

      You seem to be under the impression that you cannot reset your Secure Boot to setup mode. You can in the UEFI; doing so wipes any enrolled keys. This, of course, assumes you trust the UEFI (and hardware) vendors. But if you don't, you have much bigger problems anyway.

      Is it possible someone will eventually build a system that doesn't allow this? Yes. Is this influenced in any way by features of Linux software? No.

      • uecker 5 days ago

        It is certainly influenced by the features of Linux software. If Linux does not support this then this preserves a platform as an escape route where this is not possible and this substantially reduces the incentive to provide certain content and services (!) only when this is enabled.

  • egorfine 4 days ago

    > allowing you to authenticate the parts of the Linux boot

    No, not you. Someone else for you. And that's the scary part.

    • Spivak 3 days ago

      Yes you. The parts being expanded upon happen after the shim is authenticated by SecureBoot and are fully in your control. The scary part has already happened, Linux distros support SecureBoot right now and have for a while. Right now the current state of the Linux boot process is all the downsides (in your view) of SecureBoot with none of the upsides because very little is authenticated after that.

      • egorfine 3 days ago

        It's temporary.

        In a few years running random code on your computer would be seen as a bit unethical.

  • egorfine 4 days ago

    > we should improve the Linux boot process to be as tight security-wise as the Windows

    I hope this never happens. I really want my data secure and I do have something to hide. So, no Microsoft keys on my computer and only I will decide what kind of software I get to run.

    Absolutely fuck that.

    • Spivak 3 days ago

      So to I guess spite Microsoft or something you're going to make your data less secure?

      Turning off SecureBoot only means any rando can decide what software runs on your device and install a bootkit. Not authenticating the rest of the boot process as outlined here (what Microsoft calls Trusted Boot) only means that randos can tamper with your OS using the bits that can't be encrypted.

      Literally an own-goal in every sense of the word.

      • egorfine 3 days ago

        > Turning off SecureBoot only means any rando can decide what software runs on your device

        I see it as exactly the opposite: turning SecureBoot on means someone else can and will decide what software runs on my device.

        > spite Microsoft or something you're going to make your data less secure

        We all know very well Microsoft's track record with security and with data protection measures and practice. Trusting Microsoft is... irrational, let's put it that way.