jcgl 4 days ago

Agreed in general. But regarding secure boot, it's not like shim actually helps with real security either afaiu, right?

  • NekkoDroid 4 days ago

    AFAIU (I haven't looked much into it) shim basically exists so that MS signs the shim once (or only a few times when updated), which has the distro public key embedded, which does further verification of the chain (bootloader/kernel) which gets updated more frequently.

    • jcgl 4 days ago

      That's basically my understanding too. But since you can still boot any shim-supported distro, Secure Boot + shim practically gains you nothing. An adversary can simply boot their own copy of shim with whatever OS they like.

      • NekkoDroid 4 days ago

        > An adversary can simply boot their own copy of shim with whatever OS they like.

        They'd need to get MS to sign it first, but otherwise yea. That's why I remove the MS keys on my non-Windows systems.

egorfine 4 days ago

I believe you are confusing security with freedom and "behind" with "advanced".