GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE
  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Conversation

Notices

  1. Embed this notice
    Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 27-Aug-2024 23:07:59 JST Lennart Poettering Lennart Poettering

    Noone asked me, but if you are curious what my take on the recent sbat/SecureBoot kerfuffle is, I'll let you know anyway:

    Frankly, I find SecureBoot ultimately pretty uninteresting tech. It casts a very wide net: it basically is a politically charged global allowlist, yet is useful as a very very lose denylist only, because it necessarily contains so so so much stuff. I think the value for security is relatively limited, because it it attempts to be universal, and hence can never be focussed.

    In conversation about 10 months ago from mastodon.social permalink
    • Embed this notice
      Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 27-Aug-2024 23:07:57 JST Lennart Poettering Lennart Poettering
      in reply to

      One beef I have with GNU/FSF folks btw, is that they started that abominable campaign against TPMs back in the day, completely misunderstanding that TPMs are kinda the "democratic" thing, and if anything they should have criticized SecureBoot, but not TPMs.

      In conversation about 10 months ago permalink
    • Embed this notice
      shironeko (shironeko@fedi.tesaguri.club)'s status on Tuesday, 27-Aug-2024 23:07:57 JST shironeko shironeko
      in reply to
      @pid_eins what the hell are you talking about https://www.fsf.org/campaigns/campaigns/secure-boot-vs-restricted-boot/ this is 2011 right after secure boot came out, and also there's tons of early motherboards that made user key enrollment impossible and to this day Microsoft have an unfair control over the whole thing. why else would you need to get shims signed by them?
      In conversation about 10 months ago permalink

      Attachments


      1. Invalid filename.
      翠星石 likes this.
    • Embed this notice
      Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 27-Aug-2024 23:07:58 JST Lennart Poettering Lennart Poettering
      in reply to

      Much more interesting is Measured Boot when tying disk encryption to it. Various OSes, including Windows have been supporting this since about forever. And it's so much better: it basically makes no restrictions on what you can run on your PC. All it enforces is: my encrypted disk can only be decrypted if the OS of my choice is booted in the version of my choice. And that's a *way* more powerful concept, because it is *focussed* on your installation, because…

      In conversation about 10 months ago permalink
      James Morris likes this.
    • Embed this notice
      Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 27-Aug-2024 23:07:58 JST Lennart Poettering Lennart Poettering
      in reply to

      …it is is "democratic", in the sense that anyone can do this without having to get their keys into some centralized keyring.

      Hence, to me it implications of SB are simply not worth it, it brings very little to the table security wise, but creates massive headaches on deployment. MB otoh actually provides a high level of security, and you don't have to ask anyone to put together your own policies.

      Hence if you ask me: focus on making MB a thing on Linux, and bother with SB only to the level…

      In conversation about 10 months ago permalink
    • Embed this notice
      Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 27-Aug-2024 23:07:58 JST Lennart Poettering Lennart Poettering
      in reply to

      …you really have to.

      (I am trying to do my part on this of course, i.e. in systemd we measure a lot of things during boot now, and our FDE logic is hooked up with it.)

      [That all said, I think SB might have some value if you enroll your own keys, which however can only work on very specific hw, and in VMs, but is probably not a solution realistic for general purpose PCs]

      In conversation about 10 months ago permalink
    • Embed this notice
      翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Tuesday, 27-Aug-2024 23:13:59 JST 翠星石 翠星石
      in reply to
      @pid_eins You won't see this, but TPM's were never intended to be a "democratic" thing - TPMs were implemented with the main purpose of restricting the user.

      Yes, ironically the security of past TPM implementations turned out to be so bad that proprietary restrictors gave up on using them and the only use of TPMs are now to check boot signatures - but the security of such TPMs is very flawed and it's arguably more secure to setup GNU Grub to do signature checking and installing GNUboot with your gnupg key inserted into the cbfs.

      microsoft is now giving "palladium" another try under the same name with fTPM's - in the past they totally failed, but they might not fail totally this time.
      In conversation about 10 months ago permalink
    • Embed this notice
      Lennart Poettering (pid_eins@mastodon.social)'s status on Friday, 06-Sep-2024 03:46:03 JST Lennart Poettering Lennart Poettering
      in reply to
      • Matthew Garrett

      @mjg59 on my windows laptop here bitlocker locks to 0, 2, 4, 8, 9, 10, 11. Which I think is today's default on modern Windows. (I certainly didn't change it). PCR 7 is not included interestingly.

      And I think the TPM stuff in windows pretty much works, no?

      systemd-pcrlock tries to lock to even more PCRs by default (but might exclude some if there are measurements we don't recognize).

      In conversation about 9 months ago permalink
      James Morris likes this.
    • Embed this notice
      Matthew Garrett (mjg59@nondeterministic.computer)'s status on Friday, 06-Sep-2024 03:46:04 JST Matthew Garrett Matthew Garrett
      in reply to

      @pid_eins but the default Windows behaviour for measured boot is tied to secure boot because using anything other than PCR 7 is extremely fragile

      In conversation about 9 months ago permalink
    • Embed this notice
      Lennart Poettering (pid_eins@mastodon.social)'s status on Friday, 06-Sep-2024 03:46:15 JST Lennart Poettering Lennart Poettering
      in reply to
      • duxsco

      @duxsco my own focus with systemd is definitely on providing generic components that help make any Linux based systems more secure. hence, I do care a lot about solutions that provide security and can be deployed on *generic* systems in the wild, without prior knowledge of what they provide or not. It's the "general population", or the broader IT ecosystem I care about, not some nerdy niche.

      In conversation about 9 months ago permalink
      James Morris likes this.
    • Embed this notice
      duxsco (duxsco@digitalcourage.social)'s status on Friday, 06-Sep-2024 03:46:16 JST duxsco duxsco
      in reply to

      @pid_eins I think the general population doesn't care about Secure Boot and Measured Boot. Those who do and take the topic serious buy suitable hardware, e.g. without dGPU. Secure Boot without your own keys isn't worth the hassle.

      In conversation about 9 months ago permalink
    • Embed this notice
      Lennart Poettering (pid_eins@mastodon.social)'s status on Friday, 06-Sep-2024 03:46:17 JST Lennart Poettering Lennart Poettering
      in reply to
      • duxsco

      @duxsco yeah, I have doubts though that enrolling your own keys is something that can be made "just work" on general purpose PCs.

      Yes, you can do it locally, if you know your hardware very well, or if you only care about VMs or so. But for the general population, I doubt self-enrolling is really an option. Too many problems given that hw extension cards provide signed firmware too.

      In conversation about 9 months ago permalink
    • Embed this notice
      duxsco (duxsco@digitalcourage.social)'s status on Friday, 06-Sep-2024 03:46:18 JST duxsco duxsco
      in reply to

      @pid_eins I see some use for Secure Boot, but only if you use your own keys (no shim), use Unified Kernel Images and use Measured Boot. I do exactly that:
      https://digitalcourage.social/@duxsco/113028930852304053

      In conversation about 9 months ago permalink

      Attachments

      1. No result found on File_thumbnail lookup.
        ⚠️account moved⚠️David Sardari (@duxsco@digitalcourage.social)
        from ⚠️account moved⚠️David Sardari
        I'm the author of https://gentoo.duxsco.de/ which is a #gentoo installation guide supporting #secureboot, #measuredboot, #luks #encryption, #raid, a #SystemRescue based rescue partition with custom "chroot.sh", Gentoo hardened and (optional) #selinux. This is my first post on Mastodon about this guide, as I've just finished chapter "15. Rescue System Upgrade" (https://gentoo.duxsco.de/rescue_system_upgrade/) which brings the guide to a more or less feature complete state on the x86_64 architecture. I'd love to adapt my guide for #ARM, though. To make this happen, I need you to upvote the issue "Feature Request: system-rescue for ARM64" (https://gitlab.com/systemrescue/systemrescue-sources/-/issues/369). Please, support me here if you are interested in my project or if you just wish for SystemRescue to support #ARM64 in general. Thanks! #aarch64
    • Embed this notice
      Lennart Poettering (pid_eins@mastodon.social)'s status on Friday, 06-Sep-2024 03:46:49 JST Lennart Poettering Lennart Poettering
      in reply to
      • Josh Triplett

      @josh well, if you open up access to your logs (protected via measurements or not) to players you don't want to use them, it's kinda your own fault. Just don't do that. If you web browser passes quotes of your system to the web, it's a bug in the browser, not a problem of the TPM.

      Every computing is dual-use, if you so will, I fail to see why this one should be more or less "dual-use" than anything else.

      In conversation about 9 months ago permalink
    • Embed this notice
      Josh Triplett (josh@social.joshtriplett.org)'s status on Friday, 06-Sep-2024 03:46:50 JST Josh Triplett Josh Triplett
      in reply to
      Measured boot can be a powerful technology for users, but it's also an extremely dual-use technology with both good ("trust your software stack and results") and bad ("website trusts that your browser will display ads and not allow copying/saving"; "app trusts that you don't have root on your phone") uses. Doubly so with the possibility of remote attestation.
      In conversation about 9 months ago permalink

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.