• Fizz@lemmy.nz
    link
    fedilink
    English
    arrow-up
    0
    arrow-down
    1
    ·
    3 days ago

    What problem does it create? Its a good tech and we absolutely should be cryptographically verifying the boot process to ensure it hasnt been tampered with.

    • Zarobi@aussie.zone
      link
      fedilink
      English
      arrow-up
      2
      ·
      3 days ago

      Because it’s proprietary and in 99% of cases actually means “Windows Boot”, and isn’t very compatible with other OS. Windows is basically in charge of the entire technology and doesn’t have a history of being friendly to other OS.

      For a while Linux was completely blocked by this setting, which was yet another technical barrier to getting into Linux because you had to fuck around in your scary UEFI settings otherwise your PC would be soft-bricked after installing Linux. Nowadays it’s slightly supported by some distributions but Microsoft could of course change it at any time.

      Further reading: https://wiki.ubuntu.com/UEFI/SecureBoot

      • orclev@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 days ago

        The way it should work is that during the OS install the OS can ask to have a cert added to the keystore at which point UEFI pops up a screen that says something like:

        An application has requested to add a new certificate to secure boot which will allow new software to run at boot up. This usually happens when installing or updating an OS. If you would like to allow this press and hold <5 randomly selected letters> on the keyboard for 5 seconds. If you don’t want to allow this press and hold escape for 3 seconds.

        This would at least be a vendor agnostic way of enrolling certificates instead of the MS certificate just always being pre-installed. It should also of course be publicly documented exactly how the process works so everyone can use it.

        • exu@feditown.com
          link
          fedilink
          English
          arrow-up
          0
          ·
          3 days ago

          Universal Blue distros do that. For some reason you need to enter a password though.

          • cmhe@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            24 hours ago

            This is the MOK (Machine Owner Key), which is part of the shim bootloader, not UEFI secure boot.

            The shim bootloader is signed by Microsoft UEFI secure boot keys, so Microsoft is the root of trust there.

            On some systems you can delete all Secure Boot keys, and provision your own, then you don’t need the shim bootloader and can sign your own bootloader or Linux kernel directly. Windows would not be able to boot on those systems.

        • addie@feddit.uk
          link
          fedilink
          English
          arrow-up
          0
          ·
          3 days ago

          Problem being, of course, that you can add more certificates, but you can’t revoke the original M$ one. And since it’s vulnerable and you can’t get rid, then these exploits still work and there’s nothing you can do to stop it.

          • cmhe@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            24 hours ago

            On some systems you can clear all secure boot keys, including Microsoft’s, then provision your own and sign your bootloader or kernel with it. Windows cannot boot from such systems.

          • Default Username@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            2
            ·
            3 days ago

            Computers shouldn’t come with Microsoft keys preinstalled to begin with (or an operating system for that matter). Microsoft being able to have Windows preinstalled on the vast majority of non-Apple PCs is how they gained their monopoly in the first place.