The officially official Devuan Forum!

You are not logged in.

#1 2022-10-25 19:26:14

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Brave New Trusted Boot World

The future of Linux booting, according to Red Hat:

https://0pointer.de/blog/brave-new-trus … world.html

tl;dr: use a signed, unified kernel image verified by TPM, all integrated into the boot process by the init system that shall not be named. Full encryption support is also provided, just like BitLocker.

I have to say that I do approve of this. I've been booting with signed, unified kernel images for quite a while now :-)


Brianna Ghey — Rest In Power

Offline

#2 2022-10-26 09:44:22

Camtaf
Member
Registered: 2019-11-19
Posts: 436  

Re: Brave New Trusted Boot World

This document will assume that the reader has comprehensive familiarity with TPM 2.0 security chips and their capabilities (e.g., PCRs, measurements, SRK), boot loaders, the shim binary, Linux, initrds, UEFI Firmware, PE binaries, and SecureBoot.

Ye gods, what about us poor old folks who just like to use their (ancient) computers without fuss....... big_smile

Offline

#3 2022-10-26 14:33:52

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Brave New Trusted Boot World

Just remember to disable SecureBoot and you'll be fine. At least until that ability is disabled, which is imminent on new hardware. Windows 11 has already forced vendors to disable "third-party" (ie, non-Microsoft) SecureBoot certificates by default[1] so it's only a matter of time before the lock-in is total.


Brianna Ghey — Rest In Power

Offline

#4 2022-10-26 15:17:41

golinux
Administrator
Registered: 2016-11-25
Posts: 3,318  

Re: Brave New Trusted Boot World

Digital incarceration will mean lots of dumpster diving for old hardware . . . smile

Offline

#5 2022-10-27 09:25:41

xinomilo
Unknown
Registered: 2017-07-02
Posts: 315  

Re: Brave New Trusted Boot World

Head_on_a_Stick wrote:

tl;dr: use a signed, unified kernel image verified by TPM, all integrated into the boot process by the init system that shall not be named. Full encryption support is also provided, just like BitLocker.

I have to say that I do approve of this. I've been booting with signed, unified kernel images for quite a while now :-)

excuse my ignorance, but do you care to explain a bit more.. (?)
in particular, everything seems to be dependent on TPM chip/firmware.. what happens in the case of "evil"/broken/taken out TPM?
how's that (=putting another "middle man" in boot process) a good thing?

p.s. not understanding much on UEFI/SecureBoot/TPM, so it can be that i'm completely ignorant on these smile

Offline

#6 2022-10-27 10:57:51

Andre4freedom
Member
Registered: 2017-11-15
Posts: 174  

Re: Brave New Trusted Boot World

Beware of more evil to come:
https://www.theregister.com/2022/10/26/tightening_linux_boot_process_microsoft_poettering/

You know what this guy did to Linux and the free and open source world - pulseaudio and systemd greet you :-(

Now he is proposing even worse things: locking down hardware with TPM2 - Micro$oft must be happy to have him on board.
I am scared.

Offline

#7 2022-10-27 13:16:24

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Brave New Trusted Boot World

xinomilo wrote:

in particular, everything seems to be dependent on TPM chip/firmware.. what happens in the case of "evil"/broken/taken out TPM?
how's that (=putting another "middle man" in boot process) a good thing?

The advantages of the TPM chip are sufficient that making them a point of failure is considered acceptable. The chips offer hardware-based securities against tampering with stored keys and the integration with the boot process allows for passwordless unlocking of encrypted drives.

Trusted computing is a big thing for enterprise so TPMs are considered essential.

EDIT:

Apparently Mac OS & Windows 11 users will soon stop seeing captchas thanks to SecureBoot & TPM "attestation". This will not be the case for open source operating systems, unsurprisingly.

Last edited by Head_on_a_Stick (2022-10-27 13:19:59)


Brianna Ghey — Rest In Power

Offline

#8 2022-10-27 14:28:13

Camtaf
Member
Registered: 2019-11-19
Posts: 436  

Re: Brave New Trusted Boot World

Got no problem with captchas, as long as they work properly, some don't, or are somewhat iffy, but if it helps reduce spam, or something like that, I can see the point, but for my own interests, it will just be a pain in the ar*e, I think.

Anyway, I've got a 'stock' of old machines, so as long as Linux in general doesn't demand it, I'll be fine. smile

Offline

#9 2022-10-27 17:20:06

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Brave New Trusted Boot World

The captchas are the thin end of a wedge: the same technique will also work with, for example, Netflix so you can wave goodbye to watching that on anything other than an Approved Platform.


Brianna Ghey — Rest In Power

Offline

#10 2022-10-27 17:29:32

Camtaf
Member
Registered: 2019-11-19
Posts: 436  

Re: Brave New Trusted Boot World

Ha, ha, I don't watch Netflix - my computer is for the internet, forums, playing music, etc. wink

Offline

#11 2022-12-11 23:31:51

pungentweasel
Member
Registered: 2022-12-11
Posts: 9  

Re: Brave New Trusted Boot World

I highly recommend giving this a thorough read .. one of the best tech articles I've found on the topic

https://gabrielsieben.tech/2022/07/29/remote-assertion-is-coming-back-how-much-freedom-will-it-take/


Behold, I send you forth as sheep in the midst of wolves: be ye therefore wise as serpents, and harmless as doves. - Matthew 10:16

Offline

#12 2022-12-15 13:55:51

MrReplikant
Member
Registered: 2022-12-03
Posts: 53  

Re: Brave New Trusted Boot World

And this, friends, is why I work hard to keep my old hardware working! Microsoft has dipped its fingers in far too many pies in the Linux Scene. And if this is the fate of Linux -Imagine what hell awaits our comrades on *BSD. I understand the security need, but sheesh, its as if Lennart learned *nothing* from the long lecture Linus gave him about the users.

This, dear friends, is why I also feel it is imperative that we try to find more ways to keep Devuan Desktop running as resource-efficiently as possible, so we can keep it working on older hardware as long as we can. Hell, just yesterday I tested my calamares image on a 16-year-old 32-bit Toshiba Satellite, and it still runs smoothly. But for how long? The gradual bloat of the desktops will see to this, too, eventually bogging down. Perhaps it's time for a task-icewm-desktop or task-jwm-desktop package? who knows.

But, i know this: If we have managed to make it this far, I KNOW we can figure it out, I have faith in our team. We can do this!


That's all, folks.

Offline

#13 2022-12-15 16:37:38

golinux
Administrator
Registered: 2016-11-25
Posts: 3,318  

Re: Brave New Trusted Boot World

MrReplikant wrote:

Perhaps it's time for a task-icewm-desktop or task-jwm-desktop package? who knows.

This has been on my mind for some time and discussed off and on. Xfce has been a wonderful ride but then Gnome2 was also. Things are constantly changing and rarely for the better. Always more complexity, more bloat and more restrictions.

But, i know this: If we have managed to make it this far, I KNOW we can figure it out, I have faith in our team. We can do this!

Happy to have you here.  smile

Offline

#14 2022-12-15 16:45:23

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Brave New Trusted Boot World

When BunsenLabs was starting up we did discuss creating a desktop task for openbox with the intention of upstreaming it to Debian but it never came to anything. I always thought it was a good idea but these days Plasma is very nearly as light as openbox/tint2 and is *much* prettier and more user friendly (IMO).

Last edited by Head_on_a_Stick (2022-12-15 16:46:18)


Brianna Ghey — Rest In Power

Offline

#15 2022-12-15 16:50:03

golinux
Administrator
Registered: 2016-11-25
Posts: 3,318  

Re: Brave New Trusted Boot World

All options will be on the table for discussion if we decide to go there.

Offline

#16 2022-12-15 17:59:03

Camtaf
Member
Registered: 2019-11-19
Posts: 436  

Re: Brave New Trusted Boot World

I'd like to see/have a live/installable WM based Devuan - call it Light/Basic/or whatever, just needs a WM, terminal, file browser, web browser to start with, allowing most things to be done that a basic O/S needs - all other software can/could easily be added by the user, as & when needed - with the possibility of persistence, (that would be a big bonus) - but I know we only have a small team who could/can make these things happen, so not expecting it anytime soon...... big_smile

Offline

#17 2022-12-15 18:07:15

aluma
Member
Registered: 2022-10-26
Posts: 646  

Re: Brave New Trusted Boot World

At the risk of expressing my unprofessional opinion.
My netbook has EXEGNU/LINUX and PCLinuxOS installed with the same version of Trinity.
Here are the vmlinux and kernel initrd sizes.
PCLinuxOS -6354752 and 10711.
EXE GNU/LINUX-15472331 and 20007021.
Which one do you think will work faster?
Maybe start with this?

Offline

#18 2022-12-15 18:16:53

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Brave New Trusted Boot World

@aluma: does the phrase "apples & oranges" mean anything to you?

And at any rate I don't think kernel & initramfs hacking should be within Devuan's remit. Sounds like overstretch to me.


Brianna Ghey — Rest In Power

Offline

#19 2022-12-15 18:29:07

MrReplikant
Member
Registered: 2022-12-03
Posts: 53  

Re: Brave New Trusted Boot World

Head_on_a_Stick wrote:

I always thought it was a good idea but these days Plasma is very nearly as light as openbox/tint2 and is *much* prettier and more user friendly (IMO).

This is what I keep hearing, but how the heck does it accomplish this? I have done a fair bit of fooling with plasma and I still can't figure that out for the life of me. Perhaps you can enlighten me?


That's all, folks.

Offline

#20 2022-12-15 18:30:26

aluma
Member
Registered: 2022-10-26
Posts: 646  

Re: Brave New Trusted Boot World

@Head_on_a_Stick
It's up to you, I don't care.

Offline

#21 2022-12-15 19:55:18

sgage
Member
Registered: 2016-12-01
Posts: 341  

Re: Brave New Trusted Boot World

I never did care for KDE anything, and I've actually tried over the years - those folks seem to think on a very different wavelength than me. TBH, I never cared much for XFCE either - I've been using MATE for years. It is probably too 'heavy' for some, though not that much more than XFCE. It is a full DE - it is the fork of Gnome 2.

It seems to me that a simple WM-based option at install time would be welcome for those with older/resource-limited HW. A nicely set up IceWM or something like that, or one of the *box wm's? I mean, you can install just about anything on Devuan after the fact, but setting it up to be decent looking and reasonably functional sometimes seems a bit fiddly. A nicely setup WM at installation would be a useful offering it seems.

Offline

#22 2022-12-15 20:36:01

MrReplikant
Member
Registered: 2022-12-03
Posts: 53  

Re: Brave New Trusted Boot World

sgage wrote:

I never did care for KDE anything, and I've actually tried over the years - those folks seem to think on a very different wavelength than me. TBH, I never cared much for XFCE either - I've been using MATE for years. It is probably too 'heavy' for some, though not that much more than XFCE. It is a full DE - it is the fork of Gnome 2.

It seems to me that a simple WM-based option at install time would be welcome for those with older/resource-limited HW. A nicely set up IceWM or something like that, or one of the *box wm's? I mean, you can install just about anything on Devuan after the fact, but setting it up to be decent looking and reasonably functional sometimes seems a bit fiddly. A nicely setup WM at installation would be a useful offering it seems.

Always been a  MATE man myself, though XFCE 4.18 will soon make it a damn-close second, since it will finally add in recursive search in thunar and fuller date-time functionality. Still, I agree wholeheartedly, we need to look into a dedicated WM task, and I think more research is definitely warranted.

I, personally, don't like AntiX's implementation, solely on the fact that working with files is...not particularly user-friendly, especially for people like me who are used to the "windows" file management style of things. But, hey, I'll give them credit where it's due: they DID manage to make the icewm/jwm menu much more friendly. Props to them for that.

I think maybe we would be better suited looking at the Bunsenlabs or Puppy Linux Implementations

Last edited by MrReplikant (2022-12-16 14:50:16)


That's all, folks.

Offline

#23 2022-12-15 21:51:59

golinux
Administrator
Registered: 2016-11-25
Posts: 3,318  

Re: Brave New Trusted Boot World

Oh joy . . . this on IRC . . .

-Unit193/Wallops- We'd like to give a hearty congratulations to the Xfce team on their 4.18 release after two years of solid work.  To read about what's new, see: https://xfce.org/about/news/?post=1671062400

I haven't looked yet but likely will be "interesting" reading. So please add that info into this discussion

Offline

#24 2022-12-16 14:56:54

MrReplikant
Member
Registered: 2022-12-03
Posts: 53  

Re: Brave New Trusted Boot World

Just edited it into the last thing. But yeah, after sleeping on it last night, I think I know now what our best course is, for the time being. Many, many initiatives are up and coming to get us more open hardware. There's the MNT Reform, Pocket Reform, the Librem 15, Pinebook, and not to mention that since Power ISA got open-sourced, there's an initiative to bring that back, too, atop the recent release of the Alibaba Roma RISC-V laptop. My conclusion is, if we can work to keep our old (or simply pre-lockdown) hardware working long enough, say maybe another 10 years (depending on the device), we can wait this out long enough for those devices to become a bit more accessible to the common folk. It won't be easy, but we're without other options at the moment. We can't buy these locked-down devices, that will only encourage Microsoft and Apple to keep doing it.


That's all, folks.

Offline

#25 2022-12-16 15:12:49

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Brave New Trusted Boot World

MrReplikant wrote:

since Power ISA got open-sourced, there's an initiative to bring that back

Unfortunately POWER10 brought in a requirement for non-free firmware in the memory controller chips:

https://www.devever.net/~hl/omi

Not that it really matters because any POWER9 machine (or any of the "open" platforms you list) will need a hard drive and that drive will have a controller running proprietary code below ring 0. The battle is already lost.

MrReplikant wrote:

the recent release of the Alibaba Roma RISC-V laptop

RISC-V is nice but the specification does allow for non-free extensions and I'm sure most, if not all, manufacturers will take advantage of that. To presume otherwise is naive.

MrReplikant wrote:

My conclusion is, if we can work to keep our old (or simply pre-lockdown) hardware working long enough, say maybe another 10 years (depending on the device), we can wait this out long enough for those devices to become a bit more accessible to the common folk.

It seems to be getting worse rather than better but whatever.


Brianna Ghey — Rest In Power

Offline

Board footer