The officially official Devuan Forum!

You are not logged in.

#1 2022-10-25 19:26:14

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 2,737  

Brave New Trusted Boot World

The future of Linux booting, according to Red Hat:

https://0pointer.de/blog/brave-new-trus … world.html

tl;dr: use a signed, unified kernel image verified by TPM, all integrated into the boot process by the init system that shall not be named. Full encryption support is also provided, just like BitLocker.

I have to say that I do approve of this. I've been booting with signed, unified kernel images for quite a while now :-)


"Who's the idiot in charge?" — ralph.ronnquist

Offline

#2 2022-10-26 09:44:22

Camtaf
Member
Registered: 2019-11-19
Posts: 245  

Re: Brave New Trusted Boot World

This document will assume that the reader has comprehensive familiarity with TPM 2.0 security chips and their capabilities (e.g., PCRs, measurements, SRK), boot loaders, the shim binary, Linux, initrds, UEFI Firmware, PE binaries, and SecureBoot.

Ye gods, what about us poor old folks who just like to use their (ancient) computers without fuss....... big_smile

Offline

#3 2022-10-26 14:33:52

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 2,737  

Re: Brave New Trusted Boot World

Just remember to disable SecureBoot and you'll be fine. At least until that ability is disabled, which is imminent on new hardware. Windows 11 has already forced vendors to disable "third-party" (ie, non-Microsoft) SecureBoot certificates by default[1] so it's only a matter of time before the lock-in is total.


"Who's the idiot in charge?" — ralph.ronnquist

Offline

#4 2022-10-26 15:17:41

golinux
Administrator
Registered: 2016-11-25
Posts: 2,656  

Re: Brave New Trusted Boot World

Digital incarceration will mean lots of dumpster diving for old hardware . . . smile

Offline

#5 2022-10-27 09:25:41

xinomilo
Member
Registered: 2017-07-02
Posts: 282  

Re: Brave New Trusted Boot World

Head_on_a_Stick wrote:

tl;dr: use a signed, unified kernel image verified by TPM, all integrated into the boot process by the init system that shall not be named. Full encryption support is also provided, just like BitLocker.

I have to say that I do approve of this. I've been booting with signed, unified kernel images for quite a while now :-)

excuse my ignorance, but do you care to explain a bit more.. (?)
in particular, everything seems to be dependent on TPM chip/firmware.. what happens in the case of "evil"/broken/taken out TPM?
how's that (=putting another "middle man" in boot process) a good thing?

p.s. not understanding much on UEFI/SecureBoot/TPM, so it can be that i'm completely ignorant on these smile

Offline

#6 2022-10-27 10:57:51

Andre4freedom
Member
Registered: 2017-11-15
Posts: 67  

Re: Brave New Trusted Boot World

Beware of more evil to come:
https://www.theregister.com/2022/10/26/tightening_linux_boot_process_microsoft_poettering/

You know what this guy did to Linux and the free and open source world - pulseaudio and systemd greet you :-(

Now he is proposing even worse things: locking down hardware with TPM2 - Micro$oft must be happy to have him on board.
I am scared.

Offline

#7 2022-10-27 13:16:24

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 2,737  

Re: Brave New Trusted Boot World

xinomilo wrote:

in particular, everything seems to be dependent on TPM chip/firmware.. what happens in the case of "evil"/broken/taken out TPM?
how's that (=putting another "middle man" in boot process) a good thing?

The advantages of the TPM chip are sufficient that making them a point of failure is considered acceptable. The chips offer hardware-based securities against tampering with stored keys and the integration with the boot process allows for passwordless unlocking of encrypted drives.

Trusted computing is a big thing for enterprise so TPMs are considered essential.

EDIT:

Apparently Mac OS & Windows 11 users will soon stop seeing captchas thanks to SecureBoot & TPM "attestation". This will not be the case for open source operating systems, unsurprisingly.

Last edited by Head_on_a_Stick (2022-10-27 13:19:59)


"Who's the idiot in charge?" — ralph.ronnquist

Offline

#8 2022-10-27 14:28:13

Camtaf
Member
Registered: 2019-11-19
Posts: 245  

Re: Brave New Trusted Boot World

Got no problem with captchas, as long as they work properly, some don't, or are somewhat iffy, but if it helps reduce spam, or something like that, I can see the point, but for my own interests, it will just be a pain in the ar*e, I think.

Anyway, I've got a 'stock' of old machines, so as long as Linux in general doesn't demand it, I'll be fine. smile

Offline

#9 2022-10-27 17:20:06

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 2,737  

Re: Brave New Trusted Boot World

The captchas are the thin end of a wedge: the same technique will also work with, for example, Netflix so you can wave goodbye to watching that on anything other than an Approved Platform.


"Who's the idiot in charge?" — ralph.ronnquist

Offline

#10 2022-10-27 17:29:32

Camtaf
Member
Registered: 2019-11-19
Posts: 245  

Re: Brave New Trusted Boot World

Ha, ha, I don't watch Netflix - my computer is for the internet, forums, playing music, etc. wink

Offline

Board footer