| ▲ | Nextgrid 2 hours ago | |
Secure Boot only extends the chain of trust from your firmware down the first UEFI binary it loads. Currently SB is effectively useless because it will at best authenticate your kernel but the initrd and subsequent userspace (including programs that run as root) are unverified and can be replaced by malicious alternatives. Secure Boot as it stands right now in the Linux world is effectively an annoyance that’s only there as a shortcut to get distros to boot on systems that trust Microsoft’s keys but otherwise offer no actual security. It however doesn’t have to be this way, and I welcome efforts to make Linux just as secure as proprietary OSes who actually have full code signature verification all the way down to userspace. | ||
| ▲ | ahepp 36 minutes ago | parent | next [-] | |
Isn't it possible to force TPM measurements for stuff like the kernel command line or initramfs hash to match in order to decrypt the rootfs? Or make things simpler with UKIs? Most of the firmwares I've used lately seem to allow adding custom secureboot keys. | ||
| ▲ | digiown an hour ago | parent | prev [-] | |
A basic setup to make use of secure boot is SB+TPM+LUKS. Unfortunately I don't know of any distro that offers this in a particularly robust way. Code signature verification is an interesting idea, but I'm not sure how it could be achieved. Have distro maintainers sign the code? | ||