:: Re: [DNG] ..another new(?) step tow…
Author: Edward Bartolo
Date:
To: Steve Litt
CC: dng
Subject: Re: [DNG] ..another new(?) step towards Debian systemd: linux-image-4.6.0-1[-rt]-amd-signed, with MSTF keys...
Hi,

SteveT wrote:
<<
Most of those remaining in the Debian user world are pure idiots.
They'll pull any old pseudofact out of thin air, and state it as an
absolute truth.

Notice that his web reference's date is October 2012. Last time I
googled this subject (probably 9 months ago), DIY secure boot
overrides, whether involving this Linux Foundation hack or not, were
much more complex than installing Gentoo. They had more steps than an
Arch chroot install. They were a mess.

I've seen no distro-independent way to defeat secure-boot that was
simple enough for a power user: A guy who can install his own software
via ./configure;make;make install, configure his applications, change
window managers, etc, but is not a professional admin.
>>


But I still am convinced with a signed kernel one can still use it to
boot any installed OS. My reasoning goes like this: once the signed
kernel boots, it would be in control of the machine. A running kernel
can be used to run any executable provided the latter is coded for the
same machine architecture. So, the boot procedure would first consist
of UEFI loading the signed kernel, the kernel then loads a bootloader
like GRUB*.

What do you think? It may look an ugly workaround like most
workarounds, but there is no logic why it should fail.

Edward

On 13/06/2016, Steve Litt <slitt@???> wrote:
> On Sun, 12 Jun 2016 18:00:13 +0200
> Edward Bartolo <edbarx@???> wrote:
>
>> Hi,
>>
>> In line with: <<
>> That way only the big distros will be able to provide a bootable OS
>> and the poor DIY guy will be definitely disgusted. This EFI thingy
>> will in no way improve the security. It is a pure fallacy.
>>
>>     We can survive as long as the BIOS allows non-EFI boot. I hope
>> they will be forced by law to keep this option.
>>
>> >>
>>
>> I have been 'told' that any kernel can still be booted under UEFI
>> Secure Boot. This was told to me on forums.debian.net. The respondent
>> insisted any kernel can be booted even custom compiled ones.
>>
>> Refer to forums.debian.net thread:
>> http://forums.debian.net/viewtopic.php?p=609579&sid=c65ab3dc5f980e0c1f79b7b7a5116511#p609579
>>
>> Edward
>
> Hi Edward,
>
> How can I put this politely? Let's try this...
>
> Most of those remaining in the Debian user world are pure idiots.
> They'll pull any old pseudofact out of thin air, and state it as an
> absolute truth.
>
> Notice that his web reference's date is October 2012. Last time I
> googled this subject (probably 9 months ago), DIY secure boot
> overrides, whether involving this Linux Foundation hack or not, were
> much more complex than installing Gentoo. They had more steps than an
> Arch chroot install. They were a mess.
>
> I've seen no distro-independent way to defeat secure-boot that was
> simple enough for a power user: A guy who can install his own software
> via ./configure;make;make install, configure his applications, change
> window managers, etc, but is not a professional admin.
>
> SteveT
>
>
> SteveT
>
> Steve Litt
> June 2016 featured book: Troubleshooting: Why Bother?
> http://www.troubleshooters.com/twb