:: Re: [DNG] ..another new(?) step tow…
Página Principal
Delete this message
Reply to this message
Autor: Edward Bartolo
Data:  
Para: Steve Litt
CC: dng
Assunto: Re: [DNG] ..another new(?) step towards Debian systemd: linux-image-4.6.0-1[-rt]-amd-signed, with MSTF keys...
Hi SteveT,

GRUB2 has a small kernel, on can always replace that with a full blown
signed kernel and this would not introduce another step in the boot
procedure.

Edward

On 13/06/2016, Edward Bartolo <edbarx@???> wrote:
> Hi,
>
> SteveT wrote:
> <<
> Most of those remaining in the Debian user world are pure idiots.
> They'll pull any old pseudofact out of thin air, and state it as an
> absolute truth.
>
> Notice that his web reference's date is October 2012. Last time I
> googled this subject (probably 9 months ago), DIY secure boot
> overrides, whether involving this Linux Foundation hack or not, were
> much more complex than installing Gentoo. They had more steps than an
> Arch chroot install. They were a mess.
>
> I've seen no distro-independent way to defeat secure-boot that was
> simple enough for a power user: A guy who can install his own software
> via ./configure;make;make install, configure his applications, change
> window managers, etc, but is not a professional admin.
>>>
>
> But I still am convinced with a signed kernel one can still use it to
> boot any installed OS. My reasoning goes like this: once the signed
> kernel boots, it would be in control of the machine. A running kernel
> can be used to run any executable provided the latter is coded for the
> same machine architecture. So, the boot procedure would first consist
> of UEFI loading the signed kernel, the kernel then loads a bootloader
> like GRUB*.
>
> What do you think? It may look an ugly workaround like most
> workarounds, but there is no logic why it should fail.
>
> Edward
>
> On 13/06/2016, Steve Litt <slitt@???> wrote:
>> On Sun, 12 Jun 2016 18:00:13 +0200
>> Edward Bartolo <edbarx@???> wrote:
>>
>>> Hi,
>>>
>>> In line with: <<
>>> That way only the big distros will be able to provide a bootable OS
>>> and the poor DIY guy will be definitely disgusted. This EFI thingy
>>> will in no way improve the security. It is a pure fallacy.
>>>
>>>     We can survive as long as the BIOS allows non-EFI boot. I hope
>>> they will be forced by law to keep this option.

>>> >>
>>>
>>> I have been 'told' that any kernel can still be booted under UEFI
>>> Secure Boot. This was told to me on forurms.debian.net. The respondent
>>> insisted any kernel can be booted even custom compiled ones.
>>>
>>> Refer to forums.debian.net thread:
>>> http://forums.debian.net/viewtopic.php?p=609579&sid=c65ab3dc5f980e0c1f79b7b7a5116511#p609579
>>>
>>> Edward
>>
>> Hi Edward,
>>
>> How can I put this politely? Let's try this...
>>
>> Most of those remaining in the Debian user world are pure idiots.
>> They'll pull any old pseudofact out of thin air, and state it as an
>> absolute truth.
>>
>> Notice that his web reference's date is October 2012. Last time I
>> googled this subject (probably 9 months ago), DIY secure boot
>> overrides, whether involving this Linux Foundation hack or not, were
>> much more complex than installing Gentoo. They had more steps than an
>> Arch chroot install. They were a mess.
>>
>> I've seen no distro-independent way to defeat secure-boot that was
>> simple enough for a power user: A guy who can install his own software
>> via ./configure;make;make install, configure his applications, change
>> window managers, etc, but is not a professional admin.
>>
>> SteveT
>>
>>
>> SteveT
>>
>> Steve Litt
>> June 2016 featured book: Troubleshooting: Why Bother?
>> http://www.troubleshooters.com/twb
>> _______________________________________________
>> Dng mailing list
>> Dng@???
>> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>>
>