Author: Tobias Hunger
Date:
To: Steve Litt
CC: dng, dr.klepp
Subject: Re: [DNG] systemd-udevd: renamed network interface eth0 to eth1
@Nikolaus: UEFI is closed source software (just as BIOS), so of course
the usual problems with closed source also apply here. I trust my
notebook vendor just enough to not fuck this up badly enough so that
random thieves will be able to get around secure boot though:-)
I am pretty sure though that a state actor will not be stopped by
UEFI. And of course UEFI has bugs, just like BIOS.
I am skipping the paranoia ramblings....
On Mon, Oct 16, 2017 at 7:51 PM, Steve Litt <slitt@???> wrote:
>> > Grub on BIOS basically works like this: the one MBR is read by BIOS
>> > and executed (512 bytes!). That contains code to chain load some
>> > more code (usually from a fixed set of sectors on disk!). That is
>> > phase 1 of the boot loader. That has enough smarts to find a
>> > hard-coded partition and read phase 2 from there. Phase 2 will then
>> > load a ton of modules and some configuration files and do the
>> > actual work.
>
> The preceding is reasonably accurate.
So is the following:-)
>> >
>> > With UEFI the firmware just loads a efi binary with everything:-)
>> > MUCH simpler.
>
> There's absolutely nothing simpler about the preceding sentence: Hunger
> simply fails to break out a vast tree of subcomponents and dependencies
> of the "efi binary."
UEFI can only access the EFI partition. In that partition I have
exactly two files: The bootloader and the kernel it loads. The
bootloader is actually optional: The kernel is a efi binary and can be
booted directly, but updating kernels requires messing with EFI vars
then.
Where is the vast tree of subcomponents and dependencies you are
referring to hiding?
>> > UEFI has a couple more features:
>> >
>> > * UEFI allows for better hardware support (graphical login at full
>> > resolution, mouse support, RAID drivers, etc.)
>
> OF COURSE we all desperately need graphical login at full resolution.
I like it.
> And I guess we never had RAID and CLI mouse support before UEFI, right?
Not before the OS was up with all its drivers.
With UEFI I can boot straight from the RAIDs in my machines. I used to
need a separate HDD on a non-RAID controller for that.
>> > * UEFI allows for more security with secure boot. E.g. my thinkpad
>> > *only* boots things that I have signed with my key.
>
> Does Devuan have a key?
Why would Devuan even *need* a key?
> If not, I guess that's all we need to know
> about what distro Tobias Hunger REALLY uses.
You are right: I do not use Devuan, but I still follow it with interest,
pretty much like you do. Are you still using Void Linux?
> I'm guessing he doesn't
> have the brainpower to actually implement the distro-independent shim,
> which sounds like an utter nightmare.
A bootloader signed by Microsoft is only needed if you need the same
binary to boot on any computer out there in the world -- they all come
with a Microsoft key pre-installed. But you can install your own keys
-- and remove the one from Microsoft.
My systems only know my own key, the Microsoft key is gone. So my
machines boot everything *I* sign and nothing else. No Windows, no
rescue CD, no secure-boot enabled Linux distribution, nothing. Even
meddling with the kernel command line or the initrd of my signed
kernel will cause the boot to fail (and yes, I did test that:-).
>> > * UEFI allows for different OSes living next to each other
>> > peacefully, without the constant fight over who writes the MBR and
>> > with that defines the boot loader.
>
> Characterization. "Peacefully?" "Constantly fighting?" The fights only
> occur when changing the boot system.
On BIOS you have only one bootloader (per drive:-), and all but the
last one installed will be broken.
On UEFI you can register several bootloaders that will all function at
the same time.
Installing Windows after Linux is finally safe:-)
> And by the way, if you use MBR
> boot, you can use the old and superior Grub1 or LILO.
To each what he likes best.
> Tobias Hunger, why don't you go support the project you DO like
I do. Hanging out here does not keep me busy, no worry:-)
> instead of trolling the one you don't?
I posted information that is to the best of my knowledge correct on a
topic that I have actual experience with. I did not spot anything rude
in my mail and did not see anybody complain about that. Your
definition of trolling is very different from mine:-)
Even Steve only disagrees on the parts he has obviously never used --
and admits that the parts he has experience with are "reasonably
accurate".
Best Regards,
Tobias
PS: Feel free to contact me if you want to lock down your Devuan
installation in a similar way I locked down my machines. It is all
very generic and in no way tied to systemd -- how could it be
considering that all this happens before even the kernel is loaded!
You obviously need UEFI though.
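After locking a machine down the way described above (vendor keys removed, only your own key enrolled), the check a practitioner wants is to read back what the firmware's Secure Boot db still trusts. The following is an added example, not code from the mail or from Devuan: it parses the db variable from efivarfs using the EFI_SIGNATURE_LIST layout of the UEFI specification; the sample db, the placeholder certificate bytes and the owner GUID MY_OWNER are constructed for the demonstration, while the signature-type GUID, Microsoft's owner GUID and the efivarfs path are the real values.

```python
"""Added example: list what a UEFI firmware's Secure Boot 'db' trusts, to confirm
only your own key is left after the vendor keys were removed (UEFI spec layout)."""
import hashlib, struct, uuid

# X.509 signature type from the UEFI spec, the owner GUID Microsoft stamps on the
# db/KEK entries it ships, and the efivarfs file for db (4 attr bytes + data).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
DB_EFIVAR = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_signature_lists(data):
    """Yield (sig_type, owner, sig_data) per entry of consecutive EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(data):  # struct.error here means a truncated list header
        raw_type, list_size, hdr_size, sig_size = struct.unpack_from("<16sIII", data, off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        body = list_size - 28 - hdr_size  # bytes holding the fixed-size entries
        if body < 0 or off + list_size > len(data) or sig_size < 16 or body % sig_size:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        entries = data[off + 28 + hdr_size:off + list_size]
        for p in range(0, body, sig_size):  # each entry: SignatureOwner GUID + data
            yield sig_type, uuid.UUID(bytes_le=entries[p:p + 16]), entries[p + 16:p + sig_size]
        off += list_size

def trusted_keys(var_bytes):
    """Describe each entry of a raw efivarfs db file as (owner GUID, text)."""
    keys = []
    for sig_type, owner, sig_data in parse_signature_lists(var_bytes[4:]):
        if sig_type == EFI_CERT_X509_GUID:  # entry is a DER cert: show its fingerprint
            keys.append((owner, "x509 sha256=" + hashlib.sha256(sig_data).hexdigest()))
        else:  # e.g. EFI_CERT_SHA256 entries, which are hashes of allowed binaries
            keys.append((owner, f"{sig_type} data={sig_data.hex()}"))
    return keys

def vendor_keys_present(var_bytes):
    """True if any db entry still carries Microsoft's owner GUID."""
    return any(o == MICROSOFT_OWNER_GUID for o, _ in trusted_keys(var_bytes))

def build_signature_list(sig_type, owner, sig_datas):
    """Build one EFI_SIGNATURE_LIST from equal-length entries (sample data only)."""
    size = 16 + len(sig_datas[0])
    return (sig_type.bytes_le + struct.pack("<III", 28 + size * len(sig_datas), 0, size)
            + b"".join(owner.bytes_le + d for d in sig_datas))

# Constructed sample db: attribute bytes, a vendor-owned cert list, then our own
# key's list; real entries hold full DER certificates, these are placeholders.
MY_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # assumed owner GUID
SAMPLE_DB = (b"\x07\x00\x00\x00"
             + build_signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER_GUID, [b"vendor-cert-der"])
             + build_signature_list(EFI_CERT_X509_GUID, MY_OWNER, [b"my-own-cert-der"]))
```

On a UEFI Linux system, pass the raw bytes of the DB_EFIVAR file to trusted_keys to list the live variable; the sample exists only so the block runs offline.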