> On Tue, 2017-10-24 at 09:01 +0200, marc wrote:
>
> > Secureboot is designed for them, not for you. You might come
> > up with a really exotic use case, where it might help you. But
> > if you look at it carefully enough, it relies on secureboot
> > redefining root to something weaker than what we want, and
> > running some complex infrastructure which you are unaware
> > of behind it. If you want a weak root, run a virtual machine
> > instead.
>
> Not at all. Right now if you install Fedora or Ubuntu you get the
> protection of secure boot. You already trust them if you are installing
> their OS, correct? Everyone signs the kernel package at the package
> manager stage so we can all use untrusted mirrors. So now they also put
> a signature on a grub-efi package with a key signed by the UEFI CA that
> embeds their company keys. Now your system validates that GRUB is clean
> and it checks the kernel hasn't been tampered with before executing
> either of them,

But what does that buy us ? If the .deb is already signed,
an extra vmlinuz signature doesn't make any difference. The
bad guys can install their code in the pre or post-install
scripts and get root on your system - a signed kernel isn't
going to help. As explained before, if somebody has root the
game is over. I am puzzled that this is tricky to understand.

Signatures are a tool which can be used for good or bad.
Signed .deb or .rpms are probably a good use of the tool.
Proprietary and complex BIOSes enforcing signatures are a bad
thing for the free software world - you are running an extra
layer of software you don't understand and which wants to
control you.

> Eventually Debian will begin shipping signed grub-efi and kernel
> packages.

That would be terrible, though consistent with the trajectory they
are on.

> Devuan would have to pay $100 to get a signed grub-efi of its
> own (with a Devuan kernel signing key embedded) to ship kernels built by
> them if they don't just pass on the Debian grub and kernel packages
> unmodified.

I would hope collectively Devuan is smarter than that. Paying for
a signed bootloader lends legitimacy to the concept that some party
other than the owner of the computer is entitled to decide what boots
on a particular machine. The next Linus in Malaysia or Nepal might
not be able to afford the $100 to boot his amazing new operating
system (nevermind authenticate well enough to get one), and if
some distribution is somehow instrumental in helping the next
wikileaks, payment processors or cert authorities might refuse to
accept the payment for certificate.

The point is a signed bootloader helps centralises power, which
makes the world more unequal and undemocratic.

> That is it, one can argue how much security benefit it
> brings but it is non-zero and requires minimal effort to achieve.

You are only looking for the positives, and neglect to consider
to the downsides. I would argue that summing features and misfeatures
up one ends up at a net loss.

regards

marc