Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Speaking of SecureBoot and how practically no Linux distribution actually makes use of its potential (in terms of increasing security), does anyone here have any experience with SafeBoot?[0] It looked pretty interesting to me, though mounting the rootfs read-only didn't seem go well with how most Linux distributions these days still require you to change files in / on an almost daily basis.

[0]: https://safeboot.dev



> [...] how practically no Linux distribution actually makes use of its potential (in terms of increasing security) [...]

FWIW, I double-checked with a Fedora developer; the above statement is incorrect. Fedora uses it (Secure Boot) to enforce lock-down on the kernel and then require code signing, etc.


Does that include the initramfs?


> Speaking of SecureBoot and how practically no Linux distribution actually makes use of its potential (in terms of increasing security)

In Ubuntu and Fedora you can’t load unsigned kernel-modules when using secure boot.

How does that not increase security?


Ubuntu's (and to my knowledge also Fedora's) boot chain is not fully validated. An evil maid can easily swap out the initramfs.


I'm pretty sure both Ubuntu and Fedora installers display and have the option for MOK enrollment, when you have SB enabled and you select ~"Install additional drivers", meaning you can install your own modules.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: