Debian 9.0 "Stretch" Might Not Have UEFI Secure Boot Support

  • Debian 9.0 "Stretch" Might Not Have UEFI Secure Boot Support

    Phoronix: Debian 9.0 "Stretch" Might Not Have UEFI Secure Boot Support

    Debian 9.0 "Stretch" has seen UEFI Secure Boot support no longer being considered a release blocker but is now just a stretch goal for this upcoming release...


  • #2
    No loss at all. "Secure" boot is an anti-feature anyway.



    • #3
      I don't have the option to turn it off. But it's not like I was going to install Debian on my laptop.



      • #4
        Originally posted by Kohrias:
        No loss at all. "Secure" boot is an anti-feature anyway.
        On the contrary, it is quite useful. On my laptop I have full disk encryption, so /root and /boot are in one big LUKS volume. Only a 1 MiB partition in front is unencrypted, and it contains a single file, grubx64.efi, signed by my own Secure Boot key, which is the only thing that Secure Boot allows to boot here. So an evil maid attack becomes impractical. You can't replace my signed bootloader with something else.
        Last edited by stikonas; 27 April 2017, 05:32 PM.



        • #5
          Originally posted by stikonas:

          On the contrary, it is quite useful. On my laptop I have full disk encryption, so /root and /boot are in one big LUKS volume. Only a 1 MiB partition in front is unencrypted, and it contains a single file, grubx64.efi, signed by my own Secure Boot key, which is the only thing that Secure Boot allows to boot here. So an evil maid attack becomes impractical. You can't replace my signed bootloader with something else.
          Since when are you allowed to sign yourself? Don't you need a third party to do that (i.e. Microsoft)?



          • #6
            Originally posted by Kohrias:
            Since when are you allowed to sign yourself? Don't you need a third party to do that (i.e. Microsoft)?
            You need to be able to import your own key into the UEFI firmware, which is a feature that exists in a relatively large number of UEFI firmwares nowadays. If it isn't there, try checking for BIOS updates, because on average the feature was added in a later version (as was the ability to turn off Secure Boot on many systems).

            For example I could do that too on my ASUS x102ba that is from 2013.

            You can also delete keys.



            • #7
              Originally posted by starshipeleven:
              You need to be able to import your own key into the UEFI firmware, which is a feature that exists in a relatively large number of UEFI firmwares nowadays. If it isn't there, try checking for BIOS updates, because on average the feature was added in a later version (as was the ability to turn off Secure Boot on many systems).

              For example I could do that too on my ASUS x102ba that is from 2013.

              You can also delete keys.
              Yeah. There are even some programs (efitools) to do it from the OS, although on my laptop it didn't work. But doing it from the BIOS worked, including removal of the Microsoft key.

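The key enrollment that stikonas and starshipeleven describe (posts #6 and #7) boils down to getting an EFI_SIGNATURE_LIST into the firmware's PK, KEK or db variable; efitools' cert-to-efi-sig-list writes exactly that structure from a DER certificate. The following is an added example, not code from the thread or from efitools: a standard-library Python builder and parser for that wire format, so you can inspect what a .esl (or a dump of db) actually contains. The owner GUID, the "certificate" bytes and the hashes are constructed placeholders, not real key material; signing the list with the KEK (sign-efi-sig-list) and writing it to the variable (efi-updatevar) are separate steps not shown here.

```python
"""Build and parse EFI_SIGNATURE_LIST blobs (the .esl files that efitools'
cert-to-efi-sig-list produces and efi-updatevar enrolls). Standard library only."""
import struct
import uuid

# SignatureType GUIDs from the UEFI spec. EFI_GUID stores the first three
# fields little-endian, which is exactly what uuid.UUID(...).bytes_le yields.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (28 bytes in total).
LIST_HDR = struct.Struct("<16sIII")
OWNER_LEN = 16  # each EFI_SIGNATURE_DATA starts with the SignatureOwner GUID

# Constructed sample inputs (assumptions for this example): NOT a real
# DER certificate, NOT real hashes, NOT a registered owner GUID.
OWNER_GUID = uuid.UUID("deadbeef-0000-4000-8000-000000000001")
FAKE_CERT = b"\x30\x82\x01\x00" + bytes(range(256))   # DER-looking placeholder
FAKE_HASH1 = bytes([0x11] * 32)
FAKE_HASH2 = bytes([0x22] * 32)


def build_esl(sig_type, owner, entries):
    """Pack one EFI_SIGNATURE_LIST. SignatureSize is per list, so every
    entry must have the same length; X.509 certs therefore go one per list."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    data_len = sizes.pop()
    if sig_type == EFI_CERT_SHA256_GUID and data_len != 32:
        raise ValueError("SHA256 entries must be 32 bytes")
    sig_size = OWNER_LEN + data_len
    list_size = LIST_HDR.size + sig_size * len(entries)
    out = LIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for e in entries:
        out += owner.bytes_le + e
    return out


def parse_esl(blob):
    """Walk a chain of signature lists (the layout of db/dbx/KEK/PK) and
    return [(type_name, owner_uuid, data), ...], rejecting bad sizes."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at %d" % off)
        type_raw, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off)
        body = LIST_HDR.size + hdr_size
        if list_size < body or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of bounds at %d" % off)
        if sig_size < OWNER_LEN or (list_size - body) % sig_size:
            raise ValueError("SignatureSize does not tile the list at %d" % off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        name = SIG_TYPE_NAMES.get(sig_type, "unknown-" + str(sig_type))
        pos, end = off + body, off + list_size
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + OWNER_LEN])
            entries.append((name, owner, blob[pos + OWNER_LEN:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def demo():
    """Concatenate one X.509 list and one SHA256 list, as you would get by
    appending two .esl files for db, then parse the result back."""
    db = (build_esl(EFI_CERT_X509_GUID, OWNER_GUID, [FAKE_CERT])
          + build_esl(EFI_CERT_SHA256_GUID, OWNER_GUID, [FAKE_HASH1, FAKE_HASH2]))
    return parse_esl(db)


if __name__ == "__main__":
    for name, owner, data in demo():
        print(name, owner, len(data), "bytes")
```

The parser is deliberately strict about sizes: a list whose SignatureSize does not tile its body, or that runs past the end of the blob, is rejected rather than partially read, which is the behaviour you want when inspecting a variable dumped from a firmware you do not fully trust.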


              • #8
                I'm largely UEFI pro.
                It is nice to have a firmware that can understand FAT32 natively.
                No need for OS-like bootloaders anymore; you can boot the kernel directly via the EFI stub.
                You can also sign your kernel modules. I imported my own pubkey into the UEFI from USB and compile a signed kernel.
                There exist free shims that have been signed with the Microsoft key; distros like Ubuntu and Fedora include it and make installations painless on Secure Boot enabled systems.

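Whether the firmware (or shim) will run grubx64.efi, a kernel booted through its EFI stub, or anything else comes down to the Authenticode signature embedded in the PE image: the certificate table that sbsign attaches and that gets verified against db. Before relying on a setup like the one in posts #4 and #8, it is worth confirming that the binary you placed on the ESP is actually signed, and how many signatures it carries. The code below is an added example, not code from the thread, from sbsigntools or from shim: a standard-library Python parser that locates the PE certificate table and lists its WIN_CERTIFICATE entries. The test image it builds is a constructed minimal PE32+ with no sections and a placeholder payload instead of a real PKCS#7 blob. It answers "is this signed, and how many times", not "by whom"; verifying the PKCS#7 against an enrolled certificate is a further step (sbverify does it) not shown here.

```python
"""Find and list Authenticode signatures in a PE/EFI image. Standard library only."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # certificate table slot in the data directory
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def build_fake_efi(cert_payloads=()):
    """Constructed test input: a minimal PE32+ image (no sections, no code)
    with an optional certificate table. Not a bootable binary."""
    opt = bytearray(240)                               # PE32+ header with 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)              # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x2022)
    headers_len = 64 + 4 + len(coff) + len(opt)         # DOS stub + "PE\0\0" + COFF + optional
    table = b""
    for payload in cert_payloads:
        entry = struct.pack("<IHH", 8 + len(payload), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        table += entry + b"\0" * (-len(entry) % 8)     # entries are 8-byte aligned
    if table:
        # For this directory entry the first field is a FILE OFFSET, not an RVA.
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(table))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)    # e_lfanew at 0x3c -> 0x40
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def list_signatures(image):
    """Return [(revision, cert_type, payload), ...] for every WIN_CERTIFICATE
    in the image, [] if the image is unsigned, ValueError if it is malformed."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x20B:                                  # PE32+ (x86_64, aarch64 EFI)
        ndirs_off, dirs = opt + 108, opt + 112
    elif magic == 0x10B:                                # PE32 (ia32 EFI)
        ndirs_off, dirs = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (ndirs,) = struct.unpack_from("<I", image, ndirs_off)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or dirs + 8 * ndirs > opt + opt_size:
        return []                                       # no certificate directory at all
    tbl_off, tbl_size = struct.unpack_from("<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if tbl_off == 0 or tbl_size == 0:
        return []                                       # unsigned
    if tbl_off + tbl_size > len(image):
        raise ValueError("certificate table runs past end of file")
    sigs, pos, end = [], tbl_off, tbl_off + tbl_size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE at offset %d" % pos)
        sigs.append((revision, cert_type, image[pos + 8:pos + length]))
        pos += length + (-length % 8)
    return sigs


if __name__ == "__main__":
    for label, img in (("unsigned", build_fake_efi()),
                       ("signed", build_fake_efi([b"constructed-PKCS7-placeholder"]))):
        print(label, "->", len(list_signatures(img)), "signature(s)")
```

Run it against a real grubx64.efi or vmlinuz-*.efi (`list_signatures(open(path, "rb").read())`) and you get one tuple per signature; an empty list means the firmware will reject the file outright unless its hash was enrolled in db. A table that extends past the end of the file is treated as an error rather than silently truncated, since a signature check should fail closed on a damaged image.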


                • #9
                  Last I checked, turning off secure boot on my work laptop would break the full disk encryption for the windows partition... While I wouldn't mind, our IT overlords wouldn't like that showing up in the audits...

                  So yeah, not supporting secure boot is a bit of a deal breaker for me



                  • #10
                    Originally posted by hax0r:
                    There exist free shims that have been signed with the Microsoft key; distros like Ubuntu and Fedora include it and make installations painless on Secure Boot enabled systems.
                    Shims are set to boot only GRUBs signed with Ubuntu/Fedora keys, which are also configured to boot only signed Ubuntu/Fedora kernels (and Windows). Same for openSUSE. And since all this stuff is signed, you can't tamper with it to have it boot something else.

                    MS didn't sign their shims for lulz, there is a commercial agreement.
