[conspire] (forw) Re: [Felton LUG] Oh boy, this doesn't look good...

Rick Moen rick at linuxmafia.com
Thu Jul 30 10:55:48 PDT 2020


Quoting Ruben Safir (ruben at mrbrklyn.com):

> 100% and that control is exercised by root.

If you control _when_ root is able to modify the boot chain, obviously
you gain an additional degree of system protection, e.g., against
interference by root-authority processes and persons messing with the
boot chain without the owner's approval.  Again, this should be
self-evident.

UEFI Secure Boot being a system where Microsoft alone has the keys to 
sign bootloaders is very annoying.  That is obviously a limitation built
into the design, and is one reason why I ignore Secure Boot (among
others).  That having been said, several bootloader efforts have done
the one-time annoyance of getting their code MSFT-signed, so anyone who 
chooses to use it to fully control the boot chain, and prevent even a 
hostile local console user (or malware executed with root authority)
from interfering from boot, can now do so.

I don't choose to use that.  You don't choose to do that.  However, the
advantage is obvious (albeit not IMO compelling for any use-case of mine).

Is your mind flexible enough to understand that some things have
undeniable benefits, even though you (and I) have compelling reasons to
not like them?  Or are you determined to be a fugghead?



