zlacker

[return to "Google engineers want to make ad-blocking (near) impossible"]
1. Adverb+T5[view] [source] 2023-07-26 10:56:52
>>pabs3+(OP)
It isn't just "make ad-blocking (near) impossible" as the current title of the submission suggests. It is:

Make browsing the internet possible only on Chrome, Safari or Edge (with no modifications or extensions). No competition allowed in browsers.

Make browsing the internet possible only on macOS, Windows, Android or iOS (no custom Android distributions, definitely no LineageOS or GrapheneOS or whatever). No competition allowed in Operating Systems, especially no open source operating systems.

Make crawling the internet possible only to Google. No private crawling and no competing search engines.

Let me know if I've missed anything...

◧◩
2. mozbal+S8[view] [source] 2023-07-26 11:14:33
>>Adverb+T5
iirc remote attestation is reliant on hardware attestation, which means these websites will only run on authorized DRM-enforcing hardware and architectures. Only Intel, AMD, Qualcomm and the like. No open-source firmwares, architectures or hardware.
◧◩◪
3. jeroen+Ld[view] [source] 2023-07-26 11:44:33
>>mozbal+S8
What attestation the website accepts entirely depends on the configuration. There's nothing in the spec that will prevent attestations for Linux computers. Linux already works perfectly fine with secure boot and such, I don't see why a signed bootloader starting a signed attestation engine wouldn't be trusted by third party websites.

It'll kill open platforms like the rare open source RISC-V implementations, but for almost any platform in use today this can be implemented.

The real question is "but will it", and in practice websites will probably only whitelist Chrome, Edge, and (reluctantly) Safari.

◧◩◪◨
4. codedo+Eh[view] [source] 2023-07-26 12:07:44
>>jeroen+Ld
> I don't see why a signed bootloader starting a signed attestation engine wouldn't be trusted by third party websites.

Do you mean a kind of Linux where root cannot do anything he wants? Like Android?

◧◩◪◨⬒
5. jeroen+Zm[view] [source] 2023-07-26 12:38:55
>>codedo+Eh
Yes, a kind of Linux like Ubuntu or Fedora that already boots with secure boot enabled with full support of TPMs and similar technologies. The kind of Linux 99% of Linux users are running today.

More secure variants like Android, leveraging SELinux and such, help with sandboxing but I don't think that SELinux is a strict requirement.

◧◩◪◨⬒⬓
6. holler+RV5[view] [source] 2023-07-27 18:23:27
>>jeroen+Zm
Huh? Fedora defaults to secure boot's being off and it is complicated to get it turned on.

Even after you manage to turn it on, it only verifies the kernel and cannot do anything about malware hiding in /usr. There is no Linux distro AFAIK that has verification of the entire system like ChromeOS, MacOS, iOS, Android and Windows have.

◧◩◪◨⬒⬓⬔
7. jeroen+o36[view] [source] 2023-07-27 19:00:16
>>holler+RV5
Fedora's own website [1] states:

> Fedora includes support for the UEFI Secure Boot feature, which means that Fedora can be installed and run on systems where UEFI Secure Boot is enabled. On UEFI-based systems with the Secure Boot technology enabled, all drivers that are loaded must be signed with a valid certificate, otherwise the system will not accept them. All drivers provided by Red Hat are signed by the UEFI CA certificate.

Running your own secure boot CA is not enabled out of the box (for obvious reasons), but that does not pose a problem on most systems. Secure boot only needs special care if you need to load unsigned kernel modules (DKMS, Nvidia) or if you run on a super duper special Microsoft device that doesn't have the third party CA certificate by default.

[1]: https://docs.fedoraproject.org/en-US/fedora/latest/system-ad...

◧◩◪◨⬒⬓⬔⧯
8. holler+z66[view] [source] 2023-07-27 19:15:17
>>jeroen+o36
Nothing you wrote contradicts anything I wrote. Specifically, although Fedora supports secure boot, if you follow the standard install process, you will get a system with secure boot turned off. I know because I've installed Fedora on a system capable of secure boot.

And, again, it is complicated to get it turned on. How complicated? Take a look:

https://nwildner.com/posts/2021-04-10-secureboot-fedora/

>The kind of Linux 99% of Linux users are running today.

I severely doubt that even 5% of Linux installs have secure boot turned on because of how complicated it is to get it working. Specifically I imagine that the complicated instructions on the page I just linked will need to be modified depending on the specific secure-boot firmware.

◧◩◪◨⬒⬓⬔⧯▣
9. jeroen+Cv6[view] [source] 2023-07-27 21:13:52
>>holler+z66
> Earlier I wrote, "it is complicated to get it turned on". How complicated? Take a look:

> https://nwildner.com/posts/2021-04-10-secureboot-fedora/

Most motherboards ship with secure boot enabled out of the box. Fedora will install and boot in that configuration without any changes to your system or motherboard settings. You actually have to go out of your way to disable it. The manual (https://docs.fedoraproject.org/en-US/fedora/f36/install-guid...) does not mention any such setting changes.

The page you link goes into custom secure boot keys, which are usually unnecessary. They're arguably more secure, but it's an entirely optional step unless you decide to load unsigned kernel modules.

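The posts above disagree about whether a given Fedora install actually has Secure Boot enforced. The firmware's own answer is exposed through efivarfs, so here is an added example (not from the thread, and not Fedora's or any project's code) that decodes it. It assumes the standard efivarfs layout: each variable file carries a 4-byte attribute header followed by the payload, and the `SecureBoot` and `SetupMode` variables (under the EFI_GLOBAL_VARIABLE GUID) each hold one byte. The sample directory it builds is constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the thread: read the firmware's view of Secure Boot
# from efivarfs. Each efivarfs file starts with a 4-byte attribute header,
# then the variable payload; SecureBoot and SetupMode each carry one byte.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE

# Print the payload byte (0 or 1) of variable "$2" in efivarfs directory "$1",
# or "absent" when the variable is not exposed (legacy BIOS boot, efivarfs
# not mounted, or firmware without Secure Boot support).
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    if [ ! -r "$f" ]; then
        echo absent
        return 0
    fi
    # skip the 4 attribute bytes, read exactly one byte, print it in decimal
    od -An -t u1 -j 4 -N 1 "$f" | tr -d ' \n'
}

# Classify the machine. Only SecureBoot=1 with SetupMode=0 means signatures
# are enforced; in setup mode no Platform Key is enrolled, so the firmware
# will not reject unsigned boot components even if SecureBoot reads 1.
secureboot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    sb=$(efivar_byte "$dir" SecureBoot)
    sm=$(efivar_byte "$dir" SetupMode)
    case "$sb/$sm" in
        absent/*) echo no-uefi ;;
        1/0)      echo enforcing ;;
        1/1)      echo setup-mode ;;
        *)        echo disabled ;;
    esac
}

# Constructed efivarfs directory for offline testing: attribute header
# 0x00000007 (NV+BS+RT) followed by the one-byte value given as $2 / $3.
make_sample_efivars() {
    mkdir -p "$1"
    printf "\\007\\000\\000\\000\\00$2" > "$1/SecureBoot-$EFI_GLOBAL_GUID"
    printf "\\007\\000\\000\\000\\00$3" > "$1/SetupMode-$EFI_GLOBAL_GUID"
}

# Stand-alone run: the real machine first, then the constructed cases.
echo "this machine: $(secureboot_state)"
for combo in "1 0" "1 1" "0 0"; do
    set -- $combo
    d=$(mktemp -d)
    make_sample_efivars "$d" "$1" "$2"
    echo "SecureBoot=$1 SetupMode=$2 -> $(secureboot_state "$d")"
    rm -rf "$d"
done
```

`mokutil --sb-state` reports the same SecureBoot bit, but it does not distinguish setup mode, which is the state a machine ends up in after a motherboard's "clear Secure Boot keys" option and the one the custom-key guides linked above start from.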
◧◩◪◨⬒⬓⬔⧯▣▦
10. holler+lJ6[view] [source] 2023-07-27 22:42:08
>>jeroen+Cv6
If secure boot is enabled on the motherboard, Fedora can be installed and used without going into the motherboard firmware and turning it off, but that is different from secure boot's providing to the Fedora install the kind of security assurances that secure boot provides to the other mainstream operating systems (Windows, MacOS, iOS, Android and ChromeOS).

For instance, initrd is not verified: >>36717975

>The page you link goes into custom secure boot keys, which are usually unnecessary.

You might be right about that.

◧◩◪◨⬒⬓⬔⧯▣▦▧
11. jeroen+gP6[view] [source] 2023-07-27 23:31:14
>>holler+lJ6
It's true initrd is not verified; the system boots but the security secure boot is supposed to provide is not available by default. I don't think many Fedora users care, but that can be an issue.

To use secure boot without calls to mokutil and friends, Unified Kernel Images are introduced in Fedora 38. These images contain everything (kernel, initrd, and so on) in one, published package. If https://bugzilla.redhat.com/show_bug.cgi?id=2159490 is to be believed, UKIs are live already in Fedora 38.

I can only find pregenerated UKIs for virtual machines in the Fedora repositories and I can't tell if they're properly signed or not, but support is being extended and this problem is being solved.

As for providing security: Linux really needs an easy, user-friendly GUI application for setting up proper secure boot. Of course at least one step is out of the control of Linux developers (configuring the firmware to load new keys) but right now "I want to load my system keys (and also the keys for my Linux dual boot)" is awful on any Linux distro. Every guide presents scripts to call scripts to call automated tools but none of them seem to make the process any easier or friendlier.

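The last two posts make the point that a Fedora system can be "Secure Boot enabled" while its initrd is loaded with no signature check, and that UKIs close that gap by bundling kernel and initrd into one signed image. As an added example (not from the thread, and not Fedora's or systemd's code), the script below inventories Boot Loader Specification type #1 entries, the `*.conf` files Fedora writes under `/boot/loader/entries`, and flags each entry that names a separate `initrd`. It assumes the BLS keys `linux`, `initrd` and `efi`; the two sample entries and their `6.0.0-placeholder` version string are constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the thread: inventory Boot Loader Specification
# type #1 entries and flag the ones that load a separate initrd. With
# shim + GRUB the file named by the "linux" key is signature-checked before
# execution; files named by "initrd" keys are read and handed to the kernel
# with no check at all. An entry that points at a UKI through the "efi" key
# has no such gap, because kernel and initrd sit inside one signed PE image.

# Print the number of "initrd" lines in one entry file.
initrd_line_count() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            initrd[[:space:]]*) n=$((n + 1)) ;;
        esac
    done < "$1"
    echo "$n"
}

# One line per *.conf in directory "$1" saying whether it splits the initrd.
report_entries() {
    for entry in "$1"/*.conf; do
        [ -f "$entry" ] || continue
        name=$(basename "$entry" .conf)
        if [ "$(initrd_line_count "$entry")" -gt 0 ]; then
            echo "$name: loads a separate, unverified initrd"
        else
            echo "$name: no separate initrd"
        fi
    done
}

# Number of entries in directory "$1" that load a separate initrd.
count_split_entries() {
    c=0
    for entry in "$1"/*.conf; do
        [ -f "$entry" ] || continue
        if [ "$(initrd_line_count "$entry")" -gt 0 ]; then
            c=$((c + 1))
        fi
    done
    echo "$c"
}

# Constructed sample entries (placeholder version, not a real Fedora kernel):
# a conventional split kernel/initrd entry and one that boots a UKI.
make_sample_entries() {
    mkdir -p "$1"
    cat > "$1/fedora-split.conf" <<'EOF'
title Fedora Linux (6.0.0-placeholder)
version 6.0.0-placeholder
linux /vmlinuz-6.0.0-placeholder
initrd /initramfs-6.0.0-placeholder.img
options root=UUID=00000000-0000-0000-0000-000000000000 ro
EOF
    cat > "$1/fedora-uki.conf" <<'EOF'
title Fedora Linux UKI (6.0.0-placeholder)
version 6.0.0-placeholder
efi /EFI/Linux/fedora-6.0.0-placeholder.efi
EOF
}

# Stand-alone run: the constructed entries, then the real ones if readable.
d=$(mktemp -d)
make_sample_entries "$d"
report_entries "$d"
echo "entries with a separate initrd: $(count_split_entries "$d")"
rm -rf "$d"
if [ -r /boot/loader/entries ]; then
    report_entries /boot/loader/entries
fi
```

A UKI is more often registered as a type #2 entry (the `.efi` file itself dropped into `EFI/Linux/`), which this script does not list; the point it makes is the inverse one, that every entry it reports as split is a boot path where Secure Boot's guarantee stops at the kernel.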