zlacker

[parent] [thread] 3 comments
1. hulitu+(OP)[view] [source] 2022-03-05 17:16:10
> Linux does unfortunately not have support for signatures of ELF executables

Fortunately. This whole pseudo security brings nothing.

People scream about right to repair. When certificate is revoked or has expired your computer will stop working. It's that simple.

replies(1): >>Genbox+XV
2. Genbox+XV[view] [source] 2022-03-05 23:24:00
>>hulitu+(OP)
It is not pseudo security. A secure booted system that can only load signed software is the optimal solution for preventing unauthorized code from running. iOS on iPhone/iPad is a great example where you can be sure nobody can insert themselves into the OS unless it is signed by Apple.

There is nothing in Secure Boot that prevent people from running their own software. You can update the Secure Boot DB/DBX with whatever you want. Yes, the certificates expire - my computer was bought 4 years ago and Microsoft's UEFI CA will expire in 4 years. At that point I will probably have bought a new computer, but if I have not, I can update the certificate to the new one they released.

Secure Boot is very much an improvement over non-secure booting, and Authenticode signing is an extension of that security to enable signed-only software to run.

replies(2): >>hulitu+GR1 >>JetSpi+8fl
◧◩
3. hulitu+GR1[view] [source] [discussion] 2022-03-06 10:54:45
>>Genbox+XV
> It is not pseudo security. A secure booted system that can only load signed software is the optimal solution for preventing unauthorized code from running. iOS on iPhone/iPad is a great example where you can be sure nobody can insert themselves into the OS unless it is signed by Apple.

Pegasus.

◧◩
4. JetSpi+8fl[view] [source] [discussion] 2022-03-12 13:12:40
>>Genbox+XV
It is pseudo-security. SElinux and "mount noexec" already provide sysadmins with control over all the code that can be executed on a machine.
[go to top]