Linux

53576 readers

1495 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

[email protected]

Secure Boot on or off with Mint? (lemmy.world)

submitted 1 day ago by [email protected] to c/[email protected]

29 comments fedilink hide all child comments

I've seen people advocating for both options, but since I'm still new to Linux I'm not sure what to do. I'm currently installing Mint on my laptop to try it out, and I'm not sure if I should enable secure boot or not.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 2 points 1 day ago (3 children)

Lol, explain how? Are you using TPM values to actually secure anything? If not, then it's literally doing nothing for you.

[–] [email protected] 0 points 1 hour ago (1 children)

Tpm is for crypto and secure generation and storage of values for use in encryption generally. Secureboot is just firmware verification of loaded binaries from boot on out, they’re 2 different pieces and are not really relevant to each other, unless you’re like me and have a fully customized bootloader with keys in TPM and an EFI module with support for the TPM and unlocking your boot drive.

[–] [email protected] 1 points 40 minutes ago

You are quite mistaken. TPM is used as a key pair, and not just generation.

Let give you a specific example: built a hardware platform for a company, and they wanted to make sure that the storage and device were secure on their own, as well as being separated to prevent somebody pulling it apart to try and channel attack all the different things.

On install, the encrypted disk generates a signature. TPm has its own clean keys set to verify that it's paired at various levels with various pieces of onboard hardware. Then you pair a bootloader combination of those signatures to generate a three-part signature to make sure that what is in TPM matches both the onboard signatures of what is hardwired in, along with the key generated by the new encrypted volume on the drive.

Anyone takes that drive out, it's mostly useless, because it can't boot without the signatures verified by TPM, and they'll never be able to match the combination of the other 15 keys stored there for the hardwired components.

That's how it's intended for use. Not just for signature generation and verification. It's more of a key/value store than anything, like a physical hardware token device.

[–] [email protected] 2 points 1 day ago* (last edited 1 day ago) (1 children)

Its not doing nothing. Linux uses a Microsoft provided key for initial BIOS authentication and then has its own tree of keys that it uses for security. So it does have the benefits of locking out malicious code/processes even in a default set up.

Using your own secure boot and TPM keys is certainly more secure, but it doesnt follow that secure boot with the default set up is doing nothing to help secure your system at boot.

[–] [email protected] 4 points 1 day ago* (last edited 1 day ago)

No idea where you got this understanding from, but it's not accurate. In your example, if a distro has signed binaries, then it will work to verify code loaded during the boot process to help to verify system integrity. As OP asked about Mint, yes it technically does have signed pre boot and boot signed modules.

No, this will not prevent all code/processes that aren't signed from running. That's a ludicrous statement. It will prevent unsigned kernel modules from being loaded (see Nvidia's MOK process), and it will prevent a disk from being hit with sideload attacks perhaps (it should be encrypted anyway), but it absolutely does not prevent a user from running unsigned code, or even using root privs to run harmful code (like running random scripts from GitHub).

So at the end of the day does it help a standard user with security? I would argue no. As I said elsewhere, if this question were about HOW to improve security with SB, I'd have a different answer, but that's not the question OP asked.

[–] [email protected] -3 points 1 day ago

You don’t know what you are talking about