Re: The future of legacy BIOS support in Fedora.

On 7/9/20 10:46 AM, John M. Harris Jr wrote:
> "Secure Boot" doesn't make root non-uid 0, and can't keep root from
> controlling system devices, even uploading unsigned firmware to peripherals.

While it's true that a completely secure software chain doesn't really exist yet, we are slowly going in that direction, because it is just inconceivable otherwise in a world with billions of autonomous IoT devices---the consequences of a worm-type insecurity that would subvert a significant portion of Internet-connected devices are just too scary.

For instance, one possible solution, used e.g. for secure BIOS updates, is to prevent loading firmware directly, and instead load it into a separate flash area. Then, reset the system:

  • existing certified firmware boots and finds the updated firmware
  • new firmware is measured and verified
  • if it passes, the old firmware copies and activates the updated firmware

So you see that you can't subvert this even with UID==0. Same thing for controlling system devices---with a secure software chain even the applications can be certified and controlled. This is not your or my desktop system, of course, but there is a need for systems like this.

When I hear you say that this takes away the ownership of our computers from us, I think that it's got to be this way for a large part of those billions of systems---as the saying goes, we have to stop thinking of computers as pets, and start seeing them as cattle. We can still have pets as well, but there has to be a way to herd cattle.

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
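
The staged update flow described in the message above, modelled as an added example that is not part of the original post or of any real firmware. The `Flash` class, `boot`, `sign` and the key are hypothetical names, and HMAC with a constructed key stands in for the vendor's asymmetric signature check.

```python
import hashlib
import hmac

# Constructed key. Real firmware checks an asymmetric signature against a public
# key in ROM; HMAC is a stand-in here because it is in the standard library.
VENDOR_KEY = b"constructed-demo-key"

def sign(image: bytes) -> bytes:
    """Vendor side: produce the tag shipped with an update image."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()

class Flash:
    """Hypothetical flash model: a locked active region and an OS-writable staging area."""
    def __init__(self, image: bytes):
        self.active = image
        self.staging = None   # (image, tag) written by the OS, untrusted
        self.locked = True    # active region is write-protected while the OS runs

    def os_write_active(self, image: bytes) -> None:
        """What root would like to do: overwrite the running firmware directly."""
        if self.locked:
            raise PermissionError("active region is write-protected until reset")
        self.active = image

    def os_stage(self, image: bytes, tag: bytes) -> None:
        """The only write path open to the OS, including UID 0."""
        self.staging = (image, tag)

def boot(flash: Flash) -> str:
    """Reset path, run by the existing trusted firmware before the OS starts."""
    flash.locked = False
    result = "no-update"
    if flash.staging is not None:
        image, tag = flash.staging
        # Measure the staged image and verify it against the supplied tag.
        if hmac.compare_digest(sign(image), tag):
            flash.active = image      # copy and activate
            result = "activated"
        else:
            result = "rejected"       # keep the old firmware
        flash.staging = None
    flash.locked = True               # re-lock before handing control to the OS
    return result

if __name__ == "__main__":
    flash = Flash(b"firmware v1")
    flash.os_stage(b"tampered image", b"\x00" * 32)
    print(boot(flash), flash.active)
    flash.os_stage(b"firmware v2", sign(b"firmware v2"))
    print(boot(flash), flash.active)
```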
