On Mon, Feb 8, 2021 at 7:13 PM Kevin Kofler via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Chris Murphy wrote:
> > If you want to take the risk of acquiring a rootkit that can
> > permanently take control of your firmware, that is up to you. It
> > should not be a distribution recommendation to subject users to such
> > bad advice.
>
> And the "good advice" would be to accept that your computer will only run
> operating systems approved by Microsoft and to accept a security model that
> prevents basic functionality such as hibernation, third-party kernel
> modules, etc.?

This is such an old argument. I know you've been around in Fedora long enough to actually understand this stuff if you really wanted to at least not spread misinformation.

Microsoft does not approve or disapprove of operating systems. They have an EFI signing program for developers. They are signing just our shim bootloader. Fedora signs the other things in the boot chain.

Anyone can enroll their own signing keys with the firmware, sign the bootloader, kernel and kernel modules, including 3rd party. You can even mix and match signed binaries. And those binaries will comply with a Secure Boot enabled system just fine, without having Microsoft signatures on anything. Yes that's tedious and it would be better if it were easier than it is right now.

Windows supports hibernation, with UEFI Secure Boot enabled. We don't because Linux hibernation images are inherently insecure by design and thus are a loophole for thwarting the Secure Boot regime. Therefore a kernel lockdown policy is applied to disallow hibernation if Secure Boot is enabled. It can be fixed, but the resources to finish that work have not yet materialized.

Literally none of this is Microsoft's fault. And rootkits predate UEFI.

--
Chris Murphy
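
As an added example (not part of the original message): a shell script that reports the state the message describes, that is, whether Secure Boot is enforcing, which kernel lockdown mode is active, and whether that mode blocks hibernation. It assumes the standard Linux efivarfs and securityfs paths; the function names are illustrative, and the paths are parameters so the parsers can be run on constructed sample files.

```shell
#!/bin/sh
# Added example: report Secure Boot state, kernel lockdown mode and whether
# lockdown blocks hibernation. Function names are illustrative.

SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
LOCKDOWN=/sys/kernel/security/lockdown

# An efivarfs file is 4 bytes of attributes followed by the variable data.
# SecureBoot holds a single data byte: 1 = enforcing, 0 = not enforcing.
secure_boot_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# The lockdown file lists every mode and brackets the active one,
# e.g. "none [integrity] confidentiality".
lockdown_mode() {
    [ -r "$1" ] || { echo unknown; return 0; }
    mode=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1" | head -n 1)
    echo "${mode:-unknown}"
}

# Hibernation is refused in both "integrity" and "confidentiality" modes.
hibernation_blocked() {
    case "$(lockdown_mode "$1")" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a three-line summary; optional arguments override the default paths.
report() {
    echo "Secure Boot: $(secure_boot_state "${1:-$SB_VAR}")"
    echo "Lockdown:    $(lockdown_mode "${2:-$LOCKDOWN}")"
    if hibernation_blocked "${2:-$LOCKDOWN}"; then
        echo "Hibernation: blocked by lockdown"
    else
        echo "Hibernation: not blocked by lockdown"
    fi
}

report "$@"
```

On a system where lockdown is in force, `/sys/power/disk` should also read `[disabled]`, which is the kernel's own view of the same restriction.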