Re: New memory tester application potentially to replace memtest86+: PCMemTest

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Feb 8, 2021 at 7:13 PM Kevin Kofler via devel
<devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Chris Murphy wrote:
> > If you want to take the risk of acquiring a rootkit that can
> > permanently take control of your firmware, that is up to you. It
> > should not be a distribution recommendation to subject users to such
> > bad advice.
>
> And the "good advice" would be to accept that your computer will only run
> operating systems approved by Microsoft and to accept a security model that
> prevents basic functionality such as hibernation, third-party kernel
> modules, etc.?

This is such an old argument. I know you've been around in Fedora long
enough to actually understand this stuff if you really wanted to at
least not spread misinformation.

Microsoft does not approve or disapprove of operating systems. They
have an EFI signing program for developers. They are signing just our
shim bootloader. Fedora signs the other things in the boot chain.

Anyone can enroll their own signing keys with the firmware, sign the
bootloader, kernel and kernel modules, including 3rd party. You can
even mix and match signed binaries. And those binaries will comply
with a Secure Boot enabled system just fine, without having Microsoft
signatures on anything. Yes that's tedious and it would be better if
it were easier than it is right now.

Windows supports hibernation, with UEFI Secure Boot enabled. We don't
because Linux hibernation images are inherently insecure by design and
thus are a loophole for thwarting the Secure Boot regime. Therefore a
kernel lockdown policy is applied to disallow hibernation if Secure
Boot is enabled. It can be fixed, but the resources to finish that
work have not yet materialized.

Literally none of this is Microsoft's fault. And rootkits predate UEFI.

-- 
Chris Murphy
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux