
Re: shim-signed



Hi everybody,

On Sun, 24 Apr 2022, Tollef Fog Heen wrote:

> I don't think we have docs for running with a different root of trust
> than MS'. To be honest, I'm not sure we even _should_ have a lot of docs
> around it, since the general brittleness of the boot process, UEFI and
> friends might very well lead to more systems being broken when people
> discover the docs and run with the instructions without understanding
> the implications.

I am a very firm believer in giving people as much information as
possible while being responsible. Meaning that I would love to have
that documentation - including a big warning sign which says "if you
follow this path, you may brick your machine and this is your problem,
not ours". If someone is interested to learn _how_ the security is
done and implemented, why should this be unavailable?

> As for it being more secure, for that to be a good and meaningful
> discussion, we have to agree on what the threat model is.  What's the
> threat you want to protect against by using your own or Debian's keys?

Someone wants to make sure that no one except him is able to change
the core functionalities of his device. Or a company wants to make
sure that the customer doesn't change the supported image he is
provided with.
My first guess would be a project like qubes-os, where they want to be
able to give proof that no one changed something on the system.

best regards, Hanno Wagner
-- 
|  Hanno Wagner  | Member of the HTML Writers Guild  | Rince@IRC      |
| Commercial use of my email addresses is not permitted!             |
| 74 a3 53 cc 0b 19 - we did it!          |    Generation @           |
Computer science terms: Updateritis
->  Software bulimia
Frank Klemm

