Hacker News new | ask | show | jobs
by s_dev 148 days ago
>We are building cryptographically verifiable integrity into Linux systems. Every system starts in a verified state and stays trusted over time.

What problem does this solve for Linux or people who use Linux? Why is this different from me simply enabling encryption on the drive?
2 comments
NekkoDroid 148 days ago
Drive encryption is only really securing your data at rest, not while the system is running. Ideally image based systems also use the kernels runtime integrity checking (e.g. dm-verity) to ensure that things are as they are expected to be.
link
cwillu 148 days ago
“ensure that things are as they are expected to be” according to who, and for who's benefit? Certainly not the person sitting in front of the computer.
link
NekkoDroid 148 days ago
The system owner. Usually that is the same entity that owns the secure boot keys, which can be the person that bought a device or another person if the buyer decides to delegate that responsibility (whether knowingly or unknowingly).

In my case I am talking about myself. I prefer to actually know what is running on my systems and ensure that they are as I expect them to be and not that they may have been modified unbeknownst to me.

link
direwolf20 148 days ago
I don't think this is right. Usually, the entity that owns secure boot keys is a large tech corporation which paid to install their keys on all new computers.
link
marcthe12 148 days ago
You can enroll your own and LP goal is basically based on the assumption that you can enroll your own
link
egorfine 147 days ago
Until you cannot.
link
rcxdude 148 days ago
This is only the case if the person sitting in front of it does not own the keys.
link
cwillu 148 days ago
And from this you can safely conclude that users will be under severe pressure to surrender them.
link
Nextgrid 148 days ago
It prevents malware that obtained root access once from forever replacing your kernel/initrd and achieving persistence that way.
link
direwolf20 148 days ago
Unless that malware is able to activate the secure boot feature on a system where it is not enabled, in which case it permanently prevents me from removing the malware.
link
Nextgrid 147 days ago
Then you reset the firmware and re-enroll your SB keys or disable it completely.
link
egorfine 147 days ago
> re-enroll your SB keys

This is possible only temporarily.

link