[arcza]

What is the convincing reason that MicroSlop is the trusted party to sign the shim with their (presumably NSA-blessed key)? Why is there no charitable equivalent like a small/mini LetsEncrypt foundation for the PKI aspect of Secure Boot? I also do not see a convincing reason it meaningfully improves security posture.

[maxlybbert]

In 2012, Windows 8 stopped booting on computers without UEFI secure boot. Hardware companies weren’t enthusiastic, but they couldn’t ignore Microsoft’s demand. Microsoft published the spec for how Windows 8 would handle secure boot, and that included the crypto key that will be expiring in September. Microsoft’s spec did actually have provisions for non-Microsoft operating systems.

Linux developers didn’t all agree about whether Linux needed to do anything about Microsoft’s plan, but ultimately a Red Hat programmer convinced enough people that it would be easier to follow Microsoft’s spec than to tell new users to “turn off secure boot” if they wanted to run Linux ( https://mjg59.dreamwidth.org/12368.html ). This wasn’t a popular decision, and it hasn’t become any more popular over time, but it has worked.

[cute_boi]

Red hat always creates problem in linux....

[whateverboat]

No. I was there in 2012, Redhat's solution was the only solution which would have properly worked. Eventually, the infrastructure developed for measured boot due to these measures allowed Linux to use TPM in it's proper usage, and allowed sedutils and similar applications to be supported on linux.

[calgarymicro]

You can load your own Secure Boot keys and sign your bootloader yourself; as for why the Microsoft ones are preloaded, probably because they're the only entity that interacts with all of these OEMs and had enough leverage over them to force Secure Boot adoption in the first place.

[jeroenhd]

Thanks to the incredible combination of Lenovo and Nvidia, I cannot remove the Microsoft keys from my laptop. Not because Microsoft backdoored my computer, but because the Nvidia boot ROM is signed by an MS cert and that runs before you can access the UEFI setup.

I hope the firmware either doesn't check the expiry date or that the firmware itself has been upgraded, or several years worth of Thinkpad are about to stop booting in the near future.

[PunchyHamster]

It should be just "hey, do you trust this install media" -> "yes" -> boot key is automatically added at this step. Instead the whole ecosystem is at microsoft whim

[calgarymicro]

If it becomes this easy then Secure Boot just becomes Vista-era UAC. Sometimes making the security bypass an intentional act that requires some knowledge is a good thing. Most PC users, were their bootloader compromised and they saw such a screen on startup, would instantly press yes and forget about it within 5 minutes.

Not to say that having Microsoft as the custodian of the keys preloaded on all PCs is the optimal solution, but I don't think a token yes/no to add any random key on boot is a good idea either.

[saghm]

> What is the convincing reason that MicroSlop is the trusted party to sign the shim with their (presumably NSA-blessed key)?

For OEMs, presumably the stranglehold they have on them via Windows. For users, not much, but none of the ones making these decisions really care about that.

[naturalmovement]

Because they were the only party competent enough to run a PKI (which is 95% policy) while Linux distros still can't agree on a single boot loader.

shim didn't exist at first. Linux was planning to go without until Red Hat's hand was forced likely because their paying customers demanded it.

[tombert]

It's not exactly new for Microsoft to slide themselves in somewhere and become the "standard" before anyone has really thought about how terrible their products are.

[expedition32]

Nor is it Microsoft exclusive. Google and Apple have the same modus operandi.

[tgma]

I mean, NSA-blessed or not, the way this happened was not some hidden conspiracy. It was in the open. The reason it happened is all of these machines are basically made to run Windows, so they need to have Microsoft keys. Microsoft was pushing for Secure Boot, for security and "trusted computing" (evil or good, depending on your PoV,) and open source complained that this is a way to lock in users to Windows, so the compromise choice was to have them sign a GRUB shim so that Linux could just as easily be run without enrolling your own keys.

[bri3d]

Microsoft is the trusted party because they convinced hardware manufacturers to install their keys by default; that's it. A lot of commercial/industrial/pre-branded OEM hardware comes without Microsoft's keys, they're only there for the Windows Logo.

> Why is there no charitable equivalent like a small/mini LetsEncrypt foundation for the PKI aspect of Secure Boot?

This would be pointless and erode the security of the system. Users who care can already remove Microsoft's root keys and enroll their own. There's a small corner case with UEFI Extensions / device firmware, but in this case a lightweight "sign everything" foundation would only serve to erode the security of the system. The problem space is completely orthogonal to website SSL and by and large simply good and not bad when properly configured.

> I also do not see a convincing reason it meaningfully improves security posture.

Secure boot paired with secure boot-sealed disk encryption massively reduces attack surface; with only Secure Boot-sealed keys (ie, BitLocker default), it reduces attack surface for the data on your disk to "post-boot authentication bypass or RCE" from "literally anyone or any piece of software who touches your computer or a disk that came out of it, ever." With keys sealed by Secure Boot and sealed or even just stretched by another mechanism (password, PIN, etc.), it reduces attack surface to "machine unlocked."

> MicroSlop is the trusted party to sign the shim with their (presumably NSA-blessed key)

I've been on Hacker News for an extremely long time and respect the community wish to avoid meta-discourse in general, but this kind of rubbish discourse with weird slurs and unfounded conspiracy theories is getting horrendous lately; I wish this site could more collectively move towards a productive curiosity rather than evidence-free statements based on arbitrary prejudice.

[sunaookami]

It's for your own security, duh ;)

[throwrioawfo]

> presumably NSA-blessed

You have your answer