Greentext

7182 readers

859 users here now

This is a place to share greentexts and witness the confounding life of Anon. If you're new to the Greentext community, think of it as a sort of zoo with Anon as the main attraction.

Be warned:

Anon is often crazy.
Anon is often depressed.
Anon frequently shares thoughts that are immature, offensive, or incomprehensible.

If you find yourself getting angry (or god forbid, agreeing) with something Anon has said, you might be doing it wrong.

founded 2 years ago

MODERATORS

Early_To_Risa@sh.itjust.works

595

Anon gets rid of drop box (sh.itjust.works)

submitted 1 day ago by Early_To_Risa@sh.itjust.works to c/greentext@sh.itjust.works

80 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] j4k3@piefed.world 71 points 1 day ago (2 children)

The owner of the machine is the owner of the secure boot keys.

[–] Whostosay@sh.itjust.works 18 points 1 day ago* (last edited 1 day ago) (4 children)

J4k3, hope youre doing alright dude.

Got a question you may be able to help me with. I have never changed my secure boot key on my motherboard after switching from windows. Do I need to worry about anything? If I don't, what's the pros and cons and what not.

I remember reading that there's some sort of potential issues with keys from windows if you're a Linux user a few months back.

[–] Turret3857@infosec.pub 21 points 1 day ago (1 children)

not j4k3 but my understanding is that the default keys are expiring soon and need to be rotated, and the rotation is up to your Mobo OEM to push out (?). I am not entirely sure that is correct, but I think it is.

Pros and cons of your own key: Pros: its your key, so youre responsible for your security

Cons: its your key, so youre responsible for your security

[–] Whostosay@sh.itjust.works 8 points 1 day ago

That was my understanding as well,

I got a good chuckle out of the pros and cons list lol, ty for that.

I'll have to look into self owned boot keys now.

Thanks for chiming in

[–] j4k3@piefed.world 15 points 1 day ago

You can generate your own keys. Here are two PDF links I copied just now from a post I made 2 years ago here. I don't keep these white listed, so I did not check them for connecting. The first is the official UEFI overview. The second is a great guide from the US government detailing exactly how to set the keys. If that link doesn't work, pull out the document number from the link and search for it. Gentoo and Arch have guides on this. Fedora has the most advanced pre Linux init system in my opinion.

https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2019.pdf

https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-Secure-Boot-Customization-UOO168873-20.PDF

If you have secure boot enabled, and you are using the shim from fedora or ubuntu, then yes you need to worry about it if you want to dual boot with w11.

[–] lorentz@feddit.it 8 points 1 day ago

I remember reading a post on mastodon where it was explained that no mother board validates the secure boot keys expiration dates otherwise it wouldn't boot the first time the BIOS battery gets empty and the internal clock gets reset. The post was written well and was citing some sources. But I didn't try to verify these assertions.

[–] mushroomman_toad@lemmy.dbzer0.com 7 points 1 day ago* (last edited 1 day ago) (1 children)

Pros and cons of disabling the default Microsoft key:

(Assuming you have secure boot enabled, and want the security that comes from that)

pros:

You control your own key and have full choice over what software can start up on your computer, software cannot be approved by anybody else.
Your secure boot security model is not vulnerable to the risk of booting 3rd party software with known security vulnerabilities.
Sophisticated attackers with physical access to your computer cannot carry out an evil maid attack on your computer and convince it to trick you or steal your data.

cons:

You need to have software installed to manage the key. There is software available for Ubuntu and NixOS.
There are many buggy UEFI implementations out there that require the Microsoft key to load built-in oproms during standard boot, potentially bricking your computer.
Software that gains root access to your computer could steal your signing key, potentially negating the benefits of secure boot against non-evil maid attacks.

[–] felsiq@piefed.zip 2 points 19 hours ago

There are many buggy UEFI implementations out there that require the Microsoft key to load built-in oproms during standard boot, potentially bricking your computer.

From what I’ve found looking into this before, nvidia graphics cards have these oproms so your own secure boot key + nvidia will brick your shit. Can anyone confirm or deny this? Are modern AMD cards any better for this? I’ve been itching to use my own keys for ages and this is the only thing holding me back

[–] umbrella@lemmy.ml 1 points 17 hours ago* (last edited 17 hours ago)

AND the ones who control the source code of the software you run.