Conversation

Ok, *fine*, I'll write a post about secure boot certificate rollover

@mjg59 the lwn article was spectacularly wrong in lots of ways.

@hughsie @mjg59 Link? And is there a selection of wrong things you can correct?

@mjg59 just out of interest and curiosity: have you gathered any experience with Himmelblau yet, i.e. the project reimplementing the *Windows client profile* by means of reverse engineering the protocol with packet traces?

it's just something that has recently (early summer) evolved into a priority topic in my professional life now and in the foreseeable near future, thus the interest.

@jarkko I have not but I also have a professional interest in this

@mjg59 Microsoft does have a Linux Intune client profile but it is a joke. It's missing all the actually interesting crypto capabilities, to put this short. As a consequence the official Intune App for Linux is not a target of interest to anyone.

We do need "Edge" functionality though to communicate with local services, and Siemens has implemented that in https://github.com/siemens/linux-entra-sso (Firefox ok'ish, Chrome early phases). This extension can run both on top of intune-portal (the daemon that comes with the Intune App) and Himmelblau, as it is just the protocols that matter in that integration. "Edge" (or linux-entra-sso) essentially authenticates to a local broker who then talks to MS, and yeah, nothing too surprising here really :-)

Himmelblau addresses the problem of the Linux Client profile essentially by pretending to be Windows, so it's both a software development and a reverse engineering (via analysing packet captures) project. Microsoft does not try to purposely shut it down but hasn't wanted to endorse it so far either, i.e. they are doing just what they always do. :-)

As a software project there are two flavours of daemon: one for OAuth with MS-OAPX extensions doing authentication, and another doing Kerberos renewal and answering queries coming from the cloud (e.g. machine state related queries).

I've been reading and experimenting for about a month or something like that (heard first about the project in May), and done a modest PR (fixing the systemd unit for Debian). I wrote the above from memory just to check what I can still remember from it after coming back from holidays, so keep that in mind, but I guess this should give some starting points at least :-)
@mjg59 right, for what it's worth Himmelblau itself is implemented in Rust, which is probably a good choice to move forward

@mjg59 I wonder why there is so little noise about Intune. I started to look for projects that might integrate with it immediately when I first heard about it last spring. Microsoft is totally owning the game right now as they just do whatever they want without much of any real debate, and with the weight of Azure they end up defining what machine authentication is for the industry at large, single-handedly.

@jarkko @mjg59 agreed on Intune for Linux, it's mostly a joke, for now. It has a core written in Rust too, but seems like the Linux version is an afterthought.

@Aissen @mjg59 Yes, and this is the takeaway from my mumbling: Himmelblau is writing a "Windows client" :-)

Looking forward to contributing to this project (they are using tpmrm0 behind the curtains, so in that way I've already started early :-) ) and I encourage others to do so too. This is actually important.

@Aissen @mjg59 And from the Linux Client profile the most important takeaway is that it is obviously made a joke on purpose. And most likely MS has no plans for legal action against Himmelblau. They just want to keep the decisive power over when to stamp it. It's a Samba-like situation ...

@Aissen @mjg59 And when reaching bigger user volumes Microsoft will need better cross-platform support too, as there's a bunch of non-Windows commercial uses for Linux (and other OSes) that are not mobile phones, microwave ovens or server racks. E.g., mainframes would need better Intune support as their ecosystem grows. This makes Himmelblau a realistic project in its goals in terms of the risk/gain factor. It will likely succeed if it is just implemented properly.