If I were to hold a #SecureBoot talk in the #Distributions devroom at #FOSDEM, what would you like to know?
@Foxboron how easy is it to get access to a secure boot signing key, given infinite money (state actors and criminals)?
@portaloffreedom
This is probably not going to deal with questions like that. 20-25 minutes and should mostly be community/distro relevant.
@Foxboron a simpler question: a comparison between secure boot and a password-encrypted drive. They seem to solve a similar problem, what are the advantages and disadvantages?
@portaloffreedom
Those sorts of answers/questions would be more fitting for the security devroom. The point of secure boot for Linux distros is twofold.
1. Introduce a security barrier into your boot chain.
2. Ensure it's easier to onboard mom and pop onto Linux.
It's both a security measure *and* a usability measure.
@Foxboron
1. History of
2. What it's good for (the why)
3. Where it fails (limitations)
4. How would you design a replacement if you had a magic wand?
@achilleas
I'm probably not clever enough to answer 4 :p
@x_cli
Yes.
If you want your parents to install Linux, you don't want to explain to them how to get into BIOS to disable secure boot.
@x_cli
Sure, but that's just an implementation detail.
You would still need to deal with Secure Boot, shim, signing, coordinated disclosure and improvements to the process that is being collaborated on with Microsoft.
@x_cli You have to trust the firmware to update the PCR values in the TPM correctly in both cases so trusting it to validate the signature of UKIs isn't that much more.