Techrights

You Cannot Patch/Secure/Protect Your GNU/Linux System Because Microsoft Blocks the Patching Via 'Secure' Boot

Posted by Roy Schestowitz on Oct 21, 2023


Reprinted with permission from Ryan Farmer.

Microsoft Security Theater Boot Forces Unnecessary Steps to Mitigate GNU C Library Vulnerability.

According to Red Hat, Microsoft “Secure Boot” can actually stop you from installing the mitigation Red Hat released for a severe glibc CVE called “Looney Tunables” (CVE-2023-4911), a SystemTap-based workaround meant for those who can’t patch glibc for some reason.


If you just try to load the SystemTap module without screwing around with “Security Theater Boot”, your computer will fail to boot with a “security policy violation” message from your UEFI firmware.

Irony!!!!!

Here’s the original. Also, Archive Today in case IBM tries to remove this later.

If Secure Boot is enabled on a system, the SystemTap module must be signed. An external compiling server can be used to sign the generated kernel module with a key enrolled into the kernel’s keyring, or, starting with SystemTap 4.7, you can sign a module without a compile server. See further information here: https://www.redhat.com/sysadmin/secure-boot-systemtap
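The procedure the Red Hat note describes (build the SystemTap module, sign it with a key enrolled in the kernel’s keyring, then load it), as an added shell example that is not code from the Techrights post, from Ryan Farmer or from Red Hat. It assumes mokutil, openssl, stap/staprun and the kernel’s scripts/sign-file under /lib/modules/$(uname -r)/build are installed; the Secure Boot and lockdown strings fed to the check below are constructed samples, and sign_stap_module needs root plus a reboot to enrol the key, so it is defined here but only the offline checks are run.

```shell
#!/bin/sh
# Added example: decide whether a SystemTap-built mitigation module will be
# rejected as unsigned, and confirm a module really carries a signature
# before rebooting or loading it.

# Inputs are the output of `mokutil --sb-state` and the contents of
# /sys/kernel/security/lockdown. Prints "yes" when unsigned modules will
# be refused, "no" otherwise.
sb_needs_signing() {
    sb_state="$1"     # e.g. "SecureBoot enabled"
    lockdown="$2"     # e.g. "none [integrity] confidentiality"
    case "$sb_state" in
        *enabled*) echo yes; return 0 ;;
    esac
    # Lockdown can also be forced on the kernel command line without Secure Boot.
    case "$lockdown" in
        *"[integrity]"*|*"[confidentiality]"*) echo yes; return 0 ;;
    esac
    echo no
}

# sign-file appends a trailer ending in the 28-byte marker
# "~Module signature appended~\n"; its absence means the .ko is unsigned.
module_is_signed() {
    ko="$1"
    if [ "$(tail -c 28 "$ko" 2>/dev/null)" = "~Module signature appended~" ]; then
        echo yes
    else
        echo no
    fi
}

# Real procedure (assumed tools; needs root and a reboot to enrol the key).
# $1 = SystemTap script, $2 = module name, $3 = directory holding the MOK pair.
sign_stap_module() {
    stp="$1"; mod="$2"; keydir="$3"
    if [ ! -f "$keydir/MOK.priv" ]; then
        # One-time: create a Machine Owner Key and queue it for enrolment in
        # shim. mokutil asks for a one-off password that MokManager will
        # prompt for on the next boot.
        openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
            -subj "/CN=Local module signing key/" \
            -keyout "$keydir/MOK.priv" -outform DER -out "$keydir/MOK.der"
        mokutil --import "$keydir/MOK.der"
        echo "Reboot, enrol the key in MokManager, then run this again." >&2
        return 1
    fi
    # Build only (-p4) and write <mod>.ko into the current directory (-m).
    stap -p4 -m "$mod" "$stp"
    # Append the signature with the kernel's own sign-file helper.
    "/lib/modules/$(uname -r)/build/scripts/sign-file" sha256 \
        "$keydir/MOK.priv" "$keydir/MOK.der" "$mod.ko"
    [ "$(module_is_signed "$mod.ko")" = yes ] || return 1
    staprun "$mod.ko"
}

# Offline demo on constructed values (replace with the live command output).
sb_needs_signing "SecureBoot enabled" "[none] integrity confidentiality"     # yes
sb_needs_signing "SecureBoot disabled" "[none] integrity confidentiality"    # no
sb_needs_signing "SecureBoot disabled" "none [integrity] confidentiality"    # yes

demo_ko="$(mktemp)"
printf 'stand-in bytes, not a real module' > "$demo_ko"   # constructed file
module_is_signed "$demo_ko"                                # no
printf '~Module signature appended~\n' >> "$demo_ko"
module_is_signed "$demo_ko"                                # yes
rm -f "$demo_ko"
```

The useful defensive point is the last check: sign-file exits quietly even when given the wrong key pair, so verifying the trailer (or `modinfo -F signer "$mod.ko"`) before loading avoids discovering the “security policy violation” only after a reboot.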

Of course, Security Theater Boot continues to provide no advantages, and now it actively makes securing your computer more difficult because it will block the mitigation as an “unsigned module”.

We really don’t need much more evidence that Security Theater Boot and the people who implemented it on Linux are not friends of Free Software (as it is designed to put Microsoft in control of whether your operating system is allowed to load, which can be revoked later, even with a backdoor like Linux Vendor Firmware Service twinking unauthorized modifications to your UEFI dbx into your computer behind your back, unless you uninstall it), but this post should make it more obvious what the score is.


My advice? It continues to be: kill LVFS, disable “Secure Boot” in the firmware, then uninstall mokutil and shim, and update grub.

Then you don’t need anyone’s permission to modify your operating system.

Which is how it should be. █
