Oh, well, if it requires a password that is pretty much solved. The original commentor made it seem a lot less hands on.
I was under the impression that the shim let OS's boot all the way up, and that it was just a standard part of the boot process, I was suggesting instead that the signed binary only let's you add a new key, which you can then use to boot without the shim.
Doesnt help when the key expires though.
Thanks for the additional info, greatly appreciated.
Having read up a bit more on mokutil, seems that it doesnt enroll the key by itself, but gets the uefi firmware to prompt the user to add the key at next boot. Which in theory gets around the malware risk, although given how many people auto-click accept, maybe not.
The other way keys could be securely installed would be for the distros to produce a uefi "addmykey" binary, with their keys baked in to the binary. They then get that signed by the MS key, which would allow that image to boot and setup the key without ever disabling secureboot. You wouldnt need to have a trusted PC either, as if the binary was tampered, it wouldn't boot.
100% agree on the risk profile though, far too many people think they are more important than they really are. Realistically, most of us aren't worth the effort to individually break into our computers.
I personally dont think MS did it out of maliciousness, more indifference. They wanted the security benefits, and didn't care what it cost others. But we'll likely never know what their true intent was.
~~I dont know how the bazzite script does it, but any tool that can be executed from userspace that could add keys could just as easily be abused by malware to add their own signing keys, which completely defeats the purpose.~~ Edit: see princessnorah's comments below for more details, but it is a lot more hands on, which prevents malware abusing it.
In an ideal world, Redhat, Canonical, Suse etc could have gotten their verification keys built into every motherboard, but that still cuts out the Arch/Gentoo/flavour-of-the-month crowd. And also increases the risk that a signing key gets leaked and abused by malware.
Its just not an easy problem to solve.
That should exactly fix the problem.
The real issue is that by default, if secure boot is enabled, you won't be able to boot up into bazzite or whatever in order to run that command.
So the user experience will be worse now, because instead of just installing and running, Linux users have to disable secure boot, boot and install their distro, run that enroll command, and then reenable secureboot. And lots of people are going to give up at step 1, and leave secureboot off.
At a minimum, would be nice if the speed got limited to 10mph or something, so you can drive it off the road safely.
My mate had the same issue with his car keys. On the roof, he shut the boot, it slid down and jammed between the boot and the window.
Unfortunately, he didn't have keyless go, and couldn't open the car either, so we were quite stuck. Ended up using a coat hanger to pull it out luckily.
Yes, but not always.
I was messing around in the garage, and put my phone down in the little gap below the windscreen wipers on my car. I forgot it there, hopped in the car, it paired, and away I went. Fortunately I habitually check my pockets, and I noticed it about 3 kms down the road, and before I got on the freeway.
More or less yes, but getting it dry will take longer.
Soaking the stain in water asap (before it dries) will go a long way.
Haven't used USB for this in years, USB flash drives just aren't reliable.
Maybe worth trying a USB SSD, it might give you much better performance and reliability.
This would probably gather more attention if they dropped the pointless X11 qualifier. It works on Wayland, so really, its just a cool desktop widget
Squid proxy, replace all images on those domains with penis enlarging ads. He can then read whatever he likes, but he has to put up with that.
I have this very weird glitch with Gnome, running on Xorg. I can move my mouse off the right hand edge of the screen, and the entire gnome UI starts to scroll over the the left, giving me a glitchy mess on the right hand side of the screen. The screenshot doesn't really do it justice, because it just became transparent instead, but the transparent region where the terminal is should be off screen.
Hope I have explained that well, has anyone else hit that? I wonder if its due to multiple monitors, or non-aligned monitors?
Santa Clarita Diet :(