I'm surprised more people aren't freaking out about this. It seems likely a whole lot of Linux machines are going to fail to reboot in the next few months. The problem affects VMs too. I was grateful Proxmox put a little warning in its hypervisor GUI with a button to press to fix the BIOS of its VMs.
Secure Boot has been deeply broken for years, not providing meaningful security on most consumer machines.
Existing systems are going to continue to boot. The expiry date is enforced for signing new binaries, not for deciding whether an already signed binary is allowed to boot (barring buggy firmware).
Shim, the first stage bootloader on Linux, is designed to be updated infrequently. Distributions embed their own signing certificate in it and have that binary signed by Microsoft. The actual bootloader (typically either grub or systemd-boot) is then signed with the distribution certificate, as is the kernel. Distributions get to set their own policy around how long that certificate lasts for, it's entirely unrelated to the Microsoft certificate expiry.
No, distros uses a shim binary that is less likely to need updates. If that shim needs an update (only signed with the new key) then we get into a situation where old machines will fail to boot it.
I don't have any numbers to prove it, but I'd say the reason Linux users aren't freaking out is because the vast majority of them would've have disabled Secure Boot. In fact, many guides and videos from popular Youtubers[1] explicitly state to disable Secure Boot.
As for VMs, whilst the problem indeed affects them too, the reality is that most hypervisors - even commercial ones - don't actually enable Secure Boot by default, you'd have to go really out of your way to enable it for a VM.
My very recent story with libvirt and secureboot resulted in blanket disabling of secureboot as part of the preparation for creation of VMs.
The reason: the VM refuses to boot when provided with an ISO (via virtual CDROM) with a meaningless error (permission denied: go figure out what permission and why was it denied and by whom).
Secureboot is meaningless / useless for most people running VMs, be it on own or rented hardware. It takes some pain and extra work to get it to work sometimes, and a huge amount of work to get it to work always. I doubt anyone was dedicated enough to get it to work always. So, I believe you are right. This is extremely unlikely to be a problem for anyone running Linux VMs, and the more VMs they need to run, the less likely it is a problem.
Why has it been broken? I’m running secure boot on all my machines with my own certs. It works fine.
Whatever ms and hp / Lenovo do with their certs doesn’t affect me, since I only have my certs installed. Except on a single machine whose purpose is running windows, but it’s not on the critical path for my job.
I love stuff like this. But if it's serious as a thing you might use, would be nice to see some example programs and evaluation of how well they work. Also a test suite.
And the just released “Palaces of The Crow” by Ray Nayler. I just finished it — really moving but also a brutal read in parts (c.f. because of what humans will do to each other not crows)
> In Ray Nayler's speculative novel of the recent past, four young teens caught between Nazis and the Red Army survive winter in the woods with the help of a flock of highly intelligent crows with a magnificent secret of their own to protect Neriya, a young Jewish girl who dreams of becoming a biologist, has befriended a local flock of crows in her shtetl.
We once deleted the lost+found folder on an old Unix system* by accident. Things went very badly the next time the system rebooted, fsck did not handle it at all well.
Is Start9 a well known company? The page by itself seems indistinguishable from a scam, but maybe they have a reputation that justifies their asking for $250,000?
I like TopoJSON and have used it in projects. But it's weird to set it up as opposition to GeoJSON. It's a complement. GeoJSON is a general data format meant to replace uses of ESRI Shapefiles and other complex formats. TopoJSON is more of a solution for a particular application need.
Is there much work developing or using TopoJSON these days? I haven't seen much about it in a few years.
To be clear, I'm not suggesting TopoJSON as an alternative to GeoJSON. I like GeoJSON and was loosely involved with the working group that created and updated its spec.
I'm just saying that for the specific task I mentioned GeoJSON or any format such as shapefiles that store polygons individually naturally leads to the "sliver" problem.
A nice processing pipeline is:
1. Convert GeoJSON to TopoJSON.
2. Run the simplification on the TopoJSON.
3. Convert the resulting TopoJSON back to GeoJSON.
The TopoJSON GitHub has tools for each of these steps.
Not sure if it's using the same thing this MacOS thing is doing. In the link the author explains that the cable e-Marker contains a "Discover Identity" message that you can read and display in ChromeOS. Most ordinary Windows hardware can't read it because of BIOS limitations, but Chromebooks can. I'm guessing Macs can too.
Secure Boot has been deeply broken for years, not providing meaningful security on most consumer machines.
reply