• 2 Posts
  • 23 Comments
Joined 1 year ago
Cake day: July 1st, 2023





  • Look, it’s such an exhausting night, and I really do believe that you want to see a better world. I do too.

    I’m just so shattered that we’re looking at four years of chipping away at the rights of women, LGBT, and transgender people. Four years of degrading all the checks and balances against the president. Four years of political retaliations going unchecked. Four years of aggressive anti-climate policy, inhumane border policy, and pandering to a Russia (and now North Korea!) that is also slaughtering innocents in Ukraine. Four years of Middle East policy that is at least as bad as Biden/Harris’s, but likely far worse. And four years of slamming our economy with tariffs to “own the Chinese” I guess.

    A vote for Harris was a vote to make things better. Not everything. Good lord she wasn’t the answer to so many major issues facing the US and the world. But it was an objectively better vote, by every metric, than a vote for Trump, or a no-vote. I just can’t argue any more on that.












  • 100% monitoring and control doesn’t exist. Your children will find a loophole to access unrestricted internet, it’s what they do.

    Similarly, children will play in the street sometimes despite their parents’ best efforts to keep them in. (And yes, I would penalize Ford for building the trucks that have exploded in size and are more likely to kill children, but that’s a separate discussion.)

    I get what you’re saying, I just think it’s wrong to say “parental responsibility” and dust off your hands like you solved the problem. A parent cannot exert their influence 24/7, they cannot be protecting their child 24/7. And that means that we need to rely on society to establish safer norms, safer streets, etc, so that there’s a “soft landing” when kids inevitably rebel, or when the parent is in the shower for 15 minutes.







  • The reason is simple: in order to be a signed piece of secure boot software, the kernel needs to do everything possible to prevent unsigned code from running at the kernel’s privilege level, or risk its signing key getting revoked by Microsoft.

    I assume your kernel is from Fedora and is signed. If your kernel, once loaded, allowed the loading of unsigned kernel modules, then any attacker could use it as part of an exploit that allows them to break secure boot. They would simply include a copy of the Fedora kernel, and then write a custom kernel module which takes control of the machine and continues their attack. The resulting exploit could be used on any system to bypass and defeat secure boot. In essence, secure boot is only as secure as the weakest signed implementation out there.

    So, Linux distributors need to demonstrate to Microsoft that they don’t allow unsigned kernel code execution. Linux contains a feature called lockdown, which implements this idea. In order to be effective, lockdown must be automatically enabled by the kernel if secure boot is enabled. Interestingly, Linus flat out refuses to include the code to do that; I guess he disagrees with it. So a little-discussed reality of secure boot is that all Linux kernels which are signed have this extra patch included in order to enable lockdown during secure boot.

    And that is why you can’t load an unsigned module when secure boot is enabled.
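
An added example, not part of the comment above and not code from any distribution: a POSIX shell check of the state the comment describes, reading the kernel's lockdown file, the module `sig_enforce` parameter and the `SecureBoot` EFI variable. The function names are hypothetical; the default paths are the standard securityfs, sysfs and efivarfs locations, passed as parameters so the logic can be run on constructed files.

```shell
#!/bin/sh
# Added example: will this running kernel refuse an unsigned module?

# Active lockdown mode = the bracketed word, e.g. "none [integrity] confidentiality".
lockdown_mode() {
    f=${1:-/sys/kernel/security/lockdown}
    [ -r "$f" ] || { echo unavailable; return 0; }
    mode=$(sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$f")
    echo "${mode:-unknown}"
}

# efivarfs layout: 4 attribute bytes, then one data byte (1 = Secure Boot on).
secure_boot_state() {
    f=${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}
    [ -r "$f" ] || { echo unknown; return 0; }
    case $(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n') in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Unsigned modules are refused when lockdown is active (integrity or
# confidentiality) or when module signature enforcement is switched on.
unsigned_module_policy() {
    mode=$(lockdown_mode "$1")
    enforce=$(cat "${2:-/sys/module/module/parameters/sig_enforce}" 2>/dev/null || true)
    if [ "$mode" = integrity ] || [ "$mode" = confidentiality ] || [ "$enforce" = Y ]; then
        echo rejected
    elif [ "$mode" = none ] || [ "$enforce" = N ]; then
        echo allowed
    else
        echo unknown    # neither file readable: no basis for a verdict
    fi
}

echo "secure boot:      $(secure_boot_state)"
echo "lockdown mode:    $(lockdown_mode)"
echo "unsigned modules: $(unsigned_module_policy)"
```

On a signed distribution kernel booted with secure boot, the expected combination is `enabled`, `integrity` (or `confidentiality`) and `rejected`; secure boot `enabled` with lockdown `none` is the mismatch worth investigating.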