| 3 Oct 2024 |
 ElvishJerricco | other than SBAT by default, what would you change? | 21:02:38 |
 raitobezarius | well | 21:02:45 |
| raitobezarius | secureboot 2.0 is already a thing | 21:02:48 |
| ElvishJerricco | oh? | 21:02:53 |
| ElvishJerricco | didn't know that | 21:02:55 |
| raitobezarius | ~6 months ago, there was a presentation / discussions among the secureboot folks | 21:03:06 |
| ElvishJerricco | is there a link? | 21:03:14 |
| raitobezarius | i think they want to fix things like the fact that's it very non-democratic / non user owned | 21:03:16 |
| raitobezarius | In reply to @elvishjerricco:matrix.org
is there a link? not that i'm aware of | 21:03:29 |
| raitobezarius | probably if you infiltrate the UEFI forum | 21:03:37 |
| raitobezarius | you can find the informations | 21:03:39 |
| ElvishJerricco | heh bummer | 21:03:50 |
| raitobezarius | classical :) | 21:03:57 |
 emily | any chance of per-OS keys/security levels like Apple Silicon has? | 21:13:21 |
| ElvishJerricco | TPM | 21:13:55 |
| ElvishJerricco | just bind keys and stuff to measurements for your OS | 21:14:15 |
| emily | that's not quite the same, but sure | 21:14:32 |
| ElvishJerricco | what's different? | 21:14:40 |
| emily | you can't have, say, one OS partition where you can boot unsigned arbitrary kernels for development but another where you have strict requirements. admittedly segregating secrets is most of why it makes sense to do this on Apple Silicon, but you can segregate secrets and still want to enforce certain OS signing keys per-OS | 21:18:02 |
| emily | (or else why do Secure Boot at all? just rely on the measurements) | 21:18:08 |
 K900 | You can do that with secure boot? | 21:18:38 |
| ElvishJerricco | isn't that essentially just having one signed OS that doesn't check signatures of following boot components and one that does? | 21:19:00 |
| ElvishJerricco | IIRC macs do this by enrolling what is essentially a MOK for your custom OS | 21:19:55 |
| ElvishJerricco | (look at that, Apple has MOK built in, unlike UEFI :P) | 21:20:38 |
| emily | In reply to @elvishjerricco:matrix.org
isn't that essentially just having one signed OS that doesn't check signatures of following boot components and one that does? I guess this is true in the same sense that Secure Boot is the same as a facility to store one trusted hash of a bootloader that handles chain-loading and enforcing any other security policy | 21:21:54 |
| emily | i.e., in terms of raw capabilities, sure I guess, but in terms of the UX and what's reasonable to set up not really | 21:22:09 |
| emily | admittedly the less integration with your secure element you have the less sense a lot of the Apple Silicon boot design makes | 21:22:36 |
| ElvishJerricco | I dunno, apple's mechanism for letting you boot your own OS really does just seem like first party MOK to me | 21:23:26 |
| raitobezarius | In reply to @emilazy:matrix.org
any chance of per-OS keys/security levels like Apple Silicon has? i know there's a lot of activity on the concept of multiboot | 21:23:54 |
| ElvishJerricco | like even in terms of UX, I can just boot into the MOK manager thingy and say "please allow my other OS now please", which is basically what you do with apple | 21:23:58 |
