this post was submitted on 21 Feb 2026
192 points (97.1% liked)

The creator of systemd (Lennart Poettering) has recently created a new company dedicated to bringing hardware attestation to open source software.

What might this entail? A previous blog post could provide some clues:

So, let's see how I would build a desktop OS. The trust chain matters, from the boot loader all the way to the apps. This means all code that is run must be cryptographically validated before it is run. This is in fact where big distributions currently fail pretty badly. This is a fault of current Linux distributions though, not of SecureBoot in general.

If this technology is successful, the end result could be that we would see our Linux laptops one day being as locked down as an iPhone or Android device.

There are lots of others who are equally concerned about this possibility: https://news.ycombinator.com/item?id=46784572

[–] thatradomguy@lemmy.world 19 points 6 days ago* (last edited 6 days ago)

An alternative to secureboot that isn't secureboot but behaves like it. Wonderful 🙄

Another Poettering "masterpiece" ready to be gobbled up by his fanbase who will flock towards the new and shiny toy that forgoes the things that actually work fine or aren't solving an actual problem with 99% of whatever it's used by. Great 🙄 🙄 🙄

EDIT:

No doubt this will be his opportunity to force everyone off grub and use systemd as the bootloader across major distros. As valid as it may be to succeed grub, surely systemd is not the answer to this.

[–] corsicanguppy@lemmy.ca 12 points 6 days ago (1 children)

Fuck no. He's fucking done enough.

I say that as a long-time Linux user, a developer and a security researcher. He's set us back a decade with his metastatic cancer.

[–] maplesaga@lemmy.world 10 points 6 days ago* (last edited 6 days ago)

Explain like I'm five?

I'd love to be as angry as you are.

Oh wow. I thought I couldn't despise that piece of shit any more than I already did. Fuck you, Lennart Poettering, may you burn in some fiery place in the afterlife you useless corporate lickspittle.

[–] RVGamer06@sh.itjust.works 13 points 6 days ago (1 children)

Can't wait to not be able to VR game with my Nvidia GPU on Linux cuz they can't be arsed to properly sign their damn proprietary drivers.

[–] jj4211@lemmy.world 4 points 6 days ago

Nvidia can't meaningfully sign their Linux drivers. A distribution can, in theory, include Nvidia drivers in their build and sign it, but the logistics of out of tree drivers is just impossible.

Red Hat toys with the concept of a whitelisted ABI for some limited range of kernels, but I've never seen a driver actually roll with that.

Basically Linux would need to embrace some form of ABI, and there's been zero interest in doing so.

[–] HubertManne@piefed.social 6 points 6 days ago

I'm fine with anything that is GPL as long as it's through the whole stack starting at hardware.

[–] Lumisal@lemmy.world 5 points 6 days ago

Why not just expand on Libreboot instead?

[–] baronvonj@piefed.social 69 points 1 week ago (31 children)

Because if there's one thing Linux users think about their systems .. it's "hey why does this thing let me do what I want?"

[–] breezeblock@lemmy.ca 60 points 1 week ago

There’s a universe of difference between changes you intended to make in your system, and changes you didn’t intend because a state actor attacked you based on your social media criticism.

Unlike with closed source software, you can always decide you don’t want your software to be secure.

What you should be worried about is not software but hardware.

[–] Brummbaer@pawb.social 65 points 1 week ago (1 children)

I don't trust Microsoft, why should I start trusting IBM/Canonical or Poettering now?

If the possibility is there they will happily lock you out of your own hardware.

[–] cmnybo@discuss.tchncs.de 59 points 1 week ago (7 children)

Secureboot is worthless if the Microsoft keys are still enabled. It should only allow code that you sign yourself to boot.

[–] tabular@lemmy.world 48 points 1 week ago (9 children)

Who decides what SecureBoot considers trustworthy? If SecureBoot is controlled by someone else then it can be used against the user. The aversion to SecureBoot is justified.

[–] arcine@jlai.lu 48 points 1 week ago (10 children)

The option of having a full auth trust chain would be nice for some security applications, but the implication that it could be made compulsory is terrifying.

[–] corsicanguppy@lemmy.ca 7 points 6 days ago (1 children)

It'll start as an option and slide into compulsory later. It's the Systemd way.

[–] arcine@jlai.lu 1 points 4 days ago

I have no idea what life was like before systemd so while I like it I have no way to compare

[–] Azzu@lemmy.dbzer0.com 4 points 6 days ago (1 children)

You can already secure boot if you want. But like always, you gotta set it up yourself in a complicated manner :D

[–] arcine@jlai.lu 1 points 4 days ago

Of course I use SecureBoot, if you know how to set it up it has no inconveniences! But that doesn't go all the way up to the apps!

[–] jollyrogue@lemmy.ml 40 points 1 week ago (1 children)

This is needed. Servers need it, and it would be a nice feature to enable for personal systems. We would need to be able to build our own images with our own keys to really make this worthwhile. Especially with programs in my bin dir I’ve compiled or downloaded.

Do I trust Lennart to not do something asinine to turn this into a shit show? I do not. This would be better if it was someone who has security experience and system design cred.
