this post was submitted on 21 Feb 2026
144 points (96.8% liked)

Technology

81653 readers
4091 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
144
The creator of systemd wants to bring SecureBoot-enforced hardware attestation to Linux (0pointer.net)
submitted 23 hours ago* (last edited 23 hours ago) by namingthingsiseasy@programming.dev to c/technology@lemmy.world
79 comments fedilink hide all child comments
 

The creator of systemd (Lennart Poettering) has recently created a new company dedicated to bringing hardware attestation to open source software.

What might this entail? A previous blog post could provide some clues:

So, let's see how I would build a desktop OS. The trust chain matters, from the boot loader all the way to the apps. This means all code that is run must be cryptographically validated before it is run. This is in fact where big distributions currently fail pretty badly. This is a fault of current Linux distributions though, not of SecureBoot in general.

If this technology is successful, the end result could be that we would see our Linux laptops one day being as locked down as an Iphone or Android device.

There are lots of others who are equally concerned about this possibility: https://news.ycombinator.com/item?id=46784572

you are viewing a single comment's thread
view the rest of the comments
[–] baronvonj@piefed.social 50 points 23 hours ago (2 children)

Because if there's one thing Linux users think about their systems .. it's "hey why does this thing let me do what I want?"

[–] breezeblock@lemmy.ca 48 points 23 hours ago

There’s a universe of difference between changes you intended to make in your system, and changes you didn’t intend because a state actor attacked you based on your social media criticism.

Unlike with closed source software, you can always decide you don’t want your software to be secure.

What you should be worried about is not software but hardware.

[–] just_another_person@lemmy.world 10 points 23 hours ago (1 children)

Uhhhh...wha?

This would be a big deal for hardware manufacturers or product manufacturers in securing their devices. Only a tiny, tiny fraction of Linux users are just desktop jockeys.

[–] baronvonj@piefed.social 19 points 23 hours ago (2 children)

I was referring to this

If this technology is successful, the end result could be that we would see our Linux laptops one day being as locked down as an Iphone or Android device.

[–] FauxLiving@lemmy.world 4 points 21 hours ago (1 children)

What if the thing that you want is to have SecureBoot-enforced hardware attestation?

[–] baronvonj@piefed.social -2 points 21 hours ago (1 children)

What if it was just an off the cuff joke?

[–] FauxLiving@lemmy.world 10 points 21 hours ago

This is too many dependent probabilities

[–] just_another_person@lemmy.world -4 points 22 hours ago (2 children)

That would be beneficial to users as well. I'm not understanding the downside here.

[–] deltaspawn0040@lemmy.zip 6 points 22 hours ago (1 children)

Only being able to install "allowed" apps is not great for freedom.

[–] just_another_person@lemmy.world -3 points 20 hours ago (1 children)

Not even how that works FFS. You're not the target audience here.

Y'all really need to start reading more about things before jumping to ridiculously uninformed conclusions and making comments. My gosh.

[–] deltaspawn0040@lemmy.zip 0 points 20 hours ago (1 children)

Hey you fucking idiot, iPhones need to be jailbroken for that and Android is about to be locked down so developers will need to identify themselves to Google.

Get your condescending ass out of my face. I'm not in the damn mood for a random fucking stranger to tell me I'm an idiot for commenting on someone else's speculation. This is a lot meaner than I normally am, but I happen to be grumpy right now and you don't matter to me at all, so I will continue on to say: Fuck your unhelpful ass.

[–] just_another_person@lemmy.world -2 points 20 hours ago (1 children)

Seems like more of a "you" problem for not understanding the problem or solutions being discussed. Seems like maybe you probably just shouldn't have commented at all, huh?

[–] baronvonj@piefed.social 5 points 22 hours ago (1 children)

I guess you're not thinking of "locked down" in terms of independent developers finding the iOS and Android "play by our rules and be distributed thru our app store or we'll make it hard for users to run your software" to be a barrier to distribution.

[–] just_another_person@lemmy.world -2 points 20 hours ago (1 children)

Bruh...that's not even the point of the company or what he's talking about. You're being paranoid, first off.

Second, you want secure devices? You can't have that right now with Linux very easily. There is no chain of trust coming from the hardware aside from TPM, which is kind of a joke. This guy wants to make a standard way of certifying a chain of trust which would allow an ecosystem of devices to maintain some semblance of trust amongst itself and other devices. This would make things like networks, edge devices, forward deployed hardware, and running sensitive data in less than secure locations more secure.

Last, if you're going to be paranoid, at least educate yourself on the subject. Not a single person who is even vaguely familiar with what this entails is thinking "Oh they're going to lock all our devices rawrawrawr". That's just ridiculous. That could happen now, but...you seeing that out in the components world anywhere? Absolutely not. Because it's no desirable, and that's NOT WHAT HES EVEN TALKING ABOUT.

🤦

[–] Brummbaer@pawb.social 7 points 19 hours ago (1 children)

Sorry but this whole thing is just snake-oil.

You can verify and sign your whole trust chain down to the last shared library and it doesn't matter when you don't know what the binary blobs on your TPM / CPU / BIOS / NIC are doing.

The only guarantee to a secure system is openness an all of that signing won't help you there.

[–] just_another_person@lemmy.world 2 points 15 hours ago (1 children)

Right, so because of your limited knowledge and understanding of what the actual needs of an entire industry are, it's all snake oil. Cool.

Meanwhile I'd just love a way to box up a custom machine, use something what he's building, ship it to site, and have it run without issue and have some piece of mind a competitor didn't try to gank the data over USB, or bypass the identity of the motherboard that SHOULD have boot blocks in place, or maybe someone just rips the SSD right out of it and tries to boot it elsewhere.

Fuck the rest of ALL that and the practical needs of security experts and system builders because YOU are worried that it somehow magically it's used for all kinds of other nefarious things.

Cool. Cool.

[–] tomalley8342@lemmy.world 0 points 6 hours ago (1 children)

Yes, that's correct, the last 5 years should have made clear to anybody that the "actual needs of an entire industry" and the needs of the people are diametrically opposed.

[–] just_another_person@lemmy.world 0 points 4 hours ago (1 children)

Again, no it here complaining even read the damn article, and has no idea what their up in arms about.

I hope you're so committed to this anger that you're destroying your motherboard RIGHT NOW 🤣

[–] tomalley8342@lemmy.world 0 points 4 hours ago (1 children)

better than reading the damn article, here are the weasily corporate words directly from mr daan the founder 🤣

So adding all of this technology will certainly make it more easy to be used for either good or bad. And it will certainly become possible to build an OS that will be less hackable than your run of the mill Linux distro.

[–] just_another_person@lemmy.world 1 points 4 hours ago* (last edited 4 hours ago) (1 children)

First, yes, he's correct in talking about the SOFTWARE side of that, so if your anger is with this dude, you better just outlaw software, because anyone can choose to NOT do these things. That's the entire point of open source. Make stupid decisions, and you have zero following.

Second, let me finish his thought for you:

But we will never enforce using any of these features in systemd itself. It will always be up to the distro to enable and configure the system to become an immutable monolith. And I certainly don't think distributions like Fedora or Debian will ever go in that direction.

We don't really have any control over what Microsoft decides to do with Secure Boot. If they decide at one point to make Secure Boot reject any Linux distribution and hardware vendors prevent enrolling user owned keys, we're in just as much trouble as everyone else running Linux will be.

He's very CLEARLY illustrating his intent to prevent the very thing you're shitting your pants about. You're literally inventing a scenario you've thought of yourself, and getting upset about it.

I bet you're super fun to be around.

[–] tomalley8342@lemmy.world 2 points 4 hours ago (1 children)

He’s very CLEARLY illustrating his intent to prevent the very thing you’re shutting your pants about

It will always be up to the distro

We don’t really have any control over what Microsoft decides to do

where is the prevention brother?

[–] just_another_person@lemmy.world 0 points 4 hours ago (1 children)

Uhhhh...it's open. Didn't know anyone needed precautionary blocks in place or permission.

What in the actual hell is happening in here. Who made you so fearful of everyone? Did somebody hurt you? WHO DID IT???

[–] tomalley8342@lemmy.world 2 points 3 hours ago (1 children)

We know from systemd that these people are willing to use corporate resources to snuff out grassroots alternatives to grow their market share, and we know from the sorry state of boot chains on basically every device that isn't x86 UEFI that corporations are salivating at the idea of implementing trusted computing at the expense of user freedoms, and we know know from the above quotes that the best assurance the founders of this companies have is "we just provide the tools, it's up to the corporations to decide how to use it, teehee!" The only mystery here is people like you here who see all this and think "surely things will go different this time. these are good boys".

[–] just_another_person@lemmy.world -1 points 2 hours ago (1 children)
  1. How is systemd somehow taking away freedoms at the behest of corporations who asked such a thing?
  2. UEFI is an open standard, buddy. Microsoft is the only player fucking that up
  3. "Trusted Computing" has existed in the very hardware you own and run for almost 30 years now. Literally nobody but cellphone makers use it in the way you describe. Seems you're still using it though, so nobody seems to have made the apocalyptic decisions that bring your fearful future to bear.
  4. A "Trusted Computing" framework - and this is how I know you don't understand any of this - is only present. It takes software to interact with it to "take your freedoms away" as you put it. It's just sitting there otherwise. Nobody even needs to interact with it. You're so out of touch with this that you're angry at the wrong side of it, and you don't even know it.
  5. "...we just provide the tools..". MY GOD. Where do I even start with this? I can name about a hundred different FOSS tools that break encryption. You mad at the people who made the FOSS encryption tools, or the ones who the FOSS tools to decrypt it?
  6. The only people who want this are people make and produce hardware platforms that ship out into the world so they can ensure they are T2B secure. It seems you don't know much about security, so I'll let you in a little secret...(If it claims to be secure, it means there are hardware controls in place)
[–] tomalley8342@lemmy.world 1 points 2 hours ago (1 children)

How is systemd somehow taking away freedoms at the behest of corporations who asked such a thing?

RedHat putting their thumb on the scale providing full time engineers on this project to gain market share and become the defacto standard that they control doesn't sound like a problem? How do you feel about what chromium is doing to the web?

UEFI is an open standard, buddy. Microsoft is the only player fucking that up

Microsoft is the only player "fucking that up" right. And the other corporations have some sort of god-given goodness to them that make it impossible for them to follow suit?

“Trusted Computing” has existed in the very hardware you own and run for almost 30 years now. Literally nobody but cellphone makers use it in the way you describe. Seems you’re still using it though, so nobody seems to have made the apocalyptic decisions that bring your fearful future to bear.

Nobody but (half of the entire consumer device market) use it in the way described, and this company comes in offering tools to do the same thing to the other half, and you don't see the problem?

A “Trusted Computing” framework - and this is how I know you don’t understand any of this - is only present. It takes software to interact with it to “take your freedoms away” as you put it.

Software that these people are developing.

“…we just provide the tools…”. MY GOD. Where do I even start with this? I can name about a hundred different FOSS tools that break encryption. You mad at the people who made the FOSS encryption tools, or the ones who the FOSS tools to decrypt it?

I'm wary of the people that provide turn key solutions to deploy it at scale

The only people who want this are people make and produce hardware platforms that ship out into the world so they can ensure they are T2B secure. It seems you don’t know much about security, so I’ll let you in a little secret…(If it claims to be secure, it means there are hardware controls in place)

And if the user (that's what we call the person who owns the device, if you don't know much about these things) doesn't want it?

[–] just_another_person@lemmy.world 0 points 2 hours ago (1 children)

How do you address mail to your bunker? Is there e like...a sublevel addition or something?

[–] tomalley8342@lemmy.world 0 points 2 hours ago (1 children)

I unfortunately accept the reality of our corporate dominated technology landscape, I'm just confused about your downright enthusiasm for the same.

[–] just_another_person@lemmy.world 0 points 2 hours ago (1 children)

🤣

There's zero corporate about it. You're actually in denial and possibly crazy. My God.

[–] tomalley8342@lemmy.world 1 points 2 hours ago (1 children)

This entire announcement is literally about an creation of a for-profit company to deliver hardware attestation in linux as a product 🤣

[–] just_another_person@lemmy.world 1 points 1 hour ago (1 children)

Again...read what the guy is saying. You can't do something like this without BOTH the OSS community AND a company to back it up. It's just not possible for legal reasons, financial reasons, and so on. The aim is to replace the existing bullshit Microsoft created, and make an open standard that is backed by a presence that keeps it there. Not something you can just fund and keep moving in a git repo alone.

[–] tomalley8342@lemmy.world 1 points 1 hour ago

Why are you telling me "It can't be done without corporate involvement" like it's some kind of persuasive point 😭