[Bradford] systemd the worst

Robert Burrell Donkin robertburrelldonkin at gmail.com
Sun Feb 15 13:57:52 UTC 2015


On Wed, Feb 11, 2015 at 5:04 PM, Darren Menachem Drapkin
<darren.drapkin at ntlworld.com> wrote:
> Here is the link to an article in German about new systemd horrors,
> including the nsa backdoor
>
> http://www.linux-magazin.de/NEWS/FOSDEM-2015-Microsoft-und-die-NSA-rauskicken-Poettering-will-UEFI-in-Systemd
>
> According to my auto-translator this is the page where Poettering seriously
> spills the beans.

Big picture -
1. once the many-core world comes along (probably only 5 years or so
down the line now), chips will ship with dedicated cores for stuff
like IO, BIOS, crypto and security
2. when this happens, most of the stuff running on these specialist
cores will be binary blobs
3. UEFI isn't that scary in itself (and the ability of well-funded
bodies like M$, NSA, GCHQ, China etc. to crack UEFI will make little
difference compared with BIOS-level password cracking right now - and yes, of
course the NSA and M$ should be expected to weaken UEFI, since strong
UEFI means that if the keys are lost, the hardware would be bricked)
4. to secure these binary blobs, systems vendors will ship and secure
these blobs by UEFI and signatures (which is quite scary)

At the risk of being fair to Poettering (and this is something I really
hate to do), my Google translation sounds like he's just trying to get
a Fedora certificate chain in place for this future UEFI many-core
world.

I'm really not a fan of binary boot scripts, and don't really think
that running binary blobs on extra cores is going to really make Linux
any safer (I'd prefer to see scripts running in Ruby, say, which is an
alternative route to avoid binary blobs). On the other hand, it is at
least possible that some countries may insist on "secure boot hardware
only" (very likely China and the Middle East; likely EU, unlikely US), so
I'm glad that someone is starting to work on secure signing key chains
whilst there's time...

Interesting times ahead :-)

Robert
