You Cannot Patch/Secure/Protect Your GNU/Linux System Because Microsoft Blocks the Patching Via 'Secure' Boot
Reprinted with permission from Ryan Farmer.
Microsoft Security Theater Boot Forces Unnecessary Steps to Mitigate GNU C Library Vulnerability.
According to Red Hat, Microsoft “Secure Boot” can actually stop you from installing a mitigation for a Severe CVE called “Looney Tunables” (CVE-2023-4911) in glibc, which Red Hat released for those who can’t patch glibc for some reason.
If you just try to load the systemtap module without screwing around with “Security Theater Boot”, your computer will fail to boot with a “security policy violation” message from your UEFI firmware.
Irony!!!!!
Here’s the original. Also, Archive Today in case IBM tries to remove this later.
If Secure Boot is enabled on a system, the SystemTap module must be signed. An external compiling server can be used to sign the generated kernel module with a key enrolled into the kernel’s keyring or starting with SystemTap 4.7 you can sign a module without a compile server. See further information here – https://www.redhat.com/sysadmin/secure-boot-systemtap
-IBM Red Hat
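The quoted requirement is easy to trip over in practice: the failure only shows up at load time, after the module has already been built. The following pre-flight check is an added example, not code from the original post, from Red Hat, or from the SystemTap project. It answers the two questions the advice above turns on (is Secure Boot enforced, and does the generated `.ko` carry a signature) and separates the parsing from the tool calls so it can be exercised on constructed output without `mokutil` or `modinfo` installed. The `mokutil --sb-state` flag and the `signer:`/`sig_key:` fields in `modinfo` output are real; the sample strings and the `check_module` wrapper are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post, Red Hat, or SystemTap):
# pre-flight check before loading a SystemTap-built kernel module under
# Secure Boot. Parsing is kept separate from tool invocation so the logic
# can be tested offline on captured output.

# Parse the output of `mokutil --sb-state` (real mokutil flag).
# Prints "enabled", "disabled" or "unknown" (e.g. non-EFI host).
parse_sb_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# Parse `modinfo` output. Signed modules carry "signer:" and "sig_key:"
# fields; unsigned ones do not. Prints the signer name or "unsigned".
parse_module_signer() {
    signer=$(printf '%s\n' "$1" | sed -n 's/^signer:[[:space:]]*//p' | head -n 1)
    if [ -n "$signer" ]; then
        printf '%s\n' "$signer"
    else
        echo unsigned
    fi
}

# Returns 0 when loading is not expected to be blocked by signature
# enforcement, 1 when Secure Boot is on and the module is unsigned.
# A present signature is necessary, not sufficient: the kernel also
# requires the signer's key to be in its keyring (e.g. enrolled via MOK).
load_should_succeed() {
    sb_state=$1
    signer=$2
    if [ "$sb_state" = enabled ] && [ "$signer" = unsigned ]; then
        return 1
    fi
    return 0
}

# Live wrapper (constructed for this example): run the real tools if present.
check_module() {
    ko=$1
    if command -v mokutil >/dev/null 2>&1; then
        sb=$(parse_sb_state "$(mokutil --sb-state 2>/dev/null)")
    else
        sb=unknown
    fi
    signer=$(parse_module_signer "$(modinfo "$ko" 2>/dev/null)")
    echo "secure_boot=$sb signer=$signer"
    if load_should_succeed "$sb" "$signer"; then
        echo "OK: $ko is not expected to be rejected by module signature enforcement"
    else
        echo "BLOCKED: Secure Boot is enabled and $ko is unsigned; sign it with a key enrolled in the kernel keyring (MOK) first"
        return 1
    fi
}

# Constructed sample output (not captured from a real host).
SAMPLE_SB_ON="SecureBoot enabled"
SAMPLE_SB_OFF="SecureBoot disabled"
SAMPLE_MODINFO_SIGNED="filename:       /tmp/stap_1234.ko
signer:         Example MOK signing key
sig_key:        AA:BB:CC
sig_hashalgo:   sha256"
SAMPLE_MODINFO_UNSIGNED="filename:       /tmp/stap_5678.ko
license:        GPL"

# Usage: ./check_module.sh /path/to/stap_module.ko
if [ -n "${1:-}" ]; then check_module "$1"; fi
```

Run it against the module SystemTap produced before attempting to load it; a `BLOCKED` result on a Secure Boot host means the load would fail with exactly the "unsigned module" rejection the post describes, and the fix is to sign the module with a key the kernel trusts rather than to discover it at boot.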
Of course, Security Theater Boot continues to provide no advantages, and now it actively makes securing your computer more difficult because it will block a mitigation as “unsigned module”.
We really don’t need much more evidence that Security Theater Boot and the people who implemented it on Linux are not friends of Free Software (as it is designed to put Microsoft in control of whether your operating system is allowed to load, which can be revoked later, even with a backdoor like Linux Vendor Firmware Service twinking unauthorized modifications to your UEFI dbx into your computer behind your back, unless you uninstall it), but this post should make it more obvious what the score is.
My advice? It continues to be: kill LVFS, disable “Secure Boot” in the firmware, then uninstall mokutil and shim, and update grub.
Then you don’t need anyone’s permission to modify your operating system.
Which is how it should be. █