Date: Sun, 20 Sep 2020 03:53:10 +0200
From: Ralf Mardorf
To: freebsd-questions@freebsd.org
Subject: Re: Dual-booting/triple-booting FreeBSD under UEFI
Message-ID: <20200920035310.72276666@archlinux>
In-Reply-To: <20200919180814.00005391@seibercom.net>
References: <20200919180814.00005391@seibercom.net>

On Sat, 19 Sep 2020 18:08:14 -0400, Jerry wrote:
>https://www.zdnet.com/article/boothole-attack-impacts-windows-and-linux-systems-using-grub2-and-secure-boot/

In the beginning all major distros are using GRUB2...

"Currently, GRUB2 is used as the primary bootloader for all major Linux
distros"

...and it ends with all distros using it...
"The company estimates that every Linux distribution is impacted by this vulnerability, as all use GRUB2 bootloaders" ...Fear, uncertainty, and doubt! Actually Arch Linux is a major distro... https://distrowatch.com/dwres.php?resource=major ...with no default boot loader at all... "In order to boot Arch Linux, a Linux-capable boot loader must be set up." - https://wiki.archlinux.org/index.php/Arch_boot_process How about syslinux? https://wiki.archlinux.org/index.php/Syslinux Btw. I don't understand why somebody wants to boot FreeBSD or Linux with UEFI Secure Boot enabled. As a lot of Linux users I'm using syslinux for a Linux multi-boot desktop PC, giving the choice to boot different major distros. It's probably accurate to claim that most user-friendly (if not all user-friendly) distros default to GRUB2, but likely many, if not all of them provide alternative boot loaders, too. FWIW Arch Linux provides software to audit installed packages against known vulnerabilities, this includes the bootloader packages, too. If a hook doesn't already run the audit tool automatically when updating packages, it alternatively could run by a package manager wrapper script. arch-audit An utility like pkg-audit based on Arch CVE Monitoring Team data pacaudit This package audits installed packages against known vulnerabilities. pkg-audit audit installed packages against known vulnerabilities Actually most, if not all major distros provide information about known vulnerabilities: https://wiki.archlinux.org/index.php/Arch_Security_Team#Tracking_and_publishing https://wiki.archlinux.org/index.php/Arch_Security_Team#Other_distributions A business technology news website spreading inaccurate news isn't required to get informed about known vulnerabilities.