
Comment by udev4096

6 hours ago

What a cope. The hardening options highly restrict the unit files from accessing anything more than is required for their function. systemd has also made a lot of efforts in progressing boot security: https://0pointer.net/blog/brave-new-trusted-boot-world.html. Have fun running your "non-infected" systems, which are so easy to pwn.
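An added illustration of the per-unit sandboxing directives the comment refers to (example script, not udev4096's or systemd's own code): a drop-in for a hypothetical network daemon, here assumed to be called myd.service, that needs nothing beyond binding a privileged port and writing its own state directory. Everything else is taken away, and a small check confirms the directives that matter actually landed in the file.

```shell
#!/bin/sh
# Added example, not udev4096's or systemd's own code. Hardening drop-in for a
# hypothetical network daemon "myd.service" (assumed name) that needs only to
# bind a privileged port and write its own state directory.
set -eu

UNIT="${UNIT:-myd.service}"   # assumed unit name

# The drop-in: take away everything the service does not need and grant the two
# things it does (the port capability, a writable /var/lib/myd) explicitly.
hardening_dropin() {
    cat <<'EOF'
[Service]
# Unprivileged dynamic user; the port is granted via capabilities, not root.
DynamicUser=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
# Filesystem: read-only OS, no home dirs, private /tmp and /dev, own state dir.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
StateDirectory=myd
# Kernel surface: no modules, sysctls, kernel logs, cgroup or clock writes.
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectProc=invisible
# Only IP and unix sockets; no netlink, packet or other families.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# Seccomp: the @system-service set minus privileged/resource calls; the rest get EPERM.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
EOF
}

# Offline audit of a drop-in file: are the directives that matter actually present?
check_dropin() {
    for key in DynamicUser=yes NoNewPrivileges=yes ProtectSystem=strict \
               CapabilityBoundingSet= SystemCallFilter= RestrictAddressFamilies=; do
        grep -q "^${key}" "$1" || { echo "missing ${key}" >&2; return 1; }
    done
}

# Install it and print the exposure score (lower is better). Only runs with APPLY=1,
# so running the file without it just prints the drop-in text.
install_dropin() {
    dir="/etc/systemd/system/${UNIT}.d"
    mkdir -p "$dir"
    hardening_dropin > "$dir/10-hardening.conf"
    check_dropin "$dir/10-hardening.conf"
    systemctl daemon-reload
    systemd-analyze security --no-pager "$UNIT" | tail -n 1
}

if [ "${APPLY:-0}" = "1" ]; then
    install_dropin
else
    hardening_dropin
fi
```

Run it as `APPLY=1 UNIT=myd.service ./harden.sh` and compare the `systemd-analyze security` line before and after; the full table from that command shows which directives still count against the unit. Two of the directives above are the usual breakers: `MemoryDenyWriteExecute=yes` kills JIT runtimes, and `SystemCallFilter=~@privileged @resources` has to be relaxed for anything that legitimately calls, say, `setrlimit`. Tighten per unit rather than copying one drop-in everywhere.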

To make a comment like this, I imagine that you've set up BIOS security (password, case intrusion detection...), that you check your keyboard wire end-to-end daily, that you use a USB device whitelist, that you regularly check for hidden cameras spying on your keystrokes, etc., otherwise you're equally "easy to pwn" using equally-quick and roughly-as-cheap attacks.

  • Using luks to encrypt all partitions (incl. /boot), and it's only unlocked using a yubikey. I have secureboot enabled (sbctl to enroll keys) and TPM PCR values to avoid tampering. systemd-boot (a lot more secure than grub) doesn't have a password to lock the kernel editor, so I have disabled the editor altogether. I use fapolicy for "whitelisting" apps. Unfortunately, coreboot doesn't have a BIOS password feature, so it's unlocked.
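The boot-chain pieces in that comment (sbctl key enrollment, a FIDO2 token plus TPM2 PCR binding on the LUKS volume, and the systemd-boot editor switched off) as one added script. This is an example, not udev4096's actual setup; it assumes the ESP is mounted at /boot, the LUKS volume is /dev/nvme0n1p2, a systemd-boot + UKI layout, and a systemd new enough for `--tpm2-with-pin` (251+). Nothing is modified unless APPLY=1; the two loader.conf helpers are pure file edits and can be tried on a scratch copy.

```shell
#!/bin/sh
# Added example, not udev4096's own setup script. Assumptions: ESP at /boot,
# root LUKS volume /dev/nvme0n1p2, systemd-boot + UKI chain, systemd >= 251.
set -eu

ESP="${ESP:-/boot}"                      # assumed ESP mount point
LUKS_DEV="${LUKS_DEV:-/dev/nvme0n1p2}"   # assumed LUKS volume

# Secure Boot with our own keys: create PK/KEK/db, enroll them (-m keeps
# Microsoft's certs so option ROMs signed by them still load), sign the loader
# and every UKI (-s saves the path so 'sbctl sign-all' re-signs after updates),
# then verify nothing on the ESP is left unsigned.
enroll_secureboot() {
    sbctl create-keys
    sbctl enroll-keys -m
    sbctl sign -s "$ESP/EFI/systemd/systemd-bootx64.efi"
    sbctl sign -s "$ESP/EFI/BOOT/BOOTX64.EFI"
    for uki in "$ESP"/EFI/Linux/*.efi; do
        if [ -f "$uki" ]; then sbctl sign -s "$uki"; fi
    done
    sbctl verify
}

# LUKS: the YubiKey (FIDO2) is the interactive unlock path; the TPM2 slot is
# bound to PCR 7 (Secure Boot policy) AND a PIN. Each enrolled slot is an
# independent unlock path, so a TPM slot without a PIN would release the key
# unattended whenever PCR 7 matches, and the YubiKey would no longer gate unlock.
enroll_luks() {
    systemd-cryptenroll --fido2-device=auto "$LUKS_DEV"
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 --tpm2-with-pin=yes "$LUKS_DEV"
    # /etc/crypttab then needs fido2-device=auto,tpm2-device=auto in its options column.
}

# systemd-boot has no editor password, so pin 'editor no' in loader.conf:
# drop any existing editor line and append the directive.
set_loader_editor() {
    conf="$1"
    tmp="$(mktemp)"
    {
        if [ -f "$conf" ]; then grep -v '^[[:space:]]*editor[[:space:]]' "$conf" || :; fi
        echo "editor no"
    } > "$tmp"
    mv "$tmp" "$conf"
}

# Audit: the last 'editor' directive wins and the default is enabled, so an
# absent directive means enabled. Accepts systemd's spellings of boolean false.
loader_editor_disabled() {
    val="$(awk '$1 == "editor" { v = $2 } END { print v }' "$1")"
    case "$val" in
        no|0|false|off) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${APPLY:-0}" = "1" ]; then
    enroll_secureboot
    enroll_luks
    set_loader_editor "$ESP/loader/loader.conf"
    loader_editor_disabled "$ESP/loader/loader.conf"
    bootctl status
fi
```

Two caveats worth knowing before copying this. PCR 7 records the Secure Boot policy and which db certificate authorised each image, not the image bytes, so any loader or UKI signed with the enrolled key keeps PCR 7 stable; binding to PCR 4 (loader code) or PCR 11 (UKI sections) as well catches swapped binaries at the cost of re-enrolling or using signed PCR policies on every update. And `sbctl enroll-keys` replaces the firmware's PK, so on boards where the vendor-signed option ROMs are not covered by the Microsoft UEFI CA you can end up with no video or storage at boot; `sbctl verify` plus a test boot with the old keys still exported is the cheap insurance.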