this post was submitted on 24 Feb 2024
94 points (76.7% liked)
Linux
48199 readers
896 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
They give up some security by gaining convenience and slightly better UX.
I can't vet Apple's security, but TPM isn't a silver bullet either.
https://hacky.solutions/blog/2024/02/tpm-attack
Yeah I don't need a silver bullet I'm not storing highly sensitive data, I just mistakenly assumed this would be easier.
Great to hear. TPM is totally usable if your threat model can tolerate the risk. Sadly Linux is a bit lacking support for TPM in FDE. You can try the Nitrokey with GPG method without pin I wrote in the other thread if you hit the wall. Good luck!
Here's a guide if you want FDE with TPM: https://blastrock.github.io/fde-tpm-sb.html
Linux works fine with the TPM, systemd even includes it as a feature (although Ubuntu patches it out, Fedora does not). Takes two commands to enable it, although you can get very into the weeds like that guide does if you are concerned about real bad actors instead of common thieves.
That I doesn't know Ubuntu patches it out.
The decision had to do with not having unified kernel images or something, essentially the decision that it couldn’t be done securely enough so they didn’t allow it at all even if you understand the risks. I don’t agree with the philosophy.
The next LTS should have official support in the installer (experimental in 23.10), and with signed binaries that will increase security substantially. Unfortunately it depends on snap.