Date:      Sun, 20 Sep 2020 03:53:10 +0200
From:      Ralf Mardorf <ralf-mardorf@riseup.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: Dual-booting/triple-booting FreeBSD under UEFI
Message-ID:  <20200920035310.72276666@archlinux>
In-Reply-To: <20200919180814.00005391@seibercom.net>
References:  <DB8PR06MB64421AFD5B11F7674E48CBAAF63C0@DB8PR06MB6442.eurprd06.prod.outlook.com> <20200919180814.00005391@seibercom.net>

On Sat, 19 Sep 2020 18:08:14 -0400, Jerry wrote:
>https://www.zdnet.com/article/boothole-attack-impacts-windows-and-linux-systems-using-grub2-and-secure-boot/

In the beginning all major distros are using GRUB2...

"Currently, GRUB2 is used as the primary bootloader for all major Linux
distros"

...and it ends with all distros using it...

"The company estimates that every Linux distribution is impacted by
this vulnerability, as all use GRUB2 bootloaders"

...Fear, uncertainty, and doubt!

Actually Arch Linux is a major distro...

https://distrowatch.com/dwres.php?resource=major

...with no default boot loader at all...

"In order to boot Arch Linux, a Linux-capable boot loader must be set
up." - https://wiki.archlinux.org/index.php/Arch_boot_process

How about syslinux?

https://wiki.archlinux.org/index.php/Syslinux

Btw. I don't understand why somebody wants to boot FreeBSD or Linux
with UEFI Secure Boot enabled. Like a lot of Linux users, I'm using
syslinux for a Linux multi-boot desktop PC, giving the choice to
boot different major distros.

It's probably accurate to claim that most user-friendly (if not
all user-friendly) distros default to GRUB2, but likely many, if not all
of them provide alternative boot loaders, too.

FWIW Arch Linux provides software to audit installed packages against
known vulnerabilities; this includes the bootloader packages, too. If a
hook doesn't already run the audit tool automatically when updating
packages, it alternatively could be run by a package manager wrapper
script.

arch-audit
    An utility like pkg-audit based on Arch CVE Monitoring Team data
pacaudit
    This package audits installed packages against known
    vulnerabilities.
pkg-audit
    audit installed packages against known vulnerabilities

Actually most, if not all major distros provide information about known
vulnerabilities:

https://wiki.archlinux.org/index.php/Arch_Security_Team#Tracking_and_publishing
https://wiki.archlinux.org/index.php/Arch_Security_Team#Other_distributions

A business technology news website spreading inaccurate news isn't
required to get informed about known vulnerabilities.
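
The wrapper-script approach mentioned in the message, as an added example that is not part of the original post: it upgrades, runs arch-audit, and flags findings for boot loader packages only. The function names, the watch list and the sample report lines are assumptions constructed for illustration; the parser assumes each report line starts with the package name, optionally preceded by the word "Package".

```shell
#!/bin/sh
# Added example (not from the original post): audit boot loader packages
# after every upgrade.

# Packages to watch. Assumption: adjust to the boot loaders actually installed.
BOOT_PKGS="grub syslinux"

# Constructed sample report lines; CVE ids are placeholders, not real ids.
SAMPLE_REPORT='Package grub is affected by CVE-XXXX-XXXX. High risk!
Package openssl is affected by CVE-XXXX-XXXX. Medium risk!
syslinux is affected by arbitrary code execution. High risk!'

# bootloader_findings: read audit report lines on stdin and print those whose
# package name is in BOOT_PKGS. Returns 1 if any line matched, 0 otherwise.
bootloader_findings() {
    awk -v pkgs="$BOOT_PKGS" '
        BEGIN { n = split(pkgs, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        {
            # Assumed line shape: "[Package] <name> ..." (see lead-in).
            name = ($1 == "Package") ? $2 : $1
            if (name in watch) { print; hits++ }
        }
        END { exit (hits > 0 ? 1 : 0) }
    '
}

# audited_upgrade (hypothetical wrapper name): upgrade first, then audit.
# Exit codes: pacman's own on upgrade failure, 3 if the audit tool is
# missing (so a missing tool is never mistaken for a clean result),
# 2 if a watched boot loader package has a known vulnerability.
audited_upgrade() {
    pacman -Syu "$@" || return $?
    if ! command -v arch-audit >/dev/null 2>&1; then
        echo "arch-audit not installed; boot loader audit skipped" >&2
        return 3
    fi
    if ! arch-audit | bootloader_findings; then
        echo "WARNING: an installed boot loader package has a known vulnerability" >&2
        return 2
    fi
}
```

Sourcing this file and calling `audited_upgrade` in place of `pacman -Syu` gives the behaviour a post-transaction hook would otherwise provide.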


