What is your preferred daily driver distribution?
…defense.gov/…/CTR-UEFI-Secure-Boot-Customization…
wiki.gentoo.org/wiki/…/Configuring_Secure_Boot
I would ramble on for far too long if I let myself. The Fedora system that runs before Linux is called Anaconda (no relation to the Python container manager by the same name). The two packages that make Secure Boot easy for most users are called the shim and lockdown. This involves a cryptographic key from the distro packager that they have submitted to a Microsoft program implemented for them to sign what is called a 3rd party key. This 3rd party key is shimmed under the Microsoft key during the UEFI boot phase. Then it kicks off lockdown, and this is what starts the Linux kernel. Lockdown is what prevents the Linux kernel from running unsigned kernel modules. This is why Nvidia has been such a problem for so long. The binary blob kernel drivers are unsigned. If you follow current Fedora documentation for Nvidia drivers, it uses a package that automatically builds the entire Nvidia kernel module from source every time the kernel is updated.
If you are in a real bind with UEFI, the Gentoo link has info about how to boot into UEFI directly using KeyTool.
The entire secure boot system is a criminal attempt at theft of ownership and maintaining monopolistic exploitation with proprietary firmware. Real security would be forcing this code to be completely open source so the community can check, verify, and maintain it. This is why there is no support for secure boot directly in Linux. There is no fully open source firmware alternative for any modern hardware from an OEM. Libreboot is the closest option and this only supports hardware that is from the Core Duo era, so over a decade old. Even most of the stuff from System76 is not fully open source as far as the bootloader firmware.
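An added example, not part of the original comment: a minimal parser for the signature trailer that the Linux kernel's module signing appends to a `.ko` file, which is what decides whether a module counts as signed or unsigned in the sense the comment describes. The function name and the sample bytes are constructed for illustration, and the input is assumed to be the uncompressed module.

```python
import struct

# Layout at the end of a signed module (uncompressed .ko):
#   [module body][signer name][key id][signature][struct module_signature][magic]
MAGIC = b"~Module signature appended~\n"
TRAILER = struct.Struct(">BBBBB3xI")  # algo, hash, id_type, signer_len, key_id_len, pad, sig_len
PKEY_ID_PKCS7 = 2                     # id_type used for PKCS#7 module signatures


def parse_module_signature(data: bytes):
    """Return signature metadata, or None when no signature is appended.

    This only shows that a signature is present and well-formed in size;
    whether it chains to a trusted key is checked by the kernel at load time.
    """
    if not data.endswith(MAGIC):
        return None
    trailer_end = len(data) - len(MAGIC)
    if trailer_end < TRAILER.size:
        raise ValueError("truncated signature trailer")
    trailer_start = trailer_end - TRAILER.size
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack_from(
        data, trailer_start
    )
    payload_len = trailer_start - (signer_len + key_id_len + sig_len)
    if sig_len == 0 or payload_len < 0:
        raise ValueError("signature length fields are inconsistent with file size")
    return {
        "id_type": id_type,
        "is_pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "payload_len": payload_len,
        "signature": data[trailer_start - sig_len:trailer_start],
    }


# Constructed sample data (not a real module or a real signature).
SAMPLE_PAYLOAD = b"\x7fELF" + b"constructed-module-body"
SAMPLE_SIG = b"\x30\x82" + b"\x00" * 30
SAMPLE_SIGNED = (
    SAMPLE_PAYLOAD + SAMPLE_SIG
    + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(SAMPLE_SIG)) + MAGIC
)

if __name__ == "__main__":
    print("unsigned:", parse_module_signature(SAMPLE_PAYLOAD))
    print("signed:  ", parse_module_signature(SAMPLE_SIGNED))
```

On a running system, `modinfo -F signer <module>` reports the signer recorded in a module's signature.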