Hi there. I wish I could spend more time writing this nuanced post, but I’ll try to save it for those who are clueless:
Installing UEFI Secure Boot is easy and doesn’t need Microsoft. Just try using Ventoy, the ISO system that comes with a SecureBoot key for you to add to your SecureKey list while installing the OS. (Whether or not this is secure is an entirely different topic on supply chain attacks or inept vendors. forums.truenas .com/t/add-support-for-secure-boot-to-scale/9727 )
I’ve seen a thread or two here in the TrueNAS Forums that says, “What about the laser security system you need to protect your server?” But it’s really what-about-ism. SecureBoot is right now the only implementable and accessible security system anybody has to protect their system from rootkits. ( forums.truenas .com/t/freebsd-kicks-me-back-to-bios-on-boot-after-upgrading-cpu/3932 )
The TrueNAS team avoiding this topic, or failing to target it DIRECTLY, means that this is a level of enterprise security that folk like you and me DO NOT have access to, and require. Are you only storing pirated media? Maybe you’re fine with legacy boot. But are you storing pictures? Documents? What about incredibly private things that people might try to blackmail you with?
The point is that it IS possible to get SecureBoot running on ANY operating system you or other folk run. It’s not rocket science, it’s computer science.
Until then, iXsystems IS aware that people WANT Secure Boot for TPMs and other ways of automatically unlocking drives; it’s not just about rootkits. ( [NAS-114463] - iXsystems TrueNAS Jira, [NAS-111251] - iXsystems TrueNAS Jira ) It’s about knowing your system wasn’t tampered with, and having a modern security system to which you can ENTRUST your data. Otherwise, I would only use TrueNAS for hobbyist or laboratory things unless you have enterprise support that can ensure and guarantee your system remains uncompromised. Even JPGs, video files, and other common media formats can have viral payloads. Stop taking it for granted.
Sincerely,
Filene Taylor
(AKA my personal account at the old Community forums, FindingFilene, URL: findingfilene.105469 )
PS: I had to modify the links in this post that link to threads within this very forum because they consume my 2-link maximum as a ‘new member.’
Even secure boot has been compromised. For example, my model of SuperMicro motherboard was in the list of affected hardware in the discovery just a few months ago:
So thinking that Secure Boot can guarantee a system is uncompromisable by rootkits is unfortunately a pipe dream. It’s a slim layer of protection at best.
My view of this post is that it’s scare mongering. If an outsider can run arbitrary code on your server, that others should have no access to from the outside, it’s game over anyway.
I really can’t wait, but I might be busy enough that you’ll finish when I can take TrueNAS back.
The work and security it takes to safeguard a PKI are really understated in the current international condition. And I’m unfamiliar with the build process you’d need to develop to sign your builds or releases as well! It’s not an easy task by any means.
For anybody else reading, you might need to dig a little deeper than the preceding replies had, as they might have been unable to assemble the malformed links I posted, or the arguments behind them.
SecureBoot is an ideology of signing a bootloader with a key, so if the bootloader file changes, the key signature won’t match. I don’t need Intel or Microsoft to sign my bootloader, and neither did Ventoy. Moreover, we have a multilateral supply chain attack, where software vendors are so lazy their keys have 4-character passphrases and were reused for a decade across manufacturers. We need to pay our coders (and iXsystems devs) more so they might have robust quarantining systems, and key creation logs to reconstruct a history, as both protect the entire supply chain of keyholders. Otherwise, even my own PKI for my own projects is failed, if it means I had to share my root key with some thug.
Before anybody replies again on this HTTPS website, with a certificate signed by Let’s Encrypt, let’s revisit how Entrust has had, IIRC, a variety of their top PKI keyholders missing in the midst of confusing key issuing conflicts. You all need a deeper read of the world our software lives in. (See “Google Chrome to Stop Loading Sites Using Entrust Certificates in November”, RestorePrivacy.) It’s for the same reason we don’t use a certain malwared Polyfill website.
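The signing idea described in the post above (and the earlier point that enrolling your own key, as Ventoy does, needs no Microsoft signature) reduced to its essentials, as an added example that is not part of the thread and is not Ventoy’s or TrueNAS’s code. It stands in for the firmware’s check with plain `openssl`: generate an owner key pair, sign a constructed dummy “bootloader” file, verify it, then change one byte and verify again. Real UEFI Secure Boot signs PE images in Authenticode format (`sbsign`/`sbverify`) and the owner certificate is enrolled in `db` or the MOK list; the file names, the `demo` function and the sample blob here are assumptions for illustration only.

```shell
#!/bin/sh
# Added example: models the Secure Boot trust check with openssl on a dummy
# file. Not Ventoy, TrueNAS or firmware code. Requires openssl on PATH.
set -u
WORK="${WORK:-$(mktemp -d)}"

# make_owner_key: generate our own key pair. This is the "owner" key you
# would enroll yourself (db or MOK); no vendor CA is involved.
make_owner_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/owner.key" 2>/dev/null
    openssl pkey -in "$WORK/owner.key" -pubout -out "$WORK/owner.pub" 2>/dev/null
}

# sign_bootloader FILE: detached SHA-256/RSA signature over the file,
# written to FILE.sig (the vendor's or your own signing step).
sign_bootloader() {
    openssl dgst -sha256 -sign "$WORK/owner.key" -out "$1.sig" "$1"
}

# verify_bootloader FILE: the firmware-side decision. Exit 0 means the
# signature matches the file as it is now (boot), non-zero means refuse.
verify_bootloader() {
    openssl dgst -sha256 -verify "$WORK/owner.pub" -signature "$1.sig" "$1" \
        >/dev/null 2>&1
}

# demo: constructed sample run. Returns 0 only when the untouched file
# verifies AND the tampered copy is rejected, i.e. the check behaves as
# the post describes (file changes => signature no longer matches).
demo() {
    make_owner_key
    # constructed stand-in for a bootloader; not a real PE image
    printf 'EFI-BOOTLOADER-v1 (constructed sample)\n' > "$WORK/bootx64.efi"
    sign_bootloader "$WORK/bootx64.efi"

    if verify_bootloader "$WORK/bootx64.efi"; then good=0; else good=1; fi

    # tamper: append a single byte (a bootkit patch would do more, same result)
    printf 'X' >> "$WORK/bootx64.efi"
    if verify_bootloader "$WORK/bootx64.efi"; then bad=0; else bad=1; fi

    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

if [ "${1:-}" = "run" ]; then
    if demo; then echo "clean image verified, tampered image rejected"
    else echo "unexpected result"; exit 1; fi
fi
```

Run with `sh example.sh run`. The real-world equivalent of the three steps is `sbsign --key owner.key --cert owner.crt --output bootx64.efi.signed bootx64.efi`, `sbverify --cert owner.crt bootx64.efi.signed`, and enrolling `owner.der` with `mokutil --import owner.der` (or placing it in `db` from the firmware setup). What the example does not model, and what the replies above are pointing at, is the part the check silently depends on: who held `owner.key`, how it was stored, and whether anything else in `db` can also sign a bootloader.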
I’d ask what you think these two things have to do with each other (they are, after all, completely unrelated CAs), but I’m afraid your answer would be yet another random and bizarre rant.
Ah, I love how it’s not clear if you’re willing to dredge the threat of PKI compromise, or if you think there will always be a root CA for you to trust that’s not “vendor lock-in.” No, you go on.
With a stance like that, how are you going to acquire a copy of TrueNAS 25.10 Sarcastic Fringehead, featuring the new Secure Boot bits, without trusting HTTPS during the transfer?
And that’s without even broaching the subject of DNS and how that can be manipulated…
Thank you for mentioning DNS, as that’s just another leg I’m learning about. (I like that TrueNAS CORE does ACME DNS certificate issuing; I want TrueNAS SCALE to take it on, but that’s another topic!)