No, this is not true at all. Microsoft requires their system vendors (Dell, HP, etc) to allow users to enroll their own Secure Boot keys through their “Designed for Windows” certification.
Further, many distributions are already compatible with Secure Boot and work out of the box. Whether or not giving Microsoft the UEFI root of trust was a good idea is questionable, but what they DO have is a long, established history of supporting Linux secure boot. They sign a UEFI shim that allows distributions to sign their kernels with their own, distribution-controlled keys in a way that just works on 99% of PCs.
> Is it possible to un-enroll the Microslop certificates
Technically yes, with a massive fucking asterisk: some option ROMs are signed with the MS certs, and if your motherboard doesn't support not loading those (whether needed or not), sometimes you will not even be able to POST.
With almost all modern motherboard firmware you can enter Setup mode and use KeyTool to configure the trust store however you want, starting from enrolling a user PK (Platform Key) upwards.
It’s generally a lot more secure to avoid the use of any shims (since they leave you vulnerable to what happened in this article) and just build a UEFI Kernel Image and sign that.
Some systems need third party firmware to reach the OS, and this can get a bit more complicated since those modules need to load with the new user keys, but overall what you are asking is generally possible.
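As an added example (not from the thread): the PK, KEK, db and dbx variables that KeyTool edits are stored as EFI_SIGNATURE_LIST structures, so before un-enrolling anything it is worth dumping the variable and listing exactly which certificates and hashes are in it. This Python builds a constructed db-style blob and parses it back; the owner GUID and the DER-looking bytes are constructed, and on Linux the same parser runs over the contents of the `db-*` file in `/sys/firmware/efi/efivars/` once the 4-byte attribute prefix is stripped.

```python
"""Build and parse UEFI EFI_SIGNATURE_LIST blobs (the PK/KEK/db/dbx format)."""
import struct
import uuid
import hashlib

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGNATURE_TYPE_NAMES = {
    EFI_CERT_SHA256_GUID: "EFI_CERT_SHA256",
    EFI_CERT_X509_GUID: "EFI_CERT_X509",
}
# Constructed owner GUID for the sample entries (not any real vendor's GUID).
SAMPLE_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, entries: list) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST holding entries of a single type.

    Every EFI_SIGNATURE_DATA in a list must be the same size, so X.509
    certificates of different lengths each need a list of their own.
    """
    if not entries:
        raise ValueError("a signature list needs at least one entry")
    data_size = len(entries[0])
    if any(len(e) != data_size for e in entries):
        raise ValueError("entries in one EFI_SIGNATURE_LIST must have equal size")
    sig_size = 16 + data_size      # SignatureOwner GUID + SignatureData
    header_size = 0                # SignatureHeaderSize is unused for these types
    list_size = 28 + header_size + sig_size * len(entries)
    out = bytearray(sig_type.bytes_le)       # GUIDs use UEFI's mixed-endian layout
    out += struct.pack("<III", list_size, header_size, sig_size)
    for data in entries:
        out += owner.bytes_le + data
    return bytes(out)


def parse_esl(blob: bytes) -> list:
    """Walk concatenated EFI_SIGNATURE_LISTs and return one dict per entry.

    Raises ValueError on truncated or inconsistent headers instead of
    silently returning a partial picture of what is enrolled.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = 28 + header_size
        if list_size < body or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size < 16 or (list_size - body) % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not tile list at {off}")
        pos = off + body
        while pos < off + list_size:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append({
                "type": SIGNATURE_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(owner),
                "data": blob[pos + 16:pos + sig_size],
            })
            pos += sig_size
        off += list_size
    return entries


def sample_db() -> bytes:
    """Constructed db-style blob: two SHA-256 image hashes plus one fake X.509 entry."""
    hashes = [hashlib.sha256(b"bootx64.efi sample").digest(),
              hashlib.sha256(b"vmlinuz sample").digest()]
    fake_cert = b"\x30\x82\x01\x00" + b"\x00" * 20   # constructed DER-looking bytes
    return (build_esl(EFI_CERT_SHA256_GUID, SAMPLE_OWNER_GUID, hashes)
            + build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER_GUID, [fake_cert]))


if __name__ == "__main__":
    for entry in parse_esl(sample_db()):
        print(entry["type"], entry["owner"], entry["data"].hex()[:16])
```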
I have a slow burn project where I simulate a supply chain attack on my own motherboard. You can source (now relatively old) Intel PCH chips off Aliexpress that are “unfused” and lack certain security features like Boot Guard (simplified explanation). I bought one of these chips and I intend to desolder the factory one on my motherboard and replace it with the Aliexpress one. This requires somewhat difficult BGA reflow but I have all the tools to do this.
I want to make a persistent implant/malware that survives OS reinstalls. You can also disable Intel (CS)ME and potentially use Coreboot as well, but I don’t want to deal with porting Coreboot to a new platform. I’m more interested in demonstrating how important hardware root of trust is.
I don't want Boot Guard or any of that DRM crap. I want freedom.
> I want to make a persistent implant/malware that survives OS reinstalls.
Look up Absolute Computrace Persistence. It's there by default in a lot of BIOS images, but won't survive a BIOS reflash with an image that has the module stripped out (unless you have the "security" of Boot Guard, which will effectively make this malware mandatory!)
> I’m more interested in demonstrating how important hardware root of trust is.
You mean more interested in toeing the line of corporate authoritarianism.
Well, this project is literally about me circumventing/removing Boot Guard so I don’t know how it’s corporate authoritarianism. I’m literally getting rid of it. In doing so I get complete control of the BIOS/firmware down to the reset vector. I can disable ME. To me, that’s ultimate freedom.
As a power user, do I want boot guard on my personal PC? Honestly, no. And we’re in luck because a huge amount of consumer motherboards have a Boot Guard profile so insecure it’s basically disabled. But do I want our laptops at work to have it, or the server I have at a colocation facility to have it? Yes I do. Because I don’t want my server to have a bootkit installed by someone with an SPI flasher. I don’t want my HR rep getting hidden, persistent malware because they ran an exe disguised as a pdf. It’s valuable in some contexts.
I want an equivalent of boot guard that I hold the keys to. Presented only with a binary choice certainly having boot guard is better than not having it if physical device security is in question. But that ought to be a false dichotomy. Regulation has failed us here.
Me managing my own (for example) secure boot keys does not inherently enable malicious actors. Obviously unauthorized access to the keys is an attack vector that whoever holds them needs to account for. Obviously it's not risk free. There's always the potential that a user could mismanage his keys.
There's absolutely no excuse for hardware vendors not to provide end users the choice.
> trust is protected by trusted companies...
The less control of and visibility into their product you have the less trustworthy they are.
Secureboot was being used as an example to illustrate the issue with your claim that a user controlling the keys must necessarily undermine security.
I'll grant that if the user is given control then compromise within the supply chain does become possible. However the same hypothetical malicious aliexpress vendor could also enroll a custom secure boot key, install "definitely totally legit windows", and unless the user inspects he might well never realize the deception. Or the supply chain could embed a keylogger. Or ...
> You mean more interested in toeing the line of corporate authoritarianism.
That’s not what I got from their post. After all, they’re putting in some effort to hardware backdoor their motherboard, physically removing BootGuard. I read it as “if your hardware is rooted then your software is, no matter what you do.”
> I want to make a persistent implant/malware that survives OS reinstalls.
You want to look into something called "Windows Platform Binary Table" [1]. Figure out a way to reflash the BIOS or the UEFI firmware for your target device ad-hoc and there you have your implant.
> You want to look into something called "Windows Platform Binary Table" [1].
Is this how various motherboard manufacturers are embedding their system control software? I was helping a family friend with some computer issues and we could not figure out where the `armoury-crate` program (ASUS software for controlling RGB LEDs on the motherboard :() kept coming from.
That most likely comes from Windows Update though. It now has the ability to download "drivers". It actually had said ability for a long time (back from Vista days if I remember right), but back then it was only downloading the .inf file and associated .sys files/etc, whereas nowadays it actually downloads and runs the full vendor bloatware.
Have your friend grab https://github.com/seerge/g-helper which can disable Armoury Crate. It’s also a lot lighter on your system - I was having constant gradual frame drops (games would start fine and performance would slowly degrade) until I tried this and used the option to disable the AC processes.
Only works if the target is running Windows (paranoid people might be on Linux), so you'd probably want to slip in a malicious UEFI driver directly. Tools like UEFITool can be used to analyze and modify the filesystem of a UEFI firmware image.
Calling it a “kill switch” buries the lede here. What these politicians call a kill switch is technology to passively detect drunk driving. In 2021, Congress passed a law (HALT Drunk Driving Act) requiring NHTSA to eventually require auto makers to install passive drunk driver detection systems. NHTSA missed their statutory November 2024 deadline to finalize the regulations on this so it’s not like this amendment failing has a substantial impact. This technology is still many model years (maybe 2029? 2030?) away. I make no claims to the merits of this technology, I just feel the need to clarify the current situation.
This is conceptually interesting to me because I see this as almost a more generic TI Webench. I’m curious why you focus on the sized “grid” blocks (presumably for placement directly on the PCB layout) instead of doing the same for the schematic. That way I still have the flexibility of laying out the board how I want to meet eg mechanical constraints instead of working around a 12.7mm grid.
I saw routing as equally as big of a headache as the schematic, so formalizing the layout to a grid means layout becomes a compilation problem, not a design problem.
My intent for phaestus isn't to design PCBs, it's to design entire products, and also to be friendly to non-technical users who don't know what a PCB is, let alone do layout themselves.
I’ve been paying for Google Workspace for my custom domain for years basically just so I can use Gmail. For just $7 more a month, I upgraded my plan to access Gemini Pro, which has guaranteed enterprise-grade privacy controls. I think this is currently the best value platform for anyone who values their privacy for LLMs. If Apple and the DoD trust Google’s internal controls, I do too.
Because Red Hat pays the salaries of dozens (hundreds?) of kernel maintainers all over different subsystems. So they’re subject matter experts, and know exactly which ones are relevant to Red Hat.
Even RHEL misses things that don't get announced. This is a big issue for LTS kernels and downstreams, although RHEL does a much better job than most due to the nature of the company/ products.
I don't have tons of examples off hand but Spender and Project Zero have a number of examples like this (not necessarily for RHEL! Just in general where lack of CVE led to downstreams not being patched).
> Always remember, kernel developers:
> - do not know your use case.
> - do not know what code you use.
> - do not want to know any of this.
I just found this part so odd. You don't need to know how users are deploying code to know that a type confusion in an unprivileged system call that leads to full control over the kernel is a vulnerability. If someone has a very strange deployment where that isn't the case, okay, they can choose not to patch.
It's odd for every distro to have to think "is this patch for a vulnerability?" with no insight from upstream on the matter. Thankfully, researchers can go out of their way to get a CVE assigned.
Paying maintainers doesn't give Red Hat a magic oracle for "which commits matter for security". What you actually end up with is cherry-picking + backporting. Backporting is inherently messy, you can introduce new bugs (including security bugs) while trying to transplant fixes, and omissions are inevitable. And CVEs don't save you here: plenty of security relevant fixes never get a tidy CVE in the first place, and vendors miss fixes because they often pretend the CVE stream is "the security feed".
Greg is pretty blunt about this in the video linked in the article: "If you are not using the latest stable / longterm kernel, your system is insecure" (see 51:40-53:00 in [1]). He also calls out Red Hat explicitly for ending up "off in the weeds" with their fixes.
RHEL as an entire distribution may provide good enough security for most environments. But that is not the same claim as "the RHEL kernel is secure" or "they know exactly which commits are relevant". It is still guesswork plus backports, and you're still running behind upstream fixes (many of which will never get pulled in). It is a comfortable myth.
I have an almost identical story except the state in question was Nevada. I’m curious what “dubious” domain it was, for me it was video game cheats. Maybe I’m actually the co-owner you’re talking about. :)
Checking version numbers usually isn’t a good way of determining whether software on Linux is vulnerable to CVEs. Big distros (especially Red Hat derivatives) lock software versions but back port security patches. Reporting “vulnerabilities” solely based on reported version number is pure noise.
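Added example (not from the thread): the practical way to turn a version-number finding into a real answer is to check the distribution's own backport record, which for RPM-based distros is the package changelog. This Python parses constructed `rpm -q --changelog` output and decides whether a flagged CVE is already covered by an installed backport; the CVE ids and maintainer lines are constructed, and the epoch:version-release comparison is a simplified stand-in for rpm's own version comparison.

```python
"""Triage a version-based scanner finding against a distro package's backport record."""
import re
from dataclasses import dataclass
from typing import Optional

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# rpm changelog entries open with a "* <date> <author> - <epoch:version-release>" line.
ENTRY_RE = re.compile(r"^\* .+? - (?P<evr>\S+)\s*$")

# Constructed sample of `rpm -q --changelog <pkg>` output; the CVE ids are
# placeholders and do not refer to real advisories for any package.
SAMPLE_CHANGELOG = """\
* Tue Mar 05 2024 Distro Maintainer <maint@example.invalid> - 1:1.20.1-14
- Resolves: CVE-2023-00001 (request smuggling, backported from 1.25.3)
- Refresh test suite
* Mon Jan 08 2024 Distro Maintainer <maint@example.invalid> - 1:1.20.1-13
- Resolves: CVE-2023-00002 and CVE-2023-00003
* Fri Sep 01 2023 Distro Maintainer <maint@example.invalid> - 1:1.20.1-12
- Initial import of upstream 1.20.1
"""


def parse_rpm_changelog(text: str) -> dict:
    """Map each package release (EVR) to the set of CVE ids its entry names."""
    fixed = {}
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m.group("evr")
            fixed.setdefault(current, set())
        elif current is not None:
            fixed[current].update(CVE_RE.findall(line))
    return fixed


def split_evr(evr: str) -> tuple:
    """Split 'epoch:version-release' into comparable parts (simplified, numeric-only)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")

    def key(s: str) -> tuple:
        return tuple(int(p) if p.isdigit() else p for p in re.split(r"[.~^+]", s))

    return (int(epoch or 0), key(version), key(release))


@dataclass
class Verdict:
    cve: str
    installed: str
    status: str                 # "patched-by-backport", "unresolved" or "unknown"
    fixed_in: Optional[str]


def triage(cve: str, installed_evr: str, changelog: str) -> Verdict:
    """Decide whether a CVE flagged purely by upstream version is actually open.

    "patched-by-backport": an installed-or-earlier release names the CVE.
    "unresolved": a release names the CVE but is newer than what is installed.
    "unknown": the changelog never mentions it, so a human still has to check.
    """
    per_release = parse_rpm_changelog(changelog)
    fixing = [evr for evr, cves in per_release.items() if cve in cves]
    if not fixing:
        return Verdict(cve, installed_evr, "unknown", None)
    fixed_in = min(fixing, key=split_evr)
    if split_evr(installed_evr) >= split_evr(fixed_in):
        return Verdict(cve, installed_evr, "patched-by-backport", fixed_in)
    return Verdict(cve, installed_evr, "unresolved", fixed_in)


if __name__ == "__main__":
    for cve in ("CVE-2023-00001", "CVE-2023-00003", "CVE-2023-99999"):
        print(triage(cve, "1:1.20.1-13", SAMPLE_CHANGELOG))
```

An "unknown" verdict is the case the thread warns about: a fix that was backported without a CVE reference, or never backported at all, looks identical here, so it needs the vendor's CVE tracker or the patch itself rather than a version string.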
This reminds me of pointless PCI scans that flag you for using a vulnerable version of Nginx or a VPN software because that version has a CVE on record. This ignores the fact that the distro version is patched for the non-exploitable CVE.
Oh, one of my absolute favorite things is setting ServerTokens ProductOnly, so that scrubs will freak right out when they see their canned vuln scanner get bug-eyed and basically scream that the server might be vulnerable to every possible exploit ever written.
Actually, VAC handles Cheat Engine and the like very well. You won’t get banned for simply having them open, only for having them attached to the game, which I think is reasonable.
I used to use CheatEngine on single player games that I ran through Steam, and I don't recall Steam having a problem with that at the time. Not sure if it's changed, but it was pretty reasonable.
I ordered an FPGA development board from China last month that unfortunately didn’t make it out of the country before tariffs/end of de minimis set in. So it’s now sitting in a consolidation warehouse overseas while I figure out what to do with it. Paying almost double its value in taxes alone just kills its viability as a hobby, and sourcing it overseas is the only way to get hands on hardware without shelling out $2,000+.
There’s a whole cottage industry over there where they harvest semiconductors from junk/e-waste and turn them into usable products again. I assume that’s where the actual FPGA chip came from.
I had to delay learning PCB design during Covid because I couldn't source any parts.
Now prototypes will cost at least 2x, if not more.
These tariffs are essentially shooting US technology development in the foot. Chinese engineers will have the greatest access in the world to manufacturing and components, while engineers in the US who don't already have a large company to bankroll them will just find something else to do.
I had some projects in the pipeline that I might not bother with now. It's simply not worth the money. US PCB fabs are probably even worse, they still get a lot made overseas, but now they also hate you because they exist to do large orders for the DoD, not joe schmo democratizing hardware.
This exact 'cottage industry' you speak of is what existed in North America and started little companies like Apple, etc.
The sad fact that we lost all of these because of the entire electronics supply and design chain moving to Taiwan and China, is why we are where we are. These barriers might bring some back, who knows.
Ultimately global open borders, for goods and services, had their own issues. For example open competition between free market economies and centrally planned economies creates rather obvious advantages of scale that are skewed...
> The sad fact that we lost all of these because of the entire electronics supply and design chain moving to Taiwan and China, is why we are where we are. These barriers might bring some back, who knows.
And yet almost all the actual design was still happening in the U.S.
It’s almost like the origin of the components didn’t matter. Access did.
And even if the origin might have shifted the fact that access increased made Americans stronger in Tech not weaker.
Right now, we don’t have origins of manufacturing nor access. Even if some parts of the industry do reshore to the U.S., the access will still be limited primarily to those parts of the industry that re-shored, and even there access would be lower due to higher costs.
It’s incredible how America had the fastest growing major economy, was the leader in nearly all the industries of the future, has insanely high per capita income that continues to grow, and decided to throw all that away all because it refuses to undo the decisions that allow all that growth in wealth to accumulate with a tiny minority of the country.
I agree entirely with what you said. To extend on your point, we _want_ the higher order manufacturing here. Not the lower order.
Think for a second. Would you rather there be a new aluminum plant in the US? Or would you rather there be another successful airplane manufacturer? In no world does preferring the aluminum plant get you anywhere close to the same GDP as an airplane factory.
We want both. We don't need nearly enough airplanes to employ everyone assembling airplanes. The airplane workers and engineers being in close contact with the aluminum workers and engineers will enable innovation from both. And if it becomes harder to get aluminum from another country, having the domestic plant means we can keep making airplanes. But of course Trump's senile "plan" will get us neither.
Was there a real example of centrally planned economies after the fall of the USSR? More like centrally guided: Korea, Japan, China are all equally good examples.
Which is where? A country outpacing everyone else in growth and recovery after COVID?
This assumption that globalism = bad because we don't have people assembling electronics for $10/hour is strange. Does some of that need to be reshored for national security? Definitely, and that's why we have the CHIPS act but Trump is trying to kill it so I'm not really sure what these tariffs are trying to accomplish and I don't think this administration does either.
I am exploring whether PCB prototypes can be imported tariff-free under HTSUS 9817.85.01. However getting a tariff broker to figure out how to do this properly might also be expensive.
The big pain point for me would be the assembly service. Smaller designs I don't mind putting together by hand, I have a toaster oven and low-temp paste.
If I'm designing something that would need 100 units though, that's going to send a design cost from reasonable to out of reach rather quickly.
This feels like the exact kind of thing Chinese vendors/marketplaces are going to be figuring out at scale, but that still won't stop them from doubling their prices even if they do avoid paying many of the high tariff taxes. Market disruptions are an excuse to raise prices (see the first round of Trump inflation from the completely inappropriate economic response to Covid), and I wouldn't be surprised if the shipped-direct-from-China business drastically grows because of the recent tariff tax changes.
Another perverse incentive is that to get items sitting in a US warehouse (eg Amazon), the seller has to pay the high tariffs before they can even start selling them, while also hoping that tariffs aren't lowered before they can sell them all (and the expectation is that Trump is going to have to dial back this idiotic "plan" of his some time). Meanwhile the seller of a direct shipped item has a confirmed sale and cash-in-hand by the time the shipment gets to the border. So I expect the selection of US-stocked items is about to drop dramatically, and the poor economic conditions and abjectly poor leadership is going to leave many people not feeling too bad about (or even gleefully embracing) shopping direct.
I think what you're referring to is insidious and not getting anywhere near enough attention.
There's constant clamoring about increasing STEM engagement and then they go and kill off accessibility of tech.
Tech access is important all the way up and down the cost spectrum. The way people — kids as well as adults — get interested in this stuff is by having things to play with and use. You have an idea and want to work on a prototype? Now it's more expensive. Want to build something with your kid to get them interested in hardware? More expensive.
Disagree. The way de minimis was being exploited created a market distortion that unfairly favored foreign companies. I get that there are niche cases where it causes real pain, and that sucks but calling it insidious feels like overkill.
I support free trade, and in an ideal world we’d have no tariffs at all. But enforcement around imports is hard. You still need some mechanism to regulate goods entering the country, and duty taxes are a practical tool for that. When a U.S. retailer imports goods from China, they pay duties. When Temu ships a nearly identical product directly to U.S. consumers under de minimis, no one pays anything. That’s not a level playing field.
So your concern appears to be that the current system doesn’t allow a U.S. retail middle man to take their cut?
I didn’t realize there was so much sympathy for non value providing middle men in the U.S.
I do actually agree with the de minimis issue and that the system needed to be redone, but not because I think more Americans should be spending their lives being middle men leeching money off the American user, but because the de minimis exemption was distorting the markets, leading to highly inefficient individual packages instead of bulk packages being shipped.
But the problem isn’t the elimination of de minimis. If that had been eliminated a year ago, a $1000 import from AliExpress would see a $100-$200 additional cost which, while not ideal, would have been reasonable.
The problem is the raising of tariffs to extremely high levels that mean that the $1000 goods now carry a $1100-$1500 duty on top.
This isn’t about protecting "middlemen" for the sake of it, it's about applying consistent rules across different channels of commerce. If a domestic retailer has to pay duties to bring in inventory from abroad, but a foreign seller can ship the same item directly to a U.S. consumer with no duty via de minimis, that's a structural arbitrage opportunity, and yes, that does distort the market.
Whether the intermediary adds value or not is a fair debate, but the real issue is the system favoring one pathway over another based on a technicality, not merit. If you want to argue for a globalized market with no tariffs or friction, I’m sympathetic to that. But that’s not what we have, and pretending that eliminating de minimis while raising punitive tariffs are the same problem is a conflation.
I’m with you on criticizing high tariffs — retaliatory or otherwise, especially when they become a blunt weapon. But de minimis wasn't a free-market policy, it was an exploit. Fixing it doesn’t mean embracing protectionism, it means closing a loophole that had gotten too large to ignore.
1. I guess I think mechanisms for regulating goods entering the country should be based on specific articulated harms, and targeted through law enforcement or tariffs with a specific harm reduction goal. It's a bit absurd to me that China is being hit with a giant tariff based solely on source of product, and things like tainted Indian generic drugs continue to be an ongoing issue with actual medical harms.
2. I'm not sure why US consumers should be paying a middleman. If you can buy a product direct from the source, why not? The gains from a middleman should be intrinsic to what the middleman can bring, like savings through bulk purchases or shipping. Maybe more directly, I think tariffs should be eliminated completely, not just de minimis (except for those targeting a specific aim, with articulated goals and endpoint conditions).
3. These discussions have gotten so bizarre to me at some level because the US constitution specifically empowers Congress, not the president, with tariff powers. I don't think they should be allowed to shift those powers to another branch. Grievances about tariffs established by an executive were one of the reasons for the establishment of the US as a separate country to begin with, and just because Congress screwed up one time with tariffs doesn't mean they should be able to abdicate their responsibilities. I think having tariff powers reside with a large distributed body increases the burden of establishing a tariff probably. But this is an entirely different issue from the focus of the article.
You’re conflating tariffs with duty taxes collected on imports, and that’s a big part of why this conversation gets muddled.
I don’t support broad tariffs either — I’d love a world of free trade. But duty taxes aren't the same thing. They're not necessarily protectionist; they exist to fund the enforcement of customs and import regulations. If we agree that there are things we should regulate at the border, plants, animals, counterfeit goods, etc. then you need a mechanism to fund that enforcement. Duty taxes are that mechanism.
De minimis creates a loophole where foreign companies can flood the market with small direct-to-consumer shipments, bypassing both duties and most scrutiny. A U.S. importer pays duties and follows import regs. Temu doesn’t. That’s not about "harm reduction", it's about uneven enforcement and subsidized noncompliance.
I'm all for optimizing enforcement of small package imports and making compliance easier for individuals and small businesses. But we can’t pretend that zero enforcement cost is viable at scale, or that eliminating duties across the board is somehow neutral in its effects.
If you're arguing for removing all import duties and funding border enforcement from general taxes, fine but say that. Otherwise, it feels like folks just want all the upside of globalization with none of the costs or responsibilities.
It’s not that a level playing field is more important than every other consideration, it’s that you can’t have a functional or fair market without one.
If one group has to follow the rules and bear the costs, while another gets a free pass because of a legal loophole, you're not fostering innovation or accessibility, you're just subsidizing arbitrage. That’s not sustainable, and it warps both pricing and incentives.
I’m all for lowering costs and increasing access to STEM tools. But if the policy that does that relies on systematically undercutting domestic importers and eroding trade enforcement, then we should be honest about the tradeoffs. Let’s push for smarter, broader reforms (like targeted STEM subsidies or tariff carve-outs for educational goods) instead of defending a workaround that happened to benefit us temporarily.
> junk/e-waste and turn them in to usable products again.
Could you expand on this? In my understanding (armchair YouTube expert), semiconductor "recycling" is basically burning the device to scrap the metallic parts, then using the usual cyanide + boiling chloride (or mercury) to extract the gold, then throwing away everything else.
The less industrial method involves human dissection of such devices (with pre- and post-burning) to extract silver/copper.
There's an entire industry in Asia that takes apart computers and boards and industrial equipment, removes the chips, and resells them. Sometimes they even paint part numbers and such on them by hand.
It can be a source of fake chips, but also a source of chips that aren't made anymore.
China seemed to take chips from obsolete motherboards and turn them into boards to allow reuse of old Xeons, at least for a while there. I can't imagine those chipsets were still being made, so I assume that is what was happening. A lot of those old processors were still quite useful, but since the motherboard supply had dried up they were cheap e-waste. I can't imagine that kind of recycled product being made here, not least because Intel would probably find a way to sue a domestic company out of existence if they even tried.
I am running one right now, ancient 10 core Xeon on a new motherboard, runs like a beast, aircooled (iirc these boards were first designed by Russian hackers and appeared on a message board years ago). Anyway, almost everything seems to get recycled/repurposed in China (SD cards, memory chips, styrofoam); heck, even if there is no demand but just overstock they find a way to create demand. What do you do with an overstock of ball bearings? Fidget spinners?
China has a large number of lithography machines. Except for some very high-end 3nm chips that cannot yet be produced, other types of chips can all be manufactured.
In 2024, China's chip export value reached nearly $95 billion. This certainly couldn’t have been achieved through so-called "recycling."