> Ah, so malware can no longer manipulate boot state,
Which is an immense benefit.
> just steal all of your passwords
2FA, often now thanks to an HSM (Hardware Security Module) shielding your secrets precisely should your account be compromised (Yubikey, passkeys, ...).
> and credit cards
2FA. My credit card companies (EU) ask me to sign, on a physical hardware device the bank gave me, any transaction I make with my credit card when it's either above a certain amount or to an unknown vendor (or both).
> and cryptocurrency
2FA. Cryptocurrency hardware wallets use an HSM which shields the secret from attackers.
> and make user-level persistent processes.
Which you can detect from root, but only as long as root ain't compromised too.
A local exploit which can be detected and patched is bad but it's not anywhere near as bad as a root exploit which could potentially control the entire boot chain (maybe not SecureBoot if it's set up properly) and lie to you about everything.
Put it another way: it's precisely because a local exploit is not a root exploit that a system can be configured in such a way that should a local exploit happen, the system can make sure that that local exploit doesn't get to stay persistent.
A non-root exploit cannot lie to root, which is why there's a distinction between a local exploit and a root one.
Now we begin to have the possibility to boot a minimal immutable Linux distro (maybe even from a read-only medium like a DVD [1]), maybe from a UKI and a signature enforced by SecureBoot, and from that minimal immutable system, maybe launch something like a VM and/or containers (I prefer my containers to run inside VMs but YMMV).
For example we can begin to envision the following:
SecureBoot -> signed UKI -> Proxmox -> VM -> stateless containers
I am very excited that this now begins to be possible.
Don't you see any value in that?
I don't run an immutable distro yet but I already have throwaway user accounts, mounted on temporary and "noexec" mountpoints.
If you tell me: "Here's a system where it's guaranteed a malware can never ever manipulate boot state", I'll manage to find a way to build a system on top of that where a local exploit cannot possibly persist.
Immutable distros are working towards that goal.
And I definitely see where the value is.
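
The "noexec" mountpoints for throwaway accounts mentioned in the comment above can be audited mechanically. This is an added example, not part of the original comment; the watched path prefixes, the `/home/throwaway` mount and the sample mount table are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in /proc/mounts format:
# device, mountpoint, fstype, options, dump, pass
SAMPLE_MOUNTS = """\
/dev/mapper/root / ext4 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /home/throwaway tmpfs rw,nosuid,nodev,noexec,size=1048576k 0 0
/dev/sda3 /home/main\\040user ext4 rw,relatime 0 0
"""

# Assumption: trees an unprivileged account can normally write to.
WATCHED = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/run/user")

@dataclass
class Finding:
    mountpoint: str
    missing: list

def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def audit_mounts(text, watched=WATCHED, required=("noexec", "nosuid", "nodev")):
    """Return writable mounts under `watched` that lack a required option."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # not a mount entry
        mountpoint = _unescape(parts[1])
        opts = set(parts[3].split(","))
        if "ro" in opts:
            continue  # read-only: nothing can be dropped there
        if not any(mountpoint == w or mountpoint.startswith(w + "/") for w in watched):
            continue
        missing = [o for o in required if o not in opts]
        if missing:
            findings.append(Finding(mountpoint, missing))
    return findings

if __name__ == "__main__":
    # On a live system, pass open("/proc/mounts").read() instead of the sample.
    for f in audit_mounts(SAMPLE_MOUNTS):
        print(f"{f.mountpoint}: missing {','.join(f.missing)}")
```

`noexec` blocks direct execution of files stored on that mount; a script handed to an interpreter that lives on another filesystem still runs, so this check covers one layer only.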