

Depends on the OS, but you can generally have mkinitcpio
handle generating new UKIs after updates and also have it trigger something like sbctl
to re-sign images.
Depends on the OS, but you can generally have mkinitcpio
handle generating new UKIs after updates and also have it trigger something like sbctl
to re-sign images.
It seems the issue here is that initramfs is not signed, which makes this attack possible.
If it is signed and an evil maid modifies the initramfs itself, it will break the secure boot process and the user will be notified that their system has been tampered with. This should indicate that the secure boot protection is working.
If initramfs is not signed and it drops to the debug shell, then the attacker can make any changes to your system without it affecting secure boot, since it has already passed the protection. At least that’s my understanding when I read this.
I believe the Pixel 9a is also available. You might snag that one instead of an 8a just to give yourself another year of support.
Forgive me. Just trying to understand. How does the kernel flag NEO_DISABLE_MITIGATIONS
have any affect on the CPU? Seems to be targeted towards OpenCL and Level Zero, which are APIs to access GPU hardware directly.
The kernel mitigations would be for the CPU, not the GPU.
Depends on how you use your system if you have multiple users. CPU mitigations wont protect GPU workloads, and vice versa. If your CPU was mitigating GPU workloads, that would probably be a massive performance loss.
This is fine for single user systems. If your system allows more than 1 users, this is probably not something you want to do.
I changed my mkinitcpio hook from the busybox initencrypt
to systemd init sd-encrypt
to help with this, as it presents a different way to unlock a LUKS partition. Be sure to read the notes about sd-vconsole
if you use this hook. Your mileage may vary since im not sure which OS you’re on.
Wonder how well this works with unified kernel images, secure boot, tpm, cpu microcode, and disk encryption.
I can think of some commercial audio processors that can help with that, but they are super pricey.
I can’t think of a linux application that has this capability. If there is something out there that offers AEC (acoustic echo cancellation) on linux with two mic inputs, id also be interested.
One way to help with this as far as inexpensive hardware is to make sure you’re using cardioid dynamic microphones, and not omnidirectional condenser microphones. Cardioid dynamic mics generally pick up audio directionally, like from the “front”. You have to be right up on the mic in order to have it record any type of audio. They generally wont pick up environmental sound from anything more than a few feet away. You can just point them away from noise you don’t want to pick up.
Linux 3.18…???
TPM has solved this now for more than a decade.
Verified boot + TPM encryption key storage is a huge layer of protection for the boot process.
Check out the Arch wiki for TPM. It has some good reading.
Just use AI to remove all the AI slop!
Its one or the other. Either Google Play Services will push notifications, or the apps have to have the ability to handle push notifications on their own (which isn’t common).
Google Play Services can be sandboxed in GrapheneOS, but there isn’t an open source Google Play Services since its not included in AOSP. It is very much a proprietary blob.
I think once you give your IP to the satellite, the deapsea cables will start tracking all jellyfin packets
During those rare times that you boot into Windows 11, go ahead and update it.
I wouldn’t go out of your way and boot into it for the sole purpose of keeping it updated tho.
You need VLANs if you want separate networks on the SAME router. But if you have separate routers, then you don’t need VLANs.
You will need two wireless access points. If the router you mentioned has two wireless access points built in, then just set one to connect to the shared network, and the other will act as an AP for your private network. Then the router can be configured to send WAN traffic out of the shared network AP.
If you use a router that only has a single AP built in, then you will need to purchase and additional AP to plug into one of your router’s LAN ports so that it has two total.
Some routers might have the ability to create multiple wireless networks on one router, but be sure the hardware can handle the load. I know my ubiquity UDR can create up to 5 wireless networks on that single device before you run into performance issues.
Honestly, if you’re using your own router, you won’t need to worry about VLANs as long as your router separates your private network from the shared one.
For example, if the shared network is 192.168.0.0/24, you can make your private network 192.168.5.0/24 and have your router’s firewall block incoming traffic from 192.168.0.0/24. Only allow WAN traffic out, and allow return traffic.
Then have your router or connected server act as the authoritative DNS and DHCP servers for the 192.168.5.0/24 private network.
One wireless AP will be used in client mode to connect to the 192.168.0.0/24 shared network. The other wireless AP will be used as an access point for other devices to connect to the 192.168.5.0/24 private network.
The changelog for 2.31 is here:
https://sourceware.org/legacy-ml/libc-announce/2020/msg00001.html
Latest version of glibc is 2.41, released 2025-01-30. That puts 2.31 at least 10 releases behind. That version is quite outdated. There are numerous security and bug fixes in 2.31 alone, with each newer release also fixing some as well.
Secure boot helps protect against evil maid attacks by checking hardware and OS signatures. If the boot process has been tampered with, the user can be alerted that the secure boot process can no longer properly verify signatures.
While its probably true that you can no longer guarantee that system can be used safely ever again, at least you will be aware that it was tampered with and you can go ahead and send that system to e-waste and get you a new system.