On 17.06.2012 19:10, Michał Górny wrote:
> On Sun, 17 Jun 2012 12:56:34 -0400
> Matthew Finkel <matthew.finkel@×××××.com> wrote:
>
>> On Sun, Jun 17, 2012 at 11:51 AM, Michał Górny <mgorny@g.o>
>> wrote:
>>> 1. How does it increase security?
>>>
>> This removed a few vectors of attack and ensures your computer is only
>> bootstrapped by and booted using software you think is safe. By using
>> any software we don't write, we make a lot of assumptions.
>
> I agree that it removes a few vectors of attack. But this doesn't
> necessarily mean the system is more secure. It has one vulnerability
> less, but let's not get overenthusiastic.
>
> I'm basically trying to point out that a single solution like that can
> do more evil than good if people will believe it's perfect.
>

I think I now understand your train of thought. But I don't think anyone
implied that Secure Boot solves each and every security issue. What it
does, however, is impose new hurdles for malware authors. Therefore I
don't see a reason not to use it as long as the inconveniences and
limitations it imposes are acceptable for my particular use case.

>>> 3. What happens if the machine signing the blobs is compromised?
>>>
>> See above. But also, a compromised system wouldn't necessarily mean
>> the blobs would be compromised as well. In addition, ideally the
>> priv-key would be kept isolated to ensure a compromise would be
>> extremely difficult.
>
> In my opinion, if a toolchain is quietly compromised, everything built
> on the particular machine can be compromised. And signed. I doubt that
> someone will check bit-exact machine code of the toolchain
> and operating system before starting to sign packages.
>

Just because you cannot rule out bugs doesn't mean you shouldn't use
security-enhancing systems. Don't tell me you open telnet for root
access to your machines just because you cannot rule out the chance that
SSH is compromised or someone compromised the SSH source code you
downloaded from the Gentoo mirrors.

Regards,
Florian Philipp
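The point both sides of the thread circle around (a boot-time signature check stops post-signing tampering, but says nothing about what a compromised build host fed into the signer) can be made concrete. The following Go program is an added example for this page, not code from the thread or from any Secure Boot implementation: it uses the standard-library `crypto/ed25519` as a stand-in for the firmware's signature check, and the `buildImage`, `signImage`, `firmwareAccepts`, `matchesReproducibleBuild` and `Demo` names, the toy "IMG:"/";backdoor" image format and the `toolchainCompromised` flag are all assumptions made up for illustration. It shows that an image backdoored by the toolchain *before* signing carries a perfectly valid signature, and that only an independent rebuild on a separate host (the "bit-exact" comparison Michał says nobody does) tells the two apart.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// buildImage is a hypothetical build step: it turns source into a bootloader
// image. toolchainCompromised models a quietly backdoored compiler on the
// build host; the payload is inserted before anything is signed.
func buildImage(source []byte, toolchainCompromised bool) []byte {
	img := append([]byte("IMG:"), source...)
	if toolchainCompromised {
		img = append(img, []byte(";backdoor")...)
	}
	return img
}

// SignedImage is the blob as handed to the firmware: bytes plus signature.
type SignedImage struct {
	Image []byte
	Sig   []byte
}

// signImage is the signing machine: it signs whatever bytes it is given.
func signImage(priv ed25519.PrivateKey, img []byte) SignedImage {
	return SignedImage{Image: img, Sig: ed25519.Sign(priv, img)}
}

// firmwareAccepts is the stand-in for the Secure Boot check: a signature over
// the delivered bytes under an enrolled key. That is all it verifies.
func firmwareAccepts(pub ed25519.PublicKey, s SignedImage) bool {
	return ed25519.Verify(pub, s.Image, s.Sig)
}

// matchesReproducibleBuild compares the signed image with one rebuilt from the
// same source on an independent, trusted host (a bit-exact check).
func matchesReproducibleBuild(img, independentImg []byte) bool {
	return sha256.Sum256(img) == sha256.Sum256(independentImg)
}

// Outcome records what each scenario yields.
type Outcome struct {
	CleanAccepted      bool // honest build, signed: boots
	PostSignTamperBoot bool // image altered after signing: must not boot
	BackdoorBoots      bool // backdoored before signing: boots, signature is valid
	BackdoorCaught     bool // independent rebuild differs from the backdoored image
}

// Demo runs the three scenarios with a freshly generated key pair.
func Demo() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	source := []byte("bootloader source v1") // constructed sample input

	// 1. Honest toolchain, signed on the signing machine.
	clean := signImage(priv, buildImage(source, false))

	// 2. Malware modifies the image on disk after it was signed.
	tamperedBytes := append(append([]byte(nil), clean.Image...), []byte(";evil")...)
	tampered := SignedImage{Image: tamperedBytes, Sig: clean.Sig}

	// 3. Compromised toolchain on the build host; the signer never notices.
	backdoored := signImage(priv, buildImage(source, true))

	// Independent rebuild of the same source on a separate, clean host.
	independent := buildImage(source, false)

	return Outcome{
		CleanAccepted:      firmwareAccepts(pub, clean),
		PostSignTamperBoot: firmwareAccepts(pub, tampered),
		BackdoorBoots:      firmwareAccepts(pub, backdoored),
		BackdoorCaught:     !matchesReproducibleBuild(backdoored.Image, independent),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Read together: `PostSignTamperBoot` is false, which is the hurdle Secure Boot actually adds, while `BackdoorBoots` is true, which is Michał's objection; `BackdoorCaught` only comes out true because a second, independent build exists to compare against. Keeping the private key isolated (as Matthew suggests) protects against a stolen key, but not against signing a bad build, which is why the two defences are complementary rather than interchangeable.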