| 1 |
On Sun, 17 Jun 2012 12:56:34 -0400 |
| 2 |
Matthew Finkel <matthew.finkel@×××××.com> wrote: |
| 3 |
|
| 4 |
> On Sun, Jun 17, 2012 at 11:51 AM, Michał Górny <mgorny@g.o> |
| 5 |
> wrote: |
| 6 |
> > 1. How does it increase security? |
| 7 |
> > |
| 8 |
> This removed a few vectors of attack and ensures your computer is only |
| 9 |
> bootstrapped by and booted using software you think is safe. By using |
| 10 |
> any software we don't write, we make a lot of assumptions. |
| 11 |
|
| 12 |
I agree that it removes a few vectors of attack. But this doesn't |
| 13 |
necessarily mean the system is more secure. It has one vulnerability |
| 14 |
less but let's not get overenthusiastic. |
| 15 |
|
| 16 |
I'm basically trying to point out that a single solution like that can |
| 17 |
do more evil than good if people will believe it's perfect. |
| 18 |
|
| 19 |
> > 3. What happens if the machine signing the blobs is compromised? |
| 20 |
> > |
| 21 |
> See above. But also, a compromised system wouldn't necessarily mean |
| 22 |
> the blobs would be compromised as well. In addition, ideally the |
| 23 |
> priv-key would be kept isolated to ensure a compromise would be |
| 24 |
> extremely difficult. |
| 25 |
|
| 26 |
In my opinion, if a toolchain is quietly compromised, everything built |
| 27 |
on the particular machine can be compromised. And signed. I doubt that |
| 28 |
someone will check bit-exact machine code of the toolchain |
| 29 |
and operating system before starting to sign packages. |
| 30 |
|
| 31 |
-- |
| 32 |
Best regards, |
| 33 |
Michał Górny |
Archives