| 1 |
On 170302-03:42-0500, Taiidan@×××.com wrote: |
| 2 |
> On 02/28/2017 12:05 PM, Miroslav Rovis wrote: |
| 3 |
> |
| 4 |
> > On 170227-21:59-0500, Rich Freeman wrote: |
| 5 |
> >> On Mon, Feb 27, 2017 at 8:10 PM, Miroslav Rovis |
| 6 |
> >> <miro.rovis@××××××××××××××.hr> wrote: |
| 7 |
... |
| 8 |
> > And finally Andrew Shavchenko pointed me to gkeys ! |
| 9 |
> > |
| 10 |
> > Here's the answer to my query (ah, just the beginning of, my |
| 11 |
> > implementation of it will take time): |
| 12 |
> > |
| 13 |
> > emerge -tuDN app-crypt/gkeys app-crypt/gkeys-gen |
| 14 |
> > |
| 15 |
> > # equery f gkeys-gen |
| 16 |
> > ... |
| 17 |
> > /usr/share/doc/gkeys-gen-0.2/README.md.bz2 |
| 18 |
> > ... |
| 19 |
> > |
| 20 |
> > ( |
| 21 |
> > NOTE: The: |
| 22 |
> > /usr/share/doc/gkeys-0.2/README.md.bz2 |
| 23 |
> > of the gkeys package is identical. |
| 24 |
> > ) |
| 25 |
> > |
| 26 |
> > # bzcat /usr/share/doc/gkeys-gen-0.2/README.md.bz2 |
| 27 |
> > |
| 28 |
> > Gentoo Keys |
| 29 |
> > ----------- |
| 30 |
> > |
| 31 |
> > ### About |
| 32 |
> > |
| 33 |
> > Gentoo Keys is a Python based project that aims to manage the GPG keys used |
| 34 |
> > for validation on users and Gentoo's infrastracutre servers. Gentoo Keys will be able |
| 35 |
> > to verify GPG keys used for Gentoo's release media, such as installation CD's, |
| 36 |
> > Live DVD's, packages and other GPG signed documents. It will also be used by |
| 37 |
> > Gentoo infrastructure to achieve GPG signed git commits in the forthcoming git |
| 38 |
> > migration of the main CVS tree. |
| 39 |
> > |
| 40 |
> > ### License |
| 41 |
> > |
| 42 |
> > Gentoo Keys is under GPL-2 License |
| 43 |
> > # |
| 44 |
> > |
| 45 |
> > But do I read this correctly?: |
| 46 |
> > |
| 47 |
> > ...Gentoo Keys will be able |
| 48 |
> > to verify GPG keys used for Gentoo's release media, such as installation CD's, |
| 49 |
> > Live DVD's, packages and other GPG signed documents. |
| 50 |
> > |
| 51 |
> > Again, about this (syntactical) object (in the sentence), with other |
| 52 |
> > objects removed: |
| 53 |
> > |
| 54 |
> > ...Gentoo Keys will be able |
| 55 |
> > to verify GPG keys used for ... |
| 56 |
> > ... packages... |
| 57 |
> > |
| 58 |
> > Does that mean what I read? That with gkeys any user will be able to get |
| 59 |
> > packages via git, and somehow automatically gpg -verify the signature of |
| 60 |
> > each package that (s)he got when (s)he, say: |
| 61 |
> > |
| 62 |
> > emerge -tuDN world |
| 63 |
> > |
| 64 |
> > ? |
| 65 |
> > |
| 66 |
> > Does that mean that? |
| 67 |
> > |
| 68 |
... |
| 69 |
> It is possible to have a reasonably secure system where the hard drive |
| 70 |
> firmware (or any other devices) can't fuck around with the stuff on |
| 71 |
> disk, although I highly doubt that the gentoo infrastructure (and |
| 72 |
> kernel.org, and all the source repos for all the other software) does this |
| 73 |
Rogue elements everywhere (even the most known Person in the world, |
| 74 |
throughout the history (which counts from His birth), had His traitors), |
| 75 |
but you are correct, it is still little likely. |
| 76 |
|
| 77 |
I'll keep you thought below for reference, when I some day, find more |
| 78 |
time to learn about these things: |
| 79 |
> One way is to use a blob-free coreboot IOMMU supporting board and |
| 80 |
> bootstrap the crypto/kernel off of the board firmware EEPROM chip to |
| 81 |
> load the initial kernel thus no plaintext touches the disk and thus |
| 82 |
> nothing can mess with it. |
| 83 |
> |
| 84 |
> The IOMMU (theoretically) protects the CPU and memory from rogue |
| 85 |
> devices, such as the hard drive. |
| 86 |
> |
| 87 |
> In terms of ethics IBM *for now* is a way better company than Intel/AMD, |
| 88 |
> their POWER servers are owner controlled as there isn't any boot |
| 89 |
> guard/secure boot/management engine/platform "security" processor (amd's |
| 90 |
> ME) to stop you from re-writing the firmware as you please. They also |
| 91 |
> have an getting-there-almost-reasonable open source effort (OpenPOWER) |
| 92 |
> |
| 93 |
> You can buy a TYAN OpenPOWER8 "Palmetto" (100% FOSS out of the box, |
| 94 |
> although not that powerful) or an IBM POWER8 S822 "Firestone" (very |
| 95 |
> powerful) which needs only a small amount of final work to be open sourced. |
| 96 |
> |
| 97 |
> IBM's POWER8 has a supervisor processor, although it is owner controlled |
| 98 |
> (the key difference) unlike ME/PSP. |
| 99 |
> |
| 100 |
> It is a shame that TALOS (POWER workstation board) never went anywhere, |
| 101 |
> it seems the linux community won't care about real freedom - right up |
| 102 |
> until microsoft finally locks us out for good and it is too late to do |
| 103 |
> anything about it. |
| 104 |
> |
| 105 |
> https://www.coreboot.org/Board_freedom_levels |
| 106 |
|
| 107 |
Yes, I looked up that page, and searched a little about Power8 |
| 108 |
pocessors... I wish I was aware how important Board freedom is back four |
| 109 |
and a half years ago. Not so ugly what I have, but neither is open hardware |
| 110 |
( |
| 111 |
Asrock |
| 112 |
Extreme4, a few of them (so I can clone the systems): |
| 113 |
Use old amd64 gentoo image on new amd64 hardware, possible? |
| 114 |
https://forums.gentoo.org/viewtopic-t-940916.html#7172822 |
| 115 |
|
| 116 |
I can't believe they're still selling them! If I'm not mistaken: |
| 117 |
http://www.asrock.com/mb/AMD/970%20Extreme4/ |
| 118 |
I have to say, they are really not bad, but are not openhardware either. |
| 119 |
) |
| 120 |
|
| 121 |
I can't follow all the info that you gave, it's too advanced for me (at |
| 122 |
least at this time). |
| 123 |
|
| 124 |
And I couldn't reply sooner... I had to finish, finally successfully, |
| 125 |
some steep learning of mine about how to use virtualization. |
| 126 |
|
| 127 |
Voilà: |
| 128 |
|
| 129 |
Devuan's precursor's, as Tails, image in Qemu (10) |
| 130 |
https://www.croatiafidelis.hr/foss/cap/cap-161015-qemu-devuan/qemu-devuan-10.php |
| 131 |
|
| 132 |
Finally using Tails from my grsecurity-hardened Gentoo, in a |
| 133 |
VirtualMachine! Finally I can do it! Took me months! |
| 134 |
|
| 135 |
( |
| 136 |
[[ might be of interest to grsecurity-hardeners ]] |
| 137 |
Ah, what you can't find there (simply because I forgot to give the link |
| 138 |
to is), is this: |
| 139 |
|
| 140 |
Libvirt virtualization policies |
| 141 |
https://forums.grsecurity.net/viewtopic.php?f=5&t=4675 |
| 142 |
) |
| 143 |
|
| 144 |
The most important/urgent among really great messages that I got in this |
| 145 |
thread, is Shavchenko's message about the gkeys ! |
| 146 |
|
| 147 |
And I'm still wondering: |
| 148 |
|
| 149 |
Does anybody have a way to, as I wrote, be pulling packages via git, when |
| 150 |
doing building/installing with emerge, and be verifying each package as |
| 151 |
(s)he is pulling them automatically, with gkeys ? |
| 152 |
|
| 153 |
That _must_ be waiting for us in the future of Gentoo ;-) |
| 154 |
|
| 155 |
gkeys <------ !!! That looks like the solution that I have dreamed about! |
| 156 |
|
| 157 |
Regards! |
| 158 |
|
| 159 |
-- |
| 160 |
Miroslav Rovis |
| 161 |
Zagreb, Croatia |
| 162 |
https://www.CroatiaFidelis.hr |
Archives