1 |
On 170302-03:42-0500, Taiidan@×××.com wrote: |
2 |
> On 02/28/2017 12:05 PM, Miroslav Rovis wrote: |
3 |
> |
4 |
> > On 170227-21:59-0500, Rich Freeman wrote: |
5 |
> >> On Mon, Feb 27, 2017 at 8:10 PM, Miroslav Rovis |
6 |
> >> <miro.rovis@××××××××××××××.hr> wrote: |
7 |
... |
8 |
> > And finally Andrew Shavchenko pointed me to gkeys ! |
9 |
> > |
10 |
> > Here's the answer to my query (ah, just the beginning of, my |
11 |
> > implementation of it will take time): |
12 |
> > |
13 |
> > emerge -tuDN app-crypt/gkeys app-crypt/gkeys-gen |
14 |
> > |
15 |
> > # equery f gkeys-gen |
16 |
> > ... |
17 |
> > /usr/share/doc/gkeys-gen-0.2/README.md.bz2 |
18 |
> > ... |
19 |
> > |
20 |
> > ( |
21 |
> > NOTE: The: |
22 |
> > /usr/share/doc/gkeys-0.2/README.md.bz2 |
23 |
> > of the gkeys package is identical. |
24 |
> > ) |
25 |
> > |
26 |
> > # bzcat /usr/share/doc/gkeys-gen-0.2/README.md.bz2 |
27 |
> > |
28 |
> > Gentoo Keys |
29 |
> > ----------- |
30 |
> > |
31 |
> > ### About |
32 |
> > |
33 |
> > Gentoo Keys is a Python based project that aims to manage the GPG keys used |
34 |
> > for validation on users and Gentoo's infrastracutre servers. Gentoo Keys will be able |
35 |
> > to verify GPG keys used for Gentoo's release media, such as installation CD's, |
36 |
> > Live DVD's, packages and other GPG signed documents. It will also be used by |
37 |
> > Gentoo infrastructure to achieve GPG signed git commits in the forthcoming git |
38 |
> > migration of the main CVS tree. |
39 |
> > |
40 |
> > ### License |
41 |
> > |
42 |
> > Gentoo Keys is under GPL-2 License |
43 |
> > # |
44 |
> > |
45 |
> > But do I read this correctly?: |
46 |
> > |
47 |
> > ...Gentoo Keys will be able |
48 |
> > to verify GPG keys used for Gentoo's release media, such as installation CD's, |
49 |
> > Live DVD's, packages and other GPG signed documents. |
50 |
> > |
51 |
> > Again, about this (syntactical) object (in the sentence), with other |
52 |
> > objects removed: |
53 |
> > |
54 |
> > ...Gentoo Keys will be able |
55 |
> > to verify GPG keys used for ... |
56 |
> > ... packages... |
57 |
> > |
58 |
> > Does that mean what I read? That with gkeys any user will be able to get |
59 |
> > packages via git, and somehow automatically gpg -verify the signature of |
60 |
> > each package that (s)he got when (s)he, say: |
61 |
> > |
62 |
> > emerge -tuDN world |
63 |
> > |
64 |
> > ? |
65 |
> > |
66 |
> > Does that mean that? |
67 |
> > |
68 |
... |
69 |
> It is possible to have a reasonably secure system where the hard drive |
70 |
> firmware (or any other devices) can't fuck around with the stuff on |
71 |
> disk, although I highly doubt that the gentoo infrastructure (and |
72 |
> kernel.org, and all the source repos for all the other software) does this |
73 |
Rogue elements everywhere (even the most known Person in the world, |
74 |
throughout the history (which counts from His birth), had His traitors), |
75 |
but you are correct, it is still little likely. |
76 |
|
77 |
I'll keep you thought below for reference, when I some day, find more |
78 |
time to learn about these things: |
79 |
> One way is to use a blob-free coreboot IOMMU supporting board and |
80 |
> bootstrap the crypto/kernel off of the board firmware EEPROM chip to |
81 |
> load the initial kernel thus no plaintext touches the disk and thus |
82 |
> nothing can mess with it. |
83 |
> |
84 |
> The IOMMU (theoretically) protects the CPU and memory from rogue |
85 |
> devices, such as the hard drive. |
86 |
> |
87 |
> In terms of ethics IBM *for now* is a way better company than Intel/AMD, |
88 |
> their POWER servers are owner controlled as there isn't any boot |
89 |
> guard/secure boot/management engine/platform "security" processor (amd's |
90 |
> ME) to stop you from re-writing the firmware as you please. They also |
91 |
> have an getting-there-almost-reasonable open source effort (OpenPOWER) |
92 |
> |
93 |
> You can buy a TYAN OpenPOWER8 "Palmetto" (100% FOSS out of the box, |
94 |
> although not that powerful) or an IBM POWER8 S822 "Firestone" (very |
95 |
> powerful) which needs only a small amount of final work to be open sourced. |
96 |
> |
97 |
> IBM's POWER8 has a supervisor processor, although it is owner controlled |
98 |
> (the key difference) unlike ME/PSP. |
99 |
> |
100 |
> It is a shame that TALOS (POWER workstation board) never went anywhere, |
101 |
> it seems the linux community won't care about real freedom - right up |
102 |
> until microsoft finally locks us out for good and it is too late to do |
103 |
> anything about it. |
104 |
> |
105 |
> https://www.coreboot.org/Board_freedom_levels |
106 |
|
107 |
Yes, I looked up that page, and searched a little about Power8 |
108 |
pocessors... I wish I was aware how important Board freedom is back four |
109 |
and a half years ago. Not so ugly what I have, but neither is open hardware |
110 |
( |
111 |
Asrock |
112 |
Extreme4, a few of them (so I can clone the systems): |
113 |
Use old amd64 gentoo image on new amd64 hardware, possible? |
114 |
https://forums.gentoo.org/viewtopic-t-940916.html#7172822 |
115 |
|
116 |
I can't believe they're still selling them! If I'm not mistaken: |
117 |
http://www.asrock.com/mb/AMD/970%20Extreme4/ |
118 |
I have to say, they are really not bad, but are not openhardware either. |
119 |
) |
120 |
|
121 |
I can't follow all the info that you gave, it's too advanced for me (at |
122 |
least at this time). |
123 |
|
124 |
And I couldn't reply sooner... I had to finish, finally successfully, |
125 |
some steep learning of mine about how to use virtualization. |
126 |
|
127 |
Voilà: |
128 |
|
129 |
Devuan's precursor's, as Tails, image in Qemu (10) |
130 |
https://www.croatiafidelis.hr/foss/cap/cap-161015-qemu-devuan/qemu-devuan-10.php |
131 |
|
132 |
Finally using Tails from my grsecurity-hardened Gentoo, in a |
133 |
VirtualMachine! Finally I can do it! Took me months! |
134 |
|
135 |
( |
136 |
[[ might be of interest to grsecurity-hardeners ]] |
137 |
Ah, what you can't find there (simply because I forgot to give the link |
138 |
to is), is this: |
139 |
|
140 |
Libvirt virtualization policies |
141 |
https://forums.grsecurity.net/viewtopic.php?f=5&t=4675 |
142 |
) |
143 |
|
144 |
The most important/urgent among really great messages that I got in this |
145 |
thread, is Shavchenko's message about the gkeys ! |
146 |
|
147 |
And I'm still wondering: |
148 |
|
149 |
Does anybody have a way to, as I wrote, be pulling packages via git, when |
150 |
doing building/installing with emerge, and be verifying each package as |
151 |
(s)he is pulling them automatically, with gkeys ? |
152 |
|
153 |
That _must_ be waiting for us in the future of Gentoo ;-) |
154 |
|
155 |
gkeys <------ !!! That looks like the solution that I have dreamed about! |
156 |
|
157 |
Regards! |
158 |
|
159 |
-- |
160 |
Miroslav Rovis |
161 |
Zagreb, Croatia |
162 |
https://www.CroatiaFidelis.hr |