On Thu, Jan 10, 2013 at 02:41:54PM -0500, Adam Jackson wrote:
> On Thu, 2013-01-10 at 17:56 +0100, Till Maas wrote:
>
> > But why should anaconda not verify packages if secure boot is disabled?
>
> For the same reason Firefox doesn't automatically accept self-signed SSL
> certs, and the same reason that ssh doesn't automatically accept new
> host keys: it'd be creating trust from thin air. With secure boot
> disabled there's no root of trust for verification. You could verify
> that the signatures were _valid_, but you'd have no grounds to conclude
> from their validity that the signatures were the ones put there by The
> Fedora Project, and therefore that the package contains the data that
> The Fedora Project intended it to contain. You'd only know that the key
> the repo says signed the packages did in fact sign the packages.
>
> That's not security. That's theatre.

It has already been shown in this thread that the boot image needs to be
verified manually by the user to ensure that an anaconda is really running
that verifies certificates with secure boot enabled, and not, for example,
the F18 anaconda. Therefore your argument does not hold. If we assume that
Firefox equals anaconda, then the rpm packages are not self-signed but
signed by the root CA (rpm key) that could be included in the boot image,
which needs to be verified by the user as always, as described in
https://fedoraproject.org/en/verify

This whole secure boot seems to be more theatre than security with respect
to package signature checking during installation.

> It changes the attack vector from "someone trojaned some random
> repository on the internet" to "someone managed to root this machine's
> firmware before it even shipped". And Microsoft is the party with most

This is not true. Actually it only ensures that whoever controlled the
initial boot image controls which packages will be installed.
Regards
Till
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
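The distinction both sides of this exchange are arguing over, verifying a package signature against whatever key the repository metadata names versus verifying it against a key the installer already trusts (for instance one embedded in a boot image the user checked by hand), as an added example that is not part of the thread and not anaconda's or rpm's own code. It uses Ed25519 from the Go standard library as a stand-in for rpm's GPG signatures; the key names, the package payloads and the `signedPackage` type are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// signedPackage models a package as a repository presents it: the payload,
// a detached signature, and the public key the repo metadata claims made it.
// (Constructed type for this example; not rpm's on-disk format.)
type signedPackage struct {
	Name       string
	Payload    []byte
	Signature  []byte
	ClaimedPub ed25519.PublicKey // "the key the repo says signed the package"
}

// signPackage builds a signedPackage whose ClaimedPub matches the signer.
func signPackage(name string, payload []byte, priv ed25519.PrivateKey) signedPackage {
	return signedPackage{
		Name:       name,
		Payload:    payload,
		Signature:  ed25519.Sign(priv, payload),
		ClaimedPub: priv.Public().(ed25519.PublicKey),
	}
}

// verifyAgainstClaimedKey accepts a package if its signature is valid under
// the key the repository itself supplied. This is the "trust from thin air"
// check: an attacker who controls the repo controls the key too.
func verifyAgainstClaimedKey(p signedPackage) bool {
	return ed25519.Verify(p.ClaimedPub, p.Payload, p.Signature)
}

// verifyAgainstPinnedKey accepts a package only if the signature is valid
// under a key the verifier already trusted before talking to the repo.
func verifyAgainstPinnedKey(pinned ed25519.PublicKey, p signedPackage) bool {
	return ed25519.Verify(pinned, p.Payload, p.Signature)
}

// scenarioResult records how each constructed package fares under both checks.
type scenarioResult struct {
	GenuineClaimed, GenuinePinned   bool // genuine package, both checks
	TrojanClaimed, TrojanPinned     bool // attacker-signed package, both checks
	TamperedClaimed, TamperedPinned bool // genuine signature, modified payload
}

// runScenario plays out the thread's argument: a distributor key (which a
// user could verify out of band and which the installer then pins) versus an
// attacker who has trojaned a mirror and ships packages under their own key.
func runScenario() scenarioResult {
	distroPub, distroPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample payloads standing in for package contents.
	genuine := signPackage("foo-1.0.rpm", []byte("legitimate package bytes"), distroPriv)
	trojan := signPackage("foo-1.0.rpm", []byte("trojaned package bytes"), attackerPriv)

	// A package whose bytes were altered in transit but whose signature and
	// claimed key were left alone: fails both checks, since the signature
	// itself is no longer valid for the payload.
	tampered := genuine
	tampered.Payload = []byte("legitimate package bytes, altered")

	return scenarioResult{
		GenuineClaimed:  verifyAgainstClaimedKey(genuine),
		GenuinePinned:   verifyAgainstPinnedKey(distroPub, genuine),
		TrojanClaimed:   verifyAgainstClaimedKey(trojan),
		TrojanPinned:    verifyAgainstPinnedKey(distroPub, trojan),
		TamperedClaimed: verifyAgainstClaimedKey(tampered),
		TamperedPinned:  verifyAgainstPinnedKey(distroPub, tampered),
	}
}

func main() {
	r := runScenario()
	fmt.Printf("genuine  : claimed-key=%v pinned-key=%v\n", r.GenuineClaimed, r.GenuinePinned)
	fmt.Printf("trojan   : claimed-key=%v pinned-key=%v\n", r.TrojanClaimed, r.TrojanPinned)
	fmt.Printf("tampered : claimed-key=%v pinned-key=%v\n", r.TamperedClaimed, r.TamperedPinned)
}
```

The trojaned package passes the claimed-key check (the signature really is valid under the key the repo names) and fails only the pinned-key check, which is the point both sides agree on: verification is only as good as how the verifier obtained the key it pins, whether from a Secure Boot chain or from a boot image the user checked against the Fedora verification page by hand.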