On Thu, 17 Dec 2020 at 00:29, przemek klosowski via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 12/16/20 5:38 PM, Kevin Fenzi wrote:
On Wed, Dec 16, 2020 at 04:28:49PM -0500, przemek klosowski via devel wrote:I was trying to make a point that we don't have a way to check the initial image: it could be altered to falsely claim to be signed by fedoraproject.well, we do: https://getfedora.org/security/Right, but it's not automatic, and requires an existing known-good system, which is the actual 'root of trust' here. This cannot be assumed about a flash drive, which is why the automatic image check is hard.
I guess it would involve a secure boot into a fedora signed shim that
- retrieves the checksum over a verified TLS network connection
- checks the image against that.
This problem comes up every couple of years and people start trying to work out how to make it so it is 'trustable'. After about 8 to 12 countermeasures piled on because you found a hole in the last layer.. you end up with something which might prove it but is as fragile as a house of cards (which blows over when someone comes up with the 13th whole in the chain).
The problem with a chain is it is only as strong as its weakest link.. as soon as you fix that one.. it is only as strong as its next weakest link which turns out to be as weak as the first one.
--
Stephen J Smoogen.
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx