Am 17.12.20 um 14:35 schrieb Stephen John Smoogen:
Right, but it's not automatic, and requires an existing known-good system, which is the actual 'root of trust' here. This cannot be assumed about a flash drive, which is why the automatic image check is hard.
Speaking from Security pov, it's not hard, it's impossible. The attacker can sign everything with it's own cert and putting that into the image itself. Way easier is it to remove the check for a valid sig and always return "true" is asked for a match, as any root kit will do.
best regards, Marius _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx