Re: F38 proposal: Unified Kernel Support Phase 1 (System-Wide Change proposal)

PS (adding to my previous reply):

Daniel P. Berrangé wrote:
> The immediate need for UKIs is indeed related to SecureBoot and
> TPMs. These are a core technology foundation of the confidential
> virtual machine stack. On Azure today, if you request an Ubuntu
> confidential VM, Azure will pre-encrypt the root filesystem and

So basically this change proposal is about supporting a feature of the 
Microsoft cloud platform (Azure) in Fedora and will be pretty useless to any 
user not using Microsoft's platform.

> seal the LUKS key against predicted TPM PCR values. It guarantees
> that the root disk can only be decrypted by the specific VM
> instance that is requested, when it is running in SecureBoot
> mode with the expected measurements on AMD SEV-SNP confidential
> hardware.

Does it really guarantee that, and not just that it can only be decrypted by 
any VM using the same UKI?

How reliably does it ensure that the user can only get root in the decrypted 
image with the root password (or SSH key or similar) stored inside the image 
and not through some other means?

In the end, if you store data on a "cloud", you are storing it on other 
people's computers. You are also relying on their confidentiality 
guarantees. How can you trust the "cloud" provider to actually perform the 
encryption steps they claim to perform when you check that checkbox, and 
also to not have a backdoor (such as a fixed master key in an extra LUKS key 
slot, or a custom, possibly software-emulated, TPM that does not actually 
keep the key sealed) that allows them to decrypt anything anyway?

You are handing off your data to a third party and then trying to rely on 
Treacherous Computing technologies preventing that third party from doing 
some things (such as copying the encryption key) on their own computers. I 
do not think that this is in either party's interest.

        Kevin Kofler
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue