On Mi, 10.05.23 14:32, Neal Gompa (ngompa13@xxxxxxxxx) wrote:

> On Wed, May 10, 2023 at 2:24 PM Owen Taylor <otaylor@xxxxxxxxxx> wrote:
>
> >> As soon as you throw UKIs in the mix, you've completely broken that
> >> because now the absolutely most valuable code for your system is in a
> >> "hostile" environment. At least we can make /boot authenticated and
> >> tamper resistant as a Btrfs subvolume.
> >
> > As other people have mentioned, we have a solution for the ESP being
> > untrusted - secure boot. As far as I understand, there's no tamper
> > resistance for /boot on btrfs unless it's encrypted, and that would be
> > a whole other barrel of snakes :-)
>
> fsverity is separate from fscrypt. We can apply filesystem
> authentication today.

No, that's just wrong. fsverity is *not* filesystem authentication. It's
authentication of the content of a single file, and not more. And that's
just too little, because a complex file system such as btrfs is simply
not considered robust against rogue offline modification. (Again, I am
at LFSMMBPF and if you want I can get you a quote from the btrfs
maintainer about this). Thus you must authenticate btrfs *before* you
mount it, and fsverity is only available after.

Sorry, fsverity has some usecases, but your usecase here is absolutely
not it.

Seriously, forget about this whole btrfs idea. It's wrong on many many
levels.

> No. It initializes the whole operating system, and then pivots the
> user-space later. That's why we have to do everything in initramfs.
> UKIs attempt to standardize the early-stage image without attempting
> to solve this problem, because a two-stage boot process requires
> changing how we think about operating system initialization.

So the initrd is supposed to contain exactly what is necessary to get
access to the root fs, not more. Thing is that Linux is very very
flexible, and people put their root fs on crazy stuff.
Now I personally don't even care much about the crazy storage options
people want to back the rootfs, I only care about the non-crazy part (in
my eyes), i.e. encryption, fido2, tpm stuff, which possibly requires
interactivity so it probably also means a graphical session to some
point. While that generally ends up being a lot, it still is certainly
not *everything*.

You can stick your head in the sand and pretend that nothing of this
mattered, and you don't have to authenticate and things, but then you
simply didn't solve the problem at hand.

Lennart

--
Lennart Poettering, Berlin
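The distinction Lennart draws (fsverity covers one file's content; the filesystem itself has to be authenticated before it is mounted) can be made concrete with a small model. The Python below is an added illustration and is not code from this thread or from the fsverity or btrfs projects: it builds a per-file Merkle root in the way fsverity does, and a whole-image Merkle root of the kind a pre-mount block-level check (dm-verity) computes, over a constructed, hypothetical /boot image. The block size, the serialization of the image, and the sample file contents are all assumptions chosen for the demonstration.

```python
import hashlib

BLOCK = 4096  # model block size; real fsverity and dm-verity also hash fixed-size blocks


def merkle_root(blocks):
    """SHA-256 Merkle root over a list of byte strings.
    The last node is duplicated on odd-sized levels, as a simple binary tree does."""
    level = [hashlib.sha256(b).digest() for b in blocks] or [hashlib.sha256(b"").digest()]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()


def to_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def fsverity_digest(data):
    """fsverity model: a Merkle root over ONE file's data blocks and nothing else."""
    return merkle_root(to_blocks(data))


def image_digest(fs):
    """Pre-mount model: a Merkle root over the whole serialized image, so names,
    mode bits and the set of files are covered, not just each file's bytes.
    (The serialization format here is an assumption of this example.)"""
    image = b"".join(
        path.encode() + b"\0" + mode.encode() + b"\0" + data + b"\0"
        for path, (mode, data) in sorted(fs.items()))
    return merkle_root(to_blocks(image))


def verify_files(fs, expected):
    """Per-file check: every file with a recorded digest still hashes to it.
    Files without a recorded digest, directory structure and metadata are not checked."""
    return all(path in fs and fsverity_digest(fs[path][1]) == d
               for path, d in expected.items())


def verify_image(fs, expected_root):
    """Whole-image check: anything in the serialized image changed -> mismatch."""
    return image_digest(fs) == expected_root


# Constructed sample image: path -> (mode, data). Not taken from any real system.
GOLDEN = {
    "/boot/vmlinuz": ("0644", b"\x7fELF" + b"kernel-bytes" * 700),
    "/boot/loader/entries/fedora.conf": ("0644", b"title Fedora\nlinux /vmlinuz\n"),
}
FILE_DIGESTS = {p: fsverity_digest(d) for p, (_, d) in GOLDEN.items()}
IMAGE_ROOT = image_digest(GOLDEN)


def metadata_only_edit():
    """An offline change that leaves every digested file's bytes intact: the mode
    bits of an existing file change and an extra, undigested boot entry appears."""
    fs = dict(GOLDEN)
    conf = "/boot/loader/entries/fedora.conf"
    fs[conf] = ("0666", GOLDEN[conf][1])
    fs["/boot/loader/entries/zz-extra.conf"] = ("0644", b"title Extra\nlinux /other-kernel\n")
    return fs


def data_edit():
    """A change to a digested file's content; both models catch this one."""
    fs = dict(GOLDEN)
    fs["/boot/vmlinuz"] = ("0644", GOLDEN["/boot/vmlinuz"][1] + b"x")
    return fs


if __name__ == "__main__":
    print("golden   per-file:", verify_files(GOLDEN, FILE_DIGESTS),
          "image:", verify_image(GOLDEN, IMAGE_ROOT))
    print("metadata per-file:", verify_files(metadata_only_edit(), FILE_DIGESTS),
          "image:", verify_image(metadata_only_edit(), IMAGE_ROOT))
    print("data     per-file:", verify_files(data_edit(), FILE_DIGESTS),
          "image:", verify_image(data_edit(), IMAGE_ROOT))
```

The second run shows the gap the mail is about: with only per-file roots recorded, a filesystem whose metadata or file set was changed while unmounted still passes every fsverity-style check, because the tree walk that finds those files is itself unverified; the whole-image root, checked before anything is mounted, is what rejects it.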