On Wed, 09.10.24 20:17, Fedora Development ML (devel@xxxxxxxxxxxxxxxxxxxxxxx) wrote:

> On 09.10.24 at 17:12, Simo Sorce wrote:
>
> > > Hence I am very curious where you think the security issues are?
> >
> > Sorry, I did not mean in any way to imply there are open security issues
> > with systemd-homed, I meant only that we need to analyze the security
> > assumptions in the context of making this a default and ensure we
> > protect what we mean to protect, and address the risk profile we
> > define.
>
> I want to add something here. FDE has two main purposes for mobile
> devices (e.g. a laptop):
>
> 1. prevent a thief from getting the data after the device is stolen
> 2. prevent an attacker from installing or exchanging installed software with
>    a version of their own (e.g. installing a keylogger) while the owner
>    isn't looking
>
> Number 1 is also taken care of by homed (if it does the encryption), if
> you only have your data in your home directory (my father for example
> does not; he has an extra disk with his most important data mounted at
> ~/data, yes, mounted INTO his home directory).
>
> FDE alone obviously can't take care of number 2, but needs at
> least something like SecureBoot and a protected BIOS (or similar). But
> if that's a given, it's pretty darn hard for an attacker to do so (although
> obviously not impossible, but I don't think there's a system where you
> can say that).
>
> With homed on the other hand, I don't think that would work. As far as I
> understand it, things like SecureBoot only work up to and including the
> kernel, but not for e.g. the init system, or homed itself. So an
> attacker could take the disk, mount it on one of his devices, exchange
> some system software with their own version (after all, it's not checked
> that this is an ok binary) and then put the disk back into the device.
>
> So, if you have a mobile device (like e.g. a laptop), I don't think that
> using JUST homed (even with SecureBoot) would be enough anyway.
The model I am trying to push people towards is to guarantee OS integrity via Measured Boot. systemd brings a lot of infrastructure for that these days: to provide TPM measurements, to manage TPM policies based on them, and to hook up FDE to that.

I think Secure Boot is much less interesting tech, since, at least in its incarnation for PCs, it is at best a very, very wide allowlist of things, which, because it is so imprecise, is effectively just a denylist of known bad stuff, not more. A security policy linked to Measured Boot is a much finer-grained approach, i.e. it can lock disk encryption to the OS vendor, the device vendor and its configuration.

I wish Fedora would focus more on making Measured Boot by default a thing (other distros are working towards that; for example SUSE has been investing in that), but Fedora is not precisely leading in this effort right now.

Lennart

--
Lennart Poettering, Berlin

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
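As an added illustration of the Measured Boot argument in the reply above (example code added here, not part of the thread and not systemd's own code): a toy model of how a TPM PCR accumulates a measurement of every boot stage, and why a disk-encryption key sealed to the PCR value the OS vendor predicts becomes unrecoverable once any measured component is swapped, including the init system inside the initrd that Secure Boot's signature check never looks at. The component names, the "vendor" and "tampered" chains and the key-wrapping scheme are all constructed for illustration; a real TPM keeps the secret inside the chip and enforces the PCR policy in hardware, and on a systemd system the enrollment and prediction are done by `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=...` together with `systemd-measure`, not by code like this.

```python
import hashlib
import hmac
import os

# A SHA-256 PCR bank starts as 32 zero bytes at platform reset.
PCR_RESET = b"\x00" * 32


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM2 PCR extend: new = SHA256(old || SHA256(component)).

    The operation is one-way and order-dependent, so the final value
    commits to every stage that was measured and the order it ran in.
    """
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def predict_pcr(components) -> bytes:
    """Precompute the PCR a boot chain will produce from the component
    images alone (what a vendor does offline to publish a policy)."""
    pcr = PCR_RESET
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def seal_to_pcr(secret: bytes, expected_pcr: bytes) -> dict:
    """Toy stand-in for sealing a secret under a TPM2 PCR policy.

    The wrapping key is derived from the *expected* PCR; the blob carries
    no copy of the policy value, so recovery requires reproducing the
    exact PCR. This is NOT real TPM cryptography (assumption for the demo).
    """
    assert len(secret) == 32
    wrap = hashlib.sha256(b"toy-seal" + expected_pcr).digest()
    blob = bytes(a ^ b for a, b in zip(secret, wrap))
    tag = hmac.new(wrap, blob, hashlib.sha256).digest()
    return {"blob": blob, "tag": tag}


def unseal_with_pcr(sealed: dict, current_pcr: bytes):
    """Return the secret if the current PCR satisfies the policy, else None."""
    wrap = hashlib.sha256(b"toy-seal" + current_pcr).digest()
    expected_tag = hmac.new(wrap, sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, sealed["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


# Constructed stand-ins for the images a measured boot would hash: firmware
# measures the bootloader, the loader measures kernel and initrd, and the
# initrd is where the init system (systemd) and homed live.
VENDOR_CHAIN = [
    b"shim-15.8",
    b"grub2-2.12",
    b"vmlinuz-6.11",
    b"initrd: systemd-256 + systemd-homed",
]

# The scenario from the thread: disk pulled, init replaced, disk put back.
# A Secure Boot signature check stops at the kernel; the measurement does not.
TAMPERED_CHAIN = VENDOR_CHAIN[:-1] + [
    b"initrd: systemd-256 + keylogger + systemd-homed",
]


def enroll_volume_key(chain) -> tuple:
    """Generate a volume key and seal it to the PCR the given chain predicts."""
    volume_key = os.urandom(32)
    return volume_key, seal_to_pcr(volume_key, predict_pcr(chain))


def boot_and_unlock(booted_chain, sealed: dict):
    """Simulate a boot: extend the PCR with what actually ran, then unseal."""
    return unseal_with_pcr(sealed, predict_pcr(booted_chain))


def demo() -> dict:
    """Enroll against the vendor chain, then boot both chains against it."""
    key, sealed = enroll_volume_key(VENDOR_CHAIN)
    return {
        "vendor_boot_unlocks": boot_and_unlock(VENDOR_CHAIN, sealed) == key,
        "tampered_boot_unlocks": boot_and_unlock(TAMPERED_CHAIN, sealed) is not None,
    }


if __name__ == "__main__":
    print(demo())
    print("PCR (vendor):  ", predict_pcr(VENDOR_CHAIN).hex())
    print("PCR (tampered):", predict_pcr(TAMPERED_CHAIN).hex())
```

The point the model makes visible is that the policy is computed from the content of the boot chain, not from who signed it: `predict_pcr` gives the same value on any machine that boots exactly the vendor's images in the vendor's order, and any change to any stage, or to the order, yields a different value and an unsealing failure. Which real PCR a given stage lands in, and whether the initrd is measured at all, depends on the firmware and the boot stub in use, so the chain here should be read as a sketch of the mechanism rather than a description of a particular distribution's PCR layout.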