Re: Authenticated Boot: dm-integrity modes

Hello Wol,

Please, read the blog post I'm responding to for context to what I'm
saying: https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html

> dm-integrity is NOT ABOUT authentication
dm-integrity provides authentication when configured to use
sha256-hmac. I am not confusing dm-verity with dm-integrity.

> What if they're WRITTEN by things outside of the kernel? At which point, when the kernel tries to read it, things will go well pear-shaped for the system.
Well that's my point. A clever attacker can modify the filesystem
outside of the kernel and exploit a kernel vulnerability. The point of
putting dm-integrity on the rootfs (in hmac mode) is to prevent the
rootfs from being modified offline. My point is that it's entirely
possible to maliciously modify other filesystems that *will* be
mounted and *cannot* use dm-integrity.

> You should always run dm-integrity on bare metal.
Lennart was proposing to use dm-integrity (in HMAC mode) inside of the
loopback image to verify that the filesystem inside of the image was
not maliciously modified to hijack the kernel. My argument was that,
given that the filesystem the image is stored on is authenticated, why
does the content of the image have to be authenticated? As I've
pointed out in a previous email, layering instances of dm-integrity on
top of each other is catastrophic for write performance.

Regards,
Adrian
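The distinction drawn above, between dm-integrity detecting corruption (its default, an unkeyed checksum) and dm-integrity authenticating data (sha256-hmac with a key the attacker does not hold), is easy to show in a toy model. The block below is an added illustration written for this archive page; it is not code from the thread, from the kernel, or from cryptsetup. It models a device as data sectors plus a per-sector tag area, with the tag computed over the little-endian sector number followed by the sector data, which is a simplification of dm-integrity's real on-disk format and journal. CRC-32 from zlib stands in for the kernel's crc32c; the device class, the attacker helpers and the sample sector contents are all constructed for the example.

```python
"""Toy model of dm-integrity per-sector tags: unkeyed checksum vs. keyed HMAC.

Added illustration only; it does not talk to the kernel or to integritysetup.
"""
import hashlib
import hmac
import os
import struct
import zlib

SECTOR = 512                 # dm-integrity's default data sector size
MAC_MODE = "hmac-sha256"     # keyed: what the e-mail calls "hmac mode"
CRC_MODE = "crc32"           # unkeyed stand-in for the kernel's crc32c default


class IntegrityError(Exception):
    """Modelled equivalent of the I/O error the kernel returns on a tag mismatch."""


class IntegrityDevice:
    """Data area plus one tag per sector, as on a freshly formatted device."""

    def __init__(self, sectors, mode, key=None):
        if mode == MAC_MODE and not key:
            raise ValueError("HMAC mode needs a key")
        self.mode, self.key = mode, key
        self.data = bytearray(SECTOR * sectors)
        self.tags = [self._tag(i, self._sector(i)) for i in range(sectors)]

    def _sector(self, i):
        return bytes(self.data[i * SECTOR:(i + 1) * SECTOR])

    def _tag(self, i, buf):
        # Sector number is hashed ahead of the data, so a valid tag for
        # sector 0 is not a valid tag for sector 1 (simplified model).
        msg = struct.pack("<Q", i) + buf
        if self.mode == MAC_MODE:
            return hmac.new(self.key, msg, hashlib.sha256).digest()
        return struct.pack("<I", zlib.crc32(msg))

    def write(self, i, buf):
        """In-kernel write path: data and tag are updated together."""
        assert len(buf) == SECTOR
        self.data[i * SECTOR:(i + 1) * SECTOR] = buf
        self.tags[i] = self._tag(i, buf)

    def read(self, i):
        """In-kernel read path: recompute the tag and compare before returning data."""
        buf = self._sector(i)
        if not hmac.compare_digest(self.tags[i], self._tag(i, buf)):
            raise IntegrityError(f"sector {i}: tag mismatch")
        return buf


def offline_tamper(dev, i, buf, stolen_tag=None):
    """Attacker with the raw disk but no key (constructed adversary).

    They overwrite the data and fix up the tag as best they can: in CRC mode
    they simply recompute it; in HMAC mode they can only replay a tag copied
    from elsewhere on the disk, or leave the stale one in place.
    """
    dev.data[i * SECTOR:(i + 1) * SECTOR] = buf
    if dev.mode == CRC_MODE:
        dev.tags[i] = struct.pack("<I", zlib.crc32(struct.pack("<Q", i) + buf))
    elif stolen_tag is not None:
        dev.tags[i] = stolen_tag


def read_ok(dev, i):
    try:
        dev.read(i)
        return True
    except IntegrityError:
        return False


def demo():
    """Run the same offline attacks against both modes; return what the kernel would see."""
    key = os.urandom(32)
    original = b"#!/bin/sh\necho boot\n".ljust(SECTOR, b"\0")      # constructed sample
    evil = b"#!/bin/sh\nexec /tmp/backdoor\n".ljust(SECTOR, b"\0")  # constructed sample
    results = {}
    for mode in (CRC_MODE, MAC_MODE):
        dev = IntegrityDevice(4, mode, key if mode == MAC_MODE else None)
        dev.write(1, original)
        results[f"{mode}_legit_read"] = dev.read(1) == original
        # 1. Modify a sector offline and recompute/replay the tag without the key.
        offline_tamper(dev, 1, evil)
        results[f"{mode}_tamper_detected"] = not read_ok(dev, 1)
        # 2. Replay: copy sector 0's data and tag over sector 1.
        dev.write(1, original)
        offline_tamper(dev, 1, dev._sector(0), stolen_tag=dev.tags[0])
        results[f"{mode}_swap_detected"] = not read_ok(dev, 1)
    return results


if __name__ == "__main__":
    for k, v in sorted(demo().items()):
        print(f"{k:32s} {v}")
```

In the CRC run the offline modification and the sector replay both pass the read check, because anyone with the disk can recompute an unkeyed checksum; in the HMAC run both are rejected, the replay because the sector number is part of the MAC input. Note also that every write in the model touches the data area and the tag area; a second dm-integrity instance stacked on the first repeats that for its own tag area, which is the write cost the e-mail objects to.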
