Verification of software downloads with virt-install --location?


 



Hi.  I'm experimenting with using 'virt-install --location' for
creating virtual machines for myself.  I'm installing Debian Jessie
VMs, if that matters, so the invocation looks something like this:

virt-install \
    --name=dist.sjd.se \
    --ram=1024 \
    --os-type=linux --os-variant=debianwheezy \
    --initrd-inject=preseed.cfg \
    --extra-args="auto=true console=tty0 console=ttyS0,115200" \
    --disk=$output,size=4,format=qcow2 \
    --serial pty \
    --location=http://ftp.se.debian.org/debian/dists/jessie/main/installer-amd64 \
    --nographics \
    --noreboot

However what is not clear to me is if there is any cryptographic
verification of the downloaded kernel/initrd-pair?  I can't find any
documentation on how to configure the PGP public key to trust for this
download, nor any checksum values to double-check it with.

If 'virt-install --location' does not check the integrity
of the kernel/initrd download, how do people protect themselves against
man-in-the-middle attacks replacing the kernel/initrd files with
trojaned versions?

Thanks,
/Simon

Attachment: pgphKlq8ZyNfa.pgp
Description: OpenPGP digital signatur

_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list
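
An added example, not part of the original post and not virt-install code: one way to check a kernel/initrd pair independently of the download tool is to follow Debian's checksum chain from the archive's Release file to the installer's SHA256SUMS file to the two boot files. It assumes Release has already been verified against Release.gpg (for example with gpgv and the Debian archive keyring); the two path constants are assumptions about the archive layout, and the sample data is constructed.

```python
import hashlib

SUMS_PATH = "main/installer-amd64/current/images/SHA256SUMS"  # assumed path in Release
BOOT = "./netboot/debian-installer/amd64/"                    # assumed prefix in SHA256SUMS

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def release_sha256_entries(release_text):
    """Map path -> (digest, size) from the 'SHA256:' section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new field ends the section
            in_section = line.strip() == "SHA256:"
        elif in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def verify_boot_files(release_text, sums_bytes, files):
    """Check SHA256SUMS against Release, then each file against SHA256SUMS.

    release_text must already be signature-checked (e.g. gpgv with Release.gpg);
    files maps a SHA256SUMS path to the downloaded bytes. Raises ValueError.
    """
    entry = release_sha256_entries(release_text).get(SUMS_PATH)
    if entry is None:
        raise ValueError("SHA256SUMS is not listed in Release")
    if entry != (sha256(sums_bytes), len(sums_bytes)):
        raise ValueError("SHA256SUMS does not match Release")
    sums = {}
    for line in sums_bytes.decode().splitlines():
        digest, path = line.split(None, 1)
        sums[path.strip()] = digest
    for path, data in files.items():
        if sums.get(path) != sha256(data):
            raise ValueError(path + " does not match SHA256SUMS")
    return True

def constructed_sample():
    """Build a tiny, made-up Release/SHA256SUMS/kernel/initrd set for the demo."""
    files = {BOOT + "linux": b"constructed kernel", BOOT + "initrd.gz": b"constructed initrd"}
    sums = "".join("%s  %s\n" % (sha256(d), p) for p, d in files.items()).encode()
    release = "Suite: stable\nSHA256:\n %s %d %s\n" % (sha256(sums), len(sums), SUMS_PATH)
    return release, sums, files

if __name__ == "__main__":
    release, sums, files = constructed_sample()
    print("genuine files verify:", verify_boot_files(release, sums, files))
```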
