On Thu, Apr 30, 2015 at 02:08:56PM +0200, Simon Josefsson wrote:
> Hi. I'm experimenting with using 'virt-install --location' for
> creating virtual machines for myself. I'm installing Debian Jessie
> VM's, if that matters, so the invocation looks something like this:
>
> virt-install \
>   --name=dist.sjd.se \
>   --ram=1024 \
>   --os-type=linux --os-variant=debianwheezy \
>   --initrd-inject=preseed.cfg \
>   --extra-args="auto=true console=tty0 console=ttyS0,115200" \
>   --disk=$output,size=4,format=qcow2 \
>   --serial pty \
>   --location=http://ftp.se.debian.org/debian/dists/jessie/main/installer-amd64 \
>   --nographics \
>   --noreboot
>
> However what is not clear to me is if there is any cryptographic
> verification of the downloaded kernel/initrd-pair? I can't find any
> documentation on how to configure the PGP public key to trust for this
> download, nor any checksum values to double-check it with.
>
> If 'virt-install --location' does not check the integrity
> of the kernel/initrd download, how do people protect themselves against
> man-in-the-middle attacks replacing the kernel/initrd files with
> trojaned versions?

You are correct that there is no verification of images which are
downloaded. The only real recommendation for protection is for
organizations to maintain their own trusted local mirror of the
distros that they frequently use.

That said it would obviously be desirable to look into whether there
is some kind of cryptographic verification that could be reasonably
performed.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list
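
Added example, not part of the original message and not a virt-install feature: one way to check a Debian installer kernel/initrd pair by hand before trusting it, following Debian's metadata chain (Release.gpg signs Release, Release lists the digest of the installer SHA256SUMS, SHA256SUMS lists the images). Assumptions: the function names are hypothetical, the files were already fetched into one directory, and the keyring from the debian-archive-keyring package is installed and trusted.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Chain checked: Release.gpg -> Release -> SHA256SUMS -> linux, initrd.gz

# Assumption: keyring installed by the debian-archive-keyring package.
KEYRING=${KEYRING:-/usr/share/keyrings/debian-archive-keyring.gpg}
SUMS_PATH=main/installer-amd64/current/images/SHA256SUMS

sha256_of() { sha256sum "$1" | awk '{ print $1 }'; }

# Step 1: Release must carry a valid signature from a key in KEYRING.
release_signed() { gpgv --keyring "$KEYRING" "$1.gpg" "$1"; }

# Step 2: the SHA256SUMS we hold must be the one Release lists.
# Release entries read " <digest> <size> <path>"; the MD5 and SHA1 sections
# use shorter digests, so only the SHA256 entry can equal a 64-hex value.
sums_listed_in_release() {  # RELEASE SUMS_FILE
    want=$(sha256_of "$2")
    awk -v h="$want" -v p="$SUMS_PATH" \
        '$1 == h && $3 == p { ok = 1 } END { exit !ok }' "$1"
}

# Step 3: each named file must be listed in SHA256SUMS and match its digest.
# A file that is missing from the manifest is a failure, not a pass.
files_match_sums() {  # SUMS_FILE DIR FILE...
    sums=$1; dir=$2; shift 2
    for f in "$@"; do
        want=$(awk -v p="./$f" '$2 == p { print $1 }' "$sums")
        [ -n "$want" ] || { echo "not listed: $f" >&2; return 1; }
        [ "$want" = "$(sha256_of "$dir/$f")" ] ||
            { echo "digest mismatch: $f" >&2; return 1; }
    done
}

# DIR holds Release, Release.gpg, SHA256SUMS and the netboot/ image tree.
verify_installer() {
    d=$1
    release_signed "$d/Release" &&
    sums_listed_in_release "$d/Release" "$d/SHA256SUMS" &&
    files_match_sums "$d/SHA256SUMS" "$d" \
        netboot/debian-installer/amd64/linux \
        netboot/debian-installer/amd64/initrd.gz
}
```

Source the file and run verify_installer DIR; a non-zero status means one link of the chain failed and the pair should not be booted.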