> On Thu, Apr 30, 2015 at 02:08:56PM +0200, Simon Josefsson wrote:
> > Hi. I'm experimenting with using 'virt-install --location' for
> > creating virtual machines for myself. I'm installing Debian Jessie
> > VMs, if that matters, so the invocation looks something like this:
> >
> > virt-install \
> >   --name=dist.sjd.se \
> >   --ram=1024 \
> >   --os-type=linux --os-variant=debianwheezy \
> >   --initrd-inject=preseed.cfg \
> >   --extra-args="auto=true console=tty0 console=ttyS0,115200" \
> >   --disk=$output,size=4,format=qcow2 \
> >   --serial pty \
> >   --location=http://ftp.se.debian.org/debian/dists/jessie/main/installer-amd64 \
> >   --nographics \
> >   --noreboot
> >
> > However, what is not clear to me is whether there is any cryptographic
> > verification of the downloaded kernel/initrd pair. I can't find any
> > documentation on how to configure the PGP public key to trust for
> > this download, nor any checksum values to double-check it with.
> >
> > If 'virt-install --location' does not check the integrity
> > of the kernel/initrd download, how do people protect themselves
> > against man-in-the-middle attacks replacing the kernel/initrd files
> > with trojaned versions?
>
> You are correct that there is no verification of images which are
> downloaded. The only real recommendation for protection is for
> organizations to maintain their own trusted local mirror of the
> distros that they frequently use.

OK, thanks for confirming my understanding. I believe a complete local
mirror is a non-starter for me, but maybe a minimized mirror with only
a few files would work, if I can mirror them securely from debian.org.

> That said, it would obviously be desirable to look into whether there
> is some kind of cryptographic verification that could be reasonably
> performed.

Yes. It feels like a real bug to me.

/Simon
_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list
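The "minimized mirror with only a few files" idea from the reply above can be done with the trust chain Debian already publishes: the suite's `Release` file is signed (detached `Release.gpg`) by the Debian archive key, `Release` records the SHA256 of `main/installer-<arch>/current/images/SHA256SUMS`, and that file records the SHA256 of the netboot `linux` and `initrd.gz`. The script below is an added example written for this page; it is not code from the thread, from virt-install or from Debian. Its assumptions: the `debian-archive-keyring` package is installed at the path in `DEBIAN_KEYRING` (that keyring is the only trust root, so the mirror can be plain HTTP), `Release` lists the installer `SHA256SUMS` under exactly that path, `SHA256SUMS` uses `./`-prefixed paths, and `curl`, `gpgv`, `awk` and `sha256sum` are available. The output directory mimics `dists/<suite>/`, so it can replace the URL in the original `--location` argument with a local path.

```sh
#!/bin/sh
# Added example (not from the thread): build a minimal, verified local
# installer tree for virt-install --location. Trust is anchored in the
# Debian archive signing key (debian-archive-keyring package assumed at
# the path below); every other file is checked through a hash chain:
#   Release.gpg -> Release -> SHA256SUMS -> linux, initrd.gz
set -eu

# Print the SHA256 a Release file records for a path relative to
# dists/<suite>/. Release lists "<hash> <size> <path>" lines under the
# "SHA256:" header; entries under MD5Sum:/SHA1: are deliberately ignored.
release_sha256() {
  awk -v want="$2" '
    /^SHA256:/           { in_sha = 1; next }
    /^[^ ]/              { in_sha = 0 }
    in_sha && $3 == want { print $1; exit }
  ' "$1"
}

# Print the hash a SHA256SUMS file records for a path ("<hash>  ./path").
sums_sha256() {
  awk -v want="$2" '$2 == want || $2 == "./" want { print $1; exit }' "$1"
}

# Succeed only if file $1 hashes to the non-empty value $2. An empty
# expected hash means "not listed", which must fail, never pass.
check_sha256() {
  actual=$(sha256sum "$1" | awk '{ print $1 }')
  if [ -n "$2" ] && [ "$actual" = "$2" ]; then
    return 0
  fi
  return 1
}

# Download and verify the netboot kernel/initrd into a directory laid out
# like dists/<suite>/ so virt-install can be pointed at it, e.g.:
#   fetch_verified http://ftp.se.debian.org/debian jessie amd64 /srv/d-i/jessie
fetch_verified() {
  mirror=$1 suite=$2 arch=$3 out=$4
  keyring=${DEBIAN_KEYRING:-/usr/share/keyrings/debian-archive-keyring.gpg}
  images="main/installer-$arch/current/images"   # assumed archive layout
  netboot="netboot/debian-installer/$arch"
  mkdir -p "$out/$images/$netboot"

  # 1. Release and its detached signature; gpgv exits non-zero on a bad
  #    signature or an unknown key, and set -e turns that into a stop.
  curl -fsSLo "$out/Release"     "$mirror/dists/$suite/Release"
  curl -fsSLo "$out/Release.gpg" "$mirror/dists/$suite/Release.gpg"
  gpgv --keyring "$keyring" "$out/Release.gpg" "$out/Release"

  # 2. SHA256SUMS of the installer images, expected hash from signed Release.
  curl -fsSLo "$out/$images/SHA256SUMS" "$mirror/dists/$suite/$images/SHA256SUMS"
  check_sha256 "$out/$images/SHA256SUMS" \
    "$(release_sha256 "$out/Release" "$images/SHA256SUMS")" ||
    { echo "SHA256SUMS does not match the signed Release file" >&2; return 1; }

  # 3. Kernel and initrd, expected hashes from the now-verified SHA256SUMS.
  for f in linux initrd.gz; do
    curl -fsSLo "$out/$images/$netboot/$f" "$mirror/dists/$suite/$images/$netboot/$f"
    check_sha256 "$out/$images/$netboot/$f" \
      "$(sums_sha256 "$out/$images/SHA256SUMS" "./$netboot/$f")" ||
      { echo "$f does not match SHA256SUMS" >&2; return 1; }
  done
  echo "verified installer tree in $out"
}

# Usage: sh verified-d-i.sh fetch MIRROR SUITE ARCH OUTDIR
# then point virt-install at the local copy instead of the http:// URL:
#   virt-install ... --location=OUTDIR/main/installer-ARCH
if [ "${1:-}" = "fetch" ]; then
  fetch_verified "$2" "$3" "$4" "$5"
fi
```

Two caveats a practitioner should keep in mind. The script checks the signature but not the `Valid-Until` field in `Release`, so an attacker who can serve an old but genuinely signed tree could pin you to a stale installer; compare that date before trusting the download if freshness matters. And the local-directory `--location` relies on virt-install recognising the copied tree the same way it recognises the URL; if detection wants more of `current/images` than is copied here, the verified `linux` and `initrd.gz` can instead be handed over directly with `--boot kernel=...,initrd=...,kernel_args=...`, which bypasses tree detection entirely.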