[haiku-development] Re: Design for signed packages

  • From: Axel Dörfler <axeld@xxxxxxxxxxxxxxxx>
  • To: haiku-development@xxxxxxxxxxxxx
  • Date: Sun, 23 Mar 2014 23:17:51 +0100

On 03/22/2014 10:28 PM, Jonathan Schleifer wrote:
Remember our file system is encrypted. So now we need to ask the user for the encryption password (in the loader, that is).
The loader is already signed so it cannot be tampered with. So after the user entered the correct password, the loader can now load the haiku.hpkg - without checking the signature!

Why? Because we already did so when we installed it, and an adversary cannot modify data on an encrypted partition.

I don't think we should only support secure boot in combination with an encrypted boot disk.

I also think it does not make any difference wrt signing whether or not the disk is encrypted: once the system is running, the disk will be accessible. With disk encryption, you only make it (supposedly very, very) hard for someone to read/change your disk when they have physical access to it. When the system is running, it does not protect you against malicious software at all.

With root access (and there is no reason to believe we will score any better there than all those other systems, besides we're currently always root), you could easily patch the kernel, and make all this signing superfluous.

Bye,
   Axel.
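The disagreement above is about the trust model of the boot chain: whether the loader may skip the package signature check because the partition is encrypted. The following toy model, added here and not part of this thread or of Haiku's code, plays both designs through. It assumes a stand-in "signature" (HMAC-SHA256 with a key the loader holds, in place of a real asymmetric package signature), a toy SHAKE-256 keystream as the "disk encryption" (not a real disk cipher), constructed package contents, and a running system that holds the disk key, as any unlocked system does.

```python
"""Toy model of the boot-chain argument in this thread (constructed example).

Stand-ins, labelled as assumptions:
  - the package "signature" is an HMAC-SHA256 over the package bytes; the key
    plays the role of the vendor's signing key / the loader's embedded verify key,
  - "disk encryption" is a SHAKE-256 keystream XORed over the data (toy only),
  - the running OS holds the disk key, exactly as a real unlocked system does.
"""
import hashlib
import hmac

SIGNING_KEY = b"build-server-signing-key"   # stand-in for the vendor's signing key
DISK_KEY = b"user-disk-passphrase"          # what the user types into the loader

PKG_PATH = "/system/packages/haiku.hpkg"        # constructed path for the model
SIG_PATH = "/system/packages/haiku.hpkg.sig"


def sign_package(pkg: bytes) -> bytes:
    """Produce the stand-in signature over the package bytes."""
    return hmac.new(SIGNING_KEY, pkg, hashlib.sha256).digest()


def verify_package(pkg: bytes, sig: bytes) -> bool:
    """Constant-time check of the stand-in signature."""
    expected = hmac.new(SIGNING_KEY, pkg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def _keystream(key: bytes, path: str, length: int) -> bytes:
    # Toy per-path keystream; a real disk cipher would be used instead.
    return hashlib.shake_256(key + path.encode()).digest(length)


class EncryptedDisk:
    """Holds ciphertext only. Whoever has the key can read and write freely."""

    def __init__(self, key: bytes):
        self._key = key
        self._blocks = {}

    def write(self, path: str, data: bytes) -> None:
        ks = _keystream(self._key, path, len(data))
        self._blocks[path] = bytes(a ^ b for a, b in zip(data, ks))

    def read(self, path: str) -> bytes:
        ct = self._blocks[path]
        ks = _keystream(self._key, path, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))


def install(disk: EncryptedDisk, pkg: bytes, sig: bytes) -> None:
    """Installer verifies once at install time, as the quoted design proposes."""
    if not verify_package(pkg, sig):
        raise ValueError("refusing to install a package with a bad signature")
    disk.write(PKG_PATH, pkg)
    disk.write(SIG_PATH, sig)


def runtime_write_as_root(disk: EncryptedDisk, path: str, data: bytes) -> None:
    """While the system runs, the disk is unlocked: root writes straight through
    the encryption layer, so the ciphertext on disk stays perfectly valid."""
    disk.write(path, data)


def loader_boot(disk: EncryptedDisk, check_signature: bool) -> str:
    """The signed loader decrypts the package and either verifies it or not."""
    pkg = disk.read(PKG_PATH)
    sig = disk.read(SIG_PATH)
    if check_signature and not verify_package(pkg, sig):
        return "REFUSED"
    return "BOOTED " + pkg.decode()


def scenario(check_signature: bool) -> str:
    """Install a genuine package, have the running system replace it, reboot."""
    disk = EncryptedDisk(DISK_KEY)
    genuine = b"haiku.hpkg v1 (genuine)"          # constructed package contents
    install(disk, genuine, sign_package(genuine))
    runtime_write_as_root(disk, PKG_PATH, b"haiku.hpkg v1 (patched)")
    return loader_boot(disk, check_signature)


if __name__ == "__main__":
    print("loader skips signature check:", scenario(check_signature=False))
    print("loader verifies signature:  ", scenario(check_signature=True))
```

Encryption never enters the decision: in both runs the ciphertext on disk is well-formed because the writer held the key. Only the loader-side verification (`check_signature=True`) notices that the package no longer matches the signature stored beside it, which is the point made in the reply that runtime access to an unlocked disk is not prevented by encrypting it.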
