[haiku-development] Re: Design for signed packages

  • From: Jonathan Schleifer <js-haiku-development@xxxxxxxxxxx>
  • To: haiku-development@xxxxxxxxxxxxx
  • Date: Mon, 24 Mar 2014 19:55:47 +0100

On 23.03.2014 at 23:17, Axel Dörfler <axeld@xxxxxxxxxxxxxxxx> wrote:

> On 03/22/2014 10:28 PM, Jonathan Schleifer wrote:
>> Remember our file system is encrypted. So now we need to ask the user for
>> the encryption password (in the loader, that is).
>> The loader is already signed so it cannot be tampered with. So after the
>> user entered the correct password, the loader can now load the haiku.hpkg -
>> without checking the signature!
>> 
>> Why? Because we already did so when we installed it, and an adversary cannot
>> modify data on an encrypted partition.
> 
> I don't think we should only support secure boot in combination with an 
> encrypted boot disk.

Well, for it to actually make sense, full disk encryption is basically a must. 
An attacker can just place arbitrary binaries on the system to get control.

> I also think it does not make any difference wrt signing whether or not the 
> disk is encrypted: once the system is running, the disk will be accessible. 
> With disk encryption, you only make it (supposedly very, very) hard for 
> someone to read/change your disk when they have physical access to it. When 
> the system is running, it does not protect you against malicious software at 
> all.

When the system is running, an attacker already needs to be inside the system 
to place binaries. So it's game over anyway. Even on Windows, for which 
SecureBoot was designed.

> With root access (and there is no reason to believe we will score any better 
> there than all those other systems, besides we're currently always root), you 
> could easily patch the kernel, and make all this signing superfluous.

Exactly. If the system is running and an attacker can modify files, it's game 
over. SecureBoot only protects the boot. When you use full disk encryption, an 
attacker can still modify your bootloader. Secure boot prevents that, but it 
does not prevent attacks on the running system. There is no way to prevent them 
with ports like Firewire, ExpressCard or Thunderbolt: They all allow accessing 
physical memory directly, without the OS noticing.

--
Jonathan
