On 25.03.2014 06:53, Ingo Weinhold wrote:
> On 25.03.2014 01:57, Jonathan Schleifer wrote:
>> On 24.03.2014 at 21:27, Axel Dörfler <axeld@xxxxxxxxxxxxxxxx> wrote:
>>> On 03/24/2014 07:55 PM, Jonathan Schleifer wrote:
>>>> On 23.03.2014 at 23:17, Axel Dörfler <axeld@xxxxxxxxxxxxxxxx> wrote:
>>>>> I don't think we should only support secure boot in combination with an encrypted boot disk.
>>>> Well, for it to actually make sense, full disk encryption is basically a must. An attacker can just place arbitrary binaries on the system to get control.
>>> How so? If the boot loader is signed, and loads a signed kernel which loads signed packages, I don't quite see how encryption is a necessity.
>> Just place a binary in non-packaged/bin with a name that clashes with that of an installed package, e.g. python. Wait until the victim boots and starts something using python. Let your binary add a new certificate and replace hpkgs. Attack successful ;).
> That's why unpackaged executables would have to be signed.
I see a big problem with the practicality of such a system. Neither do I want an encrypted boot disk, nor do I want to run only signed and trusted executables. I want to access the disk from other installed operating systems, just for a start. And I want to compile and run software without the need to obtain a trusted certificate and signing it with that.
I doubt that any practical solution would at the same time be a bullet-proof solution. It can only "improve" security and reduce "some" attack vectors, but not eliminate all.
Downloading software from the Internet is a huge attack surface. As such, if packages could be signed, I would have the option to install only signed and trusted packages via that channel. I am completely aware this is not at all bullet-proof.
If someone can propose a system that is bullet-proof and at the same time practical, I am all ears...
Best regards, -Stephan
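As an added illustration of the point argued in the quoted exchange (a signed loader and kernel only help if every executable the system runs is itself covered by a signature), here is a small loader-side check written for this thread. It is not Haiku code and not the package system discussed above; it assumes a hypothetical signed manifest that maps executable names to SHA-256 digests, signed with an Ed25519 key held by whoever builds the packages. The verdicts show the three cases the thread raises: a packaged binary that matches, a look-alike dropped into non-packaged/bin under a packaged name (digest mismatch), and a manifest edited without the signing key (signature failure, so nothing is trusted). All inputs are constructed stand-ins.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Verdict is the loader's decision for one executable.
type Verdict string

const (
	Trusted     Verdict = "trusted"      // name listed and digest matches the signed manifest
	Tampered    Verdict = "tampered"     // name listed but contents differ (e.g. a look-alike in non-packaged/bin)
	Unlisted    Verdict = "unlisted"     // name not covered by the manifest at all
	BadManifest Verdict = "bad-manifest" // manifest signature does not verify; trust nothing in it
)

// Manifest is a hypothetical signed allowlist: executable name -> hex SHA-256 digest.
type Manifest struct {
	Hashes    map[string]string
	Signature []byte // Ed25519 signature over canonical()
}

// canonical serialises the table in a fixed order so that signer and
// verifier always sign and check exactly the same bytes.
func (m Manifest) canonical() []byte {
	names := make([]string, 0, len(m.Hashes))
	for n := range m.Hashes {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		fmt.Fprintf(&buf, "%s %s\n", n, m.Hashes[n])
	}
	return buf.Bytes()
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignManifest builds and signs a manifest from executable name -> contents.
// This runs on the build side; the booted system only ever holds the public key.
func SignManifest(priv ed25519.PrivateKey, executables map[string][]byte) Manifest {
	m := Manifest{Hashes: make(map[string]string, len(executables))}
	for name, content := range executables {
		m.Hashes[name] = digest(content)
	}
	m.Signature = ed25519.Sign(priv, m.canonical())
	return m
}

// CheckExecutable is the loader-side check: verify the manifest signature
// first, then compare the candidate binary's digest with the listed one.
func CheckExecutable(pub ed25519.PublicKey, m Manifest, name string, content []byte) Verdict {
	if !ed25519.Verify(pub, m.canonical(), m.Signature) {
		return BadManifest
	}
	want, ok := m.Hashes[name]
	if !ok {
		return Unlisted
	}
	if want != digest(content) {
		return Tampered
	}
	return Trusted
}

func main() {
	// Constructed fixed seed so the run is reproducible; a real signing key
	// stays with the package builder and never reaches the booted system.
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	// Constructed stand-ins for executable contents.
	packagedPython := []byte("#!/bin/sh\necho packaged python\n")
	lookAlike := []byte("#!/bin/sh\necho look-alike in non-packaged/bin\n")

	m := SignManifest(priv, map[string][]byte{"python": packagedPython, "bash": []byte("packaged bash")})

	fmt.Println("packaged python:        ", CheckExecutable(pub, m, "python", packagedPython))
	fmt.Println("non-packaged/bin/python:", CheckExecutable(pub, m, "python", lookAlike))
	fmt.Println("unlisted executable:    ", CheckExecutable(pub, m, "sometool", lookAlike))

	// Editing the manifest without the private key breaks its signature, so the
	// loader rejects the whole manifest rather than the one edited entry.
	forged := m
	forged.Hashes = map[string]string{"python": digest(lookAlike)}
	fmt.Println("edited manifest:        ", CheckExecutable(pub, forged, "python", lookAlike))
}
```

The check deliberately verifies the signature before consulting any entry: an allowlist that can be edited in place is only as strong as the signature over it, which is the same reason the thread concludes that unpackaged executables would have to be signed rather than merely listed.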