[Ksummit-discuss] [TOPIC] Secure/verified boot and roots of trust
Matthew Garrett
mjg59 at coreos.com
Wed Aug 3 17:26:41 UTC 2016
On Wed, Aug 3, 2016 at 10:23 AM, Andy Lutomirski <luto at amacapital.net> wrote:
> On Wed, Aug 3, 2016 at 10:17 AM, Matthew Garrett <mjg59 at coreos.com> wrote:
>> Keys could be stored in a separate section and ignored for the
>> purposes of build comparison.
>
> But that defeats the purpose. If I'm verifying a reproducible build,
> I don't want to have to take it on faith that the packager didn't keep
> a copy of the build-time key.
If you're trusting your upstream's signed bootloader you're already
forced to trust your packagers. If you want to establish your own root
of trust you could simply strip that section, replace it with your own
and re-sign the modules and kernel. Or just keep using signatures,
sign the public module signing key with the kernel signing key and
push the policy decision out to the bootloader.
More information about the Ksummit-discuss
mailing list