[Ksummit-discuss] [TOPIC] Secure/verified boot and roots of trust

Andy Lutomirski luto at amacapital.net
Wed Aug 3 17:28:51 UTC 2016


On Wed, Aug 3, 2016 at 10:26 AM, Matthew Garrett <mjg59 at coreos.com> wrote:
> On Wed, Aug 3, 2016 at 10:23 AM, Andy Lutomirski <luto at amacapital.net> wrote:
>> On Wed, Aug 3, 2016 at 10:17 AM, Matthew Garrett <mjg59 at coreos.com> wrote:
>>> Keys could be stored in a separate section and ignored for the
>>> purposes of build comparison.
>>
>> But that defeats the purpose.  If I'm verifying a reproducible build,
>> I don't want to have to take it on faith that the packager didn't keep
>> a copy of the build-time key.
>
> If you're trusting your upstream's signed bootloader you're already
> forced to trust your packagers. If you want to establish your own root
> of trust you could simply strip that section, replace it with your own
> and re-sign the modules and kernel. Or just keep using signatures,
> sign the public module signing key with the kernel signing key and
> push the policy decision out to the bootloader.

But only sort of.  If the upstream bootloader signature serves only to
make Secure Boot accept it, then I don't really care if the owner of
that signing key is evil, because they can't do anything with that key
without physical access.

-- 
Andy Lutomirski
AMA Capital Management, LLC
