Bootloader updates - consent here is largely "Is this a request that you expected to occur right now"
Replying to @mjg59
Wouldn't I always expect that to occur every time I run a system update?
Replying to @mjg59
Seems like the Security Key model of "tap button on login, confirming that you want the machine to log in to *something* (without communicating what that thing is)", except instead of doing it whenever you log in, you do it whenever the machine tells you to.
Replying to @tehjh
If a request is being triggered then either: 1) I'm getting a legitimate update 2) My distro's entire infrastructure has been comprehensively owned 3) My machine is already compromised
Replying to @mjg59
I don't get your point. In all three cases, the user will think "ah, I'm getting a legitimate system update" and press yes. What hurdle does requiring user consent on a separate device create to an attacker?
Replying to @tehjh
In the cases of (2) and (3) I'm already screwed, so it's basically irrelevant. But I'm now protected against someone only having compromised my distribution's signing infrastructure.
Replying to @mjg59
Are you talking about an attacker who has the distro's signing key and control over an update server / MITM on the connection to the update server? If so, won't that play out just like case 2? User tries to install updates, sees (evil) bootloader update, installs it?
Replying to @tehjh
No, someone who has the ability to generate a correctly signed malicious binary but not the ability to push that to all users
Replying to @mjg59
So how would that attacker get that signed binary on the machine of any user? You need code exec as root on the machine, network MITM, or physical access, right? Which of these are you trying to defend against?
It sounds like you don't want to guard against malicious network or code exec as root - in which case, wouldn't you get the same level of protection by automatically signing installed updates with a private key that's on the computer's LUKS-encrypted filesystem?