
Signed preseed files?
Hi,

This is a bit of a stream of consciousness, so apologies if it's a bit
incoherent...

A bit of a thought experiment: you want to be able to reliably show that
your installation environment hasn't been tampered with. How do you do this?

Assuming the installation environment is a PXE-booted, preseeded one, how do
you do this?

Firstly, you want to validate your installation server. For a PXE boot, you
need to verify that pxelinux.0 is what it should be. This can be done out of
band, by checking the checksum with what's on a Debian mirror.

Next, you want to validate everything under pxelinux.cfg/.
This can also be done out of band, by checking the checksum, except this
could be locally customised. Hopefully it's easily eyeballed.

Next, you want to validate everything referenced by the config in
pxelinux.cfg/.
There's already an MD5SUMS file on the Debian mirror, e.g.
/debian/dists/lenny/main/installer-i386/current/images/MD5SUMS to help with
this, but it's not signed. What would it take to GPG sign this?

At this point, there's some deviation from the stock supplied netboot
config, but let's say there's a preseed file in use. In an ideal world, this
would be stored in a revision control system, so it should be able to be
verified against this. But could d-i itself also verify the integrity of the
preseed file once it was retrieved, if it also retrieved a detached
signature? I'm guessing you'd have to pass an argument to d-i to say what
key to expect the preseed to be signed by?

Then I guess you've just shifted the point of compromise to the PXELINUX
config, which has to pass the GPG key ID... Not sure if that's an
improvement or not. I guess see what I said earlier about validating these
config files.

Anyone else got any thoughts on how to improve the non-repudiation of a
netbooted d-i install?

regards

Andrew
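One way to implement the checks described above, as an added example that is not from this thread or from d-i itself: verify the netboot images against the mirror's MD5SUMS file, and only accept a preseed file when gpg's machine-readable status output reports a VALIDSIG made by the key fingerprint the installer was told to expect (a GOODSIG from any key in the keyring is not enough). The keyring path, file names and sample values are assumptions.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# gpg --status-fd emits machine-readable lines of the form "[GNUPG:] TAG arg arg ..."
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
FATAL_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}

def signature_trusted(status_text, expected_fpr):
    """Accept only if gpg reports a valid signature made by the expected key.
    GOODSIG alone would accept any key in the keyring; VALIDSIG carries the signing
    key's fingerprint (and, as its last field, the primary key's), which is what the
    "key to expect" passed to the installer should be compared against."""
    want = expected_fpr.replace(" ", "").upper()
    seen = set()
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        tag, args = m.group(1), (m.group(2) or "").split()
        if tag in FATAL_TAGS:
            return False
        if tag == "VALIDSIG" and args:
            seen.update({args[0].upper(), args[-1].upper()})
    return want in seen

def verify_preseed(preseed, sig, expected_fpr, keyring):
    """Verify a detached signature with gpg against a dedicated keyring (assumed path)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--status-fd", "1", "--verify", str(sig), str(preseed)],
        capture_output=True, text=True)
    return signature_trusted(proc.stdout, expected_fpr)

def check_md5sums(md5sums_path, image_dir):
    """Check each "<md5>  <path>" entry of an MD5SUMS file; return the paths that fail.
    An unsigned MD5SUMS only catches corruption: whoever can replace the images can
    replace the sums too, which is why the sums file itself needs a signature."""
    failures = []
    for line in Path(md5sums_path).read_text().splitlines():
        if not line.strip():
            continue
        digest, rel = line.split(None, 1)
        target = Path(image_dir) / rel.strip().lstrip("./")
        if not target.is_file() or hashlib.md5(target.read_bytes()).hexdigest() != digest.lower():
            failures.append(rel.strip())
    return failures
```

`verify_preseed` needs the gpg binary and a keyring containing only the expected key; `signature_trusted` can be exercised on saved status output without it.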
