[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#652011: general: Repeated pattern of FHS violation: Dependencies of /sbin and /bin, belong in /lib

On Thu, Dec 15, 2011 at 12:46:40PM +0000, Roger Leigh wrote:
> > Speed.
> [...]
> > encrypted. But this actually does _not_ slow things down: the Linux disk
> > cache is sensibly caching the decrypted data, so often-used stuff from
> > /bin and /lib happily remains in already-decrypted cache.  The
> > interesting stuff from /usr is generally too large and too seldomly used
> > to remain cached.

> This was brought up last time this came up on -devel.  And I think it kind
> of misses the point.

> You are encrypting / and not encrypting /usr.  That's fine.  But
> it's a workaround.  It's not addressing the *real* goal, which is
> to encrypt /etc.

> That is to say, /usr is a split of /convenience/.  The real solution
> would be to have /etc as a separately-mounted encrypted filesystem.
> So really, keeping /usr separate is a different issue, IMHO.  This
> isn't a reason to keep the /usr split, it's a reason to support
> mounting an encrypted /etc in the initramfs.  Such a solution would
> also satisfy those that want a read-only root but writable /etc for
> admin convenience.

This is just not true.  If you care about encrypting /etc, you frequently
also care about the integrity of /sbin/init so that an attacker can't
compromise the whole system, /bin/login and /lib/security so they can't
intercept passwords, and so forth.  Encrypting the root filesystem provides
this integrity checking; while encryption per se is not required, there
aren't really any usable signing-only methods at present for authenticating
the root filesystem, so if you want to protect against your rootfs having
been hijacked, making sure it's encrypted seems to be the way to do it at

(This assumes that you have signature checking on your initramfs of course,
which is a pain in its own right, or that you keep your initramfs on
removable media that remains under your control even when the laptop is out
of sight; and that if you have /usr as a separate, unencrypted partition,
that you do some kind of signature checking on that - perhaps via debsums.)

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Attachment: signature.asc
Description: Digital signature

Reply to: