
Re: Automating signing of DKMS modules with machine owner key



On Aug 05 2020, Jeremy Stanley <fungi@yuggoth.org> wrote:
> On 2020-08-05 20:30:59 +0100 (+0100), Nikolaus Rath wrote:
>> On Aug 04 2020, Jeremy Stanley <fungi@yuggoth.org> wrote:
>> > Okay, so for systems to which a malicious party may gain physical
>> > access (or remote console access) there's sort of a third risk this
>> > addresses. A special case of the second risk really. *If* you're
>> > also encrypting the filesystem on which that signing key resides
>> > (via LUKS or similar) then this might keep you safe from someone
>> > with access to replace the kernel or initrd on the unencrypted boot
>> > partition... but only if they can't unlock the decryption key for
>> > the FS which holds the signing key of course.
>> 
>> Wouldn't such an attacker simply modify the (necessarily unencrypted)
>> initrd such that it stores the decryption key for the attacker the next
>> time you enter it?
>
> How would this attacker generate the new initrd signature so that it
> still validates correctly?

I didn't know this was validated these days. Still, couldn't they just
reconfigure/reinstall Grub so that it doesn't validate the initrd?

Best
-Nikolaus
-- 
GPG Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«

