Installing RPMS via Customization Key

Benjamin M. Schwartz bmschwar at fas.harvard.edu
Fri Mar 7 09:37:00 EST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Stone wrote:
| It's completely unsafe to use the new USB customization keys to execute
| software located on-key or on-NAND because any opportunity for arbitrary
code
| execution as uid 0 represents a serious threat to our first-boot activation
| security.
|
| Since we appear to want to be able to customize images with new RPMS, this
| leaves us in a somewhat sticky situation. The following patch represents one
| approach to resolving the difficulty - that of postponing the running of any
| commands until after the activation initramfs yields control to late
userland.

It is difficult to comment on this without more detail on "USB
customization keys".  My understanding was that such customization would
be done once at the level of whole countries, that it would be restricted
to /home, and that the "key" in question was a cryptographic signing key,
so that customizers (at the ministry of education) could create trusted
images that the firmware or journal would install automatically.  Thus, I
am not sure what a USB customization key is.

Countries that want to make invasive modifications to the operating system
should be allowed to do whatever they want, but allowing users to add
arbitrary RPMs without a developer key is a distinctly terrible idea.  I
cannot tell which you are proposing here.

Your patch does not suggest that the set of RPMs is signed.  Is there a
signature validation happening somewhere?

- --Ben
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH0VMMUJT6e6HFtqQRAvPJAJ9DQZoRGeoux2p2jLppPOku/QPBfACfcHgY
UePE4MqAOjpzj5Ykr4I8uIM=
=S8uD
-----END PGP SIGNATURE-----



More information about the Devel mailing list