Auto-attachment based on signed GPTs #9620
Comments
DemiMarie
added
T: enhancement
|
Could you expand a bit on the intended use case and the desired security properties that you have in mind? |
I understand it as an UX improvement. You will be able to make a list of partitions and on which qubes it should attach it when available, instead of connecting the drive and use sys-usb to dispatch it to the right qube. There is even a little security benefit as it will avoid mistake, and also prevent the drive to be used if its partition changed. |
Indeed so! The assumption is that the drive itself is trusted and the whole disk is not accessible by untrusted code, but there might be other disks that are (in their entirity) attached to other qubes or come from other systems. |
|
What is the practical difference of this approach from using simply disk GUID (also part of GPT)? GPT doesn't say much about partition content (or their trustworthiness for that matter), and signature of GPT isn't really attached to this particular disk or its content - it can be freely copied as long as its copied together with the GPT. So, it remains secure only as long as its secret. Just disk GUID is already 128bits, also unlikely to be guessed, and similarly vulnerable to copying. |
|
Or if you really don't want to use disk GUID, maybe you can use a hash of the GPT? That would break of somebody changes GPT of course, but I guess it's a rare event. |
I understand why auto-attachment would be desirable. But what I'm wondering is in which specific scenario a signed partition table helps.
"whole disk is not accessible by untrusted code", so this includes not connecting that disk to another less trusted system, right? In that case why do you need to sign anything? If you don't like to use the GPT disk ID, since it's (normally) not considered secret, just write another random ID to it, no need to sign anything. On the other hand if the disk is also connected to less trusted systems, the signed GPT would no longer help with identifying the disk, since it can be copied including it's signature. |
Preventing impersonation, without relying on data that is likely to be logged by standard tools remaining confidential.
The idea is that one might have some disks that are connected to untrusted systems (presumably with signed firmware) and others that are not. This would be for disks in the latter category. |
But how helps signing the partition table here? Why not just add another random ID (that has enough entropy and is not logged by standard tools)? (Where exactly you would store that ID depends on the intended tradeoff, some options: MBR boot sector, behind GPT but before first partition, dedicated (very small) partition, ...) |
A random ID with enough entropy would work just fine, as long as it doesn’t get logged or used in e.g. qrexec policies without first being hashed. |
How to file a helpful issue
The problem you're addressing (if any)
Auto-attachment of block device partitions is brittle, even in the easy case where the disk (but not necessarily the image on it) is trusted. GUIDs have enough entropy that they are impractical to forge, but they are generally not considered sensitive and so are likely to leak to logs, bug reports, and other places.
The solution you'd like
Support auto-attaching based on signed GUID Partition Tables (GPTs). The signature will be placed in the unused space after the partition table but before the first partition. The signature might also include various information about the device itself.
The value to a user, and who that user might be
Users will be able to establish trust in a block device in a slightly robust way.
Completion criteria checklist
(This section is for developer use only. Please do not modify it.)
The text was updated successfully, but these errors were encountered: