* Secure GNU Guix offloading
@ 2021-03-23 13:46 Léo Le Bouter
2021-03-30 8:26 ` Ludovic Courtès
0 siblings, 1 reply; 3+ messages in thread
From: Léo Le Bouter @ 2021-03-23 13:46 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 1614 bytes --]
Hello!
I have powerful machines at hand and I would like to share them through
the GNU Guix offloading facility so that they are easy to use.
The problem is that setting up offloading requires my machine to trust
each and every client's store public key which means they can spoof
results of derivations with malware.
I am not entirely sure of how it works internally but I was thinking
that instead of copying results of derivations over there could be a
"Secure offloading" mode where instead of copying store items it would
copy the derivation and ask to rebuild them on the offload machine
instead. It will be less efficient but at least it will be safe to
share a single powerful machine with multiple GNU Guix hackers.
I don't want to give more access than what SSH non-root access would
give, and I think it would be possible to do something helpful in GNU
Guix offloading so it can work even without the offload machine
trusting the client's store public signing key.
Another thing is that it would be nice to have greater granularity on
what you trust some store signing keys for, as in, you would want to
use the offload machine for some development work but you wouldnt want
to allow the offload machine to add malware to your own store. I am
thinking the GNU Guix VM machinery can be used to create a copy-on-
write store (through virtio-fs I think?) whose every modification gets
destroyed on VM shutdown or destroy (which looks great security-wise),
and this already works AFAICT, but it's not widely known how it can be
used and why.
What do you think?
Léo
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Secure GNU Guix offloading
2021-03-23 13:46 Secure GNU Guix offloading Léo Le Bouter
@ 2021-03-30 8:26 ` Ludovic Courtès
2021-04-03 23:12 ` Léo Le Bouter
0 siblings, 1 reply; 3+ messages in thread
From: Ludovic Courtès @ 2021-03-30 8:26 UTC (permalink / raw)
To: Léo Le Bouter; +Cc: guix-devel
Hi!
Léo Le Bouter <lle-bout@zaclys.net> skribis:
> I don't want to give more access than what SSH non-root access would
> give, and I think it would be possible to do something helpful in GNU
> Guix offloading so it can work even without the offload machine
> trusting the client's store public signing key.
One possibility would be to give SSH access and nothing more. That
would allow hackers to run:
GUIX_DAEMON_SOCKET=ssh://leo.example.org guix build whatever
Users would still be able to retrieve build results from your machine
via ‘guix copy’ or an instance of ‘guix publish’ running on the machine.
HTH!
Ludo’.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-04-03 23:12 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-23 13:46 Secure GNU Guix offloading Léo Le Bouter
2021-03-30 8:26 ` Ludovic Courtès
2021-04-03 23:12 ` Léo Le Bouter
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).