From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Subject: Secure GNU Guix offloading
Date: Tue, 23 Mar 2021 14:46:05 +0100
Message-ID: <08637e6051d17cb890eb051ca8d5518a527bd39b.camel@zaclys.net>

Hello!

I have powerful machines at hand and I would like to share them through the GNU Guix offloading facility so that they are easy to use.

The problem is that setting up offloading requires my machine to trust each and every client's store public key, which means they can spoof results of derivations with malware.

I am not entirely sure of how it works internally, but I was thinking that instead of copying results of derivations over, there could be a "Secure offloading" mode where, instead of copying store items, it would copy the derivation and ask to rebuild them on the offload machine instead. It will be less efficient, but at least it will be safe to share a single powerful machine with multiple GNU Guix hackers.

I don't want to give more access than what SSH non-root access would give, and I think it would be possible to do something helpful in GNU Guix offloading so it can work even without the offload machine trusting the client's store public signing key.

Another thing is that it would be nice to have greater granularity on what you trust some store signing keys for, as in, you would want to use the offload machine for some development work but you wouldn't want to allow the offload machine to add malware to your own store.

I am thinking the GNU Guix VM machinery can be used to create a copy-on-write store (through virtio-fs I think?) whose every modification gets destroyed on VM shutdown or destroy (which looks great security-wise), and this already works AFAICT, but it's not widely known how it can be used and why.

What do you think?

Léo
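An added toy model (not Guix code, and not part of the message above) of the two trust models the proposal contrasts: in the current model the offload machine's ACL trusts a client key, so whatever store items that client signs are imported as build inputs unchanged; in the proposed "secure offloading" model the client ships only derivations and the offload machine rebuilds the inputs itself. Derivations, the `build()` hash, the HMAC signatures and the client names are all constructed stand-ins.

```python
"""Toy model of offloading trust: a derivation is a dict, a build is a
deterministic hash over the derivation and its inputs, and HMAC stands in
for Guix store signing keys. None of this is Guix's own code."""
import hashlib
import hmac
import json

# Constructed keys standing in for each client's store signing key.
CLIENT_KEYS = {"alice": b"alice-secret", "mallory": b"mallory-secret"}


def canon(obj):
    return json.dumps(obj, sort_keys=True)


def build(drv, inputs):
    """Stand-in for running a builder: the output depends on the derivation
    and on the exact bytes of every input it consumed."""
    return hashlib.sha256((canon(drv) + canon(inputs)).encode()).hexdigest()


def sign(client, payload):
    return hmac.new(CLIENT_KEYS[client], payload.encode(), "sha256").hexdigest()


def check(acl, client, payload, sig):
    if client not in acl:
        raise PermissionError("signing key not in ACL")
    if not hmac.compare_digest(sign(client, payload), sig):
        raise ValueError("bad signature")


def offload_trusted(acl, client, drv, shipped_inputs, sig):
    """Current model: the ACL trusts the client's key, so any store item the
    client signs is imported as an input without being rebuilt."""
    check(acl, client, canon(drv) + canon(shipped_inputs), sig)
    return build(drv, shipped_inputs)  # client-supplied bytes flow into the build


def offload_rebuild(acl, client, drv, input_drvs, sig):
    """Proposed 'secure offloading': the client ships only derivations; the
    offload machine rebuilds each input itself and never imports client bytes."""
    check(acl, client, canon(drv) + canon(input_drvs), sig)
    inputs = {name: build(d, {}) for name, d in input_drvs.items()}
    return build(drv, inputs)


def demo():
    """Mallory ships a tampered 'libc' store item instead of the real one."""
    acl, libc = {"alice", "mallory"}, {"name": "libc", "builder": "./configure && make"}
    app = {"name": "app", "builder": "gcc app.c"}
    honest = offload_rebuild(acl, "alice", app, {"libc": libc},
                             sign("alice", canon(app) + canon({"libc": libc})))
    bad_inputs = {"libc": "trojaned-libc-bytes"}
    spoofed = offload_trusted(acl, "mallory", app, bad_inputs,
                              sign("mallory", canon(app) + canon(bad_inputs)))
    return honest, spoofed
```

In rebuild mode a client can still define any derivation it likes, but the result is whatever the daemon builds from that derivation in its own build environment, which is no more than an SSH user could already do; the client never gets to place arbitrary bytes under a store path.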