From: Giovanni Biscuolo
Subject: Guix and intrusion detection (was Re: Help with writing custom boot-loader configuration)
Date: Wed, 05 Jun 2019 20:01:03 +0200
To: Raghav Gururajan, Timothy Sample
Cc: help-guix@gnu.org

Hello Raghav,

Raghav Gururajan writes:

[...]

> It works. Was curious about other alternatives. Btw, is it possible to make guix
> automatically GPG-Sign the "grub.cfg" it generates during "guix system init" or
> "guix system reconfigure" ??

I cannot (still) help patching guix this way, but from a security POV
this is interesting, providing you explain what you are trying to
achieve :-)

Anyway:

1. to sign, guix should have a secret key and that key may be easily
   stolen (modulo encryption but that's another story...)

2. to verify a list of system admins' signatures guix just needs public
   keys and that's easy to provide, the not so easy part is patching
   guix I guess

3. signature of "grub.cfg" - or other store items - should be done on
   *another* machine and items deployed to the host (there is some POC
   and custom code around in guix-devel for this)

Could GPG signature *verification* of selected core parts (bootloader,
initrd, kernel... guix itself) of our reproducible system make us
confident that intrusions via physical access to hardware are
automatically detected and notified by guix? [1]

...or I'm exaggerating here and Guix already provides a good path to do
effective intrusion detection, even with remote hosts potentially
available to physical intrusion?

Thoughts?

[...]

Thanks! Gio'.

[1] let's call it Trusting Remote Trust problem

-- 
Giovanni Biscuolo

Xelera IT Infrastructures