Guix and intrusion detection (was Re: Help with writing custom boot-load

From: Giovanni Biscuolo
Subject: Guix and intrusion detection (was Re: Help with writing custom boot-loader configuration)
Date: Wed, 05 Jun 2019 20:01:03 +0200

Hello Raghav,

Raghav Gururajan <address@hidden> writes:


> It works. Was curious about other alternatives. Btw, is it possible to make
> guix automatically GPG-sign the "grub.cfg" it generates during "guix system
> init" or "guix system reconfigure"??

I cannot (still) help patching guix this way, but from a security POV
this is interesting, providing you explain what you are trying to
achieve :-)


1. to sign, guix should have a secret key and that key may be easily
stolen (modulo encryption but that's another story...)

2. to verify a list of system admins' signatures guix just needs public
keys and that's easy to provide, the not so easy part is patching guix I

3. signature of "grub.cfg" - or other store items - should be done on
*another* machine and items deployed to the host (there is some POC and
custom code around in guix-devel for this)

Could GPG signature *verification* of selected core parts (bootloader,
initrd, kernel... guix itself) of our reproducible system make us
confident that intrusions via physical access to hardware are
automatically detected and notified by guix? [1]

...or I'm exaggerating here and Guix already provides a good path to do
effective intrusion detection, even with remote hosts potentially
available to physical intrusion?



Thanks! Gio'.

[1] let's call it Trusting Remote Trust problem

Giovanni Biscuolo

Xelera IT Infrastructures
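
An added illustration of points 2 and 3 in the message above, not part of the original message and not Guix code: a POSIX shell check, run on the deployed host, that verifies detached signatures made on another machine using only a keyring of administrators' public keys. The keyring path, the `.sig` naming convention and the function names are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical names): verify detached OpenPGP signatures of
# boot-critical files with gpgv. No secret key ever needs to be on this host.

# verify_item KEYRING FILE
#   0 = FILE.sig is a valid signature of FILE by a key in KEYRING
#   1 = verification failed (tampered file, unknown signer, gpgv unavailable)
#   2 = keyring, file or signature is missing
verify_item() {
    keyring=$1
    file=$2
    [ -r "$keyring" ]  || { echo "MISSING keyring: $keyring" >&2; return 2; }
    [ -r "$file" ]     || { echo "MISSING file: $file" >&2; return 2; }
    [ -r "$file.sig" ] || { echo "UNSIGNED: $file" >&2; return 2; }
    # gpgv only verifies, and it accepts every key in the keyring as trusted,
    # so the keyring must hold the admins' public keys and nothing else.
    # Pass an absolute path: a name without a slash is looked up in the
    # GnuPG home directory instead.
    if gpgv --quiet --keyring "$keyring" "$file.sig" "$file" 2>/dev/null; then
        return 0
    fi
    echo "BAD SIGNATURE: $file" >&2
    return 1
}

# verify_all KEYRING FILE...
#   Checks every file (does not stop at the first failure) and returns the
#   number of files that did not verify, so 0 means everything verified.
verify_all() {
    keyring=$1
    shift
    failures=0
    for f in "$@"; do
        verify_item "$keyring" "$f" || failures=$((failures + 1))
    done
    return "$failures"
}

# Example call (constructed paths):
#   verify_all /etc/admin-keys.gpg /boot/grub/grub.cfg || echo "ALERT"
```

Any error, including a missing signature or an unusable keyring, counts as a failure, so the check fails closed.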

