On 1/22/2016 1:23 PM, Gordon Messmer wrote:
> On 01/22/2016 11:11 AM, John R Pierce wrote:
>> if you can insert a custom Machine Owner Key into this keyring, then
>> anyone with sufficient ingenuity can, too, which renders the whole
>> signature thing moot, other than as another step to be cracked.
>
> I'm not sure you understand mokutil. You do know that in order to
> enroll a key you must be physically present at the console before the
> kernel boots, right? In order to enroll a key, you must have admin
> access in the OS, and physical access to the hardware.

In order to install a kernel module without signing, you still need root-level access to the OS, so that's nothing new.

Most all servers I run have remote KVM via IPMI, or are VMs, so this can be done without physical presence, unless somehow mokutil disables KVM (keyboard/video/mouse, not kernel virtualization) AND refuses to run in a VM.

Sure, if someone has penetrated my IPMI and/or virtualization management, I'm already in a world of hurt, but no physical presence is required.

-- 
john r pierce, recycling bits in santa cruz
On 01/22/2016 01:56 PM, John R Pierce wrote:
> Sure, if someone has penetrated my IPMI and/or virtualization
> management, I'm already in a world of hurt

Exactly. IPMI should be on a dedicated VLAN with a bastion host. No other systems should have access to it at all. The servers, especially, should not have access to their own IPMI network. Otherwise, you risk creating exactly that kind of hole, where tasks that are supposed to require console access don't.

Having said that, I have no idea whether or not the virtual console is locked during the secure boot path. Anybody who uses IPMI and secure boot?
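The enrollment window the two of them are describing is visible from inside the OS: `mokutil --import` only queues a request, and the key is not trusted until someone confirms it at the (possibly remote) console on the next boot. The script below is an added example, not code from the thread or from mokutil; it parses captured `mokutil --sb-state` and `mokutil --list-new` output (a constructed sample is embedded so it runs offline) and reports a queued enrollment that nobody has confirmed yet.

```shell
#!/bin/sh
# Added example (not from the thread): audit the MOK enrollment window.
# A queued request that the admin team did not expect is worth an alert,
# because whoever confirms it at the console (IPMI KVM included) gets a
# key that the kernel will trust for module signatures from then on.

# Count "[key N]" headers in `mokutil --list-new` / `--list-enrolled` output.
# grep -c prints 0 and exits 1 on no match, so swallow that exit status.
count_mok_keys() {
    printf '%s\n' "$1" | grep -c '^\[key [0-9][0-9]*\]' || true
}

# Normalise `mokutil --sb-state` output to enabled / disabled / unknown.
sb_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# Verdict: "ok" when Secure Boot is on and nothing is queued, else a reason.
mok_verdict() {
    state=$(sb_state "$1")
    pending=$(count_mok_keys "$2")
    if [ "$state" != enabled ]; then
        echo "secure boot $state: unsigned modules are not rejected"
    elif [ "$pending" -gt 0 ]; then
        echo "$pending MOK enrollment request(s) awaiting console confirmation"
    else
        echo ok
    fi
}

# Constructed sample output in the shape mokutil prints: one queued key.
SAMPLE_SB='SecureBoot enabled'
SAMPLE_NEW='[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Subject: CN=example-mok (constructed)'

mok_verdict "$SAMPLE_SB" "$SAMPLE_NEW"

# On a live host (needs root for the MOK variables):
# mok_verdict "$(mokutil --sb-state 2>/dev/null)" "$(mokutil --list-new 2>/dev/null)"
```

Run it from cron or a config-management check and treat anything other than `ok` as a ticket; the same functions work on `mokutil --list-enrolled` output if you want to diff the enrolled set against a known-good list.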
On 1/22/2016 2:24 PM, Gordon Messmer wrote:
> On 01/22/2016 01:56 PM, John R Pierce wrote:
>> Sure, if someone has penetrated my IPMI and/or virtualization
>> management, I'm already in a world of hurt
>
> Exactly. IPMI should be on a dedicated VLAN with a bastion host. No
> other systems should have access to it at all. The servers,
> especially, should not have access to their own IPMI network.
> Otherwise, you risk creating exactly that kind of hole, where tasks
> that are supposed to require console access don't.
>
> Having said that, I have no idea whether or not the virtual console is
> locked during the secure boot path. Anybody who uses IPMI and secure
> boot?

For that matter, what about a VM running on a service like Amazon AWS (or pick your virtual server environment)? AWS provides a remote console, doesn't it?

-- 
john r pierce, recycling bits in santa cruz