On 1/22/2016 2:24 PM, Gordon Messmer wrote:
> On 01/22/2016 01:56 PM, John R Pierce wrote:
>> Sure, if someone has penetrated my IPMI and/or virtualization
>> management, I'm already in a world of hurt
>
> Exactly. IPMI should be on a dedicated VLAN with a bastion host. No
> other systems should have access to it at all. The servers,
> especially, should not have access to their own IPMI network.
> Otherwise, you risk creating exactly that kind of hole, where tasks
> that are supposed to require console access don't.
>
> Having said that, I have no idea whether or not the virtual console is
> locked during the secure boot path. Anybody who uses IPMI and secure
> boot?

For that matter, what about a VM running on a service like Amazon AWS (or pick your virtual server environment)? AWS provides a remote console, doesn't it?

-- 
john r pierce, recycling bits in santa cruz

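The segmentation rule quoted above (servers must not have a route into their own IPMI network) is easy to check on each host. The following is an added audit helper, not code from the thread or from any of its participants. It assumes the host's routing table is supplied as the text of `ip route show` and that the BMC subnet is already known (for example from the IP address and subnet mask printed by `ipmitool lan print`); the route table embedded below is a constructed sample.

```python
"""Report whether a host has a direct or static route into its own BMC/IPMI
subnet. Added example; not part of the original mailing-list thread.

Assumption: route_text is the output of `ip route show`; bmc_subnet is the
BMC network in CIDR form. A default route alone is ignored here because it
says nothing about local reachability; a directly attached or static route
into the BMC subnet is the hole the thread warns about.
"""
import ipaddress

# Constructed sample of `ip route show` output on a server that was (wrongly)
# given an interface on the same VLAN as its BMC.
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev eth0 proto dhcp metric 100
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.99.0.0/24 dev eth1 proto kernel scope link src 10.99.0.10
"""


def parse_routes(text):
    """Return a list of (destination network, interface) tuples from
    `ip route show` style lines. 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, dev))
    return routes


def routes_into_bmc_subnet(route_text, bmc_subnet):
    """Return [(prefix, interface), ...] for every non-default route that
    overlaps the BMC subnet. An empty list is the desired state: the host
    can only reach its BMC through whatever the bastion/VLAN design permits."""
    target = ipaddress.ip_network(bmc_subnet, strict=False)
    hits = []
    for net, dev in parse_routes(route_text):
        if net.prefixlen == 0:  # skip the default route
            continue
        if net.overlaps(target):
            hits.append((str(net), dev))
    return hits


if __name__ == "__main__":
    findings = routes_into_bmc_subnet(SAMPLE_ROUTES, "10.99.0.0/24")
    if findings:
        for prefix, dev in findings:
            print(f"FINDING: route {prefix} via {dev} reaches the BMC subnet")
    else:
        print("OK: no local route into the BMC subnet")
```

On a real host, feed it `subprocess.run(["ip", "route", "show"], capture_output=True, text=True).stdout` and the BMC subnet from your inventory; a non-empty result means the server can talk to its own (or a neighbour's) BMC without going through the bastion.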
On 01/22/2016 02:38 PM, John R Pierce wrote:
> For that matter, what about a VM running on a service like Amazon AWS
> (or pick your virtual server environment)? AWS provides a remote
> console, doesn't it?

AWS doesn't offer UEFI Secure Boot, so I'm not sure how that's relevant.

It seems like you're reaching for criticisms of mokutil because you don't like it, rather than because there is a demonstrable problem with it.

On 1/22/2016 3:42 PM, Gordon Messmer wrote:
> On 01/22/2016 02:38 PM, John R Pierce wrote:
>> For that matter, what about a VM running on a service like Amazon AWS
>> (or pick your virtual server environment)? AWS provides a remote
>> console, doesn't it?
>
> AWS doesn't offer UEFI Secure Boot, so I'm not sure how that's relevant.
>
> It seems like you're reaching for criticisms of mokutil because you
> don't like it, rather than because there is a demonstrable problem
> with it.

Yeah, I just realized, duh, secureboot on a VM is not an issue at all, so never mind all that.

I do think the whole secureboot thing is a bad idea on a general purpose computer system; it seems like an attempt at creating product lock-in and turning the x86 PC into an appliance, which it really isn't.

-- 
john r pierce, recycling bits in santa cruz