jmclnx 3 hours ago

So LP is or has left Microsoft?

>We are building cryptographically verifiable integrity into Linux systems

I wonder what that means? It could be a good thing, but I tend to think it could be a privacy nightmare depending on who controls the keys.

poettering 3 hours ago

Yes, I have.

dTal 3 hours ago

Verifiable to who? Some remote third party that isn't me? The hell would I want that?

murphyslaw 2 hours ago

Just an assumption here, but the project appears to be about the methodology to verify the install. Who holds the keys is an entirely different matter.

dsr_ an hour ago

Wernher von Braun only built the rockets; he didn't aim them, nor did he care where they landed.

(London. On some of my relatives.)

daviddever23box 43 minutes ago

...and the moon.

dsr_ 14 minutes ago

You'll understand if I don't think the tradeoffs were necessary, or worthwhile.

Spivak 24 minutes ago

https://0pointer.net/blog/authenticated-boot-and-disk-encryp...

You. The money quote about the current state of Linux security:

> In fact, right now, your data is probably more secure if stored on current ChromeOS, Android, Windows or MacOS devices, than it is on typical Linux distributions.

Say what you want about systemd the project but they're the only ones moving foundational Linux security forward, no one else even has the ambition to try. The hardening tools they've brought to Linux are so far ahead of everything else it's not even funny.

advisedwang 3 hours ago

The events include a conference title "Remote Attestation of Immutable Operating Systems built on systemd", which is a bit of a clue.

jsheard 3 hours ago

I'm sure this company is more focused on the enterprise angle, but I wonder if the buildout of support for remote attestation could eventually resolve the Linux gaming vs. anti-cheat stalemate. At least for those willing to use a "blessed" kernel provided by Valve or whoever.

devsda 3 hours ago

Road to hell is paved with good intentions.

Somebody will use it and eventually force it if it exists, and I don't think gaming, especially those requiring anti-cheat, is worth that risk.

If that means Linux will not be able to overtake Windows' market share, that's ok. At least the year of the Linux memes will still be funny.

digiown an hour ago

That'd be too bad. Sometimes, I feel like the general public doesn't deserve general purpose computing.

direwolf20 3 hours ago

Only by creating a new stalemate between essential liberty and a little temporary security — anticheat doesn't protect you from DMA cheating.

jsheard 3 hours ago

I might be behind on the latest counter-counter-counter-measures, but I know some of the leading AC solutions are already using IOMMU to wedge a firewall between passive DMA sniffers and the game process's memory.

e.g. https://support.faceit.com/hc/en-us/articles/19590307650588-...

rcxdude an hour ago

I sincerely hope not.

touisteur 3 hours ago

rust-vmm-based environment that verifies/authenticates an image before running? Immutable VM (no FS, root dropper after setting up network, no or curated device), 'micro'-vm based on systemd? vmm captures running kernel code/memory mapping before handing off to userland, checks periodically it hasn't changed? Anything else on the state of the art of immutable/integrity-checking of VMs?

mikkupikku 3 hours ago

Sounds like kernel mode DRM or some similarly unwanted bullshit.

bayindirh 3 hours ago

It's probably built on systemd's Secure Boot + immutability support.

As said above, it's about who controls the keys. It's either building your own castle or having to live with the Ultimate TiVo.

We'll see.

direwolf20 3 hours ago

We all know who controls the keys. It's the first party who puts their hands on the device.

curt15 an hour ago

And once you remove the friction for requiring cryptographic verification of each component, all it takes is one well-resourced lobby to pass a law either banning user-controlled signing keys outright or relegating them to second-class status. All governments share broadly similar tendencies; the EU and UK govts have always coveted central control over user devices.

bayindirh 3 hours ago

Doesn't have to be. While I'm not a fan of systemd (my comment history is there), I want to start from a neutral PoV, and see what it does.

I have my reservations, ideas, and what it's supposed to do, but this is not a place to make speculations and to break spirits.

I'll put my criticism out politely when it's time.

zb3 3 hours ago

Just to make it clear - on Android you don't have the keys. Even with avb_custom_key you can't modify many partitions.

bayindirh 3 hours ago

None of the consumer mobile devices give you all the keys. There are many reasons for that, but 99.9% of them are monetary reasons.

youarentrightjr 3 hours ago

> Sounds like kernel mode DRM or some similarly unwanted bullshit.

Look, I hate systemd just as much as the next guy - but how are you getting "DRM" out of this?

direwolf20 3 hours ago

Remote attestation is literally a form of DRM

microtonal 3 hours ago

There are genuine positive applications for remote attestation. E.g., if you maintain a set of servers, you can verify that it runs the software it should be running (the software is not compromised). Or if you are running something similar to Apple's Private Compute Cloud to run models, users can verify that it is running the privacy-preserving image that it is claiming to be running.

There are also bad forms of remote attestation (like Google's variant that helps them let banks block you if you are running an alt-os). Those suck and should be rejected.

Edit: bri3d described what I mean better here: https://news.ycombinator.com/item?id=46785123

direwolf20 2 hours ago

I agree that DRM feels good when you're the one controlling it.

youarentrightjr an hour ago

> Remote attestation is literally a form of DRM

Let's say I accept this statement.

What makes you think trusted boot == remote attestation?

omnicognate 3 hours ago

As the immediate responder to this comment, I claim to be the next guy. I love systemd.

josephcsible 3 hours ago

"cryptographically verifiable integrity" is a euphemism for tivoization/Treacherous Computing. See, e.g., https://www.gnu.org/philosophy/can-you-trust.en.html

elcritch 3 hours ago

Secure boot and attestation both generally require a form of DRM. It’s a boon for security, but also for control.

youarentrightjr 31 minutes ago

> Secure boot and attestation both generally require a form of DRM.

They literally don't.

For a decade, I worked on secure boot & attestation for a device that was both:

- firmware updatable
- had zero concept or hardware that connected it to anything that could remotely be called a network

warkdarrior 3 minutes ago

Interesting. So what did the attestation say once I (random Internet user) updated the firmware to something I wrote or compiled from another source?

mikkupikku 3 hours ago

I don't mind SystemD.

bri3d 3 hours ago

Hacker News has recently been dominated by conspiracy theorists who believe that all applications of cryptography are evil attempts by shadowy corporate overlords to dominate their use of computing.

josephcsible 3 hours ago

No, it's not "all applications of cryptography". It's only remote attestation.

mikkupikku 2 hours ago

Buddy, if I want encryption of my own I've got secure boot, LUKS, GPG, etc. With all of those, why would I need or even want remote attestation? The purpose of that is to assure corporations that their code is running on my computer without me being able to modify it. It's for DRM.

bri3d an hour ago

I am fairly confident that this company is going to assure corporations that their own code is running on their own computers (ie - to secure datacenter workloads), to allow _you_ (or auditors) to assure that only _your_ asserted code is also running on their rented computers (to secure cloud workloads), or to assure that the code running on _their_ computers is what they say it is, which is actually pretty cool since it lets you use Somebody Else's Computer with some assurance that they aren't spying on you (see: Apple Private Cloud Compute). Maybe they will also try to use this to assert "deep" embedded devices which already lock the user out, although even this seems less likely given that these devices frequently already have such systems in place.

IMO it's pretty clear that this is a server play because the only place where Linux has enough of a foothold to make client / end-user attestation financially interesting is Android, where it already exists. And to me the server play actually gives me more capabilities than I had: it lets me run my code on cloud provided machines and/or use cloud services with some level of assurance that the provider hasn't backdoored me and my systems haven't been compromised.

mikkupikku an hour ago

How can you be "pretty sure" they're going to develop precisely the technology needed to implement DRM but also will never use or allow it to be used by anybody but the lawful owners of the hardware? You can't.

It's like designing new kinds of nerve gas, "quite sure" that it will only ever be in the hands of good guys who aren't going to hurt people with it. That's powerful naïveté. Once you make it, you can't control who has it and what they use it for. There's no take-backsies, that's why it should never be created in the first place.

bri3d an hour ago

The technology needed to implement DRM has been there for 20+ years and has already evolved in the space where it makes sense from an "evil" standpoint (if you're on that particular side of the fence - Android client attestation), so someone implementing the flip side that might actually be useful doesn't particularly bother me. I remember the 1990s "cryptography is the weapon of evil" arguments too - it's funny how the tables have turned, but I still believe that in general these useful technologies can help people overall.

mikkupikku 33 minutes ago

The technology already exists and also there is unmet industrial market demand for the technology. Incoherent. If it already exists as you say, then Lennart should fuck off and find something else to make.

bri3d 7 minutes ago

> The technology already exists and also there is unmet industrial market demand for the technology.

The "bad" version, client attestation, is already implemented on Android, and could be implemented elsewhere but is only a parallel concept.

There is unmet industrial market demand for the (IMO) "not so bad / maybe even good" version, server attestation.