Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CA-376240: Check signature of driver disks/supp packs during host installation #134

Open
wants to merge 1 commit into
base: release/xs8
Choose a base branch
from
Open

CA-376240: Check signature of driver disks/supp packs during host installation #134

wants to merge 1 commit into from

Conversation

GeraldEV
Copy link
Collaborator

The GPG key is specified in the updates.xml of the supplemental pack to install.
The key will already be present on the host as keys are installed as part of the main installation before the supp packs are installed.
During test deployments any test/dev keys must be loaded before the supp packs/driver disks are installed.

Tested on XenServer 8

CA-376240: Check signature of driver disks/supp packs
b2265c4 
The key specified in updates.xml will already be present as they are
installed as part of the main installation before supp packs are
installed.
@rosslagerwall
Copy link
Collaborator

During test deployments any test/dev keys must be loaded before the supp packs/driver disks are installed.

How would someone do that practically if supp packs are applied during installation?

@freddy77
Copy link
Collaborator

It looks like a strong regression. If the support pack is signed on its own when is the key installed in the code? Only the keys from the main repository are installed as far as I can see.

The best thing would be that the installer itself came with the right keys and check everything without having to trust the repositories but at the moment the keys are installed from main repository assuming they are safe.

@GeraldEV
Copy link
Collaborator Author

During test deployments any test/dev keys must be loaded before the supp packs/driver disks are installed.

How would someone do that practically if supp packs are applied during installation?

In my testing, I booted to a shell and then added the key, for an automated test environment the keys would need to be included in the main installation media - this might be impractical for now so we may need an alternative strategy for including the keys

@rosslagerwall
Copy link
Collaborator

Maybe a hidden debug option that can be passed on the command-line to revert back to the old behaviour?

@rosslagerwall
Copy link
Collaborator

There are some changes from xcp-ng that do something like that:

xcp-ng@afdbe02
xcp-ng@5c56d43

@ydirson
Copy link
Contributor

ydirson commented May 15, 2024

The best thing would be that the installer itself came with the right keys and check everything without having to trust the repositories but at the moment the keys are installed from main repository assuming they are safe.

What improvement does this give? If the user does not trust the ISO it would result in importing an attacker key on the host, so anyway the user must check the ISO integrity before using it (i.e. manually checking a gpg sig). And then I'd say all imaginable checks are already encompassed by that ISO integrity check.

@ydirson
Copy link
Contributor

ydirson commented May 15, 2024

There are some changes from xcp-ng that do something like that:

xcp-ng@afdbe02 xcp-ng@5c56d43

Note that for the same reasons as exposed above, I tend to think gpgcheck is make obsolete by repo-gpgcheck, as the repo sig encompasses every single RPM. And that even repo-gpgcheck does not bring any additional security when it comes to the repo in the ISO - which is why the signature checks as we had done them in xcpng-8.2 only impacted the network sources.

At worst, adding security features in the wrong places even give the users a false sense of security, and can lead them to take wrong decisions (ie. not checking the the integrity of the ISO "because there are sig checks already")

@freddy77
Copy link
Collaborator

The best thing would be that the installer itself came with the right keys and check everything without having to trust the repositories but at the moment the keys are installed from main repository assuming they are safe.

What improvement does this give? If the user does not trust the ISO it would result in importing an attacker key on the host, so anyway the user must check the ISO integrity before using it (i.e. manually checking a gpg sig). And then I'd say all imaginable checks are already encompassed by that ISO integrity check.

Having the main repository in the same ISO is only an option. If your main repository is on HTTP or FTP and you can check the signature from a key that comes with the installer you can't tamper with unsafe repositories.

@ydirson
Copy link
Contributor

ydirson commented May 15, 2024

Having the main repository in the same ISO is only an option. If your main repository is on HTTP or FTP and you can check the signature from a key that comes with the installer you can't tamper with unsafe repositories.

Right, and that's what we had added in 8.2.

OTOH, checking sigs when the repo is in the ISO causes issues when the user wants to customize the install media - roughly the same ones as those mentioned above with driver disks signed with a key unknown to the installer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bernhardkaindl bernhardkaindl bernhardkaindl approved these changes

@rosslagerwall rosslagerwall Awaiting requested review from rosslagerwall

@freddy77 freddy77 Awaiting requested review from freddy77

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@GeraldEV @rosslagerwall @freddy77 @ydirson @bernhardkaindl