
Verify boot files when downloading from boot.3mdeb.com

Open marmarek opened this issue 2 years ago • 10 comments

The problem you're addressing (if any)

Downloading over plain HTTP is prone to relatively simple MitM attacks.

Describe the solution you'd like

Use either HTTPS or (better) detached signatures (https://www.ipxe.net/cmd/imgverify)

Where is the value to a user, and who might that user be?

Better boot security when booting Dasharo Tools Suite

Describe alternatives you've considered

Additional context

marmarek · Nov 21 '22 15:11

@marmarek thanks for reporting.

@miczyg1 I guess this is trivial to enable. Question is if we plan it for v1.1.1 or v1.2.0 (I'm thinking about setting up such milestones and start gathering interest) ?

pietrushnic · Nov 25 '22 22:11

Yes, it should be trivial...

miczyg1 · Nov 29 '22 13:11

This has been integrated, right? @miczyg1

wessel-novacustom · Apr 15 '24 14:04

  1. We switched from boot.3mdeb.com to boot.dasharo.com
  2. We use HTTPS now indeed.
  3. But there is still no verification here: https://boot.dasharo.com/dts/dts.ipxe (need to utilize imgverify: https://ipxe.org/cmd/imgverify)

When point 3 is done, then we can close

miczyg1 · Apr 16 '24 07:04

> But there is still no verification here: https://boot.dasharo.com/dts/dts.ipxe (need to utilize imgverify: https://ipxe.org/cmd/imgverify)

Isn't the remaining scope from this issue a duplicate of https://github.com/Dasharo/dasharo-issues/issues/54? Could you confirm @artur-rs , @TomaszAIR ?

BeataZdunczyk · Apr 25 '24 12:04

I started investigating it here: https://github.com/Dasharo/meta-dts/blob/main/scripts/generate-ipxe-menu.sh#L18 some time ago

macpijan · Apr 25 '24 12:04

@BeataZdunczyk it is not a duplicate. The issue you linked should be closed (I already have closed it).

macpijan · Apr 25 '24 13:04

@marmarek We have HTTPS enabled, but we are still looking into this feature. Do you suggest that we enable `imgtrust --permanent` in the embedded script in firmware? I think only this way can we ensure that this is always enabled, since if we consider MITM, we cannot hope for an adversary to enable this imgtrust option in their iPXE menu.

Doesn't it limit other use-cases, though, such as booting stuff via netboot.xyz, or others, if they do not provide signatures and imgverify commands in their menus?

macpijan · Jul 11 '24 17:07

First of all, you can enable it only for DTS boot entry, no?

But also, IIUC imgtrust applies to chain too, so even if you use just imgtrust (without --permanent), only a signed script will be able to disable it again.

marmarek · Jul 11 '24 22:07

We could add `imgtrust --permanent` here: https://github.com/Dasharo/dasharo-blobs/blob/3f879073f4567590977eec477034e50dbd458545/dasharo/dasharo.ipxe#L21. Or, if we can verify the iPXE script, then use `imgtrust` before `dhcp` and `imgtrust --allow` before `goto MENU`, so we aren't stuck with `imgtrust` in case booting fails.

m-iwanicki · Jul 12 '24 08:07
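The thread above discusses two halves of the same mechanism: the server side produces a detached signature for each boot file, and the iPXE script on the client enables `imgtrust` and checks every image with `imgverify` before it is executed. The script below is an added example, not code from Dasharo or from this issue. It uses the detached DER-encoded CMS signature format that the iPXE documentation describes for `imgverify`, generates a throwaway CA and code-signing certificate so that it runs offline, and shows the tamper case (a modified image must fail verification). The host name `boot.example.invalid`, the file names and the certificate subjects are placeholders; the real Dasharo script and signing key are not reproduced here.

```shell
#!/bin/sh
# Added example (not Dasharo's code): detached CMS signing for iPXE imgverify.
# Assumptions: openssl is on PATH; host/file names below are placeholders.
set -eu

# make_ca_and_signer DIR
# Creates a throwaway CA and a code-signing certificate issued by it.
# In iPXE the CA certificate is what gets built into the firmware as a
# trusted root (or fetched via the TRUST/CERT build settings).
make_ca_and_signer() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Boot CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Boot Signer" \
        -keyout "$dir/codesign.key" -out "$dir/codesign.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$dir/codesign.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/codesign.crt" 2>/dev/null
}

# sign_image IMAGE SIGFILE DIR
# Produces the detached, binary, attribute-free DER CMS signature that
# "imgverify <image> <signature>" expects; -certfile embeds the CA cert so
# the client can build the chain to its trusted root.
sign_image() {
    openssl cms -sign -binary -noattr -in "$1" \
        -signer "$3/codesign.crt" -inkey "$3/codesign.key" \
        -certfile "$3/ca.crt" -outform DER -out "$2"
}

# verify_image IMAGE SIGFILE CAFILE
# The same check iPXE performs on the client, done with openssl so it can be
# tested here. Returns non-zero if the content or chain does not verify.
verify_image() {
    openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
        -CAfile "$3" -out /dev/null 2>/dev/null
}

# write_ipxe_script OUT
# A boot entry in which nothing runs unless its signature verifies.
# "imgtrust" rejects unverified images from this point on; the thread's
# "imgtrust --permanent" variant additionally prevents a later script from
# relaxing that with "imgtrust --allow".
write_ipxe_script() {
    cat > "$1" <<'EOF'
#!ipxe
imgtrust
kernel https://boot.example.invalid/dts/bzImage
initrd https://boot.example.invalid/dts/initrd.img
imgverify bzImage https://boot.example.invalid/dts/bzImage.sig || goto verify_failed
imgverify initrd.img https://boot.example.invalid/dts/initrd.img.sig || goto verify_failed
boot
:verify_failed
echo Signature verification failed, refusing to boot
shell
EOF
}

# demo DIR: sign a constructed stand-in kernel, verify it, then show that a
# one-byte change is rejected. Prints PASS/FAIL lines and returns 0 on success.
demo() {
    dir="$1"
    make_ca_and_signer "$dir"
    printf 'constructed stand-in for bzImage\n' > "$dir/bzImage"
    sign_image "$dir/bzImage" "$dir/bzImage.sig" "$dir"
    verify_image "$dir/bzImage" "$dir/bzImage.sig" "$dir/ca.crt" \
        && echo "PASS: genuine image verifies" || return 1
    printf 'constructed stand-in for bzImagf\n' > "$dir/bzImage.tampered"
    if verify_image "$dir/bzImage.tampered" "$dir/bzImage.sig" "$dir/ca.crt"; then
        echo "FAIL: tampered image was accepted"; return 1
    fi
    echo "PASS: tampered image rejected"
    write_ipxe_script "$dir/dts.ipxe"
    echo "iPXE menu written to $dir/dts.ipxe"
}

# Only run the demo when executed directly, not when sourced for testing.
case "${0##*/}" in
    *.sh) demo "$(mktemp -d)" ;;
esac
```

Note what this does and does not protect: the signature binds the kernel and initrd to the signing key, so HTTPS is no longer the only thing standing between the client and a swapped image, but the `imgtrust` line itself lives in the iPXE script, which is why the thread discusses putting it into the firmware-embedded script rather than into a menu fetched over the network.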