On 15/12/2022 18:15, Toomas Tamm via linux-fai wrote:

> Some things that I can imagine that could mitigate such risks would be:
> - Inputting some secret on the physical machine during install (from the keyboard, USB
> stick, etc). This would defeat the idea of "fully automatic" install.
That's a form of "root of trust".

> - Pre-loading a secret onto hardware (is this what you mean by using TPM?).
Yes. TPM (Trusted Platform Module) is a piece of HW that handles crypto keys and should be hard to tamper with. At least it would require unsupervised physical access to the interior of the machine for quite a long time. But once the attacker does have unsupervised physical access to the machine, it would be faster to just boot from a USB key and extract the files. Unless TPM is also used for secure boot, but that's another can of worms.

> - Time-limiting the availability of secrets and/or some component of FAI. Most
> of us probably do not install clients every day, all day.
That shouldn't be too hard. Just make secrets available only during install. Once the machine is installed it calls a hook to close the access to the secrets.

> - Monitoring of installation processes and flagging abnormal activities. This
> would not prevent successful attacks, but possible breaches could be patched
> up, e.g. keys replaced afterwards.
This seems harder.

--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786

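The "secrets available only during install, then a hook closes access" idea from the message above, sketched as a small POSIX shell gate. This is an added example written for this thread; it is not code from FAI or from either poster. It assumes the secret is a constructed placeholder in a temporary directory (GATE_DIR, a hypothetical name) and that the install server opens the window just before an install and the end-of-install hook calls gate_close; the check is fail-closed, so a missing or expired deadline denies access.

```shell
#!/bin/sh
# Added example: a time-limited "secret window" for an automatic install.
# gate_open  - called on the install server right before a client installs
# gate_fetch - what the installer would call to retrieve the secret
# gate_close - the end-of-install hook; revokes the secret unconditionally
# Assumption: GATE_DIR is a plain directory; a real deployment would put the
# same gate in front of the export the installer actually reads from.

GATE_DIR="${GATE_DIR:-$(mktemp -d)}"   # constructed location for the demo

# Open the window for $1 seconds: write a constructed placeholder secret
# and an absolute expiry (epoch seconds). Files are owner-only.
gate_open() {
    ttl="$1"
    now=$(date +%s)
    umask 077
    printf '%s\n' 'PLACEHOLDER-INSTALL-SECRET' > "$GATE_DIR/secret"
    printf '%s\n' "$((now + ttl))" > "$GATE_DIR/deadline"
}

# Revoke: remove both the secret and the deadline so nothing can be served.
gate_close() {
    rm -f "$GATE_DIR/secret" "$GATE_DIR/deadline"
}

# Return 0 only while the window is open. No deadline file means closed;
# an expired deadline closes the window immediately and also returns 1.
gate_check() {
    [ -f "$GATE_DIR/deadline" ] || return 1
    deadline=$(cat "$GATE_DIR/deadline")
    now=$(date +%s)
    if [ "$now" -lt "$deadline" ]; then
        return 0
    fi
    gate_close
    return 1
}

# Serve the secret only through the check; print nothing when closed.
gate_fetch() {
    gate_check || return 1
    cat "$GATE_DIR/secret"
}
```

In FAI terms the open step belongs wherever the server prepares a client for installation, and the close step is what the installed client's final hook would trigger on the server; the TTL is the safety net for installs that never reach that hook.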