grub-devel

Re: RFC: should the 'trust' and 'verify_detached' commands respect 'chec


From: Vladimir 'φ-coder/phcoder' Serbinenko
Subject: Re: RFC: should the 'trust' and 'verify_detached' commands respect 'check_signatures=enforce'?
Date: Mon, 21 Oct 2013 19:33:59 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131005 Icedove/17.0.9

On 18.10.2013 04:44, Andrey Borzenkov wrote:
> On Thu, 17 Oct 2013 23:44:05 +0200
> Vladimir 'φ-coder/phcoder' Serbinenko <address@hidden> wrote:
> 
>> On 17.10.2013 20:28, Jonathan McCune wrote:
>>> Presently the 'trust' and 'verify_detached' commands disable all filters
>>> (e.g., verify.c:grub_cmd_trust() calls grub_file_filter_disable_all())
>>> when opening a file containing a public key (note the distinction from
>>> verify_detached implicitly using an already-loaded key).
>>
>> This is the intended behaviour. Usecase to manually add keys when
>> needed. Your proposal is for other usecases which would probably require
>> special arguments or separate functions.
>>
> 
> This has the same MITM problem we already discussed and that was fixed
> if pubkey filter is used - you cannot actually know that key you trust
> is the same as key you verified. So I think that at least by default
> "trust" should not disable pubkey filter.
> 
> verify_detached probably should, but maybe only for file that is
> verified itself, bit for pubkey.
> 
I didn't oppose a command or options having the described
functionality. Thinking about it, I have to agree that default behaviour
should be paranoid with options to relax it. Would you or Jonathan
prepare a patch to change the behaviour with an option to restore
current behaviour?

Attachment: signature.asc
Description: OpenPGP digital signature
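
Added example, not part of the original message and not GRUB's code: a small C model of the point raised in the thread, that a key verified in one step and then imported through a second open with filters disabled is not guaranteed to be the same bytes. The `medium` struct, the function names and the string-comparison stand-in for signature checking are all assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model, all names hypothetical. A medium (say, a network
   path) that can return different bytes on a later open. */
struct medium { const char *first; const char *later; int opens; };

static const char *read_medium(struct medium *m) {
    return m->opens++ == 0 ? m->first : m->later;
}

/* Stand-in for detached-signature checking: signed_content is what the
   signer vouched for. Real code would verify an OpenPGP signature. */
static int sig_ok(const char *data, const char *signed_content) {
    return strcmp(data, signed_content) == 0;
}

/* Models an open: with filters enabled the bytes are verified and the
   caller gets the very buffer that was verified; with filters disabled
   the caller gets whatever the medium returns. */
static const char *open_file(struct medium *m, const char *signed_content,
                             int filters_enabled) {
    const char *buf = read_medium(m);
    if (filters_enabled && !sig_ok(buf, signed_content))
        return NULL;
    return buf;
}

/* Verify in one step, then import through a second, unfiltered open:
   the imported bytes are never the ones that were checked. */
static const char *verify_then_trust_unfiltered(struct medium *m,
                                                const char *s) {
    if (open_file(m, s, 1) == NULL)
        return NULL;
    return open_file(m, s, 0);
}

/* Import through a single filtered open: verified bytes are the
   imported bytes, and a failed check imports nothing. */
static const char *trust_filtered(struct medium *m, const char *s) {
    return open_file(m, s, 1);
}
```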

