PS (adding to my previous reply):
Daniel P. Berrangé wrote:
> The immediate need for UKIs is indeed related to SecureBoot and
> TPMs. These are a core technology foundation of the confidential
> virtual machine stack. On Azure today, if you request an Ubuntu
> confidential VM, Azure will pre-encrypt the root filesystem and
So basically this change proposal is about supporting a feature of the
Microsoft cloud platform (Azure) in Fedora and will be pretty useless to any
user not using Microsoft's platform.
> seal the LUKS key against predicted TPM PCR values. It guarantees
> that the root disk can only be decrypted by the specific VM
> instance that is requested, when it is running in SecureBoot
> mode with the expected measurements on AMD SEV-SNP confidential
> hardware.
Does it really guarantee that, and not just that it can only be decrypted by
any VM using the same UKI?
How reliably does it ensure that the user can only get root in the decrypted
image with the root password (or SSH key or similar) stored inside the image
and not through some other means?
In the end, if you store data on a "cloud", you are storing it on other
people's computers. You are also relying on their confidentiality
guarantees. How can you trust the "cloud" provider to actually perform the
encryption steps they claim to perform when you check that checkbox, and
also to not have a backdoor (such as a fixed master key in an extra LUKS key
slot, or a custom, possibly software-emulated, TPM that does not actually
keep the key sealed) that allows them to decrypt anything anyway?
You are handing off your data to a third party and then trying to rely on
Treacherous Computing technologies preventing that third party from doing
some things (such as copying the encryption key) on their own computers. I
do not think that this is in either party's interest.
Kevin Kofler
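The questions above turn on what a PCR-sealed key is actually bound to: the boot measurements (which anyone can predict from the UKI), the specific TPM that sealed it, or both. The following is an added toy model of TPM PCR extension and sealing, not code from this thread or from Fedora, systemd or Azure; the PCR layout (PCR 4 for the UKI digest, PCR 7 for the Secure Boot state) and the HMAC-based "vTPM storage secret" are simplifications chosen for illustration, and all inputs are constructed.

```python
"""Toy model of sealing a LUKS key against predicted TPM PCR values (constructed example)."""
import hashlib
import hmac

ZERO_PCR = bytes(32)


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend operation: PCR_new = SHA-256(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def predicted_pcrs(uki: bytes, secure_boot: bool = True) -> dict:
    """PCR values that anyone can compute from the UKI alone.
    Assumed layout: PCR 4 receives the UKI digest, PCR 7 the Secure Boot state."""
    pcrs = {4: ZERO_PCR, 7: ZERO_PCR}
    pcrs[4] = pcr_extend(pcrs[4], hashlib.sha256(uki).digest())
    state = b"SecureBoot=1" if secure_boot else b"SecureBoot=0"
    pcrs[7] = pcr_extend(pcrs[7], hashlib.sha256(state).digest())
    return pcrs


def policy_digest(pcrs: dict, selection: tuple) -> bytes:
    """Digest over the selected PCRs, standing in for a TPM PolicyPCR value."""
    h = hashlib.sha256()
    for idx in sorted(selection):
        h.update(bytes([idx]) + pcrs[idx])
    return h.digest()


def seal(secret: bytes, tpm_secret: bytes, pcrs: dict, selection: tuple) -> dict:
    """Wrap a 32-byte secret under this TPM's storage secret and a PCR policy."""
    policy = policy_digest(pcrs, selection)
    kek = hmac.new(tpm_secret, b"kek" + policy, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, kek))
    tag = hmac.new(tpm_secret, b"tag" + policy + ct, hashlib.sha256).digest()
    return {"selection": selection, "policy": policy, "ct": ct, "tag": tag}


def unseal(blob: dict, tpm_secret: bytes, pcrs: dict):
    """Return the secret only if this TPM produced the blob and the PCRs match."""
    tag = hmac.new(tpm_secret, b"tag" + blob["policy"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # sealed by a different TPM (different storage secret)
    if not hmac.compare_digest(policy_digest(pcrs, blob["selection"]), blob["policy"]):
        return None  # current PCR state does not satisfy the policy
    kek = hmac.new(tpm_secret, b"kek" + blob["policy"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], kek))


def demo() -> dict:
    """Run the scenarios raised in the thread against the toy model."""
    uki = b"constructed UKI: kernel+initrd+cmdline"
    luks_key = hashlib.sha256(b"constructed LUKS volume key").digest()
    vtpm_a = b"constructed storage secret of VM A's vTPM"
    vtpm_b = b"constructed storage secret of VM B's vTPM"
    selection = (4, 7)

    # The provider seals the key to the PCRs it predicts for this UKI, using VM A's vTPM.
    blob = seal(luks_key, vtpm_a, predicted_pcrs(uki), selection)

    return {
        # Expected boot on the instance that owns the sealing vTPM: key is released.
        "vm_a_expected_uki": unseal(blob, vtpm_a, predicted_pcrs(uki)) == luks_key,
        # Any change to the UKI changes PCR 4, so the policy fails.
        "vm_a_modified_uki": unseal(blob, vtpm_a, predicted_pcrs(uki + b"x")) is None,
        # Secure Boot disabled changes PCR 7, so the policy fails.
        "vm_a_secure_boot_off": unseal(blob, vtpm_a, predicted_pcrs(uki, secure_boot=False)) is None,
        # VM B reaches identical PCRs with the same UKI, but its vTPM holds a different secret.
        "vm_b_same_uki": unseal(blob, vtpm_b, predicted_pcrs(uki)) is None,
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'as expected' if ok else 'UNEXPECTED'}")
```

In this model the PCR policy alone is satisfied by any VM that boots the same UKI with Secure Boot on, which is the first question raised above; what makes the blob instance-specific is the per-vTPM storage secret, not the measurements. The same line also shows the second concern: the PCR values are predictable from the UKI, so whoever holds the vTPM's storage secret can call `unseal` offline without any VM running. Whether a software vTPM keeps that secret from its operator is exactly what the guest cannot verify from inside.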
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue