I just posted a thread on discussion.fedoraproject.org:
https://discussion.fedoraproject.org/t/future-of-encryption-in-fedora/80397
to invite discussion of a requirements document and draft plan about what we might do for encrypting Fedora Workstation systems in the future. Please follow up there, but for convenience, the message is reproduced below:
====
For quite a while, the Workstation Working Group has had open tickets to improve the state of encryption in Fedora - and in particular get to the point where we can make the installer encrypt systems by default.
In order to move that forward, I’ve been working on a requirements document and draft plan. In very brief summary, the plan is:
Use the upcoming btrfs fscrypt support to encrypt both the system and home directories. The system by default will be encrypted with an encryption key stored in the TPM and bound to the signatures used to sign the bootloader/kernel/initrd, providing protection against tampering, while home directories will be encrypted using the user’s login password.
This plan is dependent on the on-going Unified Kernel Image support, since currently Fedora uses unsigned initrds, and substituting the initrd would allow an attacker to bypass all encryption. It represents a big change where we go from having secure boot be something we spend a lot of effort on, but actually doesn’t do much, to something we’re depending on in a big way to provide an extra layer of security to the user.
I’d be interested in hearing, among other things:
* Are there requirements that the document doesn't capture?
* Are there other threats that we should be trying to address?
* Is the focus on integrity a good idea?
* Do we actually need to separately encrypt home directories?
* Do we need to support a model where we bind the encryption key to the current kernel and initrd without having the combination signed by Fedora?
* Should we be more seriously considering systemd-homed? What advantages would we get by doing that?
Thanks for any feedback! – Owen
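The plan above binds the system key to the signatures on the boot chain and says a substituted unsigned initrd would bypass the encryption. The following simulation, added here and not part of Owen's message or of any Fedora code, shows why: it models a PCR 7 style measurement (only the certificate that verified each image is extended, never the image bytes), a toy signature scheme and a sealed key, then replays the separate-initrd case against the UKI case. The certificate values, key and image contents are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for signing-authority certificates (real ones are X.509).
FEDORA_CERT = b"constructed:fedora-secure-boot-cert"
DISK_KEY = b"constructed:filesystem-master-key"

@dataclass
class Image:
    name: str
    content: bytes
    signer: Optional[bytes]      # None = unsigned, like today's separately shipped initrd
    signature: Optional[bytes]

def sign(name, content, signer):
    # Toy signature: hash over signer cert and content, standing in for Authenticode.
    return Image(name, content, signer, hashlib.sha256(signer + content).digest())

def verify(img):
    return img.signer is not None and img.signature == hashlib.sha256(img.signer + img.content).digest()

def pcr_extend(pcr, value):
    # TPM extend semantics: PCR' = H(PCR || H(value)); order-dependent, not invertible.
    return hashlib.sha256(pcr + hashlib.sha256(value).digest()).digest()

def boot(images, trusted=(FEDORA_CERT,)):
    """Simulated Secure Boot: each signed image must verify against a trusted cert and
    the cert that verified it is extended into PCR 7. Unsigned images load unmeasured."""
    pcr7 = b"\x00" * 32
    for img in images:
        if img.signer is None:
            continue                      # loaded, but the TPM never learns it existed
        if img.signer not in trusted or not verify(img):
            raise PermissionError(f"{img.name}: signature rejected")
        pcr7 = pcr_extend(pcr7, img.signer)
    return pcr7

def seal(key, pcr7):
    return {"policy": pcr7, "key": key}   # key released only if PCR 7 matches the policy

def unseal(blob, pcr7):
    return blob["key"] if blob["policy"] == pcr7 else None

def scenario_separate_initrd():
    """Signed kernel + unsigned initrd: swapping the initrd leaves PCR 7 unchanged."""
    kernel = sign("kernel", b"vmlinuz 6.2", FEDORA_CERT)
    blob = seal(DISK_KEY, boot([kernel, Image("initrd", b"initrd v1", None, None)]))
    evil = Image("initrd", b"initrd that copies the key elsewhere", None, None)
    return unseal(blob, boot([kernel, evil]))     # returns DISK_KEY: bypass

def scenario_uki(tampered=True):
    """Unified kernel image: the initrd is inside the signed blob, so edits break the
    signature; an untampered Fedora-signed update still unseals (bound to signer, not hash)."""
    blob = seal(DISK_KEY, boot([sign("uki", b"vmlinuz 6.2" + b"initrd v1", FEDORA_CERT)]))
    if tampered:
        bad = Image("uki", b"vmlinuz 6.2" + b"initrd evil", FEDORA_CERT, sign("uki", b"x", FEDORA_CERT).signature)
        try:
            return unseal(blob, boot([bad]))
        except PermissionError:
            return None                           # refused before any key is released
    return unseal(blob, boot([sign("uki", b"vmlinuz 6.3" + b"initrd v2", FEDORA_CERT)]))
```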
On Mon, Apr 03, 2023 at 03:28:32PM -0400, Owen Taylor wrote:
I just posted a thread on discussion.fedoraproject.org:
https://discussion.fedoraproject.org/t/future-of-encryption-in-fedora/80397
to invite discussion of a requirements document and draft plan about what we might do for encrypting Fedora Workstation systems in the future. Please follow up there, but for convenience, the message is reproduced below:
This seems like exactly the kind of discussion that belongs on the devel list, not on a website that I have to remember to visit for updates.
Brian
On Mon, Apr 3 2023 at 01:41:48 PM -0700, Brian C. Lane bcl@redhat.com wrote:
This seems like exactly the kind of discussion that belongs on the devel list, not on a website that I have to remember to visit for updates.
There is a notification bell in the right sidebar. Click it. ;)
On Mon, 2023-04-03 at 16:18 -0500, Michael Catanzaro wrote:
On Mon, Apr 3 2023 at 01:41:48 PM -0700, Brian C. Lane bcl@redhat.com wrote:
This seems like exactly the kind of discussion that belongs on the devel list, not on a website that I have to remember to visit for updates.
There is a notification bell in the right sidebar. Click it. ;)
Or we can simply ignore that discussion until it lands in devel with a change proposal.
On Thu, Apr 6, 2023 at 12:32 PM Simo Sorce simo@redhat.com wrote:
On Mon, 2023-04-03 at 16:18 -0500, Michael Catanzaro wrote:
On Mon, Apr 3 2023 at 01:41:48 PM -0700, Brian C. Lane bcl@redhat.com wrote:
This seems like exactly the kind of discussion that belongs on the devel list, not on a website that I have to remember to visit for updates.
There is a notification bell in the right sidebar. Click it. ;)
Or we can simply ignore that discussion until it lands in devel with a change proposal.
Discussing on the forum was a suggestion from zbyszek and I think he proposed it in the same spirit that I agreed to the proposal - as an experiment in trying to align technical discussions more closely with the overall direction of the Fedora project for communication.
I think we can see both pros and cons in how it's gone - on the good side, people are involved that might not be involved otherwise, there's an easily accessible public record of the conversation that is more readable than even a good mailing list archive, and having richer markup available is genuinely useful.
On the downside, spam limits on new posters have gotten in the way in some cases, and people have had some trouble figuring out how to use the quoting features, resulting in disconnected responses.
Yes, there will eventually be change proposals, which will be discussed here (unless anything changes...) but I would strongly encourage people to get involved now in the discussion if they care about the topic - the more we can get things right early, the better.
- Owen
There are a couple more disadvantages to using Discourse:
* Several of the replies are lower-quality and are not contributing to the conversation.
* There is no threading like we have with emails, so these replies are more disruptive and the discussion is less organized.
On Thu, Apr 06, 2023 at 12:55:28PM -0500, Michael Catanzaro wrote:
There are a couple more disadvantages to using Discourse:
- Several of the replies are lower-quality and are not contributing to the conversation.
That happens here too, of course. I think it's really a consequence of greater conversation visibility rather than Discourse per se. And, Discourse gives greater ability to moderate those -- either to hide them, or to split them out into separate discussions so they don't distract. Or, at a greater extreme if we want to do this, we could limit direct participation in some discussions to members of FAS groups we decide (others could participate by replying in linked threads).
- There is no threading like we have with emails, so these replies are more disruptive and the discussion is less organized.
There actually _is_ threading in Discourse topics. It's just not presented as a nested tree. For example: https://discussion.fedoraproject.org/t/future-of-encryption-in-fedora-deskto...
I probably should have been a little more active in moderating that thread. But also, I'm working on building up a bigger moderation team to help with that. (This too is waiting on the FAS group sync.)
On Thu, 2023-04-06 at 12:56 -0400, Owen Taylor wrote:
On Thu, Apr 6, 2023 at 12:32 PM Simo Sorce simo@redhat.com wrote:
On Mon, 2023-04-03 at 16:18 -0500, Michael Catanzaro wrote:
On Mon, Apr 3 2023 at 01:41:48 PM -0700, Brian C. Lane bcl@redhat.com wrote:
This seems like exactly the kind of discussion that belongs on the devel list, not on a website that I have to remember to visit for updates.
There is a notification bell in the right sidebar. Click it. ;)
Or we can simply ignore that discussion until it lands in devel with a change proposal.
Discussing on the forum was a suggestion from zbyszek and I think he proposed it in the same spirit that I agreed to the proposal - as an experiment in trying to align technical discussions more closely with the overall direction of the Fedora project for communication.
I think we can see both pros and cons in how it's gone - on the good side, people are involved that might not be involved otherwise, there's an easily accessible public record of the conversation that is more readable than even a good mailing list archive, and having richer markup available is genuinely useful.
On the downside, spam limits on new posters have gotten in the way in some cases, and people have had some trouble figuring out how to use the quoting features, resulting in disconnected responses.
Yes, there will eventually be change proposals, which will be discussed here (unless anything changes...) but I would strongly encourage people to get involved now in the discussion if they care about the topic - the more we can get things right early, the better.
Sorry Owen, discourse is too disruptive for me to spend time on.
I did try to skim the discussion and I think you have quite a few hints already that this is not an easy path. What I would recommend though, is to split this monster of a proposal in smaller progressive steps.
You do not need to get everything super-tight-secure on the first try (you won't be able to anyway), and building it in steps will allow you to also (hopefully) offer a more fine-grained choice/configuration later on.
Simo.
On Fri, Apr 7, 2023 at 5:12 AM Simo Sorce simo@redhat.com wrote:
On Thu, 2023-04-06 at 12:56 -0400, Owen Taylor wrote:
On Thu, Apr 6, 2023 at 12:32 PM Simo Sorce simo@redhat.com wrote:
On Mon, 2023-04-03 at 16:18 -0500, Michael Catanzaro wrote:
On Mon, Apr 3 2023 at 01:41:48 PM -0700, Brian C. Lane <bcl@redhat.com> wrote:
This seems like exactly the kind of discussion that belongs on the devel list, not on a website that I have to remember to visit for updates.
There is a notification bell in the right sidebar. Click it. ;)
Or we can simply ignore that discussion until it lands in devel with a change proposal.
Discussing on the forum was a suggestion from zbyszek and I think he proposed it in the same spirit that I agreed to the proposal - as an experiment in trying to align technical discussions more closely with the overall direction of the Fedora project for communication.
I think we can see both pros and cons in how it's gone - on the good side, people are involved that might not be involved otherwise, there's an easily accessible public record of the conversation that is more readable than even a good mailing list archive, and having richer markup available is genuinely useful.
On the downside, spam limits on new posters have gotten in the way in some cases, and people have had some trouble figuring out how to use the quoting features, resulting in disconnected responses.
Yes, there will eventually be change proposals, which will be discussed here (unless anything changes...) but I would strongly encourage people to get involved now in the discussion if they care about the topic - the more we can get things right early, the better.
Sorry Owen, discourse is too disruptive for me to spend time on.
I did try to skim the discussion and I think you have quite a few hints already that this is not an easy path. What I would recommend though, is to split this monster of a proposal in smaller progressive steps.
There already *are* a lot of smaller progressive steps that are proposed for Fedora, or underway upstream, or already completed. But without at least a fuzzy big-picture story of where we're trying to get to, it's really hard to see how they relate to each other, or know what steps are missing. That's where I'm trying to get to.
You do not need to get everything super-tight-secure on the first try (you won't be able to anyway), and building it in steps will allow you to also (hopefully) offer a more fine-grained choice/configuration later on.
There's at least a need to know what the *recommended* combinations of options are, or it will be impossible to know whether super-tight-secure (or medium-tight-secure) has been achieved.
- Owen
On Thu, Apr 06, 2023 at 12:56:55PM -0400, Owen Taylor wrote:
On the downside, spam limits on new posters have gotten in the way in some cases, and people have had some trouble figuring out how to use the quoting features, resulting in disconnected responses.
I have bumped some of the default limits -- and I have a planned solution for this for long-term Fedora contributors in the very near future, as we will soon have FAS groups synced to Discussion. When that is available, we can make it so membership in a FAS group automatically grants "trust level 1", which removes most limits. (The "trust level 0" limits are pretty important to stop spammers and trolls, so I don't want to relax them further.)