2:28 p.m.
I just posted a thread on discussion.fedoraproject.org:
https://discussion.fedoraproject.org/t/future-of-encryption-in-fedora/80397
to invite discussion of a requirements document and draft plan about what
we might do for encrypting Fedora Workstation systems in the future. Please
follow up there, but for convenience, the message is reproduced below:
====
For quite a while, the Workstation Working Group has had open tickets to
improve the state of encryption in Fedora - and in particular get to the
point where we can make the installer encrypt systems by default.
In order to move that forward, I’ve been working on a requirements document
and draft plan. In very brief summary, the plan is:
Use the upcoming btrfs fscrypt support to encrypt both the system
and home directories. The system by default will be encrypted with
an encryption key stored in the TPM and bound to the signatures
used to sign the bootloader/kernel/initrd, providing protection against
tampering, while home directories will be encrypted using the user’s
login
password.
This plan is dependent on the on-going Unified Kernel Image support, since
currently Fedora uses unsigned initrds, and substituting the initrd would
allow an attacker to bypass all encryption. It represents a big change
where we go from having secure boot be something we spend a lot of effort
on, but actually doesn’t do much, to something we’re depending on in a big
way to provide an extra layer of security to the user.
I’d be interested in hearing, among other things:
* Are there requirements that the document doesn’t capture?
* Are there other threats that we should be trying to address?
* Is the focus on integrity a good idea?
* Do we actually need to separately encrypt home directories?
* Do we need to support a model where we bind the encryption key to the
current kernel and initrd without having the combination signed by Fedora?
* Should we be more seriously considering systemd-homed? What advantages
would we get by doing that?
Thanks for any feedback!
– Owen
3:41 p.m.
On Mon, Apr 03, 2023 at 03:28:32PM -0400, Owen Taylor wrote:
I just posted a thread on discussion.fedoraproject.org:
https://discussion.fedoraproject.org/t/future-of-encryption-in-fedora/80397
to invite discussion of a requirements document and draft plan about what
we might do for encrypting Fedora Workstation systems in the future. Please
follow up there, but for convenience, the message is reproduced below:
This seems like exactly the kind of discussion that belongs on the devel
list, not on a website that I have to remember to visit for updates.
Brian
--
Brian C. Lane (PST8PDT) - weldr.io - lorax - parted - pykickstart
4:18 p.m.
On Mon, Apr 3 2023 at 01:41:48 PM -0700, Brian C. Lane <bcl(a)redhat.com>
wrote:
This seems like exactly the kind of discussion that belongs on the
devel
list, not on a website that I have to remember to visit for updates.
There is a notification bell in the right sidebar. Click it. ;)
11:31 a.m.
On Mon, 2023-04-03 at 16:18 -0500, Michael Catanzaro wrote:
On Mon, Apr 3 2023 at 01:41:48 PM -0700, Brian C. Lane
<bcl(a)redhat.com>
wrote:
> This seems like exactly the kind of discussion that belongs on the
> devel
> list, not on a website that I have to remember to visit for updates.
There is a notification bell in the right sidebar. Click it. ;)
Or we can simply ignore that discussion until it lands in devel with a
change proposal.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
11:56 a.m.
On Thu, Apr 6, 2023 at 12:32 PM Simo Sorce <simo(a)redhat.com> wrote:
On Mon, 2023-04-03 at 16:18 -0500, Michael Catanzaro wrote:
> On Mon, Apr 3 2023 at 01:41:48 PM -0700, Brian C. Lane <bcl(a)redhat.com>
> wrote:
> > This seems like exactly the kind of discussion that belongs on the
> > devel
> > list, not on a website that I have to remember to visit for updates.
>
> There is a notification bell in the right sidebar. Click it. ;)
>
Or we can simply ignore that discussion until it lands in devel with a
change proposal.
Discussing on the forum was a suggestion from zbyszek and I think he
proposed it in the same spirit that I agreed to the proposal - as an
experiment in trying to align technical discussions more closely with the
overall direction of the Fedora project for communication.
I think we can see both pros and cons in how it's gone - on the good side,
people are involved that might not be involved otherwise, there's an easily
accessible public record of the conversation that is more readable than
even a good mailing list archive, and having richer markup available is
genuinely useful.
On the downside, spam limits on new posters have gotten in the way in some
cases, and people have had some trouble figuring out how to use the quoting
features, resulting in disconnected responses.
Yes, there will eventually be change proposals, which will be discussed
here (unless anything changes...) but I would strongly encourage people to
get involved now in the discussion if they care about the topic - the more
we can get things right early, the better.
- Owen
12:55 p.m.
There are a couple more disadvantages to using Discourse:
* Several of the replies are lower-quality and are not contributing to
the conversation.
* There is no threading like we have with emails, so these replies are
more disruptive and the discussion is less organized.
10:19 a.m.
On Thu, Apr 06, 2023 at 12:55:28PM -0500, Michael Catanzaro wrote:
There are a couple more disadvantages to using Discourse:
* Several of the replies are lower-quality and are not contributing
to the conversation.
That happens here too, of course. I think it's really a consequence of
greater conversation visibility rather than Discourse per se. And, Discourse
gives greater ability to moderate those -- either to hide them, or to split
them out into separate discussions so they don't distract. Or, at a greater
extreme if we want to do this, we could limit direct participation in some
discussions to members of FAS groups we decide (others could participate by
replying in linked threads).
* There is no threading like we have with emails, so these replies
are more disruptive and the discussion is less organized.
There actually _is_ threading in Discourse topics. It's just not presented
in as a nested tree. For example:
https://discussion.fedoraproject.org/t/future-of-encryption-in-fedora-des...
I probably should have been a little more active in moderating that thread.
But also, I'm working on building up a bigger moderation team to help with
that. (This too is waiting on the FAS group sync.)
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader
4:12 a.m.
On Thu, 2023-04-06 at 12:56 -0400, Owen Taylor wrote:
On Thu, Apr 6, 2023 at 12:32 PM Simo Sorce <simo(a)redhat.com>
wrote:
> On Mon, 2023-04-03 at 16:18 -0500, Michael Catanzaro wrote:
> > On Mon, Apr 3 2023 at 01:41:48 PM -0700, Brian C. Lane <bcl(a)redhat.com>
> > wrote:
> > > This seems like exactly the kind of discussion that belongs on the
> > > devel
> > > list, not on a website that I have to remember to visit for updates.
> >
> > There is a notification bell in the right sidebar. Click it. ;)
> >
>
> Or we can simply ignore that discussion until it lands in devel with a
> change proposal.
>
Discussing on the forum was a suggestion from zbyszek and I think he
proposed it in the same spirit that I agreed to the proposal - as an
experiment in trying to align technical discussions more closely with the
overall direction of the Fedora project for communication.
I think we can see both pros and cons in how it's gone - on the good side,
people are involved that might not be involved otherwise, there's an easily
accessible public record of the conversation that is more readable than
even a good mailing list archive, and having richer markup available is
genuinely useful.
On the downside, spam limits on new posters have gotten in the way in some
cases, and people have had some trouble figuring out how to use the quoting
features, resulting in disconnected responses.
Yes, there will eventually be change proposals, which will be discussed
here (unless anything changes...) but I would strongly encourage people to
get involved now in the discussion if they care about the topic - the more
we can get things right early, the better.
Sorry Owen,
discourse is too disruptive for me to spend time on.
I did try to skim the discussion and I think you have quite a few hints
already that this is not an easy path.
What I would recommend though, is to split this monster of a proposal
in smaller progressive steps.
You do not need to get everything super-tight-secure on the first try
(you won't be able to anyway), and building it in steps will allow you
to also (hopefully) offer a more fine-grained choice/configuration
later on.
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
11:44 a.m.
On Fri, Apr 7, 2023 at 5:12 AM Simo Sorce <simo(a)redhat.com> wrote:
On Thu, 2023-04-06 at 12:56 -0400, Owen Taylor wrote:
> On Thu, Apr 6, 2023 at 12:32 PM Simo Sorce <simo(a)redhat.com> wrote:
>
> > On Mon, 2023-04-03 at 16:18 -0500, Michael Catanzaro wrote:
> > > On Mon, Apr 3 2023 at 01:41:48 PM -0700, Brian C. Lane <
bcl(a)redhat.com>
> > > wrote:
> > > > This seems like exactly the kind of discussion that belongs on the
> > > > devel
> > > > list, not on a website that I have to remember to visit for
updates.
> > >
> > > There is a notification bell in the right sidebar. Click it. ;)
> > >
> >
> > Or we can simply ignore that discussion until it lands in devel with a
> > change proposal.
> >
>
> Discussing on the forum was a suggestion from zbyszek and I think he
> proposed it in the same spirit that I agreed to the proposal - as an
> experiment in trying to align technical discussions more closely with the
> overall direction of the Fedora project for communication.
>
> I think we can see both pros and cons in how it's gone - on the good
side,
> people are involved that might not be involved otherwise, there's an
easily
> accessible public record of the conversation that is more readable than
> even a good mailing list archive, and having richer markup available is
> genuinely useful.
>
> On the downside, spam limits on new posters have gotten in the way in
some
> cases, and people have had some trouble figuring out how to use the
quoting
> features, resulting in disconnected responses.
>
> Yes, there will eventually be change proposals, which will be discussed
> here (unless anything changes...) but I would strongly encourage people
to
> get involved now in the discussion if they care about the topic - the
more
> we can get things right early, the better.
Sorry Owen,
discourse is too disruptive for me to spend time on.
I did try to skim the discussion and I think you have quite a few hints
already that this is not an easy path.
What I would recommend though, is to split this monster of a proposal
in smaller progressive steps.
There already *are* a lot of smaller progressive steps that are proposed
for Fedora, or underway upstream, or already completed. But without at
least a fuzzy big-picture story of where we're trying to get to, it's
really hard to see how they relate to each other, or know what steps are
missing. That's where I'm trying to get to.
You do not need to get everything super-tight-secure on the first
try
(you won't be able to anyway), and building it in steps will allow you
to also (hopefully) offer a more fine-grained choice/configuration
later on.
There's at least a need to know what the *recommended* combinations of
options are, or it will be impossible to know whether super-tight-secure
(or medium-tight-secure) has been achieved.
- Owen
10:13 a.m.
On Thu, Apr 06, 2023 at 12:56:55PM -0400, Owen Taylor wrote:
On the downside, spam limits on new posters have gotten in the way in
some
cases, and people have had some trouble figuring out how to use the quoting
features, resulting in disconnected responses.
I have bumped some of the default limits -- and I have a planned solution
for this long-term Fedora contributors in the very near future, as we will
soon have FAS groups synced to Discussion. When that is available, we can
make it so membership in a FAS group automatically grants "trust level 1",
which removes most limits. (The "trust level 0" limits are pretty important
to stop spammers and trolls, so I don't want to relax them further.)
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader
372
days inactive
386
days old
9 comments
5 participants
participants (5)
-
Brian C. Lane -
Matthew Miller -
Michael Catanzaro -
Owen Taylor -
Simo Sorce