If we use static-delta with all parts inlined into the single file, the superblock that precedes everything else is not signed.
While the commits contained in the single static-delta file are signed so we can check them and operate on trusted data, the superblock isn't signed in any way, so it ends up operating on untrusted data to:
- actually find where the trusted data is, and
- check whether the update is fit for the current device by looking at the collection id stored in the metadata
An idea to sign the superblock is to generate a signature of all its data (serialized), except the signature, then add the signature to the superblock itself as an additional metadata field.
Verifying the superblock would then involve the following steps:
- fetch data from the superblock
- serialize the fetched data except the signature to reconstruct a pseudo-superblock
- check the computed serialization of the pseudo-superblock against the original signature
The GVariant parsing code would still operate on untrusted data, but at least we can verify that the extracted contents are trusted.
Signing the whole bundle would avoid operating on untrusted data but would also require copying the whole bundle away from external storage to protect from malicious storage devices trying to play TOCTOU tricks on us (for instance, an update shipped on a bundle on a USB key that maliciously changes the contents after the first read used to verify the contents).
Do you have any suggestion about what would be the best way to address this issue?
Thanks!
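The scheme proposed above (sign the serialized superblock minus its signature field, store the signature as one more metadata field, verify by reconstructing the pseudo-superblock), as an added example that is not part of the issue or of OSTree's code. It assumes a metadata key name `ostree.sign.superblock`, JSON with sorted keys as a stand-in for GVariant serialization, HMAC-SHA256 as a stand-in for the asymmetric signature a real deployment would use, and a trivial bundle layout (length-prefixed superblock followed by the delta parts); the sample key and superblock are constructed. The `open_update` function also shows the TOCTOU point from the post: the bundle is read into memory once, the superblock is parsed from that copy, and only verified fields are used to locate the parts and check the collection id.

```python
"""Added example (not OSTree code): sign a static-delta superblock by
serializing every metadata field except the signature, store the
signature as an extra metadata field, and verify by reconstruction."""
import hashlib
import hmac
import json
import struct
from typing import Optional

SIGNATURE_FIELD = "ostree.sign.superblock"  # assumed metadata key name

# Constructed sample key and superblock; not real values.
KEY = b"constructed-demo-key"
SUPERBLOCK = {
    "collection-id": "org.example.os",
    "from": "0" * 64,
    "to": "a" * 64,
    "parts": [{"offset": 0, "size": 11}],
}


def canonical_bytes(superblock: dict) -> bytes:
    """Serialize all fields except the signature: the pseudo-superblock.
    Sorted-key JSON stands in for GVariant's canonical serialization."""
    fields = {k: v for k, v in superblock.items() if k != SIGNATURE_FIELD}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_superblock(superblock: dict, key: bytes) -> dict:
    """Return a copy of the superblock carrying its signature field.
    HMAC-SHA256 is a stand-in for a GPG/ed25519 signature."""
    signed = {k: v for k, v in superblock.items() if k != SIGNATURE_FIELD}
    mac = hmac.new(key, canonical_bytes(signed), hashlib.sha256)
    signed[SIGNATURE_FIELD] = mac.hexdigest()
    return signed


def verify_superblock(superblock: dict, key: bytes) -> bool:
    """Rebuild the pseudo-superblock and compare it against the stored
    signature in constant time."""
    sig = superblock.get(SIGNATURE_FIELD)
    if not isinstance(sig, str):
        return False
    expected = hmac.new(key, canonical_bytes(superblock), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def build_bundle(signed_superblock: dict, payload: bytes) -> bytes:
    """Assumed bundle layout: 4-byte big-endian header length, header, parts."""
    header = json.dumps(signed_superblock, sort_keys=True, separators=(",", ":")).encode()
    return struct.pack(">I", len(header)) + header + payload


def open_update(bundle: bytes, key: bytes, device_collection_id: str) -> Optional[bytes]:
    """Parse the untrusted superblock from an in-memory copy of the bundle,
    verify it, then use only verified values to check the collection id
    and locate the delta parts. Returns the parts or None on any failure."""
    if len(bundle) < 4:
        return None
    (hlen,) = struct.unpack(">I", bundle[:4])
    if hlen > len(bundle) - 4:
        return None
    try:
        superblock = json.loads(bundle[4:4 + hlen])
    except (ValueError, UnicodeDecodeError):
        return None
    # Everything up to here ran on untrusted bytes; stop unless the signature checks out.
    if not isinstance(superblock, dict) or not verify_superblock(superblock, key):
        return None
    if superblock.get("collection-id") != device_collection_id:
        return None
    start = 4 + hlen
    total = sum(int(p["size"]) for p in superblock.get("parts", []))
    if start + total > len(bundle):
        return None
    return bundle[start:start + total]


if __name__ == "__main__":
    signed = sign_superblock(SUPERBLOCK, KEY)
    bundle = build_bundle(signed, b"delta-bytes")
    print("verified:", open_update(bundle, KEY, "org.example.os") is not None)
    tampered = dict(signed)
    tampered["collection-id"] = "org.evil.os"
    print("tampered accepted:", open_update(build_bundle(tampered, b"delta-bytes"), KEY, "org.evil.os") is not None)
```

Editing any signed field (here the collection id) breaks verification, and a bundle whose header length points past the end of the data is rejected before any field is read. The copy-into-memory step is what keeps removable media from swapping contents between the verification read and the later reads that use the parsed offsets.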