Open tlaurion opened 3 years ago
@tlaurion reading through the comments here and in 999, I'm not sure what the benefit would be to enforcing rollback protection when /boot isn't found / can't be mounted, as you suggest above. If RP exists to protect against a disk swap with an older kernel, then enforcing RP only when /boot can be mounted would seem sufficient. Not to mention that the swapped disk would almost certainly fail the hash/signature check.
so I'd propose:
Going further though, we need to consider what Heads can/can't protect when used in a diskless state. And we want to handle booting an ISO from USB vs an installed OS on USB-attached media.
@osresearch @MrChromebox
Maybe a cleaner way is to have only one mount_boot function (it's duplicated everywhere) and do the validation/mount there for /boot if rollback is required per config, instead of duplicating code logic. /boot not being found should show boot options (set new /boot drive, etc.), while setting new TOTP/HOTP forcing rollback is a bug, not a feature.
The path for resolution:
Originally posted by @tlaurion in https://github.com/osresearch/heads/issues/999#issuecomment-877314233
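One way to structure the single mount_boot that the comment above asks for, as an added shell example (not Heads' own code): the mount and the rollback check live in one function that reports distinct outcomes, so a missing /boot device is reported to the caller (who can show boot options) instead of being treated as a rollback failure. CONFIG_ROLLBACK_REQUIRED, rollback_check, ROLLBACK_FLOOR and the version-counter file are assumed names standing in for Heads' config and TPM counter.

```shell
#!/bin/sh
# Added example, not Heads code: one mount_boot with distinct outcomes so
# callers decide what to do (offer boot options, fail, continue) instead of
# each script duplicating the mount logic. CONFIG_ROLLBACK_REQUIRED,
# rollback_check, ROLLBACK_FLOOR and version-counter are hypothetical names.

BOOT_MOUNTED=0
BOOT_NOT_FOUND=2        # no /boot device: show boot options, nothing to enforce
BOOT_MOUNT_FAILED=3     # device present but could not be mounted
BOOT_ROLLBACK_FAILED=4  # mounted, but content is older than the trusted floor

# Hypothetical rollback check: the counter recorded on the mounted /boot must
# not be below the floor the firmware trusts (ROLLBACK_FLOOR stands in for a
# TPM-backed counter in this example).
rollback_check() {
  mnt="$1"
  [ -r "$mnt/version-counter" ] || return 1
  read -r seen < "$mnt/version-counter"
  [ "$seen" -ge "${ROLLBACK_FLOOR:-0}" ]
}

# mount_boot DEV MNT: mount DEV read-only on MNT and enforce rollback
# protection only when the mount succeeded and the config requires it.
mount_boot() {
  dev="$1"; mnt="$2"
  # Missing device (diskless, swapped disk, USB absent) is a distinct outcome,
  # not a rollback violation.
  [ -e "$dev" ] || return $BOOT_NOT_FOUND
  mount -o ro "$dev" "$mnt" 2>/dev/null || return $BOOT_MOUNT_FAILED
  if [ "${CONFIG_ROLLBACK_REQUIRED:-n}" = "y" ] && ! rollback_check "$mnt"; then
    umount "$mnt"
    return $BOOT_ROLLBACK_FAILED
  fi
  return $BOOT_MOUNTED
}

# Caller: maps the outcome to an action in exactly one place.
boot_action() {
  rc=0; mount_boot "$1" "$2" || rc=$?
  case $rc in
    0) echo continue ;;
    "$BOOT_NOT_FOUND") echo show-boot-options ;;
    *) echo fail ;;
  esac
}
```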