Open alokmenghrajani opened 6 years ago
Thank you for thinking carefully through your risks. What are your thoughts on the elephant that's in the room?
Subzero is designed to be run on machines which are airgapped: The only connection in and out of the system is via QR codes. Even if the machine contained a bloomberg-proposed implant, it would not have a way of getting data out.
Additionally, Subzero is designed to minimally trust its host computer: The private key, policy checking, and transaction signing all happens in an HSM, loading code which is signed and cannot be modified by the computer the HSM is in.
(Ignoring the fact that the companies impacted by these recent news events have acknowledged not being affected, this is a very good question and exactly the kind of things I would like to discuss in more details.)
Generally, the HSMs provides a good defense against the host machine being compromised. The wallet private keys are created inside the HSMs and are never exported. We trust our HSMs because they are subject to various certifications; some of those cover the security of the supply chain.
We have to trust the host machine to do things like display accurate information. This information is also available on other machines (e.g. the QR codes can be decoded on any laptop or mobile device).
Finally, the whole setup is offline.
There's also nothing preventing people from running their cold wallet on a mix of different hardware.
I have a draft discussing the supply chain aspect of things. Next step is to clean it up and add it to our docs.
@alokmenghrajani looking forward to this - happy to serve as a guinea pig.
Looking at current docs - I'm assuming the iso
resulting from https://github.com/square/subzero/tree/master/live-usb-creator#building-image is what you want on the DVD, but the "Writing image to USB drive" section is there just as another option?
Also noticed the use of md5 (https://github.com/square/subzero/tree/master/live-usb-creator#build-process) - knowing it's weaknesses, do you think it's sufficient for the purposes?
Ah also based on https://github.com/square/subzero/tree/master/live-usb-creator#building-image - the DVD/USB used should be at least 13gb in size? Might be worth adding to https://subzero.readthedocs.io/en/master/physical_components/#physical-components.
Hopefully my comments are helpful guys! This is an awesome project!
I never got around to discussing the supply chain issue in more depth. Now that we have nearly 2 years of experience running this project, we can probably think about supply chain from various different angles. Here are some thoughts:
Some other things I had in my notes:
From an attacker's point of view, there are a few scenarios:
Looking at current docs - I'm assuming the iso resulting from https://github.com/square/subzero/tree/master/live-usb-creator#building-image is what you want on the DVD, but the "Writing image to USB drive" section is there just as another option?
Writing image to USB drive is useful for debugging / development purpose since USB drives are ~10x faster.
Also noticed the use of md5 (https://github.com/square/subzero/tree/master/live-usb-creator#build-process) - knowing it's weaknesses, do you think it's sufficient for the purposes?
The checksum is only used to detect corrupted/scratched optical media. It is just a hash of all the data and is not cryptographically tied to anything.
Ah also based on https://github.com/square/subzero/tree/master/live-usb-creator#building-image - the DVD/USB used should be at least 13gb in size? Might be worth adding to https://subzero.readthedocs.io/en/master/physical_components/#physical-components.
You need a lot more than 13GB of free space to build everything until the final iso (I usually keep ~50GB free). The final ISO is fairly small (around 1GB) and fits on any type of DVD.
@alokmenghrajani unclear what the centos root username and password are, is it just root
with one of the passwords in https://github.com/square/subzero/blob/master/live-usb-creator/rhel7-livemedia.ks?
Also noticed the top of that file says "DEVEL" - outside of changing username/password, anything you'd recommend to be changed for production?
Root is password-less: https://github.com/square/subzero/blob/master/live-usb-creator/rhel7-livemedia.ks#L306 There's also another user added here: https://github.com/square/subzero/blob/master/live-usb-creator/rhel7-livemedia.ks#L165
A root password isn't useful here (ideally we would make the system auto-login). One thing we don't do is encrypt the boot media, which would add a layer of defense (in addition to the existing password on the HSM's smart card) against physical access/tampering.
The DEVEL comment is probably incorrect, this is the only file we have and we use it for dev/staging/production. I believe this file was based on one of the files in https://github.com/weldr/lorax/blob/master/docs/.
Hm interesting.
I'm trying to boot a VMware Fusion machine from the iso, and it won't take root
as username (immediately re-prompts) (screencapture: https://app.box.com/s/p0wl8km16iica8dwtzqqnsyj8xlh5ucy).
I can't boot-up the VM from the USB stick because Mac can no longer read the device after I ran the dd
command to copy over the iso - is that normal? The device was in FAT32 to start. Actually seems even if I don't use dd
, VMware fusion can't boot from a USB anyway.
Using this for testing before I go ahead and buy dedicated hardware.
Moving build issues to dedicated issue.
The docs don't explain what kinds of supply chain attacks we are worried about, what we are doing to mitigate them, what risks we need to assume, etc.
There's also many ways to approach this problem, and it might be worth clarifying our take / vision. For example, we believe that being able to reproduce builds is more useful than having a few people perform a clean build.