[virt-tools-list] Verification of software downloads with virt-install --location?

Daniel P. Berrange berrange at redhat.com
Thu Apr 30 12:14:32 UTC 2015


On Thu, Apr 30, 2015 at 02:08:56PM +0200, Simon Josefsson wrote:
> Hi.  I'm experimenting with using 'virt-install --location' for
> creating virtual machines for myself.  I'm installing Debian Jessie
> VMs, if that matters, so the invocation looks something like this:
> 
> virt-install \
>     --name=dist.sjd.se \
>     --ram=1024 \
>     --os-type=linux --os-variant=debianwheezy \
>     --initrd-inject=preseed.cfg \
>     --extra-args="auto=true console=tty0 console=ttyS0,115200" \
>     --disk=$output,size=4,format=qcow2 \
>     --serial pty \
>     --location=http://ftp.se.debian.org/debian/dists/jessie/main/installer-amd64 \
>     --nographics \
>     --noreboot
> 
> However what is not clear to me is if there is any cryptographic
> verification of the downloaded kernel/initrd-pair?  I can't find any
> documentation on how to configure the PGP public key to trust for this
> download, nor any checksum values to double-check it with.
> 
> If 'virt-install --location' does not check the integrity
> of the kernel/initrd download, how do people protect themselves against
> man-in-the-middle attacks replacing the kernel/initrd files with
> trojaned versions?

You are correct that there is no verification of images which are
downloaded. The only real recommendation for protection is for
organizations to maintain their own trusted local mirror of the
distros that they frequently use.

That said it would obviously be desirable to look into whether there
is some kind of cryptographic verification that could be reasonably
performed.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
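One way to close the gap Daniel describes, as an added example that is not code from this thread or from virt-install: a small fail-closed shell gate that checks the fetched kernel/initrd pair against a SHA256SUMS list before the files are handed to the installer. It assumes the SHA256SUMS file was obtained separately and its signature verified with a key you already trust; the function names are mine.

```shell
#!/bin/sh
# Added example (not the thread's or virt-install's code): a fail-closed
# checksum gate for the kernel/initrd pair that 'virt-install --location'
# fetches without verification. Assumption: SHA256SUMS was obtained separately
# and its signature checked with a key you already trust; without that step a
# checksum from the same mirror proves nothing against a MITM.
sha256_of() {
    # hex digest of one file; coreutils sha256sum, or shasum where absent
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer_files DIR SUMSFILE FILE...
# 0 only if every FILE is listed in SUMSFILE and its digest matches; a file
# with no entry is a failure (unlike 'sha256sum -c --ignore-missing').
verify_installer_files() {
    dir=$1; sums=$2; shift 2; rc=0
    for f in "$@"; do
        expected=$(awk -v n="$f" '($2 == n || $2 == "*" n) {print $1; exit}' "$sums")
        if [ -z "$expected" ]; then
            echo "FAIL: $f has no entry in $sums" >&2; rc=1; continue
        fi
        actual=$(sha256_of "$dir/$f" 2>/dev/null)
        if [ "$actual" != "$expected" ]; then
            echo "FAIL: $f digest mismatch (or unreadable)" >&2; rc=1
        else
            echo "OK: $f" >&2
        fi
    done
    return $rc
}

# Demo on constructed files, no network: a good pair, then a tampered initrd.
demo() {
    d=$(mktemp -d)
    printf 'constructed kernel bytes\n' > "$d/linux"
    printf 'constructed initrd bytes\n' > "$d/initrd.gz"
    for f in linux initrd.gz; do
        printf '%s  %s\n' "$(sha256_of "$d/$f")" "$f"
    done > "$d/SHA256SUMS"
    verify_installer_files "$d" "$d/SHA256SUMS" linux initrd.gz 2>/dev/null && good=0 || good=$?
    printf 'trojaned\n' >> "$d/initrd.gz"
    verify_installer_files "$d" "$d/SHA256SUMS" linux initrd.gz 2>/dev/null && bad=0 || bad=$?
    rm -rf "$d"
    echo "$good $bad"   # prints "0 1"
}
```

Only files that pass the gate should be exposed to the installer, e.g. from a local directory or mirror you control, which is the same trust model as the trusted local mirror recommended above.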