Purism
Follow

Here is a step-by-step guide on how to cryptographically sign your OS files with keys in your control🗝️puri.sm/posts/stay-protected-w

· Web · 2 · 8 · 8
Aral Balkan  

@purism Wondering if there’s a way to cut down the few minutes waiting time on the scan by implementing this feature using hypercore (a cryptographically-secure directed acyclic graph) by keeping the OS files in a hyperdrive and mounting that drive at boot. That would involve checking just one hash.

1
Kyle Rankin  

@aral @purism So it turns out that generating the hashes does take a minute or two, but checking them (like if you automatically check them at each boot) is much faster.

1
Aral Balkan  

@kyle @purism Ah, right, I thought the couple of minutes was at every boot, sorry.

1
Kyle Rankin  

@aral @purism No problem! I also had to work within a few design constraints. The most relevant one here is that I wanted it to be as OS-agnostic as possible (like PureBoot is in general). I write at length about the design constraints and considerations here: puri.sm/posts/new-pureboot-fea

1
Aral Balkan  

@kyle @purism Thanks for the link, Kyle, looking forward to reading it :)

1
Kyle Rankin  

@aral @purism I actually re-read it and realized I wrote it before we implemented the feature to detect *new* files that were added to the file system so I just updated it to reference that update (and strikethrough the outdated text), which should be live in a bit.

0
Sign in to participate in the conversation
Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.

Stay safe. Please abide by our code of conduct.

(Source code)

image/svg+xml Librem Chat image/svg+xml