From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from uplift.swm.pp.se (swm.pp.se [212.247.200.143]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.bufferbloat.net (Postfix) with ESMTPS id 0A6843B29E for ; Tue, 27 Nov 2018 06:03:37 -0500 (EST) Received: by uplift.swm.pp.se (Postfix, from userid 501) id EA920B9; Tue, 27 Nov 2018 12:03:35 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=swm.pp.se; s=mail; t=1543316615; bh=EZDuiVa2nT+C2Qb+NTTeLuGFg03Y7J6KBcV5pWkFf8c=; h=Date:From:To:cc:Subject:In-Reply-To:References:From; b=PjeEOJwKPsEuCjT6dt1j10aUOQrGDZEpm2Br6GorYfGoiHljX1fDKs8NsAGE9evp8 arWEc0RhOaftmICliBCk4hM9kfnFYhUxRBt5RNv3YHk9LeidzO0Lml3tjcKyTF5prm txxLhFwoHKrB8tHr7lo9kOpsywMRUd8+Sj01VnxA= Received: from localhost (localhost [127.0.0.1]) by uplift.swm.pp.se (Postfix) with ESMTP id E89F19F; Tue, 27 Nov 2018 12:03:35 +0100 (CET) Date: Tue, 27 Nov 2018 12:03:35 +0100 (CET) From: Mikael Abrahamsson To: Sebastian Moeller cc: cerowrt-devel In-Reply-To: <05A88D6B-51BC-4CC5-98D9-E85AE11D96AC@gmx.de> Message-ID: References: <6F8CDBFF-8B8A-4B6B-BCE9-918A69354626@gmx.de> <05A88D6B-51BC-4CC5-98D9-E85AE11D96AC@gmx.de> User-Agent: Alpine 2.20 (DEB 67 2015-01-07) Organization: People's Front Against WWW MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Subject: Re: [Cerowrt-devel] security guidelines for home routers X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.20 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Nov 2018 11:03:37 -0000 On Mon, 26 Nov 2018, Sebastian Moeller wrote: > I guess that most cheap routers do not actually do "secure boot" but > rather make it hard to flash not-approved firmware binaries from the > GUI, and for the intents an purposes of the BSI document that level of > security, in spite of the talk about firmware authentication by digital > signatures, seems sufficient. So no need to secure the JTAG interface, > or even a tftp update method that can be initiated by pressing a button > on the router or similar. There are a huge amount of routers in peoples homes in Germany that have secure boot enabled. Trying to achieve the requirement that these can have any software installed on them requires new functionality to be created, perhaps even new administration to handle this in a secure way. Yes, it might be enough to in the future create a button inside the device (so it actually has to be opened up) to disable secure boot, but this still does open up for tampering by someone who happens to have physical access to the device. Right now with secure boot on and all code being signed, it's really hard to tamper with the device and making it do things it wasn't designed to do. I'd really like to see a wider audience weigh in on the pro:s and con:s of this approach. Do parents really want to come home to their 12 year old who might have opened up their residential gateway and installed something the 12 year old downloaded from the Internet? Perhaps yes, perhaps no. > Why? In my reading 2 basically just turns the "The router MAY > allow the installation of unsigned firmware (i.e. custom firmware)" into > a "The router MUST allow " it does not rule that the manufacturer needs > to actively help to develop said custom firmware IMHO. Now it would be a > great idea to do so, but certainly not required. Ok, I just took for granted that to make the idea practical, one would need access to hw / sw specifications. > Yes, I agree, this is one of the issues where one of the > heavy-weights needs to get involved. My bet is on the EU picking > something like this up first though. ATM I do not see much appetite for > such regulatory actions in the US. Agreed. -- Mikael Abrahamsson email: swmike@swm.pp.se