|
|
Subscribe / Log in / New account

What is Silverblue? (Fedora Magazine)

[Posted July 12, 2019 by corbet]

Fedora Magazine has posted an introduction to the Silverblue distribution. "One of the main benefits is security. The base operating system is mounted as read-only, and thus cannot be modified by malicious software. The only way to alter the system is through the rpm-ostree utility. Another benefit is robustness. It’s nearly impossible for a regular user to get the OS to the state when it doesn’t boot or doesn’t work properly after accidentally or unintentionally removing some system library."
to post comments

What is Silverblue? (Fedora Magazine)

Posted Jul 12, 2019 19:08 UTC (Fri) by brouhaha (subscriber, #1698) [Link] (7 responses)

If an attacker is able to use an exploit to get root access, can they remount the OS as read/write, or write directly to /dev/whatever to alter the OS image?

What is Silverblue? (Fedora Magazine)

Posted Jul 12, 2019 19:49 UTC (Fri) by mattdm (subscriber, #18) [Link] (6 responses)

Yes. In fact, a user with root access can do this if they want to; no exploit needed.

We have some experimental work in progress in making much more locked down version (with dm-verity and such) but that's not really our target here at this point.

What is Silverblue? (Fedora Magazine)

Posted Jul 13, 2019 9:09 UTC (Sat) by hailfinger (subscriber, #76962) [Link] (5 responses)

Would you mind explaining how "The base operating system is mounted as read-only, and thus cannot be modified by malicious software. The only way to alter the system is through the rpm-ostree utility." and "a user with root access can do this [remount the OS as read/write] if they want to; no exploit needed." don't contradict each other? I really have trouble understanding this.

If only root can modify the Silverblue OS, what's the security difference to other distributions (e.g. Debian, Ubuntu, Fedora...) where only root* can modify the OS?

*root or a user getting code execution as root via some mechanism (sudo, rpm-ostree etc.)

What is Silverblue? (Fedora Magazine)

Posted Jul 13, 2019 16:13 UTC (Sat) by Lennie (subscriber, #49641) [Link]

I guess one extra step which current exploits and worms aren't detecting yet...?

What is Silverblue? (Fedora Magazine)

Posted Jul 14, 2019 5:44 UTC (Sun) by abo (subscriber, #77288) [Link] (2 responses)

There may be vulnerabilities which can be used to cause a file to be written to, as root, but which cannot be directly used to remount the root read/write.

What is Silverblue? (Fedora Magazine)

Posted Jul 14, 2019 8:43 UTC (Sun) by ballombe (subscriber, #9523) [Link] (1 responses)

All usual distributions allow /usr to be mounted read-only for a long time.This is nothing new.

What is Silverblue? (Fedora Magazine)

Posted Jul 15, 2019 17:51 UTC (Mon) by walters (subscriber, #7396) [Link]

Well, there are a few important distinctions here. The biggest is that rpm-ostree (and everything using libostree) *maintains that read-only mount* while upgrades are proceeding; you don't need to transiently turn it off. It's also on by default, which means it's tested a lot more than a non-default setup.

The read-only mount *does* stop some attacks, most notably the runc [CVE-2019-5736](https://github.com/opencontainers/runc/commit/0a8e4117e7f...).

What is Silverblue? (Fedora Magazine)

Posted Jul 14, 2019 17:22 UTC (Sun) by walters (subscriber, #7396) [Link]

The article is plain wrong; I'll see if we can get it fixed.

See also https://blog.verbum.org/2017/06/12/on-dm-verity-and-opera...

What is Silverblue? (Fedora Magazine)

Posted Jul 17, 2019 19:33 UTC (Wed) by rweikusat2 (subscriber, #117920) [Link] (2 responses)

"OS designed to be hostile to user modificiations" is a seriously odd outcome of the "free software" idea ...

What is Silverblue? (Fedora Magazine)

Posted Jul 17, 2019 19:45 UTC (Wed) by walters (subscriber, #7396) [Link]

That's not a correct characterization of the goals of the project, nor I think of the underlying motivations of really any of the people who work on it.

A high level goal is to encourage containerization - it's really *more* freeing and more flexible when one lives in containers as opposed to having everything in the root filesystem.

Supporting arbitrary package layering (as well as overrides) is a core function of the underlying rpm-ostree tool. And even more than that, while Silverblue isn't using it *yet* for Fedora CoreOS we've been working hard on https://github.com/coreos/coreos-assembler which is an opinionated way to build systems using rpm-ostree (and Ignition) that is...more user friendly than the raw rpm-ostree server-side build tools.

Eventually with coreos-assembler I'd like it to be as easy as the Dockerfile style of
```
FROM fedora/silverblue
<customizations>
```
(A lot of details here, it won't really be using docker images, but really it's not far off if you just run coreos-assembler and point it at the config git https://github.com/coreos/fedora-coreos-config )

And absolutely every piece of tooling involved is Free Software.

What is Silverblue? (Fedora Magazine)

Posted Aug 26, 2019 3:29 UTC (Mon) by immibis (subscriber, #105511) [Link]

I think the way my Android phone does it is a good compromise: It starts locked down, but I can unlock it, but not without erasing all of my data and displaying an un-removable boot screen saying it's unlocked. That way, I am free to choose to either have the security benefits of a locked down OS, or have the flexibility of a modifiable OS. And there is no way I might think my phone is running a locked down OS when it actually isn't.

What is Silverblue? (Fedora Magazine)

Posted Jul 17, 2019 19:41 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

Do you support Raspberry PI? I would love to move my VoIP home server to a system like this.

What is Silverblue? (Fedora Magazine)

Posted Jul 18, 2019 1:38 UTC (Thu) by mattdm (subscriber, #18) [Link] (1 responses)

We're currently only building Silverblue for x86_64, but in theory it would work on any other Fedora-supported architecture. (That includes Raspberry Pi 2 and 3, hopefully 4 soon, although because they're not always upstream-friendly Pi isn't our favorite ARM device.)

However, especially for your home VoIP server use case, you may be interested in Fedora IoT, which also uses ostree to provide many of the same advantages (although we expect you to use podman instead of flatpak). This is still in pre-release, but check it out at: https://docs.fedoraproject.org/en-US/iot/

What is Silverblue? (Fedora Magazine)

Posted Jul 18, 2019 2:14 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

I'm honestly quite lost in the amount of various "immutable system" projects from Fedora.

All I want is a (somewhat) stable base system that can be updated/rolled back automatically without fear of getting stuck and a way to package an application, so it can be updated separately. If possible without intermediate containers.

What is Silverblue? (Fedora Magazine)

Posted Jul 21, 2019 8:18 UTC (Sun) by Vogtinator (guest, #108551) [Link]

openSUSE MicroOS (and Kubic) are available for the RPi and other aarch64 platforms as well:

https://kubic.opensuse.org/blog/2019-01-30-kubiconaarch64/

Uses btrfs instead of rpm-ostree to achieve the same transactional behaviour with greater flexibility.


Copyright © 2019, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds