WIP: 2020-02-19-opnsense-xen-trenchboot-demo.md #204
Conversation
…oncept of blog post Signed-off-by: Piotr Kleinschmidt <[email protected]>
…ion of product Signed-off-by: Piotr Kleinschmidt <[email protected]>
| - *coreboot + TrenchBoot* ensure user that current firmware and further loaded | ||
| components are not compromised | ||
| - *virtualization* solves WiFi card support problem in BSD firewalls and adds | ||
| additional security |
There was a problem hiding this comment.
| additional security | |
| additional security without significant performance penalty |
?
| - [pfSense under Xen - part 2](https://blog.3mdeb.com/2019/2019-12-13-pfsense-boot-under-xen/) | ||
|
|
||
| When you already have basic knowledge, we can move on to the essential part of | ||
| this section. |
There was a problem hiding this comment.
@piotr-kleins I believe here we should have a summary of concepts explained in other posts. The methodology that you use will not work since people typically do not have enough time to dig in into all that stuff. Please present summary and mention that if you need deep dive you can find it in above posts.
| by virtualization. It introduces another level of security. Closing entities | ||
| (such as network interface, firewall software or operating system) in separate | ||
| environments minimizes the effects of a potential attack. User can be sure that | ||
| virus doesn't spread out to entire system, but stay only in infected part. |
There was a problem hiding this comment.
@piotr-kleins it works both ways, firmware from wifi card has hard time to infect system if correct IOMMU configuration was used and firewall VM is isolated from real hardware. The question is what is the performance penalty? We should provide benchmarks to prove our thesis.
| environments minimizes the effects of a potential attack. User can be sure that | ||
| virus doesn't spread out to entire system, but stay only in infected part. | ||
|
|
||
| The idea of virtualization and separation is well implemented in **Qubes OS**. |
There was a problem hiding this comment.
@pietrushnic link to QubesOS website
| gives user an assurance that an upgrade is safe and can be done almost without | ||
| effort. Of course, vendors can't sign up to trusted list just like that. Each | ||
| must complete verification process and only then can be marked as confirmed and | ||
| trusted vendor. |
There was a problem hiding this comment.
@piotr-kleins we should mention that we are recognized as fwupd/LVFS consultants and link here: https://fwupd.org/lvfs/docs/consulting
There was a problem hiding this comment.
and provide integration services
| our [LVFS and fwupd blog | ||
| post](https://blog.3mdeb.com/2019/2019-07-11-how-to-safely-and-easily-update-your-firmware/). | ||
|
|
||
| ## Our implementation - final demo |
There was a problem hiding this comment.
@piotr-kleins where is demo?
| ## Our implementation - final demo | ||
|
|
||
|
|
||
| ## Summary |
There was a problem hiding this comment.
@piotr-kleins here we need pitch that we can provide such image for any platform if someone is interested in. Also maybe it would be great to mention how dom0 would ba upgraded and build?
There was a problem hiding this comment.
Also there are no system diagrams and execution flows.
Signed-off-by: Piotr Kleinschmidt [email protected]