Feature #11703

Consider not starting ekeyd by default

Added by cypherpunks 2016-08-23 16:53:52. Updated 2016-10-06 10:08:10.

Status:
Rejected
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2016-08-23
Due date:
% Done:

0%

Feature Branch:
Type of work:
Discuss
Blueprint:

Starter:
0
Affected tool:
Additional Software Packages
Deliverable for:

Description

EntropyKey is a rare USB TRNG made by a company that shut down production years ago. The device requires its own custom, no longer developed daemon, which runs as root and monitors all inserted USB devices. It requires this because EntropyKey has its own proprietary firmware running on the device, so unlike other popular USB TRNGs, it cannot use well-maintained alternatives like rngd.

Feature #7687, which was to remove ekeyd entirely due to the increased attack surface area it provides (it even links against liblua), was rejected. I was going to contest that rejection, but decided instead to create a new ticket to consider keeping the package without the corresponding service automatically starting. In that previous ticket, ioerror said that he used EntropyKey and asked not to have it removed, resulting in its rejection. Why not keep the package installed, but have it no longer start by default? Anyone who uses it could trivially start it up, and everyone else (well over 99.99%) would not have to have an unmaintained daemon running as root for a rare USB device made by a company that no longer exists.


Subtasks


Related issues

Related to Tails - Feature #7687: Remove ekeyd Resolved 2014-07-29

History

#1 Updated by goupille 2016-08-31 13:07:28

  • Assignee set to sajolida

sajolida, I assigned this one to you because you handle the other one

#2 Updated by sajolida 2016-09-01 07:23:47

#3 Updated by sajolida 2016-09-01 07:37:11

  • Status changed from New to Confirmed
  • Assignee deleted (sajolida)
  • Type of work changed from Research to Discuss

I’m all for removing useless stuff from Tails. Two years have passed since we rejected Feature #7687 so I’m reopening it, see Feature #7687#note-5.

#4 Updated by intrigeri 2016-09-10 07:26:04

#5 Updated by intrigeri 2016-09-10 07:26:15

#6 Updated by intrigeri 2016-09-10 07:29:59

I’d rather focus the discussion on Feature #7687 first, but this made me curious:

cypherpunks wrote:
> Anyone who uses it could trivially start it up […]

How? (Hint: anything that requires a Terminal does not count as “trivial” here :)

#7 Updated by intrigeri 2016-09-11 03:55:59

#8 Updated by intrigeri 2016-09-11 03:56:25

  • Status changed from Confirmed to Rejected

We’re going to drop it (Feature #7687).

#9 Updated by intrigeri 2016-09-11 03:56:36

#10 Updated by cypherpunks 2016-10-06 10:08:10

intrigeri wrote:
> I’d rather focus the discussion on Feature #7687 first, but this made me curious:
>
> cypherpunks wrote:
> > Anyone who uses it could trivially start it up […]
>
> How? (Hint: anything that requires a Terminal does not count as “trivial” here :)

A udev rule that checks for the presence of an inserted EntropyKey at boot, and starts the service if it is present. Checking only at boot would be preferred to checking constantly so an attacker with a 0day for ekeyd triggered with a malicious USB device cannot get their way.
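To make the boot-only check in the comment above concrete, here is an added example (it is not part of Tails, ekeyd or this ticket). A udev rule matches device add events whenever they happen, including hotplug after boot, so a script run once from a boot-time oneshot unit is the closer fit for "check at boot, not constantly". The USB vendor and product IDs are assumptions and must be confirmed with `lsusb` while the key is plugged in; the script name `ekeyd-boot-check.sh` and the unit name `ekeyd.service` are likewise assumed.

```shell
#!/bin/sh
# ekeyd-boot-check.sh: run once at boot; start ekeyd only if an Entropy Key
# is already attached. Added example, not Tails or ekeyd code.
#
# ASSUMED USB IDs; verify with `lsusb` before relying on them.
EKEY_VENDOR="${EKEY_VENDOR:-20df}"
EKEY_PRODUCT="${EKEY_PRODUCT:-0001}"
# sysfs root listing USB devices; overridable so the check can be tested
# against a constructed directory tree.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# ekey_present [DIR]: return 0 if any device under DIR carries the expected
# vendor/product pair, 1 otherwise. Only devices enumerated before this runs
# (i.e. present at boot) are seen; nothing is re-checked on later hotplug.
ekey_present() {
    dir="${1:-$SYSFS_USB}"
    for dev in "$dir"/*/; do
        [ -r "$dev/idVendor" ] && [ -r "$dev/idProduct" ] || continue
        if [ "$(cat "$dev/idVendor")" = "$EKEY_VENDOR" ] &&
           [ "$(cat "$dev/idProduct")" = "$EKEY_PRODUCT" ]; then
            return 0
        fi
    done
    return 1
}

# Act only when executed as the boot script, not when sourced for testing.
if [ "${0##*/}" = "ekeyd-boot-check.sh" ]; then
    if ekey_present; then
        # Assumed unit name; the daemon is otherwise left disabled.
        systemctl start ekeyd.service
    else
        echo "no Entropy Key present at boot; ekeyd stays stopped" >&2
    fi
fi
```

Wire it up with a `Type=oneshot` unit ordered after udev has settled so coldplugged devices are already enumerated, and leave `ekeyd.service` itself disabled. Plugging the key in later does nothing until the next boot, which is the property the comment asks for.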