Feature #11703
Consider not starting ekeyd by default
0%
Description
EntropyKey is a rare USB TRNG made by a company which has shut down production years ago. The device requires its own, custom, no longer developed daemon which runs as root and monitors all USB devices inserted. It requires this because EntropyKey has its own proprietary firmware running on the device, so unlike other popular USB TRNGs, it cannot use well-maintained alternatives like rngd.
Feature Feature #7687 was rejected, which was to remove ekeyd entirely due to the increased attack surface area it provides (it even links against liblua). I was going to contest that rejection, but I decided to create a new ticket to consider keeping the package, but without the corresponding service automatically starting. In that previous ticket, ioerror said that he used EntropyKey, and asked not to have it removed, resulting in its rejection. Why not keep the package installed, but have it no longer start by default? Anyone who uses it could trivially start it up, and everyone else (well over 99.99%) would not have to have an unmaintained daemon running as root for a rare USB device made by a company that no longer exists.
Subtasks
History
#1 Updated by goupille 2016-08-31 13:07:28
- Assignee set to sajolida
sajolida, I assigned this one to you because you handle the other one
#2 Updated by sajolida 2016-09-01 07:23:47
- related to
Feature #7687: Remove ekeyd added
#3 Updated by sajolida 2016-09-01 07:37:11
- Status changed from New to Confirmed
- Assignee deleted (
sajolida) - Type of work changed from Research to Discuss
I’m all for removing useless stuff from Tails. Two years have passed since we rejected Feature #7687 so I’m reopening it, see Feature #7687#note-5.
#4 Updated by intrigeri 2016-09-10 07:26:04
- related to deleted (
)Feature #7687: Remove ekeyd
#5 Updated by intrigeri 2016-09-10 07:26:15
- blocked by
Feature #7687: Remove ekeyd added
#6 Updated by intrigeri 2016-09-10 07:29:59
I’d rather focus the discussion on Feature #7687 first, but this made me curious:
cypherpunks wrote:
> Anyone who uses it could trivially start it up […]
How? (Hint: anything that requires a Terminal does not count as “trivial” here :)
#7 Updated by intrigeri 2016-09-11 03:55:59
- blocks deleted (
)Feature #7687: Remove ekeyd
#8 Updated by intrigeri 2016-09-11 03:56:25
- Status changed from Confirmed to Rejected
We’re going to drop it (Feature #7687).
#9 Updated by intrigeri 2016-09-11 03:56:36
- related to
Feature #7687: Remove ekeyd added
#10 Updated by cypherpunks 2016-10-06 10:08:10
intrigeri wrote:
> I’d rather focus the discussion on Feature #7687 first, but this made me curious:
>
> cypherpunks wrote:
> > Anyone who uses it could trivially start it up […]
>
> How? (Hint: anything that requires a Terminal does not count as “trivial” here :)
A udev rule that checks for the presents of an inserted EntropyKey at boot, and starts the service if it is present. Checking only at boot would be preferred to checking constantly so an attacker with a 0day for ekeyd triggered with a malicious USB device cannot get their way.