23 Oct 2016

Desktop OS Images Should Be Cryptographically Signed

My Mac stopped working properly, so I had to reinstall macOS, downloading a 5GB OS image from Apple's servers. On my 4 Mbps connection, that took hours, and saturated the connection all the while, preventing any other use of the Internet.

Desktop OSs are still stuck in the past compared to mobile OSs and Chrome OS. I wouldn't have had to download another copy of the OS if the existing image could be proven not to be corrupt. That's hard to do on a desktop OS, where the user has administrator access. The user, and many apps acting on the user's behalf, can and do alter files outside the home directory. Most installers, in particular, prompt for an administrator password. Under such conditions, one can't guarantee after the fact that no unintended changes were made to system files and directories.

The solution is to cryptographically sign the OS image and store it in a separate partition. This partition would hold only files that are not modified as the OS runs: the code of the OS, drivers, fonts, non-editable config files, and so on. It wouldn't store files that change as the OS runs, like log files, config files that the user edits, the directory into which third-party apps are installed, or home directories. All of these would reside in a separate user partition.

The OS image partition would be mounted read-only. Nothing in this partition would be writable or deletable by the user, even the administrator [1], or by apps running as administrator, like an installer for a third-party app. The only thing that could write to this partition would be the OS updater. The entire partition would be checksummed and cryptographically signed by the OS vendor, Apple in this case. So even if someone found a way to write to this partition, the checksum wouldn't validate later, and we would be able to detect corruption of the OS image. The OS image could no longer become corrupt without us being able to detect it [2].
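The mechanism in the paragraph above, as an added example that is not from the original post or from any vendor's code: the "checksum of the entire partition" is modelled as a sorted manifest of per-file SHA-256 digests, the vendor signs the hash of that manifest with an Ed25519 key, and verification first checks the vendor signature and then rebuilds the manifest from the partition's current contents. The tiny in-memory partition, its file paths, and the function names are all constructed for illustration; a real implementation would read the mounted read-only partition and carry the vendor's public key in firmware or the bootloader.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Image stands in for the read-only OS partition: path -> file contents.
type Image map[string][]byte

// SampleImage returns a constructed toy partition (not a real OS image).
func SampleImage() Image {
	return Image{
		"/System/kernel":           []byte("kernel code v1"),
		"/System/drivers/net.kext": []byte("network driver"),
		"/System/Fonts/Mono.ttf":   []byte("font data"),
	}
}

// BuildManifest lists every file with its SHA-256 digest, one line per file,
// sorted by path so identical contents always produce identical bytes.
func BuildManifest(img Image) []byte {
	paths := make([]string, 0, len(img))
	for p := range img {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(img[p])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return []byte(b.String())
}

// Root is the single checksum over the whole partition: a hash of the manifest.
func Root(manifest []byte) []byte {
	sum := sha256.Sum256(manifest)
	return sum[:]
}

// Sign is what the vendor does once, at build time, with its private key.
func Sign(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, Root(manifest))
}

// Verify is what the machine does at boot or on demand: check the vendor's
// signature on the shipped manifest, then check the partition against it.
func Verify(pub ed25519.PublicKey, img Image, signedManifest, sig []byte) error {
	if !ed25519.Verify(pub, Root(signedManifest), sig) {
		return errors.New("manifest signature invalid: not signed by the OS vendor")
	}
	if string(BuildManifest(img)) != string(signedManifest) {
		return errors.New("partition differs from signed manifest: OS image corrupt or tampered")
	}
	return nil
}

// parseManifest turns manifest lines back into path -> digest.
func parseManifest(m []byte) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(string(m), "\n") {
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) == 2 {
			out[parts[1]] = parts[0]
		}
	}
	return out
}

// ChangedPaths names files whose digest differs between the signed manifest and
// the current one (modified, added or removed), so a repair can restore only those.
func ChangedPaths(signedManifest, currentManifest []byte) []string {
	want, got := parseManifest(signedManifest), parseManifest(currentManifest)
	changed := []string{}
	for p, d := range want {
		if got[p] != d {
			changed = append(changed, p)
		}
	}
	for p := range got {
		if _, known := want[p]; !known {
			changed = append(changed, p)
		}
	}
	sort.Strings(changed)
	return changed
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := SampleImage()
	manifest := BuildManifest(img)
	sig := Sign(priv, manifest)
	fmt.Println("pristine image:", Verify(pub, img, manifest, sig))
	// Simulate an installer running as administrator overwriting a driver.
	img["/System/drivers/net.kext"] = []byte("modified driver")
	fmt.Println("after modification:", Verify(pub, img, manifest, sig))
	fmt.Println("files to restore:", ChangedPaths(manifest, BuildManifest(img)))
}
```

The two-step check matters: verifying the signature alone only proves the manifest came from the vendor, and hashing the partition alone only proves it matches some manifest; together they prove the partition matches what the vendor shipped. Because the manifest is per-file, a failed check also says which files to restore, which is what makes a cheap factory reset possible without re-downloading the whole image.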

This means there would be no reason to download another copy of the OS, and you'd be able to do an easy factory reset. Desktop OSs are, in a sense, poorly designed and defective because they can't be factory reset. It's time to fix that.

[1] One can imagine an overlay filesystem that lets the administrator modify any file or directory, while being able to safely undo such a change later.

[2] Which is not to say that tinkerers shouldn't be able to turn these checks off.
