USB encrypted flash - enable binary execution

[Christopher Nugent]

Would it be possible to enable binary execution on a so-called "trusted" USB device.  Let's define "trusted" in this case to mean "encrypted with a key stored within the user's Google account that was either randomly determined by Google (and therefore only accessible within a ChromeOS instance where the user has logged in) or manually entered by the user".  I understand the rationale behind disabling flash drive execution in general, but I personally have some known trusted devices for which I would prefer it if binary execution could be enabled by default.

[Mike Frysinger]

what do you mean by "binary execution" ?  you want to put Linux programs on there and be able to execute them ?  or something else ?

-mike

On Mon, Dec 28, 2020 at 12:41 PM Christopher Nugent <skymag...@gmail.com> wrote:

Would it be possible to enable binary execution on a so-called "trusted" USB device.  Let's define "trusted" in this case to mean "encrypted with a key stored within the user's Google account that was either randomly determined by Google (and therefore only accessible within a ChromeOS instance where the user has logged in) or manually entered by the user".  I understand the rationale behind disabling flash drive execution in general, but I personally have some known trusted devices for which I would prefer it if binary execution could be enabled by default.

--
--
Chromium OS Developers mailing list: chromiu...@chromium.org
View archives, change email options, or unsubscribe:
https://groups.google.com/a/chromium.org/group/chromium-os-dev

[Christopher Nugent]

For me, yes. I'm trying to use my Chromebook as my main device. It actually works well, but I have custom-made executables (scripts and binaries) that I need to run. I switch between computers a lot. So I put my stuff on a flash drive that I then have to remount with 'exec' allowances. It is only a minor annoyance, but to be able to "trust" a USB flash device still seems useful. Off the top of my head, a so-called "trusted" device could be auto-mounted into Crostini (Penguin) with exec permissions, removing the need to put the device into Developer Mode.

Additionally, for people who are not Linux users, perhaps such a device could be used to store Android APKs and related data, or, possibly eventually, Windows programs (to execute via Wine/Proton).

To clarify, I can manually remount my drives, but the possiblity of "trusted" drives still seemed promising to me, and I wanted to ask about it.

[Mike Frysinger]

sorry, there is no chance of this happening :).  we're actively locking down the system to make this sort of thing harder in the future, and to further isolate the system & user state.

right now you should be able to share the USB device with Crostini and then run inside of that VM.  i suspect you can't exec it directly currently, but it's something we're thinking about -- star https://crbug.com/1159211 for updates.

n the meantime, you could copy+exec easily enough, and if it's a shell script, you can workaround with `bash ./foo.sh` inside the VM.

-mike

--

[Christopher Nugent]

Isn't that amount of locking a bit excessive? For sure lock down the main system, but what's wrong with allowing exec on drives connected to the VM?  Chromebooks still don't have much storage, and the point of locking down USB devices is because many cannot be trusted. For me, it seems that a simple (relatively) way to establish "trust" is to, first wipe the drive, and then encrypt it with a key tied to the Google account. The main caveat to this, that I can see, is that the drive would no longer be usable outside  of ChromeOS or a Linux distro, depending on how the encryption is implemented on the drive (because, you may use LUKs in order to provide a recovery key, per se).

I understand it was not your original goal, but ChromeOS is still one of the best Linux distros I have personally tried, mainly because the stability is, to me, unmatched. However,  not being able to run executables on external storage is a hinderance to my personal workflow. That said, if your minds are made up, I'll find another way.

---
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-os-d...@chromium.org.

[Mike Frysinger]

i'm not sure which part you're referring to, so to be clear, forcing noexec on all inserted devices for use outside of the VM is not excessive at all.  *nothing* should be allowed to be executed on the system that cannot be verified, and we define verified as "chain of trust back to Google".  users being able to execute arbitrary code while not in dev mode is a huge violation of the security model.  if you really want to execute arbitrary code, then that's why we provided dev mode.

for the VM, yes, it's debatable.  that's why i suggested you take a look at crbug.com/1159211.  i think it's reasonable to allow people to mount USB storage devices inside the VM with exec permissions.  we hadn't really considered that mode of use originally when we were focusing on implementing more basic things (like being able to share files/dirs with the VM at all which took quite a bit of effort).

-mike