Changes between Version 2 and Version 3 of Security considerations


Timestamp:
04/30/25 10:36:55 (3 weeks ago)
Author:
enno
Comment:

--

  • Security considerations

    v2 v3  
    1 Let’s go through this from a security architecture perspective, and identify:
    2 
    3 Potential risks
    4 
    5 Mitigation strategies
     1= Potential risks
     2
     3== Mitigation strategies
    64
    75Recommendations specific to Guix in air-gapped, classified use
    86
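Review bot: The new headings at v3 lines 1 and 3 ("= Potential risks", "== Mitigation strategies") have no body text, and the unchanged line 5 ("Recommendations specific to Guix in air-gapped, classified use") is left as a bare sentence, although it reads as the third item of the list whose introduction was removed. Either keep the removed lead-in sentence and turn the three items into a bullet list, or drop the two empty headings. As written, "=== Security Risks in an Air-Gapped Guix Workflow" on line 7 is also nested under "== Mitigation strategies", which inverts the outline.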
    9 πŸ›‘️ Security Risks in an Air-Gapped Guix Workflow
    10 1. Supply Chain Attacks via Source Code
     7=== Security Risks in an Air-Gapped Guix Workflow
     8
     9==== Supply Chain Attacks via Source Code
     10
    1111Even though you're building from source, the upstream source code (tarballs, Git repos) may be maliciously modified.
    12 
    1312Guix uses cryptographic hash verification, but only against what is declared in the Guix package definition β€” not against independent trust anchors.
    1413
    15 βœ… Mitigations:
    16 
    17 Use guix build --source with hash-locked package definitions (content-addressed derivations).
    18 
    19 Use reproducible builds and determinism checks (e.g., compare build outputs across trusted builders).
    20 
    21 Consider maintaining a private mirror of trusted source code, and pin hash checks yourself.
    22 
    23 Use content scanning tools (e.g., static analyzers) on all .tar.gz and Git checkouts.
    24 
    25 2. Compromise via Channel Updates
     14'''Mitigations:'''
     15
     16* Use guix build --source with hash-locked package definitions (content-addressed derivations).
     17
     18* Use reproducible builds and determinism checks (e.g., compare build outputs across trusted builders).
     19
     20* Consider maintaining a private mirror of trusted source code, and pin hash checks yourself.
     21
     22* Use content scanning tools (e.g., static analyzers) on all .tar.gz and Git checkouts.
     23
     24==== Compromise via Channel Updates
     25
    2626Your Guix package definitions come from Git channels (e.g., guix.git, or your own).
    2727
    2828If your channel is compromised, malicious package definitions could be delivered.
    2929
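Review bot: The bullet at v3 line 20 ("pin hash checks yourself") is the only mitigation that addresses the gap stated on line 12, that hashes are checked only against the package definition, but it does not say what the pinned hash is compared against. State that the reference hash has to be obtained independently of the channel that carries the package definition, otherwise the check repeats the one Guix already does. Since the list is being reformatted anyway, the commands and file names on lines 16 and 22 (guix build --source, .tar.gz) would read better in monospace markup.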
    30 βœ… Mitigations:
    31 
    32 Use a pinned commit hash in your channels.scm.
    33 
    34 Verify the channel commit with signed Git commits or tags (Guix supports this).
    35 
    36 Host your own internal Guix channel for critical environments β€” control what definitions are trusted.
    37 
    38 Use guix time-machine to avoid rolling updates.
    39 
    40 3. Media Transfer Risks (USB, SD cards)
     30'''Mitigations:'''
     31
     32* Use a pinned commit hash in your channels.scm.
     33
     34* Verify the channel commit with signed Git commits or tags (Guix supports this).
     35
     36* Host your own internal Guix channel for critical environments β€” control what definitions are trusted.
     37
     38* Use guix time-machine to avoid rolling updates.
     39
     40==== Media Transfer Risks (USB, SD cards)
     41
    4142USB drives used for transferring .nar files or source archives can be a vector for malware, even in an air-gapped setup.
    4243
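Review bot: "(Guix supports this)" at v3 line 34 does not tell the reader which mechanism to rely on. Name it: channel authentication through a channel introduction and the channel's .guix-authorizations file, which guix pull and guix time-machine check, and which guix git authenticate can check on a plain checkout. For the internal channel recommended on line 36, say that it needs its own introduction and authorizations file, otherwise commit signatures on it are never verified.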
    43 βœ… Mitigations:
    44 
    45 Always format and scan USB media on a controlled, known-clean staging machine before inserting into classified systems.
    46 
    47 Use write-once optical media (DVD-R) where appropriate for immutable transfer.
    48 
    49 Prefer hash verification of transferred files (sha256sum sources.nar) using offline-known-good hashes.
    50 
    51 4. Build Environment Leakage
     44'''Mitigations:'''
     45
     46* Always format and scan USB media on a controlled, known-clean staging machine before inserting into classified systems.
     47
     48* Use write-once optical media (DVD-R) where appropriate for immutable transfer.
     49
     50* Prefer hash verification of transferred files (sha256sum sources.nar) using offline-known-good hashes.
     51
     52==== Build Environment Leakage
     53
    5254If the build process writes temporary files or outputs data to places outside the Guix store, secrets or traces of sensitive data could leak or persist.
    5355
    54 βœ… Mitigations:
    55 
    56 Use guix build inside a dedicated, minimal, reproducible system (e.g., a guix system vm).
    57 
    58 Enable build sandboxing (enabled by default in Guix).
    59 
    60 Disable networking in builders if not already (Guix does this by default, but confirm your configuration).
    61 
    62 Consider full-disk encryption for the build system.
    63 
    64 5. Tampered Nar Archives
     56'''Mitigations:'''
     57
     58* Use guix build inside a dedicated, minimal, reproducible system (e.g., a guix system vm).
     59
     60* Enable build sandboxing (enabled by default in Guix).
     61
     62* Disable networking in builders if not already (Guix does this by default, but confirm your configuration).
     63
     64* Consider full-disk encryption for the build system.
     65
     66==== Tampered Nar Archives
     67
    6568.nar archives imported into your air-gapped server could be tampered with in transit.
    6669
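Review bot: v3 line 60 says "Enable build sandboxing" and in the same breath that it is enabled by default, so the reader is given nothing to do. Reword it as a check, for example that guix-daemon is not started with --disable-chroot. Line 62 needs a caveat as well: the default no-network rule does not cover fixed-output derivations (source downloads), so on the connected staging side those builds do reach the network.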
    67 βœ… Mitigations:
    68 
    69 Sign the archive on the export side and verify the signature on the import side.
    70 
    71 Use GPG or minisign for signing hashes.
    72 
    73 Maintain a hash whitelist of approved .nar files on the classified system.
    74 
    75 Store all .nar imports in a sealed append-only log for auditing.
    76 
    77 βœ… High-Security Recommendations for Guix in Classified Environments
    78 
    79 Concern Recommendation
    80 Source authenticity     Use fixed-output derivations with pinned hashes
    81 Package definition trust        Host internal Guix channel; pin commit hashes
    82 Archive integrity       Sign .nar files and verify signatures
    83 Reproducibility Use multiple offline builders to cross-check outputs
    84 Logging Keep an audit trail of all imports and builds
    85 Isolation       Build in virtual machines or system containers with no network
    86 Transfer media  Sanitize USBs or use write-once optical media
    87 User separation Separate users for import, build, audit, and deployment tasks
    88 πŸ” Final Thoughts
     70'''Mitigations:'''
     71
     72* Sign the archive on the export side and verify the signature on the import side.
     73
     74* Use GPG or minisign for signing hashes.
     75
     76* Maintain a hash whitelist of approved .nar files on the classified system.
     77
     78* Store all .nar imports in a sealed append-only log for auditing.
     79
     80== High-Security Recommendations for Guix in Classified Environments
     81
     82|| Concern || Recommendation ||
     83|| Source authenticity  || Use fixed-output derivations with pinned hashes ||
     84|| Package definition trust || Host internal Guix channel; pin commit hashes ||
     85|| Archive integrity || Sign .nar files and verify signatures ||
     86|| Reproducibility || Use multiple offline builders to cross-check outputs ||
     87|| Logging || Keep an audit trail of all imports and builds ||
     88|| Isolation || Build in virtual machines or system containers with no network ||
     89|| Transfer media || Sanitize USBs or use write-once optical media ||
     90|| User separation || Separate users for import, build, audit, and deployment tasks ||
     91
     92== Final Thoughts
     93
    8994Guix offers an excellent foundation for secure, reproducible software environments.
    9095
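Review bot: v3 lines 72 and 74 recommend signing archives with GPG or minisign without mentioning that guix archive --export already signs the nar with the daemon's key, and that guix archive --import rejects archives whose signing key has not been authorized with guix archive --authorize. Say whether the external signature is meant to replace or to complement that built-in check, and add the key authorization step on the classified side. In the new table, line 82 should use header cells (||= Concern =||= Recommendation =||) so the first row renders as a header; line 83 also has a stray double space before the cell separator.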