Let's say I have 1 malicious computer and I install and verify Qubes on this compromised computer. Can I take the USB written with Qubes, take it to another computer on which I have installed and verified it, and compare it? So that a potential adversary will have to compromise two computers to have it infected. What I mean is plug the USB into a computer and compare the ISO on it and the ISO on the computer.
Hi Sks
From e.g. this post:
you should be able to read the data on the USB and make a digest of it to verify.
Thanks for your answer. So I should use this command:

```
sudo dd if=/dev/sdb bs=4096 count=$(($(stat -c '%s' /home/myname/Qubes-R4.2.4-x86_64.iso) / 4096)) | sha256sum
```

Why do I need to provide a Qubes ISO, if it does not verify and just provides a checksum of the USB? If I understand correctly, it just returns the SHA of the ISO written on the USB.
Hi Sks
Your USB stick is (or should be!) larger than the ISO … so the ISO is written from the start of the USB stick, but leaves some space empty/random.
If you calculate the sha256sum for the entire USB stick, it will not match the ISO … so you need to stop the sha256sum after the size of the ISO.
Thank you for your answer, that makes total sense! Correct me if I am wrong, but can't an attacker just put some malware after the ISO size? If the ISO is 6028372 B, can't an attacker just put an extra 30 bytes and deflect this attack?
Hi Sks
It’s correct that anything can be put in the space after the ISO – but that space is not referenced/read by the software on the ISO, so it doesn’t matter if it’s:
- all zeros
- all ones
- The Complete Works of Shakespeare
- or something from an attacker
In order for the attacker to make the ISO read the space after the ISO image, he/she/they/… would have to alter parts of the ISO - and thus change the sha256sum of the ISO.
Thank you for your answer @ChrisA. Very nicely explained. I will assume that it is as safe as someone can verify an ISO. Thanks again!!
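
The check discussed in this thread, as an added example that is not part of the original posts: hash exactly as many bytes of the stick as the ISO is long and compare the result with the ISO's own digest, ignoring whatever follows the image. It counts in bytes rather than whole 4096-byte blocks, so an ISO whose size is not a multiple of 4096 is still hashed to its last byte; the script name, `Qubes.iso` and `/dev/sdb` are placeholders, and GNU `stat`, `head` and `sha256sum` are assumed.

```sh
#!/bin/sh
# Added example: compare the start of a written USB stick with a verified ISO.
# Usage (placeholder paths): sudo sh verify_usb.sh Qubes.iso /dev/sdb

# SHA-256 of the first $2 bytes of $1 (a block device or a plain file).
prefix_sha256() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Returns 0 when the first <size of ISO> bytes of the device equal the ISO,
# 1 when they differ, 2 when an input cannot be read.
verify_written_iso() {
    iso=$1
    dev=$2
    if [ ! -r "$iso" ] || [ ! -r "$dev" ]; then
        echo "cannot read $iso or $dev" >&2
        return 2
    fi
    # Exact byte count: no rounding down to whole 4096-byte blocks.
    size=$(stat -c '%s' "$iso")
    iso_sum=$(sha256sum < "$iso" | cut -d' ' -f1)
    dev_sum=$(prefix_sha256 "$dev" "$size")
    echo "ISO: $iso_sum"
    echo "USB: $dev_sum (first $size bytes)"
    [ "$iso_sum" = "$dev_sum" ]
}

# Run the check only when called with both arguments.
if [ "$#" -eq 2 ]; then
    verify_written_iso "$1" "$2"
    exit $?
fi
```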