@superkevingit 2016-04-05T15:27:21.000000Z Word count: 4988 Views: 1928

Crouton(Security)


Just for my own amusement; if it's not good, please don't flame me, lalala~


crouton is not and cannot be as secure as Chromium OS in verified mode. Here's why:

crouton is far less secure than Chromium OS in verified mode. There are several reasons for this:


Chromium OS's security out of the box is extremely good. All code that is natively run is either explicitly vetted by the chain of trust that starts from the embedded controller (the OS and Chrome itself) or permuted such that it cannot escape a narrowly-defined sandbox (NaCl, Pepper plugins, etc). If you have a Chromebook and you're running ChromeOS, it's even better, as the chain of trust starts from the TPM. (This might be a little off on the details, but secure boot is way better documented elsewhere.) Since arbitrary code can't run, you don't get keyloggers, screen readers, session/password hijackers running natively on the machine. Your user profile is encrypted with your password, and if you lock the screen or reboot, there's no way to access the unencrypted contents.

Chromium OS's built-in security is very good. All code that runs natively is either explicitly vetted by the chain of trust started by the operating system or Chrome itself (the embedded controller), or runs inside a narrowly defined sandbox (NaCl, Pepper plugins, etc.). If you are using a Chromebook running ChromeOS, it is even safer, because the chain of trust starts from the TPM (Trusted Platform Module). (This explanation may be lacking in some details, but secure boot is explained much more thoroughly in other documentation.) Since there is no arbitrary code execution, you will not be threatened by keyloggers, screen readers, session or password hijackers, and so on running natively on the machine. Your user files are encrypted with your password, and after you lock the screen or reboot, an intruder cannot access the unencrypted contents.


Of course, without arbitrary code execution, crouton can't work. So you enable dev mode.

Of course, without permission to execute arbitrary code, crouton cannot run. So you have to enable developer mode.


Dev mode out of the box does several things that compromise security, including disabling verified boot, enabling VT2, and activating passwordless root shell access. This means even without crouton, if you're in dev mode, someone can switch to VT2, log in as root and add a keylogger that runs at startup, then switch back without you knowing. If you're logged in, they can also access the unencrypted contents of your Chrome profile and copy it elsewhere. If an exploit to Chrome is found, verified boot will no longer protect you from persistent compromises. Essentially, dev mode by default is less physically secure than a standard laptop running Linux*.

Developer mode out of the box does several things that compromise security, including disabling verified boot, enabling the second virtual terminal (Ctrl+Alt+F2), and activating passwordless root access. This means that even without crouton, as long as you have developer mode enabled, an intruder can switch to the second virtual terminal without your knowledge, log in as root and add a keylogger that starts at boot, then switch back. If you are logged in, the intruder can also access your unencrypted Chrome profile data and copy it to a remote host. If an exploit for Chrome is found, you will no longer be protected by verified boot. Essentially, in the general case, a chroot environment running on a Chromebook in developer mode is much less secure than a full Linux distribution running on a laptop.


crouton adds a huge attack vector to the system by running a lot of unvetted code (i.e., all of Debian/Ubuntu/whatever). While it tries pretty hard to keep things restricted for non-root and installing and running as few things as possible, fundamentally there's nothing about a chroot that prevents a process with root access from escaping the chroot and compromising Chromium OS itself. So any remote root exploit anywhere in your Linux distro of choice now could be used to compromise Chromium OS.

Because using crouton opens a chroot environment (Debian/Ubuntu or any other distribution), the execution of a large amount of unvetted code exposes the system (including ChromeOS and the chroot environment) to far greater intrusion risk (it adds a huge attack vector). Although crouton tries as hard as it can to restrict non-root operations and to install and run as few programs as possible, fundamentally a chroot environment cannot prevent a process with root privileges from leaving the chroot and compromising Chromium OS itself. So whichever Linux distribution you use, a remote root exploit can be used to compromise your Chromium OS. (So even though it is a chroot environment, it still poses a certain degree of threat to Chromium OS itself.)


crouton gives you the option to encrypt your chroot, which attempts to regain a lot of the security guarantees of stock Chromium OS. For starters, it refuses to let you mount an encrypted chroot without first setting a root password. So the VT2 attack is password-protected, which helps physical security (assuming you don't leave your chroot's graphical session unlocked). It re-enables verified boot when it can, although this is a bit of a false sense of security, as anything with the ability to escape the chroot and edit the rootfs also has the permissions necessary to disable verified boot again as well. But it does enable you to check at bootup whether verification is enabled if you're paranoid (press TAB at the Scary Warning Screen), so if you reboot and you see verification is enabled at the boot screen, you can be reasonably sure you haven't been persistently compromised inside Chromium OS. Once you enter the chroot after booting, though, that guarantee is of course gone. Finally, crouton encrypts the entire chroot and prevents non-root users from accessing the unencrypted mount. This is to protect your chroot from Chromium OS; if you reboot or Chromium has a non-root exploit, nothing can touch your chroot (or if it does, at least the chroot will break so it's obvious).

crouton offers the option of encrypting the chroot environment, which is used to strengthen the security of Chromium OS. For first-time users, crouton requires you to set a root password before it will mount an encrypted chroot environment. Thus the second-virtual-terminal attack is password-protected, which improves physical security (be sure to lock the chroot's graphical session when you step away). At the same time, crouton re-enables verified boot wherever it can, although this is only a self-assumed sense of security (because a process with the privileges to escape the chroot and modify the root OS also has the privileges to disable verified boot again). But if you are careful enough, you can check at boot whether verified boot is enabled (press TAB when the warning screen appears), so if you see on the reboot screen that verification is enabled, you can be confident that your Chromium OS is currently not compromised. Of course, once you boot and enter the chroot environment, these security guarantees are gone. Finally, crouton encrypts the entire chroot environment to prevent non-root users from accessing the unencrypted directory. This also protects your chroot environment from Chromium OS; for example, if you reboot or a non-root exploit is found in Chromium, your chroot environment is still safe (and even if it were compromised, the chroot environment would break, so the security is obvious).
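The three dev-mode weakenings listed above (verified boot off, VT2 reachable, passwordless root) and the root-password requirement of an encrypted chroot can be checked from the Chromium OS side. The following audit helper is an added example, not crouton's own code; it assumes `crossystem` with no arguments prints one `name = value # description` line per field (field names `mainfw_type`, `devsw_boot` and `dev_boot_signed_only` are crossystem's), and that the dev-mode root password set by `chromeos-setdevpasswd` is stored in `/mnt/stateful_partition/etc/devmode.passwd` (an assumption about the path).

```shell
#!/bin/sh
# Added dev-mode audit helper for a Chromebook; not crouton's own code.
# Reads a crossystem dump and reports the weakened controls the wiki lists
# for dev mode. Assumption: the dev-mode root password file path below is
# the one crouton checks before mounting an encrypted chroot.

# cs_get KEY DUMP: value of KEY from a crossystem dump. Both "key=value"
# and "key = value # description" lines parse.
cs_get() {
    printf '%s\n' "$2" \
        | sed -n "s/^$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" \
        | head -n 1
}

# audit_devmode DUMP PASSWD_FILE: print one FINDING line per weakened
# control, then a "findings=N" summary. Always returns 0.
audit_devmode() {
    dump=$1; passwd_file=$2; n=0
    if [ "$(cs_get mainfw_type "$dump")" = "developer" ] \
        || [ "$(cs_get devsw_boot "$dump")" = "1" ]; then
        echo "FINDING: developer firmware active; verified boot is off and VT2 is reachable"
        n=$((n + 1))
        if [ "$(cs_get dev_boot_signed_only "$dump")" != "1" ]; then
            echo "FINDING: unsigned kernels may boot; a modified rootfs goes undetected"
            n=$((n + 1))
        fi
        if [ ! -s "$passwd_file" ]; then
            echo "FINDING: no dev-mode root password; VT2 root login is passwordless"
            n=$((n + 1))
        fi
    fi
    echo "findings=$n"
}

# Constructed sample: stock developer mode right after enabling it.
SAMPLE_DEVMODE='mainfw_type            = developer   # Active main firmware type
devsw_boot             = 1           # Developer switch position at boot
dev_boot_signed_only   = 0           # Only boot signed kernels in dev mode'

# Constructed sample: verified (normal) mode, the baseline the wiki praises.
SAMPLE_VERIFIED='mainfw_type            = normal      # Active main firmware type
devsw_boot             = 0           # Developer switch position at boot'

# Live use on a Chromebook (path is an assumption, see above):
#   audit_devmode "$(crossystem)" /mnt/stateful_partition/etc/devmode.passwd
```

A dev-mode machine with no password reports three findings; setting the root password and enforcing signed kernels reduces it to the one finding that cannot be removed while staying in dev mode.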


Despite that, an encrypted chroot absolutely does not have the same strong security guarantees that fully-verified ChromeOS has. At best, it's a tad better than a stock Linux distribution.

Despite this, an encrypted chroot environment still does not have security guarantees as strong as those of a fully verified ChromeOS. (But at least it is a bit better than a stock Linux distribution (what is that? something joint-stock?).)


* Clarification: On a standard laptop running full Linux, the system can be physically compromised by rebooting into single-user maintenance mode to obtain root, but this does not threaten an encrypted hard drive. In developer mode, you can switch to the second virtual terminal and obtain root at any time, and obviously your files can then be accessed freely.
