About this fight around device-mode and the famous “power-off or push button”.
Possible solution to that: TPM, Key-Pair file in boot, or similar.
It’s clear that the MikroTik guys are trying to do something good.
Certainly it’s related to security and to avoiding the use of MikroTik devices as a denial-of-service attack vector.
I guess they were probably “kindly” forced by some government to do something about that.
And they are doing it! And I reinforce: THIS IS A GOOD THING.
This “physical access to the device” is the only way they found to verify that those “possible malicious actions” are not malicious.
But what if it were possible to get a remote signal saying “Yes, this is trustworthy” from someone that the device could cryptographically validate?
P.S.:
This leads me to another unicorn that exists in MikroTik’s world:
“The MikroTik Devices Controller”
haha.jpg
That push could come via API/Secure-API/REST-API/TR-069, bringing an “It’s safe to do what the other guy is saying” in a cryptographically signed message that only a “trustable guy” could produce.
For that, the ideal would be some kind of hardware-based cryptographic key. I guess a TPM would be ideal for that.
But I have never heard any mention of this type of hardware in any MikroTik hardware. If it exists, it would be great.
So I think this is a solution that will only be implemented and available 10 years from now.
An alternative to the hardware key would be to put the cryptographic keys on a boot partition (or similar). Not a perfect alternative, but maybe reasonable.
Something to be studied.
But if the hypothesis were accepted, another discussion comes up:
Who will generate those certificates? And how would those certificates be inserted there?
(It reminds me of some very old discussions on the Linux mailing list. haha)
Dreaming a bit here in my own world where everything is possible:
“/ip/cloud” already has something to deal with key-pairs; maybe a new release would have a feature like:
“The special reboot cycle that will write the file on the boot partition will only occur on releases newer than X.Y.Z, and it will only occur if the device can connect to /ip/cloud and is ‘flagged: no’.”
For now it’s just an idea!
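The remote-approval exchange sketched in the post above, written out as an added example that is not part of the original post and is not anything MikroTik ships: a hypothetical controller (the “trustable guy”) signs a device-bound, short-lived, single-use approval with Ed25519, and the device verifies it against a single pinned public key, standing in for a key held in a TPM or on the boot partition. The message format, the `Authorization`/`Controller`/`Device` names, the device serial and the in-memory replay cache are all assumptions made here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Authorization is the message the controller signs. Constructed for this
// example; RouterOS and /ip/cloud define no such format.
type Authorization struct {
	DeviceID string `json:"device_id"` // approval is bound to one device
	Action   string `json:"action"`    // what is approved, e.g. "device-mode/update"
	Nonce    string `json:"nonce"`     // random, single-use: blocks replay of a captured approval
	Expires  int64  `json:"expires"`   // unix seconds; keeps the approval short-lived
}

// SignedAuthorization is what would travel over the API/REST/TR-069 channel.
type SignedAuthorization struct {
	Payload   []byte `json:"payload"`   // JSON-encoded Authorization, signed as-is
	Signature []byte `json:"signature"` // Ed25519 signature over Payload
}

// Controller is the hypothetical trusted party; it alone holds the private key.
type Controller struct{ priv ed25519.PrivateKey }

// Device holds only the controller's public key, pinned at provisioning time
// (the key that would sit in a TPM or on the boot partition), plus a replay cache.
type Device struct {
	ID   string
	pub  ed25519.PublicKey
	seen map[string]bool  // consumed nonces; in-memory here, so per boot only
	now  func() time.Time // injectable clock so expiry is testable
}

var (
	ErrBadSignature = errors.New("signature does not verify against the pinned controller key")
	ErrWrongDevice  = errors.New("approval was issued for a different device")
	ErrWrongAction  = errors.New("approval does not cover the requested action")
	ErrExpired      = errors.New("approval has expired")
	ErrReplay       = errors.New("approval nonce was already used")
)

// NewController generates a signing key and returns the public half that
// has to be provisioned into every device meant to trust this controller.
func NewController() (*Controller, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Controller{priv: priv}, pub, nil
}

// Authorize issues a signed, device-bound, short-lived approval for one action.
func (c *Controller) Authorize(deviceID, action string, ttl time.Duration, now time.Time) (SignedAuthorization, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return SignedAuthorization{}, err
	}
	payload, err := json.Marshal(Authorization{
		DeviceID: deviceID, Action: action,
		Nonce:   hex.EncodeToString(nonce),
		Expires: now.Add(ttl).Unix(),
	})
	if err != nil {
		return SignedAuthorization{}, err
	}
	return SignedAuthorization{Payload: payload, Signature: ed25519.Sign(c.priv, payload)}, nil
}

// NewDevice creates a device that trusts exactly one controller key.
func NewDevice(id string, controllerPub ed25519.PublicKey, now func() time.Time) *Device {
	return &Device{ID: id, pub: controllerPub, seen: map[string]bool{}, now: now}
}

// Verify decides whether the device may perform action on the strength of sa.
// The signature is checked before any field of the payload is trusted.
func (d *Device) Verify(sa SignedAuthorization, action string) error {
	if !ed25519.Verify(d.pub, sa.Payload, sa.Signature) {
		return ErrBadSignature
	}
	var a Authorization
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return err
	}
	if a.DeviceID != d.ID {
		return ErrWrongDevice
	}
	if a.Action != action {
		return ErrWrongAction
	}
	if !d.now().Before(time.Unix(a.Expires, 0)) {
		return ErrExpired
	}
	if d.seen[a.Nonce] {
		return ErrReplay
	}
	d.seen[a.Nonce] = true
	return nil
}

func main() {
	ctrl, pub, err := NewController()
	if err != nil {
		panic(err)
	}
	dev := NewDevice("serial-0001", pub, time.Now) // constructed device identity
	sa, _ := ctrl.Authorize("serial-0001", "device-mode/update", 5*time.Minute, time.Now())
	fmt.Println("first use:", dev.Verify(sa, "device-mode/update"))
	fmt.Println("replay:   ", dev.Verify(sa, "device-mode/update"))
}
```

Two caveats the sketch makes visible: the replay cache lives in memory, so after a reboot a captured approval would verify again unless consumed nonces are persisted or a monotonic counter is used instead; and the whole scheme is only as strong as the provenance of the pinned public key, which is exactly the open question above of who generates it and how it gets onto the device.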