Replace gnupg with signify

Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>

Makefile

@@ -80,7 +80,7 @@ define define_module =
     $(build)/$($1_dir)/.config: $(build)/$($1_dir)/.canary
 	touch "$$@"
   endif
-  
+
 
   # Use the module's configure variable to build itself
   $(build)/$($1_dir)/.configured: \
@@ -143,10 +143,12 @@ endef
 
 $(foreach _, $(call bins,kexec), $(eval $(call initrd_bin_add,$_)))
 $(foreach _, $(call bins,tpmtotp), $(eval $(call initrd_bin_add,$_)))
+$(foreach _, $(call bins,signify), $(eval $(call initrd_bin_add,$_)))
 
 $(foreach _, $(call libs,tpmtotp), $(eval $(call initrd_lib_add,$_)))
 $(foreach _, $(call libs,mbedtls), $(eval $(call initrd_lib_add,$_)))
 $(foreach _, $(call libs,qrencode), $(eval $(call initrd_lib_add,$_)))
+$(foreach _, $(call libs,signify), $(eval $(call initrd_lib_add,$_)))
 
 #$(foreach _, $(call outputs,xen), $(eval $(call initrd_bin,$_)))
 
@@ -169,17 +171,15 @@ $(build)/$(coreboot_dir)/util/cbmem/cbmem: $(build)/$(coreboot_dir)/.canary
 	make -C "$(dir $@)"
 
 # Mounting dm-verity file systems requires dm-verity to be installed
-# We use gpgv to verify the signature on the root hash.
+# We use signify to verify the signature on the root hash.
 # Both of these should be brought in as modules instead of from /sbin
 #initrd_bins += initrd/bin/cryptsetup
 initrd/bin/cryptsetup: /sbin/cryptsetup
 	cp "$<" "$@"
+
 initrd_bins += initrd/bin/dmsetup
 initrd/bin/dmsetup: /sbin/dmsetup
 	cp "$<" "$@"
-initrd_bins += initrd/bin/gpgv
-initrd/bin/gpgv: /usr/bin/gpgv
-	cp "$<" "$@"
 
 # Update all of the libraries in the initrd based on the executables
 # that were installed.
@@ -216,7 +216,7 @@ initrd.cpio: $(initrd_bins) $(initrd_libs) initrd_lib_install
 	) \
 	| cpio --quiet -H newc -o \
 	| ../cpio-clean \
-		> "../$@.tmp" 
+		> "../$@.tmp"
 	if ! cmp --quiet "$@" "$@.tmp"; then \
 		mv "$@.tmp" "$@"; \
 	else \
@@ -225,7 +225,7 @@ initrd.cpio: $(initrd_bins) $(initrd_libs) initrd_lib_install
 	fi
 
 initrd.intermediate: initrd.cpio
-	
+
 
 # populate the coreboot initrd image from the one we built.
 # 4.4 doesn't allow this, but building from head does.

README.md

@@ -176,56 +176,26 @@ header so that the firmware can validate the image before mounting it.
 This does require that the firmware be able to find the header;
 for now we have it hard coded.
 
-
-mbedtls vs OpenSSL
+Signing with BSD Signify
 ---
-mbedtls is a significantly smaller and more modular library than
-OpenSSL's libcrypto (380KB vs 2.3MB).  It is not API compatible,
-so applications must be written to use it.
+`signify` is the BSD answer to gpg and openssl in order to sign and verify
+packages. We make use of signify because less space is left firmware image and
+signify is only around 350kb big therefore it's perfect for us. You can download
+signify from this [repository](https://github.com/aperezdc/signify).
+In order to create a curve25519 keypair for an eddsa operation execute:
 
-One the build host side we can make use of openssl's tools, but in
-the firmware we are limited to the smaller library.  They are mostly
-compatible, although the tools are quite different.
+    signify -G -c "roothash key" -p initrd/root.pub -s /path/to/home/root.sec
 
-Generate the private/public key pair (and copy the public key to
-the initrd):
+You will be asked to enter a password and a new keypair is generated.
+The signing command works as followed:
 
-	openssl genrsa -aes256 -out signing.key
-	openssl rsa -pubout -in signing.key -out signing.pub
-
-Sign something (requires password and private key):
-
-	openssl pkeyutl \
-		-sign \
-		-inkey signing.key \
-		-in roothash \
-		-out roothash.sig
-
-Verify it (requires public key, no password):
-
-	openssl pkeyutl \
-		-verify \
-		-pubin
-		-inkey signing.pub \
-		-sigfile roothash.sig \
-		-in roothash
-
-but this doesn't work with pk_verify from mbedtls.  more work is necessary.
-
-
-Signing with GPG
----
-`gpgv` is a stripped down version of GPG that can be used to verify
-signatures without extraneous libraries.  This works well with the
-Free Software workflow that we want to use.
-
-	gpg --clearsign roothash
+    signify -S -s /path/to/root.sec -m roothash
 
 The `roothash` and `roothash.sig` files can be embedded into the
 HDD image and then extracted at firmware boot time:
 
-	gpgv --keyring /trustedkeys.gpg roothash.sig roothash \
-	|| echo "FAILED"
+    signify -V -p /root.pub -x roothash.sig -m roothash \
+    || echo "FAILED"
 
 The `mount-boot` script is a start at doing this automatically.
 There needs to be an empty block at the end of the partition

initrd/bin/start-xen

@@ -8,13 +8,13 @@ INITRD=/boot/initramfs-4.4.14-11.pvops.qubes.x86_64.img
 KERNEL=/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64
 
 echo "+++ Checking $XEN"
-gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed"
+signify -V -p /root.pub -x "${XEN}.asc" -m "${XEN}" || die "Xen signature failed"
 
 echo "+++ Checking $INITRD"
-gpgv "${INITRD}.asc" "${INITRD}" || die "Initrd signature failed"
+signify -V -p /root.pub -x "${INITRD}.asc" -m "${INITRD}" || die "Initrd signature failed"
 
 echo "+++ Checking $KERNEL"
-gpgv "${KERNEL}.asc" "${KERNEL}" || die "Kernel signature failed"
+signify -V -p /root.pub -x "${KERNEL}.asc" -m "${KERNEL}" || die "Kernel signature failed"
 
 # should also check xen command line arguments!
 # should also check kernel command line arguments!

initrd/mount-boot

@@ -47,7 +47,7 @@ fi
 #
 # Validate the file
 #
-if ! gpgv --keyring /trustedkeys.gpg "$cmd_sig"; then
+if signify -Ve -p /root.pub -x "$cmd_sig"; then
 	echo >&2 '!!!!!'
 	echo >&2 '!!!!! GPG signature on block failed'
 	echo >&2 '!!!!! Dropping to recovery shell'
@@ -56,11 +56,10 @@ if ! gpgv --keyring /trustedkeys.gpg "$cmd_sig"; then
 fi
 
 #
-# Strip the PGP signature off the file
-# (too bad gpgv doesn't do this)
+# Strip the comment of the signature.
 #
 awk < "$cmd_sig" > "$cmd" '
-	/BEGIN PGP SIGNATURE/ { exit };
+	/untrusted comment/ { exit };
 	do_print {print};
 	/^$/ { do_print=1 };
 '

initrd/root.pub

@@ -0,0 +1,2 @@
+untrusted comment: Verity Roothash Key public key
+RWRDValaAAv4TpCKnACeZ/6xr8bWGYkdiAzIMicZA1tTmBUxQx81fSpp

modules/signify

@@ -0,0 +1,11 @@
+modules += signify
+
+signify_version := 20
+signify_dir := signify-$(signify_version)
+signify_tar := signify-v$(signify_version).tar.gz
+signify_url := https://github.com/aperezdc/signify/archive/v$(signify_version).tar.gz
+signify_hash := 99dc0f4a3c2a80c854f45410ee4832b0c7fb537ed3bbc0cc4f5435b9d614be22
+
+signify_output := signify
+signify_configure :=
+#signify_target := MUSL=1

test-data/root.sec

@@ -0,0 +1,2 @@
+untrusted comment: Verity Roothash Key secret key
+RWRCSwAAAADhjp1d5CgqmMUm1UiuQSuyHxJy6iwa76JDValaAAv4Th8OEwAvxejUqGCtKW8ZdNTNeUqcDQV9Hkl+BGxgAfjVkIqcAJ5n/rGvxtYZiR2IDMgyJxkDW1OYFTFDHzV9Kmk=

verity-sign

@@ -27,9 +27,9 @@ veritysetup \
 	--data-blocks $[$size*1024*1024/4096] \
 	format hdd.img hdd.img \
 | ./verity-sign /dev/sda1 \
-| gpg --clearsign \
-| tee hdd.table
-
+| tee hdd.table.tmp
+signify -Se -s root.sec -m hdd.table.tmp -x hdd.table
+rm hdd.table.tmp
 
 use warnings;
 use strict;