ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-20 21:43:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Replace gnupg with signify

Browse Source 
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
This commit is contained in:
Philipp Deppenwiese 2016-11-30 03:30:51 +01:00
parent ba01c24f46
commit 30cc83e1be
No known key found for this signature in database
GPG Key ID: 3FBAF0E7D81427AB
9 changed files with 43 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Makefile
View File

@ -143,10 +143,12 @@ endef
$(foreach _, $(call bins,kexec), $(eval $(call initrd_bin_add,$_))) $(foreach _, $(call bins,kexec), $(eval $(call initrd_bin_add,$_)))
$(foreach _, $(call bins,tpmtotp), $(eval $(call initrd_bin_add,$_))) $(foreach _, $(call bins,tpmtotp), $(eval $(call initrd_bin_add,$_)))
$(foreach _, $(call bins,signify), $(eval $(call initrd_bin_add,$_)))
$(foreach _, $(call libs,tpmtotp), $(eval $(call initrd_lib_add,$_))) $(foreach _, $(call libs,tpmtotp), $(eval $(call initrd_lib_add,$_)))
$(foreach _, $(call libs,mbedtls), $(eval $(call initrd_lib_add,$_))) $(foreach _, $(call libs,mbedtls), $(eval $(call initrd_lib_add,$_)))
$(foreach _, $(call libs,qrencode), $(eval $(call initrd_lib_add,$_))) $(foreach _, $(call libs,qrencode), $(eval $(call initrd_lib_add,$_)))
$(foreach _, $(call libs,signify), $(eval $(call initrd_lib_add,$_)))
#$(foreach _, $(call outputs,xen), $(eval $(call initrd_bin,$_))) #$(foreach _, $(call outputs,xen), $(eval $(call initrd_bin,$_)))
@ -169,17 +171,15 @@ $(build)/$(coreboot_dir)/util/cbmem/cbmem: $(build)/$(coreboot_dir)/.canary
make -C "$(dir $@)" make -C "$(dir $@)"
# Mounting dm-verity file systems requires dm-verity to be installed # Mounting dm-verity file systems requires dm-verity to be installed
# We use gpgv to verify the signature on the root hash. # We use signify to verify the signature on the root hash.
# Both of these should be brought in as modules instead of from /sbin # Both of these should be brought in as modules instead of from /sbin
#initrd_bins += initrd/bin/cryptsetup #initrd_bins += initrd/bin/cryptsetup
initrd/bin/cryptsetup: /sbin/cryptsetup initrd/bin/cryptsetup: /sbin/cryptsetup
cp "$<" "$@" cp "$<" "$@"
initrd_bins += initrd/bin/dmsetup initrd_bins += initrd/bin/dmsetup
initrd/bin/dmsetup: /sbin/dmsetup initrd/bin/dmsetup: /sbin/dmsetup
cp "$<" "$@" cp "$<" "$@"
initrd_bins += initrd/bin/gpgv
initrd/bin/gpgv: /usr/bin/gpgv
cp "$<" "$@"
# Update all of the libraries in the initrd based on the executables # Update all of the libraries in the initrd based on the executables
# that were installed. # that were installed.

54
README.md
View File

@ -176,56 +176,26 @@ header so that the firmware can validate the image before mounting it.
This does require that the firmware be able to find the header; This does require that the firmware be able to find the header;
for now we have it hard coded. for now we have it hard coded.
Signing with BSD Signify
mbedtls vs OpenSSL
--- ---
mbedtls is a significantly smaller and more modular library than `signify` is the BSD answer to gpg and openssl in order to sign and verify
OpenSSL's libcrypto (380KB vs 2.3MB). It is not API compatible, packages. We make use of signify because less space is left firmware image and
so applications must be written to use it. signify is only around 350kb big therefore it's perfect for us. You can download
signify from this [repository](https://github.com/aperezdc/signify).
In order to create a curve25519 keypair for an eddsa operation execute:
One the build host side we can make use of openssl's tools, but in signify -G -c "roothash key" -p initrd/root.pub -s /path/to/home/root.sec
the firmware we are limited to the smaller library. They are mostly
compatible, although the tools are quite different.
Generate the private/public key pair (and copy the public key to You will be asked to enter a password and a new keypair is generated.
the initrd): The signing command works as followed:
openssl genrsa -aes256 -out signing.key signify -S -s /path/to/root.sec -m roothash
openssl rsa -pubout -in signing.key -out signing.pub
Sign something (requires password and private key):
openssl pkeyutl \
-sign \
-inkey signing.key \
-in roothash \
-out roothash.sig
Verify it (requires public key, no password):
openssl pkeyutl \
-verify \
-pubin
-inkey signing.pub \
-sigfile roothash.sig \
-in roothash
but this doesn't work with pk_verify from mbedtls. more work is necessary.
Signing with GPG
---
`gpgv` is a stripped down version of GPG that can be used to verify
signatures without extraneous libraries. This works well with the
Free Software workflow that we want to use.
gpg --clearsign roothash
The `roothash` and `roothash.sig` files can be embedded into the The `roothash` and `roothash.sig` files can be embedded into the
HDD image and then extracted at firmware boot time: HDD image and then extracted at firmware boot time:
gpgv --keyring /trustedkeys.gpg roothash.sig roothash \ signify -V -p /root.pub -x roothash.sig -m roothash \
|| echo "FAILED" || echo "FAILED"
The `mount-boot` script is a start at doing this automatically. The `mount-boot` script is a start at doing this automatically.
There needs to be an empty block at the end of the partition There needs to be an empty block at the end of the partition

BIN
initrd/.gnupg/trustedkeys.gpg
View File

Binary file not shown.

6
initrd/bin/start-xen
View File

@ -8,13 +8,13 @@ INITRD=/boot/initramfs-4.4.14-11.pvops.qubes.x86_64.img
KERNEL=/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64 KERNEL=/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64
echo "+++ Checking $XEN" echo "+++ Checking $XEN"
gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed" signify -V -p /root.pub -x "${XEN}.asc" -m "${XEN}" || die "Xen signature failed"
echo "+++ Checking $INITRD" echo "+++ Checking $INITRD"
gpgv "${INITRD}.asc" "${INITRD}" || die "Initrd signature failed" signify -V -p /root.pub -x "${INITRD}.asc" -m "${INITRD}" || die "Initrd signature failed"
echo "+++ Checking $KERNEL" echo "+++ Checking $KERNEL"
gpgv "${KERNEL}.asc" "${KERNEL}" || die "Kernel signature failed" signify -V -p /root.pub -x "${KERNEL}.asc" -m "${KERNEL}" || die "Kernel signature failed"
# should also check xen command line arguments! # should also check xen command line arguments!
# should also check kernel command line arguments! # should also check kernel command line arguments!

7
initrd/mount-boot
View File

@ -47,7 +47,7 @@ fi
# #
# Validate the file # Validate the file
# #
if ! gpgv --keyring /trustedkeys.gpg "$cmd_sig"; then if signify -Ve -p /root.pub -x "$cmd_sig"; then
echo >&2 '!!!!!' echo >&2 '!!!!!'
echo >&2 '!!!!! GPG signature on block failed' echo >&2 '!!!!! GPG signature on block failed'
echo >&2 '!!!!! Dropping to recovery shell' echo >&2 '!!!!! Dropping to recovery shell'
@ -56,11 +56,10 @@ if ! gpgv --keyring /trustedkeys.gpg "$cmd_sig"; then
fi fi
# #
# Strip the PGP signature off the file # Strip the comment of the signature.
# (too bad gpgv doesn't do this)
# #
awk < "$cmd_sig" > "$cmd" ' awk < "$cmd_sig" > "$cmd" '
/BEGIN PGP SIGNATURE/ { exit }; /untrusted comment/ { exit };
do_print {print}; do_print {print};
/^$/ { do_print=1 }; /^$/ { do_print=1 };
' '

2
initrd/root.pub Normal file
View File

@ -0,0 +1,2 @@
untrusted comment: Verity Roothash Key public key
RWRDValaAAv4TpCKnACeZ/6xr8bWGYkdiAzIMicZA1tTmBUxQx81fSpp

11
modules/signify Normal file
View File

@ -0,0 +1,11 @@
modules += signify
signify_version := 20
signify_dir := signify-$(signify_version)
signify_tar := signify-v$(signify_version).tar.gz
signify_url := https://github.com/aperezdc/signify/archive/v$(signify_version).tar.gz
signify_hash := 99dc0f4a3c2a80c854f45410ee4832b0c7fb537ed3bbc0cc4f5435b9d614be22
signify_output := signify
signify_configure :=
#signify_target := MUSL=1

2
test-data/root.sec Normal file
View File

@ -0,0 +1,2 @@
untrusted comment: Verity Roothash Key secret key
RWRCSwAAAADhjp1d5CgqmMUm1UiuQSuyHxJy6iwa76JDValaAAv4Th8OEwAvxejUqGCtKW8ZdNTNeUqcDQV9Hkl+BGxgAfjVkIqcAJ5n/rGvxtYZiR2IDMgyJxkDW1OYFTFDHzV9Kmk=

6
verity-sign
View File

@ -27,9 +27,9 @@ veritysetup \
--data-blocks $[$size*1024*1024/4096] \ --data-blocks $[$size*1024*1024/4096] \
format hdd.img hdd.img \ format hdd.img hdd.img \
| ./verity-sign /dev/sda1 \ | ./verity-sign /dev/sda1 \
| gpg --clearsign \ | tee hdd.table.tmp
| tee hdd.table signify -Se -s root.sec -m hdd.table.tmp -x hdd.table
rm hdd.table.tmp
use warnings; use warnings;
use strict; use strict;