Replace gnupg with signify
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
parent
ba01c24f46
commit
30cc83e1be
8
Makefile
8
Makefile
@ -143,10 +143,12 @@ endef
|
||||
|
||||
$(foreach _, $(call bins,kexec), $(eval $(call initrd_bin_add,$_)))
|
||||
$(foreach _, $(call bins,tpmtotp), $(eval $(call initrd_bin_add,$_)))
|
||||
$(foreach _, $(call bins,signify), $(eval $(call initrd_bin_add,$_)))
|
||||
|
||||
$(foreach _, $(call libs,tpmtotp), $(eval $(call initrd_lib_add,$_)))
|
||||
$(foreach _, $(call libs,mbedtls), $(eval $(call initrd_lib_add,$_)))
|
||||
$(foreach _, $(call libs,qrencode), $(eval $(call initrd_lib_add,$_)))
|
||||
$(foreach _, $(call libs,signify), $(eval $(call initrd_lib_add,$_)))
|
||||
|
||||
#$(foreach _, $(call outputs,xen), $(eval $(call initrd_bin,$_)))
|
||||
|
||||
@ -169,17 +171,15 @@ $(build)/$(coreboot_dir)/util/cbmem/cbmem: $(build)/$(coreboot_dir)/.canary
|
||||
make -C "$(dir $@)"
|
||||
|
||||
# Mounting dm-verity file systems requires dm-verity to be installed
|
||||
# We use gpgv to verify the signature on the root hash.
|
||||
# We use signify to verify the signature on the root hash.
|
||||
# Both of these should be brought in as modules instead of from /sbin
|
||||
#initrd_bins += initrd/bin/cryptsetup
|
||||
initrd/bin/cryptsetup: /sbin/cryptsetup
|
||||
cp "$<" "$@"
|
||||
|
||||
initrd_bins += initrd/bin/dmsetup
|
||||
initrd/bin/dmsetup: /sbin/dmsetup
|
||||
cp "$<" "$@"
|
||||
initrd_bins += initrd/bin/gpgv
|
||||
initrd/bin/gpgv: /usr/bin/gpgv
|
||||
cp "$<" "$@"
|
||||
|
||||
# Update all of the libraries in the initrd based on the executables
|
||||
# that were installed.
|
||||
|
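Review bot: The comment `# Both of these should be brought in as modules instead of from /sbin` no longer matches the rules under it: on the new side signify is built from `modules/signify` and added through `initrd_bin_add` in the first hunk, and the `initrd/bin/gpgv` copy rule reads as the removed side (the 8-line diffstat admits no other reading), so only cryptsetup and dmsetup are still copied from the host. Suggest `# cryptsetup and dmsetup should be brought in as modules instead of from /sbin`. The line `# We use signify to verify the signature on the root hash.` would also serve a reader better if it named what it trusts, e.g. `# We use signify with the single public key shipped as /root.pub in the initrd to verify the signature on the root hash.`, since the scripts pass exactly one `-p /root.pub` and that file is the entire trust anchor.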
52
README.md
52
README.md
@ -176,55 +176,25 @@ header so that the firmware can validate the image before mounting it.
|
||||
This does require that the firmware be able to find the header;
|
||||
for now we have it hard coded.
|
||||
|
||||
|
||||
mbedtls vs OpenSSL
|
||||
Signing with BSD Signify
|
||||
---
|
||||
mbedtls is a significantly smaller and more modular library than
|
||||
OpenSSL's libcrypto (380KB vs 2.3MB). It is not API compatible,
|
||||
so applications must be written to use it.
|
||||
`signify` is the BSD answer to gpg and openssl in order to sign and verify
|
||||
packages. We make use of signify because less space is left firmware image and
|
||||
signify is only around 350kb big therefore it's perfect for us. You can download
|
||||
signify from this [repository](https://github.com/aperezdc/signify).
|
||||
In order to create a curve25519 keypair for an eddsa operation execute:
|
||||
|
||||
One the build host side we can make use of openssl's tools, but in
|
||||
the firmware we are limited to the smaller library. They are mostly
|
||||
compatible, although the tools are quite different.
|
||||
signify -G -c "roothash key" -p initrd/root.pub -s /path/to/home/root.sec
|
||||
|
||||
Generate the private/public key pair (and copy the public key to
|
||||
the initrd):
|
||||
You will be asked to enter a password and a new keypair is generated.
|
||||
The signing command works as followed:
|
||||
|
||||
openssl genrsa -aes256 -out signing.key
|
||||
openssl rsa -pubout -in signing.key -out signing.pub
|
||||
|
||||
Sign something (requires password and private key):
|
||||
|
||||
openssl pkeyutl \
|
||||
-sign \
|
||||
-inkey signing.key \
|
||||
-in roothash \
|
||||
-out roothash.sig
|
||||
|
||||
Verify it (requires public key, no password):
|
||||
|
||||
openssl pkeyutl \
|
||||
-verify \
|
||||
-pubin
|
||||
-inkey signing.pub \
|
||||
-sigfile roothash.sig \
|
||||
-in roothash
|
||||
|
||||
but this doesn't work with pk_verify from mbedtls. more work is necessary.
|
||||
|
||||
|
||||
Signing with GPG
|
||||
---
|
||||
`gpgv` is a stripped down version of GPG that can be used to verify
|
||||
signatures without extraneous libraries. This works well with the
|
||||
Free Software workflow that we want to use.
|
||||
|
||||
gpg --clearsign roothash
|
||||
signify -S -s /path/to/root.sec -m roothash
|
||||
|
||||
The `roothash` and `roothash.sig` files can be embedded into the
|
||||
HDD image and then extracted at firmware boot time:
|
||||
|
||||
gpgv --keyring /trustedkeys.gpg roothash.sig roothash \
|
||||
signify -V -p /root.pub -x roothash.sig -m roothash \
|
||||
|| echo "FAILED"
|
||||
|
||||
The `mount-boot` script is a start at doing this automatically.
|
||||
|
Binary file not shown.
@ -8,13 +8,13 @@ INITRD=/boot/initramfs-4.4.14-11.pvops.qubes.x86_64.img
|
||||
KERNEL=/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64
|
||||
|
||||
echo "+++ Checking $XEN"
|
||||
gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed"
|
||||
signify -V -p /root.pub -x "${XEN}.asc" -m "${XEN}" || die "Xen signature failed"
|
||||
|
||||
echo "+++ Checking $INITRD"
|
||||
gpgv "${INITRD}.asc" "${INITRD}" || die "Initrd signature failed"
|
||||
signify -V -p /root.pub -x "${INITRD}.asc" -m "${INITRD}" || die "Initrd signature failed"
|
||||
|
||||
echo "+++ Checking $KERNEL"
|
||||
gpgv "${KERNEL}.asc" "${KERNEL}" || die "Kernel signature failed"
|
||||
signify -V -p /root.pub -x "${KERNEL}.asc" -m "${KERNEL}" || die "Kernel signature failed"
|
||||
|
||||
# should also check xen command line arguments!
|
||||
# should also check kernel command line arguments!
|
||||
|
@ -47,7 +47,7 @@ fi
|
||||
#
|
||||
# Validate the file
|
||||
#
|
||||
if ! gpgv --keyring /trustedkeys.gpg "$cmd_sig"; then
|
||||
if signify -Ve -p /root.pub -x "$cmd_sig"; then
|
||||
echo >&2 '!!!!!'
|
||||
echo >&2 '!!!!! GPG signature on block failed'
|
||||
echo >&2 '!!!!! Dropping to recovery shell'
|
||||
@ -56,11 +56,10 @@ if ! gpgv --keyring /trustedkeys.gpg "$cmd_sig"; then
|
||||
fi
|
||||
|
||||
#
|
||||
# Strip the PGP signature off the file
|
||||
# (too bad gpgv doesn't do this)
|
||||
# Strip the comment of the signature.
|
||||
#
|
||||
awk < "$cmd_sig" > "$cmd" '
|
||||
/BEGIN PGP SIGNATURE/ { exit };
|
||||
/untrusted comment/ { exit };
|
||||
do_print {print};
|
||||
/^$/ { do_print=1 };
|
||||
'
|
||||
|
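Review bot: The leading `!` was dropped when `if ! gpgv --keyring /trustedkeys.gpg "$cmd_sig"; then` became `if signify -Ve -p /root.pub -x "$cmd_sig"; then` in the first hunk, so the recovery-shell branch now fires when verification succeeds and the script carries on when it fails; `signify -V` also expects `-m` (with `-e`, the file the verified message is written to), so as written the command most likely exits non-zero with a usage error on every block and the branch is never taken at all. Restore the negation and let signify do the extraction: `if ! signify -Ve -p /root.pub -x "$cmd_sig" -m "$cmd"; then`. With that, the awk strip in the second hunk is unnecessary and would not work anyway: an embedded signify signature starts with the `untrusted comment:` line, so `/untrusted comment/ { exit }` fires before `do_print` is ever set and `$cmd` comes out empty. The message `!!!!! GPG signature on block failed` should also say signify now. The enclosing script continues outside these hunks.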
2
initrd/root.pub
Normal file
2
initrd/root.pub
Normal file
@ -0,0 +1,2 @@
|
||||
untrusted comment: Verity Roothash Key public key
|
||||
RWRDValaAAv4TpCKnACeZ/6xr8bWGYkdiAzIMicZA1tTmBUxQx81fSpp
|
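Review bot: This public key becomes the only trust anchor the initrd checks the root hash, kernel, initrd and Xen against (`signify -V -p /root.pub ...` in the script hunks above), and its 8-byte key identifier following the `Ed` prefix appears to be the same one encoded in the secret key added under `test-data/root.sec` in this commit — if so, anyone with the repository can produce signatures the shipped initrd accepts. If this is intended as a throwaway development key, that should be visible where it is used: a build-time variable that must be overridden, or at minimum a comment in the Makefile and README stating that `initrd/root.pub` is a test key to be replaced before a firmware image is produced. The comment line itself is not covered by any signature, so making it say so costs nothing, e.g. `untrusted comment: TEST ONLY Verity Roothash Key public key - regenerate before building a real image`.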
11
modules/signify
Normal file
11
modules/signify
Normal file
@ -0,0 +1,11 @@
|
||||
modules += signify
|
||||
|
||||
signify_version := 20
|
||||
signify_dir := signify-$(signify_version)
|
||||
signify_tar := signify-v$(signify_version).tar.gz
|
||||
signify_url := https://github.com/aperezdc/signify/archive/v$(signify_version).tar.gz
|
||||
signify_hash := 99dc0f4a3c2a80c854f45410ee4832b0c7fb537ed3bbc0cc4f5435b9d614be22
|
||||
|
||||
signify_output := signify
|
||||
signify_configure :=
|
||||
#signify_target := MUSL=1
|
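Review bot: `signify_url` points at a GitHub auto-generated archive (`.../archive/v20.tar.gz`) while `signify_hash` pins its sha256; such archives are produced on the fly and are not guaranteed to stay byte-identical, so the pin can start failing without any upstream change, and if the reaction is then to relax or bump the hash the supply-chain check quietly loses its value. An uploaded release asset or a fetch by commit id, with the hash kept, is the safer pin. `#signify_target := MUSL=1` is left commented and `signify_configure` is empty, so this file does not say which toolchain and libc the binary copied into the initrd is built against; if `MUSL=1` is what selects the initrd's cross compiler it should be enabled, otherwise the reason for leaving it off belongs in a comment, e.g. `# MUSL=1 left off because: <reason>`.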
2
test-data/root.sec
Normal file
2
test-data/root.sec
Normal file
@ -0,0 +1,2 @@
|
||||
untrusted comment: Verity Roothash Key secret key
|
||||
RWRCSwAAAADhjp1d5CgqmMUm1UiuQSuyHxJy6iwa76JDValaAAv4Th8OEwAvxejUqGCtKW8ZdNTNeUqcDQV9Hkl+BGxgAfjVkIqcAJ5n/rGvxtYZiR2IDMgyJxkDW1OYFTFDHzV9Kmk=
|
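Review bot: `test-data/root.sec` commits signify private key material to the repository; even as a test key this is a problem because the README examples (`-s /path/to/root.sec`) and the sample pipeline (`signify -Se -s root.sec ...`) use the same file name, making it easy to sign a real image with a key whose secret half is public, and because nothing in this commit prevents its public half from being the one shipped in `initrd/root.pub`. Generating the pair inside the test harness (`signify -G -n -p ... -s ...`) and ignoring `*.sec` in the repository would avoid committing secrets at all. If it must stay, the comment line should make its status unmistakable, e.g. `untrusted comment: TEST ONLY Verity Roothash Key secret key - never use for real images`, and the key should be treated as permanently disclosed since it will remain in git history.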
@ -27,9 +27,9 @@ veritysetup \
|
||||
--data-blocks $[$size*1024*1024/4096] \
|
||||
format hdd.img hdd.img \
|
||||
| ./verity-sign /dev/sda1 \
|
||||
| gpg --clearsign \
|
||||
| tee hdd.table
|
||||
|
||||
| tee hdd.table.tmp
|
||||
signify -Se -s root.sec -m hdd.table.tmp -x hdd.table
|
||||
rm hdd.table.tmp
|
||||
|
||||
use warnings;
|
||||
use strict;
|
||||
|
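Review bot: The sample pipeline now ends with `signify -Se -s root.sec -m hdd.table.tmp -x hdd.table` followed by an unconditional `rm hdd.table.tmp`, so a failed signing step (missing or wrong `root.sec`, bad passphrase) deletes the only copy of the table and leaves a stale or absent `hdd.table` behind unless the caller runs under `set -e`, which is not visible here; chaining the cleanup on success, `signify -Se -s root.sec -m hdd.table.tmp -x hdd.table && rm hdd.table.tmp`, keeps the input for a retry. Because `-e` produces an embedded signature, `hdd.table` now begins with an `untrusted comment:` line and a signature line before the table itself, so any consumer must extract it with `signify -Ve ... -m out` rather than reading the file as the table; that is worth stating next to the example. `root.sec` is also the name of the key committed under `test-data/`, so the example should point at a real key path as the README does (`/path/to/root.sec`). The surrounding file (a Perl script, judging by the `use strict` that follows) continues outside this hunk.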