Replace gnupg with signify

Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
This commit is contained in:
Philipp Deppenwiese 2016-11-30 03:30:51 +01:00
parent ba01c24f46
commit 30cc83e1be
No known key found for this signature in database
GPG Key ID: 3FBAF0E7D81427AB
9 changed files with 43 additions and 59 deletions

View File

@ -143,10 +143,12 @@ endef
$(foreach _, $(call bins,kexec), $(eval $(call initrd_bin_add,$_)))
$(foreach _, $(call bins,tpmtotp), $(eval $(call initrd_bin_add,$_)))
$(foreach _, $(call bins,signify), $(eval $(call initrd_bin_add,$_)))
$(foreach _, $(call libs,tpmtotp), $(eval $(call initrd_lib_add,$_)))
$(foreach _, $(call libs,mbedtls), $(eval $(call initrd_lib_add,$_)))
$(foreach _, $(call libs,qrencode), $(eval $(call initrd_lib_add,$_)))
$(foreach _, $(call libs,signify), $(eval $(call initrd_lib_add,$_)))
#$(foreach _, $(call outputs,xen), $(eval $(call initrd_bin,$_)))
@ -169,17 +171,15 @@ $(build)/$(coreboot_dir)/util/cbmem/cbmem: $(build)/$(coreboot_dir)/.canary
make -C "$(dir $@)"
# Mounting dm-verity file systems requires dm-verity to be installed
# We use gpgv to verify the signature on the root hash.
# We use signify to verify the signature on the root hash.
# Both of these should be brought in as modules instead of from /sbin
#initrd_bins += initrd/bin/cryptsetup
initrd/bin/cryptsetup: /sbin/cryptsetup
cp "$<" "$@"
initrd_bins += initrd/bin/dmsetup
initrd/bin/dmsetup: /sbin/dmsetup
cp "$<" "$@"
initrd_bins += initrd/bin/gpgv
initrd/bin/gpgv: /usr/bin/gpgv
cp "$<" "$@"
# Update all of the libraries in the initrd based on the executables
# that were installed.

View File

@ -176,55 +176,25 @@ header so that the firmware can validate the image before mounting it.
This does require that the firmware be able to find the header;
for now we have it hard coded.
mbedtls vs OpenSSL
Signing with BSD Signify
---
mbedtls is a significantly smaller and more modular library than
OpenSSL's libcrypto (380KB vs 2.3MB). It is not API compatible,
so applications must be written to use it.
`signify` is the BSD answer to gpg and openssl in order to sign and verify
packages. We make use of signify because less space is left firmware image and
signify is only around 350kb big therefore it's perfect for us. You can download
signify from this [repository](https://github.com/aperezdc/signify).
In order to create a curve25519 keypair for an eddsa operation execute:
One the build host side we can make use of openssl's tools, but in
the firmware we are limited to the smaller library. They are mostly
compatible, although the tools are quite different.
signify -G -c "roothash key" -p initrd/root.pub -s /path/to/home/root.sec
Generate the private/public key pair (and copy the public key to
the initrd):
You will be asked to enter a password and a new keypair is generated.
The signing command works as followed:
openssl genrsa -aes256 -out signing.key
openssl rsa -pubout -in signing.key -out signing.pub
Sign something (requires password and private key):
openssl pkeyutl \
-sign \
-inkey signing.key \
-in roothash \
-out roothash.sig
Verify it (requires public key, no password):
openssl pkeyutl \
-verify \
-pubin
-inkey signing.pub \
-sigfile roothash.sig \
-in roothash
but this doesn't work with pk_verify from mbedtls. more work is necessary.
Signing with GPG
---
`gpgv` is a stripped down version of GPG that can be used to verify
signatures without extraneous libraries. This works well with the
Free Software workflow that we want to use.
gpg --clearsign roothash
signify -S -s /path/to/root.sec -m roothash
The `roothash` and `roothash.sig` files can be embedded into the
HDD image and then extracted at firmware boot time:
gpgv --keyring /trustedkeys.gpg roothash.sig roothash \
signify -V -p /root.pub -x roothash.sig -m roothash \
|| echo "FAILED"
The `mount-boot` script is a start at doing this automatically.

Binary file not shown.

View File

@ -8,13 +8,13 @@ INITRD=/boot/initramfs-4.4.14-11.pvops.qubes.x86_64.img
KERNEL=/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64
echo "+++ Checking $XEN"
gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed"
signify -V -p /root.pub -x "${XEN}.asc" -m "${XEN}" || die "Xen signature failed"
echo "+++ Checking $INITRD"
gpgv "${INITRD}.asc" "${INITRD}" || die "Initrd signature failed"
signify -V -p /root.pub -x "${INITRD}.asc" -m "${INITRD}" || die "Initrd signature failed"
echo "+++ Checking $KERNEL"
gpgv "${KERNEL}.asc" "${KERNEL}" || die "Kernel signature failed"
signify -V -p /root.pub -x "${KERNEL}.asc" -m "${KERNEL}" || die "Kernel signature failed"
# should also check xen command line arguments!
# should also check kernel command line arguments!

View File

@ -47,7 +47,7 @@ fi
#
# Validate the file
#
if ! gpgv --keyring /trustedkeys.gpg "$cmd_sig"; then
if signify -Ve -p /root.pub -x "$cmd_sig"; then
echo >&2 '!!!!!'
echo >&2 '!!!!! GPG signature on block failed'
echo >&2 '!!!!! Dropping to recovery shell'
@ -56,11 +56,10 @@ if ! gpgv --keyring /trustedkeys.gpg "$cmd_sig"; then
fi
#
# Strip the PGP signature off the file
# (too bad gpgv doesn't do this)
# Strip the comment of the signature.
#
awk < "$cmd_sig" > "$cmd" '
/BEGIN PGP SIGNATURE/ { exit };
/untrusted comment/ { exit };
do_print {print};
/^$/ { do_print=1 };
'

2
initrd/root.pub Normal file
View File

@ -0,0 +1,2 @@
untrusted comment: Verity Roothash Key public key
RWRDValaAAv4TpCKnACeZ/6xr8bWGYkdiAzIMicZA1tTmBUxQx81fSpp

11
modules/signify Normal file
View File

@ -0,0 +1,11 @@
modules += signify
signify_version := 20
signify_dir := signify-$(signify_version)
signify_tar := signify-v$(signify_version).tar.gz
signify_url := https://github.com/aperezdc/signify/archive/v$(signify_version).tar.gz
signify_hash := 99dc0f4a3c2a80c854f45410ee4832b0c7fb537ed3bbc0cc4f5435b9d614be22
signify_output := signify
signify_configure :=
#signify_target := MUSL=1

2
test-data/root.sec Normal file
View File

@ -0,0 +1,2 @@
untrusted comment: Verity Roothash Key secret key
RWRCSwAAAADhjp1d5CgqmMUm1UiuQSuyHxJy6iwa76JDValaAAv4Th8OEwAvxejUqGCtKW8ZdNTNeUqcDQV9Hkl+BGxgAfjVkIqcAJ5n/rGvxtYZiR2IDMgyJxkDW1OYFTFDHzV9Kmk=

View File

@ -27,9 +27,9 @@ veritysetup \
--data-blocks $[$size*1024*1024/4096] \
format hdd.img hdd.img \
| ./verity-sign /dev/sda1 \
| gpg --clearsign \
| tee hdd.table
| tee hdd.table.tmp
signify -Se -s root.sec -m hdd.table.tmp -x hdd.table
rm hdd.table.tmp
use warnings;
use strict;