raito/lanzaboote
0
0
Fork 0
Code Issues 45 Pull requests 6 Projects Releases 6 Packages Wiki Activity Actions

WIP: feat: signature via remote server #228

Closed
RaitoBezarius wants to merge 14 commits from signing-client into master
pull from: signing-client
merge into: raito:master
Conversation 5 Commits 14 Files changed 22 +1648 -320
RaitoBezarius commented 2023-09-26 14:19:46 +00:00 (Migrated from github.com)
Copy link

This PR is composed of ~four changes:

  • generalization of signature schemes in the tool
  • generalization of how to assemble stubs in the shared library
  • a remote signature server that sends you signed stub in exchange for signature requests
  • an implementation inside lzbt-systemd of remote signing

This enables moving the local signature to another server… or even maybe a hardware security token!

In the future, the server can ask for attestations or any kind of things to give the signed stub.

This PR is composed of ~four changes: - generalization of signature schemes in the tool - generalization of how to assemble stubs in the shared library - a remote signature server that sends you signed stub in exchange for signature requests - an implementation inside lzbt-systemd of remote signing This enables moving the local signature to another server… or even maybe a hardware security token! In the future, the server can ask for attestations or any kind of things to give the signed stub.
cole-h (Migrated from github.com) reviewed 2023-10-01 00:52:44 +00:00
rust/tool/server/README.md
@ -0,0 +26,4 @@
- `POST /sign-stub`: assembles a signed stub based on the stub parameters sent, 200 OK with a signed binary as body, 400 with a plaintext error if failed.
- `POST /sign-store-path`: assembles a signed binary based on the store path sent, 200 OK with a signed binary as body, 400 with a plaintext error if failed.
- `GET /verify`: verify that the binary sent is signed according to the current keyring, returns a JSON `{ signed: bool, valid_according_to_secureboot_policy: bool }`, a signed binary can be invalid for the current Secure Boot policy, the two attributes represents this fact.
cole-h (Migrated from github.com) commented 2023-10-01 00:52:32 +00:00
Copy link
- `POST /verify`: verify that the binary sent is signed according to the current keyring, returns a JSON `{ signed: bool, valid_according_to_secureboot_policy: bool }`, a signed binary can be invalid for the current Secure Boot policy, the two attributes represents this fact.
```suggestion - `POST /verify`: verify that the binary sent is signed according to the current keyring, returns a JSON `{ signed: bool, valid_according_to_secureboot_policy: bool }`, a signed binary can be invalid for the current Secure Boot policy, the two attributes represents this fact. ```
RaitoBezarius (Migrated from github.com) reviewed 2023-10-01 00:58:00 +00:00
rust/tool/server/README.md
@ -0,0 +26,4 @@
- `POST /sign-stub`: assembles a signed stub based on the stub parameters sent, 200 OK with a signed binary as body, 400 with a plaintext error if failed.
- `POST /sign-store-path`: assembles a signed binary based on the store path sent, 200 OK with a signed binary as body, 400 with a plaintext error if failed.
- `GET /verify`: verify that the binary sent is signed according to the current keyring, returns a JSON `{ signed: bool, valid_according_to_secureboot_policy: bool }`, a signed binary can be invalid for the current Secure Boot policy, the two attributes represents this fact.
RaitoBezarius (Migrated from github.com) commented 2023-10-01 00:58:00 +00:00
Copy link

thx you madman

thx you madman
blitz commented 2023-10-15 13:57:25 +00:00 (Migrated from github.com)
Copy link

I would need some high-level information about the security model here. If people still need to protect the credentials to access this server, which signs everything, why not just given them the private keys themselves? The only advantage I can see now is that the server can log what it signed.

I would need some high-level information about the security model here. If people still need to protect the credentials to access this server, which signs everything, why not just given them the private keys themselves? The only advantage I can see now is that the server can log what it signed.
RaitoBezarius commented 2023-10-15 14:08:47 +00:00 (Migrated from github.com)
Copy link

Let's discuss it tomorrow :)

Le dim. 15 oct. 2023, 14:57, Julian Stecklina @.***> a
écrit :

I would need some high-level information about the security model here. If
people still need to protect the credentials to access this server, which
signs everything, why not just given them the private keys themselves? The
only advantage I can see now is that the server can log what it signed.


Reply to this email directly, view it on GitHub
https://github.com/nix-community/lanzaboote/pull/228#issuecomment-1763397175,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AACMZRHGN5RL37PQ6FGNORTX7PTVDAVCNFSM6AAAAAA5HZ5HT6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONRTGM4TOMJXGU
.
You are receiving this because you authored the thread.Message ID:
@.***>

Let's discuss it tomorrow :) Le dim. 15 oct. 2023, 14:57, Julian Stecklina ***@***.***> a écrit : > I would need some high-level information about the security model here. If > people still need to protect the credentials to access this server, which > signs everything, why not just given them the private keys themselves? The > only advantage I can see now is that the server can log what it signed. > > — > Reply to this email directly, view it on GitHub > <https://github.com/nix-community/lanzaboote/pull/228#issuecomment-1763397175>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AACMZRHGN5RL37PQ6FGNORTX7PTVDAVCNFSM6AAAAAA5HZ5HT6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONRTGM4TOMJXGU> > . > You are receiving this because you authored the thread.Message ID: > ***@***.***> >
RaitoBezarius commented 2023-10-30 12:22:23 +00:00 (Migrated from github.com)
Copy link

This will have to wait until I have some time to fix the merge conflicts. Closing in the meantime, do not delete the branch.

This will have to wait until I have some time to fix the merge conflicts. Closing in the meantime, **do not delete the branch**.

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug

Something isn't working

  
dependency

Issues related to our dependencies

  
documentation

Improvements or additions to documentation

  
duplicate

This issue or pull request already exists

  
enhancement

New feature or request

  
good first issue

Good for newcomers

  
help wanted

Extra attention is needed

  
invalid

This doesn't seem right

  
question

Further information is requested

  
review-next

   
security

   
stub

   
tool

   
wontfix

This will not be worked on

No labels
bug
dependency
documentation
duplicate
enhancement
good first issue
help wanted
invalid
question
review-next
security
stub
tool
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: raito/lanzaboote#228
No description provided.
Delete branch "signing-client"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?