BMC image generation without private key
patrick at stwcx.xyz
Wed Jan 18 23:05:35 AEDT 2023
On Tue, Jan 17, 2023 at 03:21:40PM -0500, Michael Richardson wrote:
> The build server requires authorization from the holder of the private key to
> create signatures. One way is to have direct access to the private key.
> I think that if the build server is so untrusted, then maybe there are other
> problems :-)
I don't have any security guidelines or NIST papers to quote here, but
my impression is that this is a great over-simplification. Every design
for signing firmware I've ever seen used in production separates the build
server from the signing server, so there must be good reason for it.
I suspect it stems from it being a lesser-evil if someone unauthorized signs
a one-off image than it is if the private key escapes. Build servers run
a lot of code and thus have a lot of surface to attack. A signing
server can have a single remote API ("here is an image and my identity
... give me a signature"), which keeps the signing key(s) safer.
Requiring the private key to be present on the build server likely also
precludes any use of HSMs.
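The following is an added example, not code from the OpenBMC project or from anyone in this thread, sketching the separation described above: the build server holds only an image and a client credential, while a separate signing service holds the private key, checks the caller's identity, refuses replayed requests, and keeps an audit record. Everything here is constructed for illustration: the Ed25519 key generated in-process stands in for an HSM-held key, the per-client shared secret with an HMAC stands in for whatever mutual TLS or token scheme a real deployment would use, and the identity name and image bytes are made up.

```go
package main

// Added example, not OpenBMC code. The build server never sees the signing
// key; it sends a digest plus proof of who it is to a single signing API.

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignRequest is the only thing that crosses the build -> signing boundary.
type SignRequest struct {
	Identity string
	Digest   [32]byte
	Nonce    [16]byte
	MAC      []byte // HMAC-SHA256 over identity||digest||nonce, keyed by the client's secret
}

// AuditEntry records each decision; in practice this goes to an append-only
// log the build server cannot edit.
type AuditEntry struct {
	Identity, Digest, Reason string
	Allowed                  bool
}

type SigningService struct {
	priv    ed25519.PrivateKey
	pub     ed25519.PublicKey
	clients map[string][]byte // identity -> shared secret (assumption: stand-in for mTLS/tokens)
	seen    map[[16]byte]bool // nonces already used, so a captured request cannot be replayed
	Audit   []AuditEntry
}

func NewSigningService(clients map[string][]byte) (*SigningService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // a real service keeps this in an HSM
	if err != nil {
		return nil, err
	}
	return &SigningService{priv: priv, pub: pub, clients: clients, seen: map[[16]byte]bool{}}, nil
}

func (s *SigningService) PublicKey() ed25519.PublicKey { return s.pub }

func requestMAC(secret []byte, identity string, digest [32]byte, nonce [16]byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(identity))
	m.Write(digest[:])
	m.Write(nonce[:])
	return m.Sum(nil)
}

// Sign is the single remote API: "here is an image digest and my identity, give me a signature".
func (s *SigningService) Sign(req SignRequest) ([]byte, error) {
	deny := func(reason string) ([]byte, error) {
		s.Audit = append(s.Audit, AuditEntry{req.Identity, hex.EncodeToString(req.Digest[:]), reason, false})
		return nil, errors.New(reason)
	}
	secret, ok := s.clients[req.Identity]
	if !ok {
		return deny("unknown identity")
	}
	if !hmac.Equal(req.MAC, requestMAC(secret, req.Identity, req.Digest, req.Nonce)) {
		return deny("bad request authentication")
	}
	if s.seen[req.Nonce] {
		return deny("replayed nonce")
	}
	s.seen[req.Nonce] = true
	sig := ed25519.Sign(s.priv, req.Digest[:])
	s.Audit = append(s.Audit, AuditEntry{req.Identity, hex.EncodeToString(req.Digest[:]), "signed", true})
	return sig, nil
}

// BuildRequest is the build server's side: hash the image and authenticate the request.
func BuildRequest(identity string, secret []byte, image []byte, nonce [16]byte) SignRequest {
	digest := sha256.Sum256(image)
	return SignRequest{Identity: identity, Digest: digest, Nonce: nonce, MAC: requestMAC(secret, identity, digest, nonce)}
}

// VerifyImage is what the BMC boot path would do with only the public key.
func VerifyImage(pub ed25519.PublicKey, image []byte, sig []byte) bool {
	digest := sha256.Sum256(image)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	secret := []byte("constructed-build-server-credential")
	svc, err := NewSigningService(map[string][]byte{"build-01": secret})
	if err != nil {
		panic(err)
	}
	image := []byte("constructed BMC image bytes")
	var nonce [16]byte
	rand.Read(nonce[:])
	sig, err := svc.Sign(BuildRequest("build-01", secret, image, nonce))
	fmt.Println("signed:", err == nil, "verifies:", VerifyImage(svc.PublicKey(), image, sig))
	_, err = svc.Sign(BuildRequest("build-01", secret, image, nonce)) // same request again
	fmt.Println("replay refused:", err)
}
```

The design point is that a compromised build server can at worst obtain signatures for images it submits under its own identity, each of which lands in the audit log, whereas the key itself never leaves the signing side; replacing the in-process key with an HSM changes only `NewSigningService` and the `ed25519.Sign` call.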