BMC image generation without private key
Patrick Williams
patrick at stwcx.xyz
Wed Jan 18 23:05:35 AEDT 2023
On Tue, Jan 17, 2023 at 03:21:40PM -0500, Michael Richardson wrote:
> The build server requires authorization from the holder of the private key to
> create signatures. One way is to have direct access to the private key.
> I think that if the build server is so untrusted, then maybe there are other
> problems :-)
I don't have any security guidelines or NIST papers[1] to quote here, but
my impression is that this is a great over-simplification. Every design
for signing firmware I've ever seen used in production separates the build
server from the signing server, so there must be good reason for it.
I suspect it stems from it being a lesser evil if someone unauthorized signs
a one-off image than it is if the private key escapes. Build servers run
a lot of code and thus have a lot of surface to attack. A signing
server can have a single remote API ("here is an image and my identity
... give me a signature"), which keeps the signing key(s) safer.
Requiring the private key to be present on the build server likely also
precludes any use of HSMs[2].
1. https://csrc.nist.gov/CSRC/media/Publications/white-paper/2018/01/26/security-considerations-for-code-signing/final/documents/security-considerations-for-code-signing.pdf
2. https://www.opencompute.org/documents/ibm-white-paper-best-practices-for-firmware-code-signing
--
Patrick Williams
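The build/signing split described in the message above, as an added example that is not from the thread or from the OpenBMC project: the signing service holds the only copy of the key (an in-memory ed25519 key standing in for an HSM), exposes one request type ("identity plus image digest, give me a signature"), authorizes the caller against an allowlist and records every decision; the build server holds only the public key, so it can request and verify signatures but never produce one. The identities, image bytes and log format are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignRequest is the whole remote API surface: who is asking and the digest
// of what they want signed. Sending the digest rather than the image keeps
// the signing host from having to handle or store build artifacts.
type SignRequest struct {
	Identity string
	Digest   [sha256.Size]byte
}

// SigningService owns the private key. In production this would be an HSM
// or KMS; here it is an in-memory ed25519 key for illustration only.
type SigningService struct {
	priv     ed25519.PrivateKey
	allowed  map[string]bool // identities authorized to request signatures
	AuditLog []string        // every decision, for later incident review
}

// NewSigningService generates a key pair and returns the service plus the
// public key that builders and the BMC bootloader are given.
func NewSigningService(allowed []string) (*SigningService, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	s := &SigningService{priv: priv, allowed: map[string]bool{}}
	for _, id := range allowed {
		s.allowed[id] = true
	}
	return s, pub, nil
}

// Sign authorizes the caller, signs the digest and logs the outcome. An
// unauthorized caller gets an error and an audit entry, never a signature.
func (s *SigningService) Sign(req SignRequest) ([]byte, error) {
	d := hex.EncodeToString(req.Digest[:])
	if !s.allowed[req.Identity] {
		s.AuditLog = append(s.AuditLog, fmt.Sprintf("DENY identity=%s digest=%s", req.Identity, d))
		return nil, errors.New("identity not authorized to request signatures")
	}
	sig := ed25519.Sign(s.priv, req.Digest[:])
	s.AuditLog = append(s.AuditLog, fmt.Sprintf("SIGN identity=%s digest=%s", req.Identity, d))
	return sig, nil
}

// BuildServer has the image and the public key only. It can ask for a
// signature and check what comes back, but cannot sign anything itself.
type BuildServer struct {
	Identity string
	pub      ed25519.PublicKey
}

// SignImage hashes the image, requests a signature over the digest and
// verifies the result before it is attached to the image.
func (b *BuildServer) SignImage(svc *SigningService, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	sig, err := svc.Sign(SignRequest{Identity: b.Identity, Digest: digest})
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(b.pub, digest[:], sig) {
		return nil, errors.New("signing service returned an invalid signature")
	}
	return sig, nil
}

// VerifyImage is the bootloader-side check: recompute the digest and verify
// the signature with the embedded public key.
func VerifyImage(pub ed25519.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	svc, pub, err := NewSigningService([]string{"ci-release-builder"})
	if err != nil {
		panic(err)
	}
	image := []byte("constructed BMC image bytes") // stand-in for a real image
	builder := &BuildServer{Identity: "ci-release-builder", pub: pub}
	sig, err := builder.SignImage(svc, image)
	fmt.Println("authorized builder signed:", err == nil, "image verifies:", VerifyImage(pub, image, sig))
	rogue := &BuildServer{Identity: "developer-laptop", pub: pub}
	_, err = rogue.SignImage(svc, image)
	fmt.Println("unauthorized request refused:", err != nil)
	for _, line := range svc.AuditLog {
		fmt.Println(line)
	}
}
```

The point of the split is visible in the types: `BuildServer` has no field that could hold a private key, so a compromise of the build host yields at worst a signature on one digest that the audit log records, not the key itself. Swapping the in-memory key for an HSM changes only `NewSigningService` and the one `ed25519.Sign` call.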