[PATCH v2 0/5] Signed-Boot OpenSSL support

Samuel Mendoza-Jonas sam at mendozajonas.com
Wed May 30 14:59:17 AEST 2018


On Wed, 2018-05-23 at 11:04 +1000, Samuel Mendoza-Jonas wrote:
> On Tue, 2018-05-15 at 10:55 +1000, Brett Grandbois wrote:
> > Changes in v2:
> >   * add build support for openssl 1.1.x
> 
> Reviewed-by: Samuel Mendoza-Jonas <sam at mendozajonas.com>

Merged as d47114d

> 
> Looking good to me. Timothy, this of course touches on your GPGME work
> but shouldn't make any functional changes to it. Any thoughts?
> 
> Cheers,
> Sam
> 
> > 
> > Add support for configuration choice between GPGME or OpenSSL for signed-boot.
> > 
> > For configuration the --with-signed-boot option now takes the following values:
> > 
> > no - disable signed boot (as before)
> > gpgme - configure for gpgme (as before), fail if not found
> > openssl - configure for openssl, fail if not found
> > yes - look first for gpgme and then openssl using first found, fail on none
> >       this should behave as before if gpgme is installed
> > 
> > fail on any other invalid options
> > 
> > Add the following variables:
> > 
> > KEYRING_PATH - path to the gpgme home dir, currently unused in openssl but could
> >                be expanded to be the certificate store for verification.  default
> >                is /etc/gpg as before
> > 
> > VERIFY_DIGEST - string to specify signature verification MD in OpenSSL raw dgst mode
> > 
> > The OpenSSL support works like this:
> > 
> > The pb-lockdown file is a PKCS12 file or X509 certificate or PEM-encoded
> > raw public key.  To follow the current conventions the presence of a
> > PKCS12 file as a lockdown signals decrypt mode because of the presence
> > of the private key, anything else signals signature verification mode.
> > The keyring path is currently ignored but in the future could be used to
> > point to an X509 certificate chain for validity checking. Because of
> > this self-signed certificates are currently supported and really just
> > used as a public key container.
> > 
> > Signature verification mode supports:
> > 
> > * Cryptographic Message Syntax (CMS) as detached S/MIME, this is really
> >   more for consistency for the encryption mode (see below). This mode
> >   requires the lockdown file to be an X509 certificate.
> > 
> >   A sample creation command would be:
> >     openssl cms -sign -in (infile) -out (outfile) -binary -nocerts \
> >         -inkey (private key) -signer (recipient certificate)
> > 
> > * Raw signature digest as output from openssl dgst -sign command.  This
> >   mode can have the lockdown file be an X509 certificate or a PEM raw
> >   public key but the digest algorithm must be pre-defined by the
> >   VERIFY_DIGEST configure argument. The default is SHA256.
> > 
> >   A sample creation command would be:
> >     openssl dgst -sign (private key) -out (outfile) -(digest mode) \
> >          (infile)
> > 
> > Decryption mode supports:
> > 
> > * CMS signed-envelope as attached S/MIME.  This is for consistency with
> >   the current expectation of no external file for decryption.  Some
> >   future enhancement could be to come up with some proprietary external
> >   file format containing the cipher used, the encrypted cipher key, and
> >   the IV (if necessary).
> > 
> >   A sample creation command would be:
> >     openssl cms -sign -in (infile) -signer (recipient certificate) \
> >         -binary -nocerts -nodetach -inkey (private key) | \
> >         openssl cms -encrypt -(cipher mode) -out (outfile) \
> >            (recipient certificate)
> > 
> > The PKCS12 file is expecting the private key to have password of NULL or
> > "" as there is currently no mechanism to supply a custom one.
> > 
> > Brett Grandbois (5):
> >   configure: Add signed-boot openssl configuration support
> >   lib/security: add in openssl support
> >   discover: Update to reflect generic signed boot API
> >   ui/ncurses: Update LOCKDOWN_FILE check to reflect generic SIGNED_BOOT
> >   test/lib: Add OpenSSL verify and decrypt tests
> > 
> >  configure.ac                                  |  95 +++--
> >  discover/Makefile.am                          |   3 +-
> >  discover/boot.c                               |  12 +-
> >  lib/Makefile.am                               |  42 ++-
> >  lib/security/common.c                         | 230 +++++++++++++
> >  lib/security/gpg.c                            | 202 +----------
> >  lib/security/gpg.h                            |  83 -----
> >  lib/security/none.c                           |  61 ++++
> >  lib/security/openssl.c                        | 476 ++++++++++++++++++++++++++
> >  lib/security/security.h                       |  46 +++
> >  m4/ax_check_openssl.m4                        | 124 +++++++
> >  test/lib/Makefile.am                          |   7 +
> >  test/lib/data/security/cert.p12               | Bin 0 -> 2469 bytes
> >  test/lib/data/security/cert.pem               |  21 ++
> >  test/lib/data/security/key.pem                |  28 ++
> >  test/lib/data/security/pubkey.pem             |   9 +
> >  test/lib/data/security/rootdata.cmsenc        |  17 +
> >  test/lib/data/security/rootdata.cmsencver     |  41 +++
> >  test/lib/data/security/rootdata.cmsver        |  31 ++
> >  test/lib/data/security/rootdata.txt           |   2 +
> >  test/lib/data/security/rootdata_different.txt |   2 +
> >  test/lib/data/security/rootdatasha256.sig     | Bin 0 -> 256 bytes
> >  test/lib/data/security/rootdatasha512.sig     | Bin 0 -> 256 bytes
> >  test/lib/data/security/wrong_cert.pem         |  21 ++
> >  test/lib/data/security/wrong_key.pem          |  28 ++
> >  test/lib/test-security-openssl-decrypt.c      |  82 +++++
> >  test/lib/test-security-openssl-verify.c       | 103 ++++++
> >  ui/ncurses/nc-boot-editor.c                   |   2 +-
> >  28 files changed, 1419 insertions(+), 349 deletions(-)
> >  create mode 100644 lib/security/common.c
> >  delete mode 100644 lib/security/gpg.h
> >  create mode 100644 lib/security/none.c
> >  create mode 100644 lib/security/openssl.c
> >  create mode 100644 lib/security/security.h
> >  create mode 100644 m4/ax_check_openssl.m4
> >  create mode 100644 test/lib/data/security/cert.p12
> >  create mode 100644 test/lib/data/security/cert.pem
> >  create mode 100644 test/lib/data/security/key.pem
> >  create mode 100644 test/lib/data/security/pubkey.pem
> >  create mode 100644 test/lib/data/security/rootdata.cmsenc
> >  create mode 100644 test/lib/data/security/rootdata.cmsencver
> >  create mode 100644 test/lib/data/security/rootdata.cmsver
> >  create mode 100644 test/lib/data/security/rootdata.txt
> >  create mode 100644 test/lib/data/security/rootdata_different.txt
> >  create mode 100644 test/lib/data/security/rootdatasha256.sig
> >  create mode 100644 test/lib/data/security/rootdatasha512.sig
> >  create mode 100644 test/lib/data/security/wrong_cert.pem
> >  create mode 100644 test/lib/data/security/wrong_key.pem
> >  create mode 100644 test/lib/test-security-openssl-decrypt.c
> >  create mode 100644 test/lib/test-security-openssl-verify.c
> > 
> 
> _______________________________________________
> Petitboot mailing list
> Petitboot at lists.ozlabs.org
> https://lists.ozlabs.org/listinfo/petitboot
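
As an added example that is not part of Brett's series or the petitboot tree, the script below runs the signer-side commands quoted in the cover letter and then checks the results the way the verifier would, using only the openssl CLI. It covers all three modes (detached CMS signature, raw `dgst` signature with a fixed VERIFY_DIGEST, and the signed-then-enveloped CMS message), and for each one also shows the rejection cases the series' test data hints at (wrong certificate or key, altered content, digest mismatch). It assumes an `openssl` binary (1.1.x or newer) on PATH; all keys, certificates and data files are constructed in a scratch directory, and decryption uses the PEM key directly rather than the unencrypted PKCS12 lockdown file petitboot expects.

```shell
#!/bin/sh
# Added example, not code from Brett's series or the petitboot tree. It runs the
# signer-side commands from the cover letter and then checks them the way the
# verifier would, using only the openssl CLI. Assumes `openssl` (1.1.x or newer)
# is on PATH; every key, certificate and data file is constructed here in a
# scratch directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate plus key; as the cover letter notes, the certificate is
# only used as a public-key container, no chain is checked.
make_identity() { # name
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key.pem" -out "$WORK/$1.cert.pem" 2>/dev/null
    openssl pkey -in "$WORK/$1.key.pem" -pubout -out "$WORK/$1.pub.pem"
}

# Mode 1: detached CMS/S/MIME signature, the cover letter's command verbatim.
cms_sign() { # key cert infile outfile
    openssl cms -sign -in "$3" -out "$4" -binary -nocerts -inkey "$1" -signer "$2"
}
# Verifier side: the lockdown file must be the X509 certificate. -nocerts at
# sign time means the signer cert is not in the message, so it is supplied with
# -certfile; -noverify skips chain validation (the keyring path is ignored).
cms_verify() { # lockdown-cert infile sigfile
    openssl cms -verify -in "$3" -content "$2" -binary -certfile "$1" -noverify \
        -out /dev/null 2>/dev/null
}

# Mode 2: raw signature from openssl dgst -sign; the digest is fixed up front
# (VERIFY_DIGEST) because the signature file does not record it.
dgst_sign() { # key digest infile outfile
    openssl dgst "-$2" -sign "$1" -out "$4" "$3"
}
# The lockdown file may be an X509 certificate or a PEM public key.
dgst_verify() { # lockdown-file digest infile sigfile
    pub="$WORK/dgst.pub.pem"
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -pubkey -noout >"$pub"
    else
        cp "$1" "$pub"
    fi
    openssl dgst "-$2" -verify "$pub" -signature "$4" "$3" >/dev/null 2>&1
}

# Mode 3: attached signed message wrapped in a CMS envelope (the cover letter's
# pipeline). Decryption here uses the PEM key; petitboot takes it from an
# unencrypted PKCS12 lockdown file instead.
cms_signed_encrypt() { # key cert cipher infile outfile
    openssl cms -sign -in "$4" -signer "$2" -binary -nocerts -nodetach -inkey "$1" |
        openssl cms -encrypt "-$3" -out "$5" "$2"
}
cms_decrypt_verify() { # key cert infile outfile
    openssl cms -decrypt -in "$3" -recip "$2" -inkey "$1" 2>/dev/null |
        openssl cms -verify -binary -certfile "$2" -noverify -out "$4" 2>/dev/null
}

setup_fixtures() {
    make_identity boot    # the identity that signs boot artefacts
    make_identity other   # unrelated identity: the wrong_cert / wrong_key case
    printf 'root=/dev/sda2 console=hvc0\n' >"$WORK/rootdata.txt"            # constructed
    printf 'root=/dev/sdb2 console=hvc0\n' >"$WORK/rootdata_different.txt"  # constructed
    cms_sign "$WORK/boot.key.pem" "$WORK/boot.cert.pem" "$WORK/rootdata.txt" "$WORK/rootdata.cms"
    dgst_sign "$WORK/boot.key.pem" sha256 "$WORK/rootdata.txt" "$WORK/rootdatasha256.sig"
    cms_signed_encrypt "$WORK/boot.key.pem" "$WORK/boot.cert.pem" aes-256-cbc \
        "$WORK/rootdata.txt" "$WORK/rootdata.cmsenc"
}

# Returns 0 only if every good case verifies and every bad case is rejected.
run_checks() (
    cd "$WORK" || exit 1
    cms_verify boot.cert.pem rootdata.txt rootdata.cms                     || exit 1
    ! cms_verify other.cert.pem rootdata.txt rootdata.cms                  || exit 1
    ! cms_verify boot.cert.pem rootdata_different.txt rootdata.cms         || exit 1
    dgst_verify boot.cert.pem sha256 rootdata.txt rootdatasha256.sig       || exit 1
    dgst_verify boot.pub.pem sha256 rootdata.txt rootdatasha256.sig        || exit 1
    ! dgst_verify other.pub.pem sha256 rootdata.txt rootdatasha256.sig     || exit 1
    ! dgst_verify boot.cert.pem sha512 rootdata.txt rootdatasha256.sig     || exit 1  # digest mismatch
    cms_decrypt_verify boot.key.pem boot.cert.pem rootdata.cmsenc out.txt  || exit 1
    cmp -s out.txt rootdata.txt                                            || exit 1
    ! cms_decrypt_verify other.key.pem other.cert.pem rootdata.cmsenc out2.txt || exit 1
)

setup_fixtures
run_checks
echo "all signed-boot checks behaved as expected"
```

The sha512 line is the practical consequence of VERIFY_DIGEST being a configure-time constant: a raw `dgst` signature carries no algorithm identifier, so a verifier built for a different digest rejects an otherwise valid signature, which is why the series ships both a sha256 and a sha512 fixture.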


