(Created page with "{{admon/caution|DRAFT|This is just a DRAFT. We try and make sure the information here is up to date and correct, but please check before depending on it.}} {{admon/important | C...") |
|||
(6 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
{{admon/caution|DRAFT|This is just a DRAFT. We try and make sure the information here is up to date and correct, but please check before depending on it.}} | {{admon/caution|DRAFT|This is just a DRAFT. We try and make sure the information here is up to date and correct, but please check before depending on it.}} | ||
<!-- All fields on this form are required to be accepted by FESCo. | <!-- All fields on this form are required to be accepted by FESCo. | ||
Line 13: | Line 6: | ||
<!-- The actual name of your feature page should look something like: Features/Your_Feature_Name. This keeps all features in the same namespace --> | <!-- The actual name of your feature page should look something like: Features/Your_Feature_Name. This keeps all features in the same namespace --> | ||
= | = RPM Signature Checking During Installation <!-- The name of your feature --> = | ||
== Summary == | == Summary == | ||
Back in the dawn of time, rpm grew the ability to check cryptographic signatures of a package. We've never used this during installation, because it was unclear where the root of trust would come from - there's no way to tell that the public keys are valid. That problem is now solvable.<br> | |||
<br> | |||
Related bugs:<ul> | |||
<li>https://bugzilla.redhat.com/show_bug.cgi?id=998 | |||
<li>https://bugzilla.redhat.com/show_bug.cgi?id=253897 | |||
</ul> | |||
== Owner == | == Owner == | ||
<!--This should link to your home wiki page so we know who you are--> | <!--This should link to your home wiki page so we know who you are--> | ||
* Name: [[User: | * Name: [[User:Pjones| Peter Jones]] | ||
<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or technical issues need to be resolved--> | <!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or technical issues need to be resolved--> | ||
* Email: | * Email: pjones at redhat com | ||
== Current status == | == Current status == | ||
* Targeted release: [[Releases/ | * Targeted release: [[Releases/19 | Fedora 19 ]] | ||
* Last updated: | * Last updated: 23-Jun-2012 | ||
* Percentage of completion: | * Percentage of completion: 20% | ||
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. --> | <!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. --> | ||
== Detailed Description == | == Detailed Description == | ||
Using the Secure Boot mechanism, we can make a UEFI binary, which for this discussion we'll call "Hello, World!", or "HW" for short. In that binary, we add an extra section that holds a list of public keys. We then get the binary signed with the UEFI signing service. | |||
During installation, we verify the signature against the hardware keys. If the signature is invalid, we warn the user that something has gone horribly wrong. If it's valid, we extract the public keys from the binary using a simple tool, and we add them to the rpm database. We then run the anaconda transaction with keys in place. | |||
== Benefit to Fedora == | == Benefit to Fedora == | ||
No more risky installation from untrusted repositories. | |||
== Scope == | == Scope == | ||
< | <ol> | ||
<li> Write the small utility to generate the binary | |||
<li> Write the small utility to verify the binary and extract the keys | |||
<li> Get a new binary signed every time we change the signing keys. | |||
</ol> | |||
== How To Test == | == How To Test == | ||
Standard installation should test that it's working. Invalid binaries are easily provided to test a negative cryptographic test. | |||
== User Experience == | == User Experience == | ||
Substantially the same as current experience, but with a nice sense of security. | |||
== Dependencies == | == Dependencies == | ||
< | <ul><li>pesign will provide utilities for doing this which it doesn't have yet. | ||
<li>https://fedoraproject.org/wiki/Features/SecureBoot | |||
</ul> | |||
== Contingency Plan == | == Contingency Plan == | ||
Contingency plan is current status quo. | |||
== Documentation == | == Documentation == | ||
Not yet. | |||
== Release Notes == | == Release Notes == | ||
<!-- The Fedora Release Notes inform end-users about what is new in the release. Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ --> | <!-- The Fedora Release Notes inform end-users about what is new in the release. Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ --> | ||
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns. If there are any such changes involved in this feature, indicate them here. You can also link to upstream documentation if it satisfies this need. This information forms the basis of the release notes edited by the documentation team and shipped with the release. --> | <!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns. If there are any such changes involved in this feature, indicate them here. You can also link to upstream documentation if it satisfies this need. This information forms the basis of the release notes edited by the documentation team and shipped with the release. --> | ||
== Comments and Discussion == | == Comments and Discussion == | ||
* See [[Talk:Features/ | * See [[Talk:Features/SignatureCheckingDuringInstall]] | ||
[[Category:FeaturePageIncomplete]] | [[Category:FeaturePageIncomplete]] |
Latest revision as of 18:23, 25 June 2012
RPM Signature Checking During Installation
Summary
Back in the dawn of time, rpm grew the ability to check cryptographic signatures of a package. We've never used this during installation, because it was unclear where the root of trust would come from - there's no way to tell that the public keys are valid. That problem is now solvable.
Related bugs:
Owner
- Name: Peter Jones
- Email: pjones at redhat com
Current status
- Targeted release: Fedora 19
- Last updated: 23-Jun-2012
- Percentage of completion: 20%
Detailed Description
Using the Secure Boot mechanism, we can make a UEFI binary, which for this discussion we'll call "Hello, World!", or "HW" for short. In that binary, we add an extra section that holds a list of public keys. We then get the binary signed with the UEFI signing service.
During installation, we verify the signature against the hardware keys. If the signature is invalid, we warn the user that something has gone horribly wrong. If it's valid, we extract the public keys from the binary using a simple tool, and we add them to the rpm database. We then run the anaconda transaction with keys in place.
Benefit to Fedora
No more risky installation from untrusted repositories.
Scope
- Write the small utility to generate the binary
- Write the small utility to verify the binary and extract the keys
- Get a new binary signed every time we change the signing keys.
How To Test
Standard installation should test that it's working. Invalid binaries are easily provided to test a negative cryptographic test.
User Experience
Substantially the same as current experience, but with a nice sense of security.
Dependencies
- pesign will provide utilities for doing this which it doesn't have yet.
- https://fedoraproject.org/wiki/Features/SecureBoot
Contingency Plan
Contingency plan is current status quo.
Documentation
Not yet.