From Fedora Project Wiki
(Created page with "{{admon/caution|DRAFT|This is just a DRAFT. We try and make sure the information here is up to date and correct, but please check before depending on it.}} {{admon/important | C...")
 
No edit summary
Line 1: Line 1:
{{admon/caution|DRAFT|This is just a DRAFT. We try and make sure the information here is up to date and correct, but please check before depending on it.}}
{{admon/caution|DRAFT|This is just a DRAFT. We try and make sure the information here is up to date and correct, but please check before depending on it.}}
{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section.  They are invisible when viewing this page.  To read it, choose the "edit" link.<br/> '''Copy the source to a ''new page'' before making changes!  DO NOT EDIT THIS TEMPLATE FOR YOUR FEATURE.'''}}
{{admon/important | Set a Page Watch| Make sure you click ''watch'' on your new page so that you are notified of changes to it by others, including the Feature Wrangler}}
{{admon/note | All sections of this template are required for review by FESCo.  If any sections are empty it will not be reviewed }}


<!-- All fields on this form are required to be accepted by FESCo.
<!-- All fields on this form are required to be accepted by FESCo.
Line 13: Line 6:
<!-- The actual name of your feature page should look something like: Features/Your_Feature_Name.  This keeps all features in the same namespace -->
<!-- The actual name of your feature page should look something like: Features/Your_Feature_Name.  This keeps all features in the same namespace -->


= Feature Name <!-- The name of your feature --> =
= RPM Signature Checking During Installation <!-- The name of your feature --> =


== Summary ==
== Summary ==
<!-- A sentence or two summarizing what this feature is and what it will do. This information is used for the overall feature summary page for each release. -->
 
Back in the dawn of time, rpm grew the ability to check cryptographic signatures of a package. We've never used this during installation, because it was unclear where the root of trust would come from - there's no way to tell that the public keys are valid. This is filed in bugzilla <a href="https://bugzilla.redhat.com/show_bug.cgi?id=998">here</a>.
That problem is now solvable.


== Owner ==
== Owner ==
<!--This should link to your home wiki page so we know who you are-->
<!--This should link to your home wiki page so we know who you are-->
* Name: [[User:FASAcountName| Your Name]]
* Name: [[User:Pjones| Peter Jones]]


<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or  technical issues need to be resolved-->
<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or  technical issues need to be resolved-->
Line 26: Line 21:


== Current status ==
== Current status ==
* Targeted release: [[Releases/<number> | Fedora <number> ]]  
* Targeted release: [[Releases/19 | Fedora 19 ]]  
* Last updated: (DATE)
* Last updated: 23-Jun-2012
* Percentage of completion: XX%
* Percentage of completion: 20%


<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->


== Detailed Description ==
== Detailed Description ==
<!-- Expand on the summary, if appropriateA couple sentences suffices to explain the goal, but the more details you can provide the better. -->
Using the Secure Boot mechanism, we can make a UEFI binary, which for this discussion we'll call "Hello, World!", or "HW" for short. In that binary, we add an extra section that holds a list of public keys. We then get the binary signed with the UEFI signing service.
 
During installation, we verify the signature against the hardware keysIf the signature is invalid, we warn the user that something has gone horribly wrong. If it's valid, we extract the public keys from the binary using a simple tool, and we add them to the rpm database. We then run the anaconda transaction with keys in place.


== Benefit to Fedora ==
== Benefit to Fedora ==
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?-->
No more risky installation from untrusted repositories.


== Scope ==
== Scope ==
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<ol>
<li> Write the small utility to generate the binary
<li> Write the small utility to verify the binary and extract the keys
<li> Get a new binary signed every time we change the signing keys.
</ol>


== How To Test ==
== How To Test ==
<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate themThe more specific you can be, the better the community testing can be.
Standard installation should test that it's workingInvalid binaries are easily provided to test a negative cryptographic test.
 
Remember that you are writing this how to for interested testers to use to check out your feature - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your feature.
 
A good "how to test" should answer these four questions:
 
0. What special hardware / data / etc. is needed (if any)?
1. How do I prepare my system to test this feature? What packages
need to be installed, config files edited, etc.?
2. What specific actions do I perform to check that the feature is
working like it's supposed to?
3. What are the expected results of those actions?
-->


== User Experience ==
== User Experience ==
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
Substantially the same as current experience, but with a nice sense of security.


== Dependencies ==
== Dependencies ==
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this feature depends?  In other words, completion of another feature owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel feature)? -->
pesign will provide utilities for doing this which it doesn't have yet.


== Contingency Plan ==
== Contingency Plan ==
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. -->
Contingency plan is current status quo.


== Documentation ==
== Documentation ==
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
Not yet.
*


== Release Notes ==
== Release Notes ==
Line 75: Line 63:


== Comments and Discussion ==
== Comments and Discussion ==
* See [[Talk:Features/Your_Feature_Name]] <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->
* See [[Talk:Features/SignatureCheckingDuringInstall]]
 


[[Category:FeaturePageIncomplete]]
[[Category:FeaturePageIncomplete]]

Revision as of 20:25, 23 June 2012

DRAFT
This is just a DRAFT. We try and make sure the information here is up to date and correct, but please check before depending on it.


RPM Signature Checking During Installation

Summary

Back in the dawn of time, rpm grew the ability to check cryptographic signatures of a package. We've never used this during installation, because it was unclear where the root of trust would come from - there's no way to tell that the public keys are valid. This is filed in bugzilla <a href="https://bugzilla.redhat.com/show_bug.cgi?id=998">here</a>. That problem is now solvable.

Owner

  • Email: <your email address so we can contact you, invite you to meetings, etc.>

Current status

  • Targeted release: Fedora 19
  • Last updated: 23-Jun-2012
  • Percentage of completion: 20%


Detailed Description

Using the Secure Boot mechanism, we can make a UEFI binary, which for this discussion we'll call "Hello, World!", or "HW" for short. In that binary, we add an extra section that holds a list of public keys. We then get the binary signed with the UEFI signing service.

During installation, we verify the signature against the hardware keys. If the signature is invalid, we warn the user that something has gone horribly wrong. If it's valid, we extract the public keys from the binary using a simple tool, and we add them to the rpm database. We then run the anaconda transaction with keys in place.

Benefit to Fedora

No more risky installation from untrusted repositories.

Scope

  1. Write the small utility to generate the binary
  2. Write the small utility to verify the binary and extract the keys
  3. Get a new binary signed every time we change the signing keys.

How To Test

Standard installation should test that it's working. Invalid binaries are easily provided to test a negative cryptographic test.

User Experience

Substantially the same as current experience, but with a nice sense of security.

Dependencies

pesign will provide utilities for doing this which it doesn't have yet.

Contingency Plan

Contingency plan is current status quo.

Documentation

Not yet.

Release Notes

Comments and Discussion

Retrieved from "https://fedoraproject.org/w/index.php?title=User:Pjones/Features/SignatureCheckingDuringInstall&oldid=293578"