[PATCH] openwrt-keyring: Only copy sign key for snapshots

2021-05-12 Thread Hauke Mehrtens
Instead of adding all public signature keys from the openwrt-keyring
repository only add the key which is used to sign the master feeds.

If one of the other keys would be compromised this would not affect
users of master snapshot builds.

Signed-off-by: Hauke Mehrtens 
---

As far as I know the other keys are not compromised, this is just a 
precaution. 

I would do similar changes to 21.02 and 19.07 to only add the key which 
is used for this specific release.

Instead of adding just this single key, should we add all keys of 
currently maintained releases like 19.07, 21.02 and master key into all 
3 branches? 

The signature verification of sysupgrade images is currently not used as 
far as I know, so normally we do not need the keys of other releases.


 package/system/openwrt-keyring/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/system/openwrt-keyring/Makefile 
b/package/system/openwrt-keyring/Makefile
index 6f3aa65622d5..ceaccf1fc527 100644
--- a/package/system/openwrt-keyring/Makefile
+++ b/package/system/openwrt-keyring/Makefile
@@ -32,7 +32,8 @@ Build/Compile=
 
 define Package/openwrt-keyring/install
$(INSTALL_DIR) $(1)/etc/opkg/keys/
-   $(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/* $(1)/etc/opkg/keys/
+   # Public usign key for unattended snapshot builds
+   $(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/b5043e70f9a75cde 
$(1)/etc/opkg/keys/
 endef
 
 $(eval $(call BuildPackage,openwrt-keyring))
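Review bot: the install line hardcodes the key id `b5043e70f9a75cde` with nothing in the Makefile tying it to the intent stated in the comment ("unattended snapshot builds") or in the commit message ("the key which is used to sign the master feeds"), so a reader cannot tell which key this is without opening the keyring repository, and the 21.02 and 19.07 branches you mention will each need a divergent one-line edit of the same recipe. Consider lifting the id into a variable near the top of the Makefile (a name of my choosing, for illustration: `OPENWRT_KEYRING_KEY:=b5043e70f9a75cde`), installing `$(PKG_BUILD_DIR)/usign/$(OPENWRT_KEYRING_KEY)`, and naming the key's usign comment or fingerprint in the comment so the mapping is auditable in the tree. Worth stating in the commit message as well: `$(INSTALL_DATA)` of one explicit path makes the build fail if the keyring repository ever drops or renames that file, which is the right fail-closed behaviour compared with the old `usign/*` glob that silently installed whatever happened to be present. Also, as rendered here the `+   $(INSTALL_DATA) ...` line wraps before `$(1)/etc/opkg/keys/`; in the applied patch that must remain a single recipe line.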
-- 
2.30.2


___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


Re: [PATCH] openwrt-keyring: Only copy sign key for snapshots

2021-05-14 Thread Paul Spooren

Hi,

On 5/13/21 1:32 AM, Hauke Mehrtens wrote:
> Instead of adding all public signature keys from the openwrt-keyring
> repository only add the key which is used to sign the master feeds.
>
> If one of the other keys would be compromised this would not affect
> users of master snapshot builds.
>
> Signed-off-by: Hauke Mehrtens 
> ---

Thanks for working on this.

I'm still in favor of including an *openwrt-next* key which becomes the 
signing key for the next release. This way an upgrade step between 
release branches is possible.

> As far as I know the other keys are not compromised, this is just a
> precaution.
>
> I would do similar changes to 21.02 and 19.07 to only add the key which
> is used for this specific release.

In case of 19.07 please add 21.02 release keys as well, since it's *the 
next key*.

> Instead of adding just this single key, should we add all keys of
> currently maintained releases like 19.07, 21.02 and master key into all
> 3 branches?

How about adding keys like that:
19.07: 19.07 + 21.02 keys
21.02: 21.02 + openwrt-next keys
snapshot: snapshot key

The snapshot key stays the same "forever", it shouldn't be included in 
releases.

> The signature verification of sysupgrade images is currently not used as
> far as I know, so normally we do not need the keys of other releases.

If the `ucert` package is installed and the env variable 
`REQUIRE_IMAGE_SIGNATURE` is set, the images are verified. This should 
eventually become the default.

So ideally we already start shipping the correct keys before activating 
the extra security measures.


  package/system/openwrt-keyring/Makefile | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/system/openwrt-keyring/Makefile 
b/package/system/openwrt-keyring/Makefile
index 6f3aa65622d5..ceaccf1fc527 100644
--- a/package/system/openwrt-keyring/Makefile
+++ b/package/system/openwrt-keyring/Makefile
@@ -32,7 +32,8 @@ Build/Compile=
  
  define Package/openwrt-keyring/install

$(INSTALL_DIR) $(1)/etc/opkg/keys/
-   $(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/* $(1)/etc/opkg/keys/
+   # Public usign key for unattended snapshot builds
+   $(INSTALL_DATA) $(PKG_BUILD_DIR)/usign/b5043e70f9a75cde 
$(1)/etc/opkg/keys/
  endef
  
  $(eval $(call BuildPackage,openwrt-keyring))




Re: [PATCH] openwrt-keyring: Only copy sign key for snapshots

2021-05-14 Thread Bjørn Mork
Paul Spooren  writes:
> On 5/13/21 1:32 AM, Hauke Mehrtens wrote:

>> The signature verification of sysupgrade images is currently not used as
>> far as I know, so normal we do not need the keys for of other releases.
>
> If the `ucert` package is installed and the env variable
> `REQUIRE_IMAGE_SIGNATURE` is set, the images are verified. This should 
> eventually become the default.
>
> So ideally we already start shipping the correct keys before
> activating the extra security measurements.

I wonder if I have understood the current signing scheme correctly:

- create an expiring certificate signed by the private signing key
- sign image with private signing key and append both certificate and signature
- validate image signature using certificate
- validate certificate using public signing key

If this is correct, then I don't think it will fly.  The problem is the
expiration of the redundant certificate.  This means that the image has
an absolute expiration date. You don't want that.  You might have
expiring keys.  But the images, including their signatures, should last
forever.  Or as long as the key is considered valid.

I also have a small issue with the creation of the certificate for home
builders, but that's a minor problem and rather simple to fix. However,
it just hides the underlying problem by moving the image expiration date
from the past to up to a year in the future.  It just highlighted the
certificate issue when I started building invalid images because the
included certificate was older than a year, and already expired by the
time it was appended to the image.


Bjørn



Re: [PATCH] openwrt-keyring: Only copy sign key for snapshots

2021-05-14 Thread Hauke Mehrtens

On 5/14/21 12:17 PM, Paul Spooren wrote:
> Hi,
>
> On 5/13/21 1:32 AM, Hauke Mehrtens wrote:
>> Instead of adding all public signature keys from the openwrt-keyring
>> repository only add the key which is used to sign the master feeds.
>>
>> If one of the other keys would be compromised this would not affect
>> users of master snapshot builds.
>>
>> Signed-off-by: Hauke Mehrtens 
>> ---
>
> Thanks for working on this.
>
> I'm still in favor of including an *openwrt-next* key which becomes the
> signing key for the next release. This way an upgrade step between
> release branches is possible.

I would prefer to create it closer to the next release.

>> As far as I know the other keys are not compromised, this is just a
>> precaution.
>>
>> I would do similar changes to 21.02 and 19.07 to only add the key which
>> is used for this specific release.
>
> In case of 19.07 please add 21.02 release keys as well, since it's *the
> next key*.

Yes, good idea.

>> Instead of adding just this single key, should we add all keys of
>> currently maintained releases like 19.07, 21.02 and master key into all
>> 3 branches?
>
> How about adding keys like that:
> 19.07: 19.07 + 21.02 keys
> 21.02: 21.02 + openwrt-next keys
> snapshot: snapshot key
>
> The snapshot key stays the same "forever", it shouldn't be included in
> releases.
>
>> The signature verification of sysupgrade images is currently not used as
>> far as I know, so normally we do not need the keys of other releases.
>
> If the `ucert` package is installed and the env variable
> `REQUIRE_IMAGE_SIGNATURE` is set, the images are verified. This should
> eventually become the default.

How reliably is this working?

Currently we do not ship ucert by default and this is needed to check 
the image signature.

> So ideally we already start shipping the correct keys before activating
> the extra security measures.

Hauke




Re: [PATCH] openwrt-keyring: Only copy sign key for snapshots

2021-05-14 Thread Daniel Golle
On Fri, May 14, 2021 at 11:31:27PM +0200, Hauke Mehrtens wrote:
> On 5/14/21 12:17 PM, Paul Spooren wrote:
> > Hi,
> > 
> > On 5/13/21 1:32 AM, Hauke Mehrtens wrote:
> > > Instead of adding all public signature keys from the openwrt-keyring
> > > repository only add the key which is used to sign the master feeds.
> > > 
> > > If one of the other keys would be compromised this would not affect
> > > users of master snapshot builds.
> > > 
> > > Signed-off-by: Hauke Mehrtens 
> > > ---
> > 
> > Thanks for working on this.
> > 
> > I'm still in favor to include a *openwrt-next* key which becomes the
> > signing key for the next release. This way a upgrade step between
> > release branches is possible.
> 
> I would prefer to create it closer to the next release.
> 
> > > As far as I know the other keys are not compromised, this is just a
> > > precaution.
> > > 
> > > I would do similar changes to 21.02 and 19.07 to only add the key which
> > > is used for this specific release.
> > In case of 19.07 please add 21.02 release keys as well, since it's *the
> > next key*.
> 
> Yes, good idea.
> 
> > > Instead of adding just this single key, should we add all keys of
> > > currently maintained releases like 19.07, 21.02 and master key into all
> > > 3 branches?
> > How about adding keys like that:
> > 19.07: 19.07 + 21.02 keys
> > 21.02: 21.02 + openwrt-next keys
> > snapshot: snapshot key
> > 
> > The snapshot key stays the same "forever", it shouldn't be included in
> > releases.
> > 
> > > The signature verification of sysupgrade images is currently not used as
> > > far as I know, so normally we do not need the keys of other releases.
> > 
> > If the `ucert` package is installed and the env variable
> > `REQUIRE_IMAGE_SIGNATURE` is set, the images are verified. This should
> > eventually become the default.
> 
> How reliably is this working?

I've been using ucert on many devices for a long time now.
In order to be more secure, the signed data should be normalized
(i.e. sorted and non-relevant data removed), which has not been done
yet. Right now, hash collisions could be constructed by changing
the order of fields and/or adding useless additional data -- however,
that would still mean having to break SHA256.

Generally, to be considered more than just a small extra barrier
or even a security risk, much more review would be needed. See:

https://git.openwrt.org/?p=project/ucert.git;a=blob;f=README.md;hb=refs/heads/master#l6

> 
> Currently we do not ship ucert by default and this is needed to check the
> image signature.

People can, however, install ucert which enables signature checks
of future sysupgrades. When using 'auc' or 'luci-app-attendedsysupgrade'
for upgrade, all explicitly installed packages are also kept across
updates, and that can include 'ucert' (which is what I've been doing
for a while now on my local devices)

> 
> > So ideally we already start shipping the correct keys before activating
> 
> > the extra security measurements.
> > 
> 
> Hauke

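Daniel's remark above that the signed metadata should be normalized (sorted, with non-relevant data removed) before it is hashed and signed, as an added Go example that is not taken from ucert, fwtool or this thread. The metadata documents, the field names and the allowlist of signed fields are constructed for illustration and are not fwtool's real layout. What it shows: two byte-for-byte different encodings of the same signed fields reduce to one canonical byte string and therefore one digest, a change to a covered value does not, and an unsigned extra field cannot influence the digest at all.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// signedFields is a hypothetical allowlist of the top-level metadata keys the
// signature is meant to cover. Everything else is treated as unsigned noise.
var signedFields = map[string]bool{
	"supported_devices": true,
	"version":           true,
}

// Canonicalize parses raw metadata JSON, drops top-level keys outside the
// allowlist and re-encodes the rest with sorted keys and no insignificant
// whitespace, so every semantically equal document yields the same bytes.
func Canonicalize(raw []byte) ([]byte, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // keep numeric literals verbatim instead of via float64
	var doc map[string]interface{}
	if err := dec.Decode(&doc); err != nil {
		return nil, err
	}
	// Reject anything after the object: the signer's and the verifier's
	// parsers must not be able to disagree about where the signed data ends.
	if _, err := dec.Token(); err != io.EOF {
		return nil, errors.New("trailing data after metadata object")
	}
	kept := make(map[string]interface{}, len(signedFields))
	for k, v := range doc {
		if signedFields[k] {
			kept[k] = v
		}
	}
	// encoding/json writes map keys in sorted order at every nesting level.
	return json.Marshal(kept)
}

// Digest is the hex SHA-256 over the canonical form: what the signer signs
// and what the verifier recomputes before checking the signature.
func Digest(raw []byte) (string, error) {
	c, err := Canonicalize(raw)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(c)
	return hex.EncodeToString(sum[:]), nil
}

// Constructed sample metadata; the field names are illustrative, not fwtool's.
var (
	metaA = []byte(`{"version":{"dist":"OpenWrt","version":"21.02.0-rc1"},"supported_devices":["tplink,tl-wdr4300-v1"]}`)
	// Same signed content as metaA: reordered, reformatted, plus an unsigned extra field.
	metaB = []byte(`{
  "supported_devices": ["tplink,tl-wdr4300-v1"],
  "build_host": "buildbot-3",
  "version": {"version": "21.02.0-rc1", "dist": "OpenWrt"}
}`)
	// A real change in a covered field.
	metaC = []byte(`{"version":{"dist":"OpenWrt","version":"21.02.0-rc2"},"supported_devices":["tplink,tl-wdr4300-v1"]}`)
)

func main() {
	for _, s := range []struct {
		name string
		m    []byte
	}{{"A", metaA}, {"B", metaB}, {"C", metaC}} {
		raw := sha256.Sum256(s.m)
		d, err := Digest(s.m)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s raw=%x canonical=%s\n", s.name, raw[:4], d[:8])
	}
}
```

One consequence of dropping fields before signing is that the verifier must also ignore them after signing: anything outside the allowlist is attacker-controllable, so no decision (device match, version comparison) may be read from the raw document rather than from the canonical form. `UseNumber` keeps numeric literals as written; decoding through float64 would make `1` and `1.0` canonicalize identically and silently truncate large integers, which is exactly the kind of ambiguity normalization is supposed to remove.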


Re: [PATCH] openwrt-keyring: Only copy sign key for snapshots

2021-05-15 Thread Hauke Mehrtens

On 5/15/21 1:34 AM, Daniel Golle wrote:
> On Fri, May 14, 2021 at 11:31:27PM +0200, Hauke Mehrtens wrote:
>> On 5/14/21 12:17 PM, Paul Spooren wrote:
>>> Hi,
>>>
>>> On 5/13/21 1:32 AM, Hauke Mehrtens wrote:
>>>> Instead of adding all public signature keys from the openwrt-keyring
>>>> repository only add the key which is used to sign the master feeds.
>>>>
>>>> If one of the other keys would be compromised this would not affect
>>>> users of master snapshot builds.
>>>>
>>>> Signed-off-by: Hauke Mehrtens 
>>>> ---
>>>
>>> Thanks for working on this.
>>>
>>> I'm still in favor of including an *openwrt-next* key which becomes the
>>> signing key for the next release. This way an upgrade step between
>>> release branches is possible.
>>
>> I would prefer to create it closer to the next release.
>>
>>>> As far as I know the other keys are not compromised, this is just a
>>>> precaution.
>>>>
>>>> I would do similar changes to 21.02 and 19.07 to only add the key which
>>>> is used for this specific release.
>>>
>>> In case of 19.07 please add 21.02 release keys as well, since it's *the
>>> next key*.
>>
>> Yes, good idea.
>>
>>>> Instead of adding just this single key, should we add all keys of
>>>> currently maintained releases like 19.07, 21.02 and master key into all
>>>> 3 branches?
>>>
>>> How about adding keys like that:
>>> 19.07: 19.07 + 21.02 keys
>>> 21.02: 21.02 + openwrt-next keys
>>> snapshot: snapshot key
>>>
>>> The snapshot key stays the same "forever", it shouldn't be included in
>>> releases.
>>>
>>>> The signature verification of sysupgrade images is currently not used as
>>>> far as I know, so normally we do not need the keys of other releases.
>>>
>>> If the `ucert` package is installed and the env variable
>>> `REQUIRE_IMAGE_SIGNATURE` is set, the images are verified. This should
>>> eventually become the default.
>>
>> How reliably is this working?
>
> I've been using ucert on many devices for a long time now.
> In order to be more secure, the signed data should be normalized
> (i.e. sorted and non-relevant data removed), which has not been done
> yet. Right now, hash collisions could be constructed by changing
> the order of fields and/or adding useless additional data -- however,
> that would still mean having to break SHA256.
>
> Generally, to be considered more than just a small extra barrier
> or even a security risk, much more review would be needed. See:
>
> https://git.openwrt.org/?p=project/ucert.git;a=blob;f=README.md;hb=refs/heads/master#l6
>
>> Currently we do not ship ucert by default and this is needed to check the
>> image signature.
>
> People can, however, install ucert which enables signature checks
> of future sysupgrades. When using 'auc' or 'luci-app-attendedsysupgrade'
> for upgrade, all explicitly installed packages are also kept across
> updates, and that can include 'ucert' (which is what I've been doing
> for a while now on my local devices)

Ok this is nice.

I tried to check the signature of the 21.02-rc1 release and it failed:
---
root@OpenWrt:/tmp# REQUIRE_IMAGE_SIGNATURE=1 sysupgrade -T openwrt-21.02.0-rc1-ath79-generic-tplink_tl-wdr4300-v1-squashfs-sysupgrade.bin
cert_verify: cannot parse cert
Image check failed.
---

With a self-built image it works.

It contains "# fake certificate" where I would expect the certificate.

Is this expected?

Hauke



Re: [PATCH] openwrt-keyring: Only copy sign key for snapshots

2021-05-15 Thread Daniel Golle
On Sat, May 15, 2021 at 04:28:58PM +0200, Hauke Mehrtens wrote:
> On 5/15/21 1:34 AM, Daniel Golle wrote:
> > On Fri, May 14, 2021 at 11:31:27PM +0200, Hauke Mehrtens wrote:
> > > On 5/14/21 12:17 PM, Paul Spooren wrote:
> > > > Hi,
> > > > 
> > > > On 5/13/21 1:32 AM, Hauke Mehrtens wrote:
> > > > > Instead of adding all public signature keys from the openwrt-keyring
> > > > > repository only add the key which is used to sign the master feeds.
> > > > > 
> > > > > If one of the other keys would be compromised this would not affect
> > > > > users of master snapshot builds.
> > > > > 
> > > > > Signed-off-by: Hauke Mehrtens 
> > > > > ---
> > > > 
> > > > Thanks for working on this.
> > > > 
> > > > I'm still in favor to include a *openwrt-next* key which becomes the
> > > > signing key for the next release. This way a upgrade step between
> > > > release branches is possible.
> > > 
> > > I would prefer to create it closer to the next release.
> > > 
> > > > > As far as I know the other keys are not compromised, this is just a
> > > > > precaution.
> > > > > 
> > > > > I would do similar changes to 21.02 and 19.07 to only add the key which
> > > > > is used for this specific release.
> > > > In case of 19.07 please add 21.02 release keys as well, since it's *the
> > > > next key*.
> > > 
> > > Yes, good idea.
> > > 
> > > > > Instead of adding just this single key, should we add all keys of
> > > > > currently maintained releases like 19.07, 21.02 and master key into all
> > > > > 3 branches?
> > > > How about adding keys like that:
> > > > 19.07: 19.07 + 21.02 keys
> > > > 21.02: 21.02 + openwrt-next keys
> > > > snapshot: snapshot key
> > > > 
> > > > The snapshot key stays the same "forever", it shouldn't be included in
> > > > releases.
> > > > 
> > > > > The signature verification of sysupgrade images is currently not used as
> > > > > far as I know, so normally we do not need the keys of other releases.
> > > > 
> > > > If the `ucert` package is installed and the env variable
> > > > `REQUIRE_IMAGE_SIGNATURE` is set, the images are verified. This should
> > > > eventually become the default.
> > > 
> > > How reliably is this working?
> > 
> > I've been using ucert on many devices for a long time now.
> > In order to be more secure, the signed data should be normalized
> > (i.e. sorted and non-relevant data removed), which has not been done
> > yet. Right now, hash collisions could be constructed by changing
> > the order of fields and/or adding useless additional data -- however,
> > that would still mean having to break SHA256.
> > 
> > Generally, to be considered more than just a small extra barrier
> > or even a security risk, much more review would be needed. See:
> > 
> > https://git.openwrt.org/?p=project/ucert.git;a=blob;f=README.md;hb=refs/heads/master#l6
> > 
> > > 
> > > Currently we do not ship ucert by default and this is needed to check the
> > > image signature.
> > 
> > People can, however, install ucert which enables signature checks
> > of future sysupgrades. When using 'auc' or 'luci-app-attendedsysupgrade'
> > for upgrade, all explicitly installed packages are also kept across
> > updates, and that can include 'ucert' (which is what I've been doing
> > for a while now on my local devices)
> 
> Ok this is nice.
> 
> I tried to check the signature of the 21.02-rc1 release and it failed:
> ---
> root@OpenWrt:/tmp# REQUIRE_IMAGE_SIGNATURE=1 sysupgrade -T openwrt-21.02.0-rc1-ath79-generic-tplink_tl-wdr4300-v1-squashfs-sysupgrade.bin
> cert_verify: cannot parse cert
> Image check failed.
> ---
> 
> With a self-built image it works.
> 
> It contains "# fake certificate" where I would expect the certificate.
> 
> Is this expected?

Yes and no :)
No, because in this way ucert is pretty useless.

Yes, because this is how buildbots are configured to do things at this
point:
https://git.openwrt.org/?p=buildbot.git;a=blob;f=phase1/master.cfg;h=a85382ae4fd2ee52d0d102fc90be7f721a2dfe86;hb=HEAD#l986

The goal of ucert is to allow key delegation, as described in the
README.md in ucert.git. Like this we could have builders generate
keys with short lifetime, have them signed by a more protected
instance and have the option to revoke them, if needed.


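The chain Bjørn lays out earlier in the thread (a delegate certificate signed by the long-lived signing key, the image signed by the delegate key, the verifier checking the image under the certificate and the certificate under the trusted public key) together with the delegation-with-short-lifetime-and-revocation scheme Daniel describes in the message above, as an added worked example in Go. It is not part of the thread, ucert or OpenWrt: the certificate body layout, the revocation list keyed by a SHA-256 of the delegate public key, the one-year validity, the issue date and the image bytes are all assumptions made for the example, and ucert's real on-disk format is not reproduced. `Verify` takes the clock as a parameter so the test can show Bjørn's objection concretely: the same image that verifies within the window is rejected once the appended certificate has expired, although nothing about the image or the keys has changed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Sentinel errors so a caller learns why an image was rejected.
var (
	ErrCertSig     = errors.New("certificate is not signed by the trusted root key")
	ErrRevoked     = errors.New("delegate key is on the revocation list")
	ErrCertExpired = errors.New("certificate expired: image no longer verifiable")
	ErrImageSig    = errors.New("image signature does not verify under the delegate key")
)

// Cert binds a delegate public key to an expiry and carries the root key's
// signature over both. Assumed body layout (not ucert's real format):
// delegate pubkey (32 bytes) || NotAfter as unix seconds (8 bytes, big-endian).
type Cert struct {
	DelegatePub ed25519.PublicKey
	NotAfter    time.Time
	RootSig     []byte
}

func certBody(pub ed25519.PublicKey, notAfter time.Time) []byte {
	body := make([]byte, ed25519.PublicKeySize+8)
	copy(body, pub)
	binary.BigEndian.PutUint64(body[ed25519.PublicKeySize:], uint64(notAfter.Unix()))
	return body
}

// IssueCert runs on the protected host: it delegates signing to a builder key
// for a limited time. The root private key never touches the builder.
func IssueCert(rootPriv ed25519.PrivateKey, delegatePub ed25519.PublicKey, notAfter time.Time) Cert {
	return Cert{DelegatePub: delegatePub, NotAfter: notAfter, RootSig: ed25519.Sign(rootPriv, certBody(delegatePub, notAfter))}
}

// SignedImage is what the builder ships: image, delegate signature, certificate.
type SignedImage struct {
	Image    []byte
	ImageSig []byte
	Cert     Cert
}

func SignImage(delegatePriv ed25519.PrivateKey, cert Cert, image []byte) SignedImage {
	return SignedImage{Image: image, ImageSig: ed25519.Sign(delegatePriv, image), Cert: cert}
}

// KeyID names a delegate key on the revocation list (assumed: SHA-256 of the public key).
func KeyID(pub ed25519.PublicKey) [32]byte { return sha256.Sum256(pub) }

// Verify walks the chain: the certificate under the root key first (nothing the
// delegate key says is trusted before the delegation itself is), then revocation
// and expiry, then the image under the delegate key. The clock is a parameter
// so the expiry failure mode can be exercised without waiting a year.
func Verify(rootPub ed25519.PublicKey, revoked map[[32]byte]bool, si SignedImage, now time.Time) error {
	if !ed25519.Verify(rootPub, certBody(si.Cert.DelegatePub, si.Cert.NotAfter), si.Cert.RootSig) {
		return ErrCertSig
	}
	if revoked[KeyID(si.Cert.DelegatePub)] {
		return ErrRevoked
	}
	if now.After(si.Cert.NotAfter) {
		return ErrCertExpired
	}
	if !ed25519.Verify(si.Cert.DelegatePub, si.Image, si.ImageSig) {
		return ErrImageSig
	}
	return nil
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Outcome collects the verdicts for one signed image under different conditions.
type Outcome struct {
	InWindow, AfterExpiry, Tampered, Revoked, WrongRoot error
}

// Scenario: a root key, a delegate certified for one year from an assumed issue
// date, and a constructed image (not real firmware) signed by the delegate.
func Scenario() Outcome {
	rootPub, rootPriv := newKey()
	delegatePub, delegatePriv := newKey()
	otherRootPub, _ := newKey()
	issued := time.Date(2021, 5, 15, 0, 0, 0, 0, time.UTC)
	cert := IssueCert(rootPriv, delegatePub, issued.AddDate(1, 0, 0))
	si := SignImage(delegatePriv, cert, []byte("constructed sysupgrade image bytes, not real firmware"))

	tampered := si
	tampered.Image = append([]byte(nil), si.Image...)
	tampered.Image[0] ^= 0x01 // one flipped bit in the image body

	none := map[[32]byte]bool{}
	sixMonths := issued.AddDate(0, 6, 0)
	return Outcome{
		InWindow:    Verify(rootPub, none, si, sixMonths),
		AfterExpiry: Verify(rootPub, none, si, issued.AddDate(1, 0, 1)), // same image, one day past NotAfter
		Tampered:    Verify(rootPub, none, tampered, sixMonths),
		Revoked:     Verify(rootPub, map[[32]byte]bool{KeyID(delegatePub): true}, si, sixMonths),
		WrongRoot:   Verify(otherRootPub, none, si, sixMonths),
	}
}

func main() {
	o := Scenario()
	fmt.Printf("in window: %v\nafter expiry: %v\ntampered: %v\nrevoked: %v\nwrong root: %v\n",
		o.InWindow, o.AfterExpiry, o.Tampered, o.Revoked, o.WrongRoot)
}
```

The `AfterExpiry` verdict is the whole of Bjørn's point: with the expiry enforced against the verifier's wall clock, the image acquires an absolute end date that has nothing to do with whether the signing key is still trusted. The `Revoked` verdict is what Daniel wants delegation for, and it works independently of expiry, so a deployment that wants images to remain installable for as long as the key is trusted can keep the revocation check and drop or relax the `now.After` check; which of the two a verifier enforces is a policy decision that this example leaves to the caller.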


Re: [PATCH] openwrt-keyring: Only copy sign key for snapshots

2021-05-16 Thread Hauke Mehrtens

On 5/15/21 4:44 PM, Daniel Golle wrote:
> On Sat, May 15, 2021 at 04:28:58PM +0200, Hauke Mehrtens wrote:
>> On 5/15/21 1:34 AM, Daniel Golle wrote:
>>> On Fri, May 14, 2021 at 11:31:27PM +0200, Hauke Mehrtens wrote:
>>>> On 5/14/21 12:17 PM, Paul Spooren wrote:
>>>>> Hi,
>>>>>
>>>>> On 5/13/21 1:32 AM, Hauke Mehrtens wrote:
>>>>>> Instead of adding all public signature keys from the openwrt-keyring
>>>>>> repository only add the key which is used to sign the master feeds.
>>>>>>
>>>>>> If one of the other keys would be compromised this would not affect
>>>>>> users of master snapshot builds.
>>>>>>
>>>>>> Signed-off-by: Hauke Mehrtens 
>>>>>> ---
>>>>>
>>>>> Thanks for working on this.
>>>>>
>>>>> I'm still in favor of including an *openwrt-next* key which becomes the
>>>>> signing key for the next release. This way an upgrade step between
>>>>> release branches is possible.
>>>>
>>>> I would prefer to create it closer to the next release.
>>>>
>>>>>> As far as I know the other keys are not compromised, this is just a
>>>>>> precaution.
>>>>>>
>>>>>> I would do similar changes to 21.02 and 19.07 to only add the key which
>>>>>> is used for this specific release.
>>>>>
>>>>> In case of 19.07 please add 21.02 release keys as well, since it's *the
>>>>> next key*.
>>>>
>>>> Yes, good idea.
>>>>
>>>>>> Instead of adding just this single key, should we add all keys of
>>>>>> currently maintained releases like 19.07, 21.02 and master key into all
>>>>>> 3 branches?
>>>>>
>>>>> How about adding keys like that:
>>>>> 19.07: 19.07 + 21.02 keys
>>>>> 21.02: 21.02 + openwrt-next keys
>>>>> snapshot: snapshot key
>>>>>
>>>>> The snapshot key stays the same "forever", it shouldn't be included in
>>>>> releases.
>>>>>
>>>>>> The signature verification of sysupgrade images is currently not used as
>>>>>> far as I know, so normally we do not need the keys of other releases.
>>>>>
>>>>> If the `ucert` package is installed and the env variable
>>>>> `REQUIRE_IMAGE_SIGNATURE` is set, the images are verified. This should
>>>>> eventually become the default.
>>>>
>>>> How reliably is this working?
>>>
>>> I've been using ucert on many devices for a long time now.
>>> In order to be more secure, the signed data should be normalized
>>> (i.e. sorted and non-relevant data removed), which has not been done
>>> yet. Right now, hash collisions could be constructed by changing
>>> the order of fields and/or adding useless additional data -- however,
>>> that would still mean having to break SHA256.
>>>
>>> Generally, to be considered more than just a small extra barrier
>>> or even a security risk, much more review would be needed. See:
>>>
>>> https://git.openwrt.org/?p=project/ucert.git;a=blob;f=README.md;hb=refs/heads/master#l6
>>>
>>>> Currently we do not ship ucert by default and this is needed to check the
>>>> image signature.
>>>
>>> People can, however, install ucert which enables signature checks
>>> of future sysupgrades. When using 'auc' or 'luci-app-attendedsysupgrade'
>>> for upgrade, all explicitly installed packages are also kept across
>>> updates, and that can include 'ucert' (which is what I've been doing
>>> for a while now on my local devices)
>>
>> Ok this is nice.
>>
>> I tried to check the signature of the 21.02-rc1 release and it failed:
>> ---
>> root@OpenWrt:/tmp# REQUIRE_IMAGE_SIGNATURE=1 sysupgrade -T openwrt-21.02.0-rc1-ath79-generic-tplink_tl-wdr4300-v1-squashfs-sysupgrade.bin
>> cert_verify: cannot parse cert
>> Image check failed.
>> ---
>>
>> With a self-built image it works.
>>
>> It contains "# fake certificate" where I would expect the certificate.
>>
>> Is this expected?
>
> Yes and no :)
> No, because in this way ucert is pretty useless.
>
> Yes, because this is how buildbots are configured to do things at this
> point:
> https://git.openwrt.org/?p=buildbot.git;a=blob;f=phase1/master.cfg;h=a85382ae4fd2ee52d0d102fc90be7f721a2dfe86;hb=HEAD#l986
>
> The goal of ucert is to allow key delegation, as described in the
> README.md in ucert.git. Like this we could have builders generate
> keys with short lifetime, have them signed by a more protected
> instance and have the option to revoke them, if needed.

Ok thank you Daniel for the clarification.

So people are fine with the original patch to only include the master 
key into the image. I will send separate patches for 21.02 and 19.07.

Hauke

