- Devel - lists.sequoia-pgp.org

sequoia-ipc 0.31.0
by Neal H. Walfield 27 Oct '23

27 Oct '23

Hi all, I'm pleased to announce the release of version 0.31.0 of sequoia-ipc. I have published sequoia-ipc on crates.io: https://crates.io/crates/sequoia-ipc You can also fetch version 0.31.0 using the ipc/v0.31.0 tag: https://gitlab.com/sequoia-pgp/sequoia/-/tags/ipc/v0.31.0 which I signed: $ git verify-tag ipc/v0.31.0 gpg: Signature made Fri Oct 27 16:39:49 2023 +02:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate] gpg: "Neal H. Walfield <neal(a)gnupg.org>" gpg: "Neal H. Walfield <neal(a)pep-project.org>" gpg: "Neal H. Walfield <neal(a)pep.foundation>" gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>" This is a bug fix release. The most noticeable fix is that using gpg-agent is now more robust. One problem was that when using a key managed by gpg-agent, e.g., from the chameleon, our gpg reimplementation, or from the octopus, our OpenPGP implemenation for Thunderbird, the first interaction would sometimes fail. https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg https://gitlab.com/sequoia-pgp/sequoia-octopus-librnp This has been improved in these commit: https://gitlab.com/sequoia-pgp/sequoia/-/commit/648858b7b8ce1db35a6f5f4a993… https://gitlab.com/sequoia-pgp/sequoia/-/commit/c5670ce4958a33c4a7c3b861bdb… We also added support for GnuPG's loopback pinentry mode. Neal on behalf of the whole Sequoia PGP team

1 0

sequoia-openpgp 1.17.0
by Neal H. Walfield 27 Oct '23

27 Oct '23

Hi all, I'm pleased to announce the release of version 1.17.0 of sequoia-openpgp, our low-level OpenPGP library. I have published sequoia-openpgp on crates.io: https://crates.io/crates/sequoia-openpgp You can also fetch version 1.17.0 using the openpgp/v1.17.0 tag: https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.17.0 which I signed: $ git verify-tag openpgp/v1.17.0 gpg: Signature made Fri Oct 27 09:21:43 2023 +02:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate] gpg: "Neal H. Walfield <neal(a)gnupg.org>" gpg: "Neal H. Walfield <neal(a)pep-project.org>" gpg: "Neal H. Walfield <neal(a)pep.foundation>" gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>" This release includes significant testing improvements, infrastructure upgrades, new functionality, performance increases, and a number of minor bug fixes. # Testing Improvements This release includes a new "null" crypto backend, which faciliates fuzzing: https://gitlab.com/sequoia-pgp/sequoia/-/commit/a4c2b9f50a9f6e6539154eb3bce… Fuzzing works by passing invalid or malformed input to a function to uncover defects. As decryption and signature verification is highly sensitive to malformed input, the cryptography routines would quickly reject malformed input, which prevented the fuzzer from exercising the non-crypto related code. The null crypto backend faciliates fuzzing by accepting pretty much anything. Specifically, it uses a highly optimized version of double ROT-13 to encrypt and decrypt data, and indicates that all signatures are valid. This fuzzing uncovered a bug, which has also been fixed: https://gitlab.com/sequoia-pgp/sequoia/-/commit/3c76d468060a02b0aa129308bc4… There is also a new framework to detect secrets that are leaked to the heap or stack. This happens when memory that stores a secret is not erased after it is deallocated. Erasing secrets can help prevent heartbleed-style attacks. https://heartbleed.com/ See, in particular, this commit for a lot of technical details and a description of the approach: https://gitlab.com/sequoia-pgp/sequoia/-/commit/c62fb995baee091ef6009a06068… The good news is that most crypto backends are good at protecting their secrets. One issue was reported to the Rust aes crate, and a partial fix has since been committed: https://github.com/RustCrypto/block-ciphers/issues/385 # Infrastructure Upgrades On the infrastructure side, we now use Sequoia git to enforce a signing policy: https://gitlab.com/sequoia-pgp/sequoia/-/commit/18dd64b9548ad151fdfa0ec8f67… Sequoia git is a new tool that we've been working on to simplify the articulation and verification of a signing policy: https://gitlab.com/sequoia-pgp/sequoia-git The basic idea is that a file, `openpgp-policy.toml`, is added to a git repository. It contains a list of who is authorized to add commits, sign tags, and change the policy. The `sq-git` CLI can then be used to ensure that a version (e.g., a commit) is an authorized derivation in the sense that each change made since an earlier, known good version (the trust root) is consistent with a parent commit's signing policy. More details are in the specification: https://sequoia-pgp.gitlab.io/sequoia-git/ Using this tool, downstream users can detect changes that were not authorized by the upstream developers, e.g., modifications by a package registry, a forge, or some other machine in the middle. Using the commit where the signing policy was added as our trust root, we can authenticate all commits up to the openpgp/v1.17.0 tag: $ sq-git log --trust-root 18dd64b9 openpgp/v1.17.0 && echo Authenticated. 81d59e96ea37083b187909f12d298e5196c65130..65448ef8932cc8136b67445267e0f9849b7395c0: neal [74E445BA0E15C957] ... Authenticated. # New Functionality Sequoia now includes better support for early v4 certificates. These certificates often lacked a key flags subpacket. Previously, Sequoia would consider these certificates to be unusable, as it concluded the keys had no capabilities. Now, Sequoia more closely matches the behavior of other implementations by inferring the key flags from the algorithm, and the key's role (i.e., whether it is a primary key or a subkey). See: https://gitlab.com/sequoia-pgp/sequoia/-/commit/9e48a064e55e5ee61bc8caf6d7d… This release adds support for Camellia and DSA to the Rust Crypto backend: https://gitlab.com/sequoia-pgp/sequoia/-/commit/e2cb5bafb95fea51328238acac9… https://gitlab.com/sequoia-pgp/sequoia/-/commit/13d56eddcaa3925fb3bfa8ef422… Note: the algorithms supported by each of the backends is listed on the status page: https://sequoia-pgp.org/status/ Sequoia now also uses SHA-1 CD in place of SHA-1 everywhere. https://gitlab.com/sequoia-pgp/sequoia/-/commit/5188c044b9f6645dd05a0918d4a… # Performance Increases Generating a certificate is now much faster. Previously, the certificate was canonicalized after each key was added. For a certificate with a primary key and two subkeys, this means that it was canonicalized three times. Each time a certificate is canonicalized, all of the signatures are checked. Now, the certificate is only canonicalized once, at the end. https://gitlab.com/sequoia-pgp/sequoia/-/commit/4a2c51173f9dc48ebd864998238… Neal on behalf of the whole Sequoia PGP team

1 0

buffered-reader 1.3.0
by Neal H. Walfield 27 Oct '23

27 Oct '23

Hi all, I'm pleased to announce the release of version 1.3.0 of buffered-reader, an enhanced version of the `BufRead` trait from Rust's standard library. https://doc.rust-lang.org/stable/std/io/trait.BufRead.html I have published buffered-reader on crates.io: https://crates.io/crates/buffered-reader You can also fetch version 1.3.0 using the buffered-reader/v1.3.0 tag: https://gitlab.com/sequoia-pgp/sequoia/-/tags/buffered-reader/v1.3.0 which I signed: $ git verify-tag buffered-reader/v1.3.0 gpg: Signature made Thu Oct 26 17:05:24 2023 +02:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate] gpg: "Neal H. Walfield <neal(a)gnupg.org>" gpg: "Neal H. Walfield <neal(a)pep-project.org>" gpg: "Neal H. Walfield <neal(a)pep.foundation>" gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>" This release includes two new constructors, `File::new` and `File::new_with_cookie`, which wrap `std::fs::File`. These interfaces allow for some low-level manipulation of the File object before it is wrapped. For instance, it is possible to stat(2) the file to get the file size, or to implement metadata-based caching. For more details, please see: https://docs.rs/buffered-reader/1.3.0/buffered_reader/struct.File.html#meth… Neal on behalf of the whole Sequoia PGP team

1 0

SecureDrop's migration to Sequoia
by Kunal Mehta 18 Oct '23

18 Oct '23

Hi all, SecureDrop is migrating from GPG to Sequoia in our upcoming 2.7.0 release. I want to give a brief overview of how SecureDrop works and then a request for review if anyone has some time. For those not familiar, SecureDrop is a whistleblower submission system. Sources upload documents and send messages for journalists to review said information and determine whether or not to act on it. There's a high-level architecture overview at <https://docs.securedrop.org/en/stable/what_is_securedrop.html>. == Our PGP operations == Submissions are encrypted for journalists using PGP. The journalist secret key is kept offline on an airgapped machine, while the public key is on the SecureDrop server and generally publicly available. When a source logs in, they are given a diceware passphrase ("codename" in SD documentation). The server generates a PGP keypair protected by that passphrase. When the source submits a document/message, it is encrypted for the journalist key and stored. (Note: sources can pre-encrypt their submission locally and upload that, in which case we don't further encrypt it again, but our impression is that this is rarely done). If the journalist chooses to reply to source, that message is encrypted to the specific source and journalist (so journalists can read messages they sent). When a source logs in with their passphrase, we decrypt any journalist replies and display them to the source. Currently this is all done using GPG, using a vendored copy of the unmaintained pretty_bad_protocol library: <https://github.com/freedomofpress/securedrop/tree/develop/securedrop/pretty…>. == Migration to Sequoia == Any new source gets a keypair generated by Sequoia, which is stored in our SQLite database in armored format instead of the GPG keyring. Upon upgrade we run a one-time migration that iterates over the GPG keyring, exporting public keys into our database. When sources log in, we use their passphrase to export their secret key out of GPG and into our database as well. We've also added some checks for SecureDrop admins to reject SHA-1 keys during installation using sq-keyring-linter. To bring Sequoia into our Python application, we've written a small Rust crate ("redwood") that implements the encryption, decryption and key generation functions and can be exported to Python using the PyO3 bridge: <https://github.com/freedomofpress/securedrop/tree/develop/redwood>. == Review request == Thanks to Wiktor who's already reviewed some of our code and Neal for some input on issues and people who replied to my questions in IRC. We'd appreciate if anyone could take a look at our Sequoia-interfacing code, with a focus on the following areas: * Are we creating PGP key pairs correctly? * Is this (armored text) a safe format to store keys in? * Are we generally using the correct Sequoia APIs / are we using those APIs correctly? All of our Rust code is at <https://github.com/freedomofpress/securedrop/tree/develop/redwood> and the main Python<-->Rust integration is at <https://github.com/freedomofpress/securedrop/blob/develop/securedrop/encryp…>. And if there are any other concerns or potential issues that other migrations have encountered that we might have not considered. == Thanks == As a general note, it has been fantastic to use Sequoia. So thank you to everyone who has worked on it! -- Kunal, on behalf of the SecureDrop team

2 2

sequoia-openpgp 1.16.1
by Neal H. Walfield 26 Sep '23

26 Sep '23

Hi all, I'm pleased to announce the release of version 1.16.1 of sequoia-openpgp, our low-level OpenPGP library. I have published sequoia-openpgp on crates.io: https://crates.io/crates/sequoia-openpgp You can also fetch version 1.16.1 using the openpgp/v1.16.1 tag: https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.16.1 which I signed: $ git verify-tag openpgp/v1.16.1 gpg: Signature made Tue Sep 26 11:27:04 2023 +02:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate] gpg: "Neal H. Walfield <neal(a)gnupg.org>" gpg: "Neal H. Walfield <neal(a)pep-project.org>" gpg: "Neal H. Walfield <neal(a)pep.foundation>" gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>" This is a minor bug fix release. Unfortunately, due to a limitation in cargo's dependency resolver, it is not possible to ensure that two dependencies use the same version of a third crate. With the recent release of win-crypto-ng, this leads a build failure when compiling sequoia-openpgp with an up-to-date Cargo.lock file. The specific problem is: - ed25519-dalek version 1.0.1 depends on rand_core 0.5; - the latest release of win-crypto-ng (0.5.1) depends on rand_core 0.5 or 0.6; - cargo compiles ed25519-dalek against rang_core 0.5, and win-crypto-ng against rand_core 0.6; - sequoia-openpgp passes an object returned by win-crypto-ng to ed25519-dalek; - ed25519-dalek requires that that object implement a trait exported by rand_core; - rustc (correctly) considers the trait from rand_core 0.5 to be different from the trait with the same name from rand_core 0.6, and complains. This can be fixed by manually running: cargo update -p win-crypto-ng --precise 0.5.0 This forces the use of an old version of win-crypto-ng. As it is tricky for end users to figure out that this is necessary, 1.16.1 forces the use of win-crypto-ng 0.5.0. See https://gitlab.com/sequoia-pgp/sequoia/-/issues/1052 for more details. Thanks to Jens Reimann for reporting the issue. Neal on behalf of the whole Sequoia PGP team

1 0

Minimal PGP implementation for kernel keys
by Roberto Sassu 10 Aug '23

10 Aug '23

Hi everyone I'm following the discussion of using Sequoia PGP for rpm. Recently, I submitted a patch set for the kernel to support new keys and signature formats transparently. Parsing those formats is offloaded to user space. The kernel gets from user space only minimal information: the public key or signature, the algorithm, the key fingerprint, etc. This is the link of the patch set: https://lore.kernel.org/bpf/20230425173557.724688-1-roberto.sassu@huaweiclo… I was wondering if Sequoia PGP can be used on user space side. It gets the key or signature blob, parses them, and replies to the kernel with the information the latter needs. I had a brief look at the documentation of the openpgp crate, and maybe it could be done, but I don't have a precise idea. Just wanted to ask your opinion on this, as the part of Sequoia PGP I would need is very minimal (the parsing part). Also the binary itself should be statically linked (I aim to execute it early in the boot to load the GPG keys of the Linux distribution to the kernel). Another point would be to avoid external dependencies, like a crypto library, and to use the kernel Crypto API instead (through socket(AF_ALG) in user space). Not the highest priority (as it would require to rewrite some parts of your library), but nice to have. What do you think? Thanks Roberto

3 9

Kernel Crypto exposing asymmetric operations to userland via libkcapi
by Wiktor Kwapisiewicz 10 Aug '23

10 Aug '23

Hi Kernel Crypto folks, I've got a question about the Kernel Crypto API. I'm working on adding a cryptographic backend based on the Kernel Crypto API to Sequoia PGP [0][1]. Sequoia supports several cryptographical backends already but using Kernel Crypto would allow us to significantly reduce dependencies when running on Linux. After implementing hashes, AEAD encryption and symmetric ciphers, I noticed that the libkcapi API for asymmetric ciphers (and ECDH) is not working. The libkcapi maintainer kindly explained [2] that the patches that they proposed for inclusion in the kernel [3] were not merged. I looked up the relevant thread [4], read it thoroughly and from what I can see most of the arguments are about private keys not being sufficiently protected and extensibility concerns with regards to keys stored in hardware security modules (TPMs etc.). However, these are mostly irrelevant to the Sequoia PGP use case, since private keys in software that we read do not need additional protection (as they are available for software anyway). We'd still like to use them for signing, decryption, verification and encryption. As for keys stored in HSMs we handle access to them in userland via our keystore module [5]. My question is: Would it be possible to revisit the decision to expose operations with asymmetric keys (including ECDH) in Linux Crypto thus allowing libkcapi to work with non-patched kernels? I'd like to help make this happen and I think there are other projects that are interested in a complete cryptographic suite of Kernel Crypto functions available in user-land. Thank you for your time! Kind regards, Wiktor [0]: https://gitlab.com/sequoia-pgp/sequoia/-/issues/1030 [1]: https://lists.sequoia-pgp.org/hyperkitty/list/devel@lists.sequoia-pgp.org/t… [2]: https://github.com/smuellerDD/libkcapi/issues/164 [3]: https://github.com/smuellerDD/libkcapi/blob/master/kernel-patches/4.15-rc3/… [4]: https://lkml.kernel.org/lkml/9859277.cZClo5B21s@tauon.atsec.com/T/#m0dfdbd3… [5]: https://gitlab.com/sequoia-pgp/sequoia-keystore

2 2

[RFC][PATCH v3 0/9] KEYS: Introduce user asymmetric keys and signatures
by Roberto Sassu 21 Jul '23

21 Jul '23

From: Roberto Sassu <roberto.sassu(a)huawei.com> Define a new TLV-based format for keys and signatures, aiming to store and use in the kernel the crypto material from other unsupported formats (e.g. PGP). TLV fields have been defined to fill the corresponding kernel structures public_key, public_key_signature and key_preparsed_payload. Keys: struct public_key { struct key_preparsed_payload { KEY_PUB --> void *key; u32 keylen; --> prep->payload.data[asym_crypto] KEY_ALGO --> const char *pkey_algo; KEY_KID0 KEY_KID1 ---------------------------> prep->payload.data[asym_key_ids] KEY_KID2 KEY_DESC ---------------------------> prep->description Signatures: struct public_key_signature { SIG_S --> u8 *s; u32 s_size; SIG_KEY_ALGO --> const char *pkey_algo; SIG_HASH_ALGO --> const char *hash_algo; u32 digest_size; SIG_ENC --> const char *encoding; SIG_KID0 SIG_KID1 --> struct asymmetric_key_id *auth_ids[3]; SIG_KID2 For keys, since the format conversion has to be done in user space, user space is assumed to be trusted, in this proposal. Without this assumption, a malicious conversion tool could make a user load to the kernel a different key than the one expected. That should not be a particular problem for keys that are embedded in the kernel image and loaded at boot, since the conversion happens in a trusted environment such as the building infrastructure of the Linux distribution vendor. In the other cases, such as enrolling a key through the Machine Owner Key (MOK) mechanism, the user is responsible to ensure that the crypto material carried in the original format remains the same after the conversion. For signatures, assuming the strength of the crypto algorithms, altering the crypto material is simply a Denial-of-Service (DoS), as data can be validated only with the right signature. This patch set also offers the following contributions: - A library for parsing TLV-formatted data, usable also by other kernel subsystems - An API similar to the PKCS#7 one, to verify the authenticity of system data through user asymmetric keys and signatures - IMA support for user asymmetric keys and signatures embedded in a module-style appended signature (through the new API) - A mechanism to store a keyring blob in the kernel image and to extract and load the keys at system boot - A new command for gnupg (in user space), to convert keys and signatures from PGP to the new kernel format The primary use case for this patch set is to verify the authenticity of RPM package headers with the PGP keys of the Linux distribution. Once their authenticity is verified, file digests can be extracted from those RPM headers and used as reference values for IMA Appraisal. Compared to the previous patch set, the main difference is not relying on User Mode Drivers (UMDs) for the conversion from the original format to the kernel format, due to the concern that full isolation of the UMD process cannot be achieved against a fully privileged system user (root). The discussion is still ongoing here: https://lore.kernel.org/linux-integrity/eb31920bd00e2c921b0aa6ebed8745cb013… This however does not prevent the goal mentioned above of verifying the authenticity of RPM headers to be achieved. The fact that Linux distribution vendors do the conversion in their infrastructure is a good enough guarantee. A very quick way to test the patch set is to execute: $ gpg --conv-kernel /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-rawhide-primary | keyctl padd asymmetric "" @u $ keyctl show @u Keyring 762357580 --alswrv 0 65534 keyring: _uid.0 567216072 --als--v 0 0 \_ asymmetric: PGP: 18b8e74c Patch 1 introduces a common library for parsing TLV-formatted data. It is generic enough to support other use cases other than this one. Patches 2-3 preliminarly export some definitions to user space so that conversion tools can specify the right public key algorithms and signature encodings (digest algorithms are already exported). Patches 4-5 introduce the user asymmetric keys and signatures. Patches 6 introduces a system API for verifying the authenticity of system data through user asymmetric keys and signatures. Patch 7-8 introduce a mechanism to store a keyring blob with user asymmetric keys in the kernel image, and load them at system boot. Patch 9 adds support for verifying user asymmetric key signatures with IMA. Patches 1-2 [GNUPG] introduce the new gpg command --conv-kernel to convert PGP keys and signatures to the new kernel format. Changelog v2: - Make the TLV parser a generic library and use it for user asymmetric keys and signatures - Modify types in TLV header and data to u64 (future-proof) - Move struct uasym_sig_message definition to uasym_sig_parser.c - Remove eBPF patches (nacked by Alexei) - Add IMA patch to support modsigs with a user asymmetric key signature v1: - Remove useless check in validate_key() (suggested by Yonghong) - Don't rely on User Mode Drivers for the conversion from the original format to the kernel format - Use the more extensible TLV format, instead of a fixed structure Roberto Sassu (9): lib: Add TLV parser crypto: Export public key algorithm information crypto: Export signature encoding information KEYS: asymmetric: Introduce the user asymmetric key parser KEYS: asymmetric: Introduce the user asymmetric key signature parser verification: Add verify_uasym_signature() and verify_uasym_sig_message() KEYS: asymmetric: Preload user asymmetric keys from a keyring blob KEYS: Introduce load_uasym_keyring() ima: Support non-PKCS#7 modsig types MAINTAINERS | 9 + certs/Kconfig | 11 + certs/Makefile | 7 + certs/system_certificates.S | 18 + certs/system_keyring.c | 166 ++++++- crypto/Kconfig | 6 + crypto/Makefile | 2 + crypto/asymmetric_keys/Kconfig | 14 + crypto/asymmetric_keys/Makefile | 8 + crypto/asymmetric_keys/asymmetric_type.c | 3 +- crypto/asymmetric_keys/uasym_key_parser.c | 240 ++++++++++ crypto/asymmetric_keys/uasym_key_preload.c | 102 +++++ crypto/asymmetric_keys/uasym_parser.h | 26 ++ crypto/asymmetric_keys/uasym_sig_parser.c | 497 +++++++++++++++++++++ crypto/pub_key_info.c | 20 + crypto/sig_enc_info.c | 16 + include/crypto/pub_key_info.h | 15 + include/crypto/sig_enc_info.h | 15 + include/crypto/uasym_keys_sigs.h | 81 ++++ include/keys/asymmetric-type.h | 1 + include/linux/tlv_parser.h | 28 ++ include/linux/verification.h | 46 ++ include/uapi/linux/pub_key_info.h | 22 + include/uapi/linux/sig_enc_info.h | 18 + include/uapi/linux/tlv_parser.h | 59 +++ include/uapi/linux/uasym_parser.h | 59 +++ lib/Kconfig | 3 + lib/Makefile | 3 + lib/tlv_parser.c | 203 +++++++++ lib/tlv_parser.h | 17 + security/integrity/ima/ima_modsig.c | 79 +++- 31 files changed, 1771 insertions(+), 23 deletions(-) create mode 100644 crypto/asymmetric_keys/uasym_key_parser.c create mode 100644 crypto/asymmetric_keys/uasym_key_preload.c create mode 100644 crypto/asymmetric_keys/uasym_parser.h create mode 100644 crypto/asymmetric_keys/uasym_sig_parser.c create mode 100644 crypto/pub_key_info.c create mode 100644 crypto/sig_enc_info.c create mode 100644 include/crypto/pub_key_info.h create mode 100644 include/crypto/sig_enc_info.h create mode 100644 include/crypto/uasym_keys_sigs.h create mode 100644 include/linux/tlv_parser.h create mode 100644 include/uapi/linux/pub_key_info.h create mode 100644 include/uapi/linux/sig_enc_info.h create mode 100644 include/uapi/linux/tlv_parser.h create mode 100644 include/uapi/linux/uasym_parser.h create mode 100644 lib/tlv_parser.c create mode 100644 lib/tlv_parser.h -- 2.34.1

2 13

[RFC][PATCH 00/10] KEYS: Introduce user asymmetric keys and signatures
by Roberto Sassu 07 Jul '23

07 Jul '23

From: Roberto Sassu <roberto.sassu(a)huawei.com> Define a new TLV-based format for keys and signatures, aiming to store and use in the kernel the crypto material from other unsupported formats (e.g. PGP). TLV fields have been defined to fill the corresponding kernel structures public_key, public_key_signature and key_preparsed_payload. Keys: struct public_key { struct key_preparsed_payload { KEY_PUB --> void *key; u32 keylen; --> prep->payload.data[asym_crypto] KEY_ALGO --> const char *pkey_algo; KEY_KID0 KEY_KID1 --> prep->payload.data[asym_key_ids] KEY_KID2 KEY_DESC --> prep->description Signatures: struct public_key_signature { SIG_S --> u8 *s; u32 s_size; SIG_KEY_ALGO --> const char *pkey_algo; SIG_HASH_ALGO --> const char *hash_algo; u32 digest_size; SIG_ENC --> const char *encoding; SIG_KID0 SIG_KID1 --> struct asymmetric_key_id *auth_ids[3]; SIG_KID2 For keys, since the format conversion has to be done in user space, user space is assumed to be trusted, in this proposal. Without this assumption, a malicious conversion tool could make a user load to the kernel a different key than the one expected. That should not be a particular problem for keys that are embedded in the kernel image and loaded at boot, since the conversion happens in a trusted environment such as the building infrastructure of the Linux distribution vendor. In the other cases, such as enrolling a key through the Machine Owner Key (MOK) mechanism, the user is responsible to ensure that the crypto material carried in the original format remains the same after the conversion. For signatures, assuming the strength of the crypto algorithms, altering the crypto material is simply a Denial-of-Service (DoS), as data can be validated only with the right signature. This patch set also offers the following contributions: - An API similar to the PKCS#7 one, to verify the authenticity of system data through user asymmetric keys and signatures - A mechanism to store a keyring blob in the kernel image and to extract and load the keys at system boot - eBPF binding, so that data authenticity verification with user asymmetric keys and signatures can be carried out also with eBPF programs - A new command for gnupg (in user space), to convert keys and signatures from PGP to the new kernel format The primary use case for this patch set is to verify the authenticity of RPM package headers with the PGP keys of the Linux distribution. Once their authenticity is verified, file digests can be extracted from those RPM headers and used as reference values for IMA Appraisal. Compared to the previous patch set, the main difference is not relying on User Mode Drivers (UMDs) for the conversion from the original format to the kernel format, due to the concern that full isolation of the UMD process cannot be achieved against a fully privileged system user (root). The discussion is still ongoing here: https://lore.kernel.org/linux-integrity/eb31920bd00e2c921b0aa6ebed8745cb013… This however does not prevent the goal mentioned above of verifying the authenticity of RPM headers to be achieved. The fact that Linux distribution vendors do the conversion in their infrastructure is a good enough guarantee. A very quick way to test the patch set is to execute: # gpg --conv-kernel /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-rawhide-primary | keyctl padd asymmetric "" @u # keyctl show @u Keyring 762357580 --alswrv 0 65534 keyring: _uid.0 567216072 --als--v 0 0 \_ asymmetric: PGP: 18b8e74c Patches 1-2 preliminarly export some definitions to user space so that conversion tools can specify the right public key algorithms and signature encodings (digest algorithms are already exported). Patches 3-5 introduce the user asymmetric keys and signatures. Patches 6 introduces a system API for verifying the authenticity of system data through user asymmetric keys and signatures. Patch 7-8 introduce a mechanism to store a keyring blob with user asymmetric keys in the kernel image, and load them at system boot. Patches 9-10 introduce the eBPF binding and corresponding test (which can be enabled only after the gnupg patches are upstreamed). Patches 1-2 [GNUPG] introduce the new gpg command --conv-kernel to convert PGP keys and signatures to the new kernel format. Changelog v1: - Remove useless check in validate_key() (suggested by Yonghong) - Don't rely on User Mode Drivers for the conversion from the original format to the kernel format - Use the more extensible TLV format, instead of a fixed structure Roberto Sassu (10): crypto: Export public key algorithm information crypto: Export signature encoding information KEYS: asymmetric: Introduce a parser for user asymmetric keys and sigs KEYS: asymmetric: Introduce the user asymmetric key parser KEYS: asymmetric: Introduce the user asymmetric key signature parser verification: Add verify_uasym_signature() and verify_uasym_sig_message() KEYS: asymmetric: Preload user asymmetric keys from a keyring blob KEYS: Introduce load_uasym_keyring() bpf: Introduce bpf_verify_uasym_signature() kfunc selftests/bpf: Prepare a test for user asymmetric key signatures MAINTAINERS | 1 + certs/Kconfig | 11 + certs/Makefile | 7 + certs/system_certificates.S | 18 + certs/system_keyring.c | 166 +++++- crypto/Kconfig | 6 + crypto/Makefile | 2 + crypto/asymmetric_keys/Kconfig | 14 + crypto/asymmetric_keys/Makefile | 10 + crypto/asymmetric_keys/asymmetric_type.c | 3 +- crypto/asymmetric_keys/uasym_key_parser.c | 229 ++++++++ crypto/asymmetric_keys/uasym_key_preload.c | 99 ++++ crypto/asymmetric_keys/uasym_parser.c | 201 +++++++ crypto/asymmetric_keys/uasym_parser.h | 43 ++ crypto/asymmetric_keys/uasym_sig_parser.c | 491 ++++++++++++++++++ crypto/pub_key_info.c | 20 + crypto/sig_enc_info.c | 16 + include/crypto/pub_key_info.h | 15 + include/crypto/sig_enc_info.h | 15 + include/crypto/uasym_keys_sigs.h | 82 +++ include/keys/asymmetric-type.h | 1 + include/linux/verification.h | 50 ++ include/uapi/linux/pub_key_info.h | 22 + include/uapi/linux/sig_enc_info.h | 18 + include/uapi/linux/uasym_parser.h | 107 ++++ kernel/trace/bpf_trace.c | 68 ++- ...y_pkcs7_sig.c => verify_pkcs7_uasym_sig.c} | 159 +++++- ...s7_sig.c => test_verify_pkcs7_uasym_sig.c} | 18 +- .../testing/selftests/bpf/verify_sig_setup.sh | 82 ++- 29 files changed, 1924 insertions(+), 50 deletions(-) create mode 100644 crypto/asymmetric_keys/uasym_key_parser.c create mode 100644 crypto/asymmetric_keys/uasym_key_preload.c create mode 100644 crypto/asymmetric_keys/uasym_parser.c create mode 100644 crypto/asymmetric_keys/uasym_parser.h create mode 100644 crypto/asymmetric_keys/uasym_sig_parser.c create mode 100644 crypto/pub_key_info.c create mode 100644 crypto/sig_enc_info.c create mode 100644 include/crypto/pub_key_info.h create mode 100644 include/crypto/sig_enc_info.h create mode 100644 include/crypto/uasym_keys_sigs.h create mode 100644 include/uapi/linux/pub_key_info.h create mode 100644 include/uapi/linux/sig_enc_info.h create mode 100644 include/uapi/linux/uasym_parser.h rename tools/testing/selftests/bpf/prog_tests/{verify_pkcs7_sig.c => verify_pkcs7_uasym_sig.c} (69%) rename tools/testing/selftests/bpf/progs/{test_verify_pkcs7_sig.c => test_verify_pkcs7_uasym_sig.c} (82%) -- 2.34.1

2 14

Sequoia sq: 0.31.0
by David Runge 05 Jul '23

05 Jul '23

Hi everyone, I'm pleased to announce the release of version 0.31.0 of Sequoia sq, our general-purpose command-line tool for Sequoia PGP. We have released sequoia-sq on crates.io: https://crates.io/crates/sequoia-sq You can also fetch version 0.31.0 using the v0.31.0 tag: https://gitlab.com/sequoia-pgp/sequoia-sq/-/tags/v0.31.0 which has been signed by Neal H. Walfield: $ git verify-tag v0.31.0 gpg: Signature made 2023-07-05T14:21:36 CEST gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [full] gpg: aka "Neal H. Walfield <neal(a)pep-project.org>" [full] gpg: aka "Neal H. Walfield <neal(a)sequoia-pgp.org>" [full] gpg: aka "Neal H. Walfield <neal(a)gnupg.org>" [full] gpg: aka "Neal H. Walfield <neal(a)pep.foundation>" [full] This release introduces a few changes to the commandline interface as well as a new feature. Most notably, it is now possible to create and attach new subkeys to existing certificates using `sq key subkey add`. The revocation commands below `sq revoke` have been split up and moved to `sq key revoke`, `sq key subkey revoke` and `sq key userid revoke`. The `--expires` and `--expires-in` parameters have been unified as `--expiry`. The command for generating new certificates (`sq key generate`) now uses the more generalized `--output` instead of `--export` for writing to file. More information is available here: https://sequoia-pgp.org/blog/2023/07/05/202307-sq-commandline-improvements/ David on behalf of the whole Sequoia PGP team

1 0

2023

2022

2021

2020

2019

2018

Devel