Bug 2000411

Summary: Review Request: Add PKCS#11 opaque keys support in fsverity-utils for HSM usage
Product: [Fedora] Fedora
Reporter: Yu Wu <wuyuoss>
Component: fsverity-utils
Assignee: Filipe Brandenburger <filbranden>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: davide, filbranden, jes.sorensen, walters
Hardware: Unspecified
OS: Unspecified
Fixed In Version: fsverity-utils-1.4-4.el8 fsverity-utils-1.4-4.fc35
Last Closed: 2021-09-16 18:20:33 UTC
Type: Bug
Attachments: PatchWork link: https://patchwork.kernel.org/project/linux-fscrypt/patch/20210828013037.2250639-1-olo@fb.com/

Description Yu Wu 2021-09-02 06:20:34 UTC
Created attachment 1819906
PatchWork link: https://patchwork.kernel.org/project/linux-fscrypt/patch/20210828013037.2250639-1-olo@fb.com/

Description of problem:

The latest version of "fsverity-utils-1.4-2" in Fedora (originally from Kernel) doesn't support generating fsverity file signatures on hardware security modules (HSMs) and similar hardware tokens because of the requirement to directly access the private key file.

This patch provides an implementation of PKCS#11 opaque keys support through the OpenSSL pkcs11 engine, which allows us to use opaque keys confined in HSMs and similar hardware tokens without direct access to the key material, providing logical separation of the keys from the cryptographic operations performed using them.


Version-Release number of selected component (if applicable):
fsverity-utils-1.4-2.el8

How reproducible:

In the Kernel's current master version, it requires both "--key" and "--cert" files:
$ ./fsverity sign dummy dummy.sig --cert=ca-cert.pem
ERROR: Missing --key argument
Usage:
    fsverity sign FILE OUT_SIGFILE --key=KEYFILE
               [--hash-alg=HASH_ALG] [--block-size=BLOCK_SIZE] [--salt=SALT]
               [--out-merkle-tree=FILE] [--out-descriptor=FILE]
               [--cert=CERTFILE]


With this patch, the signing will succeed, and a test is available in the patch.

Steps to Reproduce:
1. With current fsverity-utils 1.4, try to sign for fsverity signatures without --key specified

Actual results:
ERROR: Missing --key argument

Expected results:
With PKCS#11 support, by specifying the pkcs11 engine and module, fsverity signatures can still be generated properly even without --key specified.


Additional info:
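
The invocation the report asks for, as an added example that is not part of the original report or the patch: a shell wrapper that signs with a token-resident key and no --key file, and refuses a --cert file that carries private key material. The --pkcs11-engine, --pkcs11-module and --pkcs11-keyid option names are those of upstream fsverity-utils; the function name, the DRY_RUN switch, the optional handling of the key id and all paths are assumptions.

```shell
# Added example (not from the bug report or the patch).
# Signs FILE with a private key that stays inside a PKCS#11 token.
# Usage: fsverity_sign_pkcs11 FILE SIGFILE CERT ENGINE_SO MODULE_SO [KEYID]
# Set DRY_RUN=1 to print the command instead of running it.
fsverity_sign_pkcs11() {
    file=$1 sig=$2 cert=$3 engine=$4 module=$5 keyid=${6:-}

    # The certificate is still an ordinary file; only the key is opaque.
    # Fail early if any input is missing rather than inside the engine.
    for f in "$file" "$cert" "$engine" "$module"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done

    # Key material must not sit on disk next to the token: reject a
    # PEM bundle that includes a private key block.
    if grep -q 'PRIVATE KEY' "$cert"; then
        echo "refusing: $cert contains private key material" >&2
        return 3
    fi

    # No --key argument: the engine resolves the key inside the token.
    set -- sign "$file" "$sig" --cert="$cert" \
        --pkcs11-engine="$engine" --pkcs11-module="$module"
    if [ -n "$keyid" ]; then
        set -- "$@" --pkcs11-keyid="$keyid"   # assumption: omitted when empty
    fi

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'fsverity'; printf ' %s' "$@"; printf '\n'
    else
        fsverity "$@"
    fi
}
```

Run it first with DRY_RUN=1 to review the exact command line before the token is asked to sign anything.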

Comment 1 Filipe Brandenburger 2021-09-03 01:06:35 UTC
I created a pull request:
https://src.fedoraproject.org/rpms/fsverity-utils/pull-request/4

And produced a scratch build (for EPEL 8):
https://koji.fedoraproject.org/koji/taskinfo?taskID=75028455

Can you please check the PR to confirm the patch is correct, and test the packages to confirm the feature works as expected?

Cheers!
Filipe

Comment 2 Filipe Brandenburger 2021-09-14 23:33:17 UTC
I updated the pull request:
https://src.fedoraproject.org/rpms/fsverity-utils/pull-request/4

To use a backport of the commit that made it upstream:
https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git/commit/?id=66b1d8a276cb3836ac275cb9f3f6517a07462737

I'm planning to merge the PR tomorrow, so if you have any objections please comment here or on the PR.

Comment 3 Fedora Update System 2021-09-16 01:06:46 UTC
FEDORA-2021-cef3f68bd4 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-cef3f68bd4

Comment 4 Fedora Update System 2021-09-16 01:07:58 UTC
FEDORA-EPEL-2021-a2d5955810 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-a2d5955810

Comment 5 Filipe Brandenburger 2021-09-16 01:11:18 UTC
I merged the PR and built new packages for fsverity-utils including this feature.

Pushed it to:
- FC36 (Rawhide)
- FC35 (https://bodhi.fedoraproject.org/updates/FEDORA-2021-cef3f68bd4)
- EPEL8 (https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-a2d5955810)

Comment 6 Fedora Update System 2021-09-16 17:01:44 UTC
FEDORA-2021-cef3f68bd4 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-cef3f68bd4`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-cef3f68bd4

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2021-09-16 18:20:33 UTC
FEDORA-EPEL-2021-a2d5955810 has been pushed to the Fedora EPEL 8 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2021-09-24 20:24:21 UTC
FEDORA-2021-cef3f68bd4 has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2021-10-27 23:15:51 UTC
FEDORA-2021-0be0d9381f has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-0be0d9381f

Comment 10 Fedora Update System 2021-10-28 20:12:29 UTC
FEDORA-2021-0be0d9381f has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-0be0d9381f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-0be0d9381f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2021-10-30 00:44:42 UTC
FEDORA-2021-0be0d9381f has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.