Bug 2000411 - Review Request: Add PKCS#11 opaque keys support in fsverity-utils for HSM usage
Summary: Review Request: Add PKCS#11 opaque keys support in fsverity-utils for HSM usage
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: fsverity-utils
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Filipe Brandenburger
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-09-02 06:20 UTC by Yu Wu
Modified: 2021-10-30 00:44 UTC (History)

Fixed In Version: fsverity-utils-1.4-4.el8 fsverity-utils-1.4-4.fc35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-09-16 18:20:33 UTC
Type: Bug
Embargoed:


Attachments:
PatchWork link: https://patchwork.kernel.org/project/linux-fscrypt/patch/20210828013037.2250639-1-olo@fb.com/ (8.96 KB, patch)
2021-09-02 06:20 UTC, Yu Wu

Description Yu Wu 2021-09-02 06:20:34 UTC
Created attachment 1819906
PatchWork link: https://patchwork.kernel.org/project/linux-fscrypt/patch/20210828013037.2250639-1-olo@fb.com/

Description of problem:

The latest version of "fsverity-utils-1.4-2" in Fedora (originally from the kernel) doesn't support generating fsverity file signatures on hardware security modules (HSMs) and similar hardware tokens because of the requirement to directly access the private key file.

This patch provides an implementation of PKCS#11 opaque key support through the OpenSSL pkcs11 engine, which allows us to use opaque keys confined in HSMs and similar hardware tokens without direct access to the key material, providing logical separation of the keys from the cryptographic operations performed using them.


Version-Release number of selected component (if applicable):
fsverity-utils-1.4-2.el8

How reproducible:

In the current kernel master version, it requires both "--key" and "--cert" files:
$ ./fsverity sign dummy dummy.sig --cert=ca-cert.pem
ERROR: Missing --key argument
Usage:
    fsverity sign FILE OUT_SIGFILE --key=KEYFILE
               [--hash-alg=HASH_ALG] [--block-size=BLOCK_SIZE] [--salt=SALT]
               [--out-merkle-tree=FILE] [--out-descriptor=FILE]
               [--cert=CERTFILE]


With this patch, the signing will succeed and test is available in the patch.

Steps to Reproduce:
1. With the current fsverity-utils 1.4, try to sign for fsverity signatures without --key specified

Actual results:
ERROR: Missing --key argument

Expected results:
With PKCS#11 support, by specifying the pkcs11 engine and module, fsverity signatures can still be generated properly even without --key specified.


Additional info:

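As an added end-to-end example (not code from the bug report, the patch, or fsverity-utils itself), the script below signs the same file twice: once with the private key on disk (`--key`, the only path fsverity-utils 1.4-2 supports) and once with the same key held as an opaque object in a SoftHSM2 token reached through the OpenSSL pkcs11 engine, the path the patch adds. It assumes: fsverity-utils built with the patch, with the option names `--pkcs11-engine`, `--pkcs11-module` and `--pkcs11-keyid` as I read the upstream commit (confirm with `fsverity sign --help`); SoftHSM2 standing in for a real HSM; OpenSC's `pkcs11-tool`; and libp11's OpenSSL pkcs11 engine. The two `.so` paths, the token label, the PIN and the PKCS#11 URI form of the key id are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example, not part of the bug report or of fsverity-utils.
# Signs a file with a file-based key and with the same key confined in a
# SoftHSM2 token (via the OpenSSL pkcs11 engine), then compares the results.
# Assumed tools: fsverity-utils with the PKCS#11 patch, softhsm2, OpenSC
# pkcs11-tool, libp11's pkcs11 engine.  The .so paths below are guesses for a
# typical Fedora layout; override them through the environment.
set -eu

PKCS11_ENGINE="${PKCS11_ENGINE:-/usr/lib64/engines-3/pkcs11.so}"
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib64/pkcs11/libsofthsm2.so}"
TOKEN_LABEL=fsverity-demo          # assumed label for the throwaway token
KEY_LABEL=fsverity-signing         # assumed label of the key object
USER_PIN=1234                      # demo PIN only

# Argument list for `fsverity sign`.  The file form hands the tool the
# private key itself; the HSM form only names the key (PKCS#11 URI, an
# assumption about the accepted --pkcs11-keyid format) and never reads
# key material, which is the whole point of the opaque-key support.
sign_args() {                      # $1 = "file" | "hsm"
    if [ "$1" = file ]; then
        printf '%s\n' "--key=key.pem"
    else
        printf '%s\n' "--pkcs11-engine=$PKCS11_ENGINE" \
                      "--pkcs11-module=$PKCS11_MODULE" \
                      "--pkcs11-keyid=pkcs11:token=$TOKEN_LABEL;object=$KEY_LABEL;type=private;pin-value=$USER_PIN"
    fi
}

run_demo() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    cd "$work"

    # Private SoftHSM2 token store so the demo never touches real tokens.
    mkdir tokens
    printf 'directories.tokendir = %s/tokens\nobjectstore.backend = file\n' \
        "$work" > softhsm2.conf
    export SOFTHSM2_CONF="$work/softhsm2.conf"
    softhsm2-util --init-token --free --label "$TOKEN_LABEL" \
        --pin "$USER_PIN" --so-pin 87654321 >/dev/null

    # Signing key and self-signed certificate (constructed demo material).
    # With a real HSM the key is generated on the token and key.pem never
    # exists; it is imported here only so both signing paths can be compared.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem \
        -subj /CN=fsverity-demo -days 30 2>/dev/null
    pkcs11-tool --module "$PKCS11_MODULE" --login --pin "$USER_PIN" \
        --write-object key.pem --type privkey --label "$KEY_LABEL" --id 01 >/dev/null

    head -c 65536 /dev/urandom > payload.bin   # constructed input file

    # Path 1: private key on disk (what 1.4-2 already supports).
    fsverity sign payload.bin file.sig --cert=cert.pem $(sign_args file)
    # Path 2: opaque key in the token; key.pem is not consulted.
    fsverity sign payload.bin hsm.sig --cert=cert.pem $(sign_args hsm)

    # Both outputs must parse as DER PKCS#7.
    for s in file.sig hsm.sig; do
        openssl pkcs7 -inform DER -in "$s" -print_certs -noout
    done
    # fsverity-utils signs with PKCS7_NOATTR (no signing-time attribute) and
    # RSA PKCS#1 v1.5 is deterministic, so the two blobs should be identical.
    cmp file.sig hsm.sig
    echo "OK: HSM-backed signature matches the file-key signature"
}

# Run the end-to-end demo only when the assumed tools are installed.
if command -v fsverity >/dev/null 2>&1 && command -v softhsm2-util >/dev/null 2>&1 \
   && command -v pkcs11-tool >/dev/null 2>&1; then
    run_demo
else
    echo "skipping demo: fsverity, softhsm2-util or pkcs11-tool not installed" >&2
fi
```

Two practitioner caveats. First, importing the key into the token defeats the purpose outside a demo: on a production HSM generate the key non-exportable on the device so the `--key` path cannot exist at all, and restrict who may log in with the PIN. Second, the patch goes through OpenSSL's ENGINE API, which OpenSSL 3 deprecates in favour of providers, so check that the pkcs11 engine still loads on newer distributions before relying on this in a signing pipeline.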
Comment 1 Filipe Brandenburger 2021-09-03 01:06:35 UTC
I created a pull request:
https://src.fedoraproject.org/rpms/fsverity-utils/pull-request/4

And produced a scratch build (for EPEL 8):
https://koji.fedoraproject.org/koji/taskinfo?taskID=75028455

Can you please check the PR to confirm the patch is correct, and test the packages to confirm the feature works as expected?

Cheers!
Filipe

Comment 2 Filipe Brandenburger 2021-09-14 23:33:17 UTC
I updated the pull request:
https://src.fedoraproject.org/rpms/fsverity-utils/pull-request/4

To use a backport of the commit that made it upstream:
https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git/commit/?id=66b1d8a276cb3836ac275cb9f3f6517a07462737

I'm planning to merge the PR tomorrow, so if you have any objections please comment here or on the PR.

Comment 3 Fedora Update System 2021-09-16 01:06:46 UTC
FEDORA-2021-cef3f68bd4 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-cef3f68bd4

Comment 4 Fedora Update System 2021-09-16 01:07:58 UTC
FEDORA-EPEL-2021-a2d5955810 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-a2d5955810

Comment 5 Filipe Brandenburger 2021-09-16 01:11:18 UTC
I merged the PR and built new packages for fsverity-utils including this feature.

Pushed it to:
- FC36 (Rawhide)
- FC35 (https://bodhi.fedoraproject.org/updates/FEDORA-2021-cef3f68bd4)
- EPEL8 (https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-a2d5955810)

Comment 6 Fedora Update System 2021-09-16 17:01:44 UTC
FEDORA-2021-cef3f68bd4 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-cef3f68bd4`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-cef3f68bd4

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2021-09-16 18:20:33 UTC
FEDORA-EPEL-2021-a2d5955810 has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2021-09-24 20:24:21 UTC
FEDORA-2021-cef3f68bd4 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2021-10-27 23:15:51 UTC
FEDORA-2021-0be0d9381f has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-0be0d9381f

Comment 10 Fedora Update System 2021-10-28 20:12:29 UTC
FEDORA-2021-0be0d9381f has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-0be0d9381f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-0be0d9381f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2021-10-30 00:44:42 UTC
FEDORA-2021-0be0d9381f has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
