From 77ce7ba48e102ec48050a418d762a76359a198ea Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Tue, 26 Oct 2021 17:56:16 -0500
Subject: [PATCH 1/8] gencert: Support use of OpenSSL for cert issuance
---
 sbin/gencert | 158 ++++++++++++++++++++++++++++++++++---------
 tests/test-enroll.sh | 31 ++++++++-
 2 files changed, 155 insertions(+), 34 deletions(-)
diff --git a/sbin/gencert b/sbin/gencert
index 249880d7..0764d1f9 100755
--- a/sbin/gencert
+++ b/sbin/gencert
@@ -20,19 +20,28 @@ else
 exit 1
 fi
-GENCERT_CRED=PEM-FILE:/etc/safeboot/gencert-ca.pem
+GENCERT_CA_PRIV=
+GENCERT_CA_CERT=PEM-FILE:/etc/safeboot/gencert-ca.pem
 GENCERT_REALM=
 GENCERT_KEY_BITS=2048
 GENCERT_INCLUDE_SAN_PKINIT=true
 GENCERT_INCLUDE_SAN_DNSNAME=false
-GENCERT_EKUS=()
+GENCERT_X509_TOOLING=OpenSSL # Or Heimdal
+declare -a GENCERT_EKUS
 declare -A GENCERT_DOMAIN_REALM
+declare -A POLICIES
+GENCERT_EKUS=()
+GENCERT_DOMAIN_REALM=()
-cf=$(safeboot_file etc enroll.conf)
-if [[ -n $cf && -f $cf ]]; then
+if [[ -n ${SAFEBOOT_ENROLL_CONF:-} ]]; then
 # shellcheck disable=SC1090
- . "$cf"
- export SAFEBOOT_ENROLL_CONF="$cf"
+ . "$SAFEBOOT_ENROLL_CONF"
+else
+ cf=$(safeboot_file etc enroll.conf)
+ if [[ -n $cf && -f $cf ]]; then
+ # shellcheck disable=SC1090
+ . "$cf"
+ fi
 fi
 die() { echo "skip: $*"; echo >&2 "Error: $PROG" "$@" ; exit 1 ; }
@@ -43,6 +52,23 @@ outdir=$2
 hostname=$3
 shift 3
+${GENCERT_INCLUDE_SAN_PKINIT} \
+|| ${GENCERT_INCLUDE_SAN_DNSNAME} \
+|| die 'One of GENCERT_INCLUDE_SAN_{PKINIT,DNSNAME} must be set to true'
+
+declare -a hxtool_ca_opts
+declare -a openssl_x509_opts
+
+hxtool_ca_opts=("--ca-certificate=$GENCERT_CA_CERT")
+openssl_x509_opts=("-CA" "$GENCERT_CA_CERT")
+
+if [[ -n $GENCERT_CA_PRIV ]]; then
+ [[ -n $GENCERT_CA_CERT ]] \
+ || die "GENCERT_CA_CERT is not set"
+ hxtool_ca_opts+=("--ca-private-key=$GENCERT_CA_PRIV")
+ openssl_x509_opts+=("-CAkey" "$GENCERT_CA_PRIV")
+fi
+
 if [[ -z $GENCERT_REALM ]]; then
 domain=${hostname}
 while [[ $domain = *.*.* ]]; do
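Review bot: `. "$SAFEBOOT_ENROLL_CONF"` in the new override branch sources whatever path the environment supplies without the `-f` check that the `$cf` fallback branch keeps, so a mistyped variable surfaces as a bare error from `.` instead of the script's own diagnostic, and the caller's environment now decides which file is executed as shell in the issuer's context. Since `die()` is only defined on the line after this block, the guard has to be spelled out, e.g. `[[ -f $SAFEBOOT_ENROLL_CONF ]] || { echo >&2 "Error: $PROG: SAFEBOOT_ENROLL_CONF: no such file"; exit 1; }`, or `die()` moved above the config sourcing. `GENCERT_X509_TOOLING=OpenSSL` gets a default here but nothing in this hunk checks it against the two supported values, so a typo in the config is only caught (if at all) by the `case` that consumes it in a later hunk. `declare -A POLICIES` is introduced without a use in this hunk; if it is read by the sourced config, a comment saying so would help.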
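Review bot: `openssl_x509_opts=("-CA" "$GENCERT_CA_CERT")` passes the value verbatim, but the default set in this file is `PEM-FILE:/etc/safeboot/gencert-ca.pem`, an hxtool-style store specifier that `openssl x509 -CA` will try to open as a literal path; the crl2pkcs7 call in the next hunk already strips the prefix with `${GENCERT_CA_CERT#*:}`, so the OpenSSL path with the default configuration cannot find the CA certificate. The same applies to `-CAkey "$GENCERT_CA_PRIV"` when the key is given with a store prefix; suggest `openssl_x509_opts=("-CA" "${GENCERT_CA_CERT#*:}")` and `openssl_x509_opts+=("-CAkey" "${GENCERT_CA_PRIV#*:}")`. The `[[ -n $GENCERT_CA_CERT ]]` check only runs when `GENCERT_CA_PRIV` is set, although the certificate is required on both tooling paths; hoisting it out of the `if` makes an empty `GENCERT_CA_CERT` fail with the intended message instead of a tool-specific error.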
@@ -60,46 +86,112 @@ if [[ -z $GENCERT_REALM ]]; then
 || die "Could not determine realm name for $hostname"
 fi
-sans=()
-
 ${GENCERT_INCLUDE_SAN_PKINIT} \
-&& sans+=(--pk-init-principal="host/$hostname@$GENCERT_REALM")
+&& hxtool_ca_opts+=(--pk-init-principal="host/$hostname@$GENCERT_REALM")
 ${GENCERT_INCLUDE_SAN_DNSNAME} \
-&& sans+=(--hostname="$hostname")
+&& hxtool_ca_opts+=(--hostname="$hostname")
-ekus=()
 if ((${#GENCERT_EKUS[@]} > 0)); then
 for eku in "${GENCERT_EKUS[@]}"; do
- ekus+=(--eku="$eku")
+ hxtool_ca_opts+=(--eku="$eku")
 done
 fi
+cat > cert-extensions </dev/null \
+ || die "Could not generate a key and make a CSR"
+ ! hxtool issue-certificate \
+ "${hxtool_ca_opts[@]}" \
+ --type=pkinit-client \
+ --subject= \
+ --ku=digitalSignature \
+ --lifetime=10y \
+ --req="PKCS10:cert-req" \
+ --certificate=PEM-FILE:cert.pem 2>/dev/null \
+ || die "Could not issue certificate"
+ ;;
+OpenSSL)
+ openssl genrsa \
+ -out cert-key.pem 2048 \
+ || die "Could not make an RSA key"
+ openssl req \
+ -new \
+ -batch \
+ -subj '/' \
+ -key cert-key.pem \
+ -out cert-req \
+ || die "Could not make a CSR"
+
+ export GENCERT_REALM
+ export HOST_NAME="$hostname"
+ export SERVICE="host"
+
+ openssl x509 \
+ -set_serial "0x$(_rand 16 | bin2hex)" \
+ "${openssl_x509_opts[@]}" \
+ -req \
+ -in cert-req \
+ -extensions client_cert \
+ -extfile cert-extensions \
+ -days 365 \
+ -out cert.pem \
+ || die "Could not make a certificate"
+esac
+
 # Append the issuer certificate and any other certs in that file to the output
 # so that the full chain is included.
-openssl crl2pkcs7 -nocrl -certfile "${GENCERT_CRED#*:}" \
+openssl crl2pkcs7 -nocrl -certfile "${GENCERT_CA_CERT#*:}" \
 | openssl pkcs7 -print_certs >> cert.pem
 grep -q PRIVATE cert.pem && die "Private key in cert file?!"
diff --git a/tests/test-enroll.sh b/tests/test-enroll.sh
index b51cdf79..d4aae6e2 100755
--- a/tests/test-enroll.sh
+++ b/tests/test-enroll.sh
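Review bot: `! hxtool issue-certificate … || die "Could not issue certificate"` inverts the tool's exit status, so as written `die` fires when issuance succeeds and a failing hxtool is passed over silently; unless the `!` is an artefact of this copy of the patch it should be removed. `-out cert-key.pem 2048` hard-codes the key size although this file defines `GENCERT_KEY_BITS=2048` as the knob, and `-days 365` gives the OpenSSL path a one-year validity where the Heimdal path uses `--lifetime=10y`, so the two tooling choices issue differently from the same configuration; suggest `-out cert-key.pem "$GENCERT_KEY_BITS"` and one shared lifetime setting used by both branches. The hxtool commands discard stderr with `2>/dev/null` before `|| die`, which removes the tool's failure reason from the enrollment log. The `cert-extensions` here-document and the Heimdal key/CSR step are missing from this copy of the hunk (garbled), so the extension template itself could not be reviewed.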
@@ -45,14 +45,43 @@ cat > db/tofu_pcrs < "${d}/attest-enroll.conf" <
Date: Wed, 10 Nov 2021 23:00:36 -0600
Subject: [PATCH 2/8] attest-enroll: Move gen scripts to libexec
---
 sbin/attest-enroll | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/sbin/attest-enroll b/sbin/attest-enroll
index 864b213c..59e7f92b 100755
--- a/sbin/attest-enroll
+++ b/sbin/attest-enroll
@@ -15,6 +15,11 @@ shopt -s extglob
 PROG=${0##*/}
 BINDIR=$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")
 TOP=$(dirname "$BINDIR")
+if [[ $TOP = /usr ]]; then
+ PATH=${TOP}/libexec/safeboot:$PATH
+else
+ PATH=${TOP}/libexec/:$PATH
+fi
 if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
 # shellcheck source=functions.sh
From 2c784e436b7df933aea70fef640c2647beedf490 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 10 Nov 2021 23:03:40 -0600
Subject: [PATCH 3/8] Look for functions.sh in /etc too (fix #153)
---
 sbin/attest-enroll | 3 +++
 sbin/gencert | 3 +++
 sbin/genkeytab | 3 +++
 sbin/getkeytab | 3 +++
 sbin/safeboot | 3 +++
 sbin/tpm2-attest | 3 +++
 sbin/tpm2-policy | 7 +++----
 sbin/tpm2-recv | 3 +++
 sbin/tpm2-send | 3 +++
 9 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/sbin/attest-enroll b/sbin/attest-enroll
index 59e7f92b..5b9bfe61 100755
--- a/sbin/attest-enroll
+++ b/sbin/attest-enroll
@@ -27,6 +27,9 @@ if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
 elif [[ -s $TOP/functions.sh ]]; then
 # shellcheck source=functions.sh
 . "$TOP/functions.sh"
+elif [[ -s /etc/safeboot/functions.sh ]]; then
+ # shellcheck source=functions.sh
+ . /etc/safeboot/functions.sh
 else
 echo "Unable to find Safeboot function library" 1>&2
 exit 1
diff --git a/sbin/gencert b/sbin/gencert
index 0764d1f9..5426a6ee 100755
--- a/sbin/gencert
+++ b/sbin/gencert
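Review bot: The two branches build the PATH prefix differently — `${TOP}/libexec/safeboot` versus `${TOP}/libexec/` with a trailing slash — and the `= /usr` test means a `/usr/local` install gets `/usr/local/libexec/` with no `safeboot` subdirectory; if that is intended it deserves a comment, e.g. `# Packaged installs keep helpers in /usr/libexec/safeboot; a source tree keeps them in ./libexec`. Because this runs before `functions.sh` is sourced it cannot reuse the `safeboot_dir libexec` lookup that a later commit in this series adds, so the two lookups can drift; a comment pointing at that helper would keep them aligned. Prepending a directory derived from the script's own location also means that, when run from a writable checkout, helper names such as `gencert` resolve from that tree first — expected for development, but worth stating since attest-enroll handles enrollment credentials.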
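Review bot: The new `/etc/safeboot/functions.sh` fallback changes which library copy a relocated script executes: `TOP` is derived from the script's own location, so a script run outside its tree now silently sources whatever version sits in `/etc/safeboot` instead of stopping with the "Unable to find" message, and the two copies can diverge (the packaging later in this series installs functions.sh to both `etc/safeboot/` and `usr/lib/safeboot/`). A one-line comment on the new branch, `# Last resort: the packaged copy, which may be older than this script`, would record that this is deliberate. The same branch is added identically in gencert, genkeytab, getkeytab, safeboot, tpm2-attest, tpm2-policy, tpm2-recv and tpm2-send; the tpm2-policy hunk additionally drops the second `. "$functions_sh"` that sourced the library twice.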
@@ -15,6 +15,9 @@ if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
 elif [[ -s $TOP/functions.sh ]]; then
 # shellcheck disable=SC1090 source=functions.sh
 . "$TOP/functions.sh"
+elif [[ -s /etc/safeboot/functions.sh ]]; then
+ # shellcheck source=functions.sh
+ . /etc/safeboot/functions.sh
 else
 echo "Unable to find Safeboot function library" 1>&2
 exit 1
diff --git a/sbin/genkeytab b/sbin/genkeytab
index 483f23f9..f1846e17 100755
--- a/sbin/genkeytab
+++ b/sbin/genkeytab
@@ -15,6 +15,9 @@ if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
 elif [[ -s $TOP/functions.sh ]]; then
 # shellcheck disable=SC1090 source=functions.sh
 . "$TOP/functions.sh"
+elif [[ -s /etc/safeboot/functions.sh ]]; then
+ # shellcheck source=functions.sh
+ . /etc/safeboot/functions.sh
 else
 echo "Unable to find Safeboot function library" 1>&2
 exit 1
diff --git a/sbin/getkeytab b/sbin/getkeytab
index 06754c90..99ca201d 100755
--- a/sbin/getkeytab
+++ b/sbin/getkeytab
@@ -35,6 +35,9 @@ if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
 elif [[ -s $TOP/functions.sh ]]; then
 # shellcheck disable=SC1090 source=functions.sh
 . "$TOP/functions.sh"
+elif [[ -s /etc/safeboot/functions.sh ]]; then
+ # shellcheck source=functions.sh
+ . /etc/safeboot/functions.sh
 else
 echo "Unable to find Safeboot function library" 1>&2
 exit 1
diff --git a/sbin/safeboot b/sbin/safeboot
index bbf64ed1..8c5fac0c 100755
--- a/sbin/safeboot
+++ b/sbin/safeboot
@@ -33,6 +33,9 @@ if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
 elif [[ -s $TOP/functions.sh ]]; then
 # shellcheck source=functions.sh
 . "$TOP/functions.sh"
+elif [[ -s /etc/safeboot/functions.sh ]]; then
+ # shellcheck source=functions.sh
+ . /etc/safeboot/functions.sh
 else
 echo "Unable to find Safeboot function library" 1>&2
 exit 1
diff --git a/sbin/tpm2-attest b/sbin/tpm2-attest
index 082cbb03..5b1ae461 100755
--- a/sbin/tpm2-attest
+++ b/sbin/tpm2-attest
@@ -30,6 +30,9 @@ if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
 elif [[ -s $TOP/functions.sh ]]; then
 # shellcheck source=functions.sh
 . "$TOP/functions.sh"
+elif [[ -s /etc/safeboot/functions.sh ]]; then
+ # shellcheck source=functions.sh
+ . /etc/safeboot/functions.sh
 else
 echo "Unable to find Safeboot function library" 1>&2
 exit 1
diff --git a/sbin/tpm2-policy b/sbin/tpm2-policy
index 221007c7..53457ad2 100755
--- a/sbin/tpm2-policy
+++ b/sbin/tpm2-policy
@@ -7,17 +7,16 @@ TOP=$(dirname "$BINDIR")
 if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
 # shellcheck disable=SC1090 source=functions.sh
 . "$TOP/lib/safeboot/functions.sh"
- functions_sh=$TOP/lib/safeboot/functions.sh
 elif [[ -s $TOP/functions.sh ]]; then
 # shellcheck disable=SC1090 source=functions.sh
 . "$TOP/functions.sh"
- functions_sh=$TOP/functions.sh
+elif [[ -s /etc/safeboot/functions.sh ]]; then
+ # shellcheck disable=SC1090 source=functions.sh
+ . /etc/safeboot/functions.sh
 else
 echo "Unable to find Safeboot function library" 1>&2
 exit 1
 fi
-# shellcheck source=functions.sh
-. "$functions_sh"
 set -euo pipefail -o noclobber
 shopt -s extglob
diff --git a/sbin/tpm2-recv b/sbin/tpm2-recv
index ec673b4e..8ce0609c 100755
--- a/sbin/tpm2-recv
+++ b/sbin/tpm2-recv
@@ -10,6 +10,9 @@ if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
 elif [[ -s $TOP/functions.sh ]]; then
 # shellcheck disable=SC1090 source=functions.sh
 . "$TOP/functions.sh"
+elif [[ -s /etc/safeboot/functions.sh ]]; then
+ # shellcheck source=functions.sh
+ . /etc/safeboot/functions.sh
 else
 echo "Unable to find Safeboot function library" 1>&2
 exit 1
diff --git a/sbin/tpm2-send b/sbin/tpm2-send
index 1579ecd7..952d31b1 100755
--- a/sbin/tpm2-send
+++ b/sbin/tpm2-send
@@ -10,6 +10,9 @@ if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
 elif [[ -s $TOP/functions.sh ]]; then
 # shellcheck disable=SC1090 source=functions.sh
 . "$TOP/functions.sh"
+elif [[ -s /etc/safeboot/functions.sh ]]; then
+ # shellcheck source=functions.sh
+ . /etc/safeboot/functions.sh
 else
 echo "Unable to find Safeboot function library" 1>&2
 exit 1
From 12b9844bdb4241550183bd6d38b17a5e7e8bcdd9 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 10 Nov 2021 22:55:30 -0600
Subject: [PATCH 4/8] debian: Switch source/format to native
---
 debian/source/format | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/source/format b/debian/source/format
index 163aaf8d..89ae9db8 100644
--- a/debian/source/format
+++ b/debian/source/format
@@ -1 +1 @@
-3.0 (quilt)
+3.0 (native)
From 9dfe76312f60a27ed8bfb8788b0348eb643c3e81 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 10 Nov 2021 22:38:39 -0600
Subject: [PATCH 5/8] debian: Package split part 1
This commit copies debian/install to debian/safeboot*.install in preparation for the next commit (which will modify their contents). This will allow this:
```
for i in debian/safeboot*.install; do git log --follow "$i"; done
```
---
 debian/control | 49 +++++++++++++++++++++++++--
 debian/safeboot-attest-client.install | 30 ++++++++++++++++
 debian/safeboot-attest-server.install | 30 ++++++++++++++++
 debian/safeboot-boot.install | 30 ++++++++++++++++
 debian/safeboot-tpm2-tools.install | 30 ++++++++++++++++
 debian/safeboot-tpm2-totp.install | 30 ++++++++++++++++
 debian/safeboot.install | 30 ++++++++++++++++
 7 files changed, 227 insertions(+), 2 deletions(-)
 create mode 100644 debian/safeboot-attest-client.install
 create mode 100644 debian/safeboot-attest-server.install
 create mode 100644 debian/safeboot-boot.install
 create mode 100644 debian/safeboot-tpm2-tools.install
 create mode 100644 debian/safeboot-tpm2-totp.install
 create mode 100644 debian/safeboot.install
diff --git a/debian/control b/debian/control
index b8d85d22..4ddddcb7 100644
--- a/debian/control
+++ b/debian/control
@@ -9,10 +9,55 @@ Homepage: https://github.com/osresearch/safeboot/
 #Vcs-Git: https://salsa.debian.org/debian/safeboot.git
 Package: safeboot
-Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, efitools, opensc, yubico-piv-tool, libengine-pkcs11-openssl, uuid, binutils, libqrencode-dev, libjson-c4, libcurl4
+Architecture: all
+Depends: ${shlibs:Depends}, ${misc:Depends}, binutils, safeboot-tpm2-tools | tpm2-tools, safeboot-tpm2-totp | tpm2-totp
+Description: Common (core) package for Safeboot
+ Safeboot is a collection of utilities and services for securing the boot
+ process.
+
+Package: safeboot-boot
+Architecture: all
+Breaks: safeboot (<<0.8)
+Replaces: safeboot (<<0.8)
+Depends: ${shlibs:Depends}, ${misc:Depends}, safeboot, efitools, opensc, yubico-piv-tool, libengine-pkcs11-openssl, uuid, binutils, libqrencode-dev, libjson-c4, libcurl4
 Description: Boot Linux more safely
 Makes the Linux boot process slightly safer by enabling UEFI Secure Boot,
 signing kernel and initrd with Yubikey hardware tokens, storing disk
 encryption secrets in the TPM, and preventing persistence with dmverity
 read-only root filesystems.
+
+Package: safeboot-attest-client
+Architecture: all
+Breaks: safeboot (<<0.8)
+Replaces: safeboot (<<0.8)
+Depends: ${shlibs:Depends}, ${misc:Depends}, safeboot
+Description: Safeboot attestation client
+ Attestation client for Safeboot, which is intended to be used for securely
+ fetching local filesystem encryption keys (including for the root
+ filesyste), and other secrets (including device credentials).
+
+Package: safeboot-attest-server
+Architecture: all
+Breaks: safeboot (<<0.8)
+Replaces: safeboot (<<0.8)
+Depends: ${shlibs:Depends}, ${misc:Depends}, safeboot
+Description: Safeboot attestation server
+ Enrollment and attestation server for Safeboot, which is intended to be
+ used for securely fetching local filesystem encryption keys (including for
+ the root filesyste), and other secrets (including device credentials).
+
+Package: safeboot-tpm2-tools
+Architecture: any
+Breaks: safeboot (<<0.8)
+Replaces: safeboot (<<0.8)
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: tpm2-tools at version needed by Safeboot
+ Safeboot depends on more recent versions of tpm2-tools than are packaged.
+
+Package: safeboot-tpm2-totp
+Architecture: any
+Breaks: safeboot (<<0.8)
+Replaces: safeboot (<<0.8)
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: tpm2-totp at version needed by Safeboot
+ Safeboot depends on more recent versions of tpm2-totp than are packaged.
diff --git a/debian/safeboot-attest-client.install b/debian/safeboot-attest-client.install
new file mode 100644
index 00000000..55caf23d
--- /dev/null
+++ b/debian/safeboot-attest-client.install
@@ -0,0 +1,30 @@
+# shell scripts in the tree
+sbin/safeboot usr/sbin/
+sbin/safeboot-tpm-unseal usr/sbin/
+sbin/tpm2-attest usr/sbin/
+sbin/tpm2-pcr-validate usr/sbin/
+
+# configuration files and helper functions
+safeboot.conf etc/safeboot/
+functions.sh etc/safeboot/
+
+# TPM certs and a script to refresh them
+tpm-certs.txt etc/safeboot/
+refresh-certs etc/safeboot/
+certs/* etc/safeboot/certs/
+
+# Compiled with modifications from source
+# to add support for the pkcs11 engine (sbsign),
+# hostnames and small qrcodes (tpm2-totp),
+# and bundle all tpm2 applications in a single script (tpm2)
+bin/sbsign.safeboot usr/sbin/
+bin/sign-efi-sig-list.safeboot usr/sbin/
+bin/tpm2-totp usr/sbin/
+bin/tpm2 usr/sbin/
+
+# scripts to interface with secure boot in the initramfs
+initramfs/hooks/dmverity-root etc/initramfs-tools/hooks/
+initramfs/hooks/safeboot-hooks etc/initramfs-tools/hooks/
+initramfs/scripts/dmverity-root etc/initramfs-tools/scripts/local-premount/
+initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
+initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/
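Review bot: `Architecture: all` on `safeboot-boot` does not match what that package ends up shipping: its install file keeps `bin/sbsign.safeboot` and `bin/sign-efi-sig-list.safeboot`, which that file's own comment describes as compiled from source, so the package is architecture-dependent and should keep `Architecture: any`; the core `safeboot` package, which after the split carries only scripts and data, is the one that can be `all`. The descriptions of `safeboot-attest-client` and `safeboot-attest-server` both misspell "filesystem" as `filesyste`. `Breaks`/`Replaces: safeboot (<<0.8)` is set on every split-off package; whatever version the split actually lands in needs to be consistent across them (the fixup later in this series moves safeboot-boot to `<<0.9` but the others are outside that hunk).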
diff --git a/debian/safeboot-attest-server.install b/debian/safeboot-attest-server.install
new file mode 100644
index 00000000..55caf23d
--- /dev/null
+++ b/debian/safeboot-attest-server.install
@@ -0,0 +1,30 @@
+# shell scripts in the tree
+sbin/safeboot usr/sbin/
+sbin/safeboot-tpm-unseal usr/sbin/
+sbin/tpm2-attest usr/sbin/
+sbin/tpm2-pcr-validate usr/sbin/
+
+# configuration files and helper functions
+safeboot.conf etc/safeboot/
+functions.sh etc/safeboot/
+
+# TPM certs and a script to refresh them
+tpm-certs.txt etc/safeboot/
+refresh-certs etc/safeboot/
+certs/* etc/safeboot/certs/
+
+# Compiled with modifications from source
+# to add support for the pkcs11 engine (sbsign),
+# hostnames and small qrcodes (tpm2-totp),
+# and bundle all tpm2 applications in a single script (tpm2)
+bin/sbsign.safeboot usr/sbin/
+bin/sign-efi-sig-list.safeboot usr/sbin/
+bin/tpm2-totp usr/sbin/
+bin/tpm2 usr/sbin/
+
+# scripts to interface with secure boot in the initramfs
+initramfs/hooks/dmverity-root etc/initramfs-tools/hooks/
+initramfs/hooks/safeboot-hooks etc/initramfs-tools/hooks/
+initramfs/scripts/dmverity-root etc/initramfs-tools/scripts/local-premount/
+initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
+initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/
diff --git a/debian/safeboot-boot.install b/debian/safeboot-boot.install
new file mode 100644
index 00000000..55caf23d
--- /dev/null
+++ b/debian/safeboot-boot.install
@@ -0,0 +1,30 @@
+# shell scripts in the tree
+sbin/safeboot usr/sbin/
+sbin/safeboot-tpm-unseal usr/sbin/
+sbin/tpm2-attest usr/sbin/
+sbin/tpm2-pcr-validate usr/sbin/
+
+# configuration files and helper functions
+safeboot.conf etc/safeboot/
+functions.sh etc/safeboot/
+
+# TPM certs and a script to refresh them
+tpm-certs.txt etc/safeboot/
+refresh-certs etc/safeboot/
+certs/* etc/safeboot/certs/
+
+# Compiled with modifications from source
+# to add support for the pkcs11 engine (sbsign),
+# hostnames and small qrcodes (tpm2-totp),
+# and bundle all tpm2 applications in a single script (tpm2)
+bin/sbsign.safeboot usr/sbin/
+bin/sign-efi-sig-list.safeboot usr/sbin/
+bin/tpm2-totp usr/sbin/
+bin/tpm2 usr/sbin/
+
+# scripts to interface with secure boot in the initramfs
+initramfs/hooks/dmverity-root etc/initramfs-tools/hooks/
+initramfs/hooks/safeboot-hooks etc/initramfs-tools/hooks/
+initramfs/scripts/dmverity-root etc/initramfs-tools/scripts/local-premount/
+initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
+initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/
diff --git a/debian/safeboot-tpm2-tools.install b/debian/safeboot-tpm2-tools.install
new file mode 100644
index 00000000..55caf23d
--- /dev/null
+++ b/debian/safeboot-tpm2-tools.install
@@ -0,0 +1,30 @@
+# shell scripts in the tree
+sbin/safeboot usr/sbin/
+sbin/safeboot-tpm-unseal usr/sbin/
+sbin/tpm2-attest usr/sbin/
+sbin/tpm2-pcr-validate usr/sbin/
+
+# configuration files and helper functions
+safeboot.conf etc/safeboot/
+functions.sh etc/safeboot/
+
+# TPM certs and a script to refresh them
+tpm-certs.txt etc/safeboot/
+refresh-certs etc/safeboot/
+certs/* etc/safeboot/certs/
+
+# Compiled with modifications from source
+# to add support for the pkcs11 engine (sbsign),
+# hostnames and small qrcodes (tpm2-totp),
+# and bundle all tpm2 applications in a single script (tpm2)
+bin/sbsign.safeboot usr/sbin/
+bin/sign-efi-sig-list.safeboot usr/sbin/
+bin/tpm2-totp usr/sbin/
+bin/tpm2 usr/sbin/
+
+# scripts to interface with secure boot in the initramfs
+initramfs/hooks/dmverity-root etc/initramfs-tools/hooks/
+initramfs/hooks/safeboot-hooks etc/initramfs-tools/hooks/
+initramfs/scripts/dmverity-root etc/initramfs-tools/scripts/local-premount/
+initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
+initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/
diff --git a/debian/safeboot-tpm2-totp.install b/debian/safeboot-tpm2-totp.install
new file mode 100644
index 00000000..55caf23d
--- /dev/null
+++ b/debian/safeboot-tpm2-totp.install
@@ -0,0 +1,30 @@
+# shell scripts in the tree
+sbin/safeboot usr/sbin/
+sbin/safeboot-tpm-unseal usr/sbin/
+sbin/tpm2-attest usr/sbin/
+sbin/tpm2-pcr-validate usr/sbin/
+
+# configuration files and helper functions
+safeboot.conf etc/safeboot/
+functions.sh etc/safeboot/
+
+# TPM certs and a script to refresh them
+tpm-certs.txt etc/safeboot/
+refresh-certs etc/safeboot/
+certs/* etc/safeboot/certs/
+
+# Compiled with modifications from source
+# to add support for the pkcs11 engine (sbsign),
+# hostnames and small qrcodes (tpm2-totp),
+# and bundle all tpm2 applications in a single script (tpm2)
+bin/sbsign.safeboot usr/sbin/
+bin/sign-efi-sig-list.safeboot usr/sbin/
+bin/tpm2-totp usr/sbin/
+bin/tpm2 usr/sbin/
+
+# scripts to interface with secure boot in the initramfs
+initramfs/hooks/dmverity-root etc/initramfs-tools/hooks/
+initramfs/hooks/safeboot-hooks etc/initramfs-tools/hooks/
+initramfs/scripts/dmverity-root etc/initramfs-tools/scripts/local-premount/
+initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
+initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/
diff --git a/debian/safeboot.install b/debian/safeboot.install
new file mode 100644
index 00000000..55caf23d
--- /dev/null
+++ b/debian/safeboot.install
@@ -0,0 +1,30 @@
+# shell scripts in the tree
+sbin/safeboot usr/sbin/
+sbin/safeboot-tpm-unseal usr/sbin/
+sbin/tpm2-attest usr/sbin/
+sbin/tpm2-pcr-validate usr/sbin/
+
+# configuration files and helper functions
+safeboot.conf etc/safeboot/
+functions.sh etc/safeboot/
+
+# TPM certs and a script to refresh them
+tpm-certs.txt etc/safeboot/
+refresh-certs etc/safeboot/
+certs/* etc/safeboot/certs/
+
+# Compiled with modifications from source
+# to add support for the pkcs11 engine (sbsign),
+# hostnames and small qrcodes (tpm2-totp),
+# and bundle all tpm2 applications in a single script (tpm2)
+bin/sbsign.safeboot usr/sbin/
+bin/sign-efi-sig-list.safeboot usr/sbin/
+bin/tpm2-totp usr/sbin/
+bin/tpm2 usr/sbin/
+
+# scripts to interface with secure boot in the initramfs
+initramfs/hooks/dmverity-root etc/initramfs-tools/hooks/
+initramfs/hooks/safeboot-hooks etc/initramfs-tools/hooks/
+initramfs/scripts/dmverity-root etc/initramfs-tools/scripts/local-premount/
+initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
+initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/
From a30062399153ca175a9427ded7b946f777f480e9 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 10 Nov 2021 22:55:00 -0600
Subject: [PATCH 6/8] debian: Package split part 2
---
 debian/install | 30 -------------------
 debian/safeboot-attest-client.install | 30 ++-----------------
 debian/safeboot-attest-server.install | 42 +++++++++------------------
 debian/safeboot-boot.install | 13 ---------
 debian/safeboot-tpm2-tools.install | 25 ----------------
 debian/safeboot-tpm2-totp.install | 25 ----------------
 debian/safeboot.install | 32 ++++----------------
 functions.sh | 11 ++++++-
 sbin/tpm2-attest | 2 +-
 9 files changed, 32 insertions(+), 178 deletions(-)
 delete mode 100644 debian/install
diff --git a/debian/install b/debian/install
deleted file mode 100644
index 55caf23d..00000000
--- a/debian/install
+++ /dev/null
@@ -1,30 +0,0 @@
-# shell scripts in the tree
-sbin/safeboot usr/sbin/
-sbin/safeboot-tpm-unseal usr/sbin/
-sbin/tpm2-attest usr/sbin/
-sbin/tpm2-pcr-validate usr/sbin/
-
-# configuration files and helper functions
-safeboot.conf etc/safeboot/
-functions.sh etc/safeboot/
-
-# TPM certs and a script to refresh them
-tpm-certs.txt etc/safeboot/
-refresh-certs etc/safeboot/
-certs/* etc/safeboot/certs/
-
-# Compiled with modifications from source
-# to add support for the pkcs11 engine (sbsign),
-# hostnames and small qrcodes (tpm2-totp),
-# and bundle all tpm2 applications in a single script (tpm2)
-bin/sbsign.safeboot usr/sbin/
-bin/sign-efi-sig-list.safeboot usr/sbin/
-bin/tpm2-totp usr/sbin/
-bin/tpm2 usr/sbin/
-
-# scripts to interface with secure boot in the initramfs
-initramfs/hooks/dmverity-root etc/initramfs-tools/hooks/
-initramfs/hooks/safeboot-hooks etc/initramfs-tools/hooks/
-initramfs/scripts/dmverity-root etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/
diff --git a/debian/safeboot-attest-client.install b/debian/safeboot-attest-client.install
index 55caf23d..32404124 100644
--- a/debian/safeboot-attest-client.install
+++ b/debian/safeboot-attest-client.install
@@ -1,30 +1,6 @@
-# shell scripts in the tree
-sbin/safeboot usr/sbin/
-sbin/safeboot-tpm-unseal usr/sbin/
+# shell script commands
 sbin/tpm2-attest usr/sbin/
 sbin/tpm2-pcr-validate usr/sbin/
-# configuration files and helper functions
-safeboot.conf etc/safeboot/
-functions.sh etc/safeboot/
-
-# TPM certs and a script to refresh them
-tpm-certs.txt etc/safeboot/
-refresh-certs etc/safeboot/
-certs/* etc/safeboot/certs/
-
-# Compiled with modifications from source
-# to add support for the pkcs11 engine (sbsign),
-# hostnames and small qrcodes (tpm2-totp),
-# and bundle all tpm2 applications in a single script (tpm2)
-bin/sbsign.safeboot usr/sbin/
-bin/sign-efi-sig-list.safeboot usr/sbin/
-bin/tpm2-totp usr/sbin/
-bin/tpm2 usr/sbin/
-
-# scripts to interface with secure boot in the initramfs
-initramfs/hooks/dmverity-root etc/initramfs-tools/hooks/
-initramfs/hooks/safeboot-hooks etc/initramfs-tools/hooks/
-initramfs/scripts/dmverity-root etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/
+# libexec shell scripts
+sbin/getkeytab usr/libexec/safeboot/
diff --git a/debian/safeboot-attest-server.install b/debian/safeboot-attest-server.install
index 55caf23d..7c0b8b17 100644
--- a/debian/safeboot-attest-server.install
+++ b/debian/safeboot-attest-server.install
@@ -1,30 +1,14 @@
 # shell scripts in the tree
-sbin/safeboot usr/sbin/
-sbin/safeboot-tpm-unseal usr/sbin/
-sbin/tpm2-attest usr/sbin/
-sbin/tpm2-pcr-validate usr/sbin/
-
-# configuration files and helper functions
-safeboot.conf etc/safeboot/
-functions.sh etc/safeboot/
-
-# TPM certs and a script to refresh them
-tpm-certs.txt etc/safeboot/
-refresh-certs etc/safeboot/
-certs/* etc/safeboot/certs/
-
-# Compiled with modifications from source
-# to add support for the pkcs11 engine (sbsign),
-# hostnames and small qrcodes (tpm2-totp),
-# and bundle all tpm2 applications in a single script (tpm2)
-bin/sbsign.safeboot usr/sbin/
-bin/sign-efi-sig-list.safeboot usr/sbin/
-bin/tpm2-totp usr/sbin/
-bin/tpm2 usr/sbin/
-
-# scripts to interface with secure boot in the initramfs
-initramfs/hooks/dmverity-root etc/initramfs-tools/hooks/
-initramfs/hooks/safeboot-hooks etc/initramfs-tools/hooks/
-initramfs/scripts/dmverity-root etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/
+sbin/attest-enroll usr/sbin/
+sbin/attest-verify
+sbin/attest-server usr/sbin/
+# XXX
+sbin/attest-server-sub.py usr/sbin/
+
+# These are delivered by safeboot-attest-client for now until we split them up
+# sbin/tpm2-attest usr/sbin/
+# sbin/tpm2-pcr-validate usr/sbin/
+
+# libexec shell scripts
+sbin/gencert usr/libexec/safeboot/
+sbin/genkeytab usr/libexec/safeboot/
diff --git a/debian/safeboot-boot.install b/debian/safeboot-boot.install
index 55caf23d..0190e575 100644
--- a/debian/safeboot-boot.install
+++ b/debian/safeboot-boot.install
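Review bot: `sbin/attest-verify` is the only entry without a destination field, so dh_install keeps its source-relative path and the binary lands at `/sbin/attest-verify` rather than in `usr/sbin/` alongside `attest-enroll` and `attest-server`; suggest `sbin/attest-verify usr/sbin/`. The bare `# XXX` above `sbin/attest-server-sub.py usr/sbin/` records nothing about what is unresolved; a line such as `# XXX helper invoked by attest-server rather than a user command; candidate for usr/libexec/safeboot/` would tell the next packager what to decide. The commented-out tpm2-attest/tpm2-pcr-validate lines say the client package delivers them "for now", which implies the server package should `Depends:` on `safeboot-attest-client` in debian/control for as long as that holds.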
@@ -1,17 +1,6 @@
 # shell scripts in the tree
 sbin/safeboot usr/sbin/
 sbin/safeboot-tpm-unseal usr/sbin/
-sbin/tpm2-attest usr/sbin/
-sbin/tpm2-pcr-validate usr/sbin/
-
-# configuration files and helper functions
-safeboot.conf etc/safeboot/
-functions.sh etc/safeboot/
-
-# TPM certs and a script to refresh them
-tpm-certs.txt etc/safeboot/
-refresh-certs etc/safeboot/
-certs/* etc/safeboot/certs/
 # Compiled with modifications from source
 # to add support for the pkcs11 engine (sbsign),
@@ -19,8 +8,6 @@ certs/* etc/safeboot/certs/
 # and bundle all tpm2 applications in a single script (tpm2)
 bin/sbsign.safeboot usr/sbin/
 bin/sign-efi-sig-list.safeboot usr/sbin/
-bin/tpm2-totp usr/sbin/
-bin/tpm2 usr/sbin/
 # scripts to interface with secure boot in the initramfs
 initramfs/hooks/dmverity-root etc/initramfs-tools/hooks/
diff --git a/debian/safeboot-tpm2-tools.install b/debian/safeboot-tpm2-tools.install
index 55caf23d..15855cff 100644
--- a/debian/safeboot-tpm2-tools.install
+++ b/debian/safeboot-tpm2-tools.install
@@ -1,30 +1,5 @@
-# shell scripts in the tree
-sbin/safeboot usr/sbin/
-sbin/safeboot-tpm-unseal usr/sbin/
-sbin/tpm2-attest usr/sbin/
-sbin/tpm2-pcr-validate usr/sbin/
-
-# configuration files and helper functions
-safeboot.conf etc/safeboot/
-functions.sh etc/safeboot/
-
-# TPM certs and a script to refresh them
-tpm-certs.txt etc/safeboot/
-refresh-certs etc/safeboot/
-certs/* etc/safeboot/certs/
-
 # Compiled with modifications from source
 # to add support for the pkcs11 engine (sbsign),
 # hostnames and small qrcodes (tpm2-totp),
 # and bundle all tpm2 applications in a single script (tpm2)
-bin/sbsign.safeboot usr/sbin/
-bin/sign-efi-sig-list.safeboot usr/sbin/
-bin/tpm2-totp usr/sbin/
 bin/tpm2 usr/sbin/
-
-# scripts to interface with secure boot in the initramfs
-initramfs/hooks/dmverity-root etc/initramfs-tools/hooks/
-initramfs/hooks/safeboot-hooks etc/initramfs-tools/hooks/
-initramfs/scripts/dmverity-root etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/
diff --git a/debian/safeboot-tpm2-totp.install b/debian/safeboot-tpm2-totp.install
index 55caf23d..7fdd7268 100644
--- a/debian/safeboot-tpm2-totp.install
+++ b/debian/safeboot-tpm2-totp.install
@@ -1,30 +1,5 @@
-# shell scripts in the tree
-sbin/safeboot usr/sbin/
-sbin/safeboot-tpm-unseal usr/sbin/
-sbin/tpm2-attest usr/sbin/
-sbin/tpm2-pcr-validate usr/sbin/
-
-# configuration files and helper functions
-safeboot.conf etc/safeboot/
-functions.sh etc/safeboot/
-
-# TPM certs and a script to refresh them
-tpm-certs.txt etc/safeboot/
-refresh-certs etc/safeboot/
-certs/* etc/safeboot/certs/
-
 # Compiled with modifications from source
 # to add support for the pkcs11 engine (sbsign),
 # hostnames and small qrcodes (tpm2-totp),
 # and bundle all tpm2 applications in a single script (tpm2)
-bin/sbsign.safeboot usr/sbin/
-bin/sign-efi-sig-list.safeboot usr/sbin/
 bin/tpm2-totp usr/sbin/
-bin/tpm2 usr/sbin/
-
-# scripts to interface with secure boot in the initramfs
-initramfs/hooks/dmverity-root etc/initramfs-tools/hooks/
-initramfs/hooks/safeboot-hooks etc/initramfs-tools/hooks/
-initramfs/scripts/dmverity-root etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/
diff --git a/debian/safeboot.install b/debian/safeboot.install
index 55caf23d..e497bb86 100644
--- a/debian/safeboot.install
+++ b/debian/safeboot.install
@@ -1,30 +1,8 @@ -# shell scripts in the tree -sbin/safeboot usr/sbin/ -sbin/safeboot-tpm-unseal usr/sbin/ -sbin/tpm2-attest usr/sbin/ -sbin/tpm2-pcr-validate usr/sbin/ - -# configuration files and helper functions -safeboot.conf etc/safeboot/ +# Shell functions library functions.sh etc/safeboot/ +functions.sh usr/lib/safeboot/ # TPM certs and a script to refresh them -tpm-certs.txt etc/safeboot/ -refresh-certs etc/safeboot/ -certs/* etc/safeboot/certs/ - -# Compiled with modifications from source -# to add support for the pkcs11 engine (sbsign), -# hostnames and small qrcodes (tpm2-totp), -# and bundle all tpm2 applications in a single script (tpm2) -bin/sbsign.safeboot usr/sbin/ -bin/sign-efi-sig-list.safeboot usr/sbin/ -bin/tpm2-totp usr/sbin/ -bin/tpm2 usr/sbin/ - -# scripts to interface with secure boot in the initramfs -initramfs/hooks/dmverity-root etc/initramfs-tools/hooks/ -initramfs/hooks/safeboot-hooks etc/initramfs-tools/hooks/ -initramfs/scripts/dmverity-root etc/initramfs-tools/scripts/local-premount/ -initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/ -initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/ +tpm-certs.txt usr/share/safeboot/ +refresh-certs usr/share/safeboot/ +certs/* usr/share/safeboot/certs/ diff --git a/functions.sh b/functions.sh index daac0031..a6ec5e34 100755 --- a/functions.sh +++ b/functions.sh @@ -24,8 +24,17 @@ safeboot_dir() { [[ -n $1 ]] \ || die "Internal error in caller of safeboot_dir" case "$1" in - bin) echo "$TOP/bin";; + bin) echo "$TOP/sbin";; lib) echo "$TOP/lib";; + libexec|share) + if [[ $TOP = /usr && -d /usr/${1}/safeboot ]]; then + echo "/usr/${1}/safeboot" + elif [[ -d $TOP/${1} ]]; then + echo "$TOP/${1}" + else + echo "/etc/safeboot" + fi;; + certs) echo "$(safeboot_dir libexec)/certs";; etc) if [[ $TOP = /usr ]]; then echo "/etc/safeboot" elif [[ -d $TOP/etc/safeboot ]]; then diff --git a/sbin/tpm2-attest b/sbin/tpm2-attest index 5b1ae461..73e002bd 100755 
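Review bot: The new `certs/* usr/share/safeboot/certs/` entry in debian/safeboot.install does not match how the same commit resolves the certificate directory: the functions.sh hunk defines `certs) echo "$(safeboot_dir libexec)/certs";;`, so on an installed system `safeboot_dir certs` looks under libexec (or falls back to /etc/safeboot), never under usr/share/safeboot/certs, and the tpm2-attest hunk now derives its CA root from exactly that call. Either the packaging should place the trust anchors where the lookup expects them, or the lookup should follow the packaging, e.g. `certs) echo "$(safeboot_dir share)/certs";;`. Note also that functions.sh is now installed to both `etc/safeboot/` and `usr/lib/safeboot/`; two copies of a sourced library can drift, and it is unclear from this hunk which one the scripts source, so a comment naming the one that is authoritative would help.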
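Review bot: The middle branch of the new `libexec|share` arm, `elif [[ -d $TOP/${1} ]]; then echo "$TOP/${1}"`, returns a directory without the `safeboot` component, so when `$TOP` is /usr and /usr/libexec/safeboot is absent the function yields `/usr/libexec` (or `/usr/share`) as soon as that plain directory exists, and `safeboot_dir certs` becomes `/usr/libexec/certs` instead of falling through to the `/etc/safeboot` default. That branch presumably targets an in-tree checkout where `$TOP` is the repository root; guarding it with `[[ $TOP != /usr && -d $TOP/${1} ]]` would keep the installed-system case on the first or last branch. Since `safeboot_dir certs` is where tpm2-attest now finds its CA roots, a wrong-but-existing directory here is worth failing loudly on rather than resolving to a path the packaging never populates. The rest of safeboot_dir's case statement continues outside the hunk.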
--- a/sbin/tpm2-attest +++ b/sbin/tpm2-attest @@ -394,7 +394,7 @@ verify() QUOTE_TAR="$1" NONCE="$2" - CA_ROOT="${3:-$PREFIX$DIR/certs}" + CA_ROOT="${3:-$(safeboot_dir certs)}" unpack-quote "$QUOTE_TAR" \ || die "$QUOTE_TAR: unable to unpack" From afc8e711b03ed8850429dee8415e69690a080dca Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Wed, 24 Nov 2021 16:38:07 -0600 Subject: [PATCH 7/8] fixup! debian: Package split part 2 --- debian/control | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/debian/control b/debian/control index 4ddddcb7..f67345a5 100644 --- a/debian/control +++ b/debian/control @@ -10,15 +10,15 @@ Homepage: https://github.com/osresearch/safeboot/ Package: safeboot Architecture: all -Depends: ${shlibs:Depends}, ${misc:Depends}, binutils, safeboot-tpm2-tools | tpm2-tools, safeboot-tpm2-totp | tpm2-totp +Depends: ${shlibs:Depends}, ${misc:Depends}, binutils, safeboot-tpm2-tools | tpm2-tools (>= 5.1.1), safeboot-tpm2-totp | tpm2-totp (>= 3.1.0) Description: Common (core) package for Safeboot Safeboot is a collection of utilities and services for securing the boot process. Package: safeboot-boot Architecture: all -Breaks: safeboot (<<0.8) -Replaces: safeboot (<<0.8) +Breaks: safeboot (<<0.9) +Replaces: safeboot (<<0.9) Depends: ${shlibs:Depends}, ${misc:Depends}, safeboot, efitools, opensc, yubico-piv-tool, libengine-pkcs11-openssl, uuid, binutils, libqrencode-dev, libjson-c4, libcurl4 Description: Boot Linux more safely Makes the Linux boot process slightly safer by enabling UEFI Secure Boot, 
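Review bot: `CA_ROOT="${3:-$(safeboot_dir certs)}"` in verify() takes whatever safeboot_dir returns without checking that the directory exists, and safeboot_dir's lookup ends in an unconditional `/etc/safeboot` fallback, so a host whose package layout does not match the lookup silently verifies against `/etc/safeboot/certs` rather than reporting a misconfiguration. Because this directory is the trust-anchor set for quote verification, the resolved path should be validated before use, e.g. `[[ -d $CA_ROOT ]] || die "$CA_ROOT: CA root directory not found"`, mirroring the `|| die` already used for unpack-quote two lines below. verify()'s body continues outside the hunk, so what an empty CA_ROOT leads to downstream cannot be confirmed from here.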
@@ -28,18 +28,18 @@ Description: Boot Linux more safely Package: safeboot-attest-client Architecture: all -Breaks: safeboot (<<0.8) -Replaces: safeboot (<<0.8) +Breaks: safeboot (<<0.9) +Replaces: safeboot (<<0.9) Depends: ${shlibs:Depends}, ${misc:Depends}, safeboot Description: Safeboot attestation client Attestation client for Safeboot, which is intended to be used for securely fetching local filesystem encryption keys (including for the root - filesyste), and other secrets (including device credentials). + filesystem), and other secrets (including device credentials). Package: safeboot-attest-server Architecture: all -Breaks: safeboot (<<0.8) -Replaces: safeboot (<<0.8) +Breaks: safeboot (<<0.9) +Replaces: safeboot (<<0.9) Depends: ${shlibs:Depends}, ${misc:Depends}, safeboot Description: Safeboot attestation server Enrollment and attestation server for Safeboot, which is intended to be @@ -48,16 +48,16 @@ Description: Safeboot attestation server Package: safeboot-tpm2-tools Architecture: any -Breaks: safeboot (<<0.8) -Replaces: safeboot (<<0.8) +Breaks: safeboot (<<0.9) +Replaces: safeboot (<<0.9) Depends: ${shlibs:Depends}, ${misc:Depends} Description: tpm2-tools at version needed by Safeboot Safeboot depends on more recent versions of tpm2-tools than are packaged. Package: safeboot-tpm2-totp Architecture: any -Breaks: safeboot (<<0.8) -Replaces: safeboot (<<0.8) +Breaks: safeboot (<<0.9) +Replaces: safeboot (<<0.9) Depends: ${shlibs:Depends}, ${misc:Depends} Description: tpm2-totp at version needed by Safeboot Safeboot depends on more recent versions of tpm2-totp than are packaged. From 157ebd4a5f86d4e5a0519b09781cb56f41bc9c9d Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Wed, 24 Nov 2021 16:38:22 -0600 Subject: [PATCH 8/8] Release 0.9? --- debian/changelog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/debian/changelog b/debian/changelog index 8a691606..fcb4cb51 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,11 @@ +safeboot (0.9) unstable; urgency=medium + + * Add enrollment server functionality + * Add helper scripts for enrolled host credential bootstrapping + * Split Debian packaging + + -- Nico Williams Wed, 24 Nov 2021 16:22:53 -0600 + safeboot (0.8) unstable; urgency=medium * `tpm2-attest` and `attest-server` to perform attestations