Workflows Archive on lore.kernel.org
 help / color / Atom feed
From: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
To: Jason Gunthorpe <jgg@ziepe.ca>
Cc: workflows@vger.kernel.org
Subject: Re: Patch attestation RFC + proof of concept
Date: Wed, 26 Feb 2020 15:42:31 -0500
Message-ID: <20200226204231.x5jbqgmkedtgpkmn@chatter.i7.local> (raw)
In-Reply-To: <20200226201140.GA24263@ziepe.ca>

On Wed, Feb 26, 2020 at 04:11:40PM -0400, Jason Gunthorpe wrote:
> > If you look at the contents of the patch attestation message 
> > (https://lore.kernel.org/signatures/202002251425.E7847687B@keescook/), 
> > you will notice a yaml-style formatted document with a series of 
> > three hashes. Let's take the first one as example:
> > 
> > 2a02abe0-215cf3f1-2acb5798:
> >   i: 2a02abe02216f626105622aee2f26ab10c155b6442e23441d90fc5fe4071b86e
> >   m: 215cf3f133478917ad147a6eda1010a9c4bba1846e7dd35295e9a0081559e9b0
> >   p: 2acb5798c366f97501f8feacb873327bac161951ce83e90f04bbcde32e993865
> > 
> > The source of these hashes is the following patch:
> > https://lore.kernel.org/kernel-hardening/20200225051307.6401-2-keescook@chromium.org/
> 
> If you define an alternative message signature algorithm like this,
> then is there still value in detatching the PGP signature from the
> patch email?

I believe that yes, because it offers better workflows around the
following scenarios:

- developer does all their work on a remote VM that doesn't have access 
  to their PGP keys and submits actual attestation when they get back to 
  their workstation
- developer configures their smartcard to require a PIN during each 
  operation and disables the pgp-agent; sending a series of 40 patches 
  requires a single PIN entry instead of 40
- developer submits a v1 of the patch that they don't expect to pass on 
  the first try and doesn't bother submitting attestation; shockingly,
  the maintainer accepts it as-is and the developer can attest their 
  patches post-fact *without* needing to collect all the acked-by's 
  reviewed-by's etc from all others who have already responded to the v1 
  submission

> The usual PGP signature computes a hash of the message in a certain
> way (with unquoting etc). If you instead replace that with your method
> and then just generate the normal base64 blob using:
> 
>   msg_hash = HASH(HASH(i) || HASH(m) || HASH(p))
>   sig = RSA_Sign(msg_hash)

The reason I want to leave i/m/p hashes individually present is because 
it makes it possible to query patch attestation information based on a 
subset of full information.

For example, a maintainer will almost certainly edit the message content 
to add their own Signed-off-by, and may edit the patch for minor 
nitpicking. Full i-m-p attestation will fail in this case, but we can 
then query the signatures archive for each individual hash to identify 
which part of the submission fails validation:
https://lore.kernel.org/signatures/?q=2a02abe02216f626105622aee2f26ab10c155b6442e23441d90fc5fe4071b86e

This lets us present the maintainer with more useful info, like: "full 
attestation failed, but the only changed part is actually the message 
and not the patch content, so it's probably still okay to apply."

> Then the base64 of the sig can just be dropped at the end of the
> message, and doesn't need to be detached, or need the various ---BEGIN
> PGP--- overheads
> 
> The magic I see here is defining a way to compute the message hash of
> a patch email that doesn't cause a big mess.

I still think that one of the key benefits of this proposal is being 
able to submit patch attestation data post-fact. For signatures included 
with patches, I'd rather see this happen during the git-format-patch 
step following Vagard Nossum's work of fully reconstructing commits from 
patches -- see my email to the git list here:
https://lore.kernel.org/git/20200226200929.z4aej74ohbkgcdza@chatter.i7.local/T/#u

Best,
-K

  reply index

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-26 17:25 Konstantin Ryabitsev
2020-02-26 17:50 ` Kees Cook
2020-02-26 18:47   ` Konstantin Ryabitsev
2020-02-26 20:11 ` Jason Gunthorpe
2020-02-26 20:42   ` Konstantin Ryabitsev [this message]
2020-02-26 21:04     ` Jason Gunthorpe
2020-02-26 21:18       ` Konstantin Ryabitsev
2020-02-27  1:23         ` Jason Gunthorpe
2020-02-27  4:11 ` Jason A. Donenfeld
2020-02-27 10:05   ` Geert Uytterhoeven
2020-02-27 13:30     ` Jason A. Donenfeld
2020-02-27 14:29   ` Konstantin Ryabitsev
2020-02-28  1:57     ` Jason A. Donenfeld
2020-02-28  2:30       ` Jason A. Donenfeld
2020-02-28 18:33         ` Konstantin Ryabitsev
2020-02-28 17:54       ` Konstantin Ryabitsev
2020-03-06 16:53       ` Geert Uytterhoeven

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200226204231.x5jbqgmkedtgpkmn@chatter.i7.local \
    --to=konstantin@linuxfoundation.org \
    --cc=jgg@ziepe.ca \
    --cc=workflows@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Workflows Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/workflows/0 workflows/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 workflows workflows/ https://lore.kernel.org/workflows \
		workflows@vger.kernel.org
	public-inbox-index workflows

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.workflows


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git