| 1 |
We understand that there is in general a continuum between security |
| 2 |
and ease of use. There is a certain level of provable security |
| 3 |
that is absolutely required in order to make the claim that Gentoo |
| 4 |
distributes its product in a secure fashion, which is provided by |
| 5 |
this implementation. |
| 6 |
|
| 7 |
This is the specifications under which the security system for |
| 8 |
portage will be implemented. This is a document detailing what is |
| 9 |
to be created and not what is presently available. User and |
| 10 |
developer documentation will be built from this document when this |
| 11 |
functionality becomes available for testing. Ideas and comments are |
| 12 |
welcome, however it should be clear that any potential additional |
| 13 |
options would be implemented in parallel to this core initiative, |
| 14 |
not in lieu of it. All comments should be well thought out and |
| 15 |
constructive. |
| 16 |
|
| 17 |
Every effort has been taken to implement this in a manner friendly |
| 18 |
to all user's needs ranging from no security to extensive |
| 19 |
verification of Portage data. |
| 20 |
|
| 21 |
Implementation: |
| 22 |
|
| 23 |
* There will be an inner-keyring of senior developers holding keys. |
| 24 |
These keys are the master keys used to sign developer keys. |
| 25 |
They are not used to sign data in portage directly. |
| 26 |
|
| 27 |
*** The exact number of keys and holders has not been decided but |
| 28 |
for a developer to be recognized by portage he will have to |
| 29 |
have his key signed by the lower bound of N/2 of the inner-ring |
| 30 |
keys. For example, if we have 5 inner keys then a developer |
| 31 |
will have to have a key signed by at least 2 of them. |
| 32 |
|
| 33 |
* We will use GPG's web-of-trust mechanism for this verification. |
| 34 |
GPG gives us the flexibility to decide how many complete trust |
| 35 |
keys will be required to trust a developer key. |
| 36 |
|
| 37 |
* The GPG trustdb will be set up on each user's machines, to |
| 38 |
prevent tampering upstream. The first time a user specifies to |
| 39 |
use GPG they will need to manually verify the fingerprints for |
| 40 |
each of the inner keys. This ensures that the inner keys were |
| 41 |
downloaded to the users machine and have not been tampered with. |
| 42 |
|
| 43 |
* The developer keyring will be stored in the Portage tree. This |
| 44 |
ensures that each user has an up to date keyring anytime they |
| 45 |
sychronise their Portage tree. |
| 46 |
|
| 47 |
* Each key is verified by ensuring it is signed by the proper |
| 48 |
number of keys from the inner keyring. This is done by GPG |
| 49 |
and has little overhead. |
| 50 |
|
| 51 |
* Manifests in each of the package directories will contain the |
| 52 |
signature. These manifests contain an all-inclusive list of the |
| 53 |
digests for that particular package including each ebuild, each |
| 54 |
file in ./files/ and also the standard ebuild digests. |
| 55 |
|
| 56 |
* Manifests are first verified for authenticity by GPG, and then |
| 57 |
each digest listed is verified. This ensures that no file in |
| 58 |
Portage has been tampered with. |
| 59 |
|
| 60 |
* Key revocation will be done using public key servers. There will |
| 61 |
be M number of revocation keys, not necessarily the same number |
| 62 |
as verification keys. |
| 63 |
|
| 64 |
* Each of these revocation keys will be on all available public key |
| 65 |
servers. To revoke a developers key the revocation key holders |
| 66 |
will add an alias to their keys on the public key servers. The |
| 67 |
use of public keyservers ensures that the keys are always |
| 68 |
available, and there is a good amount of mirroring among all |
| 69 |
public keyservers. |
| 70 |
|
| 71 |
* A key is considered revoked if it has been added as an alias to |
| 72 |
upper bound of M/2 of the revocation keys. |
| 73 |
|
| 74 |
* Portage will check for these revocations according to the |
| 75 |
verification option the user desires (listed below in the |
| 76 |
'User use' section). |
| 77 |
|
| 78 |
Note: For more information about GnuPG's web of trust and how it |
| 79 |
works, please see the GNU Privacy Handbook: |
| 80 |
http://www.gnupg.org/gph/en/manual.html |
| 81 |
|
| 82 |
|
| 83 |
Developer use: |
| 84 |
-------------- |
| 85 |
* Each developer has one key used exclusively for ebuild signing. |
| 86 |
* Each developer must have their key signed by at least the lower |
| 87 |
bound of N/2 inner-ring keys. |
| 88 |
* Each developer should have a strong passphrase and good |
| 89 |
protection for their key. |
| 90 |
* Developers will use repoman to digest and sign manifests. |
| 91 |
|
| 92 |
|
| 93 |
User use: |
| 94 |
--------- |
| 95 |
This protection will be implemented through several FEATURE flags. |
| 96 |
All protection is completely optional and will be disabled by default. |
| 97 |
|
| 98 |
* FEATURES="gpg" |
| 99 |
checks manifest signature and digests at doebuild() calls, |
| 100 |
intercepting all sourcing of the ebuilds for cache creation and |
| 101 |
merge operations. |
| 102 |
|
| 103 |
* FEATURES="strict" |
| 104 |
does additional checks on manifests that result in termination of |
| 105 |
the merge if they fail. Missing manifests, files missing from the |
| 106 |
manifest, and additional files not included in the manifest will |
| 107 |
cause portage to exit with a failure notice. |
| 108 |
|
| 109 |
* FEATURES="gpg strict" |
| 110 |
will be slightly more aggressive in checking files. It includes |
| 111 |
everything from the above two, failing on possible breaches. |
| 112 |
|
| 113 |
* FEATURES="gpg severe" |
| 114 |
causes more frequent/aggressive checking for key revocations and |
| 115 |
forces a comprehensive check at sync time before any files are |
| 116 |
sourced. It also implies strict. |
| 117 |
|
| 118 |
* The inner keys will be downloaded independantly of the public |
| 119 |
keyservers and verified by the user. This will provide the |
| 120 |
maximum assurance that the keys are trustworthy. |
| 121 |
|
| 122 |
*** To accommodate users behind restrictive firewalls, the inner |
| 123 |
public keys will also be included in rsync and webrsync |
| 124 |
snapshots. The fingerprints themselves will be available from |
| 125 |
www.gentoo.org, published in newsgroups and mailing lists, and |
| 126 |
users will be encouraged to verify fingerprints from multiple |
| 127 |
sources for maximum security. |
| 128 |
|
| 129 |
Notes: |
| 130 |
------ |
| 131 |
We have discussed several other implementations including server |
| 132 |
side signing and have ascertained that this implementation has the |
| 133 |
most benefits and protection for our users while putting minimal |
| 134 |
strain on developers. |
| 135 |
|
| 136 |
The benefits of this implementation include: |
| 137 |
|
| 138 |
* Complete protection from the developer all the way to the user. |
| 139 |
* Ability to revoke and isolate packages handled by a compromised key. |
| 140 |
* Completely optional and configurable by each user. |
| 141 |
* Ability to extend security by adding keys to your local trustdb |
| 142 |
thereby trusting your own or third party keys. |
| 143 |
|
| 144 |
|
| 145 |
Joshua Brindle |
| 146 |
Hardened Gentoo Project Leader |
| 147 |
|
| 148 |
|
| 149 |
-- |
| 150 |
gentoo-hardened@g.o mailing list |
Archives