1 |
We understand that there is in general a continuum between security |
2 |
and ease of use. There is a certain level of provable security |
3 |
that is absolutely required in order to make the claim that Gentoo |
4 |
distributes its product in a secure fashion, which is provided by |
5 |
this implementation. |
6 |
|
7 |
This is the specifications under which the security system for |
8 |
portage will be implemented. This is a document detailing what is |
9 |
to be created and not what is presently available. User and |
10 |
developer documentation will be built from this document when this |
11 |
functionality becomes available for testing. Ideas and comments are |
12 |
welcome, however it should be clear that any potential additional |
13 |
options would be implemented in parallel to this core initiative, |
14 |
not in lieu of it. All comments should be well thought out and |
15 |
constructive. |
16 |
|
17 |
Every effort has been taken to implement this in a manner friendly |
18 |
to all user's needs ranging from no security to extensive |
19 |
verification of Portage data. |
20 |
|
21 |
Implementation: |
22 |
|
23 |
* There will be an inner-keyring of senior developers holding keys. |
24 |
These keys are the master keys used to sign developer keys. |
25 |
They are not used to sign data in portage directly. |
26 |
|
27 |
*** The exact number of keys and holders has not been decided but |
28 |
for a developer to be recognized by portage he will have to |
29 |
have his key signed by the lower bound of N/2 of the inner-ring |
30 |
keys. For example, if we have 5 inner keys then a developer |
31 |
will have to have a key signed by at least 2 of them. |
32 |
|
33 |
* We will use GPG's web-of-trust mechanism for this verification. |
34 |
GPG gives us the flexibility to decide how many complete trust |
35 |
keys will be required to trust a developer key. |
36 |
|
37 |
* The GPG trustdb will be set up on each user's machines, to |
38 |
prevent tampering upstream. The first time a user specifies to |
39 |
use GPG they will need to manually verify the fingerprints for |
40 |
each of the inner keys. This ensures that the inner keys were |
41 |
downloaded to the users machine and have not been tampered with. |
42 |
|
43 |
* The developer keyring will be stored in the Portage tree. This |
44 |
ensures that each user has an up to date keyring anytime they |
45 |
sychronise their Portage tree. |
46 |
|
47 |
* Each key is verified by ensuring it is signed by the proper |
48 |
number of keys from the inner keyring. This is done by GPG |
49 |
and has little overhead. |
50 |
|
51 |
* Manifests in each of the package directories will contain the |
52 |
signature. These manifests contain an all-inclusive list of the |
53 |
digests for that particular package including each ebuild, each |
54 |
file in ./files/ and also the standard ebuild digests. |
55 |
|
56 |
* Manifests are first verified for authenticity by GPG, and then |
57 |
each digest listed is verified. This ensures that no file in |
58 |
Portage has been tampered with. |
59 |
|
60 |
* Key revocation will be done using public key servers. There will |
61 |
be M number of revocation keys, not necessarily the same number |
62 |
as verification keys. |
63 |
|
64 |
* Each of these revocation keys will be on all available public key |
65 |
servers. To revoke a developers key the revocation key holders |
66 |
will add an alias to their keys on the public key servers. The |
67 |
use of public keyservers ensures that the keys are always |
68 |
available, and there is a good amount of mirroring among all |
69 |
public keyservers. |
70 |
|
71 |
* A key is considered revoked if it has been added as an alias to |
72 |
upper bound of M/2 of the revocation keys. |
73 |
|
74 |
* Portage will check for these revocations according to the |
75 |
verification option the user desires (listed below in the |
76 |
'User use' section). |
77 |
|
78 |
Note: For more information about GnuPG's web of trust and how it |
79 |
works, please see the GNU Privacy Handbook: |
80 |
http://www.gnupg.org/gph/en/manual.html |
81 |
|
82 |
|
83 |
Developer use: |
84 |
-------------- |
85 |
* Each developer has one key used exclusively for ebuild signing. |
86 |
* Each developer must have their key signed by at least the lower |
87 |
bound of N/2 inner-ring keys. |
88 |
* Each developer should have a strong passphrase and good |
89 |
protection for their key. |
90 |
* Developers will use repoman to digest and sign manifests. |
91 |
|
92 |
|
93 |
User use: |
94 |
--------- |
95 |
This protection will be implemented through several FEATURE flags. |
96 |
All protection is completely optional and will be disabled by default. |
97 |
|
98 |
* FEATURES="gpg" |
99 |
checks manifest signature and digests at doebuild() calls, |
100 |
intercepting all sourcing of the ebuilds for cache creation and |
101 |
merge operations. |
102 |
|
103 |
* FEATURES="strict" |
104 |
does additional checks on manifests that result in termination of |
105 |
the merge if they fail. Missing manifests, files missing from the |
106 |
manifest, and additional files not included in the manifest will |
107 |
cause portage to exit with a failure notice. |
108 |
|
109 |
* FEATURES="gpg strict" |
110 |
will be slightly more aggressive in checking files. It includes |
111 |
everything from the above two, failing on possible breaches. |
112 |
|
113 |
* FEATURES="gpg severe" |
114 |
causes more frequent/aggressive checking for key revocations and |
115 |
forces a comprehensive check at sync time before any files are |
116 |
sourced. It also implies strict. |
117 |
|
118 |
* The inner keys will be downloaded independantly of the public |
119 |
keyservers and verified by the user. This will provide the |
120 |
maximum assurance that the keys are trustworthy. |
121 |
|
122 |
*** To accommodate users behind restrictive firewalls, the inner |
123 |
public keys will also be included in rsync and webrsync |
124 |
snapshots. The fingerprints themselves will be available from |
125 |
www.gentoo.org, published in newsgroups and mailing lists, and |
126 |
users will be encouraged to verify fingerprints from multiple |
127 |
sources for maximum security. |
128 |
|
129 |
Notes: |
130 |
------ |
131 |
We have discussed several other implementations including server |
132 |
side signing and have ascertained that this implementation has the |
133 |
most benefits and protection for our users while putting minimal |
134 |
strain on developers. |
135 |
|
136 |
The benefits of this implementation include: |
137 |
|
138 |
* Complete protection from the developer all the way to the user. |
139 |
* Ability to revoke and isolate packages handled by a compromised key. |
140 |
* Completely optional and configurable by each user. |
141 |
* Ability to extend security by adding keys to your local trustdb |
142 |
thereby trusting your own or third party keys. |
143 |
|
144 |
|
145 |
Joshua Brindle |
146 |
Hardened Gentoo Project Leader |
147 |
|
148 |
|
149 |
-- |
150 |
gentoo-hardened@g.o mailing list |