Details

    • New Feature
    • Resolution: Unresolved
    • Minor
    • None
    • Lustre 2.7.0, Lustre 2.5.5
    • 10537

    Description

      The current RHEL RPM's as delivered by Whamcloud are not signed with a PKI certificate. It would be beneficial if Whamcloud could sign the RPM's with PKI to verify that Whamcloud is in fact the author of the RPM's.

      Attachments

        Activity

          [LU-1354] PGP Sign RPM's

          degremoa Aurelien Degremont (Inactive) added a comment -

          By latest, do you mean latest kernel for Ubuntu 20.04 LTS, or kernel on latest Ubuntu 21.04?

          simmonsja James A Simmons added a comment -

          Sigh. The latest Ubuntu enforces this now

          [ 4874.368433] Lockdown: insmod: unsigned module loading is restricted; see man kernel_lockdown.7

          jmckenna James McKenna added a comment - - edited

          Bumping this topic. Any news?


          degremoa Aurelien Degremont (Inactive) added a comment -

          Is there any news on this topic?

          utopiabound Nathaniel Clark added a comment -

          After further investigation, the module signing / cert management is as follows:

          1. During the kernel build, a unique pub/priv key is generated (using info in kernelsource/x509.genkey):
             kernelsource/signing_key.{x509,priv}
          2. All certificates in kernel source dir (files with the .x509 extension) are signed with the per-kernel key and included in the default trust chain.
          3. All kernel modules are signed with the signing_key and thus any module signed with those would also be acceptable.

          NOTE:
          CentOS does not sign any of the provided kmod-* packaged modules.
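
As an added illustration (not code from the Lustre project or from any commenter), the sketch below checks whether a module image carries the appended-signature trailer that a kernel restricting unsigned module loading looks for, which is what the signing step described above produces. It assumes the PKCS#7 trailer layout from the kernel's module_signature.h; the function names and sample bytes are constructed for the example.

```python
import struct
from dataclasses import dataclass

MAGIC = b"~Module signature appended~\n"  # MODULE_SIG_STRING, last bytes of a signed .ko
TRAILER = struct.Struct(">5B3sI")          # struct module_signature: 12 bytes, sig_len big-endian
PKEY_ID_PKCS7 = 2                          # id_type value for PKCS#7 module signatures

@dataclass
class ModSig:
    signed: bool
    reason: str
    payload_len: int = 0   # bytes of module image before the signature
    sig_len: int = 0       # bytes of PKCS#7 signature data

def inspect_module(blob: bytes) -> ModSig:
    """Structural check only; does not verify the signature against a key."""
    if not blob.endswith(MAGIC):
        return ModSig(False, "no signature marker")
    body = blob[: -len(MAGIC)]
    if len(body) < TRAILER.size:
        return ModSig(False, "truncated trailer")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = TRAILER.unpack(
        body[-TRAILER.size:])
    remaining = len(body) - TRAILER.size
    if id_type != PKEY_ID_PKCS7:
        return ModSig(False, f"unsupported id_type {id_type}")
    if any((algo, hash_, signer_len, key_id_len)) or pad != b"\0\0\0":
        return ModSig(False, "non-zero reserved fields")
    if sig_len == 0 or sig_len >= remaining:
        return ModSig(False, "bad signature length")
    if body[remaining - sig_len] != 0x30:  # DER PKCS#7 starts with an ASN.1 SEQUENCE
        return ModSig(False, "signature is not DER")
    return ModSig(True, "appended PKCS#7 signature", remaining - sig_len, sig_len)

def append_signature(payload: bytes, sig: bytes, sig_len=None) -> bytes:
    """Build a constructed test image: payload + sig + trailer + marker."""
    n = len(sig) if sig_len is None else sig_len
    return payload + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", n) + MAGIC

# Constructed sample data, not a real module or signature.
FAKE_ELF = b"\x7fELF" + b"\x00" * 60
FAKE_SIG = b"\x30\x82\x01\x00" + b"\xaa" * 256

if __name__ == "__main__":
    for name, img in [("unsigned", FAKE_ELF),
                      ("signed", append_signature(FAKE_ELF, FAKE_SIG)),
                      ("bad length", append_signature(FAKE_ELF, FAKE_SIG, 10**6))]:
        print(name, inspect_module(img))
```
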

          gerrit Gerrit Updater added a comment -

          Nathaniel Clark (nclark@whamcloud.com) uploaded a new patch: https://review.whamcloud.com/34132
          Subject: LU-1354 build: Sign kernel modules during build
          Project: fs/lustre-release
          Branch: master
          Current Patch Set: 1
          Commit: a51e35b679049fbe1e358dd98b3158df0f5abd25

          utopiabound Nathaniel Clark added a comment -

          If we're going to sign rpms, we should also consider signing the modules so they will work in a FIPS enabled kernel.

          https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations
          https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html

          marcindulak Marcin Dulak added a comment -

          It would be valuable to have the RPMS finally signed - also in order to use them properly with configuration management tools like Puppet, etc.


          adilger Andreas Dilger added a comment -

          There are several people (myself, Brian Murrell, maybe Oleg) on the HPDD team that have well-known keys that could sign an RPM-signing key.

          mdidomenico Michael Di Domenico added a comment -

          Well, some trust is better than no trust, eh? But it does provide someone an ability to verify that the packages were created by a specific person and that the packages have not been altered down the chain.

          http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/5.3/html/Deployment_Guide/satops-rpm-building.html

          As long as the passphrase is safe and the Whamcloud servers remain protected, I should be able to sign off to an auditor that the software I downloaded did in fact come from and was produced by Whamcloud. The only other way I can make that claim with any real distinction would be to have a (silver, non-r/w) CD mailed from Whamcloud to me.

          People

            green Oleg Drokin
            mdidomenico Michael Di Domenico