mail archive of the barebox mailing list
* [RFC] Keystore design
@ 2015-03-18  9:59 Jean-Christophe PLAGNIOL-VILLARD
  2015-04-13  9:48 ` Marc Kleine-Budde
  0 siblings, 1 reply; 3+ messages in thread
From: Jean-Christophe PLAGNIOL-VILLARD @ 2015-03-18  9:59 UTC (permalink / raw)
  To: barebox

Hi,

	I'm currently looking at the implementation for the PKI keystore

	I was thinking to simply do a FS

	The idea is this one

	we will use envfs as storing format.

	Constraint:

	 - Multiple RO env
	 - one RW env
	 - as little API as possible to add a key

	1) Builtin

	 We will allow multiple keystores for boards
	 we need to be able to drop a keystore if not valid for this board
	 we need to be able to have a global keystore

	2) SoC Keystore
	 - RO

	3) RW

	 a key will be stored in the keystore only if valid (signed by a master
	 key or CA)

	We will use the fs api

	to put a key a simple cp will be enough

Best Regards,
J.

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


* Re: [RFC] Keystore design
  2015-03-18  9:59 [RFC] Keystore design Jean-Christophe PLAGNIOL-VILLARD
@ 2015-04-13  9:48 ` Marc Kleine-Budde
  2015-05-24 15:46   ` Marc Kleine-Budde
  0 siblings, 1 reply; 3+ messages in thread
From: Marc Kleine-Budde @ 2015-04-13  9:48 UTC (permalink / raw)
  To: Jean-Christophe PLAGNIOL-VILLARD, barebox



On 03/18/2015 10:59 AM, Jean-Christophe PLAGNIOL-VILLARD wrote:
> 	I'm currently looking at the implementation for the PKI keystore
> 
> 	I was thinking to simply do a FS
> 
> 	The idea is this one
> 
> 	we will use envfs as storing format.
> 
> 	Constraint:
> 
> 	 - Multiple RO env
> 	 - one RW env
> 	 - as little API as possible to add a key
> 
> 	1) Builtin
> 
> 	 We will allow multiple keystores for boards
> 	 we need to be able to drop a keystore if not valid for this board
> 	 we need to be able to have a global keystore
> 
> 	2) SoC Keystore
> 	 - RO
> 
> 	3) RW
> 
> 	 a key will be stored in the keystore only if valid (signed by a master
> 	 key or CA)
> 
> 	We will use the fs api
> 
> 	to put a key a simple cp will be enough

Jan and I were discussing your approach to implement a keystore with the
filesystem API. For us it was hard to imagine the benefits of accessing
the keystore by fs API, but our use cases are rather minimal compared to
"full" x509 PKI support.

We don't see the advantage of having a FS, does it make a huge
difference to add a cert by "cp /path/to/cert /barebox/pki" or by
"keystore --add /path/to/cert"? This can be done via a simple linked
list, too. With x509 you can have nested certs, do you want to map this
to directories?

We see the following use cases:

- add certificate and mark that cert as trusted (i.e. add a new CA)
- add certificate (only succeeds if the store trusts that cert)
- lockdown store, so that only trusted certs can be added
- add cert/public key from DT (DT compiled into barebox)
- add cert/public key compiled into barebox (e.g. via section magic)
- add cert/public key from file and/or directory
- you probably want x509
- possibility to go without x509
- add/get/use cert/public key by name
- validate file, mem region against a public key in store

Our big picture use case is:
- validate fit image against RSA public key in DT

We think a keystore can be implemented by a linked list of certs/public
keys, some iterator functions to find key by name, for x509 probably CN,
etc...

regards,
Marc

-- 
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |
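
Added example (not part of the thread and not barebox code): a minimal C sketch of the linked-list store described in the reply above, covering find-by-name, adding a trusted CA, adding a key only when the store trusts its issuer, and lockdown. The `ks_*` names and the struct layout are hypothetical, and an issuer-name lookup stands in for real signature verification.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

struct ks_entry {			/* hypothetical layout */
	char name[32];			/* lookup name, e.g. the x509 CN */
	bool trusted;			/* may vouch for entries added later */
	struct ks_entry *next;
};
struct keystore { struct ks_entry *head; bool locked; };

/* Iterator: find an entry by name; NULL if the store does not hold it. */
struct ks_entry *ks_find(struct keystore *ks, const char *name)
{
	struct ks_entry *e = ks->head;

	while (e && strcmp(e->name, name))
		e = e->next;
	return e;
}

static int ks_insert(struct keystore *ks, const char *name, bool trusted)
{
	struct ks_entry *e = NULL;

	/* Refuse names that would be truncated or would shadow an entry. */
	if (strlen(name) < sizeof(e->name) && !ks_find(ks, name))
		e = calloc(1, sizeof(*e));
	if (!e)
		return -1;
	strcpy(e->name, name);
	e->trusted = trusted;
	e->next = ks->head;
	ks->head = e;
	return 0;
}

/* Lockdown: afterwards no new trust anchor (CA) can be added. */
void ks_lockdown(struct keystore *ks) { ks->locked = true; }

int ks_add_trusted(struct keystore *ks, const char *name)
{
	return ks->locked ? -1 : ks_insert(ks, name, true);
}

/* Add a key; succeeds only if the store already trusts its issuer.
 * Assumption: a real store verifies the signature at this point. */
int ks_add(struct keystore *ks, const char *name, const char *issuer)
{
	struct ks_entry *ca = ks_find(ks, issuer);

	return (ca && ca->trusted) ? ks_insert(ks, name, false) : -1;
}
```

After `ks_lockdown()`, `ks_add_trusted()` fails while `ks_add()` still accepts keys issued by an entry that is already trusted.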




* Re: [RFC] Keystore design
  2015-04-13  9:48 ` Marc Kleine-Budde
@ 2015-05-24 15:46   ` Marc Kleine-Budde
  0 siblings, 0 replies; 3+ messages in thread
From: Marc Kleine-Budde @ 2015-05-24 15:46 UTC (permalink / raw)
  To: Jean-Christophe PLAGNIOL-VILLARD, barebox



On 04/13/2015 11:48 AM, Marc Kleine-Budde wrote:
> On 03/18/2015 10:59 AM, Jean-Christophe PLAGNIOL-VILLARD wrote:
>> 	I'm currently looking at the implementation for the PKI keystore

Any news from the keystore front? I've patches here to secure the
contents of the state partition by a hmac, so I need an API to request
the shared secret.

Marc

-- 
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |

