Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhancement request: OpenPGP smartcard support #174

Open
udf2457 opened this issue Mar 23, 2022 · 4 comments
Open

Enhancement request: OpenPGP smartcard support #174

udf2457 opened this issue Mar 23, 2022 · 4 comments
Labels
v2 Targeting GopenPGP v2

Comments

@udf2457
Copy link

udf2457 commented Mar 23, 2022

Thanks for your great work on gopenpgp.

Please however consider adding OpenPGP smartcard support.

In today's cyber security world, such functionality is almost no longer an option. Even more so when secure storage such as Yubikey or OpenHSM are readily available for readily little financial cost.

@tlaurion
Copy link

Is there any plan or work on this?

@osbock
Copy link

osbock commented Sep 20, 2023

I think this needs more definition before it's considered. What do you propose the smart card do? The actual encryption? A subset around signature verification/production?
As with all HSMs/SecureEnclaves, you should never use them as "key storage" devices that you then export and use in an external process.
I'm not saying this doesn't have merit, it just needs to be scoped.

@ckcr4lyf
Copy link

I am guessing it is also non-trivial since it would need to rely on lower level OS hardware access, e.g. OpenSC on Linux comes to mind.

@tlaurion
Copy link

tlaurion commented Nov 24, 2023

I can add my two cents here from https://github.com/linuxboot/heads current usage of gnupg toolstack.

Under Heads, gnupg uses OpenPGP smartcard hardware to detach sign and verify signatures of hashes in the goal of having the user authenticate and do integrity validation of /boot content, as well as recently authenticate machine owner prior of going to firmware recovery shell or boot any usb media.

To do so, Heads currently depends un gnupg to

  • factory reset/re-ownership of USB security dongle (gpg --card-edit, factory reset)
  • generate subkeys on smartcard (or copy to card keys generated in memory) for encryption/signature/authentication (gpg --card-edit)
  • detach sign digests (gpg --detach-sign)
  • verify detached signature against public key fused in rom and measured boot by coreboot (gpg --verify)

Heads is looking for a replacement of the gnupg toolstack for a long time to provision opengpg smartcard and for detach-signing and verification operations, considering the toolstack footprint inside of the rom which is currently more then 2mb last time I checked and increases at each version bump.

There is a recent PR under seabios permitting to use provisioned usb dongle for authentication. But that doesn't resolve the provisioning side and re-ownership of the usb security dongle.

It seems that all current alternatives to gnupg are either having experimental smartcard support or none. Following development from afar, but a smaller footprint use smartcards as authentication/integrity purposes would be useful on the embedded world where space is scarce and gnupg is becoming a burden to maintain integration for a while now.

@lubux lubux added the v2 Targeting GopenPGP v2 label Jun 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
v2 Targeting GopenPGP v2
Projects
None yet
Development

No branches or pull requests

6 participants
@tlaurion @osbock @ckcr4lyf @udf2457 @lubux and others