Merge pull request #510 from tlaurion/gpg2

Gpg2 with all fixes included
linuxboot · Feb 8, 2019 · eafb470 · eafb470
2 parents aef5753 + 695993b
commit eafb470
Show file tree

Hide file tree

Showing 26 changed files with 360 additions and 34 deletions.
diff --git a/Makefile b/Makefile
@@ -393,6 +393,8 @@ bin_modules-$(CONFIG_PCIUTILS) += pciutils
 bin_modules-$(CONFIG_FLASHROM) += flashrom
 bin_modules-$(CONFIG_CRYPTSETUP) += cryptsetup
 bin_modules-$(CONFIG_GPG) += gpg
+bin_modules-$(CONFIG_GPG2) += gpg2
+bin_modules-$(CONFIG_PINENTRY) += pinentry
 bin_modules-$(CONFIG_LVM2) += lvm2
 bin_modules-$(CONFIG_DROPBEAR) += dropbear
 bin_modules-$(CONFIG_FLASHTOOLS) += flashtools

diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config
@@ -6,7 +6,7 @@ export CONFIG_COREBOOT=y
 CONFIG_CRYPTSETUP=y
 CONFIG_FLASHROM=y
 CONFIG_FLASHTOOLS=y
-CONFIG_GPG=y
+CONFIG_GPG2=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y

diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config
@@ -8,7 +8,7 @@ export CONFIG_COREBOOT=y
 CONFIG_CRYPTSETUP=y
 CONFIG_FLASHROM=y
 CONFIG_FLASHTOOLS=y
-CONFIG_GPG=y
+CONFIG_GPG2=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y

diff --git a/boards/qemu-coreboot/qemu-coreboot.config b/boards/qemu-coreboot/qemu-coreboot.config
@@ -17,7 +17,7 @@ CONFIG_FLASHROM=y
 CONFIG_PCIUTILS=y
 CONFIG_UTIL_LINUX=y
 CONFIG_CRYPTSETUP=y
-CONFIG_GPG=y
+CONFIG_GPG2=y
 CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_DROPBEAR=y

diff --git a/boards/qemu-linuxboot/qemu-linuxboot.config b/boards/qemu-linuxboot/qemu-linuxboot.config
@@ -18,7 +18,7 @@ endif
 
 CONFIG_FLASHROM=y
 CONFIG_FLASHTOOLS=y
-CONFIG_GPG=y
+CONFIG_GPG2=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_DROPBEAR=y

diff --git a/boards/x230/x230.config b/boards/x230/x230.config
@@ -6,7 +6,7 @@ CONFIG_LINUX_CONFIG=config/linux-x230.config
 CONFIG_CRYPTSETUP=y
 CONFIG_FLASHROM=y
 CONFIG_FLASHTOOLS=y
-CONFIG_GPG=y
+CONFIG_GPG2=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y

diff --git a/config/linux-kgpe-d16.config b/config/linux-kgpe-d16.config
@@ -64,6 +64,7 @@ CONFIG_PCI_PRI=y
 # CONFIG_COREDUMP is not set
 CONFIG_NET=y
 CONFIG_PACKET=y
+CONFIG_UNIX=y
 CONFIG_INET=y
 CONFIG_SYN_COOKIES=y
 # CONFIG_INET_XFRM_MODE_TRANSPORT is not set

diff --git a/config/linux-librem13v2.config b/config/linux-librem13v2.config
@@ -63,6 +63,7 @@ CONFIG_PCI_PRI=y
 # CONFIG_COREDUMP is not set
 CONFIG_NET=y
 CONFIG_PACKET=y
+CONFIG_UNIX=y
 CONFIG_INET=y
 CONFIG_SYN_COOKIES=y
 # CONFIG_INET_XFRM_MODE_TRANSPORT is not set

diff --git a/config/linux-linuxboot.config b/config/linux-linuxboot.config
@@ -84,6 +84,7 @@ CONFIG_PCI_PRI=y
 CONFIG_IA32_EMULATION=y
 CONFIG_NET=y
 CONFIG_PACKET=y
+CONFIG_UNIX=y
 CONFIG_INET=y
 CONFIG_SYN_COOKIES=y
 # CONFIG_INET_XFRM_MODE_TRANSPORT is not set

diff --git a/config/linux-x230.config b/config/linux-x230.config
@@ -64,6 +64,7 @@ CONFIG_PCI_PRI=y
 # CONFIG_COREDUMP is not set
 CONFIG_NET=y
 CONFIG_PACKET=y
+CONFIG_UNIX=y
 CONFIG_INET=y
 CONFIG_SYN_COOKIES=y
 # CONFIG_INET_XFRM_MODE_TRANSPORT is not set

diff --git a/initrd/.ash_history b/initrd/.ash_history
@@ -1,14 +1,17 @@
-mount /dev/sda1 /boot
-mount -o remount,rw /boot
-rm /boot/kexec_*
-mount-usb
-mkdir -p /media/gpg_keys
-gpg --home=/media/gpg_keys --card-edit
-gpg --home=/media/gpg_keys --export --armor e@mail.address > /media/gpg_keys/public.key
-gpg --home=/media/gpg_keys --export-secret-keys --armor e@mail.address > /media/gpg_keys/private.key
-cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/public.key" -f /media/gpg_keys/public.key
-cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/private.key" -f /media/gpg_keys/private.key
-mount -o remount,ro /media
-flash.sh /media/coreboot.com
+#remove invalid kexec_* signed files
+mount /dev/sda1 /boot && mount -o remount,rw /boot && rm /boot/kexec* && mount -o remount,ro /boot
+#Generate keys from GPG smartcard: 
+mount-usb && gpg --home=/.gnupg/ --card-edit
+#Copy generated public key, private_subkey, trustdb and artifacts to external media for backup: 
+mount -o remount,rw /media && mkdir -p /media/gpg_keys; gpg --export-secret-keys --armor email@address.com > /media/gpg_keys/private.key && gpg --export --armor email@address.com  > /media/gpg_keys/public.key && gpg --export-ownertrust > /media/gpg_keys/otrust.txt && cp -r ./.gnupg/* /media/gpg_keys/ 2> /dev/null
+#Insert public key and trustdb export into reproducible rom:
+cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/public.key" -f /media/gpg_keys/public.key && cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/otrust.txt" -f /media/gpg_keys/otrust.txt
+#Flush changes to external media: 
+mount -o,remount ro /media
+#Flash modified reproducible rom with inserted public key and trustdb export from precedent step. Flushes actual rom's keys (-c: clean):
+flash.sh -c /media/coreboot.rom
+#Attest integrity of firmware as it is
+seal-totp
+#Verify Intel ME state:
 cbmem --console | grep '^ME'
 cbmem --console | less
diff --git a/initrd/.gnupg/gpg-agent.conf b/initrd/.gnupg/gpg-agent.conf
@@ -0,0 +1,3 @@
+scdaemon-program /bin/scdaemon
+pinentry-program /bin/pinentry-tty
+daemon
diff --git a/initrd/.gnupg/gpg.conf b/initrd/.gnupg/gpg.conf
@@ -0,0 +1 @@
+use-agent
diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh
@@ -101,9 +101,9 @@ while true; do
           if (whiptail --title 'Flash ROM?' \
               --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then
             if [ "$menu_choice" == "c" ]; then
-              /bin/flash.sh -c $ROM
+              /bin/flash.sh -c "$ROM"
             else
-              /bin/flash.sh $ROM
+              /bin/flash.sh "$ROM"
             fi
             whiptail --title 'ROM Flashed Successfully' \
               --msgbox "$ROM flashed successfully. Press Enter to reboot" 16 60
@@ -137,18 +137,43 @@ while true; do
             ROM=$FILE
           fi
 
-          cat $PUBKEY | gpg --import
-          cp $ROM /tmp/gpg-gui.rom
-          if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg") then
-            cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
+          cat "$PUBKEY" | gpg --import
+          #update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys
+          gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust
+          gpg --update-trust
+
+          cp "$ROM" /tmp/gpg-gui.rom
+          if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx"); then
+            cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
+            if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg"); then
+              cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
+              if [ -e /.gnupg/pubring.gpg ];then
+                rm /.gnupg/pubring.gpg
+              fi
+            fi
+          fi
+
+          #to be compatible with gpgv1
+          if [ -e /.gnupg/pubring.kbx ];then
+            cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
+            if [ -e /.gnupg/pubring.gpg ];then
+              rm /.gnupg/pubring.gpg
+            fi
+          fi
+          if [ -e /.gnupg/pubring.gpg ];then
+            cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
           fi
-          cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
 
           if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
             cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
           fi
           cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
 
+          #Remove old method owner trust exported file
+          if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
+            cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
+          fi
+
           if (whiptail --title 'Flash ROM?' \
               --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then
             /bin/flash.sh /tmp/gpg-gui.rom
@@ -179,17 +204,42 @@ while true; do
             exit 1
           fi
 
-          cat $PUBKEY | gpg --import
-          if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg") then
-            cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
+          cat "$PUBKEY" | gpg --import
+          #update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys
+          gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust
+          gpg --update-trust
+
+          if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx"); then
+            cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
+            if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg"); then
+              cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
+              if [ -e /.gnupg/pubring.gpg ];then
+                rm /.gnupg/pubring.gpg
+              fi
+            fi
+          fi
+
+          #to be compatible with gpgv1
+          if [ -e /.gnupg/pubring.kbx ];then
+            cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
+            if [ -e /.gnupg/pubring.gpg ];then
+              rm /.gnupg/pubring.gpg
+            fi
+          fi
+          if [ -e /.gnupg/pubring.gpg ];then
+            cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
           fi
-          cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
 
           if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
             cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
           fi
           cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
 
+          #Remove old method owner trust exported file
+          if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
+            cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
+          fi
+
           if (whiptail --title 'Update ROM?' \
               --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then
             /bin/flash.sh /tmp/gpg-gui.rom

diff --git a/initrd/bin/key-init b/initrd/bin/key-init
@@ -5,9 +5,13 @@ set -e -o pipefail
 # Post processing of keys
 
 # Import user's keys
-gpg --import /.gnupg/keys/* 2>/dev/null || true
+gpg --import /.gnupg/keys/*.key  /.gnupg/keys/*.asc 2>/dev/null || true
 
 # Import trusted distro keys allowed for ISO signing
 gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null || true
+#Set distro keys trust level to ultimate (trust anything that was signed with these keys)
+gpg --homedir=/etc/distro/ --list-keys --fingerprint --with-colons|sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --homedir=/etc/distro/ --import-ownertrust 2>/dev/null || true
+gpg --homedir=/etc/distro/ --update-trust 2>/dev/null || true
+
 # Add user's keys to the list of trusted keys for ISO signing
 gpg --export | gpg --homedir=/etc/distro/ --import 2>/dev/null || true
diff --git a/initrd/init b/initrd/init
@@ -49,6 +49,9 @@ if [ "$CONFIG_LINUXBOOT" = "y" ]; then
 	/bin/uefi-init
 fi
 
+# Set GPG_TTY before calling gpg in key-init
+export GPG_TTY=$(tty)
+
 /bin/key-init
 
 # Setup recovery serial shell

diff --git a/modules/gpg2 b/modules/gpg2
@@ -0,0 +1,60 @@
+modules-$(CONFIG_GPG2) += gpg2
+
+gpg2_version := 2.2.10
+gpg2_dir := gnupg-$(gpg2_version)
+gpg2_tar := gnupg-$(gpg2_version).tar.bz2
+gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar)
+gpg2_hash := 799dd37a86a1448732e339bd20440f4f5ee6e69755f6fd7a73ee8af30840c915
+
+# For reproducibility reasons we have to override the exec_prefix
+# and datarootdir on the configure line so that the Makefiles will
+# be generated with the correct paths, but then re-write them when
+# we use the install target so that they will be copied to the correct
+# location.
+gpg2_configure := ./configure \
+	$(CROSS_TOOLS) \
+	CPPFLAGS="-I$(INSTALL)/include/libusb-1.0" \
+	--host x86_64-linux-musl \
+	--with-libusb="$(INSTALL)" \
+	--with-libgpg-error-prefix="$(INSTALL)" \
+	--with-libgcrypt-prefix="$(INSTALL)" \
+	--with-libassuan-prefix="$(INSTALL)" \
+	--with-ksba-prefix="$(INSTALL)" \
+	--with-npth-prefix="$(INSTALL)" \
+	--prefix "/" \
+	--libexecdir "/bin" \
+	--enable-scdaemon \
+	--enable-ccid-driver \
+	--disable-tofu \
+	--disable-rpath \
+        --disable-regex \
+        --disable-doc \
+	--disable-bzip2 \
+	--disable-asm \
+	--disable-exec \
+	--disable-photo-viewers \
+	--disable-keyserver-helpers \
+	--disable-ldap \
+	--disable-hkp \
+	--disable-finger \
+	--disable-dns-srv \
+	--disable-dns-cert \
+	--disable-regex \
+	--disable-nls \
+	--disable-all-tests \
+	--disable-wks-server \
+	--disable-wks-tools \
+	--disable-gnutls \
+	--disable-dirmngr \
+
+# Run one build to generate the executables with the pre-defined
+# exec_prefix and datarootdir, then a second make to install the binaries
+# into our actual target location
+gpg2_target := $(MAKE_JOBS) \
+	&& $(MAKE) -C $(build)/$(gpg2_dir) \
+		DESTDIR="$(INSTALL)" \
+		install
+
+gpg2_output := g10/gpg agent/gpg-agent scd/scdaemon
+
+gpg2_depends := libgpg-error libgcrypt libksba libassuan npth libusb-compat $(musl_dep)
diff --git a/modules/libassuan b/modules/libassuan
@@ -0,0 +1,24 @@
+modules-$(CONFIG_GPG2) += libassuan
+libassuan_version := 2.5.1
+libassuan_dir := libassuan-$(libassuan_version)
+libassuan_tar := libassuan-$(libassuan_version).tar.bz2
+libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar)
+libassuan_hash := 47f96c37b4f2aac289f0bc1bacfa8bd8b4b209a488d3d15e2229cb6cc9b26449
+
+libassuan_configure := ./configure \
+	$(CROSS_TOOLS) \
+	--host x86_64-linux-musl \
+	--prefix "/" \
+	--disable-static \
+	--disable-nls \
+	--with-libgpg-error-prefix="$(INSTALL)" \
+	--disable-asm \
+
+libassuan_target := $(MAKE_JOBS) \
+	DESTDIR="$(INSTALL)" \
+	$(CROSS_TOOLS) \
+	install \
+
+libassuan_libraries := src/.libs/libassuan.so.0
+
+libassuan_depends := libgpg-error $(musl_dep)
diff --git a/modules/libgcrypt b/modules/libgcrypt
@@ -0,0 +1,24 @@
+modules-$(CONFIG_GPG2) += libgcrypt
+libgcrypt_version := 1.8.3
+libgcrypt_dir := libgcrypt-$(libgcrypt_version)
+libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2
+libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar)
+libgcrypt_hash := 66ec90be036747602f2b48f98312361a9180c97c68a690a5f376fa0f67d0af7c
+
+libgcrypt_configure := ./configure \
+	$(CROSS_TOOLS) \
+	--host=x86_64-linux-musl \
+	--prefix "/" \
+	--disable-static \
+	--with-libgpg-error-prefix="$(INSTALL)" \
+	--disable-asm \
+	--disable-nls \
+
+libgcrypt_target := $(MAKE_JOBS) \
+	DESTDIR="$(INSTALL)" \
+	$(CROSS_TOOLS) \
+	install \
+
+libgcrypt_libraries := src/.libs/libgcrypt.so.20
+
+libgcrypt_depends := libgpg-error $(musl_dep)
diff --git a/modules/libgpg-error b/modules/libgpg-error
@@ -0,0 +1,26 @@
+modules-$(CONFIG_GPG2) += libgpg-error
+libgpg-error_version := 1.32
+libgpg-error_dir := libgpg-error-$(libgpg-error_version)
+libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2
+libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar)
+libgpg-error_hash := c345c5e73cc2332f8d50db84a2280abfb1d8f6d4f1858b9daa30404db44540ca
+
+libgpg-error_configure := ./configure \
+	$(CROSS_TOOLS) \
+	--prefix "/" \
+	--host=x86_64-linux-musl \
+	--disable-static \
+	--disable-nls \
+	--disable-languages \
+	--disable-doc \
+	--disable-tests \
+	--disable-asm \
+
+libgpg-error_target := $(MAKE_JOBS) \
+	DESTDIR="$(INSTALL)" \
+	$(CROSS_TOOLS) \
+	install \
+
+libgpg-error_libraries := src/.libs/libgpg-error.so.0
+
+libgpg-error_depends := $(musl_dep)