verify secure logs (part one)

This changes implements the log verification to the newlog endpoint, this is the first part of the secure log implementation and it uses a pre-shared key to verify the logs. Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
shjala · Nov 26, 2024 · 478cd64 · 478cd64
1 parent cf974d3
commit 478cd64
Show file tree

Hide file tree

Showing 12 changed files with 567 additions and 90 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
 # Copyright (c) 2019 Zededa, Inc.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM lfedge/eve-alpine:12.1.0 AS build
+FROM lfedge/eve-alpine:591df01e581889c3027514c8a91feaca1c8ad49f AS build
 ENV BUILD_PKGS go git
 RUN eve-alpine-deploy.sh
 

diff --git a/Dockerfile.local b/Dockerfile.local
@@ -1,4 +1,4 @@
-FROM lfedge/eve-alpine:6.2.0 as build
+FROM lfedge/eve-alpine:591df01e581889c3027514c8a91feaca1c8ad49f as build
 ENV PKGS alpine-baselayout
 RUN eve-alpine-deploy.sh
 

diff --git a/Makefile b/Makefile
@@ -5,7 +5,7 @@
 
 IMG ?= lfedge/adam
 HASH ?= $(shell git show --format=%T -s)
-GOVER ?= 1.20.10-alpine3.18
+GOVER ?= 1.22.3-alpine3.18
 
 
 # check if we should append a dirty tag

diff --git a/README.md b/README.md
@@ -3,9 +3,11 @@
 Minimalist Adam is a fork of Adam, stripped down to only contain the essentials. It remains fully functional and is designed for rapid development, easy debugging, and exploring EVE APIs. All data is stored on disk in plain text. Checkout `scripts/bootstrap.sh` to see how to onboard a device.
 
 List of Changes:
-* Only device manager is file.
-* Device manager reworked.
+* Only avaiable device manager is file.
+* Device manager reworked and clean up.
 * "onboard" removed from CLI, now added device correctly gets onboarded.
+* Adam is not bound to only one EVE instance.
+* Implements secure log verification.
 * No need to race with controler to set the device config (after it registers).
 * Less tied to Eden and more like individual component.
 

diff --git a/cmd/device.go b/cmd/device.go
@@ -18,9 +18,12 @@ import (
 )
 
 var (
-	devUUID    string
-	configPath string
-	follow     bool
+	devUUID         string
+	configPath      string
+	follow          bool
+	cacheSecLogKeys bool
+	keyCacheBase    uint64
+	keyCacheMax     uint64
 )
 
 var deviceCmd = &cobra.Command{
@@ -69,7 +72,7 @@ var deviceGetCmd = &cobra.Command{
 		if err != nil {
 			log.Fatalf("unable to read data from URL %s: %v", u, err)
 		}
-		var t server.DeviceCert
+		var t server.DeviceInfo
 		err = json.Unmarshal(buf, &t)
 		fmt.Printf("\nUUID: %s\nDevice Cert:\n%s\nOnboard Cert:\n%s\nOnboard Serial: %s", devUUID, string(t.Cert), string(t.Onboard), string(t.Serial))
 	},
@@ -80,6 +83,7 @@ var deviceAddCmd = &cobra.Command{
 	Short: "add new device",
 	Long:  `Add new device and retrieve the UUID`,
 	Run: func(cmd *cobra.Command, args []string) {
+		var deviceInfo server.DeviceInfo
 		dCert, err := os.ReadFile(certPath)
 		switch {
 		case err != nil && os.IsNotExist(err):
@@ -94,15 +98,38 @@ var deviceAddCmd = &cobra.Command{
 		case err != nil:
 			log.Fatalf("error reading cert file %s: %v", certPath, err)
 		}
+
+		deviceInfo.Cert = dCert
+		deviceInfo.Onboard = oCert
+		deviceInfo.Serial = serial
+
+		if cacheSecLogKeys {
+			if keyCacheMax < keyCacheBase {
+				log.Fatalf("keyCacheMax must be greater than or equal to keyCacheBase")
+			}
+			if keyCacheBase == 0 {
+				log.Fatalf("keyCacheBase must be greater than 0")
+			}
+			if keyCacheMax == 0 {
+				log.Fatalf("keyCacheMax must be greater than 0")
+			}
+			if keyCacheMax%keyCacheBase != 0 {
+				log.Fatalf("keyCacheMax must be a multiple of keyCacheBase")
+			}
+
+			deviceInfo.CacheKeys = true
+			deviceInfo.KeyCacheBase = keyCacheBase
+			deviceInfo.KeyCacheMax = keyCacheMax
+		}
+
+		body, err := json.Marshal(deviceInfo)
+		if err != nil {
+			log.Fatalf("error encoding json: %v", err)
+		}
 		u, err := resolveURL(serverURL, "/admin/device")
 		if err != nil {
 			log.Fatalf("error constructing URL: %v", err)
 		}
-		body, err := json.Marshal(server.DeviceCert{
-			Cert:    dCert,
-			Onboard: oCert,
-			Serial:  serial,
-		})
 		if err != nil {
 			log.Fatalf("error encoding json: %v", err)
 		}
@@ -329,6 +356,9 @@ func deviceInit() {
 	deviceAddCmd.Flags().StringVar(&certPath, "path", "", "path to certificate to add")
 	deviceAddCmd.Flags().StringVar(&onboardCertPath, "onboard-path", "", "path to onboard certificate to add")
 	deviceAddCmd.Flags().StringVar(&serial, "serial", "", "serials to include with the onboard certificate")
+	deviceAddCmd.Flags().BoolVar(&cacheSecLogKeys, "cache-seclog-keys", false, "whether to cache the security log keys on disk")
+	deviceAddCmd.Flags().Uint64Var(&keyCacheBase, "cache-seclog-keys-base", server.DefaultKeyCacheBase, fmt.Sprintf("the base key to start caching from; default value is %d", server.DefaultKeyCacheBase))
+	deviceAddCmd.Flags().Uint64Var(&keyCacheMax, "cache-seclog-keys-max", server.DefaultKeyCacheMax, fmt.Sprintf("the maximum key to cache up to; default value is %d", server.DefaultKeyCacheMax))
 	deviceAddCmd.MarkFlagRequired("path")
 	// deviceRemove
 	deviceCmd.AddCommand(deviceRemoveCmd)

diff --git a/go.mod b/go.mod
@@ -1,37 +1,41 @@
 module github.com/lf-edge/adam
 
-go 1.16
+go 1.22
 
 require (
 	github.com/aohorodnyk/mimeheader v0.0.6
-	github.com/fsnotify/fsnotify v1.4.9 // indirect
-	github.com/go-redis/redis v6.15.7+incompatible
 	github.com/golang/protobuf v1.5.0
 	github.com/google/go-tpm v0.3.3
 	github.com/gorilla/mux v1.7.2
-	github.com/kr/text v0.2.0 // indirect
 	github.com/lf-edge/eve-api/go v0.0.0-20240816135418-f858514b03a3
+	github.com/satori/go.uuid v1.2.1-0.20181028125025-b2ce2384e17b
+	github.com/schollz/progressbar/v3 v3.17.1
+	github.com/spf13/cobra v1.0.0
+	github.com/spf13/viper v1.7.1
+	google.golang.org/protobuf v1.33.0
+)
+
+require (
+	github.com/fsnotify/fsnotify v1.4.9 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/magiconair/properties v1.8.4 // indirect
+	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
 	github.com/mitchellh/mapstructure v1.4.1 // indirect
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
-	github.com/onsi/ginkgo v1.12.0 // indirect
-	github.com/onsi/gomega v1.10.0 // indirect
 	github.com/pelletier/go-toml v1.8.1 // indirect
-	github.com/satori/go.uuid v1.2.1-0.20181028125025-b2ce2384e17b
+	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/spf13/afero v1.5.1 // indirect
 	github.com/spf13/cast v1.3.1 // indirect
-	github.com/spf13/cobra v1.0.0
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.7.1
-	github.com/stretchr/testify v1.7.0
-	github.com/vmihailenco/msgpack/v4 v4.3.11
+	github.com/subosito/gotenv v1.2.0 // indirect
+	golang.org/x/sys v0.27.0 // indirect
+	golang.org/x/term v0.26.0 // indirect
 	golang.org/x/text v0.3.8 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.33.0
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.0 // indirect
 )