Proposal 64: Allowlist signing and verification improvements

[mbestavros]

Accompanies #64

Signed-off-by: Mark Bestavros mbestavr@redhat.com

[mbestavros]

@lukehinds @mpeters likely of interest to both of you 😄

[mpeters]

Can this be expanded to things beyond just allowlists? Can we also include measured boot refstates? Payloads? Just spitballing a bit here.

[THS-on]

It would be nice if we could combine this proposal with the completion of https://github.com/keylime/enhancements/blob/master/38-allowlist-management.md and put the entire verification code on the server side not the tenant.
This has the advantage, that if you integrate Keylime into other products directly with the Keylime APIs (this is what we are doing) this feature is still useful.

[lukehinds]

Can this be expanded to things beyond just allowlists? Can we also include measured boot refstates? Payloads? Just spitballing a bit here.

other things is a good idea, but I think payloads are already protected as part of the agent k,v key schema?

[lukehinds]

we should also look at signed bundles here, for air gapped machines. They do something similar in cosign, and we can replicate that into the keylime tenant CLI

[mpeters]

You can include the signed bundle work flow as another user story.

[lukehinds]

I know you plan to refactor the key verification into the verifier (good move), would this enhancement follow that work? If so I expect the inclusion proofs will occur in the verifier (or maybe both)?

[mpeters]

I agree. I think this is a good time to move this verification into the verifier and it should be part of this propsoal.

[lukehinds]

just a nit, but i would go for allowlist-verify-tlog or rekor-verify to save a few keystrokes for users :)

[mpeters]

Agreed. We're already using some pretty long options to the tenant, no need to make it worse.

[lukehinds]

It would be nice if we could combine this proposal with the completion of https://github.com/keylime/enhancements/blob/master/38-allowlist-management.md and put the entire verification code on the server side not the tenant. This has the advantage, that if you integrate Keylime into other products directly with the Keylime APIs (this is what we are doing) this feature is still useful.

Yep, agree. We could have the tenant generate keys and sign things, but all verification should happen on the verifier side. That way any client side implementation can do the signing however it wants to. I spoke with @mbestavros and he has the same view and onboard with that.

[lukehinds]

p.s whats the status of https://github.com/keylime/enhancements/blob/master/38-allowlist-management.md, did that get underway?

[THS-on]

p.s whats the status of https://github.com/keylime/enhancements/blob/master/38-allowlist-management.md, did that get underway?

Basic CRUD functionality is there, but the lists are not shared between agents. In the current scenario the tenant downloads the list and then adds it to the agent when it is added to the verifier which is not ideal.
A better way would be that the only allowlist name is sent and the verifier gets that information when needed from the database.

[mpeters]

You can include the signed bundle work flow as another user story.

[mpeters]

Since this is a feature for enhanced security, we should add some notes about how the security review will take place.

[mbestavros]

What would that look like? Are there any existing enhancement proposals that have suitable language I could draw on?

[mpeters]

I agree. I think this is a good time to move this verification into the verifier and it should be part of this propsoal.

[mpeters]

Agreed. We're already using some pretty long options to the tenant, no need to make it worse.

[mpeters]

Useful defaults are good.

[mpeters]

This will need to be done carefully. We can't always assume tests will have access to the outside internet. CI should be fine as that needs to download packages, etc, but local runs might not be connected. So we should have a way to skip the test if the public tlog can't be reached, or at least fail gracefully so devs can know if they need to be concerned.

[mpeters]

The "more or less" seems wishy washy. Maybe something like "Sigstore is the best known suitable transparency log for this kind of application. While the public-good version is a great option, users can always run their own internal versions for enhanced control and security. And our design does not preclude the use of other compatible transparency logs in the future". Or something like that.

[mbestavros]

I've written a second draft of the proposal that incorporates verifier-side signing as part of the design, and have addressed various bits of feedback. Would love another round of review!

cc @mpeters @lukehinds @THS-on

[THS-on]

@mbestavros @mpeters what do you thing about using JSON Web Signature as a standard format for the IMA policy signatures?

[mpeters]

I could be wrong, but my reading of the JWS spec is that it's more akin to JWT in that it's for small structures that are then hashed/signed and passed around with HMACs, suitable for cookies and HTTP headers. Nothing as large and sprawling as a host's allowlist.

[lukehinds]

Not a big fan of JWS myself, its prone to multiple attacks and users can easily shoot themselves in the foot with how loosely opinionated it is on setting algorithm types etc. A lot of the flaws are covered in here: https://nathantypanski.com/blog/2021-12-24-jws-nightmare.html

It's a lot simpler to just have a key pair coupled with X509, it works well and is not as error prone.

[THS-on]

@lukehinds thanks for the link. I was just looking if there is a standard for putting signatures in json objects, but I agree that for our use case JWS is not a great fit.

We can do just something like this:

{
  "payload": "BASE64(ima_policy)",
  "signature": "BASE64(signature)",
  "type": "(GPG|X509)"
}

[lukehinds]

@THS-on , ahh, I get you now. Interesting!

So what you outlined there, is quite similar to TUF (theupdateframework.org), the use a very similair manifest layout, where you sign over the body (or payload as you have here). https://theupdateframework.github.io/specification/latest/#rootjson

I think something like this is a good idea as we could even parse out different styles of manifest, so to take your example:

{
  "payload": "BASE64(ima_policy)",
  "signature": "BASE64(signature)",
  "type": "SPDX",
  "alg": "(GPG|X509)"
}

My thinking here is @THS-on that we could have keylime attest SBOMs. Someone for example compiles a go binary (or any compiled lang). They then sign the digest (or list of digests) using a keypair. This SBOM can then be fed into Keylime who will in turn measure the binary at execution time using IMA.

This way a developer or a CI system could build some source code and then at the other end, when it runs in production, we ensure it has not been tampered with.

I think I will try and sketch some ideas out in a google doc and share it back with you.

@mbestavros apologies about noodling on this matter, mid flight of your PR, but I think this is an exciting topic.

[THS-on]

@lukehinds this kind of format makes sense. SBOMs sound interesting, but I have no experience with that. Can we encode your current IMA configuration (keys, allowlist, exclude list, several configuration settings) as an SBOM?

The question is where we want to implement support for this?
If it is part of the tenant, it is not useful to all Keylime users because for example we directly use the verifier API.
If it is part of the verifier, we need to make sure that the API that we expose is rather easy to integrate and that feature is long term maintainable because it is now part of the Keylime API.

[THS-on]

I think this is now superseded by #89, @mbestavros correct?

[mbestavros]

@THS-on More or less. Some details of this PR are already in Keylime as natural consequences of other work, like storing unmodified policies on the verifier and verifier-side signature checks. But this didn't account for attached signatures, which supersedes most of the ideas here.