Re: BMC image generation without private key

[Patrick Williams <patrick@stwcx.xyz>]

[-- Attachment #1: Type: text/plain, Size: 1388 bytes --]

On Tue, Jan 17, 2023 at 03:21:40PM -0500, Michael Richardson wrote:

> The build server requires authorization from the holder of the private key to
> create signatures.   One way is have direst access to the private key.
> I think that if the build server is so untrusted, then maybe there are other
> problems :-)

I don't have any security guidelines or NIST papers[1] to quote here, but
my impression is that this is a great over-simplification.  Every design 
for signing firmware I've ever seen used in production separates the build
server from the signing server, so there must be good reason for it.

I suspect it stems from it being a lesser-evil if someone unauthorized signs
a one-off image than it is if the private key escapes.  Build servers run
a lot of code and thus have a lot of surface to attack.  A signing
server can have a single remote API ("here is an image and my identity
... give me a signature"), which keeps the signing key(s) safer.

Requiring the private key to be present on the build server likely also
precludes any use of HSMs[2].

1. https://csrc.nist.gov/CSRC/media/Publications/white-paper/2018/01/26/security-considerations-for-code-signing/final/documents/security-considerations-for-code-signing.pdf

2. https://www.opencompute.org/documents/ibm-white-paper-best-practices-for-firmware-code-signing
-- 
Patrick Williams

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]