-
Notifications
You must be signed in to change notification settings - Fork 191
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
When encrypting, allow some info in clear in the manifest #919
Comments
In the current design, the encrypted CMS wraps the (plain-text) signature CMS completely, which allows keeping the existing bundle structure and doesn't require an additional (rauc-specific) container to keep the encrypted and plain-text parts separate. Any such container would have to be unsigned and so the code to handle it in RAUC would be additional attack surface. One of the sponsors of this feature also had a use-case where the bundle meta-data should be encrypted as well. So, to keep the overall complexity as low a possible, we decided to only support the fully encrypted approach. One additional reason of this design is the following (see also https://rauc.readthedocs.io/en/latest/advanced.html#scalability): That tool would take the CMS signature part (which contains the manifest) from the unencrypted bundle and use This way, there is some additional complexity in the management tooling, but as it's outside of the signed/authenticated path, it's not as critical. |
Thanks for the explainations. I get your point (and I never doubted about the usefulness of the use-case). If we wanted to envision and design a solution where:
For what I understand:
Now:
|
I can see some use-cases, but I'm not sure if it's a good idea. A detailed design would probably allow us to decide that. Some things that would need to be ensured:
We currently don't have a project that requires this, so (for now) please don't expect us to push this. |
After some investigation, it looks like adding clear, signed information would have a big impact on the current solution. Both the code and the bundle would be modified a lot. (Mostly because currently the secret key, in clear text, is signed.) As this RFE seems to get no traction, an alternative solution could get the job done without modifying RAUC. Simply adding the metadata (Model, Version, ...) to the encrypted CMS as un-encrypted, un-signed attributes. The question is: would RAUC be interested in adding extra attributes to the final CMS?
|
Personally I would answer this with a clear 'yes and no'.
I would prefer this solution since I assume that your are not the only one with such a use case. But, currently I do not have a good feeling about what kind of information should be exposed and which not. So for example, what kind of decisions would you base on verified/unverified information if they were available?
If in the end it turns out that this is the only way for now, keeping us informed would be really helpful indeed. |
@BrunoVernay any update on this? Have you found a solution to add some clear text? It looks like the crypt bundle does not have any special header/trailer struct. It simply has a 8 trailing bytes (uint64) defining the signature size. The signature size is used to calculate the signature offset (seekend(file) - signature size) But would it be ok if a cleartext trailer is added before the last 8 bytes and the signature size is increased accordingly? |
RAUC supports encryption: https://rauc.readthedocs.io/en/latest/advanced.html#bundle-encryption This is great.
Currently, the whole manifest is encrypted https://rauc.readthedocs.io/en/latest/reference.html?highlight=manifest#sec-ref-formats
It would be nice to encrypt only the symmetric key used to (de)crypt the payload. That would leave the meta-data (Compatible targets, Version, Description, Signature, ...) in clear, allowing tools to manage the bundle without requiring the key.
The text was updated successfully, but these errors were encountered: