Add support for encrypted credentials by poettering · Pull Request #19995 · systemd/systemd

poettering · 2021-06-22T21:40:51Z

This adds LoadCredentialEncrypted= and SetCredentialEncrypted=, similar in style to LoadCredential=/SetCredential=, but taking encrypted credentials. These credentials are symmetrically encrypted with a TPM2 key and/or a key stored in /var/lib/systemd/, and only decrypted the instant a service needing them is started.

This has the benefit that credentials can remain encrypted on disk, until they are needed. It also has the benefit that these credentials can be stored on untrusted storage (e.g. inside an initrd or an ESP) and still be used reasonably securely. Moreover, to steal a credential it is no longer sufficient to copy the storage disk, but the TPM2 chip has be stolen too. Additionally, it has the benefit that the keys can be pasted directly inside of unit files this way. Unit files are considered to be readable by unprivileged users after all, but if any embedded credentials are encrypted they aren't compromised by this.

Focus is on making it trivially easy to bind credentials to the TPM2, but provide a reasonably secure fallback in environments where TPM2 is not available.

This adds a tool "systemd-creds" for encrypting/decrypting the credentials easily.

Docs and integration tests still missing.

lgtm-com · 2021-06-22T22:20:58Z

This pull request introduces 2 alerts when merging 39c85df into b905f3b - view on LGTM.com

new alerts:

2 for FIXME comment

bluca · 2021-06-22T22:24:38Z

Nicea feature! And I have a use case for this coming up, so yay! Will look in detail tomorrow, in the meanwhile the CI is unhappy:

==32344==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000015 (pc 0x7f8678a988f2 bp 0x7ffc668f5900 sp 0x7ffc668f5800 T0)
==32344==The signal is caused by a READ memory access.
==32344==Hint: address points to the zero page.
    #0 0x7f8678a988f1 in extract_first_word ../../../../src/basic/extract-word.c:35
    #1 0x5596d24076f2 in config_parse_set_credential ../../../../src/core/load-fragment.c:4493
    #2 0x7f86787d07f4 in next_assignment ../../../../src/shared/conf-parser.c:137
    #3 0x7f86787d181e in parse_line ../../../../src/shared/conf-parser.c:244
    #4 0x7f86787d2a40 in config_parse ../../../../src/shared/conf-parser.c:384
    #5 0x5596d23cc1af in LLVMFuzzerTestOneInput ../../../../src/core/fuzz-unit-file.c:74
    #6 0x5596d23ccb10 in main ../../../../src/fuzz/fuzz-main.c:50
    #7 0x7f86771d80b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #8 0x5596d23cab5d in _start (/home/runner/work/systemd/systemd/build/test/fuzz/sanitize-address-undefined-fuzzers/fuzz-unit-file+0x573b5d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/basic/extract-word.c:35 in extract_first_word

lgtm-com · 2021-06-23T08:19:53Z

This pull request introduces 2 alerts when merging 6f4ea2e into b905f3b - view on LGTM.com

new alerts:

2 for FIXME comment

lgtm-com · 2021-06-23T13:10:19Z

This pull request introduces 2 alerts when merging abfe702 into b905f3b - view on LGTM.com

new alerts:

2 for FIXME comment

lgtm-com · 2021-06-23T15:14:39Z

This pull request introduces 2 alerts when merging 1cbae50 into b905f3b - view on LGTM.com

new alerts:

2 for FIXME comment

poettering · 2021-06-24T09:13:17Z

Added docs and test. This is ready for review I guess. Post 249 material of course.

lgtm-com · 2021-06-24T09:57:15Z

This pull request introduces 2 alerts when merging c2c4253 into 6222acc - view on LGTM.com

new alerts:

2 for FIXME comment

lgtm-com · 2021-06-24T12:43:07Z

This pull request introduces 2 alerts when merging 1da349a into b80ef40 - view on LGTM.com

new alerts:

2 for FIXME comment

lgtm-com · 2021-06-24T14:54:47Z

This pull request introduces 2 alerts when merging 09c9453 into 86e24d6 - view on LGTM.com

new alerts:

2 for FIXME comment

lgtm-com · 2021-06-24T18:39:59Z

This pull request introduces 2 alerts when merging 9806867 into eb70d94 - view on LGTM.com

new alerts:

2 for FIXME comment

src/basic/fileio.c

src/shared/creds-util.c

keszybz

I like this a lot. It's genius in its simplicity and versatility.

I think we shouldn't merge this before v249 though, to give it a bit of time to settle. I'll do a proper review later.

man/systemd-creds.xml

src/shared/creds-util.c

bluca · 2021-07-01T16:52:45Z

Force pushed a new version, addressing all issues (except for the dbus docs one)

Maybe we should ask Github to enhance CoPilot to create those docs for us!

bluca

LGTM

lgtm-com · 2021-07-01T17:28:59Z

This pull request introduces 2 alerts when merging 556b682 into 66e6128 - view on LGTM.com

new alerts:

2 for FIXME comment

lgtm-com · 2021-07-07T20:26:35Z

This pull request introduces 2 alerts when merging 47b2b66 into f627855 - view on LGTM.com

new alerts:

2 for FIXME comment

…rks without "khash" So, as it turns out AF_ALG is turned off in a lot of kernels/container environments, including our CI. Hence, if we link against OpenSSL anyway, let's just use that client side. It's also faster. One of those days we should drop the khash code, and ust use OpenSSL, once the licensing issues are resolved.

…om journalctl This moves the code for setting chattr file attributes appropriate for "secrets" files from journalctl into generic chattr-util.c code so that we can use it elsewhere. Also, let's reuse the "bitwise" logic already implemented in the chattr code, instead of doing it again.

This is preparation for adding encryption support to the credentials logic, and we thus would like to add more deps. Let's hence move things from src/basic/ to src/shared, so that we can rely on the OpenSSL utilities already in src/shared.

…ntials

lgtm-com · 2021-07-08T08:25:06Z

This pull request introduces 2 alerts when merging 199b097 into 105a424 - view on LGTM.com

new alerts:

2 for FIXME comment

jameshilliard · 2021-09-23T13:58:23Z

TODO

+
+* credentials system:
+  - acquire from kernel command line
+  - acquire from EFI variable?


I like this idea a lot, I have to support a number of boards that don't have dedicated TPM's where it would be quite handy to be able to bind authentication credentials to motherboards, this could be used for a number of use cases such as:

ensuring that one can't accidentally duplicate authentication credentials when cloning hard drives by forcing a regeneration of credentials if decryption fails due to a missing EFI variable

simplify secure hard drive reuse/resale during upgrade cycles in cases where the hard disks are replaced with their associated motherboards being kept in operation

providing a clean transition path to more secure TPM based credential storage

would be delighted to review a patch for this

Hmm, I wonder...would this actually be possible to do already by just redirecting /var/lib/systemd/credentials.secret to something in /sys/firmware/efi/efivars?

Not sure how best/where to implement this though, would we want to have this integrated with systemd-boot in some way or just pull it from efivars once booted?

poettering added pid1 new-feature do-not-merge 💣 tpm2 labels Jun 22, 2021

github-actions bot added the journal label Jun 22, 2021

poettering force-pushed the cred-tool branch from 39c85df to 6f4ea2e Compare June 23, 2021 07:36

poettering force-pushed the cred-tool branch from 6f4ea2e to abfe702 Compare June 23, 2021 12:30

poettering force-pushed the cred-tool branch from abfe702 to 1cbae50 Compare June 23, 2021 14:35

poettering force-pushed the cred-tool branch from 1cbae50 to c2c4253 Compare June 24, 2021 09:12

poettering removed the do-not-merge 💣 label Jun 24, 2021

poettering force-pushed the cred-tool branch from c2c4253 to 1da349a Compare June 24, 2021 12:04

poettering force-pushed the cred-tool branch from 1da349a to 09c9453 Compare June 24, 2021 14:13

poettering force-pushed the cred-tool branch from 09c9453 to 9806867 Compare June 24, 2021 17:56