shared: generalize signature schemes #303
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…t packages Now, it is possible to build any package of the workspace in a fine grained fashion.
We want here to capture the required data to assemble a stub, here is a partial structure modulo ESP generation paths. Other pieces of code can consume this structure, validate it before passing it to the PE assembler and the signer. We convert everything into owned structures because we cannot really do deserialization in any context with lifetimes going around, but, allocations are generally very cheap in this context.
RaitoBezarius
force-pushed
the
refactor-signature
branch
3 times, most recently
from
a8fabe0
to
0ca99b0
Compare
In order to offer more flexible signature mechanisms in lanzaboote, we need to take a step back and offer a general PE signature trait. After this, we will be able to plug various different implementations.
Our lanzaboote integration tests are getting more and more sophisticated and ambitious. Let's extract them into a "lanzalib", so they can be used with multiple backends.
We didn't test if there *was* a signature, idempotency of removal of signatures (i.e. removing an non-existent signature is the identity operation) could fool us into believing we had a signed thing then not signed.
We fabricated a lot of initrds which were exactly the same as the one in our store when we had no initrd secrets. This ends this practice.
RaitoBezarius
force-pushed
the
refactor-signature
branch
from
0ca99b0
to
1b40d87
Compare
|
@blitz I added more documentation (overview too), let me know if this is what you had in mind or where would you like me to expand. |
blitz
reviewed
Mar 19, 2024
| @@ -0,0 +1,34 @@ | |||
| # Signatures capabilities of Lanzaboote | |||
There was a problem hiding this comment.
This documentation is nice, but it looks like it should be the module documentation for the signature module and not a standalone README. Part of this can also go away, because it duplicates documentation of the LanzabooteSigner trait.
blitz
reviewed
Mar 19, 2024
|
|
||
| use crate::pe::StubParameters; | ||
|
|
||
| pub trait LanzabooteSigner { |
There was a problem hiding this comment.
nit: This could just be Signer. Otherwise we can start to prefix everything with the project name. :)
blitz
reviewed
Mar 19, 2024
| if std::io::stderr().write_all(&output.stderr).is_err() { | ||
| return Ok(false); | ||
| }; | ||
| // XXX(Raito): do we want to bubble up this type of errors? :/ |
There was a problem hiding this comment.
If !success means "either not signed or something else went wrong", we might not want to treat this as an error. But I also understand the other side of the argument.
blitz
requested changes
Mar 19, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Split off #278. Contains only signature generalization contents and misc refactoring to make things easier for the remote signing PR.