share/man/man7/trust-config.7
- This file was added.
.\" Copyright (c) 2017 Eric McCorkle
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd April 25, 2017
.Dt TRUST-CONFIG 7
.Os
.Sh NAME
.Nm trust-config
.Nd "trust system configuration"
.Sh DESCRIPTION
The trust system configuration specifies the trust root certificates
and intermediate certificates, and provides the trusted signing keys,
allowing users to create signed executables (see
.Xr signed-elf 5 )
as well as other signed assets.
It provides the default keys to
.Xr signelf 8
and other utilities, and controls which keys are included in critical
system components as the builtin trust root set.
.Sh TERMINOLOGY
The trust configuration controls the behavior of a system consisting
of several parts with interlocking functions; thus, it is essential to
be clear about the terminology used to describe both the system and
its configuration.
.Ss Trust Root Certificates
The
.Sy trust root certificates
are a set of public (verification) certificates which are built
directly into critical system components.
The trust root certificates are then used to verify intermediate
certificates, revocation lists, signed executables, and other signed
assets.
.Pp
System components such as the kernel and
.Xr loader 8
which play an essential role in the chain of custody from boot to user
must necessarily include the trust root set in their binaries (which
are presumably verified by earlier boot stages or stored in flash
memory).
The build process must therefore collect a set of desired keys and
build them into these components.
The
.Sy trust root configuration
is the set of certificates and additional information that controls
this aspect of the build process.
.Ss Intermediate Certificates
The
.Sy intermediate certificates
are a set of public (verification) certificates which have a valid
signature chain back to a trust root certificate.
The combined set of intermediate and root certificates is known as the
.Sy trust certificates .
.Ss Trusted Signing Keys
The
.Sy trusted signing keys
are a set of private keys that correspond to public keys in the trust
certificates.
These are used to produce signatures for various assets that can be
verified by the trust certificates.
.Ss Trust System Configuration
The
.Sy trust system configuration
is the combination of the trust root configuration and the trusted
signing keys.
.Sh FILES
The trust system configuration consists of the following files and
directories:
.Bl -bullet -offset indent
.It
.Pa /etc/trust/ :
The base directory for the trust system configuration
.It
.Pa /etc/trust/certs/ :
The directory containing the intermediate trust certificates
.It
.Pa /etc/trust/priv/ :
The directory containing the intermediate signing keys
.It
.Pa /etc/trust/root/ :
The base directory for the trust root configuration
.It
.Pa /etc/trust/root/certs/ :
The directory containing the trust root certificates
.It
.Pa /etc/trust/root/priv/ :
The directory containing the trust root signing keys
.El
.Pp
The trusted signing key directories
.Pa /etc/trust/priv/
and
.Pa /etc/trust/root/priv/
contain PEM-encoded private keys or PKCS#8 data structures.
The standard file naming convention for a key named
.Qq mykey
is
.Pa mykey.pem .
.Pp
The trusted certificate directories
.Pa /etc/trust/certs/
and
.Pa /etc/trust/root/certs/
contain PEM-encoded X.509 certificates, and are generally compatible
with OpenSSL CA directory parameters or configuration options (note
that OpenSSL's directory lookup expects the hashed file names produced
by
.Nm c_rehash
or
.Nm openssl rehash ,
so a directory used through such an option needs those links alongside
the named files).
Certificates under
.Pa /etc/trust/root/certs/
will typically be self-signed certificates, though nothing prevents
the inclusion of certificates signed by a third party.
Note, however, that signatures on trust root certificates are ignored
by all trust system components: a certificate in this directory is
trusted because of where it is installed, not because of who signed it.
Certificates under
.Pa /etc/trust/certs/
must have a valid chain of signatures back to a certificate under
.Pa /etc/trust/root/certs/ .
.Ss Trusted Signing Keys
Some certificates in the trust certificate directories correspond to
trusted signing keys in
.Pa /etc/trust/priv/
or
.Pa /etc/trust/root/priv/ .
The naming convention for signing keys and their corresponding
certificates is as follows.
Signing key filenames consist of the key's name, followed by ".pem".
The corresponding certificate consists of the same name, followed by
".pub.pem".
Certificates in
.Pa /etc/trust/certs/
may optionally be preceded by up to four numerals (0-9), followed by
a "." (this allows administrators to control the order in which
intermediate certificates will be encountered when listing a
directory).
No such prefix is used under
.Pa /etc/trust/root/certs/ .
.Pp
For example, the filename for a private key named
.Qq mykey
would be
.Pa mykey.pem ,
and its corresponding certificate would be
.Pa mykey.pub.pem
(or possibly
.Pa 00.mykey.pub.pem ,
if it were stored in
.Pa /etc/trust/certs/ ) .
Additionally, keys in
.Pa /etc/trust/priv/
may only correspond to certificates in
.Pa /etc/trust/certs/ ;
similarly, keys in
.Pa /etc/trust/root/priv/
may only correspond to certificates in
.Pa /etc/trust/root/certs/ .
It is an illegal configuration to have a key in
.Pa /etc/trust/priv/
and a corresponding certificate in
.Pa /etc/trust/root/certs/ ,
or vice versa.
It is also an illegal configuration to have certificates or keys with
the same name in both
.Pa /etc/trust/root/
and
.Pa /etc/trust/ .
.Ss Third-Party Trust Keys
It is not required that all public key certificates in the trust root
configuration have a corresponding trusted signing key (with one
exception; see below).
There are many circumstances in which this may be desirable, such as
administration of large networks or distribution of pre-built
binaries from a trusted source.
Public-key certificates in the trust root configuration without a
corresponding trusted signing key are known as
.Qq third-party keys .
.Pp
It is important to consider the security implications of third-party
keys before accepting such a key into a trust root configuration:
anything signed by the holder of that key is accepted by every
component that embeds the trust root set, and the root set cannot be
changed without rebuilding those components.
Because of the severity of these implications, there is no requirement
that any configuration include any third-party key(s), nor will there
ever be such a requirement.
.Pp
Furthermore, the
.Xr signelf 8
utility is perfectly capable of overwriting signatures from
third-party keys with a signature generated by a locally-controlled
keypair; thus, assets signed by a third party can easily be inspected
and re-signed locally at the behest of the system administrator.
.Ss Local Keypair
The key name
.Qq local
(which corresponds to the private key path
.Pa /etc/trust/root/priv/local.pem
and the public key path
.Pa /etc/trust/root/certs/local.pub.pem
by the file naming conventions) is used as the default keypair by
tools such as
.Xr signelf 8 .
This keypair is known as the
.Sy local keypair ,
should be generated locally on each installation, and should generally
not be exported to other installations.
Most user-oriented systems and all systems that build the base system
or packages locally for their own use should have a local keypair.
.Pp
It is possible for some installations to lack a local keypair,
particularly on infrastructure-type systems that are set up using
standardized images or configuration management systems.
Such systems generally do not build anything locally and rely on
pre-built packages for installation and upgrades.
.Pp
However, it is an illegal configuration for there to be a public key
certificate named
.Pa /etc/trust/root/certs/local.pub.pem
without the corresponding private key
.Pa /etc/trust/root/priv/local.pem .
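The naming and pairing rules above (the <name>.pem / <name>.pub.pem convention, the optional NNNN. ordering prefix, the cross-tier and duplicate-name prohibitions, and the local keypair rule) can be checked mechanically before a tree is handed to the build. The script below is an added example and is not part of this manual page or of FreeBSD. It assumes a POSIX sh, reads the tree under $TRUST_DIR (defaulting to /etc/trust), looks only at file names and modes (it does not parse certificates or verify chains), and adds one check the page does not state, namely that private key files are not readable by group or others.

```shell
#!/bin/sh
# Added example (not code from trust-config(7) or from FreeBSD): a layout
# checker for the /etc/trust hierarchy that enforces the naming and pairing
# rules stated in the manual page. It looks only at file names and modes.
set -u
TRUST_DIR="${TRUST_DIR:-/etc/trust}"   # override to check a staged tree
TRUST_ERRORS=0

fail() { printf 'trust-config: %s\n' "$1" >&2; TRUST_ERRORS=$((TRUST_ERRORS + 1)); }

# "mykey.pem" -> "mykey"
key_name() { n=${1##*/}; printf '%s\n' "${n%.pem}"; }
# "0012.mykey.pub.pem" -> "mykey" when $2=1 (ordering prefix allowed), else
# the prefix is left in place so the caller can reject it.
cert_name() {
  n=${1##*/}; n=${n%.pub.pem}
  if [ "$2" = 1 ]; then
    case $n in [0-9].*|[0-9][0-9].*|[0-9][0-9][0-9].*|[0-9][0-9][0-9][0-9].*) n=${n#*.} ;; esac
  fi
  printf '%s\n' "$n"
}

# Is there a certificate for key name $2 in certs dir $1? ($3=1: NNNN. prefix allowed)
find_cert() {
  [ -f "$1/$2.pub.pem" ] && return 0
  [ "$3" = 1 ] || return 1
  for p in [0-9] [0-9][0-9] [0-9][0-9][0-9] [0-9][0-9][0-9][0-9]; do
    for f in "$1"/$p."$2".pub.pem; do [ -f "$f" ] && return 0; done
  done
  return 1
}

# Check one tier: $1 = priv dir, $2 = certs dir, $3 = 1 if NNNN. prefixes are allowed
check_tier() {
  for k in "$1"/*; do
    [ -e "$k" ] || continue
    case ${k##*/} in
      *.pub.pem) fail "$k: certificate stored in a private key directory"; continue ;;
      *.pem) ;;
      *) fail "$k: private keys must be named <name>.pem"; continue ;;
    esac
    find_cert "$2" "$(key_name "$k")" "$3" || fail "$k: no matching <name>.pub.pem in $2"
    # Not a rule from the manual page: a signing key readable by group or
    # others defeats the point of keeping it local. ls -ld mode string is
    # "-rw-------" for a correctly protected key.
    case $(ls -ld "$k") in ????------*) ;; *) fail "$k: private key is group/world accessible" ;; esac
  done
  for c in "$2"/*; do
    [ -e "$c" ] || continue
    case ${c##*/} in *.pub.pem) ;; *) fail "$c: certificates must be named [NNNN.]<name>.pub.pem"; continue ;; esac
    case $(cert_name "$c" 0) in
      [0-9].*|[0-9][0-9].*|[0-9][0-9][0-9].*|[0-9][0-9][0-9][0-9].*)
        [ "$3" = 1 ] || fail "$c: ordering prefixes are only permitted under certs/, not root/certs/" ;;
      [0-9][0-9][0-9][0-9][0-9]*.*) fail "$c: ordering prefix is limited to four numerals" ;;
    esac
  done
}

# Every key and certificate name in a tier ($1 = tier base dir), one per line.
names_in() {
  for f in "$1"/priv/*.pem "$1"/certs/*.pub.pem; do
    [ -e "$f" ] || continue
    case $f in */priv/*.pub.pem) continue ;; */priv/*) key_name "$f" ;; *) cert_name "$f" "$2" ;; esac
  done | sort -u
}

# Emit one diagnostic per violation; succeed only if the tree is legal.
trust_check_layout() {
  TRUST_ERRORS=0
  for d in root/priv root/certs priv certs; do
    [ -d "$TRUST_DIR/$d" ] || fail "missing directory $TRUST_DIR/$d"
  done
  check_tier "$TRUST_DIR/root/priv" "$TRUST_DIR/root/certs" 0
  check_tier "$TRUST_DIR/priv" "$TRUST_DIR/certs" 1
  # A name may live in root/ or in the intermediate tier, never in both; this
  # also catches a key in priv/ whose certificate sits in root/certs/ (or vice versa).
  for n in $(names_in "$TRUST_DIR/root" 0); do
    names_in "$TRUST_DIR" 1 | grep -qxF -- "$n" && fail "name '$n' is used in both root/ and the intermediate tier"
  done
  # root/certs/local.pub.pem is only legal alongside root/priv/local.pem.
  if [ -f "$TRUST_DIR/root/certs/local.pub.pem" ] && [ ! -f "$TRUST_DIR/root/priv/local.pem" ]; then
    fail "root/certs/local.pub.pem is present but root/priv/local.pem is missing"
  fi
  [ "$TRUST_ERRORS" -eq 0 ]
}

case "${1:-}" in
  check) trust_check_layout ;;
esac
```

Run it as `TRUST_DIR=/path/to/staged/tree sh trust-check.sh check`; the exit status is non-zero when any rule is violated and each violation is printed to standard error.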
.Sh DEFAULT
The default trust system configuration consists solely of a local
keypair which is generated during OS installation.
Any additional trusted keys (including third-party keys) are signed by
the local keypair and loaded as intermediate keys rather than being
added directly to the trust root configuration.
This is the preferred configuration, and alternatives should only be
used if there is a specific and compelling reason to do so.
.Sh SEE ALSO
.Xr openssl 1 ,
.Xr signed-elf 5 ,
.Xr trust 7 ,
.Xr signelf 8
.Sh HISTORY
The trust system first appeared in
.Fx 12.0 .
.Sh AUTHORS
This manual page was written by
.An Eric L. McCorkle Aq Mt emc2@metricspace.net .