From patchwork Thu Nov 22 23:36:17 2018
From: Samuel Mendoza-Jonas
To: petitboot@lists.ozlabs.org
Subject: [PATCH 00/13] User support and client permissions
Date: Fri, 23 Nov 2018 10:36:17 +1100
Message-Id: <20181122233630.6303-1-sam@mendozajonas.com>
Cc: Samuel Mendoza-Jonas

There has been interest in having methods to "lock down" Petitboot for a
while now (existing changes like restricting access to the shell, requested
features such as adding a big "Password" screen before being able to do
anything), and this makes a big jump in that direction as part of the
overall journey to trusted/secure boot.

Rather than rely on implementing a bunch of password checks in ncurses and
keeping the user from getting shell access, this instead leans on having
Linux do it for us for the most part by running all user-facing parts of
Petitboot as an unprivileged user, with only pb-discover and its utilities
running with root permissions. Assuming the environment has been set up
correctly, this means that when a user drops to the shell they are
completely unprivileged unless they know the root password. Since non-root
users can't init, mount, or kexec anything, all normal actions must be done
via pb-discover.
Unless the user authorises with pb-discover (handled by a new nc-auth
subscreen) they are restricted to a subset of actions that don't affect the
configuration or default boot option of the system.

For platform-powerpc, clients are restricted by default if we find a
"petitboot,password" value in NVRAM, which is a hash of the password to be
used as the root password. Users can also set a password, which will be
hashed and stored in NVRAM. In the future this could be something we do
with a TPM, but as a first step this should be sufficient as NVRAM is only
accessible by root anyway.

Along the way we also pick up some fixes that make using the shell a little
nicer, such as actual job control finally.

Thoughts, comments, and criticisms welcome; I'm sure I've stared at this
for too long and forgotten something. Note also that this depends on proper
user accounts being configured by Buildroot, for example.

Samuel Mendoza-Jonas (13):
  utils/pb-console: Support agetty's autologin option
  utils/pb-sos: Don't create files in root by default
  utils/pb-console: Set up controlling terminal
  utils/pb-console: Ignore SIGINT
  lib/crypt: Add helpers for operating on /etc/shadow
  lib/pb-protocol: Add PB_PROTOCOL_ACTION_AUTHENTICATE
  discover/discover-server: Restrict clients based on uid
  discover/device-handler: Prevent normal users changing boot target
  discover/platform-powerpc: Read and write password hash from NVRAM
  ui/ncurses: Simplify starting shell
  ui/common: Client authentication helpers
  ui/ncurses: Add nc-auth and authenticate when required.
  ui/ncurses: Keep track of the default boot option

 configure.ac                  |  22 +++
 discover/device-handler.c     |  18 +-
 discover/device-handler.h     |   2 +-
 discover/discover-server.c    | 236 ++++++++++++++++++++++++++-
 discover/discover-server.h    |   3 +
 discover/pb-discover.c        |   3 +
 discover/platform-powerpc.c   |  29 ++++
 discover/platform.c           |  13 ++
 discover/platform.h           |   4 +
 discover/user-event.c         |   7 +-
 lib/Makefile.am               |   9 +
 lib/crypt/crypt.c             | 126 ++++++++++++++
 lib/crypt/crypt.h             |  49 ++++++
 lib/param_list/param_list.c   |   1 +
 lib/pb-protocol/pb-protocol.c |  94 +++++++++++
 lib/pb-protocol/pb-protocol.h |  26 +++
 lib/types/types.h             |   1 +
 ui/common/discover-client.c   |  81 +++++++++
 ui/common/discover-client.h   |  12 ++
 ui/ncurses/Makefile.am        |   4 +-
 ui/ncurses/nc-add-url.c       |  63 ++++---
 ui/ncurses/nc-auth.c          | 299 ++++++++++++++++++++++++++++++++++
 ui/ncurses/nc-auth.h          |  33 ++++
 ui/ncurses/nc-config.c        |  64 ++++++--
 ui/ncurses/nc-cui.c           | 204 ++++++++++++++++++++---
 ui/ncurses/nc-cui.h           |   6 +
 ui/ncurses/nc-lang.c          | 127 ++++++++++-----
 ui/ncurses/nc-plugin.c        |  44 ++---
 ui/ncurses/nc-plugin.h        |   2 -
 ui/ncurses/nc-scr.h           |   1 +
 ui/ncurses/nc-widgets.h       |   1 +
 utils/pb-console              |  18 +-
 utils/pb-sos                  |  13 +-
 33 files changed, 1479 insertions(+), 136 deletions(-)
 create mode 100644 lib/crypt/crypt.c
 create mode 100644 lib/crypt/crypt.h
 create mode 100644 ui/ncurses/nc-auth.c
 create mode 100644 ui/ncurses/nc-auth.h