
DTS firmware signature verification issues

Open marmarek opened this issue 3 months ago • 1 comments

Component

Dasharo Tools Suite

Device

other

Dasharo version

v2.7.0

Dasharo Tools Suite version

No response

Test case ID

No response

Brief summary

When flashing firmware using DTS it tries to verify the signature, which is good. But there are a few issues with that...

How reproducible

No response

How to reproduce

Review how DTS verifies firmware signatures

Expected behavior

There is a full unbroken chain of trust from the DTS image to the firmware release. Specifically:

  1. Prerequisite: User gets DTS image and verifies its signature (using 3mdeb-secpack). iPXE situation could be better (https://github.com/Dasharo/dasharo-issues/issues/270) but at least one can workaround it with using USB and manual verification.
  2. DTS should have one of the master keys embedded already (so the 1st step already establishes trust in that key). It probably should be "3mdeb Dasharo Master Key".
  3. Then DTS should check what keys are needed for each platform, fetch them, and either explicitly verify the key signature, or have the master key preloaded and set to (ultimately) trusted. In the latter case, the gpg --status-fd option will be useful: look for [GNUPG:] TRUST_FULLY (similar example; generally fail verification if gpg complains "WARNING: This key is not certified with a trusted signature!"); in the former option, look at gpg -k ... output, which should have "full" or "ultimate" trust, not "unknown" (I don't know any script-friendly way of checking it this way, or on key import...). If you'd go with the first option, then file verification can use the simpler gpgv instead of gpg --verify.
  4. Having relevant platform key, downloaded artifacts should be verified before using them.

Alternatively to fetching keys in 3, DTS can simply include signing keys for all releases. But that means the need for DTS release when any of them changes, so may not be ideal. OTOH, key URLs are already hardcoded in DTS, so that is already the case if new key version is introduced, so maybe not that bad? Definitely the script will be simpler if DTS would have all relevant keys included already.

Actual behavior

  1. The get_signing_keys function fetches the release key without checking its signature: https://github.com/Dasharo/dts-scripts/blob/b43ab58df36dbe6fa55f044b45860c9565a2c1ea/include/dts-functions.sh#L719-L730. There is also no master key preloaded in DTS.
  2. The verify_artifacts function uses the file before checking its signature: https://github.com/Dasharo/dts-scripts/blob/main/include/dts-functions.sh#L769-L780 (the sha256sum call should be after gpg --verify)
  3. PLATFORM_SIGN_KEY is set only for Novacustom laptops, for example it is not set for MSI desktops (where releases are also signed): https://github.com/Dasharo/dts-scripts/blob/main/include/dts-functions.sh#L270

Screenshots

No response

Additional context

No response

Solutions you've tried

No response

marmarek avatar Sep 19 '25 12:09 marmarek
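The two verification options from point 3 of the expected behavior, plus the "verify before use" ordering from point 2 of the actual behavior, as an added shell example (not dts-scripts code, and not the author's). The status-line parser decides whether a `gpg --status-fd` run counts as a trusted verification, which is the script-friendly check the issue asks for; the `gpgv` helpers show the alternative of an explicitly verified key file. Key and file paths, and the status-line samples, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of dts-scripts. Demonstrates:
#  1. parsing `gpg --status-fd 1 --verify` output and accepting only a good
#     signature from a fully/ultimately trusted key (TRUST_UNDEFINED is what gpg
#     reports alongside "WARNING: This key is not certified ...");
#  2. the gpgv route: verify a fetched platform key against the embedded master
#     key before importing it, then verify artifacts with gpgv;
#  3. touching the artifact (sha256sum) only after the signature check passed.

# Read gpg --status-fd lines on stdin. Returns 0 only if a GOODSIG/VALIDSIG was
# seen AND the key's trust is FULLY or ULTIMATE. Any bad/unknown signature or a
# lower trust level fails closed.
gpg_status_is_trusted() {
    good=0
    trusted=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*|"[GNUPG:] VALIDSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*) return 1 ;;
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trusted=1 ;;
            "[GNUPG:] TRUST_UNDEFINED"*|"[GNUPG:] TRUST_NEVER"*|"[GNUPG:] TRUST_MARGINAL"*) return 1 ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$trusted" -eq 1 ]
}

# Option "master key preloaded and trusted": run gpg against the artifact and
# let the parser decide. Status goes to stdout (--status-fd 1), chatter to stderr.
verify_with_gpg_status() {
    artifact="$1"; sig="$2"
    gpg --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null | gpg_status_is_trusted
}

# Option "explicitly verify the key signature": the fetched platform key is
# checked against a keyring holding only the embedded master key (assumed
# path), and imported into a separate release keyring only if that passes.
import_platform_key() {
    key_file="$1"; key_sig="$2"; master_keyring="$3"; dest_keyring="$4"
    gpgv --keyring "$master_keyring" "$key_sig" "$key_file" || return 1
    gpg --no-default-keyring --keyring "$dest_keyring" --import "$key_file"
}

# gpgv trusts every key in the keyring it is given, so it is only safe with a
# keyring populated via import_platform_key. The hash is computed AFTER the
# signature check, fixing the ordering problem in verify_artifacts.
verify_artifact() {
    artifact="$1"; sig="$2"; release_keyring="$3"
    gpgv --keyring "$release_keyring" "$sig" "$artifact" || return 1
    sha256sum "$artifact"
}

# Constructed status-fd samples (key IDs, fingerprint and UID are made up).
SAMPLE_TRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Release Key (constructed) <release@example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2025-09-19 1758240000 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF01234567
[GNUPG:] TRUST_FULLY 0 pgp'

SAMPLE_UNTRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Release Key (constructed) <release@example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2025-09-19 1758240000 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

SAMPLE_BADSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Release Key (constructed) <release@example.invalid>'

# Stand-alone demo over the constructed samples (no gpg needed for this part).
for name in SAMPLE_TRUSTED SAMPLE_UNTRUSTED SAMPLE_BADSIG; do
    eval "sample=\$$name"
    if printf '%s\n' "$sample" | gpg_status_is_trusted; then
        echo "$name: accepted"
    else
        echo "$name: rejected"
    fi
done
```

Only the first sample is accepted: a good signature from a key gpg merely knows about (TRUST_UNDEFINED) is rejected, which is exactly the case where gpg --verify would still exit 0 and print the "not certified" warning.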

@marmarek about point 3, board config is being migrated to https://github.com/Dasharo/dts-configs and PLATFORM_SIGN_KEY is defined there:

iwanicki92 avatar Sep 19 '25 17:09 iwanicki92