On Wed, Feb 26, 2020 at 04:11:40PM -0400, Jason Gunthorpe wrote: > > If you look at the contents of the patch attestation message > > (https://lore.kernel.org/signatures/202002251425.E7847687B@keescook/), > > you will notice a yaml-style formatted document with a series of > > three hashes. Let's take the first one as example: > > > > 2a02abe0-215cf3f1-2acb5798: > > i: 2a02abe02216f626105622aee2f26ab10c155b6442e23441d90fc5fe4071b86e > > m: 215cf3f133478917ad147a6eda1010a9c4bba1846e7dd35295e9a0081559e9b0 > > p: 2acb5798c366f97501f8feacb873327bac161951ce83e90f04bbcde32e993865 > > > > The source of these hashes is the following patch: > > https://lore.kernel.org/kernel-hardening/20200225051307.6401-2-keescook@xxxxxxxxxxxx/ > > If you define an alternative message signature algorithm like this, > then is there still value in detatching the PGP signature from the > patch email? I believe that yes, because it offers better workflows around the following scenarios: - developer does all their work on a remote VM that doesn't have access to their PGP keys and submits actual attestation when they get back to their workstation - developer configures their smartcard to require a PIN during each operation and disables the pgp-agent; sending a series of 40 patches requires a single PIN entry instead of 40 - developer submits a v1 of the patch that they don't expect to pass on the first try and doesn't bother submitting attestation; shockingly, the maintainer accepts it as-is and the developer can attest their patches post-fact *without* needing to collect all the acked-by's reviewed-by's etc from all others who have already responded to the v1 submission > The usual PGP signature computes a hash of the message in a certain > way (with unquoting etc). If you instead replace that with your method > and then just generate the normal base64 blob using: > > msg_hash = HASH(HASH(i) || HASH(m) || HASH(p)) > sig = RSA_Sign(msg_hash) The reason I want to leave i/m/p hashes individually present is because it makes it possible to query patch attestation information based on a subset of full information. For example, a maintainer will almost certainly edit the message content to add their own Signed-off-by, and may edit the patch for minor nitpicking. Full i-m-p attestation will fail in this case, but we can then query the signatures archive for each individual hash to identify which part of the submission fails validation: https://lore.kernel.org/signatures/?q=2a02abe02216f626105622aee2f26ab10c155b6442e23441d90fc5fe4071b86e This lets us present the maintainer with more useful info, like: "full attestation failed, but the only changed part is actually the message and not the patch content, so it's probably still okay to apply." > Then the base64 of the sig can just be dropped at the end of the > message, and doesn't need to be detached, or need the various ---BEGIN > PGP--- overheads > > The magic I see here is defining a way to compute the message hash of > a patch email that doesn't cause a big mess. I still think that one of the key benefits of this proposal is being able to submit patch attestation data post-fact. For signatures included with patches, I'd rather see this happen during the git-format-patch step following Vagard Nossum's work of fully reconstructing commits from patches -- see my email to the git list here: https://lore.kernel.org/git/20200226200929.z4aej74ohbkgcdza@chatter.i7.local/T/#u Best, -K
