Fedora and secure release upgrades [LWN.net]

By Nathan Willis
December 19, 2012

As Fedora 18 nears its final release, some project members are concerned that churn in the update tools has placed users in a risky position by eliminating secure paths to update an existing installation from Fedora 17. Although it looks like workarounds will be available, the resulting choice will pit convenience against security, which is rarely a trade-off that ends up in security's favor. But as the whole debate nicely illustrates, when it comes to verifying the authenticity of software acquired over the network, no matter how many steps are involved, eventually the chain of trust must start somewhere — because users always make a leap of trust when first clicking on the download option.

The root of the issue is FedUp, the brand-new updater currently being developed for deployment with F18, which does not check the cryptographic signatures of the RPM packages it downloads over the network (although FedUp also downloads initramfs and vmlinuz files at the start of an upgrade; it does verify the integrity of these by checking their SHA256 checksums). A bug highlighting that deficiency was filed in November, noting that fetching and installing unverified binaries over the network leaves the system vulnerable to man-in-the-middle attacks and to trojaned packages on compromised mirrors. Fedora's RPM packages are signed, and various package installer tools do verify the signatures; it is only the FedUp release-upgrading tool that does not check the signatures before installing them.

The Fedora Engineering Steering Committee (FESCo) discussed the subject in its December 5 meeting and decided that the absence of network verification would not block the release of F18. Rahul Sundaram raised the importance of the issue on the fedora-devel list a week and a half later, arguing that the lack of a secure method to update from F17 to F18 was irresponsible. Part of Sundaram's initial concern was that the still-unfinished FedUp did not yet support updating from an optical disc, which would provide some measure of protection against attack because Fedora's downloadable ISO images are provided with checksums. That concern turned out to be partly unfounded; as Red Hat's Tim Flink explained in a different thread, FedUp does support extracting packages from optical media — it just does not support booting from an optical disc to upgrade an existing installation, or pulling packages from an ISO file.

Upgrades and release blockers

But the optical disc upgrade option is not the default behavior for FedUp; the user must know to employ it with the --device switch. FedUp's default is still to fetch packages from a remote repository. At the moment, FedUp is also fetching these pre-release packages over an unencrypted HTTP connection, although that could change when the final F18 is released. One can always argue that users in the know will seek out the secure means to update their machines, but it is far less risky to make the default behavior secure. After all, "users in the know" are not the ones most in need of protection. On that point, Sundaram noted in his original email that FedUp's lack of package verification is not a regression, since the update tool that it replaces, PreUpgrade, did not check package signatures either. Neither does Anaconda, the Fedora installer.

The only release-upgrade path that ever has verified remote repository package signatures was that of upgrading via the yum package manager, which is an unsupported option that non-advanced users are steered away from — and with good reason. Yum is a lower-level package installation utility; it can be used to manually upgrade the entire system to a new release, but the procedure is not recommended because a release upgrade involves more than simple package installation. Dedicated upgrade tools like PreUpgrade and FedUp are designed to handle large or complicated system changes between releases, such as the merging of /bin and other directories into the /usr hierarchy. Some of these changes require a reboot, which PreUpgrade and FedUp are built to manage, but yum is not.

Sundaram opened a FESCo ticket asking FESCo to classify the FedUp signature-verification issue as a blocker — although he later closed it after determining that the local-media option does offer a secure upgrade path for those that seek it out. But the issue is also tangled up with the question of whether or not FedUp is ready for release on other grounds. It still lacks a GUI front-end, logging, and progress indication. The GUI in particular is a limitation that some see as critical in its own right (Sundaram called it "a severe regression").

The fedora of trust

FESCo decided to defer the FedUp GUI feature until F19, and the question of providing any secure way to upgrade an F17 machine to F18 appears, for the moment, to be settled. The deeper question of making such a secure upgrade the default, however, remains unanswered.

Fedora's distribution upgrade tools have never baked signature verification into the upgrade process, and the project knows it. The discussion dates all the way back to the infamous bug 998, first opened in 1999 and filled with mysterious references to forgotten technologies like floppy disks (hint for younger readers: imagine a really thin SSD). But securely checking package signatures requires a secure method for the user to acquire the right public key (with which to check said signatures) in the first place. Even yum, which was raised during the FedUp discussion as the secure upgrade option, needs the user to manually find and import the correct GPG key for the new release. That is a weak link even in the manual case, as Fedora QA team member Adam Williamson observed:

If you're doing things Properly, you should somehow verify you're importing the correct key and not just blindly typing what a wiki page tells you to, but of course what most people do is blindly type what the wiki page tells them to...

Finding a way for the Fedora N release upgrade tool to securely fetch and install the correct key for release N+1 automatically is a tricky problem indeed. For example, Will Woods proposed a plan to add GPG signatures for the initramfs and vmlinuz files FedUp fetches at the beginning of the upgrade. As mentioned above, currently only a SHA256 checksum is used to verify the integrity of these files — courtesy of checksums found in the repository's .treeinfo file. Woods proposed adding GPG signatures to the repository at .treeinfo.signed, but noted that there still needs to be a way to get the F18 key onto F17 systems, and some way for the user to decide if the F18 key is trustworthy.

If we consider the contents of /etc/pki/rpm-gpg trusted, the F18 key(s) could be packaged for F17. The package would be signed with the F17 key, which sort of establishes a chain of trust from F17 to F18.

This won't work for completely offline systems, though. But if the F18 public key *itself* was signed with the F17 key, the F18 key could be included on the install media, and tools could use that to get the F18 key into the F17 keyring.

Another option is to sign .treeinfo with both the F17 and F18 keys, but this would require using a detached signature and tweaking things to accept the file if *any* signature can be verified.

And so on. There's a lot of options. This is a distro-wide policy decision about establishing trust between versions of Fedora, so I'm guessing it's going to require a bunch of meetings and discussions and voting.

Establishing a chain of trust can be a bit of a chicken-and-egg problem: eventually one has to place one's trust in something on which the subsequent links build. Till Maas suggested to Woods that the F18 key could be securely fetched from the Fedora project from a well-known location over HTTPS. Of course, that relies on the security of HTTPS and the DNS system, which relies on the security of the certificate authorities, and so on.

For most mortals, however, some security — however limited — is still better than no security, which is what FedUp's default usage provides now. As recently as the end of November, users were still writing to the list confused about how best to upgrade their machines. There are clearly many more discussions ahead; even if Fedora establishes a workable plan for its main releases, also problematic is how downstream distributions (including Fedora "spins") and customized ISOs are handled. Whatever solution develops, one thing is for certain: it will not arrive until the F19 release cycle at the earliest.

(Log in to post comments)

Fedora and secure release upgrades

Posted Dec 20, 2012 13:29 UTC (Thu) by n8willis (editor, #43041) [Link]

My understanding is that the problem with the scenario you describe is that the F17 tool you use to download said file does not have signature-checking built into _it_, thus you cannot guarantee that a MITM attacker doesn't silently replace the download at some network node in between your machine and the Fedora server. Likely? Probably not.

In short, it's like an induction problem; since the very first version of the tool did not check sigs, the chain of trust cannot be "bootstrapped". The problem has become inserting the fixed/trustable tool somewhere into the insecure sequence.

Nate

Fedora and secure release upgrades

Posted Dec 20, 2012 15:05 UTC (Thu) by etienne (subscriber, #25256) [Link]

> cannot guarantee that a MITM attacker doesn't silently replace the download

I was saying that this download is inside a package, so its signature is checked by RPM with Fedora 17 signature - or Fedora 16 signature if you are currently running F16 and have downloaded the F16 upgrade package.
If the problem is that you currently have an insecure/compromised Fedora 17 and you want to upgrade to a secured Fedora18, then there is a problem: the updater cannot use anything of the running system.
But that is not a new problem, if you have an compromised system, you have to wipe it clean and install from fresh.
It is true that encrypting the updater with F18 key is not really useful if you cannot trust the software to decrypt it (which is a Fedora 17 package).

Fedora and secure release upgrades

Posted Dec 20, 2012 15:34 UTC (Thu) by n8willis (editor, #43041) [Link]

But the issue that you cannot *know* whether or not your F17 system is compromised by checking it with F17 itself. That's the trust chain problem. To be sure you could trust the alleged F17 key, you would have had to have already downloaded a key asserting to be F16-signed. But to verify that, you would have to have downloaded a key asserting to be F15-signed, and you would have to have an F14-signed key for that, so on. Even if that chain-of-trust would work in theory, all the way back to the bootstrapping of the project, reality is that those older signed-key-packages don't exist (and never will).

Nate

Way to have FedUp users

Posted Dec 20, 2012 18:59 UTC (Thu) by smoogen (subscriber, #97) [Link]

Here is the 1 million dollar question... what do other distributions do? When I looked last time they pretty much did the same thing or ignored the bootstrap problem by assuming it was ok. Has that changed?

Way to have FedUp users

Posted Dec 21, 2012 0:12 UTC (Fri) by smcv (subscriber, #53363) [Link]

In Debian (and derivatives like Ubuntu), the chain of trust goes like this:

1. some prominent developers sign...
2. a "role" GPG key which signs...
3. a file containing cryptographic hashes of...
4. the installation media, which contain...
5. the (debian|ubuntu|...)-archive-keyring package, which contains...
6. a "role" GPG key which signs...
7. the Release file, containing cryptographic hashes of...
8. the Packages and Sources files, containing cryptographic hashes of...
9. each installable package

For a naive user who doesn't verify anything, skip directly to (4).

For upgrades, skip directly to (5) (assuming no key revocations have been required), because each release's -archive-keyring package contains the public key with which the project intends to sign the next release.

(Some prominent developers also sign (6), providing a shorter chain of trust to that.)

Way to have FedUp users

Posted Dec 21, 2012 17:16 UTC (Fri) by smoogen (subscriber, #97) [Link]

Ok thanks for that information on the Debian way of confirming the package chain.

How does a network installer confirm the web of trust? Is there a prompt for the user to go to XYZ website and upload a key and check to see that the key matches what the website says (or some kind of prompt.. )

How does someone behind a Great Firewall of XYZ nation know that they aren't getting MITM somehow and the packages aren't fake.

Way to have FedUp users

Posted Dec 21, 2012 17:28 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]

the network installer has the key needed to validate the packages. the media the packages come from does not materially change things (it's just network vs disk)

if you are behind GREAT FIREWALL of X, you have no way of knowing if the install media you are using has been tampered with, you have no way of knowing if your attempts to validate the key are being tampered with, you could try and make a phone call to someone outside the firewall, or smuggle in media from outside and validate things that way

But once you have trusted install media (for whatever value of trust you want to go to), that install media will validate the packages.

The chain of trust is traceable to individual keys, not to CA entities, so the fact that the government is a CA entity doesn't change things.

Way to have FedUp users

Posted Dec 21, 2012 22:22 UTC (Fri) by pkern (subscriber, #32883) [Link]

You can verify the installation media by checking its hash against the list of hashes signed by the Debian CD release key, though. Now how you bootstrap that trust is obviously still an interesting exercise behind a great firewall with no friends outside.