ownership and security

[orangecms]

Requirements

Create an interface to manage access tokens, just like OAuth.

For the owner, have some password/PIN/key (think WebAuthn or similar) mechanism.

There be an authenticated (!) API for the OS to provision/reconfigure.

On first boot, possibly offer a TOFU based scheme; i.e., the OS gets an initial token, and the end user can export it, use it to set a different trust anchor, have the OS signed and store its keys, etc..

https://mastodon.social/@CyReVolt/116368437236543350

[orangecms]

ownership establishment

Design

The OS will get a token on first boot - TOFU style.

It shall sign itself, and use the token to authenticate when storing its signing keys via a firmware interface.

It shall deploy a key for signing custom firmware.

It shall offer storing the private keys on a hardware token, such as a USB one (for private use or sysadmins) or a network attached one (for data centers).

There be a physical mechanism for reset in case of key loss, such as a jumper or button on the board.

As soon as key material is stored, the firmware shall only boot an OS signed with it.

The firmware itself shall always be verified with a signing key.
That mandates hardware support and a mechanism in the mask ROM.

[orangecms]

mutual trust/authentication

Question: How does the owner know that the firmware is safe?

Goal: prevent / detect physical attacks, i.e. someone initiating a reset and deploying their keys

references

• DTMF SPDM
  https://www.dmtf.org/standards/spdm
• DICE attestation https://trustedcomputinggroup.org/resource/dice-attestation-architecture/

Design idea

• have the first code signed and initiate a challenge/response protocol
  • let the RoT unlock a key to sign a challenge with IFF the signature on the first code is okay (or some hash); verification key/hash be part of the RoT
• see also Heads, using a QR code, or use a USB key for this; maybe Tillitis?