From c9df5dcce462af13685236bf7a1d4dd896b1406b Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 10 Jul 2020 23:42:23 +0200
Subject: major refactoring of installer roles
---
roles/installer/openbsd/fetch/defaults/main.yml | 6 +++++
roles/installer/openbsd/fetch/tasks/main.yml | 34 +++++++++++++++++++++++++
roles/installer/openbsd/fetch/vars/main.yml | 7 +++++
3 files changed, 47 insertions(+)
create mode 100644 roles/installer/openbsd/fetch/defaults/main.yml
create mode 100644 roles/installer/openbsd/fetch/tasks/main.yml
create mode 100644 roles/installer/openbsd/fetch/vars/main.yml
(limited to 'roles/installer/openbsd/fetch')
diff --git a/roles/installer/openbsd/fetch/defaults/main.yml b/roles/installer/openbsd/fetch/defaults/main.yml
new file mode 100644
index 00000000..eeeaf2d0
--- /dev/null
+++ b/roles/installer/openbsd/fetch/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# openbsd_installer_version: 6.7
+openbsd_installer_arch: amd64
+
+openbsd_installer_force_download: no
+openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD"
diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml
new file mode 100644
index 00000000..0ab9070c
--- /dev/null
+++ b/roles/installer/openbsd/fetch/tasks/main.yml
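Review bot: In defaults/main.yml the commented example `# openbsd_installer_version: 6.7` is unquoted, so anyone who copies it into inventory gets a YAML float, while vars/main.yml in this commit keys `openbsd_installer_signing_keys` by the string `"6.7"`; the lookup in the signing-key task would then likely find no entry. I would write the example as `# openbsd_installer_version: "6.7"`. In the same file, `openbsd_installer_force_download: no` relies on YAML 1.1 truthy parsing; `false` says the same thing without depending on the parser.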
@@ -0,0 +1,34 @@
+---
+- name: prepare directories for installer iso files
+ file:
+ name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
+ state: directory
+
+- name: download installer iso files
+ get_url:
+ url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
+ mode: 0644
+ force: "{{ openbsd_installer_force_download }}"
+
+- name: download signed sha256 files
+ get_url:
+ url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
+ mode: 0644
+ force: "{{ openbsd_installer_force_download }}"
+
+- name: create signing key files
+ copy:
+ content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}"
+ dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub"
+
+- name: verfiy downloaded iso files
+ command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig install{{ openbsd_installer_version_short }}.iso"
+ args:
+ chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
+ changed_when: false
+ register: openbsd_installer_signify_result
+
+- debug:
+ var: openbsd_installer_signify_result.stdout_lines
diff --git a/roles/installer/openbsd/fetch/vars/main.yml b/roles/installer/openbsd/fetch/vars/main.yml
new file mode 100644
index 00000000..dad9f064
--- /dev/null
+++ b/roles/installer/openbsd/fetch/vars/main.yml
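Review bot: When the signify task in tasks/main.yml fails, the ISO it rejected stays at its final path, and because the download task passes `force: "{{ openbsd_installer_force_download }}"` with a default of `no`, the next run skips the download and checks the same file again. Whatever consumes this directory (not visible here) could also pick up an image that never passed verification. Wrapping the check in `block`/`rescue` and deleting the file on failure keeps the directory free of unverified images; the verify task introduced later in this series for SHA256.sig and BUILDINFO leaves its inputs behind in the same way. The `debug` task that prints the result would also read better with a `name:`.

```yaml
- name: verify downloaded iso files
  block:
    - name: check iso against the signed checksum list
      command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig install{{ openbsd_installer_version_short }}.iso"
      args:
        chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
      changed_when: false
      register: openbsd_installer_signify_result
  rescue:
    - name: remove iso that failed verification
      file:
        path: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso"
        state: absent

    - name: abort after failed verification
      fail:
        msg: "signify rejected install{{ openbsd_installer_version_short }}.iso, the file has been removed"

# … unchanged: debug task printing openbsd_installer_signify_result.stdout_lines …
```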
@@ -0,0 +1,7 @@
+---
+openbsd_installer_version_short: "{{ openbsd_installer_version | replace('.', '') }}"
+
+openbsd_installer_signing_keys:
+ "6.7": |
+ untrusted comment: openbsd 6.7 base public key
+ RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj
-- cgit v1.2.3
From 4eec4384e5408a87b6ad2b77b4819b65c500a3bc Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 11 Jul 2020 01:18:15 +0200
Subject: openbsd installer: extract sha256 checksum from iso before downloading it
---
roles/installer/openbsd/fetch/tasks/main.yml | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
(limited to 'roles/installer/openbsd/fetch')
diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml
index 0ab9070c..d8f37018 100644
--- a/roles/installer/openbsd/fetch/tasks/main.yml
+++ b/roles/installer/openbsd/fetch/tasks/main.yml
@@ -4,13 +4,6 @@ name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" state: directory -- name: download installer iso files - get_url: - url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" - dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" - mode: 0644 - force: "{{ openbsd_installer_force_download }}" - - name: download signed sha256 files get_url: url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig"
@@ -18,6 +11,27 @@ mode: 0644 force: "{{ openbsd_installer_force_download }}" +## Unfortunately signify can't be used to verify just the sha256 file. This means that the checksum we extract here +## might be wrong. Using this an attacker could trick us into deleting a valid ISO file and downloading a harmful +## image instead. Since the signature of the sha256 file will be checked eventually the attacker however cannot trick +## us into booting the image. +## Despite this flaw it is imho still better to extract the hash so that get_url below can check a potentially +## existing file without the need to query the server. This should speed up the installation process quite a bit +## and take care of spurious re-downloads. + +- name: extract sha256 hash for iso file + command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" + changed_when: false + register: openbsd_installer_sha256sum + +- name: download installer iso files + get_url: + url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" + dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" + checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}" + force: "{{ openbsd_installer_force_download }}" + mode: 0644 + - name: create signing key files copy: content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}" -- cgit v1.2.3 From 8bfbc9b54f28cb5e25714e40e96f752f98f40568 Mon Sep 17 00:00:00 2001 
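Review bot: The pattern in the new `extract sha256 hash for iso file` task is looser than the line it is meant to match: `[0-9a-z]{64}` accepts letters that are not hex digits, and the `.` before `iso` matches any character. Using `[0-9a-f]{64}` and `\.iso` would pin it to a well-formed digest line for exactly this file name, which matters because the captured value goes straight into `checksum:` of the next task. The same task is re-added unchanged at the end of tasks/main.yml by the following commit, so the tightening applies there too.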
From: Christian Pointner
Date: Sat, 11 Jul 2020 01:37:51 +0200
Subject: openbsd installer: improve image verification
---
roles/installer/openbsd/fetch/tasks/main.yml | 55 +++++++++++++++-------------
1 file changed, 29 insertions(+), 26 deletions(-)
(limited to 'roles/installer/openbsd/fetch')
diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml
index d8f37018..97e8fb57 100644
--- a/roles/installer/openbsd/fetch/tasks/main.yml
+++ b/roles/installer/openbsd/fetch/tasks/main.yml
@@ -4,31 +4,13 @@ name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" state: directory -- name: download signed sha256 files +- name: download signed sha256 and buildinfo files + loop: + - SHA256.sig + - BUILDINFO get_url: - url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" - dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" - mode: 0644 - force: "{{ openbsd_installer_force_download }}" - -## Unfortunately signify can't be used to verify just the sha256 file. This means that the checksum we extract here -## might be wrong. Using this an attacker could trick us into deleting a valid ISO file and downloading a harmful -## image instead. Since the signature of the sha256 file will be checked eventually the attacker however cannot trick -## us into booting the image. -## Despite this flaw it is imho still better to extract the hash so that get_url below can check a potentially -## existing file without the need to query the server. This should speed up the installation process quite a bit -## and take care of spurious re-downloads. 
- -- name: extract sha256 hash for iso file - command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" - changed_when: false - register: openbsd_installer_sha256sum - -- name: download installer iso files - get_url: - url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" - dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" - checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}" + url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}" + dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/{{ item }}" force: "{{ openbsd_installer_force_download }}" mode: 0644 
@@ -37,8 +19,16 @@ content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}" dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub" -- name: verfiy downloaded iso files - command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig install{{ openbsd_installer_version_short }}.iso" +## Unfortunately signify can't be used to verify just the sha256 file. If we would use the sha256 hashes without +## verification an attacker could trick us into deleting a valid ISO file and downloading a harmful image instead. +## Since the signature would be checked eventually the attacker cannot trick us into booting it but re-downlaoding +## hundreds of megabytes is not fun. +## As a workaround we download the smallest file that exists on the download server and use this file (BUILDINFO) +## to verfiy the signature. +## This process should speed up the installation quite a bit and make the overall image download process more solid. + +- name: verify downloaded files + command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig BUILDINFO" args: chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" changed_when: false 
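Review bot: After this change signify only ever checks BUILDINFO, so the ISO's integrity rests entirely on the `checksum:` parameter of the download task added further down in this commit, and the comment block above the verify task does not say so. A later edit that drops `checksum:` would remove verification of the image without any task failing. I would add a line to the comment such as `## The iso itself is only checked through get_url's checksum below, which must stay in place.` The verify task's `register:` line and the `debug` task lie outside this hunk.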
@@ -46,3 +36,16 @@ - debug: var: openbsd_installer_signify_result.stdout_lines + +- name: extract sha256 hash for iso file + command: grep -E "^SHA256 \(install{{ openbsd_installer_version_short }}.iso\) = [0-9a-z]{64}$" "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" + changed_when: false + register: openbsd_installer_sha256sum + +- name: download installer iso file + get_url: + url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" + dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" + checksum: "sha256:{{ openbsd_installer_sha256sum.stdout.split('=') | last | trim }}" + force: "{{ openbsd_installer_force_download }}" + mode: 0644 -- cgit v1.2.3
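Review bot: The `grep` task here is a `command`, which Ansible skips in check mode, so under `--check` the registered `openbsd_installer_sha256sum` has no `stdout` and templating `checksum:` in the download task fails. Both this task and the signify task only read files, so `check_mode: no` on them would keep a dry run working on hosts where the files were fetched before. The same applies to the copy of this task that the previous commit introduced.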