Comments (3)
Strongly agree that OpenPubkey should support KMS and HSMs and associated RNGs. This is the ideal solution for people that use KSM or HSMs. Everything I am going to say below is thinking about how to support openpubkey for users that may not have or want to use KSM/HSMs.
rdrand, rdseed, RNDR, /dev/hwrng
I don't see any harm in using HAVAGE
as an additional source of entropy. I think if we are concerned about rand.Reader not providing sufficient entropy one of the first places we should look at is the x86 rdrand
and rdseed
instructions. I modified your test code to show that GHA ubuntu runner has access to the rdrand
and rdseed
instructions.
The action output is here: https://github.com/EthanHeilman/gha-vm-rdtsc-test/actions/runs/6757557761/job/18368221015
We could use RDRAND-Tester to check if rdrand is available on the system and fail if it isn't evaluable. While rdrand
and rdseed
only exists on x86. we should get ARM support by using the RNDR ARM instruction.
Linux provides the /dev/hwrng
device which provides a nice place to plug in hardware sources of entropy. RaspberryPI exposes their HW RNG via that device. Not sure if all ARM systems do this. Some hypervisors and emulators use /dev/hwrng
as a way of exposing true random number generation to each of their host virtual machines.
Additional hardening in Github Actions
This might be overkill but we could use the SHA3(ACTIONS_ID_TOKEN_REQUEST_TOKEN)
, and in case of GQ signatures SHA3(OP RSA Signature)
, as an additional source of entropy on top of what rand.Reader provides. The preimage resistance of SHA3 should protect the value from leaking assuming the github OpenID Provider does not have an entropy generation problem and is not generating low entropy tokens and RSA signatures.
from openpubkey.
rdrand, rdseed, RNDR, /dev/hwrng
I don't see any harm in using
HAVAGE
as an additional source of entropy. I think if we are concerned about rand.Reader not providing sufficient entropy one of the first places we should look at is the x86rdrand
andrdseed
instructions. I modified your test code to show that GHA ubuntu runner has access to therdrand
andrdseed
instructions.The action output is here: https://github.com/EthanHeilman/gha-vm-rdtsc-test/actions/runs/6757557761/job/18368221015
Very nice! It looks like the GHA runners are fairly well provisioned with entropy sources. Agreed that this will be good support for users without KMS/HSM access. Thanks for taking a look at it!
from openpubkey.
@mrjoelkamp Closing this. If you think this should be reopened please reopen.
from openpubkey.
Related Issues (20)
- Should we change `clientinstance.Claims` to support ZKP Commitments HOT 1
- Look into Release-Drafter for tracking releases in gha
- Compact Representation Format for PK Tokens HOT 1
- SignGQ and GQSign Confusion
- Add option in provider.Options to disable opening the browser
- JKT in GQ ID Token
- Docs on PK Token
- Move all tests over to testify/require HOT 4
- More Godoc on all public functions and structs HOT 5
- Should Non-GQ Signed PK Tokens set the JKT
- Find and fix spelling errors in comments
- Should client return PK Tokens by reference or value? HOT 4
- We should use algorithm from public key rather than alg from token in verification HOT 4
- Create an Expiration Policy for the Verifier
- Create a list and manage a list of all known repos that depend on OpenPubkey
- A better name for the openpubkey/oidc package HOT 11
- Refreshed ID Token Support in Cosigner
- Add Gitlab user OIDC OP
- Notes on the SSH3 plugin system
- VerifySignedMessage should let you override the typ
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from openpubkey.