Minutes from COM: Security on 2024-07-12

Committee: Security meeting on 2024-07-12

Attendees:

Agenda

  • Additional agenda items
  • @dfh: Update emails project, next steps
  • Via @aidalgol Should Aux Security be capable of handling embargo updates? What are the consequences of that decision?
  • @dfh Short recap of thoughts around OpenSSH vuln
  • @dfh Update on secrets project
    • @jakehamilton: Read thread last night
    • @jakehamilton: From hobbyist perspective/ homelab/ selfhosting needs some secrets but does not want to use additional services (e.g. hashicorp vault), how would they secure the master seed/ secret?
      • @dfh Possibly I would use nix-plugins similarly to this to load secrets for out-of-band deployment.
      • @dfh Generally there needs to be a way to sync secrets state out-of-band
      • @dfh The simplest form of exchanging secrets is a “file based API” as files are one of the basic building blocks of Unix/Linux Architecture
    • @jakehamilton: What are the next steps?
      • @dfh:
        • Write up project proposal
        • Decide on
          • How to do out-of-band
          • Modularity of seed input mechanisms (TPM, read from file, tang&clevis) which ones to implement first
          • FUSE library - possibly prototype/ PoC in python, later rewrite in rust/go
        • Figure out/ write code
          • SystemD integration
          • NixOS module
        • Possible Proof-of-Concept, as simple as possible - focusing on Aux/NixOS
          • Only worry about generated secrets
          • Start with seed from file
          • Generate secrets as files via FUSE, calling gokey + seedfile
            • possibly write in Python for fast iteration
          • NixOS modules & integration
        • Next steps
          • Seed from TPM and/or other secure sources
    • @jakehamilton: Interpolated secrets aka secrets integrated in other config files
      • @dfh: We had talked about this before, templating configs would be a nice feature, could be implemented in the FUSE library.
    • @jakehamilton: I might be f*** with some go code today.
  • Any other business
    • @jakehamilton: I’m playing with derivations defined via nixos-modules semantics, example
      This builds a new package set, the next following steps are service modules.
      Q: How would/ could secrets become a first class citizen in modules, scripts, packages?
      • @dfh If secrets are available as files, this should be fairly easy except for
        the build process, because of deterministic builds and all inputs are part of
        the store.
      • @jakehamilton: We could prevent storing secrets in the nix store by simple path / attribute set checks
        • @dfh: What if there’s a secure mode in the FUSE library that produces file system errors when the nix build users try to open a secrets file. Or with SELinux or other kernel functionalities.
        • @dfh: See [RFC 0041] SELinux Support by outergod · Pull Request #41 · NixOS/rfcs · GitHub for a discussion on SELinux support for NixOS. But it’s complicated since SELinux operates on a whitelist approach
        • @jakehamilton + @dfh Possibly other sandboxing approaches like bubblewrap that focus on blacklisting approach would be more feasible, especially for GUI tools.
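As an added example (not code from the meeting, from Aux or from NixOS), a Python sketch of the core pieces of the PoC discussed above, minus the FUSE layer: deterministic derivation of named secrets from a master seed, the "secure mode" that refuses reads by nix build users so a build cannot copy a secret into the store, and interpolation of secrets into config templates. HKDF-SHA256 stands in for gokey, the seed bytes are constructed, and the `@@secret:NAME@@` placeholder syntax and the nixbld uid range are assumptions.

```python
import hashlib
import hmac
import re

# Constructed example seed. In the PoC design the seed is read from a seed
# file first, later from a TPM or tang/clevis; never hard-code a real seed.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# Assumption: the default nixbld1..nixbld32 build users occupy these uids.
NIX_BUILD_UIDS = range(30001, 30033)


def derive_secret(seed: bytes, name: str, length: int = 32) -> bytes:
    """Deterministically derive the secret for one file name from the seed.

    Stand-in for gokey: HKDF-SHA256 (RFC 5869) with a fixed salt and the
    secret's name as the info string, so each name yields a distinct key.
    """
    prk = hmac.new(b"aux-secrets-v1", seed, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand
        block = hmac.new(prk, block + name.encode() + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def read_secret(seed: bytes, name: str, uid: int, secure_mode: bool = True) -> bytes:
    """The 'file based API' read path, as a FUSE open() handler would see it.

    In secure mode a nix build user gets an error instead of the bytes, so a
    build that opens the mounted secrets file cannot leak it into the store.
    """
    if secure_mode and uid in NIX_BUILD_UIDS:
        raise PermissionError(f"uid {uid} is a nix build user; refusing to serve {name}")
    return derive_secret(seed, name)


def render_template(template: str, seed: bytes, uid: int) -> str:
    """Interpolate @@secret:NAME@@ placeholders with hex-encoded secrets.

    Uses read_secret so the same access policy applies to templated configs.
    """
    return re.sub(
        r"@@secret:([\w./-]+)@@",
        lambda m: read_secret(seed, m.group(1), uid).hex(),
        template,
    )
```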

Unfinished discussion points from past calls

Action Items

Standing reminders

  • Next meeting will be at the same time next week!