ubuntu-image security overview

Overview of security aspects of ubuntu-image.

Privileged execution

ubuntu-image requires elevated permissions to run properly. It is recommended to use a dedicated build machine. Make sure ubuntu-image is installed from a trusted source and that the provided configuration is trusted.

Cryptography

ubuntu-image is a wrapper around several lower-level tools used to build an Ubuntu image. The use of cryptographic technologies can therefore be divided into two categories:

- Direct use in the `ubuntu-image` tool
- Indirect use in one of the wrapped tools

Cryptography in ubuntu-image itself and Go libraries

- Tarball SHA256 checksum: When building a `classic` image, the user can provide a tarball serving as the rootfs content of the image. The SHA256 checksum of the tarball can optionally be provided to verify that it has not been altered. This verification uses the `crypto/sha256` Go standard library package, which implements the SHA256 hash algorithm as defined in FIPS 180-4.
- Disk UUIDs: To generate unique disk IDs, `ubuntu-image` uses the `Read()` function from the `crypto/rand` Go standard library package, which implements a cryptographically secure random number generator.
- Model assertion signature: When building a `snap` image, the user must provide a signed model assertion. Verification of this signature is handled by the snapd library, which relies on SHA3-384 and SHA512 for hashing and on OpenPGP v4 signatures with RSA 4096/8192 keys.
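The two standard-library mechanisms above (a SHA256 check on user-supplied rootfs content, and disk identifiers drawn from `crypto/rand`) are small enough to show end to end. The following Go program is an added example and is not ubuntu-image's own code: the function names, the constant-time comparison, the strict checksum-format check and the UUID formatting are choices made here for illustration, and the "tarball" content is a constructed stand-in.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// VerifySHA256 streams the tarball content through crypto/sha256 and checks the
// digest against the user-supplied hex checksum. The comparison is constant-time,
// and a checksum that is not 64 hex characters is reported as an error rather
// than being silently treated as a mismatch (a typo in the checksum should stop
// the build loudly, not look like a tampered tarball).
func VerifySHA256(tarball io.Reader, expectedHex string) (bool, error) {
	expected, err := hex.DecodeString(strings.ToLower(strings.TrimSpace(expectedHex)))
	if err != nil {
		return false, fmt.Errorf("checksum is not valid hex: %w", err)
	}
	if len(expected) != sha256.Size {
		return false, fmt.Errorf("checksum is %d bytes, want %d", len(expected), sha256.Size)
	}
	h := sha256.New()
	if _, err := io.Copy(h, tarball); err != nil {
		return false, fmt.Errorf("reading tarball: %w", err)
	}
	return subtle.ConstantTimeCompare(h.Sum(nil), expected) == 1, nil
}

// NewDiskUUID draws 16 bytes from crypto/rand (the CSPRNG the page refers to)
// and formats them as a random (version 4) UUID in the RFC 4122 layout, the
// shape a GPT disk identifier takes. Hypothetical helper for illustration.
func NewDiskUUID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", fmt.Errorf("crypto/rand unavailable: %w", err)
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

func main() {
	// Constructed stand-in for a rootfs tarball; the checksum is its real SHA256.
	content := "hello"
	good := "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"

	ok, err := VerifySHA256(strings.NewReader(content), good)
	fmt.Println("original content matches:", ok, err)

	ok, err = VerifySHA256(strings.NewReader(content+"tampered"), good)
	fmt.Println("tampered content matches:", ok, err)

	id, err := NewDiskUUID()
	fmt.Println("disk UUID:", id, err)
}
```

In a real build the reader passed to `VerifySHA256` would be the opened tarball file; streaming through `io.Copy` keeps memory use flat for multi-gigabyte rootfs archives.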

Cryptography in wrapped tools

- PPA handling: During the build, PPAs (Personal Package Archives) can be added to the `apt` configuration of the image. The fingerprint of the PPA can be declared in the configuration provided to `ubuntu-image`. This value is passed to `gpg` to fetch the keys used to validate the package signatures. The correct handling of these keys is delegated to `gpg`, up to the point where `ubuntu-image` writes them to the resulting `apt` configuration.
- Downloaded resources: During the build, various resources are fetched from remote sources (seeds, packages, gadget trees). `ubuntu-image` does not enforce the use of encrypted communication channels, but if they are used (HTTPS, Git over SSH, etc.), their correct handling is delegated to the tool actually pulling the resource (Germinate, Git, etc.). In that case, if a security-related error causes a tool to fail, `ubuntu-image` also fails and displays the error, so the user is alerted and can take appropriate measures to remedy the problem.

Miscellaneous

Secrets (passwords and hashes) can be present in the configuration files (image definition YAML) provided to `ubuntu-image` to build images. Specifically:

- In the `extra-ppas` customization section, authentication tokens of the form `user:password` can be defined to access private PPAs. These values are used to write the `apt` configuration without any treatment.
- In the `manual` customization section, user accounts can be defined with plain-text or hashed passwords. These values are passed directly to the `chpasswd` utility without any treatment.
- In the `cloud-init` customization section, the given cloud-init configuration can contain hashed passwords. These values are written into cloud-init configuration files without any treatment.

These configuration files should therefore be stored securely, and if secrets are used, they should ideally be injected at runtime.
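One way to follow the "inject at runtime" advice is to keep only placeholders in the committed image definition and resolve them from the build environment immediately before invoking ubuntu-image. The Go program below is an added example, not part of ubuntu-image: the `${NAME}` placeholder syntax, the function names, and the `name`/`auth` field names inside the constructed sample are assumptions for illustration (only the `extra-ppas` section name comes from the page). It refuses to proceed if any placeholder is unset, so a literal placeholder string can never be written into the image's apt configuration.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// placeholder matches ${NAME} tokens in the image definition text. NAME is the
// environment variable expected to carry the secret at build time (assumed syntax).
var placeholder = regexp.MustCompile(`\$\{([A-Z][A-Z0-9_]*)\}`)

// InjectSecrets substitutes every ${NAME} placeholder using lookup (os.LookupEnv
// in practice). An unset or empty secret aborts the whole substitution rather
// than producing a definition with some placeholders left in place.
func InjectSecrets(definition string, lookup func(string) (string, bool)) (string, error) {
	missing := map[string]bool{}
	out := placeholder.ReplaceAllStringFunc(definition, func(tok string) string {
		name := tok[2 : len(tok)-1] // strip "${" and "}"
		v, ok := lookup(name)
		if !ok || v == "" {
			missing[name] = true
			return tok
		}
		return v
	})
	if len(missing) > 0 {
		var names []string
		for _, n := range Placeholders(definition) {
			if missing[n] {
				names = append(names, n)
			}
		}
		return "", fmt.Errorf("unset secret placeholders: %s", strings.Join(names, ", "))
	}
	return out, nil
}

// Placeholders lists the distinct secret names a definition expects, in order of
// first appearance, so a CI job can check its environment before starting a build.
func Placeholders(definition string) []string {
	seen := map[string]bool{}
	var names []string
	for _, m := range placeholder.FindAllStringSubmatch(definition, -1) {
		if !seen[m[1]] {
			seen[m[1]] = true
			names = append(names, m[1])
		}
	}
	return names
}

// sampleDefinition is a constructed fragment of an image definition. The
// extra-ppas section name comes from the page; name/auth are assumed field names.
const sampleDefinition = `customization:
  extra-ppas:
    - name: example/private-ppa
      auth: ${PPA_AUTH}
`

func main() {
	fmt.Println("secrets required:", Placeholders(sampleDefinition))
	resolved, err := InjectSecrets(sampleDefinition, os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to build:", err)
		os.Exit(1)
	}
	// os.CreateTemp creates the file with mode 0600, so the resolved definition
	// (which now holds the real user:password token) is readable only by the
	// build user; it is never written next to the committed template.
	f, err := os.CreateTemp("", "image-definition-*.yaml")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer f.Close()
	if _, err := f.WriteString(resolved); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("resolved definition written to", f.Name())
}
```

Run with `PPA_AUTH=user:password go run .` and the resolved definition is written to a 0600 temp file to pass to ubuntu-image; run without the variable and the program exits before anything is written.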