
US-12619704-B2 - Establishment of signing pipelines and validation of signed software images

US 12619704 B2

Abstract

Methods and systems for using signing pipelines to secure endpoint systems are disclosed. Endpoint systems may be secured using signed images that are signed by the signing pipelines. The signing pipelines may be based on validation rules implemented by the endpoint systems. The validation rules may be analyzed to identify how images must be signed based on the validation rules. The manner in which the images must be signed may be used to instantiate the signing pipeline.

Inventors

  • Bradley K. Goodman
  • Joseph Caisse
  • Eric Joseph Bruno

Assignees

  • DELL PRODUCTS L.P.

Dates

Publication Date
20260505
Application Date
20230531

Claims (20)

  1. A method for managing secure execution of software images, the method comprising: obtaining a software image of the software images; identifying, prior to obtaining a multiply signed copy of the software image, validation rules for the software image, the validation rules specifying: at least two groups of entities and that the multiply signed copy of the software image be signed by one member of each of the at least two groups, that at least one of the at least two groups has at least two members so that alternative authorized signing users for the multiply signed copy of the software image are available, a number of keys required for signing of the multiply signed copy of the software image where each of the keys are associated with at least one of the at least two groups and each of the keys are used to sign an entirety of the software image, a key type for each of the keys, a dependency requirement between the keys, and one or more alternative keys for each of the keys in case any of the keys are unavailable in signing systems of the at least two groups; performing a signing analysis for the software image using the validation rules to obtain a signing pipeline description; instantiating a signing pipeline based on the signing pipeline description to cause, at a start of the signing pipeline, the software image to be transmitted to and multiply signed by a portion of the entities, all of the entities among the portion of the entities apply different security frameworks from one another; receiving, at an end of the signing pipeline, the multiply signed copy of the software image from at least one of the entities; deploying the multiply signed copy of the software image to an endpoint device that implements the validation rules; and initiating validation of the software image using the multiply signed copy of the software image, the validation rules, and a trusted key repository to initiate secure execution of the software image by the endpoint device.
  2. The method of claim 1, wherein the validation rules for the software image specify that a signed copy of the software image be multiply signed with at least two different keys associated with the at least two groups, the two different keys being part of the number of keys specified in the validation rules.
  3. The method of claim 2, wherein the validation rules for the software image further specify that a first key of the at least two different keys be from a first pool of keys associated with a first group of the at least two groups and a second key of the at least two different keys be from a second pool of keys associated with a second group of the at least two groups.
  4. The method of claim 3, wherein the first pool of keys comprises keys associated with a first organization and the second pool of keys comprises keys associated with a second organization, the first organization and the second organization being ones of the entities.
  5. The method of claim 1, wherein the validation rules for the software image further specify that software be multiply signed with two keys from a first pool of keys and two keys from a second pool of keys.
  6. The method of claim 1, wherein performing the signing analysis comprises: identifying at least two organizations based on the validation rules, wherein instantiating the signing pipeline comprises: instructing, using the signing pipeline description, a first signing service managed by a first of the at least two organizations and a second signing service managed by a second of the at least two organizations to cooperatively sign the software image, the at least two organizations being ones of the entities.
  7. A non-transitory machine-readable medium having instructions stored therein, which when executed by at least one processor, cause a data processing system to perform operations for managing secure execution of software images, the operations comprising: obtaining a software image of the software images; identifying, prior to obtaining a multiply signed copy of the software image, validation rules for the software image, the validation rules specifying: at least two groups of entities and that the multiply signed copy of the software image be signed by one member of each of the at least two groups, that at least one of the at least two groups has at least two members so that alternative authorized signing users for the multiply signed copy of the software image are available, a number of keys required for signing of the multiply signed copy of the software image where each of the keys are associated with at least one of the at least two groups and each of the keys are used to sign an entirety of the software image, a key type for each of the keys, a dependency requirement between the keys, and one or more alternative keys for each of the keys in case any of the keys are unavailable in signing systems of the at least two groups; performing a signing analysis for the software image using the validation rules to obtain a signing pipeline description; instantiating a signing pipeline based on the signing pipeline description to cause, at a start of the signing pipeline, the software image to be transmitted to and multiply signed by a portion of the entities, all of the entities among the portion of the entities apply different security frameworks from one another; receiving, at an end of the signing pipeline, the multiply signed copy of the software image from at least one of the entities; deploying the multiply signed copy of the software image to an endpoint device that implements the validation rules; and initiating validation of the software image using the multiply signed copy of the software image, the validation rules, and a trusted key repository to initiate secure execution of the software image by the endpoint device.
  8. The non-transitory machine-readable medium of claim 7, wherein the validation rules for the software image specify that a signed copy of the software image be multiply signed with at least two different keys associated with the entities.
  9. The non-transitory machine-readable medium of claim 8, wherein the validation rules for the software image further specify that a first key of the at least two different keys be from a first pool of keys and a second key of the at least two different keys be from a second pool of keys.
  10. The non-transitory machine-readable medium of claim 9, wherein the validation rules for the software image further specify that the first pool of keys and the second pool of keys be any two different pools of keys of multiple pools of keys.
  11. The non-transitory machine-readable medium of claim 9, wherein the first pool of keys comprises keys associated with a first organization and the second pool of keys comprises keys associated with a second organization, the first organization and the second organization being ones of the entities.
  12. The non-transitory machine-readable medium of claim 7, wherein the validation rules for the software image further specify that software be multiply signed with two keys from a first pool of keys and two keys from a second pool of keys.
  13. The non-transitory machine-readable medium of claim 7, wherein performing the signing analysis comprises: identifying at least two organizations based on the validation rules, wherein instantiating the signing pipeline comprises: instructing, using the signing pipeline description, a first signing service managed by a first of the at least two organizations and a second signing service managed by a second of the at least two organizations to cooperatively sign the software image, the at least two organizations being ones of the entities.
  14. A data processing system, comprising: at least one processor; and a memory coupled to the processor to store instructions, which when executed by the processor, cause the data processing system to perform operations for managing secure execution of software images, the operations comprising: obtaining a software image of the software images; identifying, prior to obtaining a multiply signed copy of the software image, validation rules for the software image, the validation rules specifying: at least two groups of entities and that the multiply signed copy of the software image be signed by one member of each of the at least two groups, that at least one of the at least two groups has at least two members so that alternative authorized signing users for the multiply signed copy of the software image are available, a number of keys required for signing of the multiply signed copy of the software image where each of the keys are associated with at least one of the at least two groups and each of the keys are used to sign an entirety of the software image, a key type for each of the keys, a dependency requirement between the keys, and one or more alternative keys for each of the keys in case any of the keys are unavailable in signing systems of the at least two groups; performing a signing analysis for the software image using the validation rules to obtain a signing pipeline description; instantiating a signing pipeline based on the signing pipeline description to cause, at a start of the signing pipeline, the software image to be transmitted to and multiply signed by a portion of the entities, all of the entities among the portion of the entities applying different security frameworks from one another; receiving, at an end of the signing pipeline, the multiply signed copy of the software image from at least one of the entities; deploying the multiply signed copy of the software image to an endpoint device that implements the validation rules; and initiating validation of the software image using the multiply signed copy of the software image, the validation rules, and a trusted key repository to initiate secure execution of the software image by the endpoint device.
  15. The method of claim 1, wherein the multiply signed copy of the software image can only be validated using one or more trusted keys stored in a trusted key repository that is accessible to an endpoint device to which the multiply signed copy of the software image is to be deployed and executed, and all of the one or more trusted keys are further signed using a different key that is associated with a root of trust of the endpoint device and that is not among the one or more trusted keys stored within the trusted key repository.
  16. The method of claim 1, wherein the software image is transmitted to the entities along with the signing pipeline description, and each of the entities use the signing pipeline description to at least determine where the software image should be transmitted next after each of the entities has signed the software image.
  17. The method of claim 15, wherein the signing systems of the at least two groups comprise a first signing system of a first group of the at least two groups and a second signing system of a second group of the at least two groups, the first signing system and the second signing system operate independently of one another and each comprises differently configured identity and access management systems and hardware modules for security, and the identity and access management systems of each of the first signing system and the second signing system store and sign the multiply signed copy of the software image on behalf of each of the authorized signing users without any of the authorized signing users having access to the keys used for the signing.
  18. The data processing system of claim 14, wherein the validation rules for the software image specify that a signed copy of the software image be multiply signed with at least two different keys associated with the entities.
  19. The data processing system of claim 18, wherein the validation rules for the software image further specify that a first key of the at least two different keys be from a first pool of keys and a second key of the at least two different keys be from a second pool of keys.
  20. The data processing system of claim 19, wherein the validation rules for the software image further specify that the first pool of keys and the second pool of keys be any two different pools of keys of multiple pools of keys.

Description

FIELD

Embodiments disclosed herein relate generally to validation. More particularly, embodiments disclosed herein relate to image validation.

BACKGROUND

Computing devices may provide computer-implemented services. The computer-implemented services may be used by users of the computing devices and/or devices operably connected to the computing devices. The computer-implemented services may be performed with hardware components such as processors, memory modules, storage devices, and communication devices. The operation of these components and the components of other devices may impact the performance of the computer-implemented services.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments disclosed herein are illustrated by way of example and not limitation in the figures of the accompanying drawings in which like references indicate similar elements.

FIG. 1 shows a block diagram illustrating a system in accordance with an embodiment.
FIGS. 2A-2C show data flow diagrams in accordance with an embodiment.
FIG. 3 shows a flow diagram illustrating a method in accordance with an embodiment.
FIG. 4 shows a block diagram illustrating a data processing system in accordance with an embodiment.

DETAILED DESCRIPTION

Various embodiments will be described with reference to details discussed below, and the accompanying drawings will illustrate the various embodiments. The following description and drawings are illustrative and are not to be construed as limiting. Numerous specific details are described to provide a thorough understanding of various embodiments. However, in certain instances, well-known or conventional details are not described in order to provide a concise discussion of embodiments disclosed herein.

Reference in the specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in conjunction with the embodiment can be included in at least one embodiment. The appearances of the phrases “in one embodiment” and “an embodiment” in various places in the specification do not necessarily all refer to the same embodiment.

References to an “operable connection” or “operably connected” mean that a particular device is able to communicate with one or more other devices. The devices themselves may be directly connected to one another or may be indirectly connected to one another through any number of intermediary devices, such as in a network topology.

In general, embodiments disclosed herein relate to methods and systems for establishing signing pipelines usable to secure endpoint devices. The signing pipelines may be used to sign software images used by the endpoint devices. The endpoint devices may use the signatures from the signed software images to discriminate trustworthy from untrustworthy software.

To discriminate the trustworthy software images, the endpoint devices may use a set of validation rules that require a software image to be signed multiple times. The validation rules may also require that the signatures be applied by different signing systems and that the keys used for signing be associated with different entities that authorize use of the keys in the signing. By doing so, compromises of signing systems may be less likely to result in compromises of endpoint devices. For example, to compromise an endpoint device, a malicious entity may be required to compromise multiple signing systems. Because the signing systems may be implemented by different organizations with different security frameworks, compromise of multiple systems sufficient to sign software images maliciously may be unlikely.

To obtain the signed software images, the validation rules may be analyzed to obtain a signing pipeline description. The signing pipeline description may be used to configure multiple signing systems into a signing pipeline. The signing pipeline may allow software images to be signed multiple times and in accordance with the validation rules.

Thus, embodiments disclosed herein may address, among other technical problems, the technical problem of security in systems that rely on cryptographic verification such as signatures. Because signatures may only provide security when the keys and processes used in the signing remain secure, even a cryptographically signed data structure may still be untrustworthy. To address this technical problem, embodiments disclosed herein may facilitate multiple signing of data structures, thereby improving the trustworthiness of the signed data structures.

In an embodiment, a method for managing secure execution of software images is provided. The method may include obtaining a software image of the software images; identifying validation rules for the software image; performing a signing analysis for the software image using the validation rules to obtain a signing pipeline description; instantiating a signing pipeline based on the signing pipeline description; and obtaining a signed copy of the software image using the signing
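The multiply signed workflow in claim 1 and the endpoint validation against a root-of-trust-endorsed key repository in claim 15, shown as an added Go example; this is not code from the patent or from Dell. It assumes Ed25519 for every key, models the validation rules only as the list of groups that must each sign (the key-type and dependency requirements of claim 1 are not modeled), uses a constructed `id|group|pubkey` byte string as what the root of trust signs for each repository entry, and constructs two organizations, "orgA" and "orgB", with two keys each so that an alternative key exists in every group. `RunPipeline` routes the image to each required group's signing service in the order the rules list them, which is the pipeline the signing analysis would describe; `ValidateImage` is the endpoint-side check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signature is one signature over the entire image plus the id of the key that made it.
type Signature struct {
	KeyID string
	Sig   []byte
}

// TrustedKey is one trusted key repository entry. As in claim 15, each entry is endorsed
// (RootSig) by a root-of-trust key that is itself kept outside the repository.
type TrustedKey struct {
	ID, Group string // Group names the organization / key pool the key belongs to
	PubKey    ed25519.PublicKey
	RootSig   []byte
}

// Services maps a group to the private keys its own signing system holds on behalf of its users.
type Services map[string]map[string]ed25519.PrivateKey

// keyBinding is the constructed byte string the root of trust signs to endorse one repository entry.
func keyBinding(id, group string, pub ed25519.PublicKey) []byte {
	return append([]byte(id+"|"+group+"|"), pub...)
}

// RunPipeline routes the image to each required group's signing service in turn; that service
// signs the whole image with the first repository key of its group it actually holds.
func RunPipeline(image []byte, requiredGroups []string, repo []TrustedKey, svcs Services) ([]Signature, error) {
	var sigs []Signature
	for _, g := range requiredGroups {
		n := len(sigs)
		for _, k := range repo {
			if priv, ok := svcs[g][k.ID]; ok && k.Group == g {
				sigs = append(sigs, Signature{KeyID: k.ID, Sig: ed25519.Sign(priv, image)})
				break
			}
		}
		if len(sigs) == n {
			return nil, fmt.Errorf("group %s has no usable signing key", g)
		}
	}
	return sigs, nil
}

// ValidateImage is the endpoint-side check: the rules must name at least two distinct groups,
// every repository key must be endorsed by the root of trust, every signature must verify over
// the whole image with a trusted key, and every required group must be covered by one of them.
func ValidateImage(image []byte, sigs []Signature, requiredGroups []string, repo []TrustedKey, root ed25519.PublicKey) error {
	required := map[string]bool{}
	for _, g := range requiredGroups {
		required[g] = true
	}
	if len(required) < 2 {
		return fmt.Errorf("validation rules must name at least two distinct groups")
	}
	byID := map[string]TrustedKey{}
	for _, k := range repo {
		if !ed25519.Verify(root, keyBinding(k.ID, k.Group, k.PubKey), k.RootSig) {
			return fmt.Errorf("trusted key %s is not endorsed by the root of trust", k.ID)
		}
		byID[k.ID] = k
	}
	covered := map[string]bool{}
	for _, s := range sigs {
		k, ok := byID[s.KeyID]
		if !ok || !ed25519.Verify(k.PubKey, image, s.Sig) {
			return fmt.Errorf("signature attributed to %s does not verify", s.KeyID)
		}
		covered[k.Group] = true
	}
	for g := range required {
		if !covered[g] {
			return fmt.Errorf("no valid signature from group %s", g)
		}
	}
	return nil
}

// NewFixture is a constructed scenario, not taken from the patent: one root of trust and two
// organizations ("orgA", "orgB") with two keys each, so every group has an alternative key.
func NewFixture() (root ed25519.PublicKey, repo []TrustedKey, svcs Services) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	svcs = Services{}
	for _, g := range []string{"orgA", "orgB"} {
		svcs[g] = map[string]ed25519.PrivateKey{}
		for i := 1; i <= 2; i++ {
			id := fmt.Sprintf("%s-key%d", g, i)
			pub, priv, _ := ed25519.GenerateKey(rand.Reader)
			svcs[g][id] = priv
			repo = append(repo, TrustedKey{ID: id, Group: g, PubKey: pub, RootSig: ed25519.Sign(rootPriv, keyBinding(id, g, pub))})
		}
	}
	return rootPub, repo, svcs
}
```

Calling `NewFixture`, deleting "orgA-key1" from orgA's service and running `RunPipeline` with the rules `[]string{"orgA", "orgB"}` shows the fallback to the alternative key: the result carries "orgA-key2" and "orgB-key1". `ValidateImage` then accepts the intact image and rejects a tampered copy, a copy carrying only one group's signature, rules that name a single group twice, and a repository entry whose root endorsement is missing. An endpoint that skipped the endorsement check would let anyone who could write to the repository add their own key, which is exactly the single point of compromise the two-group rule is meant to remove.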