update clef pages

This commit is contained in:
Joe 2022-08-15 11:44:04 +01:00
parent b9356e6894
commit 99a756517a
3 changed files with 117 additions and 94 deletions

@ -1,18 +1,25 @@
---
title: Clique-signing with Clef
sort_key: C
title:Clique signing
---
The 'classic' way to sign PoA blocks is to use the "unlock"-feature of `geth`. This is a highly dangerous thing to do, because "unlock" is totally un-discriminatory. Meaning: if an account is unlocked and an attacker obtains access to the RPC api, the attacker can have anything signed by that account, without supplying a password.
Clique is a proof-of-authority system where new blocks can be created by authorized signers only. The initial set of authorized signers is configured in the genesis block. Signers can be authorized and de-authorized using a voting mechanism, thus allowing the set of signers to change while the blockchain operates. Signing blocks in Clique networks classically uses the "unlock" feature of Geth so that each node is always ready to sign without requiring a user to manually provide authorization.
The idea with `clef` was to remove the `unlock` capability, yet still provide sufficient usability to make it possible to automate some things while maintaining a high level of security. This post will show how to integrate `clef` as a sealer of clique-blocks.
However, using the `--unlock` flag is generally a highly dangerous thing to do because it is indiscriminate, i.e. if an account is unlocked and an attacker obtains access to the RPC api, the attacker can sign anything without supplying a password.
## Part 0: Prepping a Clique network
Clef provides a way to safely circumvent `--unlock` while maintaining a enough automation for the network to be useable.
Feel free to skip this section if you already have a Clique-network.
## Prerequisites
First of all, we'll set up a rudimentary testnet to have something to sign on. We create a new keystore (password `testtesttest`)
```
It is useful to have basic knowledge of private networks and Clef. These topics are covered on our [private networks](/content/docs/developers/geth-developer/private-network) and [Introduction to Clef](/content/docs/tools/Clef/introduction) pages.
{:toc}
- this will be removed by the toc
## Prepping a Clique network
First of all, set up a rudimentary testnet to have something to sign. Create a new keystore (password `testtesttest`)
```terminal
$ geth account new --datadir ./ddir
INFO [06-16|11:10:39.600] Maximum peer count ETH=50 LES=0 total=50
Your new account is locked with a password. Please give a password. Do not forget this password.
@ -30,7 +37,8 @@ Path of the secret key file: ddir/keystore/UTC--2022-06-16T09-10-48.578523828Z--
- You must REMEMBER your password! Without the password, it's impossible to decrypt the key!
```
And create a genesis with that account as a sealer:
Create a genesis with that account as a sealer:
```json
{
"config": {
@ -57,7 +65,9 @@ And create a genesis with that account as a sealer:
}
}
```
And init `geth`
Initiate Geth:
```
$ geth --datadir ./ddir init genesis.json
...
@ -66,16 +76,16 @@ INFO [06-16|11:14:54.125] Persisted trie from memory database nodes=1 size=
INFO [06-16|11:14:54.125] Successfully wrote genesis state database=lightchaindata hash=187412..4deb98
```
At this point, we have a Clique network which we can start sealing on.
At this point a Clique network exists with blocks that can be signed.
## Part 1: Prepping Clef
## Prepping Clef
In order to make use of `clef` for signing, we need to do a couple of things.
In order to make use of Clef for signing:
1. Make sure that `clef` knows the password for the keystore.
2. Make sure that `clef` auto-approves clique signing requests.
1. Ensure Clef knows the password for the keystore.
2. Ensure Clef auto-approves clique signing requests.
These two things are independent of each other. First of all, however, we need to `init` clef (for this test I use the password `clefclefclef`)
These two things are independent of each other. First of all, however, Clef must be initiated (for this example the password is `clefclefclef`)
```
$ clef --keystore ./ddir/keystore --configdir ./clef --chainid 15 --suppress-bootwarn init
@ -97,11 +107,11 @@ You should treat 'masterseed.json' with utmost secrecy and make a backup of it!
* The master seed does not contain your accounts, those need to be backed up separately!
```
After this operation, `clef` has it's own vault where it can store secrets and attestations, which we will utilize going forward.
After this operation, `clef` has it's own vault where it can store secrets and attestations.
### Storing passwords in `clef`
## Storing passwords in `clef`
With that done, we can now make `clef` aware of the password. We invoke `setpw <address>` to store a password for a given address. `clef` asks for the password, and it also asks for the clef master-password, in order to update and store the new secrets inside clef vault.
With that done, Clef can be made aware of the password. To do this `setpw <address>` is invoked to store a password for a given address. Clef asks for the password, and it also asks for the Clef master-password, in order to update and store the new secrets inside Clef vault.
```
$ clef --keystore ./ddir/keystore --configdir ./clef --chainid 15 --suppress-bootwarn setpw 0x9CD932F670F7eDe5dE86F756A6D02548e5899f47
@ -113,25 +123,27 @@ Repeat password:
Decrypt master seed of clef
Password:
INFO [06-16|11:27:09.153] Credential store updated set=0x9CD932F670F7eDe5dE86F756A6D02548e5899f47
```
At this point, if we were to use clef as a sealer, we would be forced to manually click Approve for each block, but we would not be required to provide the password.
At this point, if Clef is used as a sealer, each block would require manual approval, but without needing to provide the password.
#### Testing stored password
### Testing stored password
Let's test using the stored password when sealing Clique-blocks. Start `clef` with
```
To test that the stored password is correct and being properly handled by Clef, first start Clef:
```sh
$ clef --keystore ./ddir/keystore --configdir ./clef --chainid 15 --suppress-bootwarn
```
And start `geth` with
```
then start Geth:
```sh
$ geth --datadir ./ddir --signer ./clef/clef.ipc --mine
```
Geth will ask what accounts are present, to which we need to manually enter `y` to approve:
Geth will ask what accounts are present - enter `y` to approve:
```
```terminal
-------- List Account request--------------
A request has been made to list all accounts.
You can select which accounts the caller can see
@ -139,7 +151,7 @@ You can select which accounts the caller can see
URL: keystore:///home/user/tmp/clique_clef/ddir/keystore/UTC--2022-06-16T09-10-48.578523828Z--9cd932f670f7ede5de86f756a6d02548e5899f47
-------------------------------------------
Request context:
NA -> ipc -> NA
NA - ipc - NA
Additional HTTP header data, provided by the external caller:
User-Agent: ""
@ -149,7 +161,7 @@ Approve? [y/N]:
DEBUG[06-16|11:36:42.499] Served account_list reqid=2 duration=3.213768195s
```
After this, `geth` will start asking `clef` to sign things:
After this, Get will start asking Clef to sign things:
```
-------- Sign data request--------------
@ -169,17 +181,18 @@ Additional HTTP header data, provided by the external caller:
Approve? [y/N]:
> y
```
And indeed, after approving with `y`, we are not required to provide the password -- the signed block is returned to geth:
```
And indeed, after approving with `y`, the password is not required - the signed block is returned to Geth:
```terminal
INFO [06-16|11:36:46.714] Successfully sealed new block number=1 sealhash=9589ed..662d03 hash=bd20b9..af8b87 elapsed=4.214s
```
This mode of operation is somewhat unusable, since we'd need to keep "Approving" each block to be sealed. So let's fix that too.
This mode of operation offers quite a poor UX because each block to be sealed requires manual approval. That is fixed in the following section.
### Using rules to approve blocks
## Using rules to approve blocks
The basic idea with clef rules, is to let a piece of javascript take over the Approve/Deny decision. The javascript snippet has access to the same information as the manual operator.
Clef rules allow a piece of Javascript take over the Approve/Deny decision. The Javascript snippet has access to the same information as the manual operator.
Let's try with a simplistic first approach, which approves listing, and spits out the request data for `ApproveListing`
The first approach, which approves listing, and returns the request data for `ApproveListing`, is demonstrated below:
```js
function ApproveListing(){
@ -191,21 +204,28 @@ function ApproveSignData(r){
console.log(JSON.stringify(r))
}
```
In order to use a certain rule-file, we must first `attest` it. This is to prevent someone from modifying a ruleset-file on disk after creation.
```
In order to use a certain ruleset, it must first be 'attested'. This is to prevent someone from modifying a ruleset-file on disk after creation.
```sh
$ clef --keystore ./ddir/keystore --configdir ./clef --chainid 15 --suppress-bootwarn attest `sha256sum rules.js | cut -f1`
```
which returns:
```terminal
Decrypt master seed of clef
Password:
INFO [06-16|13:49:00.298] Ruleset attestation updated sha256=54aae496c3f0eda063a62c73ee284ca9fae3f43b401da847ef30ea30e85e35d1
```
And then we can start clef, pointing out the `rules.js` file. OBS: if you later modify this file, you need to redo the `attest`-step.
```
And Clef can be started, pointing out the `rules.js` file.
```sh
$ clef --keystore ./ddir/keystore --configdir ./clef --chainid 15 --suppress-bootwarn --rules ./rules.js
```
Once `geth` starts asking it to seal blocks, we will now see the data. And from that, we can decide on how to make a rule which allows signing clique headers but nothing else.
Once Geth starts asking Clef to seal blocks, the data will be displayed. From that data, rules can be defined that allow signing clique headers but nothing else.
The actual data that gets passed to the js environment (and which our ruleset spit out to the console) looks like this:
The actual data that gets passed to the js environment (and which the ruleset display in the terminal) looks as follows:
```json
{
"content_type": "application/x-clique-header",
@ -230,9 +250,9 @@ The actual data that gets passed to the js environment (and which our ruleset sp
}
```
If we wanted our js to be extremely trustless/paranoid, we could (inside the javascript) take the `raw_data` and verify that it's the rlp structure for a clique header:
To create an extremely trustless ruleset, the `raw_data` could be verified to ensure it has the right rlp structure for a Clique header:
```
```sh
echo "+QIUoL0guY+66jZpzZh1wDX4Si/ycX4zD8FQqF/1Apy/r4uHoB3MTejex116q4W1Z7bM1BrTEkUblIp0E/ChQv1A1JNHlAAAAAAAAAAAAAAAAAAAAAAAAAAAoF0xJQr87ifQZc7HdMxcPwk0do8Gy/igUDX+TuoPZv6coFboHxcbzFWm/4NF5pLA+G5bSOAbmWytwAFiL7XjY7QhoFboHxcbzFWm/4NF5pLA+G5bSOAbmWytwAFiL7XjY7QhuQEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICg3pPDoCEYqsY1qDYgwEKFIRnZXRoiGdvMS4xOC4xhWxpbnV4AAAAAAAAAKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIgAAAAAAAAAAA==" | base64 -d | rlpdump
[
bd20b98fbaea3669cd9875c035f84a2ff2717e330fc150a85ff5029cbfaf8b87,
@ -252,7 +272,7 @@ If we wanted our js to be extremely trustless/paranoid, we could (inside the jav
0000000000000000,
]
```
However, we can also use the `messages`. They do not come from the external caller, but are generated from the `clef` internals: `clef` parsed the incoming request and verified the Clique wellformedness of the content. So we let's just check for such a message:
However, `messages` could also be used. They do not come from the external caller, but are generated from the Clef internals: Clef parsed the incoming request and verified the Clique wellformedness of the content. The following simply checks for such a message:
```js
function OnSignerStartup(info){}
@ -273,24 +293,33 @@ function ApproveSignData(r){
return "Reject"
}
```
Attest
```
Attest the ruleset:
```sh
$ clef --keystore ./ddir/keystore --configdir ./clef --chainid 15 --suppress-bootwarn attest `sha256sum rules.js | cut -f1`
```
returning
```terminal
Decrypt master seed of clef
Password:
INFO [06-16|14:18:53.476] Ruleset attestation updated sha256=7d5036d22d1cc66599e7050fb1877f4e48b89453678c38eea06e3525996c2379
```
Run clef
```
$ clef --keystore ./ddir/keystore --configdir ./clef --chainid 15 --suppress-bootwarn --rules ./rules.js
Run clef:
```sh
$ clef --keystore ./ddir/keystore --configdir ./clef --chainid 15 --suppress-bootwarn --rules ./rules.js
```
Run geth
```
Run Geth:
```sh
$ geth --datadir ./ddir --signer ./clef/clef.ipc --mine
```
And you should now see `clef` happily signing blocks:
```
And Clef should now happily sign blocks:
```terminal
DEBUG[06-16|14:20:02.136] Served account_version reqid=1 duration="131.38µs"
INFO [06-16|14:20:02.289] Op approved
DEBUG[06-16|14:20:02.289] Served account_list reqid=2 duration=4.672441ms
@ -302,18 +331,18 @@ INFO [06-16|14:20:32.823] Op approved
DEBUG[06-16|14:20:33.584] Served account_signData reqid=5 duration=766.840681ms
```
### Further refinements
## Refinements
If an attacker find the clef "external" interface (which would only happen if you start it with `http` enabled) , he
If an attacker find the Clef "external" interface (which would only happen if you start it with `http` enabled), they
- cannot make it sign arbitrary transactions,
- cannot sign arbitrary data message,
However, he could still make it sign e.g. 1000 versions of a certain block height, making the chain very unstable.
However, they could still make it sign e.g. 1000 versions of a certain block height, making the chain very unstable.
It is possible for rule execution to be stateful -- storing data. In this case, one could for example store what block heights have been sealed, and thus reject sealing a particular block height twice. In other words, we can use these rules to build our own version of an Execution-Layer slashing-db.
It is possible for rule execution to be stateful (i.e. storing data). In this case, one could, for example, store what block heights have been sealed and reject sealing a particular block height twice. In other words, these rules could be used to build a miniature version of an execution layer slashing-db.
We simply split the `clique header 2 [0xae525b65bc7f711bc136f502650039cd6959c3abc28fdf0ebfe2a5f85c92f3b6]` line, and store/check the number, using `storage.get` and `storage.put`:
The `clique header 2 [0xae525b65bc7f711bc136f502650039cd6959c3abc28fdf0ebfe2a5f85c92f3b6]` line is split, and the number stored using `storage.get` and `storage.put`:
```js
function OnSignerStartup(info){}
@ -343,7 +372,8 @@ function ApproveSignData(r){
}
```
Running with this ruleset:
```
```terminal
JS:> number 45 latest 44
INFO [06-16|22:26:43.023] Op approved
DEBUG[06-16|22:26:44.305] Served account_signData reqid=3 duration=1.287465394s
@ -351,13 +381,13 @@ JS:> number 46 latest 45
INFO [06-16|22:26:44.313] Op approved
DEBUG[06-16|22:26:45.317] Served account_signData reqid=4 duration=1.010612774s
```
This might be a bit over-the-top, security-wise, and may cause problems, if for some reason a clique-deadlock needs to be resolved by rolling back and continuing on a side-chain. It is mainly meant as a demonstration that rules can use javascript and statefulness to construct very intricate signing logic.
This might be a bit over-the-top, security-wise, and may cause problems if, for some reason, a clique-deadlock needs to be resolved by rolling back and continuing on a side-chain. It is mainly meant as a demonstration that rules can use Javascript and statefulness to construct very intricate signing logic.
### TLDR quick-version
## TLDR quick-version
Creation and attestation is a one-off event:
```bash
```sh
## Create the rules-file
cat << END > rules.js
function OnSignerStartup(info){}
@ -384,10 +414,15 @@ clef --keystore ./ddir/keystore \
--suppress-bootwarn --signersecret ./clefpw \
attest `sha256sum rules.js | cut -f1`
```
The normal startup command for `clef`:
```bash
The normal startup command for Clef:
```sh
clef --keystore ./ddir/keystore \
--configdir ./clef --chainid 15 \
--suppress-bootwarn --signersecret ./clefpw --rules ./rules.js
```
For `geth`, the only change is to provide `--signer <path to clef ipc>`.
For Geth, the only change is to provide `--signer <path to clef ipc>`.
## Summary
Clef can be used as a signer that automatically seals Clique blocks. This is a much more secure option than unlocking accounts using Geth's built-in account manager.

@ -3,17 +3,17 @@ title: Advanced setup
sort_key: D
---
Clef is a signer and account management tool that is external to Geth. This means it can be run as a separate process or even on a separate machine to the one running Geth, for example on secure hardware that is not connected to any external network, or on secure virtual machines.
This page describes how Clef can be used with Qubes OS to provide a more secure setup than a normal laptop. Using Clef with USBArmory hardware is also briefly described.
This document describes how Clef can be used in a more secure manner than executing it from your everyday laptop,
in order to ensure that the keys remain safe in the event that your computer should get compromised.
{:toc}
- this will be removed by the toc
## Qubes OS
### Background
The Qubes operating system is based around virtual machines (qubes), where a set of virtual machines are configured, typically for
different purposes such as:
The Qubes operating system configures a set of virtual machines for different purposes such as:
- personal
- Your personal email, browsing etc
@ -28,14 +28,12 @@ A couple of dedicated virtual machines handle externalities:
- sys-firewall handles firewall rules
- sys-usb handles USB devices, and can map usb-devices to certain qubes.
The goal of this document is to describe how we can set up clef to provide secure transaction
signing from a `vault` vm, to another networked qube which runs Dapps.
The goal of this document is to describe how we can set up Clef to provide secure transaction signing from a `vault` vm, to another networked qube which runs Dapps.
### Setup
There are two ways that this can be achieved: integrated via Qubes or integrated via networking.
#### 1. Qubes Integrated
Qubes provides a facility for inter-qubes communication via `qrexec`. A qube can request to make a cross-qube RPC request
@ -46,7 +44,7 @@ to another qube. The OS then asks the user if the call is permitted.
A policy-file can be created to allow such interaction. On the `target` domain, a service is invoked which can read the
`stdin` from the `client` qube.
This is how [Split GPG](https://www.qubes-os.org/doc/split-gpg/) is implemented. We can set up Clef the same way:
This is how [Split GPG](https://www.qubes-os.org/doc/split-gpg/) is implemented. Clef can be set up in the same way:
##### Server
@ -54,8 +52,6 @@ This is how [Split GPG](https://www.qubes-os.org/doc/split-gpg/) is implemented.
On the `target` qubes, we need to define the RPC service.
[qubes.Clefsign](qubes.Clefsign):
```bash
#!/bin/bash
@ -80,7 +76,7 @@ It will forward the data received on `stdin` (forwarded by the OS) to Clef's HTT
It would have been possible to send data directly to the `/home/user/.clef/.clef.ipc`
socket via e.g `nc -U /home/user/.clef/clef.ipc`, but the reason for sending the request
data over `HTTP` instead of `IPC` is that we want the ability to forward `HTTP` headers.
data over `HTTP` instead of `IPC` is for the ability to forward `HTTP` headers.
To enable the service:
@ -94,14 +90,9 @@ with minimal requirements.
##### Client
On the `client` qube, we need to create a listener which will receive the request from the Dapp, and proxy it.
[qubes-client.py](qubes-client.py):
On the `client` qube, a listener is required to receive the request from the Dapp, and proxy it.
```python
"""
This implements a dispatcher which listens to localhost:8550, and proxies
requests via qrexec to the service qubes.EthSign on a target domain
@ -124,13 +115,11 @@ class Dispatcher(http.server.BaseHTTPRequestHandler):
with socketserver.TCPServer(("",PORT), Dispatcher) as httpd:
print("Serving at port", PORT)
httpd.serve_forever()
```
#### Testing
To test the flow, if we have set up `debian-work` as the `target`, we can do
To test the flow, with `debian-work` as the `target`:
```bash
$ cat newaccnt.json
@ -147,7 +136,7 @@ Followed by a GTK-dialog to approve the operation:
![two](qubes_newaccount-2.png)
To test the full flow, we use the client wrapper. Start it on the `client` qube:
To test the full flow, start the client wrapper on the `client` qube:
```
[user@work qubes]$ python3 qubes-client.py
```
@ -186,16 +175,14 @@ from other qubes.
![Clef via http](clef_qubes_http.png)
## USBArmory
The [USB armory](https://inversepath.com/usbarmory) is an open source hardware design with an 800 MHz ARM processor. It is a pocket-size
computer. When inserted into a laptop, it identifies itself as a USB network interface, basically adding another network
to your computer. Over this new network interface, you can SSH into the device.
to your computer that can be used to SSH into the device.
Running Clef off a USB armory means that you can use the armory as a very versatile offline computer, which only
ever connects to a local network between your computer and the device itself.
Running Clef off a USB armory means that the armory can be used as a very versatile offline computer, which only
ever connects to a local network between the local computer and the device itself.
Needless to say, while this model should be fairly secure against remote attacks, an attacker with physical access
to the USB Armory would trivially be able to extract the contents of the device filesystem.

@ -5,7 +5,8 @@ sort_key: F
## UI Client interface
These data types are defined in the channel between clef and the UI
These data types are defined in the channel between Clef and the UI
### SignDataRequest
SignDataRequest contains information about a pending request to sign some data. The data to be signed can be of various types, defined by content-type. Clef has done most of the work in canonicalizing and making sense of the data, and it's up to the UI to present the user with the contents of the `message`