Dasharo BIOS firmware (MSI PRO Z690-A motherboard)

I am looking to flash Dasharo into the BIOS of my MSI PRO Z690-A motherboard and I ran into a few problems. Specifically, they offer a release signing key (“Dasharo Tools Suite open-source software release 1.2.x signing key”), but this key isn’t signed by the master key (“3mdeb Dasharo Master Key”). Am I making an error and it actually is signed? Or is it just not signed?

It seems they are defeating the purpose of having a master key to verify release keys if it is the case that it isn’t signed by it. Am I missing something?


Isn’t the master key specially for the Dasharo firmware?

I don’t think it’s the master key for everything released, and DTS is a different project.

The DTS (“Dasharo Tools Suite”) is closely related, so it seems like it would make sense for them to sign it with the Dasharo Master key, but also they include a video as a guide to verify the install in the releases part of their website. In the video it includes the retrieval of the “3mdeb master key”, “3mdeb Dasharo master key”, and “Dasharo Tools Suite open-source software release 1.2.x signing key”. The “3mdeb master key” signed the “3mdeb Dasharo master key” and then the next logical step would be for the “3mdeb Dasharo master key” to sign the “Dasharo Tools Suite open-source software release 1.2.x signing key”, but it doesn’t.

@jjones274, maybe we have something messed up in 3mdeb-secpack. Feel free to contact us over Dasharo Matrix to discuss this issue directly or submit an issue in the repository. The signature structure should be as follows:

vault% gpg --list-sigs "Dasharo Tools Suite"
pub   rsa4096 2022-10-28 [SCA] [expires: 2023-10-28]
      DB30C300C63ECC259C59C55CFEA59F60BB020E53
uid           [ultimate] Dasharo Tools Suite  open-source software release 1.1.x signing key
sig 3        FEA59F60BB020E53 2022-10-28  Dasharo Tools Suite  open-source software release 1.1.x signing key
sig          ABE1D0BC66278008 2022-10-28  3mdeb Dasharo Master Key
sub   rsa4096 2022-10-28 [E] [expires: 2023-10-28]
sig          FEA59F60BB020E53 2022-10-28  Dasharo Tools Suite  open-source software release 1.1.x signing key

pub   rsa4096 2023-03-29 [SCA] [expires: 2024-03-28]
      74DFCE2041B21EC2F316D65469C1B19860C5167B
uid           [ultimate] Dasharo Tools Suite open-source software release 1.2.x signing key
sig 3        69C1B19860C5167B 2023-03-29  Dasharo Tools Suite open-source software release 1.2.x signing key
sig          ABE1D0BC66278008 2023-03-29  3mdeb Dasharo Master Key
sub   rsa4096 2023-03-29 [E] [expires: 2024-03-28]
sig          69C1B19860C5167B 2023-03-29  Dasharo Tools Suite open-source software release 1.2.x signing key

vault% gpg --list-sigs "3mdeb Dasharo Master Key"
pub   rsa4096 2021-02-03 [SC] [expires: 2026-02-02]
      0D5F6F1DA800329EB7C597A2ABE1D0BC66278008
uid           [ultimate] 3mdeb Dasharo Master Key
sig 3        ABE1D0BC66278008 2021-02-03  3mdeb Dasharo Master Key
sig          4AFD81D97BD37C54 2021-02-03  3mdeb Master Key <contact@3mdeb.com>
sub   rsa4096 2021-02-03 [E] [expires: 2026-02-02]
sig          ABE1D0BC66278008 2021-02-03  3mdeb Dasharo Master Key

vault% gpg --list-sigs "3mdeb Master Key" 
pub   rsa4096 2019-02-12 [SC]
      1B5785C2965D84CF85D1652B4AFD81D97BD37C54
uid           [  full  ] 3mdeb Master Key <contact@3mdeb.com>
sig 3        4AFD81D97BD37C54 2019-02-12  3mdeb Master Key <contact@3mdeb.com>
sig          B2EE71E967AA9E4C 2019-02-12  Piotr Król <piotr.krol@3mdeb.com>

Please let me know if this clarifies the concern about signatures. Also, if we can improve anything in that scheme, we are glad to listen to your recommendations.


@pietrushnic Can you think of a reason mine would look like this? I have the other keys imported.

gpg --list-sigs "Dasharo Tools Suite"
pub   rsa4096/0x69C1B19860C5167B 2023-03-29 [SCA] [expires: 2024-03-28]
      74DFCE2041B21EC2F316D65469C1B19860C5167B
uid                   [ unknown] Dasharo Tools Suite open-source software release 1.2.x signing key
sig 3        0x69C1B19860C5167B 2023-03-29  Dasharo Tools Suite open-source software release 1.2.x signing key
sub   rsa4096/0x893AE238F425A664 2023-03-29 [E] [expires: 2024-03-28]
sig          0x69C1B19860C5167B 2023-03-29  Dasharo Tools Suite open-source software release 1.2.x signing key

We continue the discussion about this problem on Dasharo Matrix. The key questions are:

  • What is the hash of this public key?
  • Where did you get it?
  • What is your version of gpg?

We will try to resolve things directly on Matrix and return with a summary. TBH, I have no idea how this is possible. This is a disposable qube (no networking) with files downloaded from 3mdeb-secpack in another VM:

my-new-qube% sha256sum ~/QubesIncoming/work/dasharo-tools-suite-open-source-software-release-1.2.x-signing-key-pub.asc 
813a7afc487a41a43506d3b50346c52bf9b2b0f73ef5d2e9099e359a123b3a26  /home/user/QubesIncoming/work/dasharo-tools-suite-open-source-software-release-1.2.x-signing-key-pub.asc
my-new-qube% gpg --import ~/QubesIncoming/work/dasharo-tools-suite-open-source-software-release-1.2.x-signing-key-pub.asc 
gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: key 69C1B19860C5167B: 1 signature not checked due to a missing key
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key 69C1B19860C5167B: public key "Dasharo Tools Suite open-source software release 1.2.x signing key" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
my-new-qube% gpg --list-sigs Dasharo
pub   rsa4096 2023-03-29 [SCA] [expires: 2024-03-28]
      74DFCE2041B21EC2F316D65469C1B19860C5167B
uid           [ unknown] Dasharo Tools Suite open-source software release 1.2.x signing key
sig 3        69C1B19860C5167B 2023-03-29  Dasharo Tools Suite open-source software release 1.2.x signing key
sig          ABE1D0BC66278008 2023-03-29  [User ID not found]
sub   rsa4096 2023-03-29 [E] [expires: 2024-03-28]
sig          69C1B19860C5167B 2023-03-29  Dasharo Tools Suite open-source software release 1.2.x signing key

my-new-qube% sha256sum ~/QubesIncoming/work/3mdeb-dasharo-master-key.asc 
21fe29600d1aecc7e856dea57ffb15739e4fa43ee92daf3966228d2eed7d1f1d  /home/user/QubesIncoming/work/3mdeb-dasharo-master-key.asc
my-new-qube% gpg --import ~/QubesIncoming/work/3mdeb-dasharo-master-key.asc 
gpg: key ABE1D0BC66278008: 1 signature not checked due to a missing key
gpg: key ABE1D0BC66278008: public key "3mdeb Dasharo Master Key" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
my-new-qube% gpg --list-sigs Dasharo                                       
pub   rsa4096 2023-03-29 [SCA] [expires: 2024-03-28]
      74DFCE2041B21EC2F316D65469C1B19860C5167B
uid           [ unknown] Dasharo Tools Suite open-source software release 1.2.x signing key
sig 3        69C1B19860C5167B 2023-03-29  Dasharo Tools Suite open-source software release 1.2.x signing key
sig          ABE1D0BC66278008 2023-03-29  3mdeb Dasharo Master Key
sub   rsa4096 2023-03-29 [E] [expires: 2024-03-28]
sig          69C1B19860C5167B 2023-03-29  Dasharo Tools Suite open-source software release 1.2.x signing key

pub   rsa4096 2021-02-03 [SC] [expires: 2026-02-02]
      0D5F6F1DA800329EB7C597A2ABE1D0BC66278008
uid           [ unknown] 3mdeb Dasharo Master Key
sig 3        ABE1D0BC66278008 2021-02-03  3mdeb Dasharo Master Key
sig          4AFD81D97BD37C54 2021-02-03  [User ID not found]
sub   rsa4096 2021-02-03 [E] [expires: 2026-02-02]
sig          ABE1D0BC66278008 2021-02-03  3mdeb Dasharo Master Key

gpg version 2.2.27
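
Added example, not part of any post above and not 3mdeb tooling: the listings in this thread differ only in the certification line from ABE1D0BC66278008, so the hypothetical helper `classify_cert` below reads `gpg --list-sigs` text and separates "certification absent from this copy of the key" from "certification present but the signer's key is not imported". The three inputs are trimmed copies of the listings quoted in the thread.

```shell
#!/usr/bin/env bash
# classify_cert KEY SIGNER  (hypothetical helper; reads `gpg --list-sigs` text on stdin)
# KEY and SIGNER are long key IDs. Prints one of:
#   listed | listed-signer-missing | absent | key-not-found
classify_cert() {
  awk -v key="$1" -v signer="$2" '
    { gsub(/0x/, "") }                                # tolerate 0x-prefixed key IDs
    $1 == "pub" { want_fpr = 1; in_key = 0; next }    # fingerprint is on the next line
    want_fpr    { want_fpr = 0
                  if (substr($1, length($1) - length(key) + 1) == key) { in_key = 1; seen = 1 }
                  next }
    $1 == "sub" { in_key = 0 }                        # only user-ID certifications count
    in_key && $1 == "sig" {
      for (i = 2; i <= 3; i++) if (($i "") == (signer "")) {
        state = index($0, "[User ID not found]") ? "listed-signer-missing" : "listed"
      }
    }
    END { print (!seen ? "key-not-found" : (state ? state : "absent")) }
  '
}

# Listing posted by the user: only the self-signature is attached.
USER_COPY='pub   rsa4096/0x69C1B19860C5167B 2023-03-29 [SCA] [expires: 2024-03-28]
      74DFCE2041B21EC2F316D65469C1B19860C5167B
uid                   [ unknown] Dasharo Tools Suite open-source software release 1.2.x signing key
sig 3        0x69C1B19860C5167B 2023-03-29  Dasharo Tools Suite open-source software release 1.2.x signing key'

# Disposable qube, before the Dasharo master key was imported.
FRESH_QUBE='pub   rsa4096 2023-03-29 [SCA] [expires: 2024-03-28]
      74DFCE2041B21EC2F316D65469C1B19860C5167B
uid           [ unknown] Dasharo Tools Suite open-source software release 1.2.x signing key
sig 3        69C1B19860C5167B 2023-03-29  Dasharo Tools Suite open-source software release 1.2.x signing key
sig          ABE1D0BC66278008 2023-03-29  [User ID not found]'

# Same qube, after importing 3mdeb-dasharo-master-key.asc.
AFTER_IMPORT='pub   rsa4096 2023-03-29 [SCA] [expires: 2024-03-28]
      74DFCE2041B21EC2F316D65469C1B19860C5167B
uid           [ unknown] Dasharo Tools Suite open-source software release 1.2.x signing key
sig 3        69C1B19860C5167B 2023-03-29  Dasharo Tools Suite open-source software release 1.2.x signing key
sig          ABE1D0BC66278008 2023-03-29  3mdeb Dasharo Master Key'

RELEASE=69C1B19860C5167B; MASTER=ABE1D0BC66278008
for listing in "$USER_COPY" "$FRESH_QUBE" "$AFTER_IMPORT"; do
  printf '%s\n' "$listing" | classify_cert "$RELEASE" "$MASTER"
done
```

`gpg --list-sigs` prints certifications without verifying them; once both keys are imported, `gpg --check-sigs` performs the cryptographic check.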