[Feature] request only : PSBTs to microSD

[mccolister1017]

Export signed PSBTs to microSD , if it's only possible what you guys think ? about that . could be good with SeedSigner OS .

[SeedSigner]

This will definitely be possible with SeedSigner OS, but we haven't made any concrete decisions about whether implementing such will be a priority. For larger PSBTs, it is definitely a more convenient way to move the PSBT back and forth between the signer and coordinator, but using a MicroSD card in that way opens up a bunch of new attack vectors for the device that we'll have to think very carefully about. The first experimental releases of SeedSigner-OS should be coming in a matter of weeks, we'll get a better feel for things as time goes on.

[mccolister1017]

sound fair ok all right

[Semisol]

Okay, so, I have been thinking about the security implications of this for a while, and it is possible to implement this with some restrictions without negatively impacting the security model.

First, we should define "tainted" devices/objects (see taint analysis): something is tainted when it directly observes private key material, or comes into contact with another tainted object except through a controlled, verifiable communication channel (QR codes).

A naive implementation would allow the import and export of PSBTs at any time. This would be problematic, as the following scenario could happen:

• SeedSigner started up
• SD card removed
• Seed is loaded, making the Pi tainted
• SD card with PSBT is inserted, which is now considered tainted
• Signing is done, and the signed PSBT is transmitted via QRs
• The tainted SD card is then re-inserted to the untrusted coordinator host, which is untrusted, to load new PSBTs

Not allowing any SD card operations after a seed is loaded ever (even if it is later removed) would fix this, but there is another security hole:

• SeedSigner started up
• SD card with PSBT is inserted, PSBT is loaded and SD card removed
• Seed is loaded, making the Pi tainted
• Signing is done, and the signed PSBT is transmitted via QRs
• The SeedSigner is restarted to wipe all seeds. The Pi is still tainted, as we cannot trust the restart functionality that is offered by a program that cannot be trusted to erase key material. (it could leave key material in a part of RAM not erased, or pretend to restart)
• SD card with another PSBT is inserted, making the SD card tainted
• ...
• This tainted SD card is re-inserted to the untrusted coordinator host later on to load more PSBTs

This would require an updated list of conditions:

• No seeds must have been loaded, ever, for SD card operations
• This must be a cold boot of the OS, as if it was a warm boot, any key material may linger in RAM, or the reboot could have been faked

The goal with these two requirements is to train the user to use the SD card functionality in a way that does not add additional risk to the SeedSigner security model.

The guardrails could be disabled by a special configuration setting, but this would always weaken the security model.