Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 19 Jun 2018 20:33:30 -0700
From:      Conrad Meyer <cem@freebsd.org>
To:        "Stephen J. Kiernan" <stevek@freebsd.org>
Cc:        src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org,  svn-src-head@freebsd.org
Subject:   Re: svn commit: r335402 - head/sbin/veriexecctl
Message-ID:  <CAG6CVpV124ze%2BY6xX2ZFqbM%2B3hJNEJWR2qpnChpey=PmiW6qXg@mail.gmail.com>
In-Reply-To: <201806200108.w5K18sIR050132@repo.freebsd.org>
References:  <201806200108.w5K18sIR050132@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Tue, Jun 19, 2018 at 6:08 PM, Stephen J. Kiernan <stevek@freebsd.org> wr=
ote:
> Author: stevek
> Date: Wed Jun 20 01:08:54 2018
> New Revision: 335402
> URL: https://svnweb.freebsd.org/changeset/base/335402
>
> Log:
>   This application (veriexecctl) handles reading a fingerprints file

Hi,

This patchset needed design and code review prior to commit.  It
appears to have serious problems.

First and foremost: nothing is actually signed, anywhere.  The
veriexecctl tool parses and tells the kernel to trust a file input.
But if we don't trust other files on the filesystem, why do we trust
that one?  There is no embedded signature mechanism proving the hash
list file is trustworthy.

As a corollary to the above, the name "signature file" is used
repeatedly in the code, which is misleading.  The file contains hashes
(digests), not signatures (MACs).  The file itself is unsigned.
Nothing about this has signatures.

There's absolutely no reason to use sha1 or ripemd in new designs.
These should be removed.

The patchset is littered with style issues.  One fairly obvious issue
is mixed indentation styles =E2=80=94 some files vary between space and tab
indentation from line to line.

Please revert this patchset.  It's not ready.

Some suggestions for a second attempt:

- Maybe use HMACs instead of raw hashes
- Maybe sign the source-of-trust file
- Fix the style issues
- Fix the compiler warnings at 6

Thank you,
Conrad

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAG6CVpV124ze%2BY6xX2ZFqbM%2B3hJNEJWR2qpnChpey=PmiW6qXg>