From owner-svn-src-head@freebsd.org  Wed Jun 20 03:52:31 2018
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0E6621022E88;
 Wed, 20 Jun 2018 03:52:31 +0000 (UTC)
 (envelope-from cse.cem@gmail.com)
Received: from mail-io0-f171.google.com (mail-io0-f171.google.com
 [209.85.223.171])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 98B4684FD6;
 Wed, 20 Jun 2018 03:52:30 +0000 (UTC)
 (envelope-from cse.cem@gmail.com)
Received: by mail-io0-f171.google.com with SMTP id k3-v6so2227696iog.3;
 Tue, 19 Jun 2018 20:52:30 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:reply-to:in-reply-to:references
 :from:date:message-id:subject:to:cc:content-transfer-encoding;
 bh=E73/qX4afXQbjt7/JWnJHhw673GlqbY02pq1KVEv7Ps=;
 b=TSnoOiETYWDEsSgtZohwONYfjweXXPalDzBySq98IrBKg26ZKp+ttgyMKFhLJC4/hy
 OdolgfPr6urkCYNPf8v8qIfNFihloysbglUNPg5OzTbq2uKIYPl6KXpsjvg5gUshc4nV
 cB2IQntAfdr8vADoxRrMv5+0fTx89HEE5QuQNoaBGzPf/8Kutkbdo1HG3R8Oj1DzSixP
 qiviyB/k1aNixxckFjoWMxx0VuS7VF+qe1QfrfcIhM11DhEH1tzsColfjmarpEMwayyS
 DN2jjnwC9+egeR6vj+Sph26WMwa+tYYc7SOgN9DzPRmSy4FipEUXqWMJIw/l3tMFKsNo
 AE1Q==
X-Gm-Message-State: APt69E2rAnt8xSqgMRTlN8v8VXhNzRWesIvSfDuaZ1GB3vkZFrYxsdhX
 TLKSi20dbKKFYZhVBcUDr5+Su+J4
X-Google-Smtp-Source: ADUXVKITiILL3RdFwqMVkQITKDoKkF9ETk75TX0wLR4cLmzYDUufsLBsnSTZ+un3kCRiwmWeiRn7Vg==
X-Received: by 2002:a6b:c309:: with SMTP id
 t9-v6mr16323229iof.157.1529466327841; 
 Tue, 19 Jun 2018 20:45:27 -0700 (PDT)
Received: from mail-it0-f43.google.com (mail-it0-f43.google.com.
 [209.85.214.43])
 by smtp.gmail.com with ESMTPSA id i193-v6sm662294ioi.38.2018.06.19.20.45.27
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Tue, 19 Jun 2018 20:45:27 -0700 (PDT)
Received: by mail-it0-f43.google.com with SMTP id a195-v6so3514725itd.3;
 Tue, 19 Jun 2018 20:45:27 -0700 (PDT)
X-Received: by 2002:a24:100f:: with SMTP id 15-v6mr263673ity.61.1529466327548; 
 Tue, 19 Jun 2018 20:45:27 -0700 (PDT)
MIME-Version: 1.0
Reply-To: cem@freebsd.org
Received: by 2002:a02:5995:0:0:0:0:0 with HTTP; Tue, 19 Jun 2018 20:45:27
 -0700 (PDT)
In-Reply-To: <CAG6CVpV124ze+Y6xX2ZFqbM+3hJNEJWR2qpnChpey=PmiW6qXg@mail.gmail.com>
References: <201806200108.w5K18sIR050132@repo.freebsd.org>
 <CAG6CVpV124ze+Y6xX2ZFqbM+3hJNEJWR2qpnChpey=PmiW6qXg@mail.gmail.com>
From: Conrad Meyer <cem@freebsd.org>
Date: Tue, 19 Jun 2018 20:45:27 -0700
X-Gmail-Original-Message-ID: <CAG6CVpUrPjJfVh3upvzOqsJdaTfTboyrm36EDN3F3jbXQeOkSA@mail.gmail.com>
Message-ID: <CAG6CVpUrPjJfVh3upvzOqsJdaTfTboyrm36EDN3F3jbXQeOkSA@mail.gmail.com>
Subject: Re: svn commit: r335402 - head/sbin/veriexecctl
To: "cem@FreeBSD.org" <cem@freebsd.org>
Cc: src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, 
 svn-src-head@freebsd.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jun 2018 03:52:31 -0000

I forgot to mention that the kernel code also introduces severe
performance problems due to really pessimal data structures, small IO
sizes, and problematic locking.

Again: please revert and proceed through a round or two of design review.

Thank you,
Conrad

On Tue, Jun 19, 2018 at 8:33 PM, Conrad Meyer <cem@freebsd.org> wrote:
> On Tue, Jun 19, 2018 at 6:08 PM, Stephen J. Kiernan <stevek@freebsd.org> =
wrote:
>> Author: stevek
>> Date: Wed Jun 20 01:08:54 2018
>> New Revision: 335402
>> URL: https://svnweb.freebsd.org/changeset/base/335402
>>
>> Log:
>>   This application (veriexecctl) handles reading a fingerprints file
>
> Hi,
>
> This patchset needed design and code review prior to commit.  It
> appears to have serious problems.
>
> First and foremost: nothing is actually signed, anywhere.  The
> veriexecctl tool parses and tells the kernel to trust a file input.
> But if we don't trust other files on the filesystem, why do we trust
> that one?  There is no embedded signature mechanism proving the hash
> list file is trustworthy.
>
> As a corollary to the above, the name "signature file" is used
> repeatedly in the code, which is misleading.  The file contains hashes
> (digests), not signatures (MACs).  The file itself is unsigned.
> Nothing about this has signatures.
>
> There's absolutely no reason to use sha1 or ripemd in new designs.
> These should be removed.
>
> The patchset is littered with style issues.  One fairly obvious issue
> is mixed indentation styles =E2=80=94 some files vary between space and t=
ab
> indentation from line to line.
>
> Please revert this patchset.  It's not ready.
>
> Some suggestions for a second attempt:
>
> - Maybe use HMACs instead of raw hashes
> - Maybe sign the source-of-trust file
> - Fix the style issues
> - Fix the compiler warnings at 6
>
> Thank you,
> Conrad