From: Cy Schubert
Reply-To: Cy Schubert
To: cem@freebsd.org
Cc: "Stephen J. Kiernan", src-committers, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r335402 - head/sbin/veriexecctl
In-Reply-To: Message from Conrad Meyer of "Tue, 19 Jun 2018 20:33:30 -0700."
Date: Tue, 19 Jun 2018 21:10:32 -0700
Message-Id: <201806200410.w5K4AWAt019385@slippy.cwsent.com>
X-URL: http://www.cschubert.com/

In message , Conrad Meyer writes:
> On Tue, Jun 19, 2018 at 6:08 PM, Stephen J. Kiernan wrote:
> > Author: stevek
> > Date: Wed Jun 20 01:08:54 2018
> > New Revision: 335402
> > URL: https://svnweb.freebsd.org/changeset/base/335402
> >
> > Log:
> >   This application (veriexecctl) handles reading a fingerprints file
>
> Hi,
>
> This patchset needed design and code review prior to commit.  It
> appears to have serious problems.
>
> First and foremost: nothing is actually signed, anywhere.  The
> veriexecctl tool parses and tells the kernel to trust a file input.
> But if we don't trust other files on the filesystem, why do we trust
> that one?  There is no embedded signature mechanism proving the hash
> list file is trustworthy.
>
> As a corollary to the above, the name "signature file" is used
> repeatedly in the code, which is misleading.  The file contains hashes
> (digests), not signatures (MACs).  The file itself is unsigned.
> Nothing about this has signatures.
>
> There's absolutely no reason to use sha1 or ripemd in new designs.
> These should be removed.
>
> The patchset is littered with style issues.  One fairly obvious issue
> is mixed indentation styles — some files vary between space and tab
> indentation from line to line.
>
> Please revert this patchset.  It's not ready.
>
> Some suggestions for a second attempt:
>
> - Maybe use HMACs instead of raw hashes
> - Maybe sign the source-of-trust file
> - Fix the style issues
> - Fix the compiler warnings

at 6 - i386 format issues, build failures in multiple places

--
Cheers,
Cy Schubert
FreeBSD UNIX:    Web:  http://www.FreeBSD.org

	The need of the many outweighs the greed of the few.
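Worked example added here by the editor; it is not veriexecctl code and not from anyone in this thread. It shows the circular-trust problem Conrad describes (a hash manifest that is itself an unauthenticated file on the same filesystem) and the HMAC remedy he suggests. The manifest line format ("path algo hexdigest"), the out-of-band key and the file contents are all constructed assumptions.

```python
# Added example (not veriexecctl code); manifest format 'path algo hexdigest' is assumed.
import hashlib
import hmac

ALLOWED_DIGESTS = {"sha256", "sha512"}   # sha1 and ripemd160 deliberately excluded
# Assumption: the MAC key is provisioned out of band (e.g. loader/kernel side),
# so whoever can rewrite the filesystem still cannot re-MAC a modified manifest.
MANIFEST_KEY = b"constructed-key-not-stored-on-the-filesystem"


def parse_manifest(text):
    """Parse manifest lines into {path: (algo, hexdigest)}; reject weak algorithms."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        path, algo, digest = line.split()
        if algo not in ALLOWED_DIGESTS:
            raise ValueError(f"{path}: digest algorithm {algo} not allowed")
        entries[path] = (algo, digest.lower())
    return entries


def files_match(entries, files):
    """True when every listed file's digest matches (hash-only check, no trust root)."""
    for path, (algo, digest) in entries.items():
        actual = hashlib.new(algo, files[path]).hexdigest()
        if not hmac.compare_digest(actual, digest):
            return False
    return True


def manifest_mac(text, key=MANIFEST_KEY):
    """HMAC-SHA256 over the raw manifest text; this is what makes the manifest trusted."""
    return hmac.new(key, text.encode(), "sha256").hexdigest()


def load_trusted(text, mac_hex, files):
    """Accept the manifest only if its MAC verifies, then check the files against it."""
    if not hmac.compare_digest(manifest_mac(text), mac_hex):
        return False   # manifest altered, or never authenticated by the key holder
    return files_match(parse_manifest(text), files)


# Constructed scenario: legitimate binary, its manifest, and the manifest's MAC.
GOOD = {"/bin/tool": b"good binary"}
GOOD_MANIFEST = f"/bin/tool sha256 {hashlib.sha256(GOOD['/bin/tool']).hexdigest()}\n"
GOOD_MAC = manifest_mac(GOOD_MANIFEST)

# Constructed tamper case: the binary is replaced AND the manifest rewritten to match.
# A hash-only check accepts this; the MAC check rejects it because the key is absent.
EVIL = {"/bin/tool": b"evil binary"}
EVIL_MANIFEST = f"/bin/tool sha256 {hashlib.sha256(EVIL['/bin/tool']).hexdigest()}\n"
```

The hash-only `files_match` passes for the rewritten manifest, while `load_trusted` fails for it: the digests prove nothing unless the manifest itself is authenticated by something not writable from the same filesystem.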