From: Conrad Meyer
Reply-To: cem@freebsd.org
Date: Tue, 19 Jun 2018 20:33:30 -0700
Subject: Re: svn commit: r335402 - head/sbin/veriexecctl
To: "Stephen J. Kiernan"
Cc: src-committers, svn-src-all@freebsd.org, svn-src-head@freebsd.org
In-Reply-To: <201806200108.w5K18sIR050132@repo.freebsd.org>
List-Id: SVN commit messages for the entire src tree (except for "user" and "projects")

On Tue, Jun 19, 2018 at 6:08 PM, Stephen J. Kiernan wrote:
> Author: stevek
> Date: Wed Jun 20 01:08:54 2018
> New Revision: 335402
> URL: https://svnweb.freebsd.org/changeset/base/335402
>
> Log:
> This application (veriexecctl) handles reading a fingerprints file

Hi,

This patchset needed design and code review prior to commit. It appears to have serious problems.

First and foremost: nothing is actually signed, anywhere. The veriexecctl tool parses and tells the kernel to trust a file input. But if we don't trust other files on the filesystem, why do we trust that one? There is no embedded signature mechanism proving the hash list file is trustworthy.

As a corollary to the above, the name "signature file" is used repeatedly in the code, which is misleading. The file contains hashes (digests), not signatures (MACs). The file itself is unsigned. Nothing about this has signatures.

There's absolutely no reason to use sha1 or ripemd in new designs. These should be removed.

The patchset is littered with style issues. One fairly obvious issue is mixed indentation styles: some files vary between space and tab indentation from line to line.

Please revert this patchset. It's not ready.

Some suggestions for a second attempt:

- Maybe use HMACs instead of raw hashes
- Maybe sign the source-of-trust file
- Fix the style issues
- Fix the compiler warnings at 6

Thank you,
Conrad
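Added example to illustrate the "nothing is signed" point in the message above. This is not code from veriexecctl, FreeBSD, or the reply; the manifest format ("<path> sha256 <hex>" per line plus an "hmac-sha256 <hex>" trailer), the key, the paths and the file contents are all constructed for the demo. It shows why a bare hash list proves nothing: whoever can replace a binary can regenerate the list to match, and the loader cannot tell. Adding a keyed tag over the list (the HMAC suggestion) makes a regenerated list unverifiable without the key, and the loader checks the tag before it trusts any entry.

```python
import hashlib
import hmac

# Constructed demo key. Assumed to be available to the verifier (e.g. the
# loader) but NOT to an attacker who can write the verified filesystem.
KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed file contents standing in for real binaries.
GENUINE = {
    "/bin/ls": b"genuine ls binary (constructed)",
    "/sbin/init": b"genuine init binary (constructed)",
}
# Same filesystem after an attacker swaps /bin/ls.
TROJANED = dict(GENUINE, **{"/bin/ls": b"attacker's ls binary (constructed)"})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """Unsigned hash list: one '<path> sha256 <hexdigest>' line per file (assumed format)."""
    return "".join(f"{p} sha256 {sha256_hex(d)}\n" for p, d in sorted(files.items()))


def parse_manifest(text: str) -> dict:
    """Map path -> expected hex digest; blank, comment and trailer lines are skipped."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or line.startswith("hmac-sha256 "):
            continue
        path, alg, digest = line.split()
        if alg != "sha256":
            raise ValueError(f"unsupported algorithm {alg!r}")
        entries[path] = digest
    return entries


def check_files(manifest_text: str, files: dict) -> list:
    """Paths whose content does not match the manifest; [] means everything verified."""
    entries = parse_manifest(manifest_text)
    return [p for p, d in files.items() if entries.get(p) != sha256_hex(d)]


def tag_manifest(body: str, key: bytes) -> str:
    """Append an HMAC-SHA256 trailer computed over the entire body."""
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + f"hmac-sha256 {tag}\n"


def verify_tagged_manifest(text: str, key: bytes) -> str:
    """Check the trailer BEFORE trusting any entry; return the body or raise."""
    head, sep, trailer = text.rstrip("\n").rpartition("\n")
    body = head + sep
    parts = trailer.split()
    if len(parts) != 2 or parts[0] != "hmac-sha256":
        raise ValueError("manifest has no HMAC trailer; refusing to load")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(parts[1], expected):  # constant-time compare
        raise ValueError("manifest HMAC mismatch; refusing to load")
    return body


def demo() -> dict:
    genuine_tagged = tag_manifest(build_manifest(GENUINE), KEY)

    # Attacker replaces /bin/ls and regenerates the unsigned list to match.
    # check_files() finds no mismatch, so the swap goes unnoticed.
    attacker_list = build_manifest(TROJANED)
    unsigned_detects_swap = check_files(attacker_list, TROJANED) != []

    # Without KEY the attacker can only reuse the old trailer, which was
    # computed over the genuine body and no longer verifies.
    forged = attacker_list + genuine_tagged.splitlines()[-1] + "\n"
    try:
        verify_tagged_manifest(forged, KEY)
        tagged_rejects_forgery = False
    except ValueError:
        tagged_rejects_forgery = True

    # The genuine tagged list still verifies and still matches the genuine files.
    body = verify_tagged_manifest(genuine_tagged, KEY)
    tagged_accepts_genuine = check_files(body, GENUINE) == []

    return {
        "unsigned_detects_swap": unsigned_detects_swap,      # False
        "tagged_rejects_forgery": tagged_rejects_forgery,    # True
        "tagged_accepts_genuine": tagged_accepts_genuine,    # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Caveat a reviewer would add to the HMAC route: it only helps if the key is somewhere the attacker cannot read, which a key stored on the same filesystem being verified is not. The other suggestion in the message, signing the source-of-trust file with a private key kept off the host so that only a public key is needed to verify, avoids keeping any secret on the machine at all; the verify-then-trust ordering shown here is the same either way.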