Date: Thu, 5 Jul 2018 13:48:07 -0400
From: "Stephen J. Kiernan" <stevek@freebsd.org>
To: cem@freebsd.org
Cc: "freebsd-arch@freebsd.org" <arch@freebsd.org>
Subject: Re: Veriexec
Message-ID: <CAEm%2B2uWJTyF1QyYraGxNS3TpJNPyT0hMnsVAXj%2BUSayH%2BJi4nA@mail.gmail.com>
In-Reply-To: <CAG6CVpW3xL5pmiU91WgzXKram7ogMYNzBF3a-ggaXjkD3fMbWw@mail.gmail.com>
References: <CAG6CVpW3xL5pmiU91WgzXKram7ogMYNzBF3a-ggaXjkD3fMbWw@mail.gmail.com>
On Tue, Jul 3, 2018 at 7:09 PM, Conrad Meyer <cem@freebsd.org> wrote:

> Hi,
>
> It's been two weeks since this went in broken. What's the status?
> Has any progress been made on fixing the glaring issues?
>
> (If any fixes have been committed since the initial code dump I
> complained about two weeks ago, I must have missed them.)
>
> I agree that perfect should not be the enemy of "good enough," but I
> don't believe what's in the tree is "good enough."
>

The backout commits for the veriexecctl bits (r335681) and the hooks into
the build to compile the kernel modules (r335682) happened on 26 Jun 2018.

I never really liked veriexecctl to begin with, but wanted to give people
something to be able to load fingerprints with in order to try things out.
Especially since there was ongoing discussion about how to provide a signed
manifest or similar method (which is what Simon is working on) that folks
could add their own trust store material to. The intention was then to have
veriexecctl go away.

However, veriexecctl, as it was, did not have much practical use and could
provide a false sense of security, so it was better to just purge it.

There's work in progress on fixing the issues with the meta-data store and
its use. However, family obligations and work have been taking up time.

-Steve