From owner-freebsd-arch@freebsd.org  Thu Jul  5 17:48:16 2018
Return-Path: <owner-freebsd-arch@freebsd.org>
Delivered-To: freebsd-arch@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 41044104207D
 for <freebsd-arch@mailman.ysv.freebsd.org>;
 Thu,  5 Jul 2018 17:48:16 +0000 (UTC)
 (envelope-from hackagadget@gmail.com)
Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org
 [IPv6:2001:1900:2254:206a::50:5])
 by mx1.freebsd.org (Postfix) with ESMTP id 830D78C3DF
 for <freebsd-arch@freebsd.org>; Thu,  5 Jul 2018 17:48:15 +0000 (UTC)
 (envelope-from hackagadget@gmail.com)
Received: by mailman.ysv.freebsd.org (Postfix)
 id 43C4B1042076; Thu,  5 Jul 2018 17:48:15 +0000 (UTC)
Delivered-To: arch@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1FD8C1042070
 for <arch@mailman.ysv.freebsd.org>; Thu,  5 Jul 2018 17:48:15 +0000 (UTC)
 (envelope-from hackagadget@gmail.com)
Received: from mail-oi0-f44.google.com (mail-oi0-f44.google.com
 [209.85.218.44])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id A3E0A8C3D8;
 Thu,  5 Jul 2018 17:48:14 +0000 (UTC)
 (envelope-from hackagadget@gmail.com)
Received: by mail-oi0-f44.google.com with SMTP id b15-v6so18455770oib.10;
 Thu, 05 Jul 2018 10:48:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=tWHeioIyGHR6KTXbEkF4FIEZa01uH9+2q1GDIUraRIA=;
 b=tBZuo5sulK8Ds6UNaUo8pQwujGW1MNJvxT38JCA5z7uEuOFBJzRlSRH2Y6e0WP5uyS
 ZygHmGo/lolVP2lEiEHJfb5RoG4PptOcPOUQZ/O63OL/0XAr/jp09xVHPER5PBA3fHYQ
 AgsZLYO96iWXg0CPL9yJq8bZ55lFQy+LCrCpPtEeYSshm36ErHHo4To5J6NlWeecXnRS
 82kBm7KE83n7OjLgwmAYZkIEkTOlTBZ8I5rvy40LOVxnvV2MQzc3bpNUPuJaoYhiUKcg
 Y4PkbszbFAoTaYCGos5oxm0xFBLeiyobScyl0lVyyiIzXsQ2jnH0POh5i/OJs0i85bM3
 uINg==
X-Gm-Message-State: APt69E3s1EHjuu/uWsQu91i1DCoVFj2pNrrDvFbLeyFXuCm/2A3pNrfb
 3thC14XiLF+S6PoLQ6q0rXAIa9Iz
X-Google-Smtp-Source: AAOMgpdhNWFF10RGTnq1d/D44Wi14MoaQ0vKdnVuJvfHBhj7+mJiFKzGzbjkP0YxTBCf+Tazn6tPAA==
X-Received: by 2002:aca:b1c1:: with SMTP id
 a184-v6mr8690477oif.182.1530812888146; 
 Thu, 05 Jul 2018 10:48:08 -0700 (PDT)
Received: from mail-oi0-f46.google.com (mail-oi0-f46.google.com.
 [209.85.218.46])
 by smtp.gmail.com with ESMTPSA id x64-v6sm3536973oig.44.2018.07.05.10.48.07
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Thu, 05 Jul 2018 10:48:07 -0700 (PDT)
Received: by mail-oi0-f46.google.com with SMTP id c6-v6so18523388oiy.0;
 Thu, 05 Jul 2018 10:48:07 -0700 (PDT)
X-Received: by 2002:aca:ac54:: with SMTP id v81-v6mr7378009oie.1.1530812887678; 
 Thu, 05 Jul 2018 10:48:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:b0e:0:0:0:0:0 with HTTP;
 Thu, 5 Jul 2018 10:48:07 -0700 (PDT)
In-Reply-To: <CAG6CVpW3xL5pmiU91WgzXKram7ogMYNzBF3a-ggaXjkD3fMbWw@mail.gmail.com>
References: <CAG6CVpW3xL5pmiU91WgzXKram7ogMYNzBF3a-ggaXjkD3fMbWw@mail.gmail.com>
From: "Stephen J. Kiernan" <stevek@freebsd.org>
Date: Thu, 5 Jul 2018 13:48:07 -0400
X-Gmail-Original-Message-ID: <CAEm+2uWJTyF1QyYraGxNS3TpJNPyT0hMnsVAXj+USayH+Ji4nA@mail.gmail.com>
Message-ID: <CAEm+2uWJTyF1QyYraGxNS3TpJNPyT0hMnsVAXj+USayH+Ji4nA@mail.gmail.com>
Subject: Re: Veriexec
To: cem@freebsd.org
Cc: "freebsd-arch@freebsd.org" <arch@freebsd.org>
Content-Type: text/plain; charset="UTF-8"
X-Content-Filtered-By: Mailman/MimeDel 2.1.27
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-arch/>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Help: <mailto:freebsd-arch-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jul 2018 17:48:16 -0000

On Tue, Jul 3, 2018 at 7:09 PM, Conrad Meyer <cem@freebsd.org> wrote:

> Hi,
>
> It's been two weeks since this went in broken.  What's the status?
> Has any progress been made on fixing the glaring issues?
>
> (If any fixes have been committed since the initial code dump I
> complained about two weeks ago, I must have missed them.)
>
> I agree that perfect should not be the enemy of "good enough," but I
> don't believe what's in the tree is "good enough."
>

The backout commits for the veriexecctl bits (r335681) and the hooks
into the build to compile the kernel modules (r335682) happened on
26 Jun 2018.

I never really liked veriexecctl to begin with, but wanted to give people
something to be able to load fingerprints with in order to try things out.
Especially since there was ongoing discussion about how provide a
signed manifest or similar method (which is what Simon is working
on) that folks could add their own trust store material to. The intention
was then to have veriexecctl go away. However, veriexecctl, as it was,
did not have much practical use and could provide a false sense of
security, so it was better to just purge it.

There's work in progress on fixing the issues with the meta-data store
and its use. However, family obligations and work has been taking up
time.

-Steve