Date: Thu, 6 Sep 2012 09:45:14 -0700
From: David O'Brien <obrien@FreeBSD.org>
To: Doug Barton <dougb@FreeBSD.org>
Cc: Arthur Mesh <arthurmesh@gmail.com>, freebsd-security@FreeBSD.org, freebsd-rc@FreeBSD.org, Mark Murray <markm@FreeBSD.org>
Subject: Re: svn commit: r239598 - head/etc/rc.d
Message-ID: <20120906164514.GA14757@dragon.NUXI.org>
In-Reply-To: <50468326.8070009@FreeBSD.org>
References: <201208222337.q7MNbORo017642@svn.freebsd.org> <5043E449.8050005@FreeBSD.org> <20120904220126.GA85339@dragon.NUXI.org> <50468326.8070009@FreeBSD.org>
On Tue, Sep 04, 2012 at 03:39:34PM -0700, Doug Barton wrote:
> Regarding your changes in r240108:
>
> 1. Adding kenv to the mix is probably a good idea, however the output of
> the ps command won't be the same both times it is run, which is why it
> was in there twice.

Doug,

Have you actually looked at the 'ps' output from the two runs from within
'initrandom'? I have. On my test system I got 1608 bytes of output on 24
well structured lines. The two runs differed so little (only 5 lines) that
about all you could claim is that it might add 1 bit of entropy. But the
search space to find the differences given the first run is so minimal I
don't see that it adds any real value. You should be suggesting totally
different commands to run that will provide better than a second run of
'ps'.

> I'll have to give the kenv output a look. I would
> also like to confirm that it's available on all platforms.

Geez, I'm not that stupid. Do you see any guards within bin/Makefile that
only build it for some architectures? I verified we have it on MIPS, ARM,
and PowerPC and it gives some output. It does not give as much
system-specific output as on x86 -- I wish it did, but the output can be
rather unique on x86, so it is worth including.

> 2. I'm not sure I like the change from cat'ing /bin/ls to the hash of
> the kern.bootfile output. Given that most users stick with the GENERIC
> kernel or the same custom kernel on multiple machines I'm not confident
> that there will be a statistically significant difference in the amount
> of entropy between the 2,

Vs /bin/ls? We have a chapter in the handbook on building your own kernel
[http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html].
Do we have a chapter on building a custom /bin/ls? A kernel build is a
combination of 946 knobs. /bin/ls has 1, leading to two different results.
So you really think there is more chance that /bin/ls will vary between two
installations of the same version of FreeBSD?

You don't believe most users use the same /bin/ls across multiple machines?

> 3. Given that we're running the same set of commands at each boot, it's
> not clear to me how changing the order helps, but I don't necessarily
> disagree with that change.

It's the same point that Ian Lepore made about variance. Also
http://www.cs.auckland.ac.nz/~pgut001/pubs/usenix98.pdf page 9.
[usenix98.pdf is one of the yarrow paper's references]

> Thanks. In case it's not clear, please hold off on any further changes
> until we have a better consensus on what the changes should be.

The commit was 15 days ago, and it's been 4 days since you started this
thread. At this point you're the only one that has spoken up against the
changes. Arthur and I have provided you our reasoning. I've provided
references, pointed out the code, discussed my changes and reasoning with
multiple security professionals at $WORK where we make products based on
FreeBSD and have FIPS-140 Level 2 certificates[*]. I will only wait but so
much longer before I feel there is near-unanimous consensus.

-- 
-- David (obrien@FreeBSD.org)

[*] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
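The argument above turns on a measurable question: how many lines of a second 'ps' run are actually new relative to the first? The script below is an added example, written for this page and not taken from the thread or from FreeBSD's etc/rc.d; it counts the lines of a second capture that do not appear in the first and reports them against the total. The two sample 'ps' captures embedded in it and the temp file names are constructed for the demonstration; 'measure_live' is an assumed helper name and runs whatever command it is given twice on the local system.

```shell
#!/bin/sh
# Added example; this is not code from the thread or from FreeBSD's rc.d.
# It measures the question argued above for 'ps': how many lines of a
# second run of a command are new relative to the first run. If only a few
# lines change, the second run adds little that could not be predicted from
# the first. The sample 'ps' captures and temp file names are constructed.

tmpdir=${TMPDIR:-/tmp}

# count_new_lines A B: number of lines in file B that do not appear in
# file A (byte-exact comparison, order ignored).
count_new_lines() {
    LC_ALL=C sort "$1" > "$tmpdir/cnl_a.$$"
    LC_ALL=C sort "$2" > "$tmpdir/cnl_b.$$"
    LC_ALL=C comm -13 "$tmpdir/cnl_a.$$" "$tmpdir/cnl_b.$$" | wc -l | tr -d ' '
    rm -f "$tmpdir/cnl_a.$$" "$tmpdir/cnl_b.$$"
}

# count_lines FILE: total number of lines, for reporting a ratio.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# compare_runs A B: prints "new/total" for the second capture.
compare_runs() {
    echo "$(count_new_lines "$1" "$2")/$(count_lines "$2")"
}

# demo_constructed: two hand-written 'ps' captures (constructed sample
# data). Only the CPU time of syslogd and the PID of the ps process itself
# differ between them.
demo_constructed() {
    a="$tmpdir/ps_run1.$$"
    b="$tmpdir/ps_run2.$$"
    cat > "$a" <<'EOF'
  PID TT  STAT    TIME COMMAND
    1  -  ILs  0:00.02 /sbin/init --
   22  -  Is   0:00.00 /usr/sbin/syslogd -s
   30 v0  R+   0:00.01 ps -fauxww
EOF
    cat > "$b" <<'EOF'
  PID TT  STAT    TIME COMMAND
    1  -  ILs  0:00.02 /sbin/init --
   22  -  Is   0:00.01 /usr/sbin/syslogd -s
   31 v0  R+   0:00.01 ps -fauxww
EOF
    compare_runs "$a" "$b"
    rm -f "$a" "$b"
}

# measure_live CMD...: run CMD twice back to back and compare the captures.
# Assumed helper name; any command line can be passed in.
measure_live() {
    a="$tmpdir/live1.$$"
    b="$tmpdir/live2.$$"
    "$@" > "$a" 2>/dev/null || true
    "$@" > "$b" 2>/dev/null || true
    compare_runs "$a" "$b"
    rm -f "$a" "$b"
}

case "${1:-}" in
    live) echo "live ps: $(measure_live ps -A -o pid,time,comm) lines new in second run" ;;
    *)    echo "constructed sample: $(demo_constructed) lines new in second run" ;;
esac
```

Run with no arguments to see the constructed sample (2 of 4 lines new), or with 'live' to compare two real back-to-back runs of 'ps -A -o pid,time,comm' on the current host. The count is an upper bound on what the second run could contribute: it says how many lines changed, not how unpredictable the changes were, which is exactly the point made above about the search space being small once the first run is known.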