From owner-svn-src-head@freebsd.org  Wed Jun 20 18:09:24 2018
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id EECA31001C94;
 Wed, 20 Jun 2018 18:09:23 +0000 (UTC)
 (envelope-from delphij@gmail.com)
Received: from mail-it0-x230.google.com (mail-it0-x230.google.com
 [IPv6:2607:f8b0:4001:c0b::230])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 68E046B3DE;
 Wed, 20 Jun 2018 18:09:23 +0000 (UTC)
 (envelope-from delphij@gmail.com)
Received: by mail-it0-x230.google.com with SMTP id a3-v6so963950itd.0;
 Wed, 20 Jun 2018 11:09:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc:content-transfer-encoding;
 bh=ZiFLRClMsk4szyaujuHDh9r9UuXc/VZu1vkha2Zj61A=;
 b=h7raXzBf622gxPbz3cyKg/t4AQqHyE+a8fydneQSEIKJWmI3wmc8JJpsu3FwnAvgrJ
 L4o3GcdFTSXUTk5tGbFEUiT2ZzVQLDWMobu3HjLZoH+IA9t9f3cLYtzpACwvF9mJnbU+
 gPT86sqaFXK0Lhf8uALz63I+DrBM6KsHgu/nPim6cWqh4lDBt5/MquLbx3ZJX7cqRr2o
 GyUv0CsuAQbKnoNCCKGMmeb7CEw/DWjBeLi/ROvotWwTEiEfqCjBwnsrnJvIl4dnXsn3
 uwOS8R5MmDKvfQogqb08t95+b5TkLe7Y7Rq4YqdO7nFSkewhURYIgIIT4yaJTXBpsfhS
 Hogw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc:content-transfer-encoding;
 bh=ZiFLRClMsk4szyaujuHDh9r9UuXc/VZu1vkha2Zj61A=;
 b=TCZSsChHc/6jBmHjHyDUMDgKHZK3avBfrTNN9hwXGd97xEKfSJM63XxNUm560EBrmX
 x92im6Z6D/vf926TWS2Hm3hSqR9Fs8DYJ5cXsFOgcIWq3wzO/WR1FyaYcLcGdEM+Dw4R
 DxQMqCNVOSGBniQX+16nbg2bknNCtCIzHGtvn/O5eXgDp0YOMNQXtCE6ndF6hpQlHDhR
 1vn2JehASv6sCmrDC6Nuum5M+QBRBVDoUyO2KsOsG4xbxB5robENpqOm6pvE6Zhf8Wi2
 dr3xBoRiR49c3EHjYR4LJHt7Da/y8hoWq1ikjJ1eb0yotMltTeq7eXZjNGs7DVXLXAxS
 zx2Q==
X-Gm-Message-State: APt69E3kh+L51f6A92B57sCXBc4/Nhln0CSM1AKAkoZ+z9Ykrb9o4+E+
 99Cpic3MCLycCOz8Dg2dIPZ7PqgAE23+DNCltmqEJa+N
X-Google-Smtp-Source: AAOMgpeHLvco/Rtkeo0ELwRP9kDFvMv0O54dEvdQtZ6HE8hvjZ7rHjD4gWX6eIq5WtqB/O1hWbcEBhJXhj13G47eThw=
X-Received: by 2002:a24:ed4a:: with SMTP id
 r71-v6mr2443009ith.53.1529518162186; 
 Wed, 20 Jun 2018 11:09:22 -0700 (PDT)
MIME-Version: 1.0
References: <201806200108.w5K18sIR050132@repo.freebsd.org>
 <CAG6CVpV124ze+Y6xX2ZFqbM+3hJNEJWR2qpnChpey=PmiW6qXg@mail.gmail.com>
 <CADrOrmuhBAe0kZQ3vxAbKNCUUWKnaPgZRz8DeRQy1QSOp_y5bw@mail.gmail.com>
In-Reply-To: <CADrOrmuhBAe0kZQ3vxAbKNCUUWKnaPgZRz8DeRQy1QSOp_y5bw@mail.gmail.com>
From: Xin LI <delphij@gmail.com>
Date: Wed, 20 Jun 2018 11:09:10 -0700
Message-ID: <CAGMYy3sU0gLLfN+pWMhkOANvjv_jnGnwT+bapM+KBuj1VQoUAQ@mail.gmail.com>
Subject: Re: svn commit: r335402 - head/sbin/veriexecctl
To: "Jonathan T. Looney" <jtl@freebsd.org>
Cc: Conrad Meyer <cem@freebsd.org>, stevek@freebsd.org, 
 "src-committers@freebsd.org" <src-committers@freebsd.org>, 
 "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, 
 "svn-src-head@freebsd.org" <svn-src-head@freebsd.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jun 2018 18:09:24 -0000

On Wed, Jun 20, 2018 at 10:58 AM Jonathan T. Looney <jtl@freebsd.org> wrote=
:
>
> On Tue, Jun 19, 2018 at 8:34 PM Conrad Meyer <cem@freebsd.org> wrote:
>>
>> Please revert this patchset.  It's not ready.
>
>
> I'm not sure I understand the need to revert the patches. They may need s=
ome refinement, but they also do provide some functionality upon which you =
can build the tooling that Simon discussed.
>
> Unless I missed something, this feature only impacts the system when it i=
s specifically compiled in. In cases like that, I think its reasonable to g=
ive the committer some time to refine them in place prior to the code slush=
/freeze, at which point we can decide what to do.

+1 for all points.

I do agree with others that SHA-1 support should not be included
(unless I have missed something, but I think firmware integrity check
counts as a "Digital signature" verification, according to SP 800-131A
"9 Hash algorithms", SHA-1 verification should only be used for legacy
usage, which does not apply on FreeBSD because this is new feature).
But even that, given the code only impacts systems that have it
explicitly compiled in, it's reasonable to give the committer more
time to make further improvements rather than reverting it as a whole
as this would give the code more exposure.

Cheers,