Date:      Wed, 20 Jun 2018 11:09:10 -0700
From:      Xin LI <delphij@gmail.com>
To:        "Jonathan T. Looney" <jtl@freebsd.org>
Cc:        Conrad Meyer <cem@freebsd.org>, stevek@freebsd.org,  "src-committers@freebsd.org" <src-committers@freebsd.org>,  "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>,  "svn-src-head@freebsd.org" <svn-src-head@freebsd.org>
Subject:   Re: svn commit: r335402 - head/sbin/veriexecctl
Message-ID:  <CAGMYy3sU0gLLfN%2BpWMhkOANvjv_jnGnwT%2BbapM%2BKBuj1VQoUAQ@mail.gmail.com>
In-Reply-To: <CADrOrmuhBAe0kZQ3vxAbKNCUUWKnaPgZRz8DeRQy1QSOp_y5bw@mail.gmail.com>
References:  <201806200108.w5K18sIR050132@repo.freebsd.org> <CAG6CVpV124ze%2BY6xX2ZFqbM%2B3hJNEJWR2qpnChpey=PmiW6qXg@mail.gmail.com> <CADrOrmuhBAe0kZQ3vxAbKNCUUWKnaPgZRz8DeRQy1QSOp_y5bw@mail.gmail.com>

On Wed, Jun 20, 2018 at 10:58 AM Jonathan T. Looney <jtl@freebsd.org> wrote:
>
> On Tue, Jun 19, 2018 at 8:34 PM Conrad Meyer <cem@freebsd.org> wrote:
>>
>> Please revert this patchset.  It's not ready.
>
>
> I'm not sure I understand the need to revert the patches. They may need some refinement, but they also do provide some functionality upon which you can build the tooling that Simon discussed.
>
> Unless I missed something, this feature only impacts the system when it is specifically compiled in. In cases like that, I think it's reasonable to give the committer some time to refine them in place prior to the code slush/freeze, at which point we can decide what to do.

+1 for all points.

I do agree with others that SHA-1 support should not be included
(unless I have missed something, but I think firmware integrity check
counts as a "Digital signature" verification, according to SP 800-131A
"9 Hash algorithms", SHA-1 verification should only be used for legacy
usage, which does not apply on FreeBSD because this is a new feature).
But even so, given the code only impacts systems that have it
explicitly compiled in, it's reasonable to give the committer more
time to make further improvements rather than reverting it as a whole
as this would give the code more exposure.

Cheers,


