Date: Wed, 20 Jun 2018 13:19:39 -0700 From: "Simon J. Gerraty" <sjg@juniper.net> To: Xin LI <delphij@gmail.com> Cc: "Jonathan T. Looney" <jtl@freebsd.org>, Conrad Meyer <cem@freebsd.org>, <stevek@freebsd.org>, "src-committers@freebsd.org" <src-committers@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, "svn-src-head@freebsd.org" <svn-src-head@freebsd.org>, <sjg@juniper.net> Subject: Re: svn commit: r335402 - head/sbin/veriexecctl Message-ID: <11191.1529525979@kaos.jnpr.net> In-Reply-To: <CAGMYy3sU0gLLfN%2BpWMhkOANvjv_jnGnwT%2BbapM%2BKBuj1VQoUAQ@mail.gmail.com> References: <201806200108.w5K18sIR050132@repo.freebsd.org> <CAG6CVpV124ze%2BY6xX2ZFqbM%2B3hJNEJWR2qpnChpey=PmiW6qXg@mail.gmail.com> <CADrOrmuhBAe0kZQ3vxAbKNCUUWKnaPgZRz8DeRQy1QSOp_y5bw@mail.gmail.com> <CAGMYy3sU0gLLfN%2BpWMhkOANvjv_jnGnwT%2BbapM%2BKBuj1VQoUAQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Xin LI <delphij@gmail.com> wrote: > I do agree with others that SHA-1 support should not be included It can certainly be disabled by default. > (unless I have missed something, but I think firmware integrity check > counts as a "Digital signature" verification, according to SP 800-131A A "Digital signature" verification is an accepted form of firmware integrity check, but a simple hash (inlcuding SHA-1) is also acceptible. We of course perform both - and the Digital signature does *not* use SHA-1, it has been deprecated for that purpose for some years now. > "9 Hash algorithms", SHA-1 verification should only be used for legacy > usage, which does not apply on FreeBSD because this is new feature). I've managed to get out of having to memorize all those SP's, so will check with one of the pour souls who still does - as to whether we are claiming "legacy" status... > But even that, given the code only impacts systems that have it > explicitly compiled in, it's reasonable to give the committer more > time to make further improvements rather than reverting it as a whole > as this would give the code more exposure. Indeed - thanks --sjg
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?11191.1529525979>