From owner-freebsd-arch@freebsd.org Fri Oct 27 01:34:07 2017 Return-Path: Delivered-To: freebsd-arch@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 24344E5846F; Fri, 27 Oct 2017 01:34:07 +0000 (UTC) (envelope-from sjg@juniper.net) Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0119.outbound.protection.outlook.com [104.47.37.119]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (Client CN "mail.protection.outlook.com", Issuer "Microsoft IT SSL SHA2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id BA29371779; Fri, 27 Oct 2017 01:34:06 +0000 (UTC) (envelope-from sjg@juniper.net) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=a3iXHARXdmkUNqnkCZOFCSt/nCVDC/ON2liKbDUhM3c=; b=X0lNtI/r3h9XlbrMX24PfXZq5HXzEYZ8+FxxCuaxRAJhWQN1ZifHIe1Yv54cRMie+GGoAFycK0OUcVrkK4db82bcGjlEjxaSvetcSj+428UqD2qz0XOLSWh3rGfo5zzhPdg5SJxbqWRpHLkT4xiUL57SWnr810KaG/qOAuj51ao= Received: from SN1PR05CA0033.namprd05.prod.outlook.com (10.163.68.171) by MWHPR05MB3613.namprd05.prod.outlook.com (10.174.251.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.197.4; Fri, 27 Oct 2017 01:34:04 +0000 Received: from DM3NAM05FT023.eop-nam05.prod.protection.outlook.com (2a01:111:f400:7e51::203) by SN1PR05CA0033.outlook.office365.com (2a01:111:e400:5197::43) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.197.4 via Frontend Transport; Fri, 27 Oct 2017 01:34:04 +0000 Authentication-Results: spf=softfail (sender IP is 66.129.239.12) smtp.mailfrom=juniper.net; freebsd.org; dkim=none (message not signed) header.d=none;freebsd.org; dmarc=fail action=none header.from=juniper.net; Received-SPF: SoftFail (protection.outlook.com: domain of transitioning juniper.net discourages use of 66.129.239.12 as permitted sender) Received: from p-emfe01a-sac.jnpr.net (66.129.239.12) by DM3NAM05FT023.mail.protection.outlook.com (10.152.98.133) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256) id 15.20.178.5 via Frontend Transport; Fri, 27 Oct 2017 01:34:04 +0000 Received: from p-mailhub01.juniper.net (10.47.226.20) by p-emfe01a-sac.jnpr.net (172.24.192.21) with Microsoft SMTP Server (TLS) id 14.3.123.3; Thu, 26 Oct 2017 18:33:36 -0700 Received: from kaos.jnpr.net (kaos.jnpr.net [172.21.30.60]) by p-mailhub01.juniper.net (8.14.4/8.11.3) with ESMTP id v9R1XZF8009830; Thu, 26 Oct 2017 18:33:35 -0700 (envelope-from sjg@juniper.net) Received: from kaos.jnpr.net (localhost [127.0.0.1]) by kaos.jnpr.net (Postfix) with ESMTP id 38E34385568; Thu, 26 Oct 2017 18:33:36 -0700 (PDT) To: Eric McCorkle CC: "freebsd-arch@freebsd.org" , , "freebsd-hackers@freebsd.org" , Subject: Re: Crypto overhaul In-Reply-To: References: Comments: In-reply-to: Eric McCorkle message dated "Thu, 26 Oct 2017 20:29:08 -0400." From: "Simon J. Gerraty" X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 25.2.1 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <11244.1509068016.1@kaos.jnpr.net> Date: Thu, 26 Oct 2017 18:33:36 -0700 Message-ID: <11245.1509068016@kaos.jnpr.net> X-EOPAttributedMessage: 0 X-MS-Office365-Filtering-HT: Tenant X-Forefront-Antispam-Report: CIP:66.129.239.12; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(346002)(39860400002)(376002)(2980300002)(24454002)(189002)(199003)(5660300001)(97736004)(7116003)(47776003)(221733001)(478600001)(6916009)(69596002)(2950100002)(68736007)(23726003)(356003)(46406003)(117636001)(7126002)(54906003)(2906002)(50466002)(16586007)(2810700001)(316002)(7696004)(189998001)(8936002)(86362001)(81166006)(97756001)(50226002)(81156014)(8676002)(97876018)(305945005)(107886003)(3480700004)(50986999)(77096006)(106466001)(6246003)(105596002)(229853002)(53936002)(55016002)(53416004)(76176999)(6266002)(4326008)(76506005)(9686003)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR05MB3613; H:p-emfe01a-sac.jnpr.net; FPR:; SPF:SoftFail; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-Microsoft-Exchange-Diagnostics: 1; DM3NAM05FT023; 1:tutf51ZBf3DBn0F0xdAT0T/O9bcsviwMU/IwWo/y6qhBYR4P37n4rgyf3/2x6ibpXKk8CSgChHmurVaKY0FSkvj4+KbYWH7Uj3QwU+6jsTBpxQs1OBZY184Mg+oXchZL X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: b4ae7ebb-f6c3-4d14-ba9d-08d51cdacf2d X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(4534020)(4602075)(4627075)(201703031133081)(201702281549075)(2017052603199); SRVR:MWHPR05MB3613; X-Microsoft-Exchange-Diagnostics: 1; MWHPR05MB3613; 3:SzEQvmnn/fXrpC31dGsjM4bqJkTqH4Jx0RkJmW8IQGfaUNeh8gO2BfcYGOF4osg7x5EBULnG9aj3vyMQIhrfcrMBe9IpmouHL4dE25miyBjAW2Kp86Yn9k9X7edqnXxSmjzkjcPr+xcE/uki5MmNspiiQx9EQi34yvWNMp9mdqy/CShhrbyq/tk1DCsxAJpw6g0jYbaJSkUj8syToe7KhfMMn1cUQgIpXDnQP5Bdss6TovnE+F6qkiR1snb23PxSyzS1CY7txSWlfmKd0V5o9GkqffSU7gjUHbgpZyoocbsMCWLdv9FtGOHItSdKkqyCb/XPHYyq201NMVrAiTve5PQH8uEeMMmifwme2rKS4G8=; 25:lQhz+c/mv32WIvtxxESEVTVTHRmUku9r9D7R/3OWQ+wMM3P+q9nYj0nCBJwsyTl7VAVfFdcQdGd/5GLGhy4zuYCsRuPym+yKXr6VZh275tnQIORecVd3+Tg7ddb3ANzm3xXs79GT9LQ2KgiN3NDddhZWt8gLoXYI+zOIIN27f71WStb1Xm1VQAEr4FCLUqgOY3x52ZCnGnF2AFAV5iSqLTE30qpU6BEOJxjYja3V8zCuSmd97vFR+s9INFQ3e8hryjoHuQgO0mHYiq9NzjX73uYHRenBj7fW7042R+ekWkDMGvWk6XQj65nEfYg9ZzDBWFrd85ArykxkSMdoFAqgVQ== X-MS-TrafficTypeDiagnostic: MWHPR05MB3613: X-Microsoft-Exchange-Diagnostics: 1; MWHPR05MB3613; 31:Kn/f9N8byNpr+g9u5pLxswEVJgp4SDSx+GDLICiDnwCQflvco3QZUz41RWObnl6MONd/efr9FbdHciCmX7H8/uLlUN2d5Vx7UMqPP3FlvPUwrDP8yLb60bKf2XqW4I0z5Sv3KPtYl9puKuXQdyRWAlMEHNzrdRdq4F5HpY1WqYE6iKrQa9weQpC0QcdMOWH0p+zGJQGJx/VI/8AXCG5r/mmoR5ZWisc6QuKVbdat3AI=; 20:PUw8E+kC0Iga2m3h4+vTtbyqzTphqpXxP+kxwB13EyKhkzskp8yn7AK05PrVpS5tnwFotMyRo7AVqNoWs6xaSvEH6Ut1wmkJXRzYfqTBl7Y4Ga5AugJoyPdd1DBbK6mVZ2BC3oB8AmPARIjpZny4rCZutK/KTHJUfaGIYwuTNJlnot1h7jOeXvlv1F3yR2ZP1zQivQgLQCKl56VsrbEo8Aq1RJqby2Z/OJj6sHtf5KcjpP9xES3yIaAKBXByBtJ+/uuqxJjSjuT+v5ckr6Bzk8w1eY80Wm07GtF9FDWMlUiHHokr+bvQ7/MM7yibQIIaobhT+cwDkMAOxTm2ZL6XoorClCx2yt4R0+l+rbQojqTh1/idOukNB0dy6EduVvGTkERlB7o2bL82z3NSf4YfgkSR1nB5Dgsv0chVV1EZUn3XO3AAFCcoA5extp+c35JayMJfP8kFrT1lKpT4aLRzQKRNadtcj4SJ5lqGibpUnjpZz5SuYP2Hqv7zwJb01kRs X-Exchange-Antispam-Report-Test: UriScan:(244540007438412); X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(3002001)(3231020)(100000703101)(100105400095)(93006095)(93003095)(10201501046)(6055026)(6041248)(20161123560025)(20161123564025)(20161123558100)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123555025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:MWHPR05MB3613; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:MWHPR05MB3613; X-Microsoft-Exchange-Diagnostics: 1; MWHPR05MB3613; 4:z5SzSYLZNbGliA4tOWtpS6H2o/BhYnOzmwAkqMA30ksXrpYkalZ3XQtnZtESvUwiIViPDszqNGEF52rVBtCmySlLnOuMaSYtAnTgYfrOgS4MBnuw/3+zxb9FNofN9/nBZlYlSelkCEOcfJUsBfXmrItvS73DmysE9cwtkNdpj42H31W/ghph0FaOeP65v/2SFxw4GM9NlRNPo16ijLhhIpBcY2UkirBxCeLFmwRN4zBt23bn13tgHT8VRLtt8xF+vNPWTqVQsKNx3ogvzW4AMQzbj+DlrXDOmck694FDa5WNjxJK8kn8Bv6v50OWT6JS X-Forefront-PRVS: 0473A03F3F X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; MWHPR05MB3613; 23:Ko5e/wNIhH8wAt3VzWt+BZHv94qjBfpaUMs45UkA2?= =?us-ascii?Q?zKKgOWUwk0cEq+B07YDsH4vRFbHxFxSe21wr8Pd4OUGw7qwyYQKOykkIC8Ny?= =?us-ascii?Q?MWZjPPAZKR2SoK2vSFHlVYtH9+VTS0+XAxWqDNWVOTpTW8NN8Nifc9Gc4rNR?= =?us-ascii?Q?fraLNGikDRyXJL3xuHnEWL32sEwFbVE2tmPuhH4GFZUZOVXAKxGMfMPkT/LS?= =?us-ascii?Q?x5loI6zuvUQtNPIvpZAp23zGqF0bSV0e7Nns2XNFdXNVpowBJ1Be2W+qNtC9?= =?us-ascii?Q?xKRz3GWQx0E5J4+I5kcY3GzVilKP884aRbjjxQRdoJba9aARgZLf7piRJZCA?= =?us-ascii?Q?fcRioLDwEa512+bomKDHV78kpje00r3XGeMg8OR/7OOtKVjnGzmmzpICUZnQ?= =?us-ascii?Q?SrYQzio0wfeTRdbEbwR7BDZYKmmjft4w0RTV3WRWlLGCU+/mMBTYmHiGhzWg?= =?us-ascii?Q?PmH43+zUKmMbhSdLLUcEIhE6dUC+/ttN78zvz2YkapU1umJG7lfqfuwwCNSN?= =?us-ascii?Q?zxdb1K0nX/zGTOWJ7r7XnpFxB1kSuFpZUnTLhilRSjlmKXZGAMFmP1+0JaXC?= =?us-ascii?Q?7SzGNxrWe9RQZnnmQFNu/lcwv9F4eDy5WriB/QNC8+3f47mrVDsO8cXBWrJA?= =?us-ascii?Q?NgRm1AHhksLYa8J7nGUiLg9zVOi62hFwG9x6FSeeW2Wyafktde5Rr677BmwK?= =?us-ascii?Q?ZsnxHmonrfcNcKSuzhJuOPeXR5uR6rqK0ziUh58V7ch6MYvslD6gJ2rYuyar?= =?us-ascii?Q?HD5iiNCp1SPb2OLT7QfcIUhB67CreRvcdMfzNsvHsfwtrZTaLsHozYrN8uBZ?= =?us-ascii?Q?chIS3J7t0UgjpChX9VkkizrbogFonPCDg+VucDz6+Sk+mHGsSWdFRNhA9j4Y?= =?us-ascii?Q?uYLaIJTIqfwAhU02XkM2fK+P02dcnchKe82yNG2mhNiXBOI2h4UTzwWt9Wrf?= =?us-ascii?Q?QXBZuy4BzVEdCo1OB6qF99MMjTvM3EFbWWtjmzzVcxSnuOKbhr2pF13OX5zk?= =?us-ascii?Q?cCszbZA+06VYnpXrKA8wHyAYSaqCHM6htW0P+HlvYlJ77y8j77M9etlI+Y8T?= =?us-ascii?Q?61sRDOv8HRyg89WKqW9ORp8SgO5YKxnB2Jk2gpH6KtkZkXaU0nSHbh2/3oO9?= =?us-ascii?Q?OP1/x3ze+NY2HUbgFf5DQ5NZsyWjqnvsrANDPRsuq/cM+e8LiZzHdVwXORzO?= =?us-ascii?Q?Dnji5/xeUeYJ5b00CDDMvZwX9xfDCkxHFt1F7B7UhUw97jQKDZ1b0gsagK6f?= =?us-ascii?Q?P7XX+5znwZ2aj8lQQtNe49NHaGb9e8xfjNGcrw7CG8msttbMqs1TatKT1mWD?= =?us-ascii?Q?7cFcSwQK90DVX33APvEgMk=3D?= X-Microsoft-Exchange-Diagnostics: 1; MWHPR05MB3613; 6:PpuNmw3FLXvvQTF6B+OBJNII8byauNTCcil+B1EJpKVweZkrSTBdmn1F7dUvAbZKxtkUsjBxmajbBVYMebr2aB0XPHL0cKKCF+qEYE74FatvCYzhWYcuoMeS3vmOPk3KdEjj5eVQXQRQwvLYbMBI3HGDlrajayQ+/97g9SmFjwdeAvLlSe8xquIBYB7MT+KU/PHtulotx8Nf3KG/qmN9fuu/roDRa3jTLfaQ/oDhmHtfP7R1lO+e/z+zSZXzUjYVsPOBDsc8vb/vZ5SZWVEcZ7W+EJNAIZzDy4moyNkPXaFyThngKnqQelvE77LGzRf86USncECv1htPEnl8zIM/nRhH3BANSDKGD800e1o5vA0=; 5:RVssx7qCRizlvs9mTrsy66CVfbWz9Lv3SAlD1Cs41Mq/+7810TmlKAYuAyx21/6roOiu8B2wkr4lOG+Ma98gl18Cq/+oRAmLxNshpT4sXE/wPbdHOCFLHP0O2IncwM8uKAQ2Uiy1NVUVrBIwckNhoQwCZfOJf/HclE0AsqvJ8Ow=; 24:XNXfxkBua9xiLjH5t1qigWXLKyeY92sK+RUCgN4tprD3wHKNykFOaORsyXsJ6osWAHTeqY+RiCCY+1hl/6GmtBJySx6rNferidg9iv0rrpE=; 7:VwCmypqcCq6N/UeW+gGvaVq4LzIGFJh8IHto0+/K7Zrl7yUXERY1u1yIKfn8xQzm/SGgIje829+g6eMXJiAxxt9QewSXupq+k60cGUTzp9DSoMEMDPHuMehcvqsvNa3AL/tp5HOcjNMOqEbpevP7qGJcUlF0VSyatQvKR4TBCh+SMoMn7EtuKEsYYWGEQ9CCxhKMNOVkNds99p/Z+mljby+xtX/WsUNiGexTmCMabMthD2FPiLXiPNIb6000Wbim SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-OriginatorOrg: juniper.net X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Oct 2017 01:34:04.3996 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: b4ae7ebb-f6c3-4d14-ba9d-08d51cdacf2d X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4 X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bea78b3c-4cdb-4130-854a-1d193232e5f4; Ip=[66.129.239.12]; Helo=[p-emfe01a-sac.jnpr.net] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR05MB3613 X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Oct 2017 01:34:07 -0000 Eric McCorkle wrote: > * BearSSL's design seemingly lends itself to acting as a userland, > kernel, and bootloader library. On the other hand, it's new (which > means it will need to be reviewed by crypto experts and thoroughly > tested), and has one developer at this point. BearSSL is indeed very new, and review by crypto experts would be most welcome. It works very nicely though for verifying signatures, X.509 cert chains etc - everything I needed for the loader to do verification of modules. And it is *tiny* I think all the verification stuff added about 80-90K to the size of the loader. The author, has been extremely responsive and helpful, nice to work with. The API is very different to OpenSSL so I would not contemplate trying to use it as a replacement for userland crypto lib anytime soon. But for the loader (and kernel if needed) it could be a very good option. FWIW I did not need to touch kernel, since I have the loader verify the kernel and the mdimg it uses for /, thus init etc are also verified before we pass control to kernel.