From: "Simon J. Gerraty"
To: Eric McCorkle
CC: Ian Lepore, "freebsd-hackers@freebsd.org"
Subject: Re: Trust system write-up
Date: Mon, 23 Oct 2017 15:53:05 -0700
Message-ID: <72903.1508799185@kaos.jnpr.net>

Eric McCorkle wrote:
> > Any thoughts on how to validate executables which are not elf binaries,
> > such as shell scripts, python programs, etc?
>
> I hadn't really thought in depth about it, as my main initial goal is
> signed kernel/modules, but I have given it some thought...
>
> An alternative is something like the NetBSD veriexec framework, where

Yes, as previously mentioned the verified exec model deals with this
neatly, and btw is more efficient than signing individual files - as is
needed with ELF signing etc.
I think for Linux-based platforms using IMA we need to generate 20-30k+
signatures, vs about a dozen for platforms using verified exec,
verification is also more expensive I'm told.

> there's MACs for specific files. That stuff is mostly orthogonal to the
> public-key approach I'm working on here, but there's possibly some
> interplay.

Yes, you use the public key stuff to sign the manifests containing the
blessed fingerprints. This is what Junos has been doing for more than a
decade.

Your "trust" database might be useful in being able to extend that to
general use. The trust model we use for Junos is deliberately very
restrictive and thus of most use to embedded vendors.
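
The scheme discussed in this message (one public-key signature over a manifest of blessed fingerprints, covering scripts as well as ELF binaries), as an added example that is not part of the original message and is not veriexec or Junos code. The manifest layout, file names and throwaway key are constructed assumptions, and it needs the openssl command-line tool.

```sh
#!/bin/sh
# Added example. Manifest layout, paths and key are constructed for this
# demo; this is not veriexec's or Junos's actual manifest format.

fingerprint() {                 # SHA-256 of file $1, hex only
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

make_manifest() {               # $1 = root dir, rest = paths relative to it
    root=$1; shift
    for f in "$@"; do
        printf '%s sha256=%s\n' "$f" "$(fingerprint "$root/$f")"
    done
}

# Prints ok only if the manifest signature verifies AND the file's current
# hash equals the fingerprint the manifest lists for it.
# $1 = root, $2 = manifest, $3 = signature, $4 = public key, $5 = path
check_file() {
    if ! openssl dgst -sha256 -verify "$4" -signature "$3" "$2" >/dev/null 2>&1; then
        echo manifest-untrusted; return 0
    fi
    want=$(awk -v p="$5" '$1 == p { sub(/^sha256=/, "", $2); print $2 }' "$2")
    if [ -z "$want" ]; then echo not-listed; return 0; fi
    if [ "$(fingerprint "$1/$5")" = "$want" ]; then echo ok; else echo mismatch; fi
}

demo=$(mktemp -d)
mkdir -p "$demo/root/bin"
printf '\177ELF constructed stand-in for a binary\n' > "$demo/root/bin/tool"
printf '#!/bin/sh\necho hello\n' > "$demo/root/bin/hello.sh"
printf '#!/bin/sh\necho extra\n' > "$demo/root/bin/unlisted.sh"

# Throwaway signing key, generated for this demo only.
openssl ecparam -name prime256v1 -genkey -noout -out "$demo/key.pem"
openssl pkey -in "$demo/key.pem" -pubout -out "$demo/pub.pem"

# One signature covers every entry, ELF or script alike.
make_manifest "$demo/root" bin/tool bin/hello.sh > "$demo/manifest"
openssl dgst -sha256 -sign "$demo/key.pem" -out "$demo/manifest.sig" "$demo/manifest"

check() { check_file "$demo/root" "$demo/manifest" "$demo/manifest.sig" "$demo/pub.pem" "$1"; }
check bin/tool            # binary listed in the signed manifest
check bin/hello.sh        # script verified the same way
check bin/unlisted.sh     # present on disk but never blessed
echo 'echo tampered' >> "$demo/root/bin/hello.sh"
check bin/hello.sh        # contents no longer match the fingerprint
```

Adding or changing files means regenerating the manifest and signing it once, rather than producing a signature per file.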