From owner-freebsd-stable@FreeBSD.ORG Wed May 21 17:37:33 2008
Date: Wed, 21 May 2008 19:37:31 +0200 (CEST)
Message-Id: <200805211737.m4LHbVuX023379@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG
In-Reply-To: <20080403170050.c0110778.torfinn.ingolfsen@broadpark.no>
Subject: Re: Digitally Signed Binaries w/ Kernel support, etc.

Sorry for replying to an old mail here, but there's an important point that was unanswered so far ...
Torfinn Ingolfsen wrote:
> David Schwartz wrote:
> >
> > He would face a chicken and egg problem. To make a signed executable
> > to set his key to be accepted, he would need his key to already be
> > accepted.
>
> Uhm, if the attacker managed to get a hole in the system and get
> in, he / she will surely manage to get the necessary tools (a signed
> binary) onto the system. As an added bonus, this is a binary he
> created himself, so it works with his key.

That wouldn't work. How is he going to sign a binary if he doesn't have the private key? When you set up a system with signed binaries, you usually store the private key somewhere else (on a floppy, USB stick or whatever). Maybe it could even be just a passphrase that only exists in the admin's mind, but not on any physical media. So an attacker _cannot_ create a binary with a valid signature.

Of course, the kernel doesn't contain the private key either, because you only need the public key to verify the signature.

I agree with Peter Wemm: There are legitimate uses for signed binaries.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registergericht Muenchen, HRA 74606, management: secnetix Verwaltungsgesellsch. mbH, commercial register: Registergericht München, HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

"Life is short (You need Python)"
        -- Bruce Eckel, ANSI C++ Committee member, author of "Thinking in C++" and "Thinking in Java"
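The argument in the reply above, as an added example that is not code from the thread or from FreeBSD: the signing host holds the private key, the kernel holds only the public key, and exec-time verification rejects both a tampered image and a binary the attacker signed with a key of his own. The `SignedBinary` type, the sample image bytes and the Ed25519 choice are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedBinary is a constructed stand-in for an executable image plus a
// detached signature over its SHA-256 digest (hypothetical on-disk format).
type SignedBinary struct {
	Image []byte
	Sig   []byte
}

// SignBinary is the step done on the admin's offline signing host: it is the
// only place the private key exists.
func SignBinary(priv ed25519.PrivateKey, image []byte) SignedBinary {
	digest := sha256.Sum256(image)
	return SignedBinary{Image: image, Sig: ed25519.Sign(priv, digest[:])}
}

// KernelAccepts models the exec-time check. It needs only the trusted public
// key, so a compromised host never reveals anything useful for forging.
func KernelAccepts(trusted ed25519.PublicKey, b SignedBinary) bool {
	digest := sha256.Sum256(b.Image)
	return ed25519.Verify(trusted, digest[:], b.Sig)
}

// Scenario plays out the three cases from the thread and reports which
// binaries the kernel would accept.
func Scenario() (legit, attackerKey, tampered bool) {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key
	image := []byte("constructed sample executable image")

	legit = KernelAccepts(adminPub, SignBinary(adminPriv, image))
	// Signed with the attacker's key: valid signature, wrong key, rejected.
	attackerKey = KernelAccepts(adminPub, SignBinary(attackerPriv, []byte("attacker tool")))
	// Legitimately signed, then one byte of the image flipped: rejected.
	t := SignBinary(adminPriv, append([]byte{}, image...))
	t.Image[0] ^= 0x01
	tampered = KernelAccepts(adminPub, t)
	return
}

func main() {
	legit, attackerKey, tampered := Scenario()
	fmt.Println("admin-signed:", legit, "attacker-signed:", attackerKey, "tampered:", tampered)
}
```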