From owner-freebsd-arch@freebsd.org Thu Aug 31 03:40:55 2017
From: "Simon J. Gerraty" <sjg@juniper.net>
To: Daniel Eischen
CC: Ian Lepore
List: freebsd-arch@freebsd.org (Discussion related to FreeBSD architecture)
Subject: Re: Import BearSSL ? (Adding verification to loader)
Date: Wed, 30 Aug 2017 20:40:50 -0700
Message-ID: <47823.1504150850@kaos.jnpr.net>
References: <44449.1497382261@kaos.jnpr.net> <24256.1504130148@kaos.jnpr.net> <1504132983.56799.90.camel@freebsd.org>
Comments: In-reply-to: Daniel Eischen message dated "Wed, 30 Aug 2017 21:21:20 -0400."

Daniel Eischen wrote:
> >> Background:
> >>
> >> I've been adding what amounts to a mini "verified exec" to the freebsd
> >> loader for use in Junos.
> >>
> >> What this means is that the loader verifies the kernel and all the
> >> modules before loading them, and can reject anything for which a
> >> registered fingerprint (eg. sha1 hash) does not match.
> [ ... ]
> >
> > We need this exact feature (verification of kernel and modules) for an
> > upcoming product at work. Including the library code in contrib
> > certainly sounds attractive to me, too.
> >
> > I wouldn't be surprised if interest in this goes beyond those of us
> > building embedded appliances.
>
> Indeed, why couldn't it be enabled by default for FreeBSD.org
> packaged distribs? Or am I jumping the gun by a few years?

The problem with that boils down to key management.

As an embedded device vendor we totally control the "trust anchors" and
the keys used to sign things.
And absent the signing, this is all pretty pointless.

My loader for example has 3 Juniper root CA certs in its trust store,
which it can use to verify any signature we have generated over the last
10+ years. But it will not accept anything signed by anyone else.

That's perfect for an embedded device, but not exactly useful for a
stock system. That's why I said this is all most likely of interest to
embedded vendors - since the generic case is much harder ;-)

Now, there is absolutely nothing to stop anyone/everyone doing as we
did, and setting up their own X.509 hierarchy, and the signing server we
use (freely available from crufty.net) helps a lot with keeping private
keys private even in a company with 1000's of people signing stuff.

And perhaps FreeBSD.org could sign releases with their own keys. But if
you want to build your own modules you need a way to sign them such that
your loader will accept them.

For something like the loader, an embedded trust-store is a must IMO.
But there's no way you could classify this as a zero effort thing.

Still, with all that said, I currently have the loader defaulting to a
"best effort" mode - where it will attempt to verify everything, but
won't get upset if there is no fingerprint for some file - it will tell
you (unless it was loader.conf - which is more or less expected to be
mutable), though it will not accept a fingerprint mismatch.

This lets me experiment with various platforms etc without bricking lots
of boxes (makes the test folk unhappy). So you can boot using a
verifying loader without everything signed just fine.

The behavior is of course tunable from "off", to "strict".

--sjg
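The "off" / "best effort" / "strict" policy described in the reply above, written out as an added example. This is not code from the mail or from the Junos loader: it models only the decision the loader makes per file (fingerprint present and matching, present but mismatched, or absent) and how each mode treats it. The manifest format (one `<hex sha256>  <path>` per line), the use of sha256 rather than the sha1 mentioned in the thread, the `MUTABLE_FILES` set that exempts loader.conf from the missing-fingerprint warning, and all sample file contents are constructed assumptions for the example.

```python
# Added example (not from the original mail or the Junos loader): a model of the
# "best effort" vs "strict" fingerprint-verification policy described above.
import hashlib
import hmac
from enum import Enum


class Mode(Enum):
    OFF = "off"                  # no verification at all
    BEST_EFFORT = "best-effort"  # verify what has a fingerprint, warn on missing ones
    STRICT = "strict"            # every loaded file must have a matching fingerprint


class Verdict(Enum):
    ACCEPT = "accept"                        # fingerprint present and matches
    ACCEPT_UNVERIFIED = "accept-unverified"  # no fingerprint; allowed in best-effort
    REJECT_MISSING = "reject-missing"        # no fingerprint; refused in strict mode
    REJECT_MISMATCH = "reject-mismatch"      # fingerprint present but does not match


# Assumption: files expected to be edited on the box, so their absence from the
# manifest is not reported even in best-effort mode (loader.conf in the mail).
MUTABLE_FILES = frozenset({"/boot/loader.conf"})


def parse_manifest(text):
    """Parse the constructed manifest format: one '<hex sha256>  <path>' per line."""
    fingerprints = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        fingerprints[path] = digest.lower()
    return fingerprints


def verify(path, data, manifest, mode):
    """Decide whether `data` may be loaded as `path`; return (Verdict, warning)."""
    if mode is Mode.OFF:
        return Verdict.ACCEPT, None
    expected = manifest.get(path)
    if expected is None:
        if mode is Mode.STRICT:
            return Verdict.REJECT_MISSING, f"{path}: no fingerprint registered"
        warning = None if path in MUTABLE_FILES else (
            f"{path}: no fingerprint registered (best effort: loading anyway)")
        return Verdict.ACCEPT_UNVERIFIED, warning
    actual = hashlib.sha256(data).hexdigest()
    # A mismatch is refused in every verifying mode, best-effort included.
    if not hmac.compare_digest(actual, expected):
        return Verdict.REJECT_MISMATCH, f"{path}: fingerprint mismatch"
    return Verdict.ACCEPT, None


# Constructed sample boot set: if_em.ko was altered after its fingerprint was
# registered, if_foo.ko was never registered, and loader.conf is unregistered.
ORIGINAL_IF_EM = b"constructed if_em.ko contents as originally fingerprinted"
BOOT_FILES = {
    "/boot/kernel/kernel": b"constructed kernel image",
    "/boot/kernel/if_em.ko": b"constructed if_em.ko contents, altered afterwards",
    "/boot/kernel/if_foo.ko": b"constructed module nobody registered",
    "/boot/loader.conf": b'kern.maxfiles="65536"\n',
}
MANIFEST_TEXT = "\n".join([
    "# constructed fingerprint manifest",
    hashlib.sha256(BOOT_FILES["/boot/kernel/kernel"]).hexdigest() + "  /boot/kernel/kernel",
    hashlib.sha256(ORIGINAL_IF_EM).hexdigest() + "  /boot/kernel/if_em.ko",
])


def run_loader(mode):
    """Verify every file in BOOT_FILES under `mode`; return {path: Verdict}."""
    manifest = parse_manifest(MANIFEST_TEXT)
    results = {}
    for path, data in BOOT_FILES.items():
        verdict, warning = verify(path, data, manifest, mode)
        results[path] = verdict
        if warning:
            print(f"[{mode.value}] {warning}")
    return results


if __name__ == "__main__":
    for mode in Mode:
        for path, verdict in run_loader(mode).items():
            print(f"[{mode.value}] {path}: {verdict.value}")
```

Running it shows the three outcomes the mail distinguishes: in best-effort mode the unregistered module is loaded with a warning, loader.conf is loaded silently, and the altered module is refused regardless of mode; strict mode additionally refuses both unregistered files. `hmac.compare_digest` is used for the comparison so that the check does not leak timing information about how much of the fingerprint matched.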