Date: Wed, 29 Mar 2017 15:10:52 +0300 From: Peter Pentchev <roam@ringlet.net> To: Eric McCorkle <eric@metricspace.net> Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@FreeBSD.org>, freebsd-security@freebsd.org Subject: Re: Proposal for a design for signed kernel/modules/etc Message-ID: <20170329121052.l6e7ajvvq6yfltpt@office.storpool.com> In-Reply-To: <6f6b47ed-84e0-e4c0-9df5-350620cff45b@metricspace.net> References: <6f6b47ed-84e0-e4c0-9df5-350620cff45b@metricspace.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--2y6ant3anwcqndju Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Mar 27, 2017 at 01:54:44PM -0400, Eric McCorkle wrote: > Hello everyone, >=20 > The following is a design proposal for signed kernel and kernel module > loading, both at boot- and runtime (with the possibility open for signed > executables and libraries if someone wanted to go that route). I'm > interested in feedback on the idea before I start actually writing code > for it. >=20 > =3D=3D Goals =3D=3D >=20 [snip] >=20 > =3D=3D Non-Goals =3D=3D >=20 [snip] >=20 > =3D=3D Existing Solution(s) =3D=3D >=20 [snip] > While functional, this design doesn't meet the goals I outlined: >=20 [snip] > * Finally, the gnupg signature format doesn't actually seem to be > documented anywhere, or at least not anywhere that doesn't require a lot > of digging... Erm, actually, the so-called "gnupg signature format", better known as "the OpenPGP signature format", is pretty well documented in RFC 4880. Note that this remark has no bearing on any of your other arguments, or on your work as a whole; I just wanted to clarify this particular point :) G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@FreeBSD.org pp@storpool.com PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13 --2y6ant3anwcqndju Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEELuenpRf8EkzxFcNUZR7vsCUn3xMFAljbpEwACgkQZR7vsCUn 3xOT7w/+Ico4GO6e9BFic2UJs4n3cgyo/tzEwbV+JZ75w5uhPHeBmxsQo6q49Bbu JaCas1w7mPpDIiKK5oBLUTDVSEsHyDfBfBQn6yY7qax/pehi8EAAmxy6cLBj5LNL 4BJUrUbGlJVWe4Y/kxFiCxUhkDYTHzJTv7G2BsQeH/xGDhAnXtcNs7TSpxuTrUK8 jimOKLWNmxUPLuxTPIDuVmzV6nXFc7wrrdiqWOyaxOG7t16auuaou0OHIs0PBxND ZIXh5OBXQWhIW1DhQBTx5Anmi6oihOzeQSw1Ppt7OMoIbpZVwX+y8VYW6NFDCa9H 1xuLdqsxnMGuUsZw0QAgEfnEU7oFXnmhjcGLFL0AOabk2vP820bLhWNYefBDXlFw WYW677hrpCnNMT8SphUE4uHURJ93RnSudwRQVpkb6pdRAUr2iIOx3R6gsqJhs7gU HiUzoiiMhcizKyXRjrYLDL131HD1fCXwk967I7ggcDccfJ3v0FWblacMYsfRy8mT yS6234vL10tRkFMifQ65s5EVzsfiTUxYJubJhnGBqDWhiWrpytqQogRtgYqBbp3t zimxG8/jZ/h6eM+BeQuEdz9qqCwCa+Y+fUhV3SA7UEhpJKW3fXkKB6sFTagVjTyD 1pfQ7iUySFdnDDmMvOd/SJFU5jYfWRPUMy38iXD90T4jUSYtd54= =aH/a -----END PGP SIGNATURE----- --2y6ant3anwcqndju--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170329121052.l6e7ajvvq6yfltpt>