From owner-freebsd-security@freebsd.org Mon Feb 3 13:57:14 2020
Date: Mon, 3 Feb 2020 13:57:10 +0000
From: Glen Barber <gjb@freebsd.org>
To: Nathan Dorfman
Cc: freebsd-security@freebsd.org
Subject: Re: Cryptographic signatures of installer sets
Message-ID: <20200203135710.GK9584@FreeBSD.org>
In-Reply-To: <20200201233420.GA18@rtfm.net>
References: <20200125200007.GA11@rtfm.net> <20200127164201.GB9584@FreeBSD.org> <20200130005006.GA13@e398a4ce8009> <20200130132239.GG9584@FreeBSD.org> <20200201233420.GA18@rtfm.net>
On Sat, Feb 01, 2020 at 11:34:20PM +0000, Nathan Dorfman wrote:
> On Thu, Jan 30, 2020 at 01:22:39PM +0000, Glen Barber wrote:
> > I honestly wasn't aware there was a jail subcommand to bsdinstall.
> > I think, rather than creating /usr/freebsd-dist on the host system, we
> > should instead check if the misc/freebsd-release-manifests package is
> > installed and bail if it is not. This package contains the MANIFEST
> > files from past releases (and in-progress releases, including BETA and
> > RC builds).
> >
> > Does that seem like a reasonable solution?
>
> Well, that only works for actual releases. The one from the installation
> medium would work in all cases, such as if one installs a snapshot, or a
> custom build. It would have to be kept up to date by freebsd-update,
> though.
>

There are three problems here. First, if one installs from a snapshot, the
MANIFEST file would only be valid until the next snapshot build. The
second and third problems are somewhat related: the various distribution
sets (base.txz, lib32.txz, etc.) are not updated with each patch release.
(I have been pondering the "right way(tm)" to do this for some time, but
that is more or less orthogonal to the real problem at hand here.) The
other issue is freebsd-update(8) does not work with snapshot builds (from
stable/X or head). But for X.Y-RELEASE, one could use 'bsdinstall jail'
to create the jail, then invoke freebsd-update(8) with the '-b' flag to
the jail location.

> Also, you would need to add logic to select the correct manifest from
> the ones in the package, whereas one from the initial install (and
> freebsd-update) would be the only one. That could be as simple as
> stripping the -p123 suffixes from `uname -r`, but why?
>

I have a patch locally to do just this, but I haven't committed it yet
because I am not entirely fond of the approach, and want to think about
it a bit more.

> FWIW, the /usr/freebsd-dist location can be overridden by setting
> $BSDINSTALL_DISTDIR, but the checksum script[1] will expect to find the
> manifest and sets in the same directory regardless.
>

The patch I have at the moment looks for the MANIFEST (rather, the --)
file in the location they are installed by the misc/freebsd-release-manifests
package.

Glen
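The thread describes two mechanics: the checksum step expects the MANIFEST and the distribution sets in one directory, and the manifest for the running release can be picked by stripping the -pN suffix from `uname -r`. The following added shell example (not code from the thread, bsdinstall, or freebsd-update) does both over a constructed MANIFEST; the tab-separated manifest layout, the sample set contents and the temporary directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from bsdinstall: verify
# distribution sets against a FreeBSD MANIFEST file that sits in the same
# directory as the sets, and pick the manifest for the running release by
# stripping the -pN patch suffix, as the thread suggests. The MANIFEST
# line layout assumed here is "file<TAB>sha256<TAB>nfiles<TAB>name...".
tab=$(printf '\t')

# Portable SHA-256: FreeBSD ships sha256(1), Linux ships sha256sum(1).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# "12.1-RELEASE-p2" -> "12.1-RELEASE"; snapshot strings pass through.
release_of() {
    printf '%s\n' "$1" | sed 's/-p[0-9][0-9]*$//'
}

# Check every set listed in DISTDIR/MANIFEST that is present in DISTDIR.
# Returns 0 if all present sets match their recorded SHA-256, else 1.
verify_sets() {
    distdir=$1 rc=0
    while IFS=$tab read -r set want _rest; do
        [ -f "$distdir/$set" ] || continue
        if [ "$(sha256_of "$distdir/$set")" = "$want" ]; then
            echo "ok:   $set"
        else
            echo "FAIL: $set (checksum mismatch)"; rc=1
        fi
    done < "$distdir/MANIFEST"
    return $rc
}

# Self-contained demo with a constructed set and manifest; returns 0 if
# the intact set verifies and the tampered set is rejected.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed base set\n' > "$d/base.txz"
    printf 'base.txz\t%s\t1\tbase\t"Base system"\ton\n' "$(sha256_of "$d/base.txz")" > "$d/MANIFEST"
    verify_sets "$d" || { rm -rf "$d"; return 1; }
    printf 'tampered\n' >> "$d/base.txz"
    if verify_sets "$d"; then rm -rf "$d"; return 1; fi
    rm -rf "$d"
    return 0
}
```

Run `demo` to see one passing and one failing verification; pointing `verify_sets` at a real distribution directory works the same way as long as the MANIFEST sits beside the sets.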