Date: Mon, 23 Oct 2017 09:44:34 -0700
From: "Simon J. Gerraty" <sjg@juniper.net>
To: Eric McCorkle <eric@metricspace.net>
Cc: <freebsd-arch@freebsd.org>, "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>, <sjg@juniper.net>
Subject: Re: Trust system write-up
Message-ID: <67125.1508777074@kaos.jnpr.net>
In-Reply-To: <cd7d0bfa-d620-1382-3ce6-28db874e6049@metricspace.net>
References: <1a9bbbf6-d975-0e77-b199-eb1ec0486c8a@metricspace.net> <20171023071120.GA72383@blogreen.org> <cd7d0bfa-d620-1382-3ce6-28db874e6049@metricspace.net>
Eric McCorkle <eric@metricspace.net> wrote:
> That is also an option; however, I prefer the configuration where only
> the local system key is a root and everything else is an intermediate,
> as each root key represents a source of trust that is hard to revoke
> (you have to power-cycle). It's almost always better to have a single
> root, and make everything else an intermediate, though I'm not sure
> enough of that to bake it into the specification.

While we as an embedded vendor might not necessarily want to support any local signing ability - or to be able to limit the scope of any such ability, there should be no reason you cannot allow a FreeBSD.org root cert to be honored in parallel with a local root. This should allow updating a system with both locally built s/w and pre-built packages from FreeBSD.

FWIW when designing the trust model for Junos, preventing any local control of the trust store was an explicit goal. With the advent of secure boot and TPMs, there is potentially scope to allow for mixed control.

Please have a look at stevek's mac_veriexec patches in phabricator. The verified exec model easily allows for "signing" any sort of file, not just ELF binaries, or needing to use special "attached" signature formats. Thus it allows adding "signing" with minimal impact to most of the system. This could probably work well in conjunction with your trust database.

And of course my loader mods follow the same model, so signing loader.conf, modules etc is all simple with minimal impact to loader itself.

--sjg
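The two ideas in the reply above, a trust store that honors a local root and a FreeBSD.org root in parallel and a signed detached manifest that covers any file kind, as an added example that is neither code from this thread nor the mac_veriexec or loader implementation: ed25519 keys stand in for X.509 certificates, the one-line "path sha256" manifest format is an assumption for illustration, and the file contents are constructed.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Cert stands in for an X.509 cert: a subject key plus the issuer's signature over it.
type Cert struct{ Pub ed25519.PublicKey; Sig []byte }

// entry is one "path sha256" manifest line; a signed detached list of these covers any file kind.
func entry(path string, data []byte) string {
	h := sha256.Sum256(data)
	return path + " " + hex.EncodeToString(h[:])
}

// verifyFile accepts data for path when the manifest signer was issued by any trusted root
// (local and FreeBSD.org roots honored in parallel), the manifest signature holds, and the
// file's hash matches a manifest line exactly (the "\n" framing stops a path-suffix substring match).
func verifyFile(m string, sig []byte, signer Cert, roots []ed25519.PublicKey, path string, data []byte) bool {
	trusted := false
	for _, r := range roots {
		trusted = trusted || ed25519.Verify(r, signer.Pub, signer.Sig)
	}
	return trusted && ed25519.Verify(signer.Pub, []byte(m), sig) &&
		strings.Contains("\n"+m, "\n"+entry(path, data)+"\n")
}

// Scenario stores a local root and a FreeBSD.org root, mints an intermediate under the FreeBSD.org
// root and one under an untrusted root, and has each sign the same constructed manifest.
func Scenario() (okFreeBSD, badIssuer, tampered bool) {
	localPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fbsdPub, fbsdPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	roots := []ed25519.PublicKey{localPub, fbsdPub}
	path, data := "/boot/loader.conf", []byte("kern.vty=vt\n") // constructed sample file
	m := entry(path, data) + "\n" + entry("/boot/kernel/if_em.ko", []byte("\x7fELF...")) + "\n"
	sign := func(issuer ed25519.PrivateKey) (Cert, []byte) { // mint an intermediate, sign m with it
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		return Cert{pub, ed25519.Sign(issuer, pub)}, ed25519.Sign(priv, []byte(m))
	}
	c, s := sign(fbsdPriv)
	rc, rs := sign(roguePriv)
	return verifyFile(m, s, c, roots, path, data), !verifyFile(m, rs, rc, roots, path, data),
		!verifyFile(m, s, c, roots, path, []byte("kern.vty=sc\n"))
}
func main() { fmt.Println(Scenario()) }
```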