From: "Simon J. Gerraty" <sjg@juniper.net>
To: Eric McCorkle
CC: freebsd-hackers@freebsd.org
Subject: Re: Trust system write-up
Date: Mon, 23 Oct 2017 09:44:34 -0700
Message-ID: <67125.1508777074@kaos.jnpr.net>
References: <1a9bbbf6-d975-0e77-b199-eb1ec0486c8a@metricspace.net> <20171023071120.GA72383@blogreen.org>
Comments: In-reply-to: Eric McCorkle message dated "Mon, 23 Oct 2017 07:56:33 -0400."
Eric McCorkle wrote:
> That is also an option; however, I prefer the configuration where only
> the local system key is a root and everything else is an intermediate,
> as each root key represents a source of trust that is hard to revoke
> (you have to power-cycle). It's almost always better to have a single
> root, and make everything else an intermediate, though I'm not sure
> enough of that to bake it into the specification.
While we as an embedded vendor might not necessarily want to support any
local signing ability - or to be able to limit the scope of any such
ability - there should be no reason you cannot allow a FreeBSD.org root
cert to be honored in parallel with a local root. This should allow
updating the system with both locally built s/w and pre-built packages
from FreeBSD.

FWIW when designing the trust model for Junos, preventing any local
control of the trust store was an explicit goal. With the advent of
secure boot and TPMs, there is potentially scope to allow for mixed
control.

Please have a look at stevek's mac_veriexec patches in phabricator.
The verified exec model easily allows for "signing" any sort of file,
not just ELF binaries, without needing to use special "attached"
signature formats. Thus it allows adding "signing" with minimal impact
to most of the system. This could probably work well in conjunction
with your trust database.

And of course my loader mods follow the same model, so signing
loader.conf, modules etc is all simple with minimal impact to the
loader itself.

--sjg
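The two ideas in the mail above, a trust store that honours several roots in parallel (a FreeBSD.org root next to a local root) and a veriexec-style model where a signed manifest of file fingerprints covers any kind of file without an attached signature format, as an added example. This is not FreeBSD's mac_veriexec, stevek's patches or the author's loader code; it is a stand-alone Go sketch that assumes Ed25519 root keys, a path/SHA-256 text manifest and a detached signature over that manifest. The root names, file paths and file contents are constructed for the demonstration, and NewRoot is a hypothetical helper that generates keys in memory rather than loading them from firmware or a TPM-backed store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// TrustRoot is one root of trust held by the system. Several roots are
// honoured in parallel, e.g. a vendor (FreeBSD.org) root next to a local one.
type TrustRoot struct {
	Name string
	Pub  ed25519.PublicKey
}

// NewRoot generates a fresh Ed25519 root key pair (hypothetical helper; a
// real system would load only the public half from firmware or a TPM-backed store).
func NewRoot(name string) (TrustRoot, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return TrustRoot{}, nil, err
	}
	return TrustRoot{Name: name, Pub: pub}, priv, nil
}

// TrustStore is the set of roots honoured in parallel.
type TrustStore struct{ Roots []TrustRoot }

// Manifest maps a file path to the hex SHA-256 of its contents. Signing the
// manifest rather than each file covers any file type (loader.conf, kernel
// modules, scripts, ELF binaries) without an attached signature format.
type Manifest struct{ Entries map[string]string }

// BuildManifest fingerprints a set of files.
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{Entries: make(map[string]string, len(files))}
	for path, data := range files {
		sum := sha256.Sum256(data)
		m.Entries[path] = hex.EncodeToString(sum[:])
	}
	return m
}

// Encode renders the manifest in canonical sorted form so the signed bytes
// are reproducible regardless of map iteration order.
func (m Manifest) Encode() []byte {
	paths := make([]string, 0, len(m.Entries))
	for p := range m.Entries {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&b, "%s %s\n", p, m.Entries[p])
	}
	return []byte(b.String())
}

// ParseManifest reverses Encode; a verifier parses only after the signature
// over the raw bytes has been accepted.
func ParseManifest(body []byte) (Manifest, error) {
	m := Manifest{Entries: make(map[string]string)}
	for _, line := range strings.Split(strings.TrimSpace(string(body)), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return Manifest{}, fmt.Errorf("malformed manifest line %q", line)
		}
		m.Entries[fields[0]] = fields[1]
	}
	return m, nil
}

// SignedManifest carries the manifest bytes and a detached Ed25519 signature.
type SignedManifest struct {
	Body []byte
	Sig  []byte
}

// SignManifest produces the detached signature with a root's private key.
func SignManifest(m Manifest, priv ed25519.PrivateKey) SignedManifest {
	body := m.Encode()
	return SignedManifest{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Verify checks the detached signature against every root in the store and
// returns the name of the root that accepted it. No accepting root, no trust.
func (ts TrustStore) Verify(sm SignedManifest) (string, error) {
	for _, r := range ts.Roots {
		if ed25519.Verify(r.Pub, sm.Body, sm.Sig) {
			return r.Name, nil
		}
	}
	return "", errors.New("manifest signature not trusted by any root")
}

// CheckFile verifies one file's contents against a trusted manifest, the
// check a veriexec-style hook performs before allowing the file to be used.
func CheckFile(m Manifest, path string, contents []byte) error {
	want, ok := m.Entries[path]
	if !ok {
		return fmt.Errorf("%s: not in manifest", path)
	}
	sum := sha256.Sum256(contents)
	if hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("%s: fingerprint mismatch", path)
	}
	return nil
}

func main() {
	vendor, vendorKey, _ := NewRoot("freebsd.org")
	local, localKey, _ := NewRoot("local")
	_, strangerKey, _ := NewRoot("stranger") // a key the store does not hold
	store := TrustStore{Roots: []TrustRoot{vendor, local}}

	// Constructed sample files, not real FreeBSD content.
	files := map[string][]byte{
		"/boot/loader.conf":        []byte("kern.vty=vt\n"),
		"/boot/modules/example.ko": {0x7f, 'E', 'L', 'F'},
	}
	m := BuildManifest(files)

	for _, s := range []struct {
		who string
		key ed25519.PrivateKey
	}{{"vendor", vendorKey}, {"local", localKey}, {"stranger", strangerKey}} {
		root, err := store.Verify(SignManifest(m, s.key))
		fmt.Printf("%-8s signed manifest -> root=%q err=%v\n", s.who, root, err)
	}

	parsed, _ := ParseManifest(SignManifest(m, localKey).Body)
	fmt.Println(CheckFile(parsed, "/boot/loader.conf", files["/boot/loader.conf"]))
	fmt.Println(CheckFile(parsed, "/boot/loader.conf", []byte("kern.vty=sc\n")))
}
```

Either root is sufficient on its own, which is the "in parallel" property: a package manifest signed by the vendor key and a loader.conf manifest signed by the local key both verify against the same store, while a manifest from a key the store does not hold, or a manifest whose bytes were altered after signing, is rejected before any fingerprint is consulted.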