From owner-freebsd-arch@freebsd.org  Mon Oct 23 22:28:03 2017
Return-Path: <owner-freebsd-arch@freebsd.org>
Delivered-To: freebsd-arch@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 82F3DE56925;
 Mon, 23 Oct 2017 22:28:03 +0000 (UTC)
 (envelope-from eric@metricspace.net)
Received: from mail.metricspace.net (mail.metricspace.net
 [IPv6:2001:470:1f11:617::107])
 by mx1.freebsd.org (Postfix) with ESMTP id 520192A40;
 Mon, 23 Oct 2017 22:28:03 +0000 (UTC)
 (envelope-from eric@metricspace.net)
Received: from [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f] (unknown
 [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client did not present a certificate) (Authenticated sender: eric)
 by mail.metricspace.net (Postfix) with ESMTPSA id B28ED2F80;
 Mon, 23 Oct 2017 22:28:02 +0000 (UTC)
Subject: Re: Trust system write-up
To: Ian Lepore <ian@freebsd.org>,
 "freebsd-hackers@freebsd.org" <freebsd-hackers@FreeBSD.org>,
 freebsd-security@freebsd.org, freebsd-arch@freebsd.org
References: <1a9bbbf6-d975-0e77-b199-eb1ec0486c8a@metricspace.net>
 <1508775285.34364.2.camel@freebsd.org>
From: Eric McCorkle <eric@metricspace.net>
Message-ID: <e4fb486c-fe8a-571e-8c95-f5f68c44b77c@metricspace.net>
Date: Mon, 23 Oct 2017 18:28:02 -0400
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101
 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <1508775285.34364.2.camel@freebsd.org>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-arch/>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Help: <mailto:freebsd-arch-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Oct 2017 22:28:03 -0000

On 10/23/2017 12:14, Ian Lepore wrote:

> Any thoughts on how to validate executables which are not elf binaries,
> such as shell scripts, python programs, etc?

I hadn't really thought in depth about it, as my main initial goal is
signed kernel/modules, but I have given it some thought...

Arguably the "right" way to do it would be to have the signing mechanism
be part of the platform.  For example, the JVM has conventions for jar
signing.  Not clear how this relates to shell scripts though.


An alternative is something like the NetBSD veriexec framework, where
there's MACs for specific files.  That stuff is mostly orthogonal to the
public-key approach I'm working on here, but there's possibly some
interplay.