From owner-freebsd-arch@freebsd.org Mon Oct 23 22:41:36 2017 Return-Path: Delivered-To: freebsd-arch@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AEB1FE56F21; Mon, 23 Oct 2017 22:41:36 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from mail.metricspace.net (mail.metricspace.net [IPv6:2001:470:1f11:617::107]) by mx1.freebsd.org (Postfix) with ESMTP id 88048339F; Mon, 23 Oct 2017 22:41:36 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f] (unknown [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: eric) by mail.metricspace.net (Postfix) with ESMTPSA id B733A2F8E; Mon, 23 Oct 2017 22:41:29 +0000 (UTC) Subject: Re: Trust system write-up To: "Simon J. Gerraty" Cc: freebsd-arch@freebsd.org, "freebsd-hackers@freebsd.org" References: <1a9bbbf6-d975-0e77-b199-eb1ec0486c8a@metricspace.net> <20171023071120.GA72383@blogreen.org> <67125.1508777074@kaos.jnpr.net> From: Eric McCorkle Message-ID: <1923f560-debf-b913-5cd0-a349444e451d@metricspace.net> Date: Mon, 23 Oct 2017 18:41:29 -0400 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: <67125.1508777074@kaos.jnpr.net> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Oct 2017 22:41:36 -0000 On 10/23/2017 12:44, Simon J. Gerraty wrote: > Eric McCorkle wrote: >> That is also an option; however, I prefer the configuration where only >> the local system key is a root and everything else is an intermediate, >> as each root key represents a source of trust that is hard to revoke >> (you have to power-cycle). It's almost always better to have a single >> root, and make everything else an intermediate, though I'm not sure >> enough of that to bake it into the specification. > > While we as an embedded vendor might not necessarily want to support any > local signing ability - or to be able to limit the scope of any such > ability, there should be no reason you cannot allow a FreeBSD.org root > cert to be honored in parallel with local root. This should allow > updating system with both locally build s/w and pre-built packages from > FreeBSD. You could do that. You can have as many root certs as you'd like. The rationale behind the "preferred" configuration is that it's simpler (fewer attack vectors) and it takes a stance that users should have exclusive control over their own machine. But nothing stops you from installing any number of vendor certs as roots. > > FWIW when designing the trust model for Junos, preventing any local > control of trust store was an explicit goal. > With the advent of secure boot and TPM's, there is potentially scope to > allow for mixed control. That sounds similar to the high-security setup I described. > Please have a look at stevek's mac_veriexec patches in phabricator. > The verified exec model easily allows for "signing" any sort of file, > not just ELF binaries or needing to use special "attached" signature > formats. Thus it allows adding "signing" with minimal impact to most of > the system. This could probably work well in conjunction with your > trust database. > > And of course my loader mods follow the same model, so signing > loader.conf, modules etc is all simple with minimal impact to loader > itself. I've seen that work. The NetBSD veriexec stuff is of interest. I don't really see it as a "competing" approach, more of a closely-related security mechanism. I don't see any reason why both mechanisms couldn't coexist, and there's probably some sort of beneficial interaction between the two. I could see, for example, veriexec being used to protect specific files from tampering, with the MACs themselves being provided by a signed file. I'm a bit less enthusiastic about veriexec in the loader. The problem there is it requires an update to the loader every single time you build a new kernel, whereas the public key approach only needs updating if you change root keys. (That's really the key difference: veriexec is an anti-tampering mechanism, where the trust system I've described is a trust-delegation mechanism).