Date: Mon, 23 Oct 2017 16:15:20 -0700
From: "Simon J. Gerraty" <sjg@juniper.net>
To: Eric McCorkle <eric@metricspace.net>
Cc: <freebsd-arch@freebsd.org>, "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>, <sjg@juniper.net>
Subject: Re: Trust system write-up
Message-ID: <73296.1508800520@kaos.jnpr.net>
In-Reply-To: <1923f560-debf-b913-5cd0-a349444e451d@metricspace.net>
References: <1a9bbbf6-d975-0e77-b199-eb1ec0486c8a@metricspace.net> <20171023071120.GA72383@blogreen.org> <cd7d0bfa-d620-1382-3ce6-28db874e6049@metricspace.net> <67125.1508777074@kaos.jnpr.net> <1923f560-debf-b913-5cd0-a349444e451d@metricspace.net>
Eric McCorkle <eric@metricspace.net> wrote:

> I'm a bit less enthusiastic about veriexec in the loader. The problem
> there is it requires an update to the loader every single time you build
> a new kernel, whereas the public key approach only needs updating if you

No, that's exactly what you don't need to do.

The whole advantage of the loader changes I've done is the flexibility of verification. One loader binary can be used to load any Junos release we've built in the last decade or the next.

The only time we need a new loader binary is if some code in the loader needs to change - or a new rootCA needs to be supported.

The root CA is the only key the loader needs to know. The signed manifests have an associated certificate chain used for verification - exactly as we do for normal veriexec.

> change root keys. (That's really the key difference: veriexec is an
> anti-tampering mechanism, where the trust system I've described is a
> trust-delegation mechanism).

Take a closer look, the veriexec manifests can convey additional information to the kernel (not relevant to loader of course), which we've made use of to allow apps signed by keys given to 3rd parties to be run given suitable configuration.

We can also assign labels to apps as a side effect of verification - labels that other MAC modules can use.

--sjg
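The loader-side model described above (the loader embeds only the root CA; each signed manifest carries its own certificate chain, so new releases need no new loader) as an added example in Go with the standard library. This is not code from Junos, FreeBSD veriexec or anyone in this thread; the certificate names, the manifest line, the Ed25519 choice and the code-signing EKU are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues an Ed25519 code-signing certificate for cn, signed by parent (self-signed when parent is nil).
func newCert(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root: the template signs itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyManifest is the loader-side check: root is the only key it holds; the signer cert and intermediates arrive with the manifest.
func VerifyManifest(root *x509.Certificate, manifest, sig []byte, signer *x509.Certificate, chain []*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain {
		inters.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return false // no chain to the embedded root (or expired / wrong usage): never consult the signature
	}
	return ed25519.Verify(signer.PublicKey.(ed25519.PublicKey), manifest, sig)
}

// Demo builds root -> release CA -> signer, signs a constructed manifest, and returns (genuine verifies, foreign signer accepted) = (true, false).
func Demo() (genuine, foreign bool) {
	root, rootKey := newCert("Vendor Root CA", true, nil, nil)
	relCA, relKey := newCert("Release Signing CA", true, root, rootKey)
	signer, signerKey := newCert("manifest-signer", false, relCA, relKey)
	manifest := []byte("/boot/kernel/kernel sha256=<constructed digest>\n") // constructed sample manifest entry
	rogue, rogueKey := newCert("rogue-signer", false, nil, nil)             // self-signed, never certified by root
	return VerifyManifest(root, manifest, ed25519.Sign(signerKey, manifest), signer, []*x509.Certificate{relCA}),
		VerifyManifest(root, manifest, ed25519.Sign(rogueKey, manifest), rogue, nil)
}
```

A new release only needs a fresh signer certificate issued under the same root, so the loader binary (and its embedded root) stays unchanged until the root itself must be rotated.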