From: "Simon J. Gerraty" <sjg@juniper.net>
To: Eric McCorkle
CC: freebsd-hackers@freebsd.org
Subject: Re: Trust system write-up
Date: Mon, 23 Oct 2017 16:15:20 -0700
Message-ID: <73296.1508800520@kaos.jnpr.net>
In-Reply-To: <1923f560-debf-b913-5cd0-a349444e451d@metricspace.net>
References: <1a9bbbf6-d975-0e77-b199-eb1ec0486c8a@metricspace.net> <20171023071120.GA72383@blogreen.org> <67125.1508777074@kaos.jnpr.net> <1923f560-debf-b913-5cd0-a349444e451d@metricspace.net>

Eric McCorkle wrote:
> I'm a bit less enthusiastic about veriexec in the loader. The problem
> there is it requires an update to the loader every single time you build
> a new kernel, whereas the public key approach only needs updating if you

No, that's exactly what you don't need to do.
The whole advantage of the loader changes I've done is the flexibility of
verification.

One loader binary can be used to load any Junos release we've built in the
last decade or the next.

The only time we need a new loader binary is if some code in the loader
needs to change - or a new rootCA needs to be supported.

The root CA is the only key the loader needs to know.
The signed manifests have an associated certificate chain used for
verification - exactly as we do for normal veriexec.

> change root keys. (That's really the key difference: veriexec is an
> anti-tampering mechanism, where the trust system I've described is a
> trust-delegation mechanism).

Take a closer look: the veriexec manifests can convey additional
information to the kernel (not relevant to loader of course), which we've
made use of to allow apps signed by keys given to 3rd parties to be run
given suitable configuration.

We can also assign labels to apps as a side effect of verification - labels
that other mac modules can use.

--sjg
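The structure described in the reply above (a loader that holds only the root CA, while every signed manifest carries its own certificate chain and the hashes of the files it covers) can be sketched as an added example. The Go code below is not veriexec, Junos or FreeBSD loader code and is not from this thread; it assumes a manifest format of one "<sha256-hex> <path>" line per file, Ed25519 keys, and a root CA -> release CA -> build signer chain, all constructed here. The names SignManifest, VerifyManifest, CheckFile and BuildDemo are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Manifest carries the hash list, the leaf signature over it, and the chain (leaf first); the root is never shipped.
type Manifest struct {
	Body  string
	Sig   []byte
	Chain []*x509.Certificate
}

// issue mints a certificate for subject's key, signed by signer; parent == nil
// yields a self-signed root. Demo helper: it panics instead of returning errors.
func issue(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, subject, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, subject.Public(), signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above; cannot fail
	return c
}

// SignManifest is the build side: hash each file, sign the list, attach the chain.
func SignManifest(files map[string][]byte, leafKey ed25519.PrivateKey, chain []*x509.Certificate) Manifest {
	var b strings.Builder
	for path, content := range files {
		fmt.Fprintf(&b, "%x %s\n", sha256.Sum256(content), path)
	}
	return Manifest{Body: b.String(), Sig: ed25519.Sign(leafKey, []byte(b.String())), Chain: chain}
}

// VerifyManifest is the loader side: it trusts only root, walks the shipped
// chain back to it, checks the signature with the leaf key, then parses the list.
func VerifyManifest(root *x509.Certificate, m Manifest) (map[string]string, error) {
	if len(m.Chain) == 0 {
		return nil, fmt.Errorf("manifest carries no certificate chain")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range m.Chain[1:] {
		inters.AddCert(c)
	}
	if _, err := m.Chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return nil, fmt.Errorf("chain does not reach trusted root: %w", err)
	}
	pub, ok := m.Chain[0].PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, []byte(m.Body), m.Sig) {
		return nil, fmt.Errorf("manifest signature does not verify")
	}
	want := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(m.Body), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || len(f[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		want[f[1]] = f[0]
	}
	return want, nil
}

// CheckFile is the per-file gate: unlisted or altered content is rejected.
func CheckFile(want map[string]string, path string, content []byte) error {
	if h, ok := want[path]; !ok || fmt.Sprintf("%x", sha256.Sum256(content)) != h {
		return fmt.Errorf("%s: not in manifest or hash mismatch", path)
	}
	return nil
}

// BuildDemo: root CA -> release CA -> build signer, plus a manifest over two constructed files.
func BuildDemo() (*x509.Certificate, Manifest, map[string][]byte) {
	_, rootKey, _ := ed25519.GenerateKey(rand.Reader) // keygen fails only if rand does
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, buildKey, _ := ed25519.GenerateKey(rand.Reader)
	root := issue("Constructed Root CA", 1, x509.KeyUsageCertSign, nil, rootKey, rootKey)
	ca := issue("Constructed Release CA", 2, x509.KeyUsageCertSign, root, caKey, rootKey)
	leaf := issue("Constructed Build Signer", 3, x509.KeyUsageDigitalSignature, ca, buildKey, caKey)
	files := map[string][]byte{"/boot/kernel": []byte("constructed kernel image bytes"),
		"/boot/loader.conf": []byte("constructed loader.conf contents\n")}
	return root, SignManifest(files, buildKey, []*x509.Certificate{leaf, ca}), files
}
```

Called from a small main or a test, BuildDemo plays the build side and VerifyManifest plus CheckFile the loader side. The loader side holds only the root certificate and never sees a signing key, so the release CA or build signer can be replaced without touching what the loader carries, which is the property the reply is describing. A manifest whose chain ends at a different root, whose body was altered after signing, or which ships no chain at all is rejected before any file hash is consulted.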