Date: Tue, 19 Jun 2018 21:10:32 -0700 From: Cy Schubert <Cy.Schubert@cschubert.com> To: cem@freebsd.org Cc: "Stephen J. Kiernan" <stevek@freebsd.org>, src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r335402 - head/sbin/veriexecctl Message-ID: <201806200410.w5K4AWAt019385@slippy.cwsent.com> In-Reply-To: Message from Conrad Meyer <cem@freebsd.org> of "Tue, 19 Jun 2018 20:33:30 -0700." <CAG6CVpV124ze%2BY6xX2ZFqbM%2B3hJNEJWR2qpnChpey=PmiW6qXg@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <CAG6CVpV124ze+Y6xX2ZFqbM+3hJNEJWR2qpnChpey=PmiW6qXg@mail.gma il.com> , Conrad Meyer writes: > On Tue, Jun 19, 2018 at 6:08 PM, Stephen J. Kiernan <stevek@freebsd.org> wrot > e: > > Author: stevek > > Date: Wed Jun 20 01:08:54 2018 > > New Revision: 335402 > > URL: https://svnweb.freebsd.org/changeset/base/335402 > > > > Log: > > This application (veriexecctl) handles reading a fingerprints file > > Hi, > > This patchset needed design and code review prior to commit. It > appears to have serious problems. > > First and foremost: nothing is actually signed, anywhere. The > veriexecctl tool parses and tells the kernel to trust a file input. > But if we don't trust other files on the filesystem, why do we trust > that one? There is no embedded signature mechanism proving the hash > list file is trustworthy. > > As a corollary to the above, the name "signature file" is used > repeatedly in the code, which is misleading. The file contains hashes > (digests), not signatures (MACs). The file itself is unsigned. > Nothing about this has signatures. > > There's absolutely no reason to use sha1 or ripemd in new designs. > These should be removed. > > The patchset is littered with style issues. One fairly obvious issue > is mixed indentation styles — some files vary between space and tab > indentation from line to line. > > Please revert this patchset. It's not ready. > > Some suggestions for a second attempt: > > - Maybe use HMACs instead of raw hashes > - Maybe sign the source-of-trust file > - Fix the style issues > - Fix the compiler warnings at 6 - i386 format issues, build failures in multiple places -- Cheers, Cy Schubert <Cy.Schubert@cschubert.com> FreeBSD UNIX: <cy@FreeBSD.org> Web: http://www.FreeBSD.org The need of the many outweighs the greed of the few.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201806200410.w5K4AWAt019385>