From: "Simon J. Gerraty"
To: Xin LI
CC: "Jonathan T. Looney", Conrad Meyer, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r335402 - head/sbin/veriexecctl
References: <201806200108.w5K18sIR050132@repo.freebsd.org>
Date: Wed, 20 Jun 2018 13:19:39 -0700
Message-ID: <11191.1529525979@kaos.jnpr.net>

Xin LI wrote:
> I do agree with others that SHA-1 support should not be included

It can certainly be disabled by default.

> (unless I have missed something, but I think firmware integrity check
> counts as a "Digital signature" verification, according to SP 800-131A

A "Digital signature" verification is an accepted form of firmware
integrity check, but a simple hash (including SHA-1) is also acceptable.
We of course perform both - and the Digital signature does *not* use
SHA-1, it has been deprecated for that purpose for some years now.

> "9 Hash algorithms", SHA-1 verification should only be used for legacy
> usage, which does not apply on FreeBSD because this is new feature).

I've managed to get out of having to memorize all those SP's, so will
check with one of the poor souls who still does - as to whether we are
claiming "legacy" status...

> But even that, given the code only impacts systems that have it
> explicitly compiled in, it's reasonable to give the committer more
> time to make further improvements rather than reverting it as a whole
> as this would give the code more exposure.

Indeed - thanks
--sjg