Veriexec

Stephen J. Kiernan stevek at freebsd.org
Thu Jul 5 17:48:16 UTC 2018


On Tue, Jul 3, 2018 at 7:09 PM, Conrad Meyer <cem at freebsd.org> wrote:

> Hi,
>
> It's been two weeks since this went in broken.  What's the status?
> Has any progress been made on fixing the glaring issues?
>
> (If any fixes have been committed since the initial code dump I
> complained about two weeks ago, I must have missed them.)
>
> I agree that perfect should not be the enemy of "good enough," but I
> don't believe what's in the tree is "good enough."
>

The backout commits for the veriexecctl bits (r335681) and the hooks
into the build to compile the kernel modules (r335682) happened on
26 Jun 2018.

I never really liked veriexecctl to begin with, but wanted to give people
something to be able to load fingerprints with in order to try things out.
Especially since there was ongoing discussion about how to provide a
signed manifest or similar method (which is what Simon is working
on) that folks could add their own trust store material to. The intention
was then to have veriexecctl go away. However, veriexecctl, as it was,
did not have much practical use and could provide a false sense of
security, so it was better to just purge it.

There's work in progress on fixing the issues with the meta-data store
and its use. However, family obligations and work have been taking up
time.

-Steve


More information about the freebsd-arch mailing list