Trust system write-up
    Simon J. Gerraty 
    sjg at juniper.net
       
    Mon Oct 23 23:15:39 UTC 2017
    
    
  
Eric McCorkle <eric at metricspace.net> wrote:
> I'm a bit less enthusiastic about veriexec in the loader.  The problem
> there is it requires an update to the loader every single time you build
> a new kernel, whereas the public key approach only needs updating if you
No, that's exactly what you don't need to do.
The whole advantage of the loader changes I've done is the flexibility
of verification.  One loader binary can be used to load any Junos
release we've built in the last decade or the next.
The only time we need a new loader binary, is if some code in the loader
needs to change - or a new rootCA needs to be supported.
The root CA is the only key the loader needs to know.
The signed manifests have an associated certificate chain used for
verification - exactly as we do for normal veriexec.
> change root keys.  (That's really the key difference: veriexec is an
> anti-tampering mechanism, where the trust system I've described is a
> trust-delegation mechanism).
Take a closer look, the veriexec manifests can convey additional
information to the kernel (not relevant to loader of course), which
we've made use of to allow apps signed by keys given to 3rd parties to
be run given suitable configuration.  We can also assign labels to apps
as a side effect of verification - labels that other mac modules can
use.
--sjg
    
    
More information about the freebsd-hackers
mailing list