svn commit: r335402 - head/sbin/veriexecctl

Conrad Meyer cem at freebsd.org
Wed Jun 20 03:33:38 UTC 2018


On Tue, Jun 19, 2018 at 6:08 PM, Stephen J. Kiernan <stevek at freebsd.org> wrote:
> Author: stevek
> Date: Wed Jun 20 01:08:54 2018
> New Revision: 335402
> URL: https://svnweb.freebsd.org/changeset/base/335402
>
> Log:
>   This application (veriexecctl) handles reading a fingerprints file

Hi,

This patchset needed design and code review prior to commit.  It
appears to have serious problems.

First and foremost: nothing is actually signed, anywhere.  The
veriexecctl tool parses and tells the kernel to trust a file input.
But if we don't trust other files on the filesystem, why do we trust
that one?  There is no embedded signature mechanism proving the hash
list file is trustworthy.

As a corollary to the above, the name "signature file" is used
repeatedly in the code, which is misleading.  The file contains hashes
(digests), not signatures (MACs).  The file itself is unsigned.
Nothing about this has signatures.

There's absolutely no reason to use sha1 or ripemd in new designs.
These should be removed.

The patchset is littered with style issues.  One fairly obvious issue
is mixed indentation styles — some files vary between space and tab
indentation from line to line.

Please revert this patchset.  It's not ready.

Some suggestions for a second attempt:

- Maybe use HMACs instead of raw hashes
- Maybe sign the source-of-trust file
- Fix the style issues
- Fix the compiler warnings at 6

Thank you,
Conrad

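The two suggestions at the end of the message (keyed fingerprints and an authenticated source-of-trust file) as an added worked example. This is not code from veriexecctl or FreeBSD; the manifest layout, the trailer line, the key handling and all function names are assumptions made for illustration. A real design would use an asymmetric signature over the list so the verifying host holds no secret; HMAC-SHA256 is used here only because it is in the Python standard library.

```python
# Added example (not veriexecctl / FreeBSD code): a fingerprint list that is
# itself authenticated before any entry in it is trusted.
#
# Two changes relative to a plain list of raw digests:
#   1. each per-file fingerprint is an HMAC, so an attacker who can write to
#      the filesystem cannot compute a matching entry for a replaced binary;
#   2. the list carries a trailer HMAC over its body, and nothing is parsed
#      or trusted until that trailer verifies.
# Layout (assumed):   <path> <hex-hmac>\n ... "# MAC: <hex-hmac-over-body>\n"
import hashlib
import hmac

TRAILER = "# MAC: "


class UntrustedManifest(Exception):
    """Raised when the fingerprint list cannot be authenticated."""


def file_tag(key: bytes, data: bytes) -> str:
    """Keyed fingerprint of one file's contents (HMAC-SHA256, hex)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(key: bytes, files: dict[str, bytes]) -> str:
    """Produce 'path tag' lines plus a trailer HMAC over those lines."""
    body = "".join(f"{path} {file_tag(key, data)}\n"
                   for path, data in sorted(files.items()))
    trailer_mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + TRAILER + trailer_mac + "\n"


def load_manifest(key: bytes, text: str) -> dict[str, str]:
    """Authenticate the whole list first; only then parse its entries."""
    body, sep, trailer = text.rpartition(TRAILER)
    if not sep:
        raise UntrustedManifest("missing MAC trailer: list is unauthenticated")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, trailer.strip()):
        raise UntrustedManifest("trailer MAC mismatch: list was modified")
    entries = {}
    for line in body.splitlines():
        path, tag = line.split(maxsplit=1)
        entries[path] = tag
    return entries


def verify_file(key: bytes, entries: dict[str, str], path: str, data: bytes) -> bool:
    """Does the file at `path` with contents `data` match its keyed fingerprint?"""
    tag = entries.get(path)
    return tag is not None and hmac.compare_digest(tag, file_tag(key, data))


def demo() -> dict[str, bool]:
    key = b"example-key-held-only-by-the-verifier"           # constructed
    files = {"/bin/ls": b"ELF...ls", "/sbin/init": b"ELF...init"}  # constructed
    manifest = build_manifest(key, files)
    entries = load_manifest(key, manifest)

    # Attacker replaces /bin/ls and rewrites its entry with the raw SHA-256 of
    # the trojan, which would pass against an unkeyed, unsigned digest list.
    trojan = b"ELF...evil"
    forged = manifest.replace(entries["/bin/ls"],
                              hashlib.sha256(trojan).hexdigest())
    try:
        load_manifest(key, forged)
        forged_rejected = False
    except UntrustedManifest:
        forged_rejected = True

    # Attacker strips the trailer and leaves a plausible-looking bare list.
    stripped = manifest[: manifest.index(TRAILER)]
    try:
        load_manifest(key, stripped)
        stripped_rejected = False
    except UntrustedManifest:
        stripped_rejected = True

    return {
        "genuine_ls_accepted": verify_file(key, entries, "/bin/ls", files["/bin/ls"]),
        "trojan_ls_rejected": not verify_file(key, entries, "/bin/ls", trojan),
        "unlisted_path_rejected": not verify_file(key, entries, "/bin/sh", b"x"),
        "forged_entry_rejected": forged_rejected,
        "stripped_trailer_rejected": stripped_rejected,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The point the example makes is the ordering: the list is authenticated as a whole before a single entry is parsed, so a rewritten or trailer-stripped file is rejected outright rather than being loaded into the kernel and trusted. The same structure works unchanged if the trailer is replaced by a detached signature checked against a public key.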