svn commit: r335402 - head/sbin/veriexecctl
Xin LI
delphij at gmail.com
Wed Jun 20 18:09:24 UTC 2018
On Wed, Jun 20, 2018 at 10:58 AM Jonathan T. Looney <jtl at freebsd.org> wrote:
>
> On Tue, Jun 19, 2018 at 8:34 PM Conrad Meyer <cem at freebsd.org> wrote:
>>
>> Please revert this patchset. It's not ready.
>
>
> I'm not sure I understand the need to revert the patches. They may need some refinement, but they also do provide some functionality upon which you can build the tooling that Simon discussed.
>
> Unless I missed something, this feature only impacts the system when it is specifically compiled in. In cases like that, I think its reasonable to give the committer some time to refine them in place prior to the code slush/freeze, at which point we can decide what to do.
+1 for all points.
I do agree with others that SHA-1 support should not be included
(unless I have missed something, but I think firmware integrity check
counts as a "Digital signature" verification, according to SP 800-131A
"9 Hash algorithms", SHA-1 verification should only be used for legacy
usage, which does not apply on FreeBSD because this is new feature).
But even that, given the code only impacts systems that have it
explicitly compiled in, it's reasonable to give the committer more
time to make further improvements rather than reverting it as a whole
as this would give the code more exposure.
Cheers,
More information about the svn-src-all
mailing list