svn commit: r335402 - head/sbin/veriexecctl

Simon J. Gerraty sjg at juniper.net
Wed Jun 20 20:20:34 UTC 2018


Xin LI <delphij at gmail.com> wrote:
> I do agree with others that SHA-1 support should not be included

It can certainly be disabled by default.

> (unless I have missed something, but I think firmware integrity check
> counts as a "Digital signature" verification, according to SP 800-131A

A "Digital signature" verification is an accepted form of firmware
integrity check, but a simple hash (including SHA-1) is also acceptable.
We of course perform both - and the Digital signature does *not* use
SHA-1, it has been deprecated for that purpose for some years now.

> "9 Hash algorithms", SHA-1 verification should only be used for legacy
> usage, which does not apply on FreeBSD because this is new feature).

I've managed to get out of having to memorize all those SP's, so will
check with one of the poor souls who still does - as to whether we are
claiming "legacy" status...

> But even that, given the code only impacts systems that have it
> explicitly compiled in, it's reasonable to give the committer more
> time to make further improvements rather than reverting it as a whole
> as this would give the code more exposure.

Indeed - thanks
--sjg


More information about the svn-src-head mailing list