@sjg wrote (email):

In D16155#342583, @cem wrote:

• Why are we using PGP in any new cryptosystem?

Because lots of people in the real world want to be able to use it?

I suspect most people don't really care for PGP specifically. They want the end result — cryptographically verified filesystem manifests.

PGP in particular has a poor security track record.

Like everything else, it is optional.

Poor-quality "optional" modes do not benefit, and sometimes harm, crypto systems (e.g., POODLE, FREAK, Logjam). Why include it when we've already got a better mode?

• Why are we using ASN.1 / x509 — a notoriously difficult scheme to parse correctly — in the kernel or loader?

Because it provides a high level of flexibility.

Flexibility and good crypto system design do not go well together. What you want is the most limited solution that will meet your needs. I'm have not been convinced that a CA system with intermediary authority makes any sense for manifest verification. What's wrong with a single public key?

Ie. I can load a brand new version of Junos on a 10+ year old version,
and it will be able to verify all the signatures.
Unlike some other designs that would force me to install intermediate
versions in sequence.

Is this really something you need to do with any frequency? Note that you'll have similar problems with, say, upgrading from 10 year old web browsers.

• Why the plethora of duplicated functionality (e.g., above)? (Also, the five different SHA hashes. Pick one that's good enough

For the above requirement I need to ensure that the s/w I shipped 10+
years ago, knows how to handle hashes that were not required then.

Again, if you want to keep the options in JunOS, you are welcome to. But for FreeBSD there is no reason to have more than one hash and one signature method.

and just use it everywhere.  SHA512 provides no meaningful benefit
over SHA256, but it also isn't clear that a basic hash is the
right construct anyway.  There is no reason to use SHA384 at all.)

Yes, there is - if/when SHA256 is deprecated.

I don't think this is responsive to my comment. SHA512 uses a more or less identical construction to SHA256. I suspect the entire SHA-2 family would be deprecated at the same time.

Hopefully SHA512/256 will be approved before then.

Approved? What is there to approve? It's just a truncated SHA512 with different initial constants — and still a member of the SHA-2 family.

• What alternatives to x509 or PGP were considered and dismissed? Please make it clear that you've done your research and examined other options.

I gave a talk about this at BSDCan in June.

Feel free to clip a specific excerpt you think is relevant, or please write a summary.

At the end of the day, you can propose and implement an alternate design
and see if anyone wants it.

That's not how review works. It's up to the submitter to meet the bar.

• Why RSA or ECDSA (both have easy ways to foot-shoot) in new cryptosystems, vs something like Ed25519?

Because as a vendor who sells to US Govt I'm limited to algorithms
approved for that purpose.

Maybe a great reason for JunOS, but not really relevant for FreeBSD. The best argument I can come up with for RSA or ECDSA veriexec in FreeBSD is that BearSSL does not support any others.

Some people, especially those in non-US countries, suspect that the NIST ECDSA curves are backdoored by the NSA. Additionally, although this probably does not matter very much, ECDSA signatures are slower to verify than RSA certificates of similar strength. ECDSA is more complicated to implement.

Given that, I'm not sure there's any reason to have ECDSA at all.

• SHA1 should not be used at all.

It is optional for that reason and not enabled by default.
However we are using it and will continue to until NIST ban it.

Again — you can keep it in JunOS. There is absolutely no reason to put it in FreeBSD.

Meta issues:

- Use of strcmp() for signature comparison.  You want timingsafe_memcmp().

In the loader? It is a single threaded app.

Sorry, I did not realize what files correspond to what contexts. It isn't super clear. If signatures are public then leaking them is not a concern.

• Have you thought about wiping key memory before releasing it? I don't see any invocations of explicit_bzero() (or bzero/memset, for that matter).

There are no private keys involved here at all.
Public keys do not need any such treatment - they are not sensitive
data.

Right.

+#define VE_GUESS -1 /* let verify_file work it out */
+#define VE_TRY 0 /* we don't mind if unverified */
+#define VE_WANT 1 /* we want this verified */

Both of these concepts seem pretty dubious.

The loader and kernel should not be guessing signing policy — period.

If you can propose a means whereby every bit of lua and .4th can
communicate to the loader the verification requirements...

Policy should be dictated by the administrator via manifest. No?

Files either have a signature or do not. If they do, they must be
verified. If they don't, they cannot be verified. Not sure what try
or want has to do with that.

Please go watch my talk from BSDCan.
This is all covered.

Again, please point me at a specific clip or excerpt.

Yes, anything which has a hash must verify correctly.

The above all only apply when no hash is found.
Whether that is acceptible depends on the caller - never acceptible for
modules, but may be ok for loader.conf and other files which may need to
be mutable.

I see. The problem with the manifests is that they do not distinguish between "this file must not exist" and "this file may exist, but we don't care about the signature." I don't like this approach, but I don't have a good counter-proposal either; I'll think about it.

Ah, and I should add: NaCl is permissively licensed, supports Ed25519 and SHA-2 hashes, and is similarly suitable for embedding in loader (TweetNaCl without any LTO is about 7.5kB of code and 2kB of data).

I spent an hour or so this morning responding to cem's comments above, only to find that email responses bounce.
I'm not going to type it all in again, some of your comments are hard to respond to without coming off as antagonistic...

OpenPGP might suck - I don't much care - it is widely deployed and understood, and provides a handy get out of jail card for GPLv3 - which is a big deal as soon as you start signing software.

What you want is the most limited solution that will meet your
needs.  I'm have not been convinced that a CA system with
intermediary authority makes any sense for manifest verification.
What's wrong with a single public key?

Sorry, but a "single public key" might be fine for a personal use box, but does not come close to cutting it for a commercial product that needs to accommodate evolving requirements over an extended lifetime. What happens when you need to revoke that key?

We use X.509 for precisely that reason, and have field tested this on 1000's of devices for nearly 15 years.
And yes it is very common for core routers (that carry the Internet) to run very old versions of Junos, new hardware is the main driver for software updates in core networks.
At the edge of the network, the opposite holds.

Regardless; the design here allows you to just use your single PGP key if you want.
But don't force that design choice on everyone else.
Same holds for choice of hashes - you can choose one - and for the loader that's quite practical.
But others might want to choose differently.

> Hopefully SHA512/256 will be approved before then.

Approved?  What is there to approve?  It's just a truncated SHA512
with different initial constants \u2014 and still a member of the SHA-2
family.

I've mentiontion before that I'm only interested in ciphers, hashes
and such that I can use in systems that need to pass evaluations by
numerous governments, eg FIPS 140-2 and various Common Criteria
protection profiles (which for the crypto usually have FIPS 140 as a
basis even if they change the names).

So for me and and anyone in the same boat, that means NIST (and NSA)
need to "approve".

> Yes, anything which has a hash must verify correctly.
>
> The above all only apply when no hash is found.
>  Whether that is acceptible depends on the caller - never acceptible for
>  modules, but may be ok for loader.conf and other files which may need to
>  be mutable.

I see.  The problem with the manifests is that they do not
distinguish between "this file must not exist" and "this file may
exist, but we don't care about the signature."  I don't like this
approach, but I don't have a good counter-proposal either; I'll
think about it.

Actually you can express both of those.
The "this file must not exist" can be handled by a manifest entry with
a hash that will never match - all 0's for example.
The other is trivial and done extensively in Junos - a file entry with
no corresponding hash.

This manifest design has been field tested for almost 15 years.
We've not found a reason to change it.

After discussion with imp, breaking this up to a set of smaller reviews:

https://reviews.freebsd.org/D16337 for build options etc
https://reviews.freebsd.org/D16336 for changes to stand/
https://reviews.freebsd.org/D16335 for libve
https://reviews.freebsd.org/D16334 for libbearssl

Little tip, if you use just the short D##### tag Phabricator will automatically add links both ways:

• D16337 for build options etc
• D16336 for changes to stand/
• D16335 for libve
• D16334 for libbearssl

I needed to add -O1 to stand/defs.mk else the loader was too big
to boot.

This is the i386 CSM loader I assume? How about the UEFI loader? Do you have before/after file sizes handy?