[src/trunk]: src Remove support for VERIFIED_EXEC_FP_RMD160, VERIFIED_EXEC_FP...
details: https://anonhg.NetBSD.org/src/rev/ecb5869b923b
branches: trunk
changeset: 356267:ecb5869b923b
user: sevan <sevan%NetBSD.org@localhost>
date: Wed Sep 13 22:24:42 2017 +0000
description:
Remove support for VERIFIED_EXEC_FP_RMD160, VERIFIED_EXEC_FP_SHA1, and VERIFIED_EXEC_FP_MD5 options.
These algorithms are either broken or on their way to being broken.
Discussed on tech-security
http://mail-index.netbsd.org/tech-security/2017/08/21/msg000936.html
ok riastradh
diffstat:
share/man/man4/options.4 | 10 ++--------
share/man/man8/veriexec.8 | 4 ++--
sys/arch/acorn26/conf/GENERIC | 5 +----
sys/arch/acorn32/conf/GENERIC | 7 ++-----
sys/arch/alpha/conf/GENERIC | 7 ++-----
sys/arch/amd64/conf/ALL | 7 ++-----
sys/arch/amd64/conf/GENERIC | 7 ++-----
sys/arch/amiga/conf/DRACO | 7 ++-----
sys/arch/amiga/conf/GENERIC | 7 ++-----
sys/arch/amiga/conf/GENERIC.in | 7 ++-----
sys/arch/amiga/conf/INSTALL | 7 ++-----
sys/arch/amigappc/conf/GENERIC | 7 ++-----
sys/arch/amigappc/conf/NULL | 7 ++-----
sys/arch/arc/conf/GENERIC | 7 ++-----
sys/arch/bebox/conf/GENERIC | 7 ++-----
sys/arch/cats/conf/GENERIC | 5 +----
sys/arch/cesfic/conf/GENERIC | 5 +----
sys/arch/cobalt/conf/GENERIC | 7 ++-----
sys/arch/dreamcast/conf/G1IDE | 5 +----
sys/arch/dreamcast/conf/GENERIC | 5 +----
sys/arch/evbarm/conf/ARMADILLO-IOT-G3 | 5 +----
sys/arch/evbarm/conf/CUBOX | 5 +----
sys/arch/evbarm/conf/CUBOX-I | 5 +----
sys/arch/evbarm/conf/DUOVERO | 5 +----
sys/arch/evbarm/conf/GENERIC.common | 6 +-----
sys/arch/evbarm/conf/GUMSTIX | 5 +----
sys/arch/evbarm/conf/HPT5325 | 5 +----
sys/arch/evbarm/conf/IMX6UL-STARTER | 5 +----
sys/arch/evbarm/conf/MARVELL_NAS | 5 +----
sys/arch/evbarm/conf/MMNET_GENERIC | 7 ++-----
sys/arch/evbarm/conf/MPCSA_GENERIC | 7 ++-----
sys/arch/evbarm/conf/MV2120 | 5 +----
sys/arch/evbarm/conf/NITROGEN6X | 5 +----
sys/arch/evbarm/conf/OPENBLOCKS_A6 | 5 +----
sys/arch/evbarm/conf/OPENBLOCKS_AX3 | 5 +----
sys/arch/evbarm/conf/OVERO | 5 +----
sys/arch/evbarm/conf/PEPPER | 5 +----
sys/arch/evbarm/conf/SHEEVAPLUG | 5 +----
sys/arch/evbarm64/conf/A64EMUL | 7 ++-----
sys/arch/evbmips/conf/GDIUM | 7 ++-----
sys/arch/evbmips/conf/LOONGSON | 7 ++-----
sys/arch/evbmips/conf/SBMIPS | 7 ++-----
sys/arch/ews4800mips/conf/GENERIC | 7 ++-----
sys/arch/hp300/conf/GENERIC | 7 ++-----
sys/arch/hpcmips/conf/GENERIC | 7 ++-----
sys/arch/hpcsh/conf/GENERIC | 5 +----
sys/arch/hppa/conf/GENERIC | 7 ++-----
sys/arch/i386/conf/ALL | 7 ++-----
sys/arch/i386/conf/GENERIC | 7 ++-----
sys/arch/ibmnws/conf/GENERIC | 5 +----
sys/arch/iyonix/conf/GENERIC | 7 ++-----
sys/arch/landisk/conf/GENERIC | 7 ++-----
sys/arch/luna68k/conf/GENERIC | 7 ++-----
sys/arch/luna68k/conf/INSTALL | 5 +----
sys/arch/mac68k/conf/GENERIC | 7 ++-----
sys/arch/macppc/conf/GENERIC | 7 ++-----
sys/arch/macppc/conf/GENERIC_601 | 7 ++-----
sys/arch/mipsco/conf/GENERIC | 5 +----
sys/arch/mmeye/conf/GENERIC | 7 ++-----
sys/arch/mmeye/conf/MMEYE_WLF | 7 ++-----
sys/arch/mvme68k/conf/GENERIC | 7 ++-----
sys/arch/netwinder/conf/GENERIC | 5 +----
sys/arch/news68k/conf/GENERIC | 7 ++-----
sys/arch/newsmips/conf/GENERIC | 7 ++-----
sys/arch/next68k/conf/GENERIC | 7 ++-----
sys/arch/ofppc/conf/GENERIC | 7 ++-----
sys/arch/playstation2/conf/GENERIC | 5 +----
sys/arch/pmax/conf/GENERIC | 7 ++-----
sys/arch/pmax/conf/GENERIC64 | 7 ++-----
sys/arch/prep/conf/GENERIC | 7 ++-----
sys/arch/rs6000/conf/GENERIC | 7 ++-----
sys/arch/sandpoint/conf/GENERIC | 7 ++-----
sys/arch/sbmips/conf/GENERIC | 7 ++-----
sys/arch/sgimips/conf/GENERIC32_IP12 | 7 ++-----
sys/arch/sgimips/conf/GENERIC32_IP2x | 7 ++-----
sys/arch/sgimips/conf/GENERIC32_IP3x | 7 ++-----
sys/arch/shark/conf/GENERIC | 7 ++-----
sys/arch/sparc/conf/GENERIC | 7 ++-----
sys/arch/sparc/conf/KRUPS | 7 ++-----
sys/arch/sparc64/conf/GENERIC | 7 ++-----
sys/arch/sun2/conf/GENERIC | 7 ++-----
sys/arch/sun3/conf/GENERIC | 7 ++-----
sys/arch/sun3/conf/GENERIC3X | 7 ++-----
sys/arch/vax/conf/GENERIC | 7 ++-----
sys/arch/vax/conf/VAX780 | 5 +----
sys/arch/x68k/conf/GENERIC | 7 ++-----
sys/conf/files | 7 ++-----
sys/kern/kern_veriexec.c | 19 ++-----------------
88 files changed, 148 insertions(+), 425 deletions(-)
diffs (truncated from 2340 to 300 lines):
diff -r 71b6f81ba96b -r ecb5869b923b share/man/man4/options.4
--- a/share/man/man4/options.4 Wed Sep 13 22:15:25 2017 +0000
+++ b/share/man/man4/options.4 Wed Sep 13 22:24:42 2017 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: options.4,v 1.473 2017/09/13 08:26:38 wiz Exp $
+.\" $NetBSD: options.4,v 1.474 2017/09/13 22:24:42 sevan Exp $
.\"
.\" Copyright (c) 1996
.\" Perry E. Metzger. All rights reserved.
@@ -30,7 +30,7 @@
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\"
-.Dd September 12, 2017
+.Dd September 13, 2017
.Dt OPTIONS 4
.Os
.Sh NAME
@@ -2320,12 +2320,6 @@
.Xr sysctl 8
and
.Xr sysctl 3 .
-.It Cd options VERIFIED_EXEC_FP_MD5
-Enables support for MD5 hashes in Veriexec.
-.It Cd options VERIFIED_EXEC_FP_SHA1
-Enables support for SHA1 hashes in Veriexec.
-.It Cd options VERIFIED_EXEC_FP_RMD160
-Enables support for RMD160 hashes in Veriexec.
.It Cd options VERIFIED_EXEC_FP_SHA256
Enables support for SHA256 hashes in Veriexec.
.It Cd options VERIFIED_EXEC_FP_SHA384
diff -r 71b6f81ba96b -r ecb5869b923b share/man/man8/veriexec.8
--- a/share/man/man8/veriexec.8 Wed Sep 13 22:15:25 2017 +0000
+++ b/share/man/man8/veriexec.8 Wed Sep 13 22:24:42 2017 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: veriexec.8,v 1.6 2017/09/13 22:15:25 sevan Exp $
+.\" $NetBSD: veriexec.8,v 1.7 2017/09/13 22:24:42 sevan Exp $
.\"
.\" Copyright (c) 2008 Elad Efrat <elad%NetBSD.org@localhost>
.\" All rights reserved.
@@ -165,7 +165,7 @@
It reports the currently supported fingerprinting algorithms, for example:
.Bd -literal -offset indent
# /sbin/sysctl kern.veriexec.algorithms
-kern.veriexec.algorithms = RMD160 SHA256 SHA384 SHA512 SHA1 MD5
+kern.veriexec.algorithms = SHA256 SHA384 SHA512
.Ed
.Pp
It reports the current verbosity and strict levels, for example:
diff -r 71b6f81ba96b -r ecb5869b923b sys/arch/acorn26/conf/GENERIC
--- a/sys/arch/acorn26/conf/GENERIC Wed Sep 13 22:15:25 2017 +0000
+++ b/sys/arch/acorn26/conf/GENERIC Wed Sep 13 22:24:42 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.83 2017/07/29 18:08:56 maxv Exp $
+# $NetBSD: GENERIC,v 1.84 2017/09/13 22:24:42 sevan Exp $
#
# GENERIC machine description file
#
@@ -272,9 +272,6 @@
# removing fingerprint methods will have almost no impact on the kernel
# code size.
#
-#options VERIFIED_EXEC_FP_RMD160
#options VERIFIED_EXEC_FP_SHA256
#options VERIFIED_EXEC_FP_SHA384
#options VERIFIED_EXEC_FP_SHA512
-#options VERIFIED_EXEC_FP_SHA1
-#options VERIFIED_EXEC_FP_MD5
diff -r 71b6f81ba96b -r ecb5869b923b sys/arch/acorn32/conf/GENERIC
--- a/sys/arch/acorn32/conf/GENERIC Wed Sep 13 22:15:25 2017 +0000
+++ b/sys/arch/acorn32/conf/GENERIC Wed Sep 13 22:24:42 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.121 2017/07/28 19:26:15 maxv Exp $
+# $NetBSD: GENERIC,v 1.122 2017/09/13 22:24:42 sevan Exp $
#
# GENERIC --- NetBSD/acorn32 complete configuration
#
@@ -22,7 +22,7 @@
options INCLUDE_CONFIG_FILE # embed config file in kernel binary
-#ident "GENERIC-$Revision: 1.121 $"
+#ident "GENERIC-$Revision: 1.122 $"
# estimated number of users
maxusers 32
@@ -353,12 +353,9 @@
# removing fingerprint methods will have almost no impact on the kernel
# code size.
#
-#options VERIFIED_EXEC_FP_RMD160
#options VERIFIED_EXEC_FP_SHA256
#options VERIFIED_EXEC_FP_SHA384
#options VERIFIED_EXEC_FP_SHA512
-#options VERIFIED_EXEC_FP_SHA1
-#options VERIFIED_EXEC_FP_MD5
# If the standard modes don't work for your monitor, you can specify
# a RISC-OS-format monitor definition file and a list of modes here.
diff -r 71b6f81ba96b -r ecb5869b923b sys/arch/alpha/conf/GENERIC
--- a/sys/arch/alpha/conf/GENERIC Wed Sep 13 22:15:25 2017 +0000
+++ b/sys/arch/alpha/conf/GENERIC Wed Sep 13 22:24:42 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.376 2017/07/29 18:08:56 maxv Exp $
+# $NetBSD: GENERIC,v 1.377 2017/09/13 22:24:42 sevan Exp $
#
# This machine description file is used to generate the default NetBSD
# kernel.
@@ -19,7 +19,7 @@
options INCLUDE_CONFIG_FILE # embed config file in kernel binary
-ident "GENERIC-$Revision: 1.376 $"
+ident "GENERIC-$Revision: 1.377 $"
maxusers 32
@@ -790,12 +790,9 @@
# removing fingerprint methods will have almost no impact on the kernel
# code size.
#
-#options VERIFIED_EXEC_FP_RMD160
#options VERIFIED_EXEC_FP_SHA256
#options VERIFIED_EXEC_FP_SHA384
#options VERIFIED_EXEC_FP_SHA512
-#options VERIFIED_EXEC_FP_SHA1
-#options VERIFIED_EXEC_FP_MD5
options PAX_MPROTECT=0 # PaX mprotect(2) restrictions
options PAX_ASLR=0 # PaX Address Space Layout Randomization
diff -r 71b6f81ba96b -r ecb5869b923b sys/arch/amd64/conf/ALL
--- a/sys/arch/amd64/conf/ALL Wed Sep 13 22:15:25 2017 +0000
+++ b/sys/arch/amd64/conf/ALL Wed Sep 13 22:24:42 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: ALL,v 1.69 2017/09/03 08:52:18 maxv Exp $
+# $NetBSD: ALL,v 1.70 2017/09/13 22:24:42 sevan Exp $
# From NetBSD: GENERIC,v 1.787 2006/10/01 18:37:54 bouyer Exp
#
# ALL machine description file
@@ -17,7 +17,7 @@
options INCLUDE_CONFIG_FILE # embed config file in kernel binary
-#ident "ALL-$Revision: 1.69 $"
+#ident "ALL-$Revision: 1.70 $"
maxusers 64 # estimated number of users
@@ -1703,12 +1703,9 @@
# removing fingerprint methods will have almost no impact on the kernel
# code size.
#
-options VERIFIED_EXEC_FP_RMD160
options VERIFIED_EXEC_FP_SHA256
options VERIFIED_EXEC_FP_SHA384
options VERIFIED_EXEC_FP_SHA512
-options VERIFIED_EXEC_FP_SHA1
-options VERIFIED_EXEC_FP_MD5
options PAX_SEGVGUARD=0 # PaX Segmentation fault guard
options PAX_MPROTECT=1 # PaX mprotect(2) restrictions
diff -r 71b6f81ba96b -r ecb5869b923b sys/arch/amd64/conf/GENERIC
--- a/sys/arch/amd64/conf/GENERIC Wed Sep 13 22:15:25 2017 +0000
+++ b/sys/arch/amd64/conf/GENERIC Wed Sep 13 22:24:42 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.464 2017/08/13 08:48:30 christos Exp $
+# $NetBSD: GENERIC,v 1.465 2017/09/13 22:24:42 sevan Exp $
#
# GENERIC machine description file
#
@@ -22,7 +22,7 @@
options INCLUDE_CONFIG_FILE # embed config file in kernel binary
-#ident "GENERIC-$Revision: 1.464 $"
+#ident "GENERIC-$Revision: 1.465 $"
maxusers 64 # estimated number of users
@@ -1334,12 +1334,9 @@
# removing fingerprint methods will have almost no impact on the kernel
# code size.
#
-options VERIFIED_EXEC_FP_RMD160
options VERIFIED_EXEC_FP_SHA256
options VERIFIED_EXEC_FP_SHA384
options VERIFIED_EXEC_FP_SHA512
-options VERIFIED_EXEC_FP_SHA1
-options VERIFIED_EXEC_FP_MD5
options PAX_SEGVGUARD=0 # PaX Segmentation fault guard
options PAX_MPROTECT=1 # PaX mprotect(2) restrictions
diff -r 71b6f81ba96b -r ecb5869b923b sys/arch/amiga/conf/DRACO
--- a/sys/arch/amiga/conf/DRACO Wed Sep 13 22:15:25 2017 +0000
+++ b/sys/arch/amiga/conf/DRACO Wed Sep 13 22:24:42 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: DRACO,v 1.182 2017/07/30 13:12:49 maxv Exp $
+# $NetBSD: DRACO,v 1.183 2017/09/13 22:24:42 sevan Exp $
#
# This file was automatically created.
# Changes will be lost when make is run in this directory.
@@ -29,7 +29,7 @@
options INCLUDE_CONFIG_FILE # embed config file in kernel binary
-#ident "GENERIC-$Revision: 1.182 $"
+#ident "GENERIC-$Revision: 1.183 $"
makeoptions COPTS="-O2 -fno-reorder-blocks" # see share/mk/sys.mk
@@ -375,11 +375,8 @@
# removing fingerprint methods will have almost no impact on the kernel
# code size.
#
-#options VERIFIED_EXEC_FP_RMD160
#options VERIFIED_EXEC_FP_SHA256
#options VERIFIED_EXEC_FP_SHA384
#options VERIFIED_EXEC_FP_SHA512
-#options VERIFIED_EXEC_FP_SHA1
-#options VERIFIED_EXEC_FP_MD5
config netbsd root on ? type ?
diff -r 71b6f81ba96b -r ecb5869b923b sys/arch/amiga/conf/GENERIC
--- a/sys/arch/amiga/conf/GENERIC Wed Sep 13 22:15:25 2017 +0000
+++ b/sys/arch/amiga/conf/GENERIC Wed Sep 13 22:24:42 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.316 2017/07/30 13:12:49 maxv Exp $
+# $NetBSD: GENERIC,v 1.317 2017/09/13 22:24:42 sevan Exp $
#
# This file was automatically created.
# Changes will be lost when make is run in this directory.
@@ -29,7 +29,7 @@
options INCLUDE_CONFIG_FILE # embed config file in kernel binary
-#ident "GENERIC-$Revision: 1.316 $"
+#ident "GENERIC-$Revision: 1.317 $"
makeoptions COPTS="-O2 -fno-reorder-blocks" # see share/mk/sys.mk
@@ -622,11 +622,8 @@
# removing fingerprint methods will have almost no impact on the kernel
# code size.
#
-#options VERIFIED_EXEC_FP_RMD160
#options VERIFIED_EXEC_FP_SHA256
#options VERIFIED_EXEC_FP_SHA384
#options VERIFIED_EXEC_FP_SHA512
-#options VERIFIED_EXEC_FP_SHA1
-#options VERIFIED_EXEC_FP_MD5
config netbsd root on ? type ?
diff -r 71b6f81ba96b -r ecb5869b923b sys/arch/amiga/conf/GENERIC.in
--- a/sys/arch/amiga/conf/GENERIC.in Wed Sep 13 22:15:25 2017 +0000
+++ b/sys/arch/amiga/conf/GENERIC.in Wed Sep 13 22:24:42 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: GENERIC.in,v 1.134 2017/07/30 13:12:49 maxv Exp $
+# $NetBSD: GENERIC.in,v 1.135 2017/09/13 22:24:42 sevan Exp $
#
##
# GENERIC machine description file
@@ -52,7 +52,7 @@
options INCLUDE_CONFIG_FILE # embed config file in kernel binary
-#ident "GENERIC-$Revision: 1.134 $"
+#ident "GENERIC-$Revision: 1.135 $"
m4_ifdef(`INSTALL_CONFIGURATION', `m4_dnl
makeoptions COPTS="-Os"
@@ -731,11 +731,8 @@
# removing fingerprint methods will have almost no impact on the kernel
# code size.
#
-#options VERIFIED_EXEC_FP_RMD160
#options VERIFIED_EXEC_FP_SHA256
#options VERIFIED_EXEC_FP_SHA384
#options VERIFIED_EXEC_FP_SHA512
-#options VERIFIED_EXEC_FP_SHA1
-#options VERIFIED_EXEC_FP_MD5
config netbsd root on ? type ?
diff -r 71b6f81ba96b -r ecb5869b923b sys/arch/amiga/conf/INSTALL
--- a/sys/arch/amiga/conf/INSTALL Wed Sep 13 22:15:25 2017 +0000
+++ b/sys/arch/amiga/conf/INSTALL Wed Sep 13 22:24:42 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: INSTALL,v 1.126 2015/08/21 01:52:07 uebayasi Exp $
+# $NetBSD: INSTALL,v 1.127 2017/09/13 22:24:42 sevan Exp $
#
# This file was automatically created.
# Changes will be lost when make is run in this directory.
@@ -29,7 +29,7 @@
options INCLUDE_CONFIG_FILE # embed config file in kernel binary
-#ident "GENERIC-$Revision: 1.126 $"
+#ident "GENERIC-$Revision: 1.127 $"
makeoptions COPTS="-Os"