On Sun, May 15, 2022 at 10:35 PM Nathan Hartman wrote:
> On Sun, May 15, 2022 at 10:51 AM Tomek CEDRO wrote:
> > On Sun, May 15, 2022 at 4:23 PM Nathan Hartman wrote:
> > > I noticed that we are downloading a 3rd party precompiled library,
> > > libphy62xxble.a from www.phyplusinc.com. (One of the Linux build tests
> > > on PR-6266 failed because curl failed to download it.)
> > >
> > > This download is done in arch/arm/src/phy62xx/Make.defs:
> > >
> > > if [ ! -f libphy62xxble.a ]; then \
> > > echo "############download lib form server############"; \
> > > curl -L -o libphy62xxble.a
> > > http://www.phyplusinc.com/phyplus/libphy62xxble.a; \
> > > cp -a libphy62xxble.a ../../../staging; \
> > > else \
> > > echo "############file exist############"; \
> > > fi \
> > >
> > > Should we add a new item to Kconfig -> License Setup?
> > > For example:
> > > [ ] Use components that include 3rd party binary objects
> >
> > This is a good catch! No Open-Source project should silently include
> > external closed-source binary blobs from internet.
>
> Yes, this is what I'm getting at.
>
> If we allow this at all, it should definitely be gated behind a
> "Licensing" Kconfig that is OFF by default.
>
> More below:
>
> > Not to mention insecure HTTP and no signature / certificate / checksum
> > residing in the project for download verification. This is a serious
> > security issue.
>
> If we allow this at all, there should be at least a basic mitigation:
> (1) The SHA-512 of the known-legitimate file should be written in
> arch/arm/src/phy62xx/Make.defs. (2) When the file is downloaded, it is
> initially saved to an alternate name, e.g.,
> libphy62xxble.a.downloaded. (3) The downloaded file's SHA-512 is
> computed and compared to the known-legitimate SHA-512. If there is a
> discrepancy then the build is aborted and the user is left to check
> what happened. If the file SHA-512 is verified then the file is
> renamed to its correct name.
>
> Nathan
Exactly :-) `sha512 -c sum filename` works on BSD like a charm and status can be checked with `echo $?` :-)

Also `curl --hostpubsha256` can be used here to verify the server public certificate :-)

    --hostpubsha256 <sha256>
        (SFTP SCP) Pass a string containing a Base64-encoded SHA256 hash of the
        remote host's public key. Curl will refuse the connection with the host
        unless the hashes match.

        Example:
        curl --hostpubsha256 NDVkMTQxMGQ1ODdmMjQ3MjczYjAyOTY5MmRkMjVmNDQ= sftp://example.com/

        See also --hostpubmd5. Added in 7.80.0.

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
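The three-step mitigation Nathan proposes (pin the SHA-512 in Make.defs, download to an alternate name, compare and abort or rename) as a POSIX sh sketch; this is an added example, not code from the thread or from NuttX. The function names, the `.downloaded` suffix handling and the re-check of an already-present file are assumptions, and the pinned digest is a placeholder because the thread does not give one.

```shell
# Added example (hypothetical helpers, not NuttX code): pinned-SHA-512
# download flow. The real digest for libphy62xxble.a is not in the thread
# and must be pinned by the maintainers in Make.defs.

# Print the SHA-512 hex digest of $1 using whichever tool the host has.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | cut -d' ' -f1
    elif command -v sha512 >/dev/null 2>&1; then
        sha512 -q "$1"                       # FreeBSD
    else
        echo "error: no SHA-512 tool found" >&2
        return 2
    fi
}

# verify_and_install DOWNLOADED EXPECTED_SHA512 FINAL_NAME
# Step 3: compare digests; on mismatch keep the file for inspection and
# fail so the build aborts, on match rename it to its real name.
verify_and_install() {
    actual=$(sha512_of "$1") || return 2
    if [ "$actual" != "$2" ]; then
        echo "error: SHA-512 mismatch for $1" >&2
        echo "  expected: $2" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    mv "$1" "$3"
}

# fetch_verified URL EXPECTED_SHA512 FINAL_NAME
# Steps 1-2: the pinned digest is passed in; download to an alternate name.
# An already-present file is re-verified rather than trusted blindly.
fetch_verified() {
    if [ -f "$3" ]; then
        [ "$(sha512_of "$3")" = "$2" ] && return 0
        echo "error: existing $3 does not match pinned SHA-512" >&2
        return 1
    fi
    curl --fail --location --silent --show-error \
         --output "$3.downloaded" "$1" || return 3
    verify_and_install "$3.downloaded" "$2" "$3"
}

# Usage (placeholder digest; the URL is the one quoted in the thread):
# fetch_verified http://www.phyplusinc.com/phyplus/libphy62xxble.a \
#     <PINNED_SHA512_FROM_MAKE_DEFS> libphy62xxble.a
```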