Re: Cryptographic signatures of installer sets

2020-02-15 Thread Nathan Dorfman
On Wed, Feb 12, 2020 at 03:22:21PM +, Glen Barber wrote:
> > Have you considered the possibility of simply publishing a detached
> > signature with every MANIFEST, in a similar manner to what is done for
> > the installer images?
> > 
> 
> I have not, as a change to the misc/freebsd-release-manifests port will
> generate an email (or at minimum, a change in the repository), which
> would be a red flag for nefarious behavior.

Gotcha. So it sounds like your solution is the best path forward.
Looking forward to seeing your patch!

-nd.
___
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"


Re: Cryptographic signatures of installer sets

2020-02-12 Thread Glen Barber
On Tue, Feb 11, 2020 at 11:31:32PM +, Nathan Dorfman wrote:
> > The patch I have at the moment looks for the MANIFEST (rather, the
> > --) file in the location they are
> > installed by the misc/freebsd-release-manifests package.
> 
> This seems reasonable, but I think the checksum script is also used by
> the system installer (not just the jail setup script).
> 

No, they are two different sets of functionality.  The system installer
*always* uses the MANIFEST from the installation medium, but when fixing
that, I did not notice the jail subcommand, nor that it fetches a remote
MANIFEST file.

> Have you considered the possibility of simply publishing a detached
> signature with every MANIFEST, in a similar manner to what is done for
> the installer images?
> 

I have not, as a change to the misc/freebsd-release-manifests port will
generate an email (or at minimum, a change in the repository), which
would be a red flag for nefarious behavior.

Glen





Re: Cryptographic signatures of installer sets

2020-02-11 Thread Nathan Dorfman
Sorry for my delayed response.

On Mon, Feb 03, 2020 at 01:57:10PM +, Glen Barber wrote:
> First, if one installs from a snapshot, the MANIFEST file would only be
> valid until the next snapshot build.
> 
> The second and third problems are somewhat related: the various
> distribution sets (base.txz, lib32.txz, etc.) are not updated with each
> patch release.  (I have been pondering the "right way(tm)" to do this
> for some time, but that is more or less orthogonal to the real problem
> at hand here.)  The other issue is freebsd-update(8) does not work with
> snapshot builds (from stable/X or head).

Oops. I hadn't realized freebsd-update, with the -r option, couldn't be
used to upgrade to the next snapshot. Since that is the case, it seems
fine to support -RELEASEs only.

> But for X.Y-RELEASE, one could use 'bsdinstall jail' to create the jail,
> then invoke freebsd-update(8) with the '-b' flag to the jail location.

Right, and this is no different than the current situation.

> The patch I have at the moment looks for the MANIFEST (rather, the
> --) file in the location they are
> installed by the misc/freebsd-release-manifests package.

This seems reasonable, but I think the checksum script is also used by
the system installer (not just the jail setup script).

Have you considered the possibility of simply publishing a detached
signature with every MANIFEST, in a similar manner to what is done for
the installer images?

Those use PGP, requiring the gnupg package to verify, but OpenSSL could
also be used.

-nd.


Re: Cryptographic signatures of installer sets

2020-02-03 Thread Glen Barber
On Sat, Feb 01, 2020 at 11:34:20PM +, Nathan Dorfman wrote:
> On Thu, Jan 30, 2020 at 01:22:39PM +, Glen Barber wrote:
> > I honestly wasn't aware there was a jail subcommand to bsdinstall.
> > I think, rather than creating /usr/freebsd-dist on the host system, we
> > should instead check if the misc/freebsd-release-manifests package is
> > installed and bail if it does not.  This package contains the MANIFEST
> > files from past releases (and in-progress releases, including BETA and
> > RC builds).
> > 
> > Does that seem like a reasonable solution?
> 
> Well, that only works for actual releases. The one from the installation
> medium would work in all cases, such as if one installs a snapshot, or a
> custom build. It would have to be kept up to date by freebsd-update,
> though.
> 

There are three problems here.

First, if one installs from a snapshot, the MANIFEST file would only be
valid until the next snapshot build.

The second and third problems are somewhat related: the various
distribution sets (base.txz, lib32.txz, etc.) are not updated with each
patch release.  (I have been pondering the "right way(tm)" to do this
for some time, but that is more or less orthogonal to the real problem
at hand here.)  The other issue is freebsd-update(8) does not work with
snapshot builds (from stable/X or head).

But for X.Y-RELEASE, one could use 'bsdinstall jail' to create the jail,
then invoke freebsd-update(8) with the '-b' flag to the jail location.

> Also, you would need to add logic to select the correct manifest from
> the ones in the package, whereas one from the initial install (and
> freebsd-update) would be the only one. That could be as simple as
> stripping the -p123 suffixes from `uname -r`, but why?
> 

I have a patch locally to do just this, but I haven't committed it yet
because I am not entirely fond of the approach, and want to think about
it a bit more.

> FWIW, the /usr/freebsd-dist location can be overridden by setting
> $BSDINSTALL_DISTDIR, but the checksum script[1] will expect to find the
> manifest and sets in the same directory regardless.
> 

The patch I have at the moment looks for the MANIFEST (rather, the
--) file in the location they are
installed by the misc/freebsd-release-manifests package.

Glen





Re: Cryptographic signatures of installer sets

2020-02-02 Thread Nathan Dorfman
On Thu, Jan 30, 2020 at 01:22:39PM +, Glen Barber wrote:
> I honestly wasn't aware there was a jail subcommand to bsdinstall.
> I think, rather than creating /usr/freebsd-dist on the host system, we
> should instead check if the misc/freebsd-release-manifests package is
> installed and bail if it does not.  This package contains the MANIFEST
> files from past releases (and in-progress releases, including BETA and
> RC builds).
> 
> Does that seem like a reasonable solution?

Well, that only works for actual releases. The one from the installation
medium would work in all cases, such as if one installs a snapshot, or a
custom build. It would have to be kept up to date by freebsd-update,
though.

Also, you would need to add logic to select the correct manifest from
the ones in the package, whereas one from the initial install (and
freebsd-update) would be the only one. That could be as simple as
stripping the -p123 suffixes from `uname -r`, but why?

FWIW, the /usr/freebsd-dist location can be overridden by setting
$BSDINSTALL_DISTDIR, but the checksum script[1] will expect to find the
manifest and sets in the same directory regardless.

Perhaps this default could be changed to something under /usr/share?

-nd.

[1] https://svnweb.freebsd.org/base/release/12.1.0/usr.sbin/bsdinstall/scripts/checksum?view=markup#l29


Re: Cryptographic signatures of installer sets

2020-01-30 Thread Glen Barber
Hi Nathan,

On Thu, Jan 30, 2020 at 12:50:06AM +, Nathan Dorfman wrote:
> On Mon, Jan 27, 2020 at 04:42:01PM +, Glen Barber wrote:
> > No, this last part is not true.  The installer always verifies the
> > checksums against /usr/freebsd-dist/MANIFEST on the installation medium.
> > 
> > In particular, this was done in r293223, where the LOCAL_DISTRIBUTIONS
> > variable explicitly contains the MANIFEST.
> 
> Thank you, Glen. You're correct of course; the installer uses its
> embedded MANIFEST and doesn't even fetch it from the mirror... during
> system installation, at least.
> 
> However, the first time a jail is set up, using the `bsdinstall jail`
> command, it does in fact fetch and trust the mirror's MANIFEST. I just
> tested this with a freshly installed 12.1-RELEASE system and a local
> mirror with a modified base.txz and manifest. It installs the modified
> files into the new jail without any complaint.
> 
> Simply, after a clean installation /usr/freebsd-dist doesn't exist on
> the new system, so the jail script creates it and downloads the MANIFEST
> from the mirror. See lines 60-70, here:
> 
> https://svnweb.freebsd.org/base/release/12.1.0/usr.sbin/bsdinstall/scripts/jail?view=markup#l60
> 
> After the first jail, this downloaded manifest and package(s) are saved
> in /usr/freebsd-dist. So you are only at risk the first time, and there
> will be some evidence of the tampering. Still, I hope you'll agree that
> this should be fixed. The installer already has a trusted manifest as
> you point out, why not simply install that one into the target system's
> /usr/freebsd-dist at setup time?
> 

I honestly wasn't aware there was a jail subcommand to bsdinstall.
I think, rather than creating /usr/freebsd-dist on the host system, we
should instead check if the misc/freebsd-release-manifests package is
installed and bail if it does not.  This package contains the MANIFEST
files from past releases (and in-progress releases, including BETA and
RC builds).

Does that seem like a reasonable solution?

Glen





Re: Cryptographic signatures of installer sets

2020-01-30 Thread Nathan Dorfman
On Mon, Jan 27, 2020 at 04:42:01PM +, Glen Barber wrote:
> No, this last part is not true.  The installer always verifies the
> checksums against /usr/freebsd-dist/MANIFEST on the installation medium.
> 
> In particular, this was done in r293223, where the LOCAL_DISTRIBUTIONS
> variable explicitly contains the MANIFEST.

Thank you, Glen. You're correct of course; the installer uses its
embedded MANIFEST and doesn't even fetch it from the mirror... during
system installation, at least.

However, the first time a jail is set up, using the `bsdinstall jail`
command, it does in fact fetch and trust the mirror's MANIFEST. I just
tested this with a freshly installed 12.1-RELEASE system and a local
mirror with a modified base.txz and manifest. It installs the modified
files into the new jail without any complaint.

Simply, after a clean installation /usr/freebsd-dist doesn't exist on
the new system, so the jail script creates it and downloads the MANIFEST
from the mirror. See lines 60-70, here:

https://svnweb.freebsd.org/base/release/12.1.0/usr.sbin/bsdinstall/scripts/jail?view=markup#l60

After the first jail, this downloaded manifest and package(s) are saved
in /usr/freebsd-dist. So you are only at risk the first time, and there
will be some evidence of the tampering. Still, I hope you'll agree that
this should be fixed. The installer already has a trusted manifest as
you point out, why not simply install that one into the target system's
/usr/freebsd-dist at setup time?

-nd.
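The trust problem Nathan describes above (the jail script fetching the MANIFEST from the same mirror that serves the sets) and the fix discussed in the Feb 11 and Feb 12 messages (take the MANIFEST from a trusted local source instead), as an added Python example that is not code from bsdinstall or the FreeBSD project. The MANIFEST layout follows the real tab-separated format, but all set contents and digests are constructed.

```python
"""Check installer sets against a MANIFEST (added example, not bsdinstall code).
Mirrors what usr.sbin/bsdinstall/scripts/checksum does (SHA256 per set) and shows
why the MANIFEST must come from a trusted place (installation medium or the
misc/freebsd-release-manifests package), not the mirror serving the sets.
All set contents and MANIFEST text below are constructed."""
import hashlib

def parse_manifest(text):
    """Return {filename: sha256hex}. MANIFEST lines are tab-separated:
    <file> <sha256> <file count> <name> "<description>" <on|off>"""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 2 or len(fields[1]) != 64:
            raise ValueError("malformed MANIFEST line: %r" % line)
        entries[fields[0]] = fields[1].lower()
    return entries

def verify_sets(manifest_text, sets):
    """sets is {filename: bytes}; returns {filename: bool}, one pass/fail
    per set as checksum does. A set missing from the MANIFEST fails."""
    want = parse_manifest(manifest_text)
    return {name: name in want and hashlib.sha256(data).hexdigest() == want[name]
            for name, data in sets.items()}

def build_manifest(sets):
    """Produce MANIFEST text for sets (constructed). This is what a release
    build does, and equally what a tampered mirror can do for its own sets."""
    return "".join(
        "\t".join([name, hashlib.sha256(data).hexdigest(), "1",
                   name.split(".")[0], '"constructed set"', "on"]) + "\n"
        for name, data in sets.items())

# Constructed stand-ins for base.txz/kernel.txz and the two MANIFEST sources.
GENUINE = {"base.txz": b"genuine base set", "kernel.txz": b"genuine kernel set"}
TAMPERED = dict(GENUINE, **{"base.txz": b"modified base set"})
TRUSTED_MANIFEST = build_manifest(GENUINE)   # e.g. from the installation medium
MIRROR_MANIFEST = build_manifest(TAMPERED)   # fetched from the same mirror as the sets

if __name__ == "__main__":
    # Mirror-supplied MANIFEST: the modified base.txz passes, so the check proves nothing.
    print("mirror MANIFEST :", verify_sets(MIRROR_MANIFEST, TAMPERED))
    # Trusted MANIFEST: the modified set is caught.
    print("trusted MANIFEST:", verify_sets(TRUSTED_MANIFEST, TAMPERED))
```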


Re: Cryptographic signatures of installer sets

2020-01-27 Thread Glen Barber
On Sat, Jan 25, 2020 at 08:00:07PM +, Nathan Dorfman wrote:
> Hello all,
> 
> I really hope I'm missing something here, and we can all have a nice
> chuckle at my expense.
> 
> But I can't see any way the integrity of the installer sets (base.txz,
> kernel.txz and friends) can be verified cryptographically? There is a
> MANIFEST file containing SHA256 checksums, but it itself does not appear
> to be signed in any way.
> 
> The installer images do come with PGP-signed checksums. So, when using
> an image that already contains all the sets, one can be sure they are
> authentic. What happens when one uses a network-only installer, though?
> How can it authenticate the sets it downloads from the user's chosen
> mirror?
> 
> A cursory glance at src/usr.sbin/bsdinstall suggests that it does not,
> in fact, do that. Checksums are compared against the MANIFEST (in
> scripts/checksum), but that is itself simply downloaded from the same
> mirror (in scripts/jail), usually over plain FTP, without any
> authentication.
> 

No, this last part is not true.  The installer always verifies the
checksums against /usr/freebsd-dist/MANIFEST on the installation medium.

In particular, this was done in r293223, where the LOCAL_DISTRIBUTIONS
variable explicitly contains the MANIFEST.

Glen


