From: Joanna Rutkowska <joanna@invisiblethingslab.com>
To: "xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>
Subject: Xen signing and wget
Date: Tue, 06 Jul 2010 17:12:08 +0200
Message-ID: <4C3347C8.7020603@invisiblethingslab.com>
While the Xen sources have recently become digitally signed by xen.org
(which is just great), there is still a problem that its various
Makefiles download (and subsequently build) various 3rd party software
via wget (e.g. ioemu, grub, tboot, etc). Unless I'm missing something,
the downloaded 3rd party software is never verified in any way.

From the security point of view, it is equal to say that Xen downloads
random code from the web, and unconditionally executes it. So, this not
only allows for building potentially compromised Xen packages, but also
is a threat to the developers' machines, where the (untrusted) Makefiles
of the unverified 3rd party software are run.

Consequently, I have the following suggestions:

1) Push on the vendors of the 3rd party components you use in the build
to sign their software, and verify the signatures after download in your
Makefile.

2) Until the 3rd party vendors implement signing of their software, add a
hardcoded list of hashes for the specific versions of the software you
use in the build (e.g. md5sum, and then use md5sum --check in the
Makefile for verification that what you downloaded is good).

joanna.
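The pinned-hash check from suggestion 2, as an added example that is not part of the mail or of the Xen build system: a download is only accepted if it matches a hash recorded in the tree, and a mismatched file is deleted rather than left where a later `make` step could unpack and run it. It uses sha256sum rather than the md5sum mentioned above (my substitution); the URL and hash placeholders are not real values.

```shell
#!/bin/sh
# Verify a downloaded 3rd party tarball against a hash pinned in the source
# tree before anything unpacks it or runs its Makefiles.
set -u

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX, else 1.
verify_sha256() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "verify: no such file: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "verify: hash mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# fetch_verified URL EXPECTED_HEX DEST
# Downloads URL with wget into a temporary name, and only renames it to DEST
# once the hash matches; a failed download or a mismatch leaves no file
# behind, so a dependent make target cannot proceed on unverified input.
fetch_verified() {
    url=$1
    expected=$2
    dest=$3
    # Reuse an already-verified copy instead of downloading again.
    if verify_sha256 "$dest" "$expected" 2>/dev/null; then
        return 0
    fi
    wget -q -O "$dest.part" "$url" || { rm -f "$dest.part"; return 1; }
    if verify_sha256 "$dest.part" "$expected"; then
        mv "$dest.part" "$dest"
    else
        rm -f "$dest.part"   # never keep a tarball that failed verification
        return 1
    fi
}

# Example use from a Makefile rule (placeholder URL and hash):
#   tboot.tar.gz:
#           . ./fetch.sh && fetch_verified \
#               http://example.invalid/tboot.tar.gz <pinned sha256 hex> $@
```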