Subject: heads up: major changes to verified exec
To: None <current-users@netbsd.org>
From: Brett Lymn <blymn@baesystems.com.au>
List: current-users
Date: 04/20/2005 23:51:06
Folks,
	I have just committed a significant rototill of the verified exec
code.  The major changes and new features are:

1) The in-kernel fingerprints are no longer stored in linked lists, rather
   they are now in a hash table.  This should make things faster in some
   instances - particularly when files are opened for write as the old code
   would traverse a couple of lists to check if the file was there in order
   to prevent fingerprinted files being overwritten.

2) More fingerprint methods are now supported - in addition to the old md5
   and sha1 we now have rmd160, sha256, sha384 and sha512.  Note that there
   is no tool in the base NetBSD toolset to generate the longer sha hashes
   but pkgsrc has one in pkgtools/digest that will

3) The command line for veriexecctl has changed: to load a set of
   fingerprints you must now do "veriexecctl load fingerprint.file".  This
   was done to allow other veriexecctl commands - the only other command
   at the moment is "veriexecctl fingerprints", which will report the
   fingerprint methods supported by the running kernel (fingerprint
   methods can now be tailored in/out using the kernel config).

There were many other changes made to the kernel level code that make it
much easier to add in new fingerprint methods and open up the possibility
of even being able to have fingerprint methods as lkm's (whether that
is really a good idea or not is open to debate, but it now _can_ be done
whereas before it was flat out impossible).

If you are using verified exec then you must ensure that you update your
userland _and_ the /etc/init.d/veriexec script before booting the new
kernel otherwise your fingerprints will fail to load which will cause
mayhem if you raise securelevel.

As a bit of a pre-warning, in the near future I will be changing the
major number of the veriexec device to a machine independent one instead
of the current i386-centric one.  This should make verified exec available
on all architectures.

Finally, I would like to thank Elad Efrat for all his hard work.  Most of
the code committed is a lightly modified version of his code.  Thanks a
lot!

-- 
Brett Lymn