While the Xen sources have recently become digitally signed by xen.org
(which is just great), there is still a problem that its various
Makefiles download (and subsequently build) various 3rd party software
via wget (e.g. ioemmu, grub, tboot, etc). Unless I'm missing something,
the downloaded 3rd part software is never verified in any way.
From the security point of view, it is equal to say that Xen downloads
random code from the web, and unconditionally executes it. So, this not
only allows for building potentially compromised Xen packages, but also
is a threat to the developers machine, where the (untrusted) Makefiles
of the unverified 3rd party software are run.
Consequently, I have the following suggestions:
1) Push on the vendors of the 3rd party components you use in the build
to sign their software, verify the signatures after download in your
Makefile,
2) Until the 3rd party vendors implement signing of their software, add
hardcoded list of hashes for the specific versions of the software
version you use in the build (e.g. md5sum and then use md5sum --check in
the Makefile for verification that what you downloaded is good).
joanna.
signature.asc
Description: OpenPGP digital signature
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|