WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

[Xen-devel] Xen signing and wget

To: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] Xen signing and wget
From: Joanna Rutkowska <joanna@xxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 06 Jul 2010 17:12:08 +0200
While the Xen sources have recently become digitally signed by xen.org
(which is just great), there is still a problem that its various
Makefiles download (and subsequently build) various 3rd party software
via wget (e.g. ioemu, grub, tboot, etc). Unless I'm missing something,
the downloaded 3rd party software is never verified in any way.

From the security point of view, this is equivalent to saying that Xen
downloads random code from the web, and unconditionally executes it. So,
this not only allows for building potentially compromised Xen packages,
but is also a threat to the developer's machine, where the (untrusted)
Makefiles of the unverified 3rd party software are run.

Consequently, I have the following suggestions:

1) Push on the vendors of the 3rd party components you use in the build
to sign their software, and verify the signatures after download in your
Makefile.

2) Until the 3rd party vendors implement signing of their software, add
a hardcoded list of hashes for the specific versions of the software
you use in the build (e.g. md5sum and then use md5sum --check in
the Makefile for verification that what you downloaded is good).

joanna.
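
One way to implement suggestion 2 from the message above, as an added example that is not part of the original email or of Xen's build system. It uses sha256sum in place of the md5sum named in the message, since MD5 is no longer collision-resistant; the function names, manifest file name and component name are hypothetical.

```shell
#!/bin/sh
# Added example (not Xen's build code): fail-closed check of a downloaded
# archive against a pinned SHA-256 manifest, run before unpacking or building.

# verify_pinned MANIFEST FILE
# MANIFEST lines use the "HASH  FILENAME" layout that sha256sum -c reads.
# Returns 0 on match, 1 on mismatch or unreadable file, 2 if FILE has no pin.
verify_pinned() {
    manifest=$1
    file=$2
    name=$(basename "$file")
    # Look up the pinned digest by file name; an unlisted file is never accepted.
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "REFUSED: no pinned hash for $name" >&2
        return 2
    fi
    if ! printf '%s  %s\n' "$expected" "$file" | sha256sum -c >/dev/null 2>&1; then
        echo "REFUSED: hash mismatch for $name" >&2
        rm -f "$file"   # keep unverified code away from later make steps
        return 1
    fi
    echo "OK: $name matches pinned hash"
}

# fetch_verified MANIFEST URL DESTDIR: download, then verify before any use.
fetch_verified() {
    dest="$3/$(basename "$2")"
    wget -q -O "$dest" "$2" || { rm -f "$dest"; return 3; }
    verify_pinned "$1" "$dest"
}

# --- Constructed demo, runs offline: a 3-byte file stands in for a tarball.
demo_dir=$(mktemp -d)
# SHA-256 of the bytes "abc" (standard test vector); the name is hypothetical.
cat > "$demo_dir/pinned.sha256" <<'EOF'
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  component-1.0.tar.gz
EOF
printf 'abc' > "$demo_dir/component-1.0.tar.gz"
verify_pinned "$demo_dir/pinned.sha256" "$demo_dir/component-1.0.tar.gz"
rm -rf "$demo_dir"
```

The manifest has to ship inside the signed source tree so that the pinned hashes are covered by the same signature as the Makefiles that use them.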
