* [BUG] binman does not check signature of toolchain
@ 2021-10-26 19:42 Heinrich Schuchardt
  2021-10-27 14:05 ` Simon Glass
  0 siblings, 1 reply; 4+ messages in thread
From: Heinrich Schuchardt @ 2021-10-26 19:42 UTC
  To: Simon Glass; +Cc: U-Boot Mailing List

Downloading binaries and executing without checking the authenticity is 
at least unwise.

When binman downloads GCC it should also download and verify the GPG 
signatures.

Additionally binman could hold a list of the SHA256 hashes of all 
binaries in question for a further check.

Best regards

Heinrich
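
[Added example, not part of the original message and not buildman's own code: one way to do the pinned-SHA256 check proposed above before a downloaded archive is unpacked or run. It assumes the hash list is shipped with the tool in `sha256sum` output format; the file name, payload and all function names are constructed for illustration.]

```python
import hashlib
import re
import tempfile
from pathlib import Path

MANIFEST_LINE = re.compile(r'([0-9a-f]{64}) [ *](.+)')  # sha256sum output format

class VerificationError(Exception):
    """The download must not be unpacked or executed."""

def parse_manifest(text):
    """Map file name -> pinned digest; reject any line that does not parse."""
    pins = {}
    for line in text.splitlines():
        match = MANIFEST_LINE.fullmatch(line)
        if not match:
            raise VerificationError('malformed manifest line: %r' % line)
        pins[match.group(2)] = match.group(1)
    return pins

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large archive is never held in memory."""
    digest = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(chunk_size), b''):
            digest.update(chunk)
    return digest.hexdigest()

def verify_download(path, pins):
    """Return the digest if it matches its pin; otherwise raise (fail closed)."""
    name = Path(path).name
    if name not in pins:
        raise VerificationError('no pinned hash for %s' % name)
    if sha256_file(path) != pins[name]:
        raise VerificationError('SHA256 mismatch for %s' % name)
    return pins[name]

def demo():
    """Constructed sample: pin a file, verify it, then modify it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp, 'example-toolchain.tar.xz')  # hypothetical name
        path.write_bytes(b'constructed sample payload\n')
        pins = parse_manifest('%s  %s\n' % (sha256_file(path), path.name))
        verify_download(path, pins)  # unmodified file passes
        path.write_bytes(b'modified after pinning\n')
        try:
            verify_download(path, pins)
        except VerificationError as err:
            return str(err)
        return 'accepted'
```

[A pinned hash only shows that the file is the one that was pinned, so the list itself has to come from a trusted place such as the source tree. The GPG signature check proposed in the message would run alongside it.]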


* Re: [BUG] binman does not check signature of toolchain
  2021-10-26 19:42 [BUG] binman does not check signature of toolchain Heinrich Schuchardt
@ 2021-10-27 14:05 ` Simon Glass
  2021-10-27 14:22   ` [BUG] buildman " Heinrich Schuchardt
  0 siblings, 1 reply; 4+ messages in thread
From: Simon Glass @ 2021-10-27 14:05 UTC
  To: Heinrich Schuchardt; +Cc: U-Boot Mailing List

Hi Heinrich,

On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt
<heinrich.schuchardt@canonical.com> wrote:
>
> Downloading binaries and executing without checking the authenticity is
> at least unwise.
>
> When binman downloads GCC it should also download and verify the GPG
> signatures.
>
> Additionally binman could hold a list of the SHA256 hashes of all
> binaries in question for a further check.

Buildman? Yes that sounds like a nice feature. Did you hit a problem,
or just come up with this idea? You could try the new issue tracker!

Regards,
Simon


* Re: [BUG] buildman does not check signature of toolchain
  2021-10-27 14:05 ` Simon Glass
@ 2021-10-27 14:22   ` Heinrich Schuchardt
  2021-10-31 23:46     ` Simon Glass
  0 siblings, 1 reply; 4+ messages in thread
From: Heinrich Schuchardt @ 2021-10-27 14:22 UTC
  To: Simon Glass; +Cc: U-Boot Mailing List

On 10/27/21 16:05, Simon Glass wrote:
> Hi Heinrich,
> 
> On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt
> <heinrich.schuchardt@canonical.com> wrote:
>>
>> Downloading binaries and executing without checking the authenticity is
>> at least unwise.
>>
>> When binman downloads GCC it should also download and verify the GPG
>> signatures.
>>
>> Additionally binman could hold a list of the SHA256 hashes of all
>> binaries in question for a further check.
> 
> Buildman? Yes that sounds like a nice feature. Did you hit a problem,
> or just come up with this idea? You could try the new issue tracker!

tools/buildman/toolchain.py

I have seen this script downloading binaries and executing them on my 
machine without verification. This makes me feel insecure.

test/run invokes buildman.

The same is true for tools/docker/Dockerfile. As Docker does not use its 
own kernel you should avoid running untrusted binaries in a container.

Best regards

Heinrich



* Re: [BUG] buildman does not check signature of toolchain
  2021-10-27 14:22   ` [BUG] buildman " Heinrich Schuchardt
@ 2021-10-31 23:46     ` Simon Glass
  0 siblings, 0 replies; 4+ messages in thread
From: Simon Glass @ 2021-10-31 23:46 UTC
  To: Heinrich Schuchardt; +Cc: U-Boot Mailing List

Hi Heinrich,

On Wed, 27 Oct 2021 at 08:23, Heinrich Schuchardt
<heinrich.schuchardt@canonical.com> wrote:
>
> On 10/27/21 16:05, Simon Glass wrote:
> > Hi Heinrich,
> >
> > On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt
> > <heinrich.schuchardt@canonical.com> wrote:
> >>
> >> Downloading binaries and executing without checking the authenticity is
> >> at least unwise.
> >>
> >> When binman downloads GCC it should also download and verify the GPG
> >> signatures.
> >>
> >> Additionally binman could hold a list of the SHA256 hashes of all
> >> binaries in question for a further check.
> >
> > Buildman? Yes that sounds like a nice feature. Did you hit a problem,
> > or just come up with this idea? You could try the new issue tracker!
>
> tools/buildman/toolchain.py
>
> I have seen this script downloading binaries and executing them on my
> machine without verification. This makes me feel insecure.

This should only happen with --fetch-arch but if you see it happening
without that, there is some kind of bug.

>
> test/run invokes buildman.
>
> The same is true for tools/docker/Dockerfile. As Docker does not use its
> own kernel you should avoid running untrusted binaries in a container.

OK I will leave this as an exercise for the reader.

Regards,
Simon
