Trust system write-up
Simon J. Gerraty
sjg at juniper.net
Mon Oct 23 16:44:44 UTC 2017
Eric McCorkle <eric at metricspace.net> wrote:
> That is also an option; however, I prefer the configuration where only
> the local system key is a root and everything else is an intermediate,
> as each root key represents a source of trust that is hard to revoke
> (you have to power-cycle). It's almost always better to have a single
> root, and make everything else an intermediate, though I'm not sure
> enough of that to bake it into the specification.
While we as an embedded vendor might not necessarily want to support any
local signing ability - or to be able to limit the scope of any such
ability, there should be no reason you cannot allow a FreeBSD.org root
cert to be honored in parallel with a local root. This should allow
updating the system with both locally built s/w and pre-built packages from
FreeBSD.
FWIW when designing the trust model for Junos, preventing any local
control of the trust store was an explicit goal.
With the advent of secure boot and TPMs, there is potentially scope to
allow for mixed control.
Please have a look at stevek's mac_veriexec patches in phabricator.
The verified exec model easily allows for "signing" any sort of file,
not just ELF binaries or needing to use special "attached" signature
formats. Thus it allows adding "signing" with minimal impact to most of
the system. This could probably work well in conjunction with your
trust database.
And of course my loader mods follow the same model, so signing
loader.conf, modules, etc. is all simple with minimal impact to the loader
itself.
--sjg