NetBSD Problem Report #57629
From www@netbsd.org Mon Sep 25 20:34:59 2023
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 16E4A1A9238
for <gnats-bugs@gnats.NetBSD.org>; Mon, 25 Sep 2023 20:34:59 +0000 (UTC)
Message-Id: <20230925203457.772651A9239@mollari.NetBSD.org>
Date: Mon, 25 Sep 2023 20:34:57 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: mkimage images don't have trust anchors configured (armv7.img, arm64.img, ...)
X-Send-Pr-Version: www-1.0
>Number: 57629
>Category: install
>Synopsis: mkimage images don't have trust anchors configured (armv7.img, arm64.img, ...)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: install-manager
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Sep 25 20:35:01 +0000 2023
>Closed-Date: Mon Oct 02 15:14:49 +0000 2023
>Last-Modified: Mon Oct 02 15:14:49 +0000 2023
>Originator: Taylor R Campbell
>Release: current, netbsd-10
>Organization:
The NetBSD Foundification Nonauthority
>Environment:
>Description:
Nothing in the mkimage process -- either image creation or initial boot -- causes postinstall or certctl to generate the hashed directory of certificates.
>How-To-Repeat:
code inspection
>Fix:
Yes, please!
1. Can't do certctl rehash at build time because we don't have openssl as a tool.
2. Would strongly prefer not to do certctl rehash unconditionally at boot time because I don't want to create new reasons to require /etc to be writable during normal boot.
3. Everyone would probably prefer not to do `postinstall check' unconditionally at boot time (as a way to test whether we need to do `postinstall fix' or `certctl rehash') because it's fairly expensive -- it rehashes into a temporary directory to see whether anything changed, which is somewhat computationally expensive.
4. For reliability, I would like to avoid writing logic for a `certctl check' or something (other than what `postinstall check' already does) because there's a lot of edge cases to get right and I'd really rather defer that to mtree(8) like `postinstall check' does.
>Release-Note:
>Audit-Trail:
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57629 CVS commit: src
Date: Wed, 27 Sep 2023 00:24:13 +0000
Module Name: src
Committed By: riastradh
Date: Wed Sep 27 00:24:13 UTC 2023
Modified Files:
src/distrib/amd64/liveimage/emuimage: rc.conf.emuimage
src/distrib/evbarm/liveimage/armimage: rc.conf.armimage
src/distrib/sets/lists/etc: mi
src/distrib/utils/embedded/conf: evbarm.conf evbmips.conf riscv.conf
usermode.conf x86.conf
src/etc/rc.d: Makefile
Added Files:
src/etc/rc.d: certctl_init
Log Message:
/etc/rc.d/cerctl_init: New script for certctl rehash in live images.
This is very limited -- it does not supplant postinstall to rehash
certificates on upgrade; it only runs certctl rehash if
/etc/openssl/certs is an empty directory, as you get in live images
not created with sysinst.
We could also have a more general-purpose way to run postinstall(8)
on first boot of an image, but that has a lot more moving parts to
think about, so let's start with this limited-scope low-risk
approach.
PR install/57629
XXX pullup-10
To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 \
src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage
cvs rdiff -u -r1.1 -r1.2 \
src/distrib/evbarm/liveimage/armimage/rc.conf.armimage
cvs rdiff -u -r1.272 -r1.273 src/distrib/sets/lists/etc/mi
cvs rdiff -u -r1.41 -r1.42 src/distrib/utils/embedded/conf/evbarm.conf
cvs rdiff -u -r1.3 -r1.4 src/distrib/utils/embedded/conf/evbmips.conf
cvs rdiff -u -r1.1 -r1.2 src/distrib/utils/embedded/conf/riscv.conf
cvs rdiff -u -r1.6 -r1.7 src/distrib/utils/embedded/conf/usermode.conf
cvs rdiff -u -r1.10 -r1.11 src/distrib/utils/embedded/conf/x86.conf
cvs rdiff -u -r1.117 -r1.118 src/etc/rc.d/Makefile
cvs rdiff -u -r0 -r1.1 src/etc/rc.d/certctl_init
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57629 CVS commit: src/etc/defaults
Date: Wed, 27 Sep 2023 01:27:32 +0000
Module Name: src
Committed By: riastradh
Date: Wed Sep 27 01:27:32 UTC 2023
Modified Files:
src/etc/defaults: rc.conf
Log Message:
/etc/rc.d/certctl_init: Default off.
Otherwise in systems without certctl_init=YES, such as systems
installed with sysinst(8) where it's unnecessary because the rehash
has already happened at install time, you'll get spurious warnings.
PR install/57629
XXX pullup-10
To generate a diff of this commit:
cvs rdiff -u -r1.165 -r1.166 src/etc/defaults/rc.conf
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Fri, 29 Sep 2023 08:49:35 +0000
State-Changed-Why:
fix committed, needs pullup-10
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57629 CVS commit: [netbsd-10] src
Date: Mon, 2 Oct 2023 13:26:05 +0000
Module Name: src
Committed By: martin
Date: Mon Oct 2 13:26:04 UTC 2023
Modified Files:
src/distrib/amd64/liveimage/emuimage [netbsd-10]: rc.conf.emuimage
src/distrib/evbarm/liveimage/armimage [netbsd-10]: rc.conf.armimage
src/distrib/sets/lists/etc [netbsd-10]: mi
src/distrib/utils/embedded/conf [netbsd-10]: evbarm.conf evbmips.conf
usermode.conf x86.conf
src/etc/defaults [netbsd-10]: rc.conf
src/etc/rc.d [netbsd-10]: Makefile
Added Files:
src/etc/rc.d [netbsd-10]: certctl_init
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #381):
distrib/utils/embedded/conf/evbarm.conf: revision 1.42
distrib/sets/lists/etc/mi: revision 1.273
etc/rc.d/Makefile: revision 1.118
distrib/utils/embedded/conf/usermode.conf: revision 1.7
etc/rc.d/certctl_init: revision 1.1
distrib/evbarm/liveimage/armimage/rc.conf.armimage: revision 1.2
etc/defaults/rc.conf: revision 1.166
distrib/amd64/liveimage/emuimage/rc.conf.emuimage: revision 1.3
distrib/utils/embedded/conf/x86.conf: revision 1.11
distrib/utils/embedded/conf/evbmips.conf: revision 1.4
/etc/rc.d/cerctl_init: New script for certctl rehash in live images.
This is very limited -- it does not supplant postinstall to rehash
certificates on upgrade; it only runs certctl rehash if
/etc/openssl/certs is an empty directory, as you get in live images
not created with sysinst.
We could also have a more general-purpose way to run postinstall(8)
on first boot of an image, but that has a lot more moving parts to
think about, so let's start with this limited-scope low-risk
approach.
PR install/57629
/etc/rc.d/certctl_init: Default off.
Otherwise in systems without certctl_init=YES, such as systems
installed with sysinst(8) where it's unnecessary because the rehash
has already happened at install time, you'll get spurious warnings.
To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.2.2.1 \
src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage
cvs rdiff -u -r1.1 -r1.1.2.1 \
src/distrib/evbarm/liveimage/armimage/rc.conf.armimage
cvs rdiff -u -r1.270.2.1 -r1.270.2.2 src/distrib/sets/lists/etc/mi
cvs rdiff -u -r1.41 -r1.41.2.1 src/distrib/utils/embedded/conf/evbarm.conf
cvs rdiff -u -r1.3 -r1.3.2.1 src/distrib/utils/embedded/conf/evbmips.conf
cvs rdiff -u -r1.6 -r1.6.2.1 src/distrib/utils/embedded/conf/usermode.conf
cvs rdiff -u -r1.10 -r1.10.2.1 src/distrib/utils/embedded/conf/x86.conf
cvs rdiff -u -r1.162.2.1 -r1.162.2.2 src/etc/defaults/rc.conf
cvs rdiff -u -r1.116 -r1.116.2.1 src/etc/rc.d/Makefile
cvs rdiff -u -r0 -r1.1.2.2 src/etc/rc.d/certctl_init
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: needs-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 02 Oct 2023 15:14:49 +0000
State-Changed-Why:
fixed
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2023
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.