Posted to dev@nuttx.apache.org by Nathan Hartman <ha...@gmail.com> on 2022/05/15 14:23:40 UTC

Add license Kconfig for 3rd party binary blobs?

I noticed that we are downloading a 3rd party precompiled library,
libphy62xxble.a from www.phyplusinc.com. (One of the Linux build tests
on PR-6266 failed because curl failed to download it.)

This download is done in arch/arm/src/phy62xx/Make.defs:

if [ ! -f libphy62xxble.a ]; then \
echo "############download lib form server############"; \
curl -L -o libphy62xxble.a http://www.phyplusinc.com/phyplus/libphy62xxble.a; \
cp -a libphy62xxble.a ../../../staging; \
else \
echo "############file exist############"; \
fi \

Should we add a new item to Kconfig -> License Setup?

For example:

[ ] Use components that include 3rd party binary objects

Cheers,
Nathan

RE: Add license Kconfig for 3rd party binary blobs?

Posted by "Alin.Jerpelea@sony.com" <Al...@sony.com>.
Hi all,

Thanks for finding and reporting the issue 
I will add a license guard and scout for all other binary files ASAP

Best regards
Alin


-----Original Message-----
From: Tomek CEDRO <to...@cedro.info> 
Sent: den 15 maj 2022 23:40
To: dev@nuttx.apache.org
Subject: Re: Add license Kconfig for 3rd party binary blobs?

On Sun, May 15, 2022 at 10:35 PM Nathan Hartman  wrote:
> On Sun, May 15, 2022 at 10:51 AM Tomek CEDRO wrote:
> > On Sun, May 15, 2022 at 4:23 PM Nathan Hartman wrote:
> > > I noticed that we are downloading a 3rd party precompiled library,
> > > libphy62xxble.a from www.phyplusinc.com. (One of the Linux build tests
> > > on PR-6266 failed because curl failed to download it.)
> > >
> > > This download is done in arch/arm/src/phy62xx/Make.defs:
> > >
> > > if [ ! -f libphy62xxble.a ]; then \
> > > echo "############download lib form server############"; \
> > > curl -L -o libphy62xxble.a http://www.phyplusinc.com/phyplus/libphy62xxble.a; \
> > > cp -a libphy62xxble.a ../../../staging; \
> > > else \
> > > echo "############file exist############"; \
> > > fi \
> > >
> > > Should we add a new item to Kconfig -> License Setup?
> > > For example:
> > > [ ] Use components that include 3rd party binary objects
> >
> > This is a good catch! No Open-Source project should silently include 
> > external closed-source binary blobs from internet.
>
>
> Yes, this is what I'm getting at.
>
> If we allow this at all, it should definitely be gated behind a 
> "Licensing" Kconfig that is OFF by default.
>
> More below:
>
> > Not to mention insecure HTTP and no signature / certificate / 
> > checksum residing in the project for download verification. This is 
> > a serious security issue.
>
> If we allow this at all, there should be at least a basic mitigation:
> (1) The SHA-512 of the known-legitimate file should be written in 
> arch/arm/src/phy62xx/Make.defs. (2) When the file is downloaded, it is 
> initially saved to an alternate name, e.g., 
> libphy62xxble.a.downloaded. (3) The downloaded file's SHA-512 is 
> computed and compared to the known-legitimate SHA-512. If there is a 
> discrepancy then the build is aborted and the user is left to check 
> what happened. If the file SHA-512 is verified then the file is 
> renamed to its correct name.
>
> Nathan

Exactly :-)

`sha512 -c sum filename` works on BSD like a charm and status can be checked with `echo $?` :-)

Also `curl --hostpubsha256` can be used here to verify the server public certificate :-)

       --hostpubsha256 <sha256>
              (SFTP SCP) Pass a string containing a Base64-encoded SHA256 hash
              of the remote host's public key. Curl will refuse the connection
              with the host unless the hashes match.

              Example:
               curl --hostpubsha256
NDVkMTQxMGQ1ODdmMjQ3MjczYjAyOTY5MmRkMjVmNDQ= sftp://example.com/

              See also --hostpubmd5. Added in 7.80.0.


--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info

Re: Add license Kconfig for 3rd party binary blobs?

Posted by Tomek CEDRO <to...@cedro.info>.
On Sun, May 15, 2022 at 10:35 PM Nathan Hartman  wrote:
> On Sun, May 15, 2022 at 10:51 AM Tomek CEDRO wrote:
> > On Sun, May 15, 2022 at 4:23 PM Nathan Hartman wrote:
> > > I noticed that we are downloading a 3rd party precompiled library,
> > > libphy62xxble.a from www.phyplusinc.com. (One of the Linux build tests
> > > on PR-6266 failed because curl failed to download it.)
> > >
> > > This download is done in arch/arm/src/phy62xx/Make.defs:
> > >
> > > if [ ! -f libphy62xxble.a ]; then \
> > > echo "############download lib form server############"; \
> > > curl -L -o libphy62xxble.a http://www.phyplusinc.com/phyplus/libphy62xxble.a; \
> > > cp -a libphy62xxble.a ../../../staging; \
> > > else \
> > > echo "############file exist############"; \
> > > fi \
> > >
> > > Should we add a new item to Kconfig -> License Setup?
> > > For example:
> > > [ ] Use components that include 3rd party binary objects
> >
> > This is a good catch! No Open-Source project should silently include
> > external closed-source binary blobs from internet.
>
>
> Yes, this is what I'm getting at.
>
> If we allow this at all, it should definitely be gated behind a
> "Licensing" Kconfig that is OFF by default.
>
> More below:
>
> > Not to mention insecure HTTP and no signature / certificate / checksum
> > residing in the project for download verification. This is a serious
> > security issue.
>
> If we allow this at all, there should be at least a basic mitigation:
> (1) The SHA-512 of the known-legitimate file should be written in
> arch/arm/src/phy62xx/Make.defs. (2) When the file is downloaded, it is
> initially saved to an alternate name, e.g.,
> libphy62xxble.a.downloaded. (3) The downloaded file's SHA-512 is
> computed and compared to the known-legitimate SHA-512. If there is a
> discrepancy then the build is aborted and the user is left to check
> what happened. If the file SHA-512 is verified then the file is
> renamed to its correct name.
>
> Nathan

Exactly :-)

`sha512 -c sum filename` works on BSD like a charm and status can be
checked with `echo $?` :-)

Also `curl --hostpubsha256` can be used here to verify the server
public certificate :-)

       --hostpubsha256 <sha256>
              (SFTP SCP) Pass a string containing a Base64-encoded SHA256 hash
              of the remote host's public key. Curl will refuse the connection
              with the host unless the hashes match.

              Example:
               curl --hostpubsha256
NDVkMTQxMGQ1ODdmMjQ3MjczYjAyOTY5MmRkMjVmNDQ= sftp://example.com/

              See also --hostpubmd5. Added in 7.80.0.


-- 
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info

Re: Add license Kconfig for 3rd party binary blobs?

Posted by Nathan Hartman <ha...@gmail.com>.
On Sun, May 15, 2022 at 10:51 AM Tomek CEDRO <to...@cedro.info> wrote:
>
> On Sun, May 15, 2022 at 4:23 PM Nathan Hartman wrote:
> > I noticed that we are downloading a 3rd party precompiled library,
> > libphy62xxble.a from www.phyplusinc.com. (One of the Linux build tests
> > on PR-6266 failed because curl failed to download it.)
> >
> > This download is done in arch/arm/src/phy62xx/Make.defs:
> >
> > if [ ! -f libphy62xxble.a ]; then \
> > echo "############download lib form server############"; \
> > curl -L -o libphy62xxble.a http://www.phyplusinc.com/phyplus/libphy62xxble.a; \
> > cp -a libphy62xxble.a ../../../staging; \
> > else \
> > echo "############file exist############"; \
> > fi \
> >
> > Should we add a new item to Kconfig -> License Setup?
> > For example:
> > [ ] Use components that include 3rd party binary objects
>
> This is a good catch! No Open-Source project should silently include
> external closed-source binary blobs from internet.


Yes, this is what I'm getting at.

If we allow this at all, it should definitely be gated behind a
"Licensing" Kconfig that is OFF by default.

More below:

> Not to mention insecure HTTP and no signature / certificate / checksum
> residing in the project for download verification. This is a serious
> security issue.

If we allow this at all, there should be at least a basic mitigation:
(1) The SHA-512 of the known-legitimate file should be written in
arch/arm/src/phy62xx/Make.defs. (2) When the file is downloaded, it is
initially saved to an alternate name, e.g.,
libphy62xxble.a.downloaded. (3) The downloaded file's SHA-512 is
computed and compared to the known-legitimate SHA-512. If there is a
discrepancy then the build is aborted and the user is left to check
what happened. If the file SHA-512 is verified then the file is
renamed to its correct name.

Nathan

Re: Add license Kconfig for 3rd party binary blobs?

Posted by Tomek CEDRO <to...@cedro.info>.
On Sun, May 15, 2022 at 4:23 PM Nathan Hartman wrote:
> I noticed that we are downloading a 3rd party precompiled library,
> libphy62xxble.a from www.phyplusinc.com. (One of the Linux build tests
> on PR-6266 failed because curl failed to download it.)
>
> This download is done in arch/arm/src/phy62xx/Make.defs:
>
> if [ ! -f libphy62xxble.a ]; then \
> echo "############download lib form server############"; \
> curl -L -o libphy62xxble.a http://www.phyplusinc.com/phyplus/libphy62xxble.a; \
> cp -a libphy62xxble.a ../../../staging; \
> else \
> echo "############file exist############"; \
> fi \
>
> Should we add a new item to Kconfig -> License Setup?
> For example:
> [ ] Use components that include 3rd party binary objects

This is a good catch! No Open-Source project should silently include
external closed-source binary blobs from internet.

Not to mention insecure HTTP and no signature / certificate / checksum
residing in the project for download verification. This is a serious
security issue.

In perfect world this "allow 3rd party binaries" would also block
downloading and linking such objects when disabled :-)

-- 
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
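Putting Nathan's three steps (pinned SHA-512, download to an alternate name, verify then rename) and Tomek's "block the download when the option is off" idea into one script, as an added example that is not code from the NuttX tree or from anyone on this thread. CONFIG_ALLOW_BINARY_BLOBS is a hypothetical Kconfig symbol name chosen for illustration; the pinned digest is that of the constructed three-byte input "abc" used by the demo, and the stand-in fetch command just prints that input instead of running curl.

```shell
#!/bin/sh
# Added example, not from the NuttX tree or from this thread: a Kconfig-gated,
# hash-verified fetch of a third-party binary blob following Nathan's steps
# (1) pinned SHA-512, (2) save under an alternate name, (3) verify, then rename.
# Assumed names: CONFIG_ALLOW_BINARY_BLOBS is a hypothetical Kconfig symbol;
# BLOB_SHA512 below is the digest of the constructed input "abc" used in demo().

# Hex SHA-512 of a file, using whichever tool the host has (GNU coreutils
# sha512sum, otherwise the Perl shasum shipped with macOS/BSD).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Steps (2)+(3): compare the file saved under its alternate name against the
# pinned digest; rename to the real name only on a match.  On a mismatch the
# suspect file is kept as <target>.rejected for the user to examine and 1 is
# returned so the build aborts.
verify_and_install() {
    downloaded=$1; expected=$2; target=$3
    actual=$(sha512_of "$downloaded")
    if [ "$actual" != "$expected" ]; then
        echo "ERROR: SHA-512 mismatch for $target" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        mv "$downloaded" "$target.rejected"
        return 1
    fi
    mv "$downloaded" "$target"
}

# Gate + fetch.  fetch_cmd is a shell command that writes the blob to stdout
# (in Make.defs that would be "curl -L <url>"); the demo passes printf instead.
# Return codes: 0 ok, 1 digest mismatch, 2 option disabled, 3 download failed.
fetch_blob() {
    target=$1; expected=$2; fetch_cmd=$3
    if [ "${CONFIG_ALLOW_BINARY_BLOBS:-n}" != "y" ]; then
        echo "ERROR: $target is a third-party binary blob;" \
             "set CONFIG_ALLOW_BINARY_BLOBS=y to allow downloading it" >&2
        return 2
    fi
    if [ -f "$target" ]; then
        return 0
    fi
    if ! sh -c "$fetch_cmd" > "$target.downloaded"; then
        rm -f "$target.downloaded"
        return 3
    fi
    verify_and_install "$target.downloaded" "$expected" "$target"
}

# NIST test vector SHA-512("abc"); stands in for the pinned digest of the real blob.
BLOB_SHA512=ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f

# Demo: one good fetch and one tampered fetch, with printf standing in for the server.
demo() {
    dir=$(mktemp -d)
    CONFIG_ALLOW_BINARY_BLOBS=y fetch_blob "$dir/lib.a" "$BLOB_SHA512" "printf abc" \
        && echo "installed $dir/lib.a"
    CONFIG_ALLOW_BINARY_BLOBS=y fetch_blob "$dir/lib2.a" "$BLOB_SHA512" "printf abd" \
        || echo "rejected tampered download (rc=$?)"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run with `sh fetch_blob.sh --demo`. sha512_of covers the tool difference Tomek mentions: BSD ships `sha512 -c`, GNU coreutils `sha512sum`, macOS `shasum -a 512`, so the comparison is done on the hex string rather than with any one tool's -c mode. Two caveats: the pinned digest only helps if it was taken from a copy obtained over a trusted channel in the first place, and, per the man page excerpt above, --hostpubsha256 applies to SFTP/SCP host keys, so it does nothing for the http:// URL in Make.defs; for an https:// URL the corresponding curl option is --pinnedpubkey, and the file digest check is what protects the artifact itself either way.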