[BUG] buildman does not check signature of toolchain

Simon Glass sjg at chromium.org
Mon Nov 1 00:46:48 CET 2021


Hi Heinrich,

On Wed, 27 Oct 2021 at 08:23, Heinrich Schuchardt
<heinrich.schuchardt at canonical.com> wrote:
>
> On 10/27/21 16:05, Simon Glass wrote:
> > Hi Heinrich,
> >
> > On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt
> > <heinrich.schuchardt at canonical.com> wrote:
> >>
> >> Downloading binaries and executing without checking the authenticity is
> >> at least unwise.
> >>
> >> When binman downloads GCC it should also download and verify the GPG
> >> signatures.
> >>
> >> Additionally binman could hold a list of the SHA256 hashes of all
> >> binaries in question for a further check.
> >
> > Buildman? Yes that sounds like a nice feature. Did you hit a problem,
> > or just come up with this idea? You could try the new issue tracker!
>
> tools/buildman/toolchain.py
>
> I have seen this script downloading binaries and executing them on my
> machine without verification. This makes me feel insecure.

This should only happen with --fetch-arch but if you see it happening
without that, there is some kind of bug.

>
> test/run invokes buildman.
>
> The same is true for tools/docker/Dockerfile. As Docker does not use its
> own kernel you should avoid running untrusted binaries in a container.

OK I will leave this as an exercise for the reader.

Regards,
Simon
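
Added example, not part of the original thread and not buildman's own code: a sketch of the pinned-SHA256 check proposed above, run on a downloaded archive before anything is unpacked or executed. The file name, sample bytes and function names are constructed for illustration, and the GPG signature check also proposed in the thread is not covered.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample: a stand-in for a downloaded toolchain tarball.
SAMPLE_NAME = "example-toolchain.tar.xz"  # hypothetical file name
SAMPLE_BYTES = b"constructed stand-in for a toolchain archive\n"
# Pinned digests keyed by archive name; a real list would be committed to the
# source tree and reviewed like code, not computed from the download itself.
PINNED_SHA256 = {SAMPLE_NAME: hashlib.sha256(SAMPLE_BYTES).hexdigest()}

class VerificationError(Exception):
    """Raised when an archive must not be unpacked or executed."""

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fd:
        for chunk in iter(lambda: fd.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_archive(path, pinned=PINNED_SHA256):
    """Return the digest if path matches its pinned hash, else raise."""
    name = os.path.basename(path)
    expected = pinned.get(name)
    if expected is None:
        # Fail closed: an archive without a pinned hash is never trusted.
        raise VerificationError(f"no pinned SHA256 for {name}")
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected.lower()):
        raise VerificationError(f"SHA256 mismatch for {name}")
    return actual

def demo():
    """Check an intact and a tampered copy; return (intact_ok, tampered_ok)."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, SAMPLE_NAME)
        for payload in (SAMPLE_BYTES, SAMPLE_BYTES + b"extra"):
            with open(path, "wb") as fd:
                fd.write(payload)
            try:
                verify_archive(path)
                results.append(True)
            except VerificationError:
                results.append(False)
    return tuple(results)
```

A hash list only helps if it reaches the user over a channel the download server does not control, which is why the thread pairs it with signature verification.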

