Add license Kconfig for 3rd party binary blobs?
I noticed that we are downloading a 3rd party precompiled library, libphy62xxble.a from www.phyplusinc.com. (One of the Linux build tests on PR-6266 failed because curl failed to download it.) This download is done in arch/arm/src/phy62xx/Make.defs: if [ ! -f libphy62xxble.a ]; then \ echo "download lib form server"; \ curl -L -o libphy62xxble.a http://www.phyplusinc.com/phyplus/libphy62xxble.a; \ cp -a libphy62xxble.a ../../../staging; \ else \ echo "file exist"; \ fi \ Should we add a new item to Kconfig -> License Setup? For example: [ ] Use components that include 3rd party binary objects Cheers, Nathan
Re: Add license Kconfig for 3rd party binary blobs?
On Sun, May 15, 2022 at 4:23 PM Nathan Hartman wrote: > I noticed that we are downloading a 3rd party precompiled library, > libphy62xxble.a from www.phyplusinc.com. (One of the Linux build tests > on PR-6266 failed because curl failed to download it.) > > This download is done in arch/arm/src/phy62xx/Make.defs: > > if [ ! -f libphy62xxble.a ]; then \ > echo "download lib form server"; \ > curl -L -o libphy62xxble.a http://www.phyplusinc.com/phyplus/libphy62xxble.a; > \ > cp -a libphy62xxble.a ../../../staging; \ > else \ > echo "file exist"; \ > fi \ > > Should we add a new item to Kconfig -> License Setup? > For example: > [ ] Use components that include 3rd party binary objects This is a good catch! No Open-Source project should silently include external closed-source binary blobs from internet. Not to mention insecure HTTP and no signature / certificate / checksum residing in the project for download verification. This is a serious security issue. In perfect world this "allow 3rd party binaries" would also block downloading and linking such objects when disabled :-) -- CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
Re: Add license Kconfig for 3rd party binary blobs?
On Sun, May 15, 2022 at 10:51 AM Tomek CEDRO wrote: > > On Sun, May 15, 2022 at 4:23 PM Nathan Hartman wrote: > > I noticed that we are downloading a 3rd party precompiled library, > > libphy62xxble.a from www.phyplusinc.com. (One of the Linux build tests > > on PR-6266 failed because curl failed to download it.) > > > > This download is done in arch/arm/src/phy62xx/Make.defs: > > > > if [ ! -f libphy62xxble.a ]; then \ > > echo "download lib form server"; \ > > curl -L -o libphy62xxble.a > > http://www.phyplusinc.com/phyplus/libphy62xxble.a; \ > > cp -a libphy62xxble.a ../../../staging; \ > > else \ > > echo "file exist"; \ > > fi \ > > > > Should we add a new item to Kconfig -> License Setup? > > For example: > > [ ] Use components that include 3rd party binary objects > > This is a good catch! No Open-Source project should silently include > external closed-source binary blobs from internet. Yes, this is what I'm getting at. If we allow this at all, it should definitely be gated behind a "Licensing" Kconfig that is OFF by default. More below: > Not to mention insecure HTTP and no signature / certificate / checksum > residing in the project for download verification. This is a serious > security issue. If we allow this at all, there should be at least a basic mitigation: (1) The SHA-512 of the known-legitimate file should be written in arch/arm/src/phy62xx/Make.defs. (2) When the file is downloaded, it is initially saved to an alternate name, e.g., libphy62xxble.a.downloaded. (3) The downloaded file's SHA-512 is computed and compared to the known-legitimate SHA-512. If there is a discrepancy then the build is aborted and the user is left to check what happened. If the file SHA-512 is verified then the file is renamed to its correct name. Nathan
Re: Add license Kconfig for 3rd party binary blobs?
On Sun, May 15, 2022 at 10:35 PM Nathan Hartman wrote: > On Sun, May 15, 2022 at 10:51 AM Tomek CEDRO wrote: > > On Sun, May 15, 2022 at 4:23 PM Nathan Hartman wrote: > > > I noticed that we are downloading a 3rd party precompiled library, > > > libphy62xxble.a from www.phyplusinc.com. (One of the Linux build tests > > > on PR-6266 failed because curl failed to download it.) > > > > > > This download is done in arch/arm/src/phy62xx/Make.defs: > > > > > > if [ ! -f libphy62xxble.a ]; then \ > > > echo "download lib form server"; \ > > > curl -L -o libphy62xxble.a > > > http://www.phyplusinc.com/phyplus/libphy62xxble.a; \ > > > cp -a libphy62xxble.a ../../../staging; \ > > > else \ > > > echo "file exist"; \ > > > fi \ > > > > > > Should we add a new item to Kconfig -> License Setup? > > > For example: > > > [ ] Use components that include 3rd party binary objects > > > > This is a good catch! No Open-Source project should silently include > > external closed-source binary blobs from internet. > > > Yes, this is what I'm getting at. > > If we allow this at all, it should definitely be gated behind a > "Licensing" Kconfig that is OFF by default. > > More below: > > > Not to mention insecure HTTP and no signature / certificate / checksum > > residing in the project for download verification. This is a serious > > security issue. > > If we allow this at all, there should be at least a basic mitigation: > (1) The SHA-512 of the known-legitimate file should be written in > arch/arm/src/phy62xx/Make.defs. (2) When the file is downloaded, it is > initially saved to an alternate name, e.g., > libphy62xxble.a.downloaded. (3) The downloaded file's SHA-512 is > computed and compared to the known-legitimate SHA-512. If there is a > discrepancy then the build is aborted and the user is left to check > what happened. If the file SHA-512 is verified then the file is > renamed to its correct name. > > Nathan Exactly :-) `sha512 -c sum filename` works on BSD like a charm and status can be checked with `echo $?` :-) Also `curl --hostpubsha256` can be used here to verify the server public certificate :-) --hostpubsha256 (SFTP SCP) Pass a string containing a Base64-encoded SHA256 hash of the remote host's public key. Curl will refuse the connection with the host unless the hashes match. Example: curl --hostpubsha256 NDVkMTQxMGQ1ODdmMjQ3MjczYjAyOTY5MmRkMjVmNDQ= sftp://example.com/ See also --hostpubmd5. Added in 7.80.0. -- CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
