| #
f616d61a |
|
12-Feb-2024 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot do not report expected unverified files
By default only report unverified files at severity VE_WANT
and above. This inlcudes *.conf but not *.hints, *.cookie
or *.tgz which get VE_TRY as their severity.
If Verbose is set to 0, then VerifyFlags should default to 0 too.
Thus the combination of
module_verbose=0
VE_VEBOSE=0
is sufficient to make the loader almost totally silent.
When verify_prep has to find_manifest and it is verified ok
return VE_NOT_CHECKED to verify_file so that it can skip
repeating verify_fd
Also add better debugging output for is_verified and add_verify_status.
vectx handle compressed modules
When verifying a compressed module (.ko.gz or .ko.bz2)
stat() reports the size as -1 (unknown).
vectx_lseek needs to spot this during closing - and just read until
EOF is hit.
Note: because of the way libsa's open() works, verify_prep will see
the path to be verified as module.ko not module.ko.bz2 etc. This is
actually ok, because we need a separate module.ko.bz2 entry so that
the package can be verified, and the hash for module.ko is of the
uncompressed file which is what vectx will see.
Re-work local.trust.mk so site.trust.mk need only set
VE_SIGN_URL_LIST (if using the mentioned signing server)
interp.c: restrict interactive input
Apply the same restrictions to interactive input as for
unverified conf and hints files.
Use version.veriexec when LOADER_VERIEXEC is yes
Reviewed by: kevans
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D43810
|
| #
d0b2dbfa |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
| #
75e02c45 |
|
23-May-2023 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot ensure correct BUILD_UTC
If using stat(1) on BUILD_UTC_FILE we should use -L incase
it is a symlink.
If we have new enough bmake though we can just use ${BUILD_UTC_FILE:mtime}
|
| #
cc9e6590 |
|
18-Apr-2022 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Merge bearssl-20220418
Main change is a callback for checking validity period of certificates.
Merge commit 'f6acb9b9f81c96ae7c9592bee1bb89c4357cc3e5'
Add -DHAVE_BR_X509_TIME_CHECK to libsecureboot/Makefile.inc
|
| #
9bee6a60 |
|
09-May-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot: make it easier to customize trust anchors
Avoid making hash self-tests depend on X.509 certs.
Include OpenPGP keys in trust store count.
Reviewed by: stevek
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D20208 |
| #
13ea0450 |
|
05-Mar-2019 |
Marcin Wojtas <mw@FreeBSD.org> |
Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation
UEFI related headers were copied from edk2.
A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow
loading of trusted anchors from UEFI.
Certificate revocation support is also introduced.
The forbidden certificates are loaded from dbx variable.
Verification fails in two cases:
There is a direct match between cert in dbx and the one in the chain.
The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx.
In this case verifications fails only if a direct match with a
certificate in chain is found.
Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19093 |
| #
02a4bc58 |
|
04-Mar-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Allow for reproducible build
Use SOURCE_DATE_EPOCH for BUILD_UTC if MK_REPRODUCIBLE_BUILD is yes.
Default SOURCE_DATE_EPOCH to 2019-01-01
Reviewed by: emaste
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D19464 |
| #
5fff9558 |
|
25-Feb-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add libsecureboot
Used by loader and veriexec
Depends on libbearssl
Reviewed by: emaste
Sponsored by: Juniper Networks
Differential Revision: D16335 |
| #
9bee6a60 |
|
09-May-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot: make it easier to customize trust anchors
Avoid making hash self-tests depend on X.509 certs.
Include OpenPGP keys in trust store count.
Reviewed by: stevek
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D20208
|
| #
13ea0450 |
|
05-Mar-2019 |
Marcin Wojtas <mw@FreeBSD.org> |
Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation
UEFI related headers were copied from edk2.
A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow
loading of trusted anchors from UEFI.
Certificate revocation support is also introduced.
The forbidden certificates are loaded from dbx variable.
Verification fails in two cases:
There is a direct match between cert in dbx and the one in the chain.
The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx.
In this case verifications fails only if a direct match with a
certificate in chain is found.
Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19093
|
| #
02a4bc58 |
|
04-Mar-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Allow for reproducible build
Use SOURCE_DATE_EPOCH for BUILD_UTC if MK_REPRODUCIBLE_BUILD is yes.
Default SOURCE_DATE_EPOCH to 2019-01-01
Reviewed by: emaste
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D19464
|
| #
5fff9558 |
|
25-Feb-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add libsecureboot
Used by loader and veriexec
Depends on libbearssl
Reviewed by: emaste
Sponsored by: Juniper Networks
Differential Revision: D16335
|