Remove $FreeBSD$: one-line .h pattern

Remove /^\s*\*+\s*\$FreeBSD\$.*$\n/

Add -S option to veriexec

During software installation, use veriexec -S to strictly
enforce certificate validity checks (notBefore, notAfter).

Otherwise ignore certificate validity period.
It is generally unacceptible for the Internet to stop working
just because someone did not upgrade their infrastructure for a decade.

Sponsored by: Juniper Networks, Inc.

Reviewed by: sebastien.bini_stormshield.eu
Differential Revision: https://reviews.freebsd.org/D35758

Update libsecureboot

Preparation for updating bearssl, pull in updates to libsecureboot.

o fix handling of some out-of-memory cases

o allow more control over reporting of Verified/Unverified files.
this helps boot time when console output is slow

o recheck verbose/debug level after reading any unverified file

o more debug support for vectx

o hash_string to support fake stat for tftp

o tests/tvo add -v to simply verify signatures

o vets.c allow for HAVE_BR_X509_TIME_CHECK which will greatly simplify
verification in loader

o report date when certificate fails validity period checks

Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.

Move ve_check_hash prototype to libsecureboot-priv.h

Reviewed by: stevek

Fix pkgfs stat so it satisfies libsecureboot

We need a valid st_dev, st_ino and st_mtime
to correctly track which files have been verified
and to update our notion of time.

ve_utc_set(): ignore utc if it would jump our current time
by more than VE_UTC_MAX_JUMP (20 years).

Allow testing of install command via userboot.
Need to fix its stat implementation too.

bhyveload also needs stat fixed - due to change to userboot.h

Call ve_error_get() from vectx_close() when hash is wrong.

Track the names of files we have hashed into pcr

For the purposes of measured boot, it is important
to be able to reproduce the hash reflected in
loader.ve.pcr
so loader.ve.hashed provides a list of names in the order they
were added.

Reviewed by: imp
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org//D24027

veloader use vectx API for kernel and modules

The vectx API, computes the hash for verifying a file as it is read.
This avoids the overhead of reading files twice - once to verify, then
again to load.

For doing an install via loader, avoiding the need to rewind
large files is critical.

This API is only used for modules, kernel and mdimage as these are the
biggest files read by the loader.
The reduction in boot time depends on how expensive the I/O is
on any given platform. On a fast VM we see 6% improvement.

For install via loader the first file to be verified is likely to be the
kernel, so some of the prep work (finding manifest etc) done by
verify_file() needs to be factored so it can be reused for
vectx_open().

For missing or unrecognized fingerprint entries, we fail
in vectx_open() unless verifying is disabled.

Otherwise fingerprint check happens in vectx_close() and
since this API is only used for files which must be verified
(VE_MUST) we panic if we get an incorrect hash.

Reviewed by: imp,tsoome
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org//D23827

libsecureboot: allow OpenPGP support to be dormant

Since we can now add OpenPGP trust anchors at runtime,
ensure the latent support is available.

Ensure we do not add duplicate keys to trust store.

Also allow reporting names of trust anchors added/revoked

We only do this for loader and only after initializing trust store.
Thus only changes to initial trust store will be logged.

Reviewed by: stevek
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D20700

libsecureboot: allow control of when pseudo pcr is updated

During boot we only want to measure things which *must*
be verified - this should provide more deterministic ordering.

Reviewed by: stevek
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D20297

Allow no_hash to appear in manifest.

sbin/veriexec will ignore entries that have no hash anyway,
but loader needs to be explicitly told that such files are
ok to ignore (not verify).

We will report as Unverified depending on verbose level,
but with no reason - because we are not rejecting the file.

Reviewed by: imp, mindal_semihalf
Sponsored by: Juniper Networks
MFC After: 1 week
Differential Revision: https://reviews.freebsd.org//D20018

Add libsecureboot

Used by loader and veriexec
Depends on libbearssl

Reviewed by: emaste
Sponsored by: Juniper Networks
Differential Revision: D16335