#
4b9d6057 |
|
04-Dec-2023 |
Stéphane Rochoy <stephane.rochoy@stormshield.eu> |
libsecureboot: be more verbose about validation failures

Reviewed by: imp, sjg
Pull Request: https://github.com/freebsd/freebsd-src/pull/916
|
#
1d386b48 |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
#
9c3478cb |
|
05-Jul-2023 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot: do not accept certificate we cannot decode

Although we care more about the CN of a certificate than its status (for purpose of reporting), we should skip if we have errors decoding.

Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
|
#
56f3f2d2 |
|
30-Jun-2023 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot: avoid set but not used errors

Reviewed by: stevek
|
#
cb25444c |
|
22-Mar-2021 |
Elyes HAOUAS <ehaouas@noos.fr> |
lib/libsecureboot: Fix some typos

Signed-off-by: Elyes HAOUAS <ehaouas@noos.fr>
Pull Request: https://github.com/freebsd/freebsd-src/pull/544
|
#
ab4f0a15 |
|
19-Jul-2022 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add -S option to veriexec

During software installation, use veriexec -S to strictly enforce certificate validity checks (notBefore, notAfter).

Otherwise ignore certificate validity period. It is generally unacceptable for the Internet to stop working just because someone did not upgrade their infrastructure for a decade.

Sponsored by: Juniper Networks, Inc.
Reviewed by: sebastien.bini_stormshield.eu
Differential Revision: https://reviews.freebsd.org/D35758
|
#
e6ef5042 |
|
29-Jun-2022 |
Wojciech Macek <wma@FreeBSD.org> |
libsecureboot: Do not propagate empty string

If Trust Anchors are provided by UEFI and not compiled into libsecureboot, a segmentation fault occurs due to empty or NULL string usage.

Obtained from: Semihalf
Reviewed by: sjg
Differential revision: https://reviews.freebsd.org/D35120
|
#
66655411 |
|
18-Apr-2022 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Update libsecureboot

Preparation for updating bearssl, pull in updates to libsecureboot.

o fix handling of some out-of-memory cases
o allow more control over reporting of Verified/Unverified files. this helps boot time when console output is slow
o recheck verbose/debug level after reading any unverified file
o more debug support for vectx
o hash_string to support fake stat for tftp
o tests/tvo add -v to simply verify signatures
o vets.c allow for HAVE_BR_X509_TIME_CHECK which will greatly simplify verification in loader
o report date when certificate fails validity period checks

Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
|
#
53f151f9 |
|
25-Mar-2020 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Fix pkgfs stat so it satisfies libsecureboot

We need a valid st_dev, st_ino and st_mtime to correctly track which files have been verified and to update our notion of time.

ve_utc_set(): ignore utc if it would jump our current time by more than VE_UTC_MAX_JUMP (20 years).

Allow testing of install command via userboot. Need to fix its stat implementation too.

bhyveload also needs stat fixed - due to change to userboot.h

Call ve_error_get() from vectx_close() when hash is wrong.

Track the names of files we have hashed into pcr

For the purposes of measured boot, it is important to be able to reproduce the hash reflected in loader.ve.pcr so loader.ve.hashed provides a list of names in the order they were added.

Reviewed by: imp
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org//D24027
|
#
0e47020f |
|
20-Dec-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Avoid unused vars when VE_ECDSA_HASH_AGAIN undefined

Reviewed by: emaste
MFC after: 1 week
|
#
18e2fbc0 |
|
24-Oct-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Initialize verbosity and debug level from env

For EFI at least, we can seed the environment with VE_VERBOSE etc.

Reviewed by: stevek imp
Sponsored by: Juniper Networks
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D22135
|
#
3ae2a848 |
|
11-Jul-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot: avoid recursion in ve_trust_init

set our guard value immediately. also replace call to ve_trust_init in opgp_sig.c:initialize with call to openpgp_trust_init.

Reported by: mindal@semihalf.com
Reviewed by: jhibbits obrien
MFC after: 1 week
|
#
f9510887 |
|
26-Jun-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot: allow OpenPGP support to be dormant

Since we can now add OpenPGP trust anchors at runtime, ensure the latent support is available.

Ensure we do not add duplicate keys to trust store.

Also allow reporting names of trust anchors added/revoked

We only do this for loader and only after initializing trust store. Thus only changes to initial trust store will be logged.

Reviewed by: stevek
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D20700
|
#
9bee6a60 |
|
09-May-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot: make it easier to customize trust anchors

Avoid making hash self-tests depend on X.509 certs. Include OpenPGP keys in trust store count.

Reviewed by: stevek
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D20208
|
#
13ea0450 |
|
05-Mar-2019 |
Marcin Wojtas <mw@FreeBSD.org> |
Extend libsecureboot (old libve) to obtain trusted certificates from UEFI and implement revocation

UEFI related headers were copied from edk2.

A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow loading of trusted anchors from UEFI.

Certificate revocation support is also introduced. The forbidden certificates are loaded from dbx variable. Verification fails in two cases:

- There is a direct match between cert in dbx and the one in the chain.
- The CA used to sign the chain is found in dbx.

One can also insert a hash of TBS section of a certificate into dbx. In this case verification fails only if a direct match with a certificate in chain is found.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19093
|
#
5fff9558 |
|
25-Feb-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add libsecureboot

Used by loader and veriexec
Depends on libbearssl

Reviewed by: emaste
Sponsored by: Juniper Networks
Differential Revision: D16335
|