src/lib/libsecureboot/Makefile.inc, branch releng/12.2 FreeBSD source tree libsecureboot: make it easier to customize trust anchors 2019-05-16T16:15:41+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-05-16T16:15:41+00:00 e9134c4661ea9e0ffbeaa1acfe121b8a5a5a1559 Avoid making hash self-tests depend on X.509 certs. Include OpenPGP keys in trust store count. MFC of r347408 Reviewed by: stevek Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D20208 
Avoid making hash self-tests depend on X.509 certs.
Include OpenPGP keys in trust store count.

MFC of r347408

Reviewed by:	stevek
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org/D20208
MFC r344840: Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation 2019-04-26T00:48:52+00:00 Marcin Wojtas mw@FreeBSD.org 2019-04-26T00:48:52+00:00 63fd89c7cdb04dada3f82eb75201782b8712c8b6 UEFI related headers were copied from edk2. A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow loading of trusted anchors from UEFI. Certificate revocation support is also introduced. The forbidden certificates are loaded from dbx variable. Verification fails in two cases: There is a direct match between cert in dbx and the one in the chain. The CA used to sign the chain is found in dbx. One can also insert a hash of TBS section of a certificate into dbx. In this case verifications fails only if a direct match with a certificate in chain is found. Submitted by: Kornel Duleba <mindal@semihalf.com> Obtained from: Semihalf Sponsored by: Stormshield 
UEFI related headers were copied from edk2.

A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow
loading of trusted anchors from UEFI.

Certificate revocation support is also introduced.
The forbidden certificates are loaded from dbx variable.
Verification fails in two cases:

There is a direct match between cert in dbx and the one in the chain.
The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx.
In this case verifications fails only if a direct match with a
certificate in chain is found.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Obtained from: Semihalf
Sponsored by: Stormshield
Add support for loader veriexec 2019-04-12T01:03:00+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-04-12T01:03:00+00:00 ae8c08e7ce273c86febc4fd9d6357232b277548a Also sbin/veriexec for mac_veriexec MFC r343281,344564-344568,344780,344784,345289,346070 
Also sbin/veriexec for mac_veriexec

MFC r343281,344564-344568,344780,344784,345289,346070