src/lib/libsecureboot/Makefile.inc, branch releng/14.3 FreeBSD source tree libsecureboot do not report expected unverified files 2024-04-16T19:54:22+00:00 Simon J. Gerraty sjg@FreeBSD.org 2024-02-12T22:35:01+00:00 16d49d0e4fe7061832c2c23ff9e91e7abdc272ac By default only report unverified files at severity VE_WANT and above. This inlcudes *.conf but not *.hints, *.cookie or *.tgz which get VE_TRY as their severity. If Verbose is set to 0, then VerifyFlags should default to 0 too. Thus the combination of module_verbose=0 VE_VEBOSE=0 is sufficient to make the loader almost totally silent. When verify_prep has to find_manifest and it is verified ok return VE_NOT_CHECKED to verify_file so that it can skip repeating verify_fd Also add better debugging output for is_verified and add_verify_status. vectx handle compressed modules When verifying a compressed module (.ko.gz or .ko.bz2) stat() reports the size as -1 (unknown). vectx_lseek needs to spot this during closing - and just read until EOF is hit. Note: because of the way libsa's open() works, verify_prep will see the path to be verified as module.ko not module.ko.bz2 etc. This is actually ok, because we need a separate module.ko.bz2 entry so that the package can be verified, and the hash for module.ko is of the uncompressed file which is what vectx will see. Re-work local.trust.mk so site.trust.mk need only set VE_SIGN_URL_LIST (if using the mentioned signing server) interp.c: restrict interactive input Apply the same restrictions to interactive input as for unverified conf and hints files. Use version.veriexec when LOADER_VERIEXEC is yes Reviewed by: kevans Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D43810 (cherry picked from commit f616d61ab6b071e5fbfdbae7033a9ef04c1444ad) 
By default only report unverified files at severity VE_WANT
and above.  This inlcudes *.conf but not *.hints, *.cookie
or *.tgz which get VE_TRY as their severity.

If Verbose is set to 0, then VerifyFlags should default to 0 too.
Thus the combination of

	module_verbose=0
	VE_VEBOSE=0

is sufficient to make the loader almost totally silent.

When verify_prep has to find_manifest and it is verified ok
return VE_NOT_CHECKED to verify_file so that it can skip
repeating verify_fd

Also add better debugging output for is_verified and add_verify_status.

vectx handle compressed modules

When verifying a compressed module (.ko.gz or .ko.bz2)
stat() reports the size as -1 (unknown).
vectx_lseek needs to spot this during closing - and just read until
EOF is hit.

Note: because of the way libsa's open() works, verify_prep will see
the path to be verified as module.ko not module.ko.bz2 etc.  This is
actually ok, because we need a separate module.ko.bz2 entry so that
the package can be verified, and the hash for module.ko is of the
uncompressed file which is what vectx will see.

Re-work local.trust.mk so site.trust.mk need only set
VE_SIGN_URL_LIST (if using the mentioned signing server)

interp.c: restrict interactive input

Apply the same restrictions to interactive input as for
unverified conf and hints files.

Use version.veriexec when LOADER_VERIEXEC is yes

Reviewed by:	kevans
Sponsored by:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D43810

(cherry picked from commit f616d61ab6b071e5fbfdbae7033a9ef04c1444ad)
Remove $FreeBSD$: one-line sh pattern 2023-08-16T17:55:03+00:00 Warner Losh imp@FreeBSD.org 2023-08-16T17:55:03+00:00 d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/ 
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
libsecureboot ensure correct BUILD_UTC 2023-05-23T16:02:00+00:00 Simon J. Gerraty sjg@FreeBSD.org 2023-05-23T16:02:00+00:00 75e02c458a0def1ee8054646434c738b4004de8f If using stat(1) on BUILD_UTC_FILE we should use -L incase it is a symlink. If we have new enough bmake though we can just use ${BUILD_UTC_FILE:mtime} 
If using stat(1) on BUILD_UTC_FILE we should use -L incase
it is a symlink.

If we have new enough bmake though we can just use ${BUILD_UTC_FILE:mtime}
Merge bearssl-20220418 2022-04-18T21:52:30+00:00 Simon J. Gerraty sjg@FreeBSD.org 2022-04-18T21:47:09+00:00 cc9e6590773dba57440750c124173ed531349a06 Main change is a callback for checking validity period of certificates. Merge commit 'f6acb9b9f81c96ae7c9592bee1bb89c4357cc3e5' Add -DHAVE_BR_X509_TIME_CHECK to libsecureboot/Makefile.inc 
Main change is a callback for checking validity period of certificates.

Merge commit 'f6acb9b9f81c96ae7c9592bee1bb89c4357cc3e5'

Add -DHAVE_BR_X509_TIME_CHECK to libsecureboot/Makefile.inc
libsecureboot: make it easier to customize trust anchors 2019-05-09T22:25:12+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-05-09T22:25:12+00:00 9bee6a6083228d0e6abfb991fdbb4edf020fd438 Avoid making hash self-tests depend on X.509 certs. Include OpenPGP keys in trust store count. Reviewed by: stevek MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D20208 
Avoid making hash self-tests depend on X.509 certs.
Include OpenPGP keys in trust store count.

Reviewed by:	stevek
MFC after:	1 week
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org/D20208
Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation 2019-03-06T06:39:42+00:00 Marcin Wojtas mw@FreeBSD.org 2019-03-06T06:39:42+00:00 13ea0450a9c8742119d36f3bf8f47accdce46e54 UEFI related headers were copied from edk2. A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow loading of trusted anchors from UEFI. Certificate revocation support is also introduced. The forbidden certificates are loaded from dbx variable. Verification fails in two cases: There is a direct match between cert in dbx and the one in the chain. The CA used to sign the chain is found in dbx. One can also insert a hash of TBS section of a certificate into dbx. In this case verifications fails only if a direct match with a certificate in chain is found. Submitted by: Kornel Duleba <mindal@semihalf.com> Reviewed by: sjg Obtained from: Semihalf Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D19093 
UEFI related headers were copied from edk2.

A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow
loading of trusted anchors from UEFI.

Certificate revocation support is also introduced.
The forbidden certificates are loaded from dbx variable.
Verification fails in two cases:

There is a direct match between cert in dbx and the one in the chain.
The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx.
In this case verifications fails only if a direct match with a
certificate in chain is found.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision:	https://reviews.freebsd.org/D19093
Allow for reproducible build 2019-03-04T22:04:21+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-03-04T22:04:21+00:00 02a4bc589cb28479993057372d74f26a7c3fce84 Use SOURCE_DATE_EPOCH for BUILD_UTC if MK_REPRODUCIBLE_BUILD is yes. Default SOURCE_DATE_EPOCH to 2019-01-01 Reviewed by: emaste Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D19464 
Use SOURCE_DATE_EPOCH for BUILD_UTC if MK_REPRODUCIBLE_BUILD is yes.
Default SOURCE_DATE_EPOCH to 2019-01-01

Reviewed by:	emaste
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org/D19464
Add libsecureboot 2019-02-26T06:09:10+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-02-26T06:09:10+00:00 5fff9558a43aaac53da41dc23c250c4e84f6fb02 Used by loader and veriexec Depends on libbearssl Reviewed by: emaste Sponsored by: Juniper Networks Differential Revision: D16335 
Used by loader and veriexec
Depends on libbearssl

Reviewed by:	emaste
Sponsored by:	Juniper Networks
Differential Revision:	D16335