src/lib/libsecureboot/local.trust.mk, branch releng/12.2 FreeBSD source tree libsecureboot: allow OpenPGP support to be dormant 2019-07-10T21:35:55+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-07-10T21:35:55+00:00 c6eb46769d0ba33bcc1096f036ebc165eb585c92 Since we can now add OpenPGP trust anchors at runtime, ensure the latent support is available. Ensure we do not add duplicate keys to trust store. Also allow reporting names of trust anchors added/revoked We only do this for loader and only after initializing trust store. Thus only changes to initial trust store will be logged. MFC of r349446 Reviewed by: stevek Differential Revision: https://reviews.freebsd.org/D20700 
Since we can now add OpenPGP trust anchors at runtime,
ensure the latent support is available.

Ensure we do not add duplicate keys to trust store.

Also allow reporting names of trust anchors added/revoked

We only do this for loader and only after initializing trust store.
Thus only changes to initial trust store will be logged.

MFC of r349446

Reviewed by:    stevek
Differential Revision:  https://reviews.freebsd.org/D20700
libsecureboot: make it easier to customize trust anchors 2019-05-16T16:15:41+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-05-16T16:15:41+00:00 e9134c4661ea9e0ffbeaa1acfe121b8a5a5a1559 Avoid making hash self-tests depend on X.509 certs. Include OpenPGP keys in trust store count. MFC of r347408 Reviewed by: stevek Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D20208 
Avoid making hash self-tests depend on X.509 certs.
Include OpenPGP keys in trust store count.

MFC of r347408

Reviewed by:	stevek
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org/D20208
MFC r344840: Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation 2019-04-26T00:48:52+00:00 Marcin Wojtas mw@FreeBSD.org 2019-04-26T00:48:52+00:00 63fd89c7cdb04dada3f82eb75201782b8712c8b6 UEFI related headers were copied from edk2. A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow loading of trusted anchors from UEFI. Certificate revocation support is also introduced. The forbidden certificates are loaded from dbx variable. Verification fails in two cases: There is a direct match between cert in dbx and the one in the chain. The CA used to sign the chain is found in dbx. One can also insert a hash of TBS section of a certificate into dbx. In this case verifications fails only if a direct match with a certificate in chain is found. Submitted by: Kornel Duleba <mindal@semihalf.com> Obtained from: Semihalf Sponsored by: Stormshield 
UEFI related headers were copied from edk2.

A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow
loading of trusted anchors from UEFI.

Certificate revocation support is also introduced.
The forbidden certificates are loaded from dbx variable.
Verification fails in two cases:

There is a direct match between cert in dbx and the one in the chain.
The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx.
In this case verifications fails only if a direct match with a
certificate in chain is found.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Obtained from: Semihalf
Sponsored by: Stormshield
Add support for loader veriexec 2019-04-12T01:03:00+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-04-12T01:03:00+00:00 ae8c08e7ce273c86febc4fd9d6357232b277548a Also sbin/veriexec for mac_veriexec MFC r343281,344564-344568,344780,344784,345289,346070 
Also sbin/veriexec for mac_veriexec

MFC r343281,344564-344568,344780,344784,345289,346070