src/lib/libsecureboot/tests, branch main

Pass severity to vectx_open() rather than vectx_close()

2026-04-10T17:46:54+00:00

file_loadraw() can have a need to load unverified files
like "dtrace_dof".  Allow severity_guess() to look at the filename
but if it returns less than VE_MUST check that the type is not
one we insist on verifying.

In vectx_open if severity < VE_MUST we can allow it to be unverified.
If passed VE_GUESS we call severity_guess().
Regardless, we record severity in ctx so it is available to vectx_close().

Sponsored by: Hewlett Packard Enterprise Development LP

Reviewed by:	khng
Differential Revision:	https://reviews.freebsd.org/D56297

Remove residual blank line at start of Makefile

2024-07-15T22:43:39+00:00

This is a residual of the $FreeBSD$ removal.

MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix

Remove $FreeBSD$: one-line sh pattern

2023-08-16T17:55:03+00:00

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

Remove $FreeBSD$: one-line .c pattern

2023-08-16T17:54:42+00:00

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

Update libsecureboot

2022-04-18T19:54:15+00:00

Preparation for updating bearssl, pull in updates to libsecureboot.

o fix handling of some out-of-memory cases

o allow more control over reporting of Verified/Unverified files.
  this helps boot time when console output is slow

  o recheck verbose/debug level after reading any unverified file

o more debug support for vectx

o hash_string to support fake stat for tftp

o tests/tvo add -v to simply verify signatures

o vets.c allow for HAVE_BR_X509_TIME_CHECK which will greatly simplify
  verification in loader

o report date when certificate fails validity period checks

Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.

veloader use vectx API for kernel and modules

2020-03-08T17:42:42+00:00

The vectx API, computes the hash for verifying a file as it is read.
This avoids the overhead of reading files twice - once to verify, then
again to load.

For doing an install via loader, avoiding the need to rewind
large files is critical.

This API is only used for modules, kernel and mdimage as these are the
biggest files read by the loader.
The reduction in boot time depends on how expensive the I/O is
on any given platform.  On a fast VM we see 6% improvement.

For install via loader the first file to be verified is likely to be the
kernel, so some of the prep work (finding manifest etc) done by
verify_file() needs to be factored so it can be reused for
vectx_open().

For missing or unrecognized fingerprint entries, we fail
in vectx_open() unless verifying is disabled.

Otherwise fingerprint check happens in vectx_close() and
since this API is only used for files which must be verified
(VE_MUST) we panic if we get an incorrect hash.

Reviewed by:	imp,tsoome
MFC after:	1 week
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org//D23827

libsecureboot: allow control of when pseudo pcr is updated

2019-05-19T20:28:49+00:00

During boot we only want to measure things which *must*
be verified - this should provide more deterministic ordering.

Reviewed by:	stevek
MFC after:	1 week
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org/D20297

libsecureboot: make it easier to customize trust anchors

2019-05-09T22:25:12+00:00

Avoid making hash self-tests depend on X.509 certs.
Include OpenPGP keys in trust store count.

Reviewed by:	stevek
MFC after:	1 week
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org/D20208

Allow for reproducible build

2019-03-04T22:04:21+00:00

Use SOURCE_DATE_EPOCH for BUILD_UTC if MK_REPRODUCIBLE_BUILD is yes.
Default SOURCE_DATE_EPOCH to 2019-01-01

Reviewed by:	emaste
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org/D19464

Add libsecureboot

2019-02-26T06:09:10+00:00

Used by loader and veriexec
Depends on libbearssl

Reviewed by:	emaste
Sponsored by:	Juniper Networks
Differential Revision:	D16335