src/lib/libsecureboot/verify_file.c, branch releng/14.3 FreeBSD source tree libsecureboot do not report expected unverified files 2024-04-16T19:54:22+00:00 Simon J. Gerraty sjg@FreeBSD.org 2024-02-12T22:35:01+00:00 16d49d0e4fe7061832c2c23ff9e91e7abdc272ac By default only report unverified files at severity VE_WANT and above. This inlcudes *.conf but not *.hints, *.cookie or *.tgz which get VE_TRY as their severity. If Verbose is set to 0, then VerifyFlags should default to 0 too. Thus the combination of module_verbose=0 VE_VEBOSE=0 is sufficient to make the loader almost totally silent. When verify_prep has to find_manifest and it is verified ok return VE_NOT_CHECKED to verify_file so that it can skip repeating verify_fd Also add better debugging output for is_verified and add_verify_status. vectx handle compressed modules When verifying a compressed module (.ko.gz or .ko.bz2) stat() reports the size as -1 (unknown). vectx_lseek needs to spot this during closing - and just read until EOF is hit. Note: because of the way libsa's open() works, verify_prep will see the path to be verified as module.ko not module.ko.bz2 etc. This is actually ok, because we need a separate module.ko.bz2 entry so that the package can be verified, and the hash for module.ko is of the uncompressed file which is what vectx will see. Re-work local.trust.mk so site.trust.mk need only set VE_SIGN_URL_LIST (if using the mentioned signing server) interp.c: restrict interactive input Apply the same restrictions to interactive input as for unverified conf and hints files. Use version.veriexec when LOADER_VERIEXEC is yes Reviewed by: kevans Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D43810 (cherry picked from commit f616d61ab6b071e5fbfdbae7033a9ef04c1444ad) 
By default only report unverified files at severity VE_WANT
and above.  This inlcudes *.conf but not *.hints, *.cookie
or *.tgz which get VE_TRY as their severity.

If Verbose is set to 0, then VerifyFlags should default to 0 too.
Thus the combination of

	module_verbose=0
	VE_VEBOSE=0

is sufficient to make the loader almost totally silent.

When verify_prep has to find_manifest and it is verified ok
return VE_NOT_CHECKED to verify_file so that it can skip
repeating verify_fd

Also add better debugging output for is_verified and add_verify_status.

vectx handle compressed modules

When verifying a compressed module (.ko.gz or .ko.bz2)
stat() reports the size as -1 (unknown).
vectx_lseek needs to spot this during closing - and just read until
EOF is hit.

Note: because of the way libsa's open() works, verify_prep will see
the path to be verified as module.ko not module.ko.bz2 etc.  This is
actually ok, because we need a separate module.ko.bz2 entry so that
the package can be verified, and the hash for module.ko is of the
uncompressed file which is what vectx will see.

Re-work local.trust.mk so site.trust.mk need only set
VE_SIGN_URL_LIST (if using the mentioned signing server)

interp.c: restrict interactive input

Apply the same restrictions to interactive input as for
unverified conf and hints files.

Use version.veriexec when LOADER_VERIEXEC is yes

Reviewed by:	kevans
Sponsored by:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D43810

(cherry picked from commit f616d61ab6b071e5fbfdbae7033a9ef04c1444ad)
Remove $FreeBSD$: one-line .c pattern 2023-08-16T17:54:42+00:00 Warner Losh imp@FreeBSD.org 2023-08-16T17:54:42+00:00 1d386b48a555f61cb7325543adbbb5c3f3407a66 Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/ 
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
Update libsecureboot 2022-04-18T19:54:15+00:00 Simon J. Gerraty sjg@FreeBSD.org 2022-04-18T19:53:53+00:00 666554111a7e6b4c1a9a6ff2e73f12cd582573bb Preparation for updating bearssl, pull in updates to libsecureboot. o fix handling of some out-of-memory cases o allow more control over reporting of Verified/Unverified files. this helps boot time when console output is slow o recheck verbose/debug level after reading any unverified file o more debug support for vectx o hash_string to support fake stat for tftp o tests/tvo add -v to simply verify signatures o vets.c allow for HAVE_BR_X509_TIME_CHECK which will greatly simplify verification in loader o report date when certificate fails validity period checks Reviewed by: stevek Sponsored by: Juniper Networks, Inc. 
Preparation for updating bearssl, pull in updates to libsecureboot.

o fix handling of some out-of-memory cases

o allow more control over reporting of Verified/Unverified files.
  this helps boot time when console output is slow

  o recheck verbose/debug level after reading any unverified file

o more debug support for vectx

o hash_string to support fake stat for tftp

o tests/tvo add -v to simply verify signatures

o vets.c allow for HAVE_BR_X509_TIME_CHECK which will greatly simplify
  verification in loader

o report date when certificate fails validity period checks

Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
libsecureboot: define SOPEN_MAX 2021-08-10T19:46:40+00:00 Toomas Soome tsoome@FreeBSD.org 2021-08-10T19:46:40+00:00 ee6dc333e1a1af08afa3d14b83e963e4cf90b77b With commit 97cbd5e722389a575e820c4e03f38053308f08ea, the SOPEN_MAX was removed from stand.h. We would need better mechanism there. 
With commit 97cbd5e722389a575e820c4e03f38053308f08ea, the SOPEN_MAX
was removed from stand.h.

We would need better mechanism there.
veloader: insist on verifying .4th .lua etc 2020-08-21T00:27:06+00:00 Simon J. Gerraty sjg@FreeBSD.org 2020-08-21T00:27:06+00:00 0929924b610c8365202e04e3482ecda88e895a1a When files are read from .rc or .4th, verify_file is asked to guess the severity (VE_TRY,VE_WANT,VE_MUST) Reviewed by: stevek MFC after: 1 week Sponsored by: Juniper Networks 
When files are read from .rc or .4th, verify_file is asked to
guess the severity (VE_TRY,VE_WANT,VE_MUST)

Reviewed by:	stevek
MFC after:	1 week
Sponsored by:	Juniper Networks
verify_pcr_export: bump kenv_mvallen if needed 2020-06-12T21:55:30+00:00 Simon J. Gerraty sjg@FreeBSD.org 2020-06-12T21:55:30+00:00 3e6e3de0aa0a25d4e2ddc43e19ed4686353ceb44 The loader.ve.hashed list can easily exceed KENV_MVALLEN. If so, bump kenv_mvallen to a multiple of KENV_MVALLEN to accommodate the value. Reviewed by: stevek MFC after: 1 week 
The loader.ve.hashed list can easily exceed KENV_MVALLEN.
If so, bump kenv_mvallen to a multiple of KENV_MVALLEN to
accommodate the value.

Reviewed by:	stevek
MFC after:	1 week
Fix pkgfs stat so it satisfies libsecureboot 2020-03-25T19:12:19+00:00 Simon J. Gerraty sjg@FreeBSD.org 2020-03-25T19:12:19+00:00 53f151f90603580d0c0a8fa1840ba1262958a7c1 We need a valid st_dev, st_ino and st_mtime to correctly track which files have been verified and to update our notion of time. ve_utc_set(): ignore utc if it would jump our current time by more than VE_UTC_MAX_JUMP (20 years). Allow testing of install command via userboot. Need to fix its stat implementation too. bhyveload also needs stat fixed - due to change to userboot.h Call ve_error_get() from vectx_close() when hash is wrong. Track the names of files we have hashed into pcr For the purposes of measured boot, it is important to be able to reproduce the hash reflected in loader.ve.pcr so loader.ve.hashed provides a list of names in the order they were added. Reviewed by: imp MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org//D24027 
We need a valid st_dev, st_ino and st_mtime
to correctly track which files have been verified
and to update our notion of time.

ve_utc_set(): ignore utc if it would jump our current time
by more than VE_UTC_MAX_JUMP (20 years).

Allow testing of install command via userboot.
Need to fix its stat implementation too.

bhyveload also needs stat fixed - due to change to userboot.h

Call ve_error_get() from vectx_close() when hash is wrong.

Track the names of files we have hashed into pcr

For the purposes of measured boot, it is important
to be able to reproduce the hash reflected in
loader.ve.pcr
so loader.ve.hashed provides a list of names in the order they
were added.

Reviewed by:	imp
MFC after:	1 week
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org//D24027
veloader use vectx API for kernel and modules 2020-03-08T17:42:42+00:00 Simon J. Gerraty sjg@FreeBSD.org 2020-03-08T17:42:42+00:00 afc571b1a6fb341b0e3f603d4f3a2538093e91f5 The vectx API, computes the hash for verifying a file as it is read. This avoids the overhead of reading files twice - once to verify, then again to load. For doing an install via loader, avoiding the need to rewind large files is critical. This API is only used for modules, kernel and mdimage as these are the biggest files read by the loader. The reduction in boot time depends on how expensive the I/O is on any given platform. On a fast VM we see 6% improvement. For install via loader the first file to be verified is likely to be the kernel, so some of the prep work (finding manifest etc) done by verify_file() needs to be factored so it can be reused for vectx_open(). For missing or unrecognized fingerprint entries, we fail in vectx_open() unless verifying is disabled. Otherwise fingerprint check happens in vectx_close() and since this API is only used for files which must be verified (VE_MUST) we panic if we get an incorrect hash. Reviewed by: imp,tsoome MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org//D23827 
The vectx API, computes the hash for verifying a file as it is read.
This avoids the overhead of reading files twice - once to verify, then
again to load.

For doing an install via loader, avoiding the need to rewind
large files is critical.

This API is only used for modules, kernel and mdimage as these are the
biggest files read by the loader.
The reduction in boot time depends on how expensive the I/O is
on any given platform.  On a fast VM we see 6% improvement.

For install via loader the first file to be verified is likely to be the
kernel, so some of the prep work (finding manifest etc) done by
verify_file() needs to be factored so it can be reused for
vectx_open().

For missing or unrecognized fingerprint entries, we fail
in vectx_open() unless verifying is disabled.

Otherwise fingerprint check happens in vectx_close() and
since this API is only used for files which must be verified
(VE_MUST) we panic if we get an incorrect hash.

Reviewed by:	imp,tsoome
MFC after:	1 week
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org//D23827
Initialize verbosity and debug level from env 2019-10-24T19:50:18+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-10-24T19:50:18+00:00 18e2fbc0d8c137286c5086e52666f43598d4387e For EFI at least, we can seed the environment with VE_VERBOSE etc. Reviewed by: stevek imp Sponsored by: Juniper Networks MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D22135 
For EFI at least, we can seed the environment
with VE_VERBOSE etc.

Reviewed by:	stevek imp
Sponsored by:	Juniper Networks
MFC after:	1 week
Differential Revision:  https://reviews.freebsd.org/D22135
libsecureboot: allow OpenPGP support to be dormant 2019-06-26T23:33:32+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-06-26T23:33:32+00:00 f9510887eeb5ad2eab96b48c41631886f8f33ad6 Since we can now add OpenPGP trust anchors at runtime, ensure the latent support is available. Ensure we do not add duplicate keys to trust store. Also allow reporting names of trust anchors added/revoked We only do this for loader and only after initializing trust store. Thus only changes to initial trust store will be logged. Reviewed by: stevek MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D20700 
Since we can now add OpenPGP trust anchors at runtime,
ensure the latent support is available.

Ensure we do not add duplicate keys to trust store.

Also allow reporting names of trust anchors added/revoked

We only do this for loader and only after initializing trust store.
Thus only changes to initial trust store will be logged.

Reviewed by:	stevek
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D20700