src/lib/libsecureboot/vets.c, branch releng/14.3 FreeBSD source tree libsecureboot: be more verbose about validation failures 2024-01-07T19:39:17+00:00 Stéphane Rochoy stephane.rochoy@stormshield.eu 2023-12-04T09:57:43+00:00 a13066579c6f0b80786472505f115cadbf301c25 Reviewed by: imp, sjg Pull Request: https://github.com/freebsd/freebsd-src/pull/916 (cherry picked from commit 4b9d605768acabc460aa6dcfe8a1f8db35b16794) 
Reviewed by:	imp, sjg
Pull Request:	https://github.com/freebsd/freebsd-src/pull/916

(cherry picked from commit 4b9d605768acabc460aa6dcfe8a1f8db35b16794)
Remove $FreeBSD$: one-line .c pattern 2023-08-16T17:54:42+00:00 Warner Losh imp@FreeBSD.org 2023-08-16T17:54:42+00:00 1d386b48a555f61cb7325543adbbb5c3f3407a66 Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/ 
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
libsecureboot: do not accept certificate we cannot decode 2023-07-05T19:37:14+00:00 Simon J. Gerraty sjg@FreeBSD.org 2023-07-05T19:37:14+00:00 9c3478cb226385c468c0d029337f4e78e69931c8 Although we care more about the CN of a certificate than its status (for purpose of reporting), we should skip if we have errors decoding. Reviewed by: stevek Sponsored by: Juniper Networks, Inc. 
Although we care more about the CN of a certificate than its status
(for purpose of reporting), we should skip if we have errors decoding.

Reviewed by:	stevek
Sponsored by:	Juniper Networks, Inc.
libsecureboot: avoid set but not used errors 2023-06-30T06:52:17+00:00 Simon J. Gerraty sjg@FreeBSD.org 2023-06-30T06:52:17+00:00 56f3f2d2491e30f369f9461c3cb2a366bdffbe1d Reviewed by: stevek 
Reviewed by:	stevek
lib/libsecureboot: Fix some typos 2022-11-11T15:38:39+00:00 Elyes HAOUAS ehaouas@noos.fr 2021-03-22T17:16:06+00:00 cb25444c05071463d7f690590ed6288b015ec0fb Signed-off-by: Elyes HAOUAS <ehaouas@noos.fr> Pull Request: https://github.com/freebsd/freebsd-src/pull/544 
Signed-off-by: Elyes HAOUAS <ehaouas@noos.fr>
Pull Request:	https://github.com/freebsd/freebsd-src/pull/544
Add -S option to veriexec 2022-07-19T15:59:53+00:00 Simon J. Gerraty sjg@FreeBSD.org 2022-07-19T15:59:53+00:00 ab4f0a15188087e407426aac2a720035fd2a3b0a During software installation, use veriexec -S to strictly enforce certificate validity checks (notBefore, notAfter). Otherwise ignore certificate validity period. It is generally unacceptible for the Internet to stop working just because someone did not upgrade their infrastructure for a decade. Sponsored by: Juniper Networks, Inc. Reviewed by: sebastien.bini_stormshield.eu Differential Revision: https://reviews.freebsd.org/D35758 
During software installation, use veriexec -S to strictly
enforce certificate validity checks (notBefore, notAfter).

Otherwise ignore certificate validity period.
It is generally unacceptible for the Internet to stop working
just because someone did not upgrade their infrastructure for a decade.

Sponsored by:	Juniper Networks, Inc.

Reviewed by:	sebastien.bini_stormshield.eu
Differential Revision:	https://reviews.freebsd.org/D35758
libsecureboot: Do not propagate empty string 2022-06-29T08:50:23+00:00 Wojciech Macek wma@FreeBSD.org 2022-06-29T08:50:23+00:00 e6ef5042e485f74e7233a9974010b16a7316167e If Trust Anchors are provided by UEFI and not compiled into libsecureboot the segmentation fault occurs due to empty or NULL string usage. Obtained from: Semihalf Reviewed by: sjg Differential revision: https://reviews.freebsd.org/D35120 
If Trust Anchors are provided by UEFI and not compiled into
libsecureboot the segmentation fault occurs due to empty
or NULL string usage.

Obtained from:		Semihalf
Reviewed by:		sjg
Differential revision:	https://reviews.freebsd.org/D35120
Merge bearssl-20220418 2022-04-18T21:52:30+00:00 Simon J. Gerraty sjg@FreeBSD.org 2022-04-18T21:47:09+00:00 cc9e6590773dba57440750c124173ed531349a06 Main change is a callback for checking validity period of certificates. Merge commit 'f6acb9b9f81c96ae7c9592bee1bb89c4357cc3e5' Add -DHAVE_BR_X509_TIME_CHECK to libsecureboot/Makefile.inc 
Main change is a callback for checking validity period of certificates.

Merge commit 'f6acb9b9f81c96ae7c9592bee1bb89c4357cc3e5'

Add -DHAVE_BR_X509_TIME_CHECK to libsecureboot/Makefile.inc
Update libsecureboot 2022-04-18T19:54:15+00:00 Simon J. Gerraty sjg@FreeBSD.org 2022-04-18T19:53:53+00:00 666554111a7e6b4c1a9a6ff2e73f12cd582573bb Preparation for updating bearssl, pull in updates to libsecureboot. o fix handling of some out-of-memory cases o allow more control over reporting of Verified/Unverified files. this helps boot time when console output is slow o recheck verbose/debug level after reading any unverified file o more debug support for vectx o hash_string to support fake stat for tftp o tests/tvo add -v to simply verify signatures o vets.c allow for HAVE_BR_X509_TIME_CHECK which will greatly simplify verification in loader o report date when certificate fails validity period checks Reviewed by: stevek Sponsored by: Juniper Networks, Inc. 
Preparation for updating bearssl, pull in updates to libsecureboot.

o fix handling of some out-of-memory cases

o allow more control over reporting of Verified/Unverified files.
  this helps boot time when console output is slow

  o recheck verbose/debug level after reading any unverified file

o more debug support for vectx

o hash_string to support fake stat for tftp

o tests/tvo add -v to simply verify signatures

o vets.c allow for HAVE_BR_X509_TIME_CHECK which will greatly simplify
  verification in loader

o report date when certificate fails validity period checks

Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
Fix pkgfs stat so it satisfies libsecureboot 2020-03-25T19:12:19+00:00 Simon J. Gerraty sjg@FreeBSD.org 2020-03-25T19:12:19+00:00 53f151f90603580d0c0a8fa1840ba1262958a7c1 We need a valid st_dev, st_ino and st_mtime to correctly track which files have been verified and to update our notion of time. ve_utc_set(): ignore utc if it would jump our current time by more than VE_UTC_MAX_JUMP (20 years). Allow testing of install command via userboot. Need to fix its stat implementation too. bhyveload also needs stat fixed - due to change to userboot.h Call ve_error_get() from vectx_close() when hash is wrong. Track the names of files we have hashed into pcr For the purposes of measured boot, it is important to be able to reproduce the hash reflected in loader.ve.pcr so loader.ve.hashed provides a list of names in the order they were added. Reviewed by: imp MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org//D24027 
We need a valid st_dev, st_ino and st_mtime
to correctly track which files have been verified
and to update our notion of time.

ve_utc_set(): ignore utc if it would jump our current time
by more than VE_UTC_MAX_JUMP (20 years).

Allow testing of install command via userboot.
Need to fix its stat implementation too.

bhyveload also needs stat fixed - due to change to userboot.h

Call ve_error_get() from vectx_close() when hash is wrong.

Track the names of files we have hashed into pcr

For the purposes of measured boot, it is important
to be able to reproduce the hash reflected in
loader.ve.pcr
so loader.ve.hashed provides a list of names in the order they
were added.

Reviewed by:	imp
MFC after:	1 week
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org//D24027