src/lib/libsecureboot, branch main FreeBSD source tree libsecureboot: do further checks on files without manifests 2025-11-27T02:18:23+00:00 Ka Ho Ng khng@FreeBSD.org 2025-11-27T02:17:14+00:00 52c0749723bd80017fb0c0487440762a783ad323 verify_prep can return VE_FINGERPRINT_NONE. Consider such scenario so the VE_GEUSS heuristics works with files that likely will not have fingerprints in the manifest file. Obtained from: Hewlett Packard Enterprise Reviewed by: sjg MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D53940 
verify_prep can return VE_FINGERPRINT_NONE. Consider such scenario so
the VE_GEUSS heuristics works with files that likely will not have
fingerprints in the manifest file.

Obtained from:	Hewlett Packard Enterprise
Reviewed by:	sjg
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D53940
stand: Fix secureboot build 2025-11-17T05:58:36+00:00 Warner Losh imp@FreeBSD.org 2025-11-17T05:49:21+00:00 3c5ca68b9b7ce68a5376b8456edf6af57ed18f91 Make libesecureboot build, enabled when WITH_BEARSSL=y WITH_LOADER_EFI_SECUREBOOT=y. Copy EDK2 files related to secure boot to sys/contrib/edk2 and delete duplicates under libsecreboot/efi/include. Adjust efi_variables.c to build in the new environment. Undefine MIN and MAX before include sys/param.h in libsecureboot.h. I'm not sure that sys/param.h is needed here, but either the param.h or the Base.h definitions are fine. Fix include paths to reflect the new way. Fixes: 43b8edb32051 Sponsored by: Netflix 
Make libesecureboot build, enabled when WITH_BEARSSL=y
WITH_LOADER_EFI_SECUREBOOT=y.

Copy EDK2 files related to secure boot to sys/contrib/edk2 and delete
duplicates under libsecreboot/efi/include.
Adjust efi_variables.c to build in the new environment.

Undefine MIN and MAX before include sys/param.h in libsecureboot.h. I'm
not sure that sys/param.h is needed here, but either the param.h or the
Base.h definitions are fine.

Fix include paths to reflect the new way.

Fixes:		43b8edb32051
Sponsored by:	Netflix
Add DEBUG_PRINTF to stand.h 2025-07-17T23:36:17+00:00 Simon J. Gerraty sjg@FreeBSD.org 2025-07-17T23:36:17+00:00 e67aef419093b08984b8a2de535bc3e4ce13e087 stand/ is mostly debugged with printfs, in an ad hoc and sometimes fragile manner. For example BOOTP_DEBUG in bootp.c cannot be defined unless NETIF_DEBUG is defined in dev_net.c or build fails for lack of the symbol debug. The DEBUG_PRINTF implementation in stand.h addresses that and allows for more control over debug output. It is compatible with the usage in libsecureboot. Simply define _DEBUG_LEVEL to the desired level of debug or in the case of libsecureboot _DEBUG_LEVEL_VAR to the variable that will hold that value - default is _debug which is static so each translation unit can be controlled independently. The 1st arg to DEBUG_PRINTF is a level which must be greater than or equal to _DEBUG_LEVEL_VAR if the printf is to be called. See libsecureboot for more examples. Reviewed by: imp Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D51269 
stand/ is mostly debugged with printfs, in an ad hoc and sometimes
fragile manner. For example BOOTP_DEBUG in bootp.c cannot be defined
unless NETIF_DEBUG is defined in dev_net.c or build fails for lack of the
symbol debug.

The DEBUG_PRINTF implementation in stand.h addresses that and allows
for more control over debug output.  It is compatible with the
usage in libsecureboot.

Simply define _DEBUG_LEVEL to the desired level of debug
or in the case of libsecureboot _DEBUG_LEVEL_VAR to the variable that
will hold that value - default is _debug which is static so each
translation unit can be controlled independently.

The 1st arg to DEBUG_PRINTF is a level which must be greater than or
equal to _DEBUG_LEVEL_VAR if the printf is to be called.
See libsecureboot for more examples.

Reviewed by:	imp
Sponsored by:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D51269
libsecureboot: avoid noise when looking for tust anchors 2025-04-19T19:29:30+00:00 Simon J. Gerraty sjg@FreeBSD.org 2025-04-19T19:29:30+00:00 62671aa7d5fe72e4bd6669902eead98004f650e9 PR: 286160 
PR: 286160
libsecureboot/README.rst clarify use of gpg 2025-01-23T03:10:10+00:00 Simon J. Gerraty sjg@FreeBSD.org 2025-01-23T03:10:10+00:00 f486ebb5e36b0dada882cfa1592cee110da2afb2 Clarify some language and provide an example of gpg use to generate a detached signature. 
Clarify some language and provide an example of gpg use to generate
a detached signature.
libsecureboot add sha384 and sha512 for OpenPGP 2025-01-20T20:56:44+00:00 Simon J. Gerraty sjg@FreeBSD.org 2025-01-20T20:56:44+00:00 dae4eb623e862789533dca8b644ea531502a088f gpg supports SHA384, SHA512 as well as SHA256 so allow for them. Tweak Makefile.inc so we can build libsecureboot with only OpenPGP trust anchors. Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D48546 
gpg supports SHA384, SHA512 as well as SHA256 so allow for them.

Tweak Makefile.inc so we can build libsecureboot with only OpenPGP
trust anchors.

Reviewed by: imp
Differential Revision:	https://reviews.freebsd.org/D48546
libsecureboot: Report failure for unsupported hash algorithm 2025-01-20T18:59:20+00:00 Huwyler simon.huwyler@gmail.com 2025-01-17T14:55:15+00:00 caaeab697bf98bf96e2fa8cb4a1e22240511fbcc Reviewed by: sjg Pull request: https://github.com/freebsd/freebsd-src/pull/1574 
Reviewed by:	sjg
Pull request:	https://github.com/freebsd/freebsd-src/pull/1574
Remove residual blank line at start of Makefile 2024-07-15T22:43:39+00:00 Warner Losh imp@FreeBSD.org 2024-07-15T04:46:32+00:00 e9ac41698b2f322d55ccf9da50a3596edb2c1800 This is a residual of the $FreeBSD$ removal. MFC After: 3 days (though I'll just run the command on the branches) Sponsored by: Netflix 
This is a residual of the $FreeBSD$ removal.

MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix
libsecureboot do not report expected unverified files 2024-02-12T22:35:01+00:00 Simon J. Gerraty sjg@FreeBSD.org 2024-02-12T22:35:01+00:00 f616d61ab6b071e5fbfdbae7033a9ef04c1444ad By default only report unverified files at severity VE_WANT and above. This inlcudes *.conf but not *.hints, *.cookie or *.tgz which get VE_TRY as their severity. If Verbose is set to 0, then VerifyFlags should default to 0 too. Thus the combination of module_verbose=0 VE_VEBOSE=0 is sufficient to make the loader almost totally silent. When verify_prep has to find_manifest and it is verified ok return VE_NOT_CHECKED to verify_file so that it can skip repeating verify_fd Also add better debugging output for is_verified and add_verify_status. vectx handle compressed modules When verifying a compressed module (.ko.gz or .ko.bz2) stat() reports the size as -1 (unknown). vectx_lseek needs to spot this during closing - and just read until EOF is hit. Note: because of the way libsa's open() works, verify_prep will see the path to be verified as module.ko not module.ko.bz2 etc. This is actually ok, because we need a separate module.ko.bz2 entry so that the package can be verified, and the hash for module.ko is of the uncompressed file which is what vectx will see. Re-work local.trust.mk so site.trust.mk need only set VE_SIGN_URL_LIST (if using the mentioned signing server) interp.c: restrict interactive input Apply the same restrictions to interactive input as for unverified conf and hints files. Use version.veriexec when LOADER_VERIEXEC is yes Reviewed by: kevans Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D43810 
By default only report unverified files at severity VE_WANT
and above.  This inlcudes *.conf but not *.hints, *.cookie
or *.tgz which get VE_TRY as their severity.

If Verbose is set to 0, then VerifyFlags should default to 0 too.
Thus the combination of

	module_verbose=0
	VE_VEBOSE=0

is sufficient to make the loader almost totally silent.

When verify_prep has to find_manifest and it is verified ok
return VE_NOT_CHECKED to verify_file so that it can skip
repeating verify_fd

Also add better debugging output for is_verified and add_verify_status.

vectx handle compressed modules

When verifying a compressed module (.ko.gz or .ko.bz2)
stat() reports the size as -1 (unknown).
vectx_lseek needs to spot this during closing - and just read until
EOF is hit.

Note: because of the way libsa's open() works, verify_prep will see
the path to be verified as module.ko not module.ko.bz2 etc.  This is
actually ok, because we need a separate module.ko.bz2 entry so that
the package can be verified, and the hash for module.ko is of the
uncompressed file which is what vectx will see.

Re-work local.trust.mk so site.trust.mk need only set
VE_SIGN_URL_LIST (if using the mentioned signing server)

interp.c: restrict interactive input

Apply the same restrictions to interactive input as for
unverified conf and hints files.

Use version.veriexec when LOADER_VERIEXEC is yes

Reviewed by:	kevans
Sponsored by:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D43810
libsecureboot: be more verbose about validation failures 2023-12-10T20:13:56+00:00 Stéphane Rochoy stephane.rochoy@stormshield.eu 2023-12-04T09:57:43+00:00 4b9d605768acabc460aa6dcfe8a1f8db35b16794 Reviewed by: imp, sjg Pull Request: https://github.com/freebsd/freebsd-src/pull/916 
Reviewed by:	imp, sjg
Pull Request:	https://github.com/freebsd/freebsd-src/pull/916