src/lib/libsecureboot, branch releng/12.2 FreeBSD source tree MFC loader fixes 2020-08-29T16:23:00+00:00 Simon J. Gerraty sjg@FreeBSD.org 2020-08-29T16:23:00+00:00 035a1427f2af23da211145fdfce5bd9fc90dffcb r361710: stand/uboot: fix setting of gateip.s_addr Missplaced paren. r361933: loader: install allow for more complete device spec in url Rework to simplify and impose sane url syntax. That is we allow for file://[devname[:fstype]]/package r362127: verify_pcr_export: bump kenv_mvallen if needed r362231: make KENV_MVALLEN tunable When doing secure boot, loader wants to export loader.ve.hashed the value of which typically exceeds KENV_MVALLEN. Replace use of KENV_MVALLEN with tunable kenv_mvallen. Add getenv_string_buffer() for the case where a stack buffer cannot be created and use uma_zone_t kenv_zone for suitably sized buffers. r364443: veloader: insist on verifying .4th .lua etc When files are read from .rc or .4th, verify_file is asked to guess the severity (VE_TRY,VE_WANT,VE_MUST) Reviewed by: imp, stevek, kevans 
r361710: stand/uboot: fix setting of gateip.s_addr
Missplaced paren.

r361933: loader: install allow for more complete device spec in url

Rework to simplify and impose sane url syntax.
That is we allow for file://[devname[:fstype]]/package

r362127: verify_pcr_export: bump kenv_mvallen if needed
r362231: make KENV_MVALLEN tunable

When doing secure boot, loader wants to export loader.ve.hashed
the value of which typically exceeds KENV_MVALLEN.

Replace use of KENV_MVALLEN with tunable kenv_mvallen.

Add getenv_string_buffer() for the case where a stack buffer cannot be
created and use uma_zone_t kenv_zone for suitably sized buffers.

r364443: veloader: insist on verifying .4th .lua etc

When files are read from .rc or .4th, verify_file is asked to
guess the severity (VE_TRY,VE_WANT,VE_MUST)

Reviewed by:	imp, stevek, kevans
Improve interaction of vectx and tftp 2020-04-14T00:57:50+00:00 Simon J. Gerraty sjg@FreeBSD.org 2020-04-14T00:57:50+00:00 b863ea65c7ba64d71452909669435e0a2c3f8fd5 On slow platforms, it helps to spread the hashing load over time so that tftp does not timeout. Also, some .4th files are too big to fit in cache of pkgfs, so increase cache size and ensure fully populated. MFC of r359700 Reviewed by: stevek Differential Revision: https://reviews.freebsd.org/D24287 
On slow platforms, it helps to spread the hashing load
over time so that tftp does not timeout.

Also, some .4th files are too big to fit in cache of pkgfs,
so increase cache size and ensure fully populated.

MFC of r359700

Reviewed by:	stevek
Differential Revision: https://reviews.freebsd.org/D24287
veloader use vectx API for kernel and modules 2020-04-09T04:50:19+00:00 Simon J. Gerraty sjg@FreeBSD.org 2020-04-09T04:50:19+00:00 19815ded6503c7e91e54f20f67ba16f72f74fe52 The vectx API, computes the hash for verifying a file as it is read. This avoids the overhead of reading files twice - once to verify, then again to load. For doing an install via loader, avoiding the need to rewind large files is critical. This API is only used for modules, kernel and mdimage as these are the biggest files read by the loader. The reduction in boot time depends on how expensive the I/O is on any given platform. On a fast VM we see 6% improvement. For install via loader the first file to be verified is likely to be the kernel, so some of the prep work (finding manifest etc) done by verify_file() needs to be factored so it can be reused for vectx_open(). For missing or unrecognized fingerprint entries, we fail in vectx_open() unless verifying is disabled. Otherwise fingerprint check happens in vectx_close() and since this API is only used for files which must be verified (VE_MUST) we panic if we get an incorrect hash. Fix pkgfs stat so it satisfies libsecureboot We need a valid st_dev, st_ino and st_mtime to correctly track which files have been verified and to update our notion of time. ve_utc_set(): ignore utc if it would jump our current time by more than VE_UTC_MAX_JUMP (20 years). Allow testing of install command via userboot. Need to fix its stat implementation too. bhyveload also needs stat fixed - due to change to userboot.h Call ve_error_get() from vectx_close() when hash is wrong. Track the names of files we have hashed into pcr For the purposes of measured boot, it is important to be able to reproduce the hash reflected in loader.ve.pcr so loader.ve.hashed provides a list of names in the order they were added. Avoid unused vars when VE_ECDSA_HASH_AGAIN undefined MFC of r358744 r358767 r359307 r355962 Reviewed by: imp,tsoome,emaste Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org//D23827 https://reviews.freebsd.org//D24027 
The vectx API, computes the hash for verifying a file as it is read.
This avoids the overhead of reading files twice - once to verify, then
again to load.

For doing an install via loader, avoiding the need to rewind
large files is critical.

This API is only used for modules, kernel and mdimage as these are the
biggest files read by the loader.
The reduction in boot time depends on how expensive the I/O is
on any given platform.  On a fast VM we see 6% improvement.

For install via loader the first file to be verified is likely to be the
kernel, so some of the prep work (finding manifest etc) done by
verify_file() needs to be factored so it can be reused for
vectx_open().

For missing or unrecognized fingerprint entries, we fail
in vectx_open() unless verifying is disabled.

Otherwise fingerprint check happens in vectx_close() and
since this API is only used for files which must be verified
(VE_MUST) we panic if we get an incorrect hash.

Fix pkgfs stat so it satisfies libsecureboot

We need a valid st_dev, st_ino and st_mtime
to correctly track which files have been verified
and to update our notion of time.

ve_utc_set(): ignore utc if it would jump our current time
by more than VE_UTC_MAX_JUMP (20 years).

Allow testing of install command via userboot.
Need to fix its stat implementation too.

bhyveload also needs stat fixed - due to change to userboot.h

Call ve_error_get() from vectx_close() when hash is wrong.

Track the names of files we have hashed into pcr

For the purposes of measured boot, it is important
to be able to reproduce the hash reflected in
loader.ve.pcr
so loader.ve.hashed provides a list of names in the order they
were added.

Avoid unused vars when VE_ECDSA_HASH_AGAIN undefined

MFC of r358744 r358767 r359307 r355962

Reviewed by:	imp,tsoome,emaste
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org//D23827 https://reviews.freebsd.org//D24027
Add Makefile.depend.options 2019-12-19T04:58:11+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-12-19T04:58:11+00:00 387f2740cab1168555efc6076159d2a66f018a58 Leaf directories that have dependencies impacted by options need a Makefile.depend.options file to avoid churn in Makefile.depend DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc can be set in local.dirdeps-options.mk which can add to those set in Makefile.depend.options See share/mk/dirdeps-options.mk Also update affected Makefile.depend files. MFC of r355616 and r355617 Reviewed by: bdrewery Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D22469 
Leaf directories that have dependencies impacted
by options need a Makefile.depend.options file
to avoid churn in Makefile.depend

DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc
can be set in local.dirdeps-options.mk
which can add to those set in Makefile.depend.options

See share/mk/dirdeps-options.mk

Also update affected Makefile.depend files.

MFC of r355616 and r355617

Reviewed by:	 bdrewery
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22469
Initialize verbosity and debug level from env 2019-10-31T20:29:45+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-10-31T20:29:45+00:00 9ee0c04f95c73a958add6184ce350d5ff48c239b For EFI at least, we can seed the environment with VE_VERBOSE etc. MFC of r354038 Reviewed by: stevek imp Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D22135 
For EFI at least, we can seed the environment
with VE_VERBOSE etc.

MFC of r354038

Reviewed by:	stevek imp
Sponsored by:	Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22135
libsecureboot: allow OpenPGP support to be dormant 2019-07-10T21:35:55+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-07-10T21:35:55+00:00 c6eb46769d0ba33bcc1096f036ebc165eb585c92 Since we can now add OpenPGP trust anchors at runtime, ensure the latent support is available. Ensure we do not add duplicate keys to trust store. Also allow reporting names of trust anchors added/revoked We only do this for loader and only after initializing trust store. Thus only changes to initial trust store will be logged. MFC of r349446 Reviewed by: stevek Differential Revision: https://reviews.freebsd.org/D20700 
Since we can now add OpenPGP trust anchors at runtime,
ensure the latent support is available.

Ensure we do not add duplicate keys to trust store.

Also allow reporting names of trust anchors added/revoked

We only do this for loader and only after initializing trust store.
Thus only changes to initial trust store will be logged.

MFC of r349446

Reviewed by:    stevek
Differential Revision:  https://reviews.freebsd.org/D20700
load_key_buf do not free data from dearmor 2019-05-22T23:23:16+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-05-22T23:23:16+00:00 b83a9b2850e79d082763afb3dce8ff3110592f97 The data returned by dearmor is referenced by the key leave it alone! MFC r347980 Reviewed by: stevek 
The data returned by dearmor is referenced by the key
leave it alone!

MFC r347980

Reviewed by:	stevek
libsecureboot: allow control of when pseudo pcr is updated 2019-05-22T23:19:20+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-05-22T23:19:20+00:00 6bd29941516de1db137ed3b09f1f0073ef9a1b92 During boot we only want to measure things which *must* be verified - this should provide more deterministic ordering. MFC r347981 Reviewed by: stevek Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D20297 
During boot we only want to measure things which *must*
be verified - this should provide more deterministic ordering.

MFC r347981

Reviewed by:	stevek
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org/D20297
libsecureboot: make it easier to customize trust anchors 2019-05-16T16:15:41+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-05-16T16:15:41+00:00 e9134c4661ea9e0ffbeaa1acfe121b8a5a5a1559 Avoid making hash self-tests depend on X.509 certs. Include OpenPGP keys in trust store count. MFC of r347408 Reviewed by: stevek Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D20208 
Avoid making hash self-tests depend on X.509 certs.
Include OpenPGP keys in trust store count.

MFC of r347408

Reviewed by:	stevek
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org/D20208
Allow no_hash to appear in manifest. 2019-04-30T23:01:13+00:00 Simon J. Gerraty sjg@FreeBSD.org 2019-04-30T23:01:13+00:00 7a21d3d07619dd5d12b37d3a2ac4b0e8c006c6bc sbin/veriexec will ignore entries that have no hash anyway, but loader needs to be explicitly told that such files are ok to ignore (not verify). We will report as Unverified depending on verbose level, but with no reason - because we are not rejecting the file. MFC r346604 
sbin/veriexec will ignore entries that have no hash anyway,
but loader needs to be explicitly told that such files are
ok to ignore (not verify).

We will report as Unverified depending on verbose level,
but with no reason - because we are not rejecting the file.

MFC r346604