author | Marcin Wojtas <mw@FreeBSD.org> | 2019-03-06 06:39:42 +0000 |
---|---|---|
committer | Marcin Wojtas <mw@FreeBSD.org> | 2019-03-06 06:39:42 +0000 |
commit | 13ea0450a9c8742119d36f3bf8f47accdce46e54 (patch) | |
tree | 08c5058c1b3a1cde3be3dd1e7d12a25058e72d5f /lib/libsecureboot/libsecureboot-priv.h | |
parent | ce37b71e6809fe5074be54230da9cf09543d3cdd (diff) | |
Extend libsecureboot (old libve) to obtain trusted certificates from UEFI and implement revocation
UEFI related headers were copied from edk2.
A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow
loading of trusted anchors from UEFI.
Certificate revocation support is also introduced.
The forbidden certificates are loaded from dbx variable.
Verification fails in two cases:
There is a direct match between cert in dbx and the one in the chain.
The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx.
In this case verification fails only if a direct match with a
certificate in chain is found.
Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19093
Notes:
svn path=/head/; revision=344840
Diffstat (limited to 'lib/libsecureboot/libsecureboot-priv.h')
-rw-r--r-- | lib/libsecureboot/libsecureboot-priv.h | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/lib/libsecureboot/libsecureboot-priv.h b/lib/libsecureboot/libsecureboot-priv.h index 0618f05f15b1..5cfc9800c829 100644 --- a/lib/libsecureboot/libsecureboot-priv.h +++ b/lib/libsecureboot/libsecureboot-priv.h @@ -31,8 +31,15 @@ /* public api */ #include "libsecureboot.h" +typedef struct { + unsigned char *data; + size_t hash_size; +} hash_data; + size_t ve_trust_anchors_add(br_x509_certificate *, size_t); -char *fingerprint_info_lookup(int, const char *); +size_t ve_forbidden_anchors_add(br_x509_certificate *, size_t); +void ve_forbidden_digest_add(hash_data *digest, size_t); +char *fingerprint_info_lookup(int, const char *); br_x509_certificate * parse_certificates(unsigned char *, size_t, size_t *); int certificate_to_trust_anchor_inner(br_x509_trust_anchor *, @@ -45,4 +52,9 @@ int verify_rsa_digest(br_rsa_public_key *pkey, int openpgp_self_tests(void); +int efi_secure_boot_enabled(void); +br_x509_certificate* efi_get_trusted_certs(size_t *count); +br_x509_certificate* efi_get_forbidden_certs(size_t *count); +hash_data* efi_get_forbidden_digests(size_t *count); + #endif /* _LIBSECUREBOOT_PRIV_H_ */ |
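Review bot: In the first hunk (@@ -31,8 +31,15 @@), `ve_forbidden_digest_add(hash_data *digest, size_t);` returns void while `ve_trust_anchors_add` and `ve_forbidden_anchors_add` both return size_t, so a caller cannot tell whether any dbx digests were actually registered. For a revocation list a silent failure is fail-open; consider returning the number of digests added, as the two neighbouring functions do, and naming the second parameter, which is the only unnamed one on that line. `hash_data` carries only `data` and `hash_size` with no algorithm identifier, so a comment should say how the digest algorithm is determined and who owns `data`. The typedef name is also very generic for a shared private header; a `ve_` prefix would match the functions around it.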
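Review bot: In the second hunk (@@ -45,4 +52,9 @@), the prototypes `efi_get_forbidden_certs(size_t *count)` and `efi_get_forbidden_digests(size_t *count)` give the caller no documented way to tell an empty dbx from a failed read of the variable, and treating a failed read as "nothing forbidden" would skip revocation. Please document the return contract for all three getters (what a NULL return and `*count` mean on error versus on an empty list, and who frees the returned array), or add an explicit status return. Style: `br_x509_certificate*` and `hash_data*` should have a space before the `*` to match `br_x509_certificate * parse_certificates(...)` earlier in the same header. The commit message ties these functions to the MK_LOADER_EFI_SECUREBOOT option, but the declarations here are unconditional; a comment noting that they are only defined when that option is set would help readers of the header.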