authorMarcin Wojtas <mw@FreeBSD.org>2019-03-06 06:39:42 +0000
committerMarcin Wojtas <mw@FreeBSD.org>2019-03-06 06:39:42 +0000
commit13ea0450a9c8742119d36f3bf8f47accdce46e54 (patch)
tree08c5058c1b3a1cde3be3dd1e7d12a25058e72d5f /lib/libsecureboot/local.trust.mk
parentce37b71e6809fe5074be54230da9cf09543d3cdd (diff)
Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation
UEFI related headers were copied from edk2. A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow loading of trusted anchors from UEFI. Certificate revocation support is also introduced. The forbidden certificates are loaded from the dbx variable. Verification fails in two cases: There is a direct match between cert in dbx and the one in the chain. The CA used to sign the chain is found in dbx. One can also insert a hash of TBS section of a certificate into dbx. In this case verification fails only if a direct match with a certificate in chain is found. Submitted by: Kornel Duleba <mindal@semihalf.com> Reviewed by: sjg Obtained from: Semihalf Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D19093
Notes
Notes: svn path=/head/; revision=344840
Diffstat (limited to 'lib/libsecureboot/local.trust.mk')
-rw-r--r--lib/libsecureboot/local.trust.mk19
1 files changed, 9 insertions, 10 deletions
diff --git a/lib/libsecureboot/local.trust.mk b/lib/libsecureboot/local.trust.mk
index f26a4ec0a9be..cdc3a796b7ec 100644
--- a/lib/libsecureboot/local.trust.mk
+++ b/lib/libsecureboot/local.trust.mk
@@ -7,27 +7,26 @@
# for each key will provide the appropriate certificate chain on request
# force these for Junos
-MANIFEST_SKIP_ALWAYS= boot
+#MANIFEST_SKIP_ALWAYS= boot
VE_HASH_LIST= \
SHA1 \
SHA256 \
- SHA384
+ SHA384 \
+ SHA512
VE_SIGNATURE_LIST= \
- ECDSA
+ ECDSA \
+ RSA
VE_SIGNATURE_EXT_LIST= \
- esig
+ esig \
+ rsig
VE_SELF_TESTS= yes
.if ${MACHINE} == "host" && ${.CURDIR:T} == "tests"
-# for testing
-VE_HASH_LIST+= \
- SHA512
VE_SIGNATURE_LIST+= \
- RSA \
DEPRECATED_RSA_SHA1
VE_SIGNATURE_EXT_LIST+= \
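Review bot: `#MANIFEST_SKIP_ALWAYS= boot` near the top of this hunk disables a setting by commenting it out, and neither the file nor the commit description says why, while the `# force these for Junos` comment directly above still reads as if the value were forced. This file decides what the verifier is built to accept, so a silently disabled knob is hard to audit later; either delete the line or give it a reason, e.g. `# MANIFEST_SKIP_ALWAYS intentionally unset: <reason>`. The `.if ${MACHINE} == "host"` test block at the end of the hunk continues past its last line, so the remaining test-only additions are not visible here.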
@@ -88,7 +87,7 @@ vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE
.endif
# we take the mtime of this as our baseline time
-BUILD_UTC_FILE= ecerts.pem
+#BUILD_UTC_FILE= ecerts.pem
#VE_DEBUG_LEVEL=3
#VE_VERBOSE_DEFAULT=1
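Review bot: The comment `# we take the mtime of this as our baseline time` stays in place above `#BUILD_UTC_FILE= ecerts.pem`, so it now documents a setting that is switched off. Judging by the name and that comment, this value supplies the baseline time used during verification; what the build falls back to when it is unset is not visible in this hunk and should be confirmed, because the baseline affects certificate validity-period checks. I would replace the two lines with a single accurate comment such as `# BUILD_UTC_FILE unset: baseline time comes from <fallback>`, or remove both.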
@@ -97,7 +96,7 @@ BUILD_UTC_FILE= ecerts.pem
.if empty(TRUST_ANCHORS)
TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
.endif
-.if empty(TRUST_ANCHORS)
+.if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"
.error Need TRUST_ANCHORS see ${.CURDIR}/README.rst
.endif
.if ${TRUST_ANCHORS:T:Mt*.pem} != ""
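Review bot: `${MK_LOADER_EFI_SECUREBOOT} != "yes"` on the new `.if` line expands the option without a default, so if this makefile is read in a context where the src options have not been loaded, bmake is likely to reject the conditional as malformed instead of reaching the intended `.error`. Giving it a default keeps the guard well-formed: `.if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT:Uno} != "yes"`. The line also deserves a comment stating the consequence, e.g. `# no built-in anchors is acceptable only when anchors are loaded from UEFI at boot`, since with the option set the build now succeeds with no compiled-in trust anchors at all. The `.if` on the last line of the hunk is closed outside it.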