| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Notes:
svn path=/head/; revision=363351
|
| |
|
|
| |
Notes:
svn path=/head/; revision=363350
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since we can now add OpenPGP trust anchors at runtime,
ensure the latent support is available.
Ensure we do not add duplicate keys to trust store.
Also allow reporting names of trust anchors added/revoked
We only do this for loader and only after initializing trust store.
Thus only changes to initial trust store will be logged.
Reviewed by: stevek
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D20700
Notes:
svn path=/head/; revision=349446
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid making hash self-tests depend on X.509 certs.
Include OpenPGP keys in trust store count.
Reviewed by: stevek
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D20208
Notes:
svn path=/head/; revision=347408
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
implement revocation
UEFI related headers were copied from edk2.
A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow
loading of trusted anchors from UEFI.
Certificate revocation support is also introduced.
The forbidden certificates are loaded from dbx variable.
Verification fails in two cases:
There is a direct match between cert in dbx and the one in the chain.
The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx.
In this case verifications fails only if a direct match with a
certificate in chain is found.
Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19093
Notes:
svn path=/head/; revision=344840
|
|
|
Used by loader and veriexec
Depends on libbearssl
Reviewed by: emaste
Sponsored by: Juniper Networks
Differential Revision: D16335
Notes:
svn path=/head/; revision=344565
|
