libsecureboot add sha384 and sha512 for OpenPGP

gpg supports SHA384, SHA512 as well as SHA256 so allow for them.

Tweak Makefile.inc so we can build libsecureboot with only OpenPGP
trust anchors.

R

libsecureboot add sha384 and sha512 for OpenPGP

gpg supports SHA384, SHA512 as well as SHA256 so allow for them.

Tweak Makefile.inc so we can build libsecureboot with only OpenPGP
trust anchors.

Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D48546

show more ...

Remove residual blank line at start of Makefile

This is a residual of the $FreeBSD$ removal.

MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix

libsecureboot do not report expected unverified files

By default only report unverified files at severity VE_WANT
and above. This inlcudes *.conf but not *.hints, *.cookie
or *.tgz which get VE_TRY

libsecureboot do not report expected unverified files

By default only report unverified files at severity VE_WANT
and above. This inlcudes *.conf but not *.hints, *.cookie
or *.tgz which get VE_TRY as their severity.

If Verbose is set to 0, then VerifyFlags should default to 0 too.
Thus the combination of

module_verbose=0
VE_VEBOSE=0

is sufficient to make the loader almost totally silent.

When verify_prep has to find_manifest and it is verified ok
return VE_NOT_CHECKED to verify_file so that it can skip
repeating verify_fd

Also add better debugging output for is_verified and add_verify_status.

vectx handle compressed modules

When verifying a compressed module (.ko.gz or .ko.bz2)
stat() reports the size as -1 (unknown).
vectx_lseek needs to spot this during closing - and just read until
EOF is hit.

Note: because of the way libsa's open() works, verify_prep will see
the path to be verified as module.ko not module.ko.bz2 etc. This is
actually ok, because we need a separate module.ko.bz2 entry so that
the package can be verified, and the hash for module.ko is of the
uncompressed file which is what vectx will see.

Re-work local.trust.mk so site.trust.mk need only set
VE_SIGN_URL_LIST (if using the mentioned signing server)

interp.c: restrict interactive input

Apply the same restrictions to interactive input as for
unverified conf and hints files.

Use version.veriexec when LOADER_VERIEXEC is yes

Reviewed by: kevans
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D43810

show more ...

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

libsecureboot ensure correct BUILD_UTC

If using stat(1) on BUILD_UTC_FILE we should use -L incase
it is a symlink.

If we have new enough bmake though we can just use ${BUILD_UTC_FILE:mtime}

Merge bearssl-20220418

Main change is a callback for checking validity period of certificates.

Merge commit 'f6acb9b9f81c96ae7c9592bee1bb89c4357cc3e5'

Add -DHAVE_BR_X509_TIME_CHECK to libsecureboo

Merge bearssl-20220418

Main change is a callback for checking validity period of certificates.

Merge commit 'f6acb9b9f81c96ae7c9592bee1bb89c4357cc3e5'

Add -DHAVE_BR_X509_TIME_CHECK to libsecureboot/Makefile.inc

show more ...

MFHead @347527

Sponsored by: The FreeBSD Foundation

libsecureboot: make it easier to customize trust anchors

Avoid making hash self-tests depend on X.509 certs.
Include OpenPGP keys in trust store count.

Reviewed by: stevek
MFC after: 1 week
Sponsor

libsecureboot: make it easier to customize trust anchors

Avoid making hash self-tests depend on X.509 certs.
Include OpenPGP keys in trust store count.

Reviewed by: stevek
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D20208

show more ...

MFHead@r345275

MFhead@r344996

Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation

UEFI related headers were copied from edk2.

A new build option "MK_LOADER_EFI_SECUREBOOT" was added

Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation

UEFI related headers were copied from edk2.

A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow
loading of trusted anchors from UEFI.

Certificate revocation support is also introduced.
The forbidden certificates are loaded from dbx variable.
Verification fails in two cases:

There is a direct match between cert in dbx and the one in the chain.
The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx.
In this case verifications fails only if a direct match with a
certificate in chain is found.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19093

show more ...

MFhead@r344786

Allow for reproducible build

Use SOURCE_DATE_EPOCH for BUILD_UTC if MK_REPRODUCIBLE_BUILD is yes.
Default SOURCE_DATE_EPOCH to 2019-01-01

Reviewed by: emaste
Sponsored by: Juniper Networks
Differen

Allow for reproducible build

Use SOURCE_DATE_EPOCH for BUILD_UTC if MK_REPRODUCIBLE_BUILD is yes.
Default SOURCE_DATE_EPOCH to 2019-01-01

Reviewed by: emaste
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D19464

show more ...

Merge ^/head r344549 through r344775.

Add libsecureboot

Used by loader and veriexec
Depends on libbearssl

Reviewed by: emaste
Sponsored by: Juniper Networks
Differential Revision: D16335