Revision tags: release/14.0.0 |
|
#
1d386b48 |
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line .c pattern
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
Revision tags: release/13.2.0, release/12.4.0, release/13.1.0 |
|
#
66655411 |
| 18-Apr-2022 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Update libsecureboot
Preparation for updating bearssl, pull in updates to libsecureboot.
o fix handling of some out-of-memory cases
o allow more control over reporting of Verified/Unverified files
Update libsecureboot
Preparation for updating bearssl, pull in updates to libsecureboot.
o fix handling of some out-of-memory cases
o allow more control over reporting of Verified/Unverified files. this helps boot time when console output is slow
o recheck verbose/debug level after reading any unverified file
o more debug support for vectx
o hash_string to support fake stat for tftp
o tests/tvo add -v to simply verify signatures
o vets.c allow for HAVE_BR_X509_TIME_CHECK which will greatly simplify verification in loader
o report date when certificate fails validity period checks
Reviewed by: stevek Sponsored by: Juniper Networks, Inc.
show more ...
|
Revision tags: release/12.3.0, release/13.0.0, release/12.2.0, release/11.4.0 |
|
#
16b90565 |
| 10-Mar-2020 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r358731 through r358831.
|
#
afc571b1 |
| 08-Mar-2020 |
Simon J. Gerraty <sjg@FreeBSD.org> |
veloader use vectx API for kernel and modules
The vectx API, computes the hash for verifying a file as it is read. This avoids the overhead of reading files twice - once to verify, then again to loa
veloader use vectx API for kernel and modules
The vectx API, computes the hash for verifying a file as it is read. This avoids the overhead of reading files twice - once to verify, then again to load.
For doing an install via loader, avoiding the need to rewind large files is critical.
This API is only used for modules, kernel and mdimage as these are the biggest files read by the loader. The reduction in boot time depends on how expensive the I/O is on any given platform. On a fast VM we see 6% improvement.
For install via loader the first file to be verified is likely to be the kernel, so some of the prep work (finding manifest etc) done by verify_file() needs to be factored so it can be reused for vectx_open().
For missing or unrecognized fingerprint entries, we fail in vectx_open() unless verifying is disabled.
Otherwise fingerprint check happens in vectx_close() and since this API is only used for files which must be verified (VE_MUST) we panic if we get an incorrect hash.
Reviewed by: imp,tsoome MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org//D23827
show more ...
|
Revision tags: release/12.1.0, release/11.3.0 |
|
#
0269ae4c |
| 06-Jun-2019 |
Alan Somers <asomers@FreeBSD.org> |
MFHead @348740
Sponsored by: The FreeBSD Foundation
|
#
980bde58 |
| 19-May-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot: allow control of when pseudo pcr is updated
During boot we only want to measure things which *must* be verified - this should provide more deterministic ordering.
Reviewed by: stevek
libsecureboot: allow control of when pseudo pcr is updated
During boot we only want to measure things which *must* be verified - this should provide more deterministic ordering.
Reviewed by: stevek MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D20297
show more ...
|
#
2aaf9152 |
| 18-Mar-2019 |
Alan Somers <asomers@FreeBSD.org> |
MFHead@r345275
|
#
b18a4cca |
| 05-Mar-2019 |
Enji Cooper <ngie@FreeBSD.org> |
MFhead@r344786
|
#
844fc3e9 |
| 04-Mar-2019 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r344549 through r344775.
|
#
5fff9558 |
| 26-Feb-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add libsecureboot
Used by loader and veriexec Depends on libbearssl
Reviewed by: emaste Sponsored by: Juniper Networks Differential Revision: D16335
|