| #
dae4eb62
|
| 20-Jan-2025 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot add sha384 and sha512 for OpenPGP
gpg supports SHA384, SHA512 as well as SHA256 so allow for them.
Tweak Makefile.inc so we can build libsecureboot with only OpenPGP trust anchors.
Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D48546
|
| #
4b9d6057
|
| 04-Dec-2023 |
Stéphane Rochoy <stephane.rochoy@stormshield.eu> |
libsecureboot: be more verbose about validation failures
Reviewed by: imp, sjg Pull Request: https://github.com/freebsd/freebsd-src/pull/916
|
| #
1d386b48
|
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line .c pattern
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
| #
9c3478cb
|
| 05-Jul-2023 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot: do not accept certificate we cannot decode
Although we care more about the CN of a certificate than its status (for purpose of reporting), we should skip if we have errors decoding.
Reviewed by: stevek Sponsored by: Juniper Networks, Inc.
|
| #
56f3f2d2
|
| 30-Jun-2023 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot: avoid set but not used errors
Reviewed by: stevek
|
| #
cb25444c
|
| 22-Mar-2021 |
Elyes HAOUAS <ehaouas@noos.fr> |
lib/libsecureboot: Fix some typos
Signed-off-by: Elyes HAOUAS <ehaouas@noos.fr> Pull Request: https://github.com/freebsd/freebsd-src/pull/544
|
| #
ab4f0a15
|
| 19-Jul-2022 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add -S option to veriexec
During software installation, use veriexec -S to strictly enforce certificate validity checks (notBefore, notAfter).
Otherwise ignore certificate validity period. It is generally unacceptable for the Internet to stop working just because someone did not upgrade their infrastructure for a decade.
Sponsored by: Juniper Networks, Inc.
Reviewed by: sebastien.bini_stormshield.eu Differential Revision: https://reviews.freebsd.org/D35758
|
| #
e6ef5042
|
| 29-Jun-2022 |
Wojciech Macek <wma@FreeBSD.org> |
libsecureboot: Do not propagate empty string
If Trust Anchors are provided by UEFI and not compiled into libsecureboot the segmentation fault occurs due to empty or NULL string usage.
Obtained from: Semihalf Reviewed by: sjg Differential revision: https://reviews.freebsd.org/D35120
|
| #
cc9e6590
|
| 18-Apr-2022 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Merge bearssl-20220418
Main change is a callback for checking validity period of certificates.
Merge commit 'f6acb9b9f81c96ae7c9592bee1bb89c4357cc3e5'
Add -DHAVE_BR_X509_TIME_CHECK to libsecureboot/Makefile.inc
|
| #
66655411
|
| 18-Apr-2022 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Update libsecureboot
Preparation for updating bearssl, pull in updates to libsecureboot.
o fix handling of some out-of-memory cases
o allow more control over reporting of Verified/Unverified files. this helps boot time when console output is slow
o recheck verbose/debug level after reading any unverified file
o more debug support for vectx
o hash_string to support fake stat for tftp
o tests/tvo add -v to simply verify signatures
o vets.c allow for HAVE_BR_X509_TIME_CHECK which will greatly simplify verification in loader
o report date when certificate fails validity period checks
Reviewed by: stevek Sponsored by: Juniper Networks, Inc.
|
| #
53f151f9
|
| 25-Mar-2020 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Fix pkgfs stat so it satisfies libsecureboot
We need a valid st_dev, st_ino and st_mtime to correctly track which files have been verified and to update our notion of time.
ve_utc_set(): ignore utc if it would jump our current time by more than VE_UTC_MAX_JUMP (20 years).
Allow testing of install command via userboot. Need to fix its stat implementation too.
bhyveload also needs stat fixed - due to change to userboot.h
Call ve_error_get() from vectx_close() when hash is wrong.
Track the names of files we have hashed into pcr
For the purposes of measured boot, it is important to be able to reproduce the hash reflected in loader.ve.pcr so loader.ve.hashed provides a list of names in the order they were added.
Reviewed by: imp MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org//D24027
|
| #
0e47020f
|
| 20-Dec-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Avoid unused vars when VE_ECDSA_HASH_AGAIN undefined
Reviewed by: emaste MFC after: 1 week
|
| #
18e2fbc0
|
| 24-Oct-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Initialize verbosity and debug level from env
For EFI at least, we can seed the environment with VE_VERBOSE etc.
Reviewed by: stevek imp Sponsored by: Juniper Networks MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D22135
|
| #
a63915c2
|
| 28-Jul-2019 |
Alan Somers <asomers@FreeBSD.org> |
MFHead @r350386
Sponsored by: The FreeBSD Foundation
|
| #
3ae2a848
|
| 11-Jul-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot: avoid recursion in ve_trust_init
set our guard value immediately. also replace call to ve_trust_init in opgp_sig.c:initialize with call to openpgp_trust_init.
Reported by: mindal@semihalf.com Reviewed by: jhibbits obrien MFC after: 1 week
|
| #
7f49ce7a
|
| 27-Jun-2019 |
Alan Somers <asomers@FreeBSD.org> |
MFHead @349476
Sponsored by: The FreeBSD Foundation
|
| #
f9510887
|
| 26-Jun-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot: allow OpenPGP support to be dormant
Since we can now add OpenPGP trust anchors at runtime, ensure the latent support is available.
Ensure we do not add duplicate keys to trust store.
Also allow reporting names of trust anchors added/revoked
We only do this for loader and only after initializing trust store. Thus only changes to initial trust store will be logged.
Reviewed by: stevek MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D20700
|
| #
7648bc9f
|
| 13-May-2019 |
Alan Somers <asomers@FreeBSD.org> |
MFHead @347527
Sponsored by: The FreeBSD Foundation
|
| #
9bee6a60
|
| 09-May-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
libsecureboot: make it easier to customize trust anchors
Avoid making hash self-tests depend on X.509 certs. Include OpenPGP keys in trust store count.
Reviewed by: stevek MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D20208
|
| #
2aaf9152
|
| 18-Mar-2019 |
Alan Somers <asomers@FreeBSD.org> |
MFHead@r345275
|
| #
ff511f1f
|
| 11-Mar-2019 |
Enji Cooper <ngie@FreeBSD.org> |
MFhead@r344996
|
| #
13ea0450
|
| 06-Mar-2019 |
Marcin Wojtas <mw@FreeBSD.org> |
Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation
UEFI related headers were copied from edk2.
A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow loading of trusted anchors from UEFI.
Certificate revocation support is also introduced. The forbidden certificates are loaded from dbx variable. Verification fails in two cases:
1. There is a direct match between cert in dbx and the one in the chain.
2. The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx. In this case verification fails only if a direct match with a certificate in chain is found.
Submitted by: Kornel Duleba <mindal@semihalf.com> Reviewed by: sjg Obtained from: Semihalf Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D19093
|
| #
b18a4cca
|
| 05-Mar-2019 |
Enji Cooper <ngie@FreeBSD.org> |
MFhead@r344786
|
| #
844fc3e9
|
| 04-Mar-2019 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r344549 through r344775.
|
| #
5fff9558
|
| 26-Feb-2019 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Add libsecureboot
Used by loader and veriexec Depends on libbearssl
Reviewed by: emaste Sponsored by: Juniper Networks Differential Revision: D16335
|