System trust configuration and local root keygen
Needs Review (Public)

Authored by on Aug 3 2018, 1:54 AM.


Group Reviewers

This is a part of the work on trust.

This adds a man page describing the system trust configuration, entries to the mtree files and hier(7) man page, and an rc script for generating local root keys.

This is not intended to be integrated anytime soon.

Test Plan

This has been tested out.

Diff Detail

Repository: rS FreeBSD src repository
Lint: Skipped
Unit Tests: Skipped

Event Timeline

An alternative I'm considering: have a seldom-used master key named something like "machine", "master", "root", etc. which is the local trust root key. Have "local" be an intermediate keypair, signed by this master key. The master key acts only as a key-signing certificate; it cannot sign code or issue general signatures. The local key can issue more general signatures.

Then have signelf default to the local key, rather than the master key.
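The machine/local split described in the comment above, as an added example that is not part of this review or of the FreeBSD trust work: a POSIX sh script that uses the openssl(1) CLI to build a "machine" root whose keyUsage is limited to certificate signing, a "local" end-entity key signed by it that carries digitalSignature and the codeSigning EKU, and the checks a signer would run before trusting that local key (chain to the root, expiry window, and the key-usage bits). The file names, subjects, lifetimes, extension profile and function names are assumptions for illustration; they are not the review's rc script or its defaults.

```shell
#!/bin/sh
# Added example: models the machine/local key split from the review comment
# with the openssl(1) CLI. Names, lifetimes and extension choices are
# assumptions for illustration, not the review's rc script or its defaults.
set -eu

# Extension profiles for the two tiers.
#   machine: self-signed root, CA:TRUE, keyUsage=keyCertSign,cRLSign only.
#            It can issue certificates but cannot make code signatures.
#   local:   end-entity issued by machine, keyUsage=digitalSignature and
#            EKU=codeSigning, so it signs code but cannot issue certificates.
write_ext_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]

[machine]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[local]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, codeSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Create machine.key/machine.pem and local.key/local.pem under directory $1.
# The machine key is used exactly once here, to issue local.pem.
gen_trust_root() {
    dir=$1
    mkdir -p "$dir"
    write_ext_config "$dir/ext.cnf"
    for name in machine local; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
            -out "$dir/$name.key" 2>/dev/null
        openssl req -new -key "$dir/$name.key" -config "$dir/ext.cnf" \
            -subj "/O=local trust root/CN=$name" -out "$dir/$name.csr" 2>/dev/null
    done
    # Self-signed machine root, 10 years.
    openssl x509 -req -in "$dir/machine.csr" -signkey "$dir/machine.key" \
        -days 3650 -extfile "$dir/ext.cnf" -extensions machine \
        -out "$dir/machine.pem" 2>/dev/null
    # Local signing certificate issued by the machine root, 1 year.
    openssl x509 -req -in "$dir/local.csr" -CA "$dir/machine.pem" \
        -CAkey "$dir/machine.key" -CAcreateserial -days 365 \
        -extfile "$dir/ext.cnf" -extensions local \
        -out "$dir/local.pem" 2>/dev/null
    rm -f "$dir"/*.csr
}

# 0 when local.pem under $1 chains to machine.pem, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$1/machine.pem" "$1/local.pem" >/dev/null 2>&1
}

# 0 when certificate $1 is still valid for at least $2 more days
# (the expiry check the review mentions, via x509 -checkend).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 when certificate $1 carries key-usage text $2, e.g. "Certificate Sign".
has_key_usage() {
    openssl x509 -in "$1" -noout -text | sed -n '/Key Usage/{n;p;}' | grep -q "$2"
}

# Sign file $2 with the local key under $1, writing $2.sig. This is the role
# a signer such as signelf would default to: the local key, not the machine key.
sign_file() {
    openssl dgst -sha256 -sign "$1/local.key" -out "$2.sig" "$2"
}

# Accept $2.sig only if local.pem still chains to the machine root AND the
# signature verifies against the public key carried in local.pem.
verify_file() {
    verify_chain "$1" || return 1
    openssl x509 -in "$1/local.pem" -pubkey -noout > "$1/local.pub"
    openssl dgst -sha256 -verify "$1/local.pub" -signature "$2.sig" "$2" \
        >/dev/null 2>&1
}

demo() {
    gen_trust_root "$1"
    printf 'hello\n' > "$1/payload"
    sign_file "$1" "$1/payload"
    verify_file "$1" "$1/payload" && echo "payload: signature OK, chain OK"
    valid_for_days "$1/local.pem" 30 && echo "local.pem: valid for 30 more days"
    has_key_usage "$1/machine.pem" "Certificate Sign" && echo "machine.pem: may issue certs"
    has_key_usage "$1/machine.pem" "Digital Signature" || echo "machine.pem: may not sign code"
}

# Usage: sh trust-root.sh /path/to/scratch-dir
if [ $# -eq 1 ]; then
    demo "$1"
fi
```

The point of `verify_file` is that a code signature is only as good as the issuer check that precedes it: a signature made with the machine key would verify cryptographically, but the machine certificate's keyUsage has no digitalSignature bit, so a verifier that checks the bits (as `has_key_usage` does) rejects it, which is what keeps the root out of day-to-day signing.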

Trying to limit myself to reviewing as manpages and not getting into the design itself...


This is interpreted as "5)" being the macro argument. For parallelism, I'd suggest:

.Po see
.Xr signed-elf 5 Pc


Start new sentences on a new line, please.


TERMINOLOGY is not a standard section name (see mdoc(7)); perhaps a subsection is more appropriate, with a list for the individual terms?


intermediates are never leaf certs, right? Do you want to say that?


What are "assets"?


I'd suggest using a Bl variant that allows item heads and skipping the colons.


With the same file name, or DN/SAN? If the former, that's kind of an awkward requirement to impose.


I don't think Qq is very common -- I see a lot more Dq.


DEFAULT is also not a standard section name.

I've checked the mdoc syntax. It is going to be fine after the changes suggested by @bjk.



You may consider using Qq Pa for .pem (or Dq instead of Qq as suggested by @bjk).


Yeah, Dq is much more popular. In fact, you rarely see Qq and Sq in the wild: the only manpage I can remember to use those a lot is sh(1).

Sq seems to be used primarily to quote single characters.

If I were to rewrite most of manpages I'd go for Qq instead of Dq but it won't happen any time soon. 😄

Note: I want to let this sit for a while, and I'd prefer to commit this along with other components of the trust framework.

Added machine vs. local keys, fixed errors in the scripts, added checking for key expiry, fixed some other issues.

Fixed signing of local cert, and added default DN generation

Can you bump the .Dd at the beginning of share/man/man7/hier.7 for this content change? Thanks!