Introduce new Secure Boot library
AbandonedPublic
Actions

Authored by kd on Jan 9 2019, 6:15 PM.

Details

Reviewers

trasz
cem
sjg
mw

Group Reviewers

secteam

Summary

It is primarly used in loader to verify kernel and its modules. Since making the OpenSSL work in loader proved to be problematic, it uses BearSSL instead. It is planned to use it to verify modules in kldload.

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

kd created this revision.Jan 9 2019, 6:15 PM

kd created this object with visibility "Custom Policy".

Herald added a subscriber: Contributor Reviews (src). · View Herald TranscriptJan 9 2019, 6:15 PM

kd added a child revision: D18799: Create binsign tool to sign binary files for Secure Boot.Jan 9 2019, 6:20 PM

kd added a child revision: D18798: Implement Secure Boot in loader..

kd added parent revisions: D18794: Introduce Build options for Secure Boot, D18795: Build libbearssl for Secure Boot..

kd added reviewers: secteam, trasz, cem, sjg.Jan 9 2019, 6:28 PM

kd added a reviewer: mw.Jan 9 2019, 6:31 PM

kd changed the visibility from "Custom Policy" to "Public (No Login Required)".

Herald added a subscriber: imp. · View Herald TranscriptJan 9 2019, 6:31 PM

mst_semihalf.com added a subscriber: mst_semihalf.com.Jan 9 2019, 6:39 PM

(sorry don't know how else to contact you ;-)
I'm thinking this should be merged with libve so we can work to a single API that loader calls to verify stuff.
The functionality you have is I think a subset of that in libve.
The name libve is far from ideal.
Do you have any objection to renaming it to libsecureboot as a first step?

In D18797#401557, @sjg wrote:

(sorry don't know how else to contact you ;-)
I'm thinking this should be merged with libve so we can work to a single API that loader calls to verify stuff.
The functionality you have is I think a subset of that in libve.
The name libve is far from ideal.
Do you have any objection to renaming it to libsecureboot as a first step?

I like the idea of integrating both libraries, the problem is that right now I don't know how much effort it would take. I've also emailed you a more elaborate response.

Abandoned in favor of https://reviews.freebsd.org/D19093