
Implement Secure Boot in loader.
AbandonedPublic

Authored by mindal_semihalf.com on Jan 9 2019, 6:16 PM.

Details

Reviewers
trasz
cem
sjg
mw
wma
Group Reviewers
secteam
Summary

This patch adds signature verification routines to the loader. It uses the newly added secureboot library. The trusted/revoked certificates are obtained from the UEFI db/dbx variables. Support for authorized timestamps stored in dbt is not implemented. Headers with definitions of UEFI standardized structures were copied from edk2.
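The summary says the trust anchors come from the UEFI db/dbx variables. Both variables carry the same format: a sequence of EFI_SIGNATURE_LIST structures, each holding a SignatureType GUID, three size fields, an optional header, and fixed-size entries that each start with a SignatureOwner GUID. The example below, added here for illustration and not code from this patch, from libsecureboot or from edk2, parses such a blob and checks whether a SHA-256 digest appears in it (the dbx revocation case). The layout and the EFI_CERT_SHA256_GUID value are from the UEFI specification; the blob is constructed in the example rather than read from firmware, and the X.509 list type that db normally carries is skipped rather than handled.

```c
/*
 * Added example: walk a UEFI db/dbx payload (a run of EFI_SIGNATURE_LIST
 * structures) and look up a SHA-256 digest. Not the patch's code; the
 * blob fed to the parser is constructed in sigdb_selftest().
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef struct {
	uint32_t data1;
	uint16_t data2;
	uint16_t data3;
	uint8_t  data4[8];
} efi_guid_t;			/* 16 bytes, no padding */

/* EFI_CERT_SHA256_GUID as defined by the UEFI specification. */
static const efi_guid_t efi_cert_sha256_guid = {
	0xc1c41626, 0x504c, 0x4092,
	{ 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }
};

/* Fixed part of EFI_SIGNATURE_LIST (28 bytes); entries follow the header. */
typedef struct {
	efi_guid_t signature_type;
	uint32_t   signature_list_size;
	uint32_t   signature_header_size;
	uint32_t   signature_size;
} efi_signature_list_t;

/*
 * Returns 1 if `hash` is in an EFI_CERT_SHA256 list, 0 if absent, -1 if the
 * blob is malformed. Every size field is bounded against the remaining
 * buffer before use: variable contents are attacker-influenceable input
 * to the loader and must not be trusted to be well-formed.
 */
int
sigdb_contains_sha256(const uint8_t *blob, size_t len, const uint8_t *hash)
{
	size_t off = 0;

	while (off < len) {
		efi_signature_list_t sl;
		size_t body, nsig, i;

		if (len - off < sizeof(sl))
			return (-1);
		memcpy(&sl, blob + off, sizeof(sl));	/* unaligned-safe read */
		if (sl.signature_list_size < sizeof(sl) ||
		    sl.signature_list_size > len - off)
			return (-1);
		body = sl.signature_list_size - sizeof(sl);
		if (sl.signature_header_size > body)
			return (-1);
		body -= sl.signature_header_size;
		/* Each entry is a SignatureOwner GUID followed by the data. */
		if (sl.signature_size <= sizeof(efi_guid_t) ||
		    body % sl.signature_size != 0)
			return (-1);
		nsig = body / sl.signature_size;

		if (memcmp(&sl.signature_type, &efi_cert_sha256_guid,
		    sizeof(efi_guid_t)) == 0) {
			const uint8_t *ent = blob + off + sizeof(sl) +
			    sl.signature_header_size;

			/* A SHA-256 entry is exactly GUID + 32-byte digest. */
			if (sl.signature_size != sizeof(efi_guid_t) + 32)
				return (-1);
			for (i = 0; i < nsig; i++, ent += sl.signature_size)
				if (memcmp(ent + sizeof(efi_guid_t), hash, 32) == 0)
					return (1);
		}
		off += sl.signature_list_size;	/* next list, e.g. X.509 */
	}
	return (0);
}

/* Build one EFI_CERT_SHA256 list holding `n` digests (32 bytes each). */
size_t
build_sha256_list(uint8_t *out, size_t cap, const uint8_t *digests, size_t n)
{
	efi_signature_list_t sl;
	static const efi_guid_t owner = { 0 };	/* SignatureOwner: arbitrary */
	size_t need = sizeof(sl) + n * (sizeof(efi_guid_t) + 32), i;
	uint8_t *p = out + sizeof(sl);

	if (need > cap)
		return (0);
	sl.signature_type = efi_cert_sha256_guid;
	sl.signature_list_size = (uint32_t)need;
	sl.signature_header_size = 0;
	sl.signature_size = sizeof(efi_guid_t) + 32;
	memcpy(out, &sl, sizeof(sl));
	for (i = 0; i < n; i++, p += sl.signature_size) {
		memcpy(p, &owner, sizeof(owner));
		memcpy(p + sizeof(owner), digests + i * 32, 32);
	}
	return (need);
}

/* Exercise the parser on a constructed dbx-style blob; 0 means all good. */
int
sigdb_selftest(void)
{
	uint8_t blob[128], digests[64], unknown[32];
	size_t len;

	memset(digests, 0xaa, 32);
	memset(digests + 32, 0xbb, 32);
	memset(unknown, 0xcc, 32);
	len = build_sha256_list(blob, sizeof(blob), digests, 2);
	if (len != 28 + 2 * 48)
		return (1);
	if (sigdb_contains_sha256(blob, len, digests + 32) != 1)
		return (2);
	if (sigdb_contains_sha256(blob, len, unknown) != 0)
		return (3);
	/* Truncated variable: the list claims more bytes than are present. */
	if (sigdb_contains_sha256(blob, len - 1, digests + 32) != -1)
		return (4);
	return (0);
}

int
main(void)
{
	printf("sigdb selftest: %d\n", sigdb_selftest());
	return (sigdb_selftest() != 0);
}
```

In a loader this lookup would run on the dbx contents before any db match is accepted, since a revoked hash must win over a trusted one; a list whose size fields do not add up should be treated as a verification failure rather than skipped.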


Event Timeline

mindal_semihalf.com created this object with visibility "Custom Policy".
mindal_semihalf.com changed the visibility from "Custom Policy" to "Public (No Login Required)".
sjg added a comment. Jan 9 2019, 7:32 PM

There is potentially a lot of overlap with D16335; libsecureboot could be a better name for that than libve.
It would be good to leverage both.

For example, D16335 contains an API which can verify the hash of a file as a side effect of reading it (reduces boot overhead);
it isn't used yet due to the considerable churn in the loader module reading logic.
Also, D16335 can work without UEFI, but the combination would be better.

Phab is a horrible way to conduct a discussion though - perhaps an email exchange would be useful.