
Create binsign tool to sign binary files for Secure Boot
Needs Review, Public

Authored by mindal_semihalf.com on Wed, Jan 9, 6:17 PM.

Details

Reviewers
trasz
sjg
mw
0mp
cem
Group Reviewers
manpages
secteam
Summary

It uses BearSSL as the cryptographic backend. It creates a signature as specified in the PKCS#1 v2 standard. The signature, together with a certificate, is appended to the file.
It is used in the Secure Boot implementation: https://reviews.freebsd.org/D18797.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Lint Skipped
Unit
Unit Tests Skipped

Event Timeline

mindal_semihalf.com created this object with visibility "Custom Policy".
mindal_semihalf.com retitled this revision from "Add tool to sign binary files" to "Create binsign tool to sign binary files for Secure Boot". Wed, Jan 9, 6:28 PM
mindal_semihalf.com added reviewers: trasz, secteam, cem, sjg.
mindal_semihalf.com changed the visibility from "Custom Policy" to "Public (No Login Required)".
imp added a comment. Thu, Jan 10, 12:37 AM

how is this different than uefisign(8)?

cem resigned from this revision. Thu, Jan 10, 12:58 AM
0mp requested changes to this revision. Thu, Jan 10, 9:24 AM
0mp added a subscriber: 0mp.

From the man page side: could you confirm that igor (textproc/igor) and mandoc -Tlint do not produce any errors?

This revision now requires changes to proceed. Thu, Jan 10, 9:24 AM
In D18799#401279, @imp wrote:

how is this different than uefisign(8)?

The uefisign is designed to work only with PE binaries, that is, only ones that can be run directly in UEFI. You can read more about it here.

Update date to correct format and remove unnecessary leftover .Pp. After this change both igor and mandoc pass without a warning.

0mp requested changes to this revision. Thu, Jan 10, 2:13 PM
In D18799#401279, @imp wrote:

how is this different than uefisign(8)?

The uefisign is designed to work only with PE binaries, that is, only ones that can be run directly in UEFI. You can read more about it here.

Shouldn't we include a short comparison of those two utilities in the manual page?

usr.sbin/binsign/binsign.8
2

I am not sure if it is important, but it's missing the SPDX tag.

5

No longer needed. See D15370 for example.

27

Missing $FreeBSD$

44

.Xr loader 8 instead of Loader?

Also, should we describe how to configure the loader?

51

Could you have a look at src/share/man/man5/style.mdoc.5 and try to format the examples sections similarly?

54

.Pa cert.key
and
.Pa cert.der

56

Would it be beneficial to reference the PKCS#1 v2 standard here? Similarly to how it's done in CMSG_DATA(3) for example.

57

It would be great to cross-reference this manual page from loader(8) and other related manuals (like uefisign(8) perhaps?).

usr.sbin/binsign/binsign.c
26

Missing $FreeBSD$.

This revision now requires changes to proceed. Thu, Jan 10, 2:13 PM
emaste added a subscriber: emaste. Thu, Jan 10, 3:28 PM

Shouldn't we include a short comparison of those two utilities in the manual page?

At least there should be a .Xr between the tools.

usr.sbin/binsign/binsign.8
40–43

So the result is an ELF file with extra stuff tacked on the end. How do existing tools (kernel, rtld, readelf, objcopy, etc.) treat this?

trasz added a comment. Thu, Jan 10, 9:45 PM

Just a general suggestion: could you consider adding the "-o" option instead of overwriting the input file with a signed one, just like uefisign(8) does it? It makes it much easier to hook it into various automation things - build systems and such.

usr.sbin/binsign/binsign.8
40–43

Yes, that's essentially how it works. So far it seems that it doesn't break anything, that is, signed files are loading and working properly. The readelf tool also processes them without complaining. Having said that, the "cleaner" solution would be to create a new section, let's say ".signature", and store it there. The problem is that it would complicate the code, and bear in mind that we have to process said signature in the loader. Integrating a new library (probably libelf) with the loader would most likely be problematic.

Modify manpage according to @0mp suggestions and add output file option.
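
The inline discussion of binsign.8 lines 40–43 above concerns an ELF file with data appended past its end. The following is an added example, not code from this revision or from binsign: it computes where an ELF64 file ends according to its own headers and returns whatever follows. The function names and the sample file are constructed for illustration, and since the trailer layout is not described on this page, the trailing bytes are returned uninterpreted.

```python
import struct

def elf64_extent(data: bytes) -> int:
    """Offset just past the last byte that the ELF64 headers account for."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 file")
    e = "<" if data[5] == 1 else ">"                 # EI_DATA: 1 = little-endian
    phoff, shoff = struct.unpack_from(e + "QQ", data, 0x20)
    ehsize, phentsize, phnum, shentsize, shnum = struct.unpack_from(e + "5H", data, 0x34)
    end = max(ehsize,
              phoff + phnum * phentsize if phnum else 0,
              shoff + shnum * shentsize if shnum else 0)
    for i in range(phnum):                           # segments: p_offset + p_filesz
        base = phoff + i * phentsize
        p_offset, = struct.unpack_from(e + "Q", data, base + 0x08)
        p_filesz, = struct.unpack_from(e + "Q", data, base + 0x20)
        end = max(end, p_offset + p_filesz)
    for i in range(shnum):                           # sections: sh_offset + sh_size
        base = shoff + i * shentsize
        sh_type, = struct.unpack_from(e + "I", data, base + 0x04)
        sh_offset, sh_size = struct.unpack_from(e + "QQ", data, base + 0x18)
        if sh_type != 8:                             # SHT_NOBITS occupies no file space
            end = max(end, sh_offset + sh_size)
    return end

def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the ELF image; empty if there are none."""
    end = elf64_extent(data)
    if end > len(data):
        raise ValueError("file is shorter than its headers claim")
    return data[end:]

def build_sample(trailer: bytes = b"") -> bytes:
    """Constructed minimal ELF64: header, 1 program header, 16 payload bytes, 2 section headers."""
    payload = b"\x90" * 16
    off = 64 + 56                                    # payload follows ehdr + phdr
    shoff = off + len(payload)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, shoff, 0, 64, 56, 1, 64, 2, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, shoff, shoff, 0x1000)
    shdrs = bytes(64) + struct.pack("<IIQQQQIIQQ", 0, 1, 6, 0, off, len(payload), 0, 0, 16, 0)
    return ehdr + phdr + payload + shdrs + trailer

if __name__ == "__main__":
    signed = build_sample(b"CONSTRUCTED-TRAILER")    # stand-in for signature + certificate
    print(elf64_extent(signed), trailing_data(signed))
```

Files that use extended section numbering (e_shnum of 0 with the real count stored in section header 0) are not handled here.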