Create binsign tool to sign binary files for Secure Boot
AbandonedPublic
Actions

Authored by kd on Jan 9 2019, 6:17 PM.

Details

Reviewers

trasz
sjg
mw
0mp
cem

Group Reviewers

manpages
secteam

Summary

It uses BearSSL as cryptographic backend. It creates signature specified in PKCS#1 v2 standard. The signature together with a certificate is appended to the file.
It is used in Secure Boot implementation https://reviews.freebsd.org/D18797.

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

kd created this revision.Jan 9 2019, 6:17 PM

kd created this object with visibility "Custom Policy".

Herald added a reviewer: manpages. · View Herald TranscriptJan 9 2019, 6:17 PM

Herald added a subscriber: Contributor Reviews (src). · View Herald Transcript

kd edited the summary of this revision. (Show Details)Jan 9 2019, 6:19 PM

kd added parent revisions: D18797: Introduce new Secure Boot library, D18795: Build libbearssl for Secure Boot., D18794: Introduce Build options for Secure Boot.

kd removed a parent revision: D18794: Introduce Build options for Secure Boot.

kd retitled this revision from Add tool to sign binary files to Create binsign tool to sign binary files for Secure Boot.Jan 9 2019, 6:28 PM

kd added reviewers: trasz, secteam, cem, sjg.

kd added a reviewer: mw.Jan 9 2019, 6:31 PM

kd changed the visibility from "Custom Policy" to "Public (No Login Required)".

Herald added a subscriber: imp. · View Herald TranscriptJan 9 2019, 6:31 PM

mst_semihalf.com added a subscriber: mst_semihalf.com.Jan 9 2019, 6:39 PM

how is this different than uefisign(8)?

cem resigned from this revision.Jan 10 2019, 12:58 AM

From the man page side: could you confirm that igor (textproc/igor) and mandoc -Tlint do not produce any errors?

This revision now requires changes to proceed.Jan 10 2019, 9:24 AM

In D18799#401279, @imp wrote:

how is this different than uefisign(8)?

The uefisign is designed to work only with PE binaries, that is only ones that can be run directly in UEFI. You can read more about it here.

Update date to correct format and remove unnecessary leftover .Pp. After this change both igor and mandoc pass without a warning.

In D18799#401347, @mindal_semihalf.com wrote:

In D18799#401279, @imp wrote:

how is this different than uefisign(8)?

The uefisign is designed to work only with PE binaries, that is only ones that can be run directly in UEFI. You can read more about it here.

Shouldn't we include a short comparison of those two utilities in the manual page?

usr.sbin/binsign/binsign.8
2	I am not sure if it is important, but it's missing the SPDX tag.
5	No longer needed. See D15370 for example.
27	Missing $FreeBSD$
44	`.Xr loader 8` instead of `Loader`? Also, should we describe how to configure the loader?
51	Could you have a look at `src/share/man/man5/style.mdoc.5` and try to format the examples sections similarly?
54	.Pa cert.key and .Pa cert.der
56	Would it be beneficial to reference the PKCS#1 v2 standard here? Similarly to how its done in CMSG_DATA(3) for example.
57	It would be great to cross-reference this manual page from loader(8) and other related manuals (like uefisign(8) perhaps?).
usr.sbin/binsign/binsign.c
26	Missing $FreeBSD$.

This revision now requires changes to proceed.Jan 10 2019, 2:13 PM

Shouldn't we include a short comparison of those two utilities in the manual page?

At least there should be a .Xr between the tools.

usr.sbin/binsign/binsign.8
40–43	So the result is an ELF file with extra stuff tacked on the end. How do existing tools (kernel, rtld, readelf, objcopy, etc.) treat this?

Just a general suggestion: could you consider adding the "-o" option instead of overwriting the input file with a signed one, just like uefisign(8) does it? It makes it much easier to hook it into various automation things - build systems and such.

kd added inline comments.Jan 11 2019, 1:22 PM

usr.sbin/binsign/binsign.8
40–43	Yes, that's essentially how it works. So far it seems that it doesn't break anything, that is signed files are loading and working properly. The readelf tool also processes them without complaining. Having said that the "cleaner" solution would be to create a new section, lets say ".signature" and store it there. The problem is that it would complicate the code and bear in mind that we have to process said signature in loader. Integrating a new library(probably libelf) with the loader would most likely be problematic.