diff --git a/lib/libsecureboot/Makefile.depend.host b/lib/libsecureboot/Makefile.depend.host --- a/lib/libsecureboot/Makefile.depend.host +++ b/lib/libsecureboot/Makefile.depend.host @@ -2,7 +2,6 @@ # Autogenerated - do NOT edit! DIRDEPS = \ - lib/libstand \ .include diff --git a/lib/libsecureboot/h/libsecureboot.h b/lib/libsecureboot/h/libsecureboot.h --- a/lib/libsecureboot/h/libsecureboot.h +++ b/lib/libsecureboot/h/libsecureboot.h @@ -59,6 +59,7 @@ size_t ve_trust_anchors_revoke(unsigned char *, size_t); int ve_trust_add(const char *); void ve_debug_set(int); +void ve_enforce_validity_set(int); void ve_anchor_verbose_set(int); int ve_anchor_verbose_get(void); void ve_utc_set(time_t utc); diff --git a/lib/libsecureboot/vets.c b/lib/libsecureboot/vets.c --- a/lib/libsecureboot/vets.c +++ b/lib/libsecureboot/vets.c @@ -86,6 +86,20 @@ DebugVe = n; } +/* + * For embedded systems (and boot loaders) + * we do not want to enforce certificate validity post install. + * It is generally unacceptible for infrastructure to stop working + * just because it has not been updated recently. + */ +static int enforce_validity = 0; + +void +ve_enforce_validity_set(int i) +{ + enforce_validity = i; +} + static char ebuf[512]; char * 
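Review bot: `static int enforce_validity = 0;` in the vets.c hunk makes the permissive mode the default for every consumer of libsecureboot, not only the boot loader: before this change rc was forced to 0 only under `_STANDALONE`, so userland callers such as veriexec(8) rejected expired or not-yet-valid certificates without any opt-in, and now they accept them unless ve_enforce_validity_set(1) is called. If that regression for host tools is intended the comment should say so explicitly; otherwise the old behaviour on both sides is preserved by choosing the initial value per build, as below. The comment should also state that disabling the check skips notBefore as well as notAfter (a certificate presented ahead of its validity window is accepted too), and `unacceptible` should read `unacceptable`.
```c
/*
 * … comment as in the hunk, with the notBefore caveat added …
 */
#ifdef _STANDALONE
static int enforce_validity = 0;	/* loader: never brick on a stale clock/cert */
#else
static int enforce_validity = 1;	/* host tools keep the former strict default */
#endif
```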
@@ -444,23 +458,23 @@ char date[12], nb_date[12], na_date[12]; #endif - not_before = ((not_before_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_before_seconds; - not_after = ((not_after_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_after_seconds; - if (ve_utc < not_before) - rc = -1; - else if (ve_utc > not_after) - rc = 1; - else - rc = 0; + if (enforce_validity) { + not_before = ((not_before_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_before_seconds; + not_after = ((not_after_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_after_seconds; + if (ve_utc < not_before) + rc = -1; + else if (ve_utc > not_after) + rc = 1; + else + rc = 0; #ifdef UNIT_TEST - printf("notBefore %s notAfter %s date %s rc %d\n", - gdate(nb_date, sizeof(nb_date), not_before), - gdate(na_date, sizeof(na_date), not_after), - gdate(date, sizeof(date), ve_utc), rc); -#endif -#if defined(_STANDALONE) - rc = 0; /* don't fail */ + printf("notBefore %s notAfter %s date %s rc %d\n", + gdate(nb_date, sizeof(nb_date), not_before), + gdate(na_date, sizeof(na_date), not_after), + gdate(date, sizeof(date), ve_utc), rc); #endif + } else + rc = 0; /* don't fail */ return rc; } #endif diff --git a/sbin/veriexec/veriexec.8 b/sbin/veriexec/veriexec.8 --- a/sbin/veriexec/veriexec.8 +++ b/sbin/veriexec/veriexec.8 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd February 14, 2022 +.Dd July 8, 2022 .Dt VERIEXEC 8 .Os .Sh NAME @@ -34,6 +34,7 @@ .Nm .Op Fl v .Op Fl C Ar directory +.Op Fl S .Pa manifest .Nm .Fl z Ar state @@ -53,6 +54,11 @@ first verifies a digital signature of the .Ar manifest and if successful, parses it and feeds its content to kernel. +The +.Fl S +flag indicates that certificate validity should be checked. +Without this, a valid signature with an expired certificate +will still be accepted. .Pp The second form with .Fl z diff --git a/sbin/veriexec/veriexec.c b/sbin/veriexec/veriexec.c --- a/sbin/veriexec/veriexec.c +++ b/sbin/veriexec/veriexec.c 
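Review bot: With enforce_validity clear the new branch returns 0 without ever computing not_before/not_after, so a skipped check is indistinguishable from a passed one and the UNIT_TEST trace no longer fires at all, which means the unit tests must now call ve_enforce_validity_set(1) to exercise the date arithmetic. Computing the window unconditionally and only downgrading rc at the end keeps the trace and lets the non-enforcing mode at least report the condition, as sketched below. The enclosing function starts outside the hunk; I am assuming DebugVe (set in the first vets.c hunk) is the file's debug level and that printf is available here as it is under UNIT_TEST, so use the file's existing diagnostic helper if there is one.
```c
	not_before = ((not_before_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_before_seconds;
	not_after = ((not_after_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_after_seconds;
	if (ve_utc < not_before)
		rc = -1;
	else if (ve_utc > not_after)
		rc = 1;
	else
		rc = 0;
#ifdef UNIT_TEST
	/* … unchanged: printf of notBefore/notAfter/date/rc … */
#endif
	if (!enforce_validity && rc != 0) {
		/* validity window is advisory here: report, but don't fail */
		if (DebugVe > 0)
			printf("warning: certificate outside validity window (rc %d)\n", rc);
		rc = 0;
	}
	return rc;
```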
@@ -148,7 +148,7 @@ dev_fd = open(_PATH_DEV_VERIEXEC, O_WRONLY, 0); - while ((c = getopt(argc, argv, "hC:i:xvz:")) != -1) { + while ((c = getopt(argc, argv, "hC:i:Sxvz:")) != -1) { switch (c) { case 'h': /* Print usage info */ @@ -174,6 +174,10 @@ exit((x & state) == 0); break; + case 'S': + /* Strictly enforce certificate validity */ + ve_enforce_validity_set(1); + break; case 'v': /* Increase the verbosity */
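Review bot: The new `case 'S':` is the only way to get certificate validity enforced, and since the library default is now permissive the userland tool silently switched from strict to lenient for anyone invoking it without `-S`; the comment on the case should make that inversion visible, e.g. `/* Strictly enforce certificate validity (notBefore/notAfter); without -S an expired or not-yet-valid cert is accepted */`. The `-h` usage text is not in this hunk, so please confirm it lists `-S` alongside the manpage addition. The ordering is fine provided manifest verification happens after the getopt loop, which appears to be the case but the rest of main() is outside the hunk.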