diff --git a/lib/libsecureboot/Makefile.depend.host b/lib/libsecureboot/Makefile.depend.host
--- a/lib/libsecureboot/Makefile.depend.host
+++ b/lib/libsecureboot/Makefile.depend.host
@@ -2,7 +2,6 @@
# Autogenerated - do NOT edit!
DIRDEPS = \
- lib/libstand \
.include <dirdeps.mk>
diff --git a/lib/libsecureboot/h/libsecureboot.h b/lib/libsecureboot/h/libsecureboot.h
--- a/lib/libsecureboot/h/libsecureboot.h
+++ b/lib/libsecureboot/h/libsecureboot.h
@@ -59,6 +59,7 @@
size_t ve_trust_anchors_revoke(unsigned char *, size_t);
int ve_trust_add(const char *);
void ve_debug_set(int);
+void ve_enforce_validity_set(int);
void ve_anchor_verbose_set(int);
int ve_anchor_verbose_get(void);
void ve_utc_set(time_t utc);
diff --git a/lib/libsecureboot/vets.c b/lib/libsecureboot/vets.c
--- a/lib/libsecureboot/vets.c
+++ b/lib/libsecureboot/vets.c
@@ -86,6 +86,20 @@
DebugVe = n;
}
+/*
+ * For embedded systems (and boot loaders)
+ * we do not want to enforce certificate validity post install.
+ * It is generally unacceptible for infrastructure to stop working
+ * just because it has not been updated recently.
+ */
+static int enforce_validity = 0;
+
+void
+ve_enforce_validity_set(int i)
+{
+ enforce_validity = i;
+}
+
static char ebuf[512];
char *
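Review bot: The default `enforce_validity = 0` applies to every consumer of libsecureboot, but the comment above it only justifies the choice for "embedded systems (and boot loaders)"; before this change the window check was skipped only under `_STANDALONE` (see the removed `#if defined(_STANDALONE)` block later in vets.c), so userland veriexec now also accepts an expired or not-yet-valid signing certificate unless `-S` is given. If that loosening is intended, the comment should state it, e.g. `* Default is off for all callers, including userland veriexec; callers that want the notBefore/notAfter window checked must call ve_enforce_validity_set(1).` The comment also misspells "unacceptable", and the setter's parameter `i` would read better as `enforce`, matching the existing `ve_debug_set(int n)` style.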
@@ -444,23 +458,23 @@
char date[12], nb_date[12], na_date[12];
#endif
- not_before = ((not_before_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_before_seconds;
- not_after = ((not_after_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_after_seconds;
- if (ve_utc < not_before)
- rc = -1;
- else if (ve_utc > not_after)
- rc = 1;
- else
- rc = 0;
+ if (enforce_validity) {
+ not_before = ((not_before_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_before_seconds;
+ not_after = ((not_after_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_after_seconds;
+ if (ve_utc < not_before)
+ rc = -1;
+ else if (ve_utc > not_after)
+ rc = 1;
+ else
+ rc = 0;
#ifdef UNIT_TEST
- printf("notBefore %s notAfter %s date %s rc %d\n",
- gdate(nb_date, sizeof(nb_date), not_before),
- gdate(na_date, sizeof(na_date), not_after),
- gdate(date, sizeof(date), ve_utc), rc);
-#endif
-#if defined(_STANDALONE)
- rc = 0; /* don't fail */
+ printf("notBefore %s notAfter %s date %s rc %d\n",
+ gdate(nb_date, sizeof(nb_date), not_before),
+ gdate(na_date, sizeof(na_date), not_after),
+ gdate(date, sizeof(date), ve_utc), rc);
#endif
+ } else
+ rc = 0; /* don't fail */
return rc;
}
#endif
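Review bot: When `enforce_validity` is unset, the trailing `} else rc = 0;` returns success without leaving any trace that the notBefore/notAfter window was never evaluated, so a certificate outside its validity period is accepted silently; a debug-gated message in that branch, e.g. `if (DebugVe) printf("certificate validity not enforced\n");` (assuming printf is usable in every build of this file — the UNIT_TEST path already uses it), would make the skipped check observable in logs. The unbraced `else` next to a braced `if` body is inconsistent; `} else {` … `}` with the `/* don't fail */` comment inside is the safer form. Note that the UNIT_TEST printf now sits inside the enforcing branch, so the unit test only exercises the date arithmetic if it first calls `ve_enforce_validity_set(1)`. The enclosing function begins outside this hunk, so whether `not_before`/`not_after` are read anywhere else when the branch is skipped cannot be confirmed here.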
diff --git a/sbin/veriexec/veriexec.8 b/sbin/veriexec/veriexec.8
--- a/sbin/veriexec/veriexec.8
+++ b/sbin/veriexec/veriexec.8
@@ -24,7 +24,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd February 14, 2022
+.Dd July 8, 2022
.Dt VERIEXEC 8
.Os
.Sh NAME
@@ -34,6 +34,7 @@
.Nm
.Op Fl v
.Op Fl C Ar directory
+.Op Fl S
.Pa manifest
.Nm
.Fl z Ar state
@@ -53,6 +54,11 @@
first verifies a digital signature of the
.Ar manifest
and if successful, parses it and feeds its content to kernel.
+The
+.Fl S
+flag indicates that certificate validity should be checked.
+Without this, a valid signature with an expired certificate
+will still be accepted.
.Pp
The second form with
.Fl z
diff --git a/sbin/veriexec/veriexec.c b/sbin/veriexec/veriexec.c
--- a/sbin/veriexec/veriexec.c
+++ b/sbin/veriexec/veriexec.c
@@ -148,7 +148,7 @@
dev_fd = open(_PATH_DEV_VERIEXEC, O_WRONLY, 0);
- while ((c = getopt(argc, argv, "hC:i:xvz:")) != -1) {
+ while ((c = getopt(argc, argv, "hC:i:Sxvz:")) != -1) {
switch (c) {
case 'h':
/* Print usage info */
@@ -174,6 +174,10 @@
exit((x & state) == 0);
break;
+ case 'S':
+ /* Strictly enforce certificate validity */
+ ve_enforce_validity_set(1);
+ break;
case 'v':
/* Increase the verbosity */
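Review bot: Nothing in this hunk updates the usage text printed under `case 'h'`, which lies outside the hunk; if that text enumerates the options it should list `-S` to match the veriexec.8 change. Because the library default is now non-enforcing, userland veriexec only keeps its previous behaviour of rejecting an expired signing certificate when `-S` is passed, so any scripts relying on that rejection need the new flag. The comment might say so: `/* Strictly enforce certificate validity (off by default; see vets.c) */`. main() starts outside the hunk.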
D35758: Add -S option to veriexec