usr.sbin/binsign/binsign.8
- This file was added.
.\"
0mp: I am not sure if it is important, but it's missing the SPDX tag.
.\" Copyright (c) 2019 Stormshield.
.\" Copyright (c) 2019 Semihalf.
.\" All rights reserved.
0mp: No longer needed. See D15370 for example.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
.\" DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
0mp: Missing $FreeBSD$
.Dd January 10, 2019
.Dt BINSIGN 8
.Os
.Sh NAME
.Nm binsign
.Nd Secure Boot signing utility
.Sh SYNOPSIS
.Nm
.Fl c Ar cert
.Fl k Ar key
.Ar file
.Sh DESCRIPTION
The
.Nm
utility signs any type of file by appending a signature in PKCS#1 v2 standard
together with a certificate used for the signing to its end.
emaste: So the result is an ELF file with extra stuff tacked on the end. How do existing tools (kernel, rtld, readelf, objcopy, etc.) treat this?
kd: Yes, that's essentially how it works. So far it seems that it doesn't break anything, that is, signed files are loading and working properly. The readelf tool also processes them without complaining. Having said that, the "cleaner" solution would be to create a new section, let's say ".signature", and store it there. The problem is that it would complicate the code, and bear in mind that we have to process said signature in loader. Integrating a new library (probably libelf) with the loader would most likely be problematic.
Loader can be configured to verify the kernel and modules integrity
0mp: `.Xr loader 8` instead of `Loader`? Also, should we describe how to configure the loader?
signed with this tool.
.Sh EXIT STATUS
The
.Nm
utility exits 0 on success, and 1 if an error occurs.
.Sh EXAMPLES
.Nm
0mp: Could you have a look at `src/share/man/man5/style.mdoc.5` and try to format the examples sections similarly?
-c cert.der -k cert.key file
.Pp
The cert.key and cert.der files have to contain a DER encoded
0mp: `.Pa cert.key` and `.Pa cert.der`
RSA private key and X509 certificate respectively.
.Sh SEE ALSO
0mp: Would it be beneficial to reference the PKCS#1 v2 standard here? Similarly to how it's done in CMSG_DATA(3) for example.
.Xr loader 8
0mp: It would be great to cross-reference this manual page from loader(8) and other related manuals (like uefisign(8) perhaps?).
.Sh HISTORY
The
.Nm
command appeared in
.Fx 13.0 .
.Sh AUTHORS
The
.Nm
utility was developed by
.An Kornel Duleba Aq Mt mindal@semihalf.com
under sponsorship from Stormshield.
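Review bot: The DESCRIPTION (the sentence "signs any type of file by appending a signature in PKCS#1 v2 standard together with a certificate used for the signing to its end" and the following "Loader can be configured to verify the kernel and modules integrity signed with this tool") never says what the appended certificate is checked against. Since the certificate travels inside the signed file, a signature that only verifies against its own embedded certificate establishes nothing about who signed the file; the page should state that loader(8) validates that certificate against a trust anchor it is configured with, and that files whose certificate does not chain to it are rejected, so that an administrator enabling verification knows what guarantee they actually get. In the same sentence, "PKCS#1 v2 standard" is ambiguous: PKCS#1 v2.x defines both RSASSA-PKCS1-v1_5 and RSASSA-PSS, and neither the padding scheme nor the digest algorithm is named, which leaves the on-disk format underspecified for anyone writing or auditing a verifier; name both explicitly (this would also give the SEE ALSO reference to the standard that 0mp asks for something concrete to point at). A smaller mdoc point: the EXIT STATUS section can be replaced by the standard `.Ex -std` macro, which renders the same sentence except that it says ">0" rather than "1" on error, which remains accurate for this utility.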