It uses BearSSL as the cryptographic backend. It creates a signature as specified in the PKCS#1 v2 standard. The signature, together with a certificate, is appended to the file.
It is used in the Secure Boot implementation https://reviews.freebsd.org/D18797.
Details
Diff Detail
- Repository
- rS FreeBSD src repository - subversion
- Lint
- Lint Skipped
- Unit
- Tests Skipped
Event Timeline
From the man page side: could you confirm that igor (textproc/igor) and mandoc -Tlint do not produce any errors?
The uefisign is designed to work only with PE binaries, that is, only ones that can be run directly in UEFI. You can read more about it here.
Update date to correct format and remove unnecessary leftover .Pp. After this change both igor and mandoc pass without a warning.
Shouldn't we include a short comparison of those two utilities in the manual page?
usr.sbin/binsign/binsign.8

| Line | Comment |
|---|---|
| 2 | I am not sure if it is important, but it's missing the SPDX tag. |
| 5 | No longer needed. See D15370 for example. |
| 27 | Missing $FreeBSD$ |
| 44 | .Xr loader 8 instead of Loader? Also, should we describe how to configure the loader? |
| 51 | Could you have a look at src/share/man/man5/style.mdoc.5 and try to format the examples sections similarly? |
| 54 | .Pa cert.key |
| 56 | Would it be beneficial to reference the PKCS#1 v2 standard here? Similarly to how it's done in CMSG_DATA(3) for example. |
| 57 | It would be great to cross-reference this manual page from loader(8) and other related manuals (like uefisign(8) perhaps?). |

usr.sbin/binsign/binsign.c

| Line | Comment |
|---|---|
| 26 | Missing $FreeBSD$. |
Shouldn't we include a short comparison of those two utilities in the manual page?
At least there should be a .Xr between the tools.
usr.sbin/binsign/binsign.8

| Line | Comment |
|---|---|
| 40–43 | So the result is an ELF file with extra stuff tacked on the end. How do existing tools (kernel, rtld, readelf, objcopy, etc.) treat this? |
Just a general suggestion: could you consider adding the "-o" option instead of overwriting the input file with a signed one, just like uefisign(8) does it? It makes it much easier to hook it into various automation things - build systems and such.
usr.sbin/binsign/binsign.8

| Line | Comment |
|---|---|
| 40–43 | Yes, that's essentially how it works. So far it seems that it doesn't break anything, that is, signed files are loading and working properly. The readelf tool also processes them without complaining. Having said that, the "cleaner" solution would be to create a new section, let's say ".signature", and store it there. The problem is that it would complicate the code and bear in mind that we have to process said signature in loader. Integrating a new library (probably libelf) with the loader would most likely be problematic. |