sjg (Simon Gerraty)

User Details

User Since
Apr 9 2015, 9:27 PM (205 w, 5 d)

Recent Activity

Mon, Mar 11

sjg committed rS345024: Add _PC_ACL_* to vop_stdpathconf.
Add _PC_ACL_* to vop_stdpathconf
Mon, Mar 11, 8:41 PM
sjg closed D19512: tmpfs silently ignore pathconf ACL requests.
Mon, Mar 11, 8:41 PM
sjg added a comment to D19512: tmpfs silently ignore pathconf ACL requests.

I applied this same patch to stable/11 and while ktrace shows that tmpfs no longer returns EINVAL for fpathconf
original ktrace:

Mon, Mar 11, 8:30 PM

Sat, Mar 9

sjg updated the diff for D19512: tmpfs silently ignore pathconf ACL requests.

Add zfs and nandfs, note zfs_vnops.c:zfs_pathconf is not compatible with this change

Sat, Mar 9, 5:18 PM

Fri, Mar 8

sjg updated the diff for D19512: tmpfs silently ignore pathconf ACL requests.

per feedback - not sure about zfs though

Fri, Mar 8, 11:00 PM
sjg updated the diff for D19512: tmpfs silently ignore pathconf ACL requests.

Like this?

Fri, Mar 8, 9:53 PM
sjg added a comment to D19512: tmpfs silently ignore pathconf ACL requests.
In D19512#417662, @kib wrote:
In D19512#417656, @sjg wrote:
In D19512#417632, @kib wrote:

You can remove handling of _PC_ACL_EXTENDED from nfs and zfs client vops.
You can remove any handling of _PC_ACL_EXTENDED and _PC_ACL_NFS4 from UFS when not compiled in (i.e. #else cases).

In the case of ufs this would get ugly no? The case would need to be within the #ifdef

No, as I said you drop #else part altogether.

Fri, Mar 8, 9:50 PM
sjg removed reviewers for D19512: tmpfs silently ignore pathconf ACL requests: kib, jhb.
In D19512#417632, @kib wrote:

You can remove handling of _PC_ACL_EXTENDED from nfs and zfs client vops.
You can remove any handling of _PC_ACL_EXTENDED and _PC_ACL_NFS4 from UFS when not compiled in (i.e. #else cases).

Fri, Mar 8, 9:32 PM
sjg updated the diff for D19512: tmpfs silently ignore pathconf ACL requests.

Add more cases

Fri, Mar 8, 9:31 PM
sjg updated the diff for D19512: tmpfs silently ignore pathconf ACL requests.

shift to vop_stdpathconf

Fri, Mar 8, 8:39 PM
sjg updated the diff for D19512: tmpfs silently ignore pathconf ACL requests.

fix patch skew

Fri, Mar 8, 8:11 PM
sjg created D19512: tmpfs silently ignore pathconf ACL requests.
Fri, Mar 8, 7:46 PM

Mon, Mar 4

sjg added inline comments to D19093: Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation.
Mon, Mar 4, 10:05 PM
sjg committed rS344784: Allow for reproducible build.
Allow for reproducible build
Mon, Mar 4, 10:04 PM
sjg closed D19464: Allow for reproducible build.
Mon, Mar 4, 10:04 PM
sjg added a reviewer for D19464: Allow for reproducible build: emaste.
Mon, Mar 4, 9:48 PM
sjg created D19464: Allow for reproducible build.
Mon, Mar 4, 9:48 PM
sjg added inline comments to D19093: Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation.
Mon, Mar 4, 9:09 PM
sjg added inline comments to D19093: Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation.
Mon, Mar 4, 8:47 PM
sjg committed rS344780: Add -d flag to load command.
Add -d flag to load command
Mon, Mar 4, 7:51 PM

Sun, Mar 3

sjg added inline comments to D19093: Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation.
Sun, Mar 3, 5:02 PM

Sat, Mar 2

sjg accepted D19093: Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation.

One minor nit left

Sat, Mar 2, 7:18 PM

Thu, Feb 28

sjg added a comment to D19093: Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation.

Looking better....

Thu, Feb 28, 9:02 PM

Tue, Feb 26

sjg accepted D16334: Build libbearssl for loader and sbin/veriexec.

this is committed

Tue, Feb 26, 7:05 PM
sjg added inline comments to D19093: Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation.
Tue, Feb 26, 6:55 PM
sjg committed rS344568: Enable veriexec for loader.
Enable veriexec for loader
Tue, Feb 26, 6:22 AM
sjg closed D16336: Add calls to verify_file to loader..
Tue, Feb 26, 6:22 AM
sjg closed D16575: Add verifying loader for mac_veriexec.
Tue, Feb 26, 6:17 AM
sjg committed rS344567: Add verifying manifest loader for mac_veriexec.
Add verifying manifest loader for mac_veriexec
Tue, Feb 26, 6:17 AM
sjg committed rS344566: Enable build of libbearssl.
Enable build of libbearssl
Tue, Feb 26, 6:11 AM
sjg closed D16337: Build options etc for libbearssl and libve.
Tue, Feb 26, 6:11 AM
sjg committed rS344565: Add libsecureboot.
Add libsecureboot
Tue, Feb 26, 6:09 AM
sjg closed D16335: Build libve for loader and sbin/veriexec.
Tue, Feb 26, 6:09 AM

Thu, Feb 21

sjg added a reviewer for D19281: mac_veriexec: Create kernel module to parse manifest based on envs.: stevek.
Thu, Feb 21, 5:46 PM
sjg added a comment to D19281: mac_veriexec: Create kernel module to parse manifest based on envs..

First off, the changes to verify_file* should really be in a separate file.
Also this should all be guarded by a knob, since in the absence of verifying loader it introduces a new attack vector.
Thus anyone using this should be doing so very deliberately.

Thu, Feb 21, 5:33 PM

Feb 13 2019

sjg updated the diff for D16336: Add calls to verify_file to loader..

liblua/Makefile -I

Feb 13 2019, 5:03 PM
sjg updated the diff for D16336: Add calls to verify_file to loader..

liblua/Makefile

Feb 13 2019, 4:14 PM
sjg updated the diff for D16336: Add calls to verify_file to loader..

Hook lua fopen

Feb 13 2019, 12:05 AM

Feb 12 2019

sjg updated the diff for D16335: Build libve for loader and sbin/veriexec.

Only pass prefix to load_manifest if skip!=NULL

Feb 12 2019, 9:23 PM

Feb 11 2019

sjg updated the diff for D16335: Build libve for loader and sbin/veriexec.

Trim trailing ../ from prefix

Feb 11 2019, 10:47 PM

Feb 8 2019

sjg added inline comments to D19093: Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation.
Feb 8 2019, 12:56 AM

Feb 6 2019

sjg added inline comments to D19093: Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation.
Feb 6 2019, 8:34 PM

Jan 22 2019

sjg updated the diff for D16575: Add verifying loader for mac_veriexec.

Use libsecureboot

Jan 22 2019, 11:51 PM

Jan 21 2019

sjg committed rS343283: Done with initial BearSSL import.
Done with initial BearSSL import
Jan 21 2019, 8:25 PM
sjg committed rS343282: tag bearssl-6433cc2.
tag bearssl-6433cc2
Jan 21 2019, 8:24 PM
sjg committed rS343281: Import bearssl-6433cc2.
Import bearssl-6433cc2
Jan 21 2019, 8:24 PM
sjg committed rS343279: For initial BearSSL import.
For initial BearSSL import
Jan 21 2019, 8:23 PM
sjg committed rS343277: bearssl for importing BearSSL.
bearssl for importing BearSSL
Jan 21 2019, 8:02 PM

Jan 16 2019

sjg updated the diff for D16335: Build libve for loader and sbin/veriexec.

Rename libve to libsecureboot

Jan 16 2019, 11:49 PM
sjg updated the diff for D16337: Build options etc for libbearssl and libve.

Fix src.libnames.mk

Jan 16 2019, 11:49 PM
sjg added inline comments to D16337: Build options etc for libbearssl and libve.
Jan 16 2019, 11:34 PM
sjg added inline comments to D16335: Build libve for loader and sbin/veriexec.
Jan 16 2019, 11:30 PM
sjg added inline comments to D16337: Build options etc for libbearssl and libve.
Jan 16 2019, 11:25 PM
sjg updated the diff for D16334: Build libbearssl for loader and sbin/veriexec.

Move some i62 methods to Makefile.libsa.inc

Jan 16 2019, 5:38 PM

Jan 15 2019

sjg committed rS343067: Fix STAGE_DIR.* to handle indirect *DIR variables..
Fix STAGE_DIR.* to handle indirect *DIR variables.
Jan 15 2019, 11:38 PM
sjg closed D18847: Fix STAGE_DIR.* setting inline with recent changes..
Jan 15 2019, 11:38 PM
sjg committed rS343066: Use .undef per variable.
Use .undef per variable
Jan 15 2019, 11:36 PM
sjg closed D17251: Use .undef per variable.
Jan 15 2019, 11:36 PM
sjg updated the diff for D16336: Add calls to verify_file to loader..

Update per feedback

Jan 15 2019, 10:23 PM
sjg added a reviewer for D18847: Fix STAGE_DIR.* setting inline with recent changes.: bdrewery.
Jan 15 2019, 10:18 PM
sjg created D18847: Fix STAGE_DIR.* setting inline with recent changes..
Jan 15 2019, 10:17 PM
sjg updated the diff for D16575: Add verifying loader for mac_veriexec.

Renamed libve to libsecureboot

Jan 15 2019, 6:23 PM
sjg updated the diff for D16335: Build libve for loader and sbin/veriexec.

Rename libve to libsecureboot

Jan 15 2019, 6:16 AM
sjg updated the diff for D16336: Add calls to verify_file to loader..

Update per feedback

Jan 15 2019, 6:16 AM

Jan 14 2019

sjg updated the diff for D16337: Build options etc for libbearssl and libve.

Update per feedback

Jan 14 2019, 9:56 PM
sjg updated the diff for D16334: Build libbearssl for loader and sbin/veriexec.

Update to latest BearSSL

Jan 14 2019, 9:55 PM

Jan 10 2019

sjg added a comment to D18797: Introduce new Secure Boot library.

(sorry don't know how else to contact you ;-)
I'm thinking this should be merged with libve so we can work to a single API that loader calls to verify stuff.
The functionality you have is I think a subset of that in libve.
The name libve is far from ideal.
Do you have any objection to renaming it to libsecureboot as a first step?

Jan 10 2019, 9:43 PM
sjg added inline comments to D16337: Build options etc for libbearssl and libve.
Jan 10 2019, 6:12 PM

Jan 9 2019

sjg added a comment to D18798: Implement Secure Boot in loader..

There is potentially a lot of overlap with D16335; libsecureboot could be a better name for that than libve.
It would be good to leverage both.

Jan 9 2019, 7:32 PM

Jan 8 2019

sjg added a comment to D16335: Build libve for loader and sbin/veriexec.

A tool to sign binaries was created. It simply appends an RSA PKCS#1 v2 signature together with an X509 certificate to the end of the file.
Loader was changed to only allow loading signed kernel and modules when Secure Boot mode is detected to have been enabled in UEFI. The trusted root certificates are obtained from the UEFI DB authenticated variable. Also, the DBX variable is searched for blacklisted certificates.

Jan 8 2019, 11:55 PM
sjg added a comment to D16335: Build libve for loader and sbin/veriexec.

Currently at Semihalf we work on a similar solution to make FreeBSD work with UEFI Secure Boot. The main difference is that instead of creating a manifest with files and their hashes, a signature is appended to each file that is supposed to be verified. We also use BearSSL as the cryptographic backend.

Jan 8 2019, 11:18 PM

Dec 25 2018

sjg updated the diff for D16335: Build libve for loader and sbin/veriexec.

Fix error message in vectx_open for VE_FINGERPRINT_UNKNOWN
verify - only panic if severity is above accepted threshold
(eg we are in strict mode)
Add comment to vepcr.c to explain why we use SHA256 when TPM
only supports SHA1

Dec 25 2018, 9:52 PM
sjg added a comment to D16335: Build libve for loader and sbin/veriexec.

Back to the question of lib name...

Dec 25 2018, 9:47 PM

Dec 23 2018

sjg committed rS342376: Merge bmake-20181221.
Merge bmake-20181221
Dec 23 2018, 1:06 AM

Dec 22 2018

sjg committed rS342373: tag bmake-20181221.
tag bmake-20181221
Dec 22 2018, 9:32 PM
sjg committed rS342372: Import bmake-20181221.
Import bmake-20181221
Dec 22 2018, 9:32 PM

Dec 6 2018

sjg committed rS341652: Update bmake to version 20180919.
Update bmake to version 20180919
Dec 6 2018, 8:56 PM
sjg committed rS341610: tag bmake-20180919.
tag bmake-20180919
Dec 6 2018, 12:14 AM
sjg committed rS341609: Import bmake-20180919.
Import bmake-20180919
Dec 6 2018, 12:14 AM

Dec 5 2018

sjg added a comment to D16334: Build libbearssl for loader and sbin/veriexec.

Hello,

Are there any plans to integrate this patch with tree?

Dec 5 2018, 10:19 PM

Nov 16 2018

sjg closed D2729: Add __DEFAULT_DEPENDENT_OPTIONS support.

Oops this was committed in r284050

Nov 16 2018, 10:38 PM

Sep 20 2018

sjg added a reviewer for D17251: Use .undef per variable: bdrewery.
Sep 20 2018, 12:21 AM
sjg created D17251: Use .undef per variable.
Sep 20 2018, 12:20 AM

Sep 14 2018

sjg accepted D17170: Cross-reference style.Makefile(5) from make(1) and make.conf(5).
Sep 14 2018, 5:48 PM

Sep 11 2018

sjg updated the diff for D16335: Build libve for loader and sbin/veriexec.

define OPENPGP_TAG_*

Sep 11 2018, 8:48 PM
sjg added inline comments to D16335: Build libve for loader and sbin/veriexec.
Sep 11 2018, 7:56 PM

Sep 10 2018

sjg added inline comments to D16335: Build libve for loader and sbin/veriexec.
Sep 10 2018, 8:20 PM

Sep 6 2018

sjg updated the diff for D16334: Build libbearssl for loader and sbin/veriexec.

remove check for MK_BEARSSL from Makefile

Sep 6 2018, 11:02 PM
sjg updated the diff for D16335: Build libve for loader and sbin/veriexec.

remove check for MK_BEARSSL from Makefile

Sep 6 2018, 11:02 PM
sjg updated the diff for D16335: Build libve for loader and sbin/veriexec.

size_t for 2nd arg to octets2hex

Sep 6 2018, 9:14 PM
sjg added inline comments to D16335: Build libve for loader and sbin/veriexec.
Sep 6 2018, 9:01 PM
sjg added inline comments to D16335: Build libve for loader and sbin/veriexec.
Sep 6 2018, 8:49 PM
sjg added a comment to D16335: Build libve for loader and sbin/veriexec.

cem (Conrad Meyer) <phabric-noreply@freebsd.org> wrote:

Sep 6 2018, 8:38 PM
sjg added a comment to D16575: Add verifying loader for mac_veriexec.

Adding xrefs to related reviews

Sep 6 2018, 12:24 PM
sjg updated the diff for D16337: Build options etc for libbearssl and libve.

Fix INTERNALLIB refs

Sep 6 2018, 12:24 PM
sjg added a comment to D16337: Build options etc for libbearssl and libve.

Sorry, should make all these reviews xref each other.
we have

Sep 6 2018, 12:24 PM
sjg added a comment to D16334: Build libbearssl for loader and sbin/veriexec.

Adding xrefs to related reviews

Sep 6 2018, 12:24 PM
sjg added a comment to D16336: Add calls to verify_file to loader..

Adding xrefs to related reviews

Sep 6 2018, 12:24 PM
sjg added a comment to D16335: Build libve for loader and sbin/veriexec.

Adding xrefs to related reviews

Sep 6 2018, 12:24 PM
sjg updated the diff for D16335: Build libve for loader and sbin/veriexec.

Use file2c to embed certs/keys

Sep 6 2018, 12:24 PM