From ab4f0a15188087e407426aac2a720035fd2a3b0a Mon Sep 17 00:00:00 2001
From: "Simon J. Gerraty" <sjg@FreeBSD.org>
Date: Tue, 19 Jul 2022 08:59:53 -0700
Subject: [PATCH] Add -S option to veriexec

During software installation, use veriexec -S to strictly
enforce certificate validity checks (notBefore, notAfter).

Otherwise ignore certificate validity period.
It is generally unacceptible for the Internet to stop working
just because someone did not upgrade their infrastructure for a decade.

Sponsored by:	Juniper Networks, Inc.

Reviewed by:	sebastien.bini_stormshield.eu
Differential Revision:	https://reviews.freebsd.org/D35758
---
 lib/libsecureboot/Makefile.depend.host |  1 -
 lib/libsecureboot/h/libsecureboot.h    |  1 +
 lib/libsecureboot/vets.c               | 44 +++++++++++++++++---------
 sbin/veriexec/veriexec.8               |  8 ++++-
 sbin/veriexec/veriexec.c               |  6 +++-
 5 files changed, 42 insertions(+), 18 deletions(-)

diff --git a/lib/libsecureboot/Makefile.depend.host b/lib/libsecureboot/Makefile.depend.host
index c6441c263f4a..f80275d86ab1 100644
--- a/lib/libsecureboot/Makefile.depend.host
+++ b/lib/libsecureboot/Makefile.depend.host
@@ -2,7 +2,6 @@
 # Autogenerated - do NOT edit!
 
 DIRDEPS = \
-	lib/libstand \
 
 
 .include <dirdeps.mk>
diff --git a/lib/libsecureboot/h/libsecureboot.h b/lib/libsecureboot/h/libsecureboot.h
index 200f8bdb763f..f07988a8206e 100644
--- a/lib/libsecureboot/h/libsecureboot.h
+++ b/lib/libsecureboot/h/libsecureboot.h
@@ -59,6 +59,7 @@ size_t ve_trust_anchors_add_buf(unsigned char *, size_t);
 size_t ve_trust_anchors_revoke(unsigned char *, size_t);
 int ve_trust_add(const char *);
 void ve_debug_set(int);
+void ve_enforce_validity_set(int);
 void ve_anchor_verbose_set(int);
 int ve_anchor_verbose_get(void);
 void ve_utc_set(time_t utc);
diff --git a/lib/libsecureboot/vets.c b/lib/libsecureboot/vets.c
index b06ab346f716..94475e7cad36 100644
--- a/lib/libsecureboot/vets.c
+++ b/lib/libsecureboot/vets.c
@@ -86,6 +86,20 @@ ve_debug_set(int n)
 	DebugVe = n;
 }
 
+/*
+ * For embedded systems (and boot loaders)
+ * we do not want to enforce certificate validity post install.
+ * It is generally unacceptible for infrastructure to stop working
+ * just because it has not been updated recently.
+ */
+static int enforce_validity = 0;
+
+void
+ve_enforce_validity_set(int i)
+{
+    enforce_validity = i;
+}
+
 static char ebuf[512];
 
 char *
@@ -444,23 +458,23 @@ verify_time_cb(void *tctx __unused,
 	char date[12], nb_date[12], na_date[12];
 #endif
 
-	not_before = ((not_before_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_before_seconds;
-	not_after =  ((not_after_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_after_seconds;
-	if (ve_utc < not_before)
-		rc = -1;
-	else if (ve_utc > not_after)
-		rc = 1;
-	else
-		rc = 0;
+	if (enforce_validity) {
+		not_before = ((not_before_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_before_seconds;
+		not_after =  ((not_after_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_after_seconds;
+		if (ve_utc < not_before)
+			rc = -1;
+		else if (ve_utc > not_after)
+			rc = 1;
+		else
+			rc = 0;
 #ifdef UNIT_TEST
-	printf("notBefore %s notAfter %s date %s rc %d\n",
-	    gdate(nb_date, sizeof(nb_date), not_before),
-	    gdate(na_date, sizeof(na_date), not_after),
-	    gdate(date, sizeof(date), ve_utc), rc);
-#endif
-#if defined(_STANDALONE)
-	rc = 0;				/* don't fail */
+		printf("notBefore %s notAfter %s date %s rc %d\n",
+		    gdate(nb_date, sizeof(nb_date), not_before),
+		    gdate(na_date, sizeof(na_date), not_after),
+		    gdate(date, sizeof(date), ve_utc), rc);
 #endif
+	} else
+		rc = 0;			/* don't fail */
 	return rc;
 }
 #endif
diff --git a/sbin/veriexec/veriexec.8 b/sbin/veriexec/veriexec.8
index 161406ae6de2..d191f5175074 100644
--- a/sbin/veriexec/veriexec.8
+++ b/sbin/veriexec/veriexec.8
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd February 14, 2022
+.Dd July 8, 2022
 .Dt VERIEXEC 8
 .Os
 .Sh NAME
@@ -34,6 +34,7 @@
 .Nm
 .Op Fl v
 .Op Fl C Ar directory
+.Op Fl S
 .Pa manifest
 .Nm
 .Fl z Ar state
@@ -53,6 +54,11 @@ The first form is for loading a
 first verifies a digital signature of the
 .Ar manifest
 and if successful, parses it and feeds its content to kernel.
+The
+.Fl S
+flag indicates that certificate validity should be checked.
+Without this, a valid signature with an expired certificate
+will still be accepted.
 .Pp
 The second form with
 .Fl z
diff --git a/sbin/veriexec/veriexec.c b/sbin/veriexec/veriexec.c
index aff514b1cac5..0162eeda5347 100644
--- a/sbin/veriexec/veriexec.c
+++ b/sbin/veriexec/veriexec.c
@@ -148,7 +148,7 @@ main(int argc, char *argv[])
 
 	dev_fd = open(_PATH_DEV_VERIEXEC, O_WRONLY, 0);
 
-	while ((c = getopt(argc, argv, "hC:i:xvz:")) != -1) {
+	while ((c = getopt(argc, argv, "hC:i:Sxvz:")) != -1) {
 		switch (c) {
 		case 'h':
 			/* Print usage info */
@@ -174,6 +174,10 @@ main(int argc, char *argv[])
 
 			exit((x & state) == 0);
 			break;
+		case 'S':
+			/* Strictly enforce certificate validity */
+			ve_enforce_validity_set(1);
+			break;
 		case 'v':
 			/* Increase the verbosity */