By default only report unverified files at severity VE_WANT
and above. This inlcudes *.conf but not *.hints, *.cookie
or *.tgz which get VE_TRY as their severity.
If Verbose is set to 0, then VerifyFlags should default to 0 too.
Thus the combination of
module_verbose=0
VE_VEBOSE=0
is sufficient to make the loader almost totally silent.
When verify_prep has to find_manifest and it is verified ok
return VE_NOT_CHECKED to verify_file so that it can skip
repeating verify_fd
Also add better debugging output for is_verified and add_verify_status.
vectx handle compressed modules
When verifying a compressed module (.ko.gz or .ko.bz2)
stat() reports the size as -1 (unknown).
vectx_lseek needs to spot this during closing - and just read until
EOF is hit.
Note: because of the way libsa's open() works, verify_prep will see
the path to be verified as module.ko not module.ko.bz2 etc. This is
actually ok, because we need a separate module.ko.bz2 entry so that
the package can be verified, and the hash for module.ko is of the
uncompressed file which is what vectx will see.
Re-work local.trust.mk so site.trust.mk need only set
VE_SIGN_URL_LIST (if using the mentioned signing server)
interp.c: restrict interactive input
Apply the same restrictions to interactive input as for
unverified conf and hints files.
Use version.veriexec when LOADER_VERIEXEC is yes
Reviewed by: kevans
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D43810
Since we can now add OpenPGP trust anchors at runtime,
ensure the latent support is available.
Ensure we do not add duplicate keys to trust store.
Also allow reporting names of trust anchors added/revoked
We only do this for loader and only after initializing trust store.
Thus only changes to initial trust store will be logged.
Reviewed by: stevek
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D20700
UEFI related headers were copied from edk2.
A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow
loading of trusted anchors from UEFI.
Certificate revocation support is also introduced.
The forbidden certificates are loaded from dbx variable.
Verification fails in two cases:
There is a direct match between cert in dbx and the one in the chain.
The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx.
In this case verifications fails only if a direct match with a
certificate in chain is found.
Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19093