From nobody Fri Apr 14 07:26:29 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PySgB0n0Gz44g23; Fri, 14 Apr 2023 07:26:30 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4PySg96Ll2z3tBn; Fri, 14 Apr 2023 07:26:29 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1681457190; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=uRpHvr6NoeOygtRq9JwiJmzd0cbCGxcUAsYgv23i1BA=; b=tJmdQ5Aq+4ewB9FCi9+XS9ZQu99rc/MTO/SDD3k2nwASOwu6DIQNzl2OBYX+Q8dK2+laXT PShwB4BLji26GaKK/6C3uLd7vO30dUBvjsVXbSr5A9BTGoyZok9ttKhI81qprrNeGKEuSQ 7BboFGWd62vV5DpFaMiWZq0B3m1jkap6Dabo80UrNYhKu43YvBvbkqNrlPYkBC8+Tw6hV2 3pJl+0+/23ercgySbudtRiBZhzuIzhFntBifzSsDfT0XwnAHRhIx45uyZ5ISKf1lBPB906 3aGXLQYaYYQUF3FBOPR9n/2yldsh337attwKeGeVBIgpEfykDxfjZdC5WdqRzw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1681457190; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=uRpHvr6NoeOygtRq9JwiJmzd0cbCGxcUAsYgv23i1BA=; b=vPnI1Gh5ne5wqipT5PGi6zeqNDsk7MThyMqKHGJvItCcr8bHNl8tNqXaUHxIxJjubPZ3XL diz7+ijDcHTGUTodv4s6Eq0E9Q75mLrQKI9pjV6Zgar/5U1b8ZvjT4KvsSC4CmkHq82BbO /b3gMTYL4DXadq2tZnAiEYgtFC0g0BfCFrdVCaV+kA0uWU9BM1sivmMGrxamC4KeXEx8Ua 6e/xtx6lM41pQibmMJuSotPTmb7qC3w66hzh0AQ7WJZ6KIfQtJ9Bcc7sTnrQfvNJcSMY6L YtyltvoGC01NBgDQfUYiC5VL0NuZTAmuatNiue8t9c3FN4FELcxsEdQ4AGYE1w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1681457190; a=rsa-sha256; cv=none; b=HFXjhxUbzceILrj8H1o2KvYtUEx9l9d4giYAjP9cOlEWx+qRtA6AHF7CBcymj3G6aY75QY FmopKRXaewN4FZyKPtlA6tY/HZyqJBEfEIll9Ml7zRlok6MS4c6KQmFseuX/m8+YXFlKV/ hZOpDHdUho1OjRmfloE+UY5mZ/URgPp2Kxs9rg7Trfu4v44piYz3i4uMCZaL8aoju/2cfK y8G/yujHzvBsJjToXqbr/LhWuRONuUfuV+OYtNJsamup7/Nh+DGKJcH9mR6PC4EqiaqHM/ N+w9H4BD5EuU7TGcbeawRGRPInLLSure7pEhZlnUJedBqN38hvDAJ5CMNq/DGw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4PySg95FhmzFvp; Fri, 14 Apr 2023 07:26:29 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 33E7QT61032650; Fri, 14 Apr 2023 07:26:29 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 33E7QTLH032649; Fri, 14 Apr 2023 07:26:29 GMT (envelope-from git) Date: Fri, 14 Apr 2023 07:26:29 GMT Message-Id: <202304140726.33E7QTLH032649@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Gordon Bergling Subject: git: 32d22bbf32b8 - stable/13 - Add -S option to veriexec List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: gbe X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 32d22bbf32b86033f5f51196d7c6e7b0deda0f72 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch stable/13 has been updated by gbe: URL: https://cgit.FreeBSD.org/src/commit/?id=32d22bbf32b86033f5f51196d7c6e7b0deda0f72 commit 32d22bbf32b86033f5f51196d7c6e7b0deda0f72 Author: Simon J. Gerraty AuthorDate: 2022-07-19 15:59:53 +0000 Commit: Gordon Bergling CommitDate: 2023-04-14 07:25:45 +0000 Add -S option to veriexec During software installation, use veriexec -S to strictly enforce certificate validity checks (notBefore, notAfter). Otherwise ignore certificate validity period. It is generally unacceptible for the Internet to stop working just because someone did not upgrade their infrastructure for a decade. Sponsored by: Juniper Networks, Inc. Reviewed by: sebastien.bini_stormshield.eu Differential Revision: https://reviews.freebsd.org/D35758 (cherry picked from commit ab4f0a15188087e407426aac2a720035fd2a3b0a) --- lib/libsecureboot/Makefile.depend.host | 1 - lib/libsecureboot/h/libsecureboot.h | 1 + lib/libsecureboot/vets.c | 44 ++++++++++++++++++++++------------ sbin/veriexec/veriexec.8 | 8 ++++++- sbin/veriexec/veriexec.c | 6 ++++- 5 files changed, 42 insertions(+), 18 deletions(-) diff --git a/lib/libsecureboot/Makefile.depend.host b/lib/libsecureboot/Makefile.depend.host index c6441c263f4a..f80275d86ab1 100644 --- a/lib/libsecureboot/Makefile.depend.host +++ b/lib/libsecureboot/Makefile.depend.host @@ -2,7 +2,6 @@ # Autogenerated - do NOT edit! DIRDEPS = \ - lib/libstand \ .include diff --git a/lib/libsecureboot/h/libsecureboot.h b/lib/libsecureboot/h/libsecureboot.h index 200f8bdb763f..f07988a8206e 100644 --- a/lib/libsecureboot/h/libsecureboot.h +++ b/lib/libsecureboot/h/libsecureboot.h @@ -59,6 +59,7 @@ size_t ve_trust_anchors_add_buf(unsigned char *, size_t); size_t ve_trust_anchors_revoke(unsigned char *, size_t); int ve_trust_add(const char *); void ve_debug_set(int); +void ve_enforce_validity_set(int); void ve_anchor_verbose_set(int); int ve_anchor_verbose_get(void); void ve_utc_set(time_t utc); diff --git a/lib/libsecureboot/vets.c b/lib/libsecureboot/vets.c index af423b1cd7c0..9e2a7f204001 100644 --- a/lib/libsecureboot/vets.c +++ b/lib/libsecureboot/vets.c @@ -86,6 +86,20 @@ ve_debug_set(int n) DebugVe = n; } +/* + * For embedded systems (and boot loaders) + * we do not want to enforce certificate validity post install. + * It is generally unacceptible for infrastructure to stop working + * just because it has not been updated recently. + */ +static int enforce_validity = 0; + +void +ve_enforce_validity_set(int i) +{ + enforce_validity = i; +} + static char ebuf[512]; char * @@ -444,23 +458,23 @@ verify_time_cb(void *tctx, char date[12], nb_date[12], na_date[12]; #endif - not_before = ((not_before_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_before_seconds; - not_after = ((not_after_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_after_seconds; - if (ve_utc < not_before) - rc = -1; - else if (ve_utc > not_after) - rc = 1; - else - rc = 0; + if (enforce_validity) { + not_before = ((not_before_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_before_seconds; + not_after = ((not_after_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_after_seconds; + if (ve_utc < not_before) + rc = -1; + else if (ve_utc > not_after) + rc = 1; + else + rc = 0; #ifdef UNIT_TEST - printf("notBefore %s notAfter %s date %s rc %d\n", - gdate(nb_date, sizeof(nb_date), not_before), - gdate(na_date, sizeof(na_date), not_after), - gdate(date, sizeof(date), ve_utc), rc); -#endif -#if defined(_STANDALONE) - rc = 0; /* don't fail */ + printf("notBefore %s notAfter %s date %s rc %d\n", + gdate(nb_date, sizeof(nb_date), not_before), + gdate(na_date, sizeof(na_date), not_after), + gdate(date, sizeof(date), ve_utc), rc); #endif + } else + rc = 0; /* don't fail */ return rc; } #endif diff --git a/sbin/veriexec/veriexec.8 b/sbin/veriexec/veriexec.8 index 161406ae6de2..d191f5175074 100644 --- a/sbin/veriexec/veriexec.8 +++ b/sbin/veriexec/veriexec.8 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd February 14, 2022 +.Dd July 8, 2022 .Dt VERIEXEC 8 .Os .Sh NAME @@ -34,6 +34,7 @@ .Nm .Op Fl v .Op Fl C Ar directory +.Op Fl S .Pa manifest .Nm .Fl z Ar state @@ -53,6 +54,11 @@ The first form is for loading a first verifies a digital signature of the .Ar manifest and if successful, parses it and feeds its content to kernel. +The +.Fl S +flag indicates that certificate validity should be checked. +Without this, a valid signature with an expired certificate +will still be accepted. .Pp The second form with .Fl z diff --git a/sbin/veriexec/veriexec.c b/sbin/veriexec/veriexec.c index aff514b1cac5..0162eeda5347 100644 --- a/sbin/veriexec/veriexec.c +++ b/sbin/veriexec/veriexec.c @@ -148,7 +148,7 @@ main(int argc, char *argv[]) dev_fd = open(_PATH_DEV_VERIEXEC, O_WRONLY, 0); - while ((c = getopt(argc, argv, "hC:i:xvz:")) != -1) { + while ((c = getopt(argc, argv, "hC:i:Sxvz:")) != -1) { switch (c) { case 'h': /* Print usage info */ @@ -174,6 +174,10 @@ main(int argc, char *argv[]) exit((x & state) == 0); break; + case 'S': + /* Strictly enforce certificate validity */ + ve_enforce_validity_set(1); + break; case 'v': /* Increase the verbosity */