From nobody Thu Jan 23 03:12:52 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YdmGX2w1Dz5lVhd; Thu, 23 Jan 2025 03:12:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YdmGX1mq1z45lB; Thu, 23 Jan 2025 03:12:52 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1737601972; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=2gLejA5rLogLpmI7G/XuuUqKQe+rNfb9zDx9fL5t7r4=; b=eZrGgVwxo9vi81a9aqXXjShi7V8xFJjHu1N8WVCJF9jBnKO4VZZpm4dAH1TlxttorlRCwo YYqccD9avFWJCHzvnxVNlWB+2uFLrbKgD/hYqBM/97j1LXldHgDS3L8vzhI3iXJy7szSD8 PUnBHdIieLwUPH1wZ81fDwTg1I/OiwF85BSXhuxWUXEAOgHtZIXcg+NyJWhvdLYX8ai70x jgi6YrVwgAJ13/4R/TY+0jDtbjvjDe3n/ZlDw0NJGAkrk/6fRnrKjO5wYkBEFAoV+cyADA rjN8twshHITuYDAh480ayID9sjeNaYP6mY7I/Fk+VcDWirHf8NjIWfd9QB3ZZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1737601972; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=2gLejA5rLogLpmI7G/XuuUqKQe+rNfb9zDx9fL5t7r4=; b=OCdY0dwTGzdxXKcqmr9AkcD562CQoWwGvvBldJwOrOLxiEj2/RRzrtxr8s79GWmbUo9Yd0 +70BkyVg5mtgE320RRknDA/01aXHCLBhH6diGVdgnxn6GJJwXkO239lkjl4l8gsD9EA0vg hQgRcYbYX+kkXe+z9W542iPE7TVq5LKOK9qh+aFgAwpPZp/uYlnXgMHsCoFodmCvnws23q 8b8ABJXBRQ2zISpphvdzO8zPQdP0a9yQqEi7p8EL8ORabFnUWyqiOqTd6lruh49CVDjQsN q91otbf9C/PoVDK5seHYQ/BX8Dg9pA2kHWuSRSlu1+toDZxPY2iOf2jceqs3mw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1737601972; a=rsa-sha256; cv=none; b=yhxZ7gpOYKsz2Uel8vzxWTPJ6BejuYF7SXmqHOeLzImyq0iHv0pvBpNCUnwr3Kddb4KbvR QWVFTWxH0E7MPvFHs7ByX5XIUk6mf+zLPmtaOpuNkPTtMMwH8KVs7Dpo6CeH0wNXSWnqZ6 Bu62RNuwvNxBWG7+Ra1ypDQNrbs2zjXgWa8OEOO+c0BqzNINPphIgMzhEUQWNFCD8A+cVY zzj5pWR2bjpRB1CtDmzl7nAvSiocrxcTXCskwYqfIaQvOXdyS/ORT6DolBkj/7f7/ZOx2A 6b5Q/GoxZUdlXeQ1JsyLqbzep3n6C65mBY2wU7QWcoYinidcrSCwBx2myPyrXQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4YdmGX1C0Nz5NX; Thu, 23 Jan 2025 03:12:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 50N3CqPW025247; Thu, 23 Jan 2025 03:12:52 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 50N3CqB2025244; Thu, 23 Jan 2025 03:12:52 GMT (envelope-from git) Date: Thu, 23 Jan 2025 03:12:52 GMT Message-Id: <202501230312.50N3CqB2025244@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: "Simon J. Gerraty" Subject: git: f486ebb5e36b - main - libsecureboot/README.rst clarify use of gpg List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: sjg X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: f486ebb5e36b0dada882cfa1592cee110da2afb2 Auto-Submitted: auto-generated The branch main has been updated by sjg: URL: https://cgit.FreeBSD.org/src/commit/?id=f486ebb5e36b0dada882cfa1592cee110da2afb2 commit f486ebb5e36b0dada882cfa1592cee110da2afb2 Author: Simon J. Gerraty AuthorDate: 2025-01-23 03:10:10 +0000 Commit: Simon J. Gerraty CommitDate: 2025-01-23 03:10:10 +0000 libsecureboot/README.rst clarify use of gpg Clarify some language and provide an example of gpg use to generate a detached signature. --- lib/libsecureboot/README.rst | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/lib/libsecureboot/README.rst b/lib/libsecureboot/README.rst index 85b949db58cc..f1d3c5679d35 100644 --- a/lib/libsecureboot/README.rst +++ b/lib/libsecureboot/README.rst @@ -1,7 +1,8 @@ libsecureboot ************* -This library depends one way or another on verifying digital signatures. +This library depends one way or another on verifying detached digital +signatures. To do that, the necessary trust anchors need to be available. The simplest (and most attractive for an embedded system) is to @@ -16,7 +17,7 @@ provide access to the necessary trust anchors. That signing server is freely available - see http://www.crufty.net/sjg/docs/signing-server.htm -X.509 certificates chains offer a lot of flexibility over time and are +X.509 certificate chains offer a lot of flexibility over time and are a great solution for an embedded vendor like Juniper or even FreeBSD.org, but are probably overkill for personal or small site use. @@ -74,8 +75,12 @@ header. Signatures ---------- -We expect ascii armored (``.asc``) detached signatures. -Eg. signature for ``manifest`` would be in ``manifest.asc`` +We expect ascii armored (``.asc``) detached signatures +Eg.:: + + gpg -a --detach-sign manifest + +should produce the expected signature in ``manifest.asc`` We only support version 4 signatures using RSA (the default for ``gpg``). @@ -108,6 +113,10 @@ Ie. client sends a hash which during signing gets hashed again. So for Junos we define VE_ECDSA_HASH_AGAIN which causes ``verify_ec`` to hash again. +Later I added a FakeHash class to the signing server so we could +generate signatures compatible with our previous RSA scheme and +others. + Otherwise our EC DSA and RSA signatures are the default used by OpenSSL - an original design goal was that a customer could verify our signatures using nothing but an ``openssl`` binary.