Crypto overhaul

Simon J. Gerraty sjg at juniper.net
Fri Oct 27 01:34:07 UTC 2017


Eric McCorkle <eric at metricspace.net> wrote:
> * BearSSL's design seemingly lends itself to acting as a userland,
> kernel, and bootloader library.  On the other hand, it's new (which
> means it will need to be reviewed by crypto experts and thoroughly
> tested), and has one developer at this point.

BearSSL is indeed very new, and review by crypto experts would be most
welcome. 

It works very nicely though for verifying signatures, X.509 cert chains
etc - everything I needed for the loader to do verification of modules.
And it is *tiny* I think all the verification stuff added about 80-90K
to the size of the loader.

The author, has been extremely responsive and helpful, nice to work with.

The API is very different to OpenSSL so I would not contemplate trying
to use it as a replacement for userland crypto lib anytime soon.

But for the loader (and kernel if needed) it could be a very good
option.

FWIW I did not need to touch kernel, since I have the loader verify the
kernel and the mdimg it uses for /, thus init etc are also verified
before we pass control to kernel.



More information about the freebsd-hackers mailing list