From: "Simon J. Gerraty" <sjg@juniper.net>
To: freebsd-arch@freebsd.org
CC: Steve Kiernan, Baptiste Daroussin, Ed Maste, Allan Jude, Toomas Soome, Edward Tomasz Napierała
Subject: Import BearSSL ? (Adding verification to loader)
Date: Wed, 30 Aug 2017 14:55:48 -0700
Message-ID: <24256.1504130148@kaos.jnpr.net>
In-Reply-To: Ed Maste message dated "Tue, 13 Jun 2017 15:51:02 -0400."
References: <44449.1497382261@kaos.jnpr.net>

Hi,

Background: I've been adding what amounts to a mini "verified exec" to the freebsd loader for use in Junos. What this means is that the loader verifies the kernel and all the modules before loading them, and can reject anything for which a registered fingerprint (e.g.
sha1 hash) does not match.

This work is probably mainly of interest to folk doing embedded devices or security appliances etc. and can be seen as closing the gap between the secure BIOS (which verifies the initial loader - grub? whatever) and mac_veriexec, which we use in the kernel to control what can run in userland.

The boot process on Junos is much more complicated - but also more flexible - than stock FreeBSD. We potentially load lots of "loader.conf" snippets from different packages which contribute modules that need to be pre-loaded.

Of particular interest, we always provide the kernel with an md_image for the initial rootfs, which means the loader can verify the kernel and everything it uses before mac_veriexec is initialized. This obviates the need to touch the kernel at all.

For efficiency and flexibility of signing, we use signed 'manifest' files to carry the trusted fingerprints. These manifest files are signed using RSA or ECDSA, and an accompanying X.509 certificate chain allows one to verify that the public key was issued by a trusted entity. This approach has proven useful for more than a decade, and allowing the loader to do the same was an obvious choice for us.

Which brings me to BearSSL (www.BearSSL.org). This is a very small library designed to work in embedded environments. The author gave a talk about it at BSDCan earlier this year and it is just what I've been looking for for this project. All the code to do signature verification, fingerprint matching etc., in fact the entire mini-veriexec for the loader, adds only about 80K. Last I looked at trying to achieve the same using OpenSSL - I gave up at 6M ;-)

The question is what to do - for upstreaming any of this. Assuming of course anyone is interested in this functionality.

The changes to the loader itself are trivial. Most of the code is in libve (naming stuff is hard) which handles fingerprint loading, lookup and of course verifying signatures using code from libbearssl, which is just a reachover build of BearSSL.

I have it set up such that BearSSL need not be part of the tree at all, so there is no burning need to import it; lib/libbearssl will simply not build if ${BEARSSL} isn't defined and pointing to a BearSSL tree.

From an internal paper-work point-of-view, contrib/bearssl is attractive to me ;-), but it could just as easily be in ports or nowhere at all. If it were in contrib, then it would be feasible to leverage it for other uses in the loader that currently use libmd etc. for hashing.

Discuss ?

Thanks
--sjg
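The manifest-driven check described in the post (trusted fingerprints carried in a signed manifest, then the kernel and every module compared against them before loading, with unknown or mismatching artifacts rejected), as an added example that is not code from the post, libve or BearSSL. The manifest format, paths, file contents and key are constructed, and an HMAC tag stands in for the RSA/ECDSA signature and X.509 chain the real scheme uses, so that it runs with Python's standard library alone.

```python
import hashlib
import hmac

# Constructed placeholder key. The real scheme signs the manifest with RSA/ECDSA
# and validates the signer via an X.509 chain (BearSSL); HMAC is a stand-in here.
MANIFEST_KEY = b"constructed-example-key"

# Constructed in-memory boot artifacts: path -> bytes the loader would read.
BOOT_FILES = {
    "/boot/kernel/kernel": b"\x7fELF kernel image (constructed)",
    "/boot/kernel/zfs.ko": b"\x7fELF zfs module (constructed)",
    "/boot/kernel/evil.ko": b"\x7fELF module absent from manifest (constructed)",
}


def fingerprint(data: bytes) -> str:
    """Fingerprint of an artifact (the post mentions sha1; sha256 used here)."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Manifest body: one '<hex digest>  <path>' line per artifact, plus its tag."""
    body = "".join(f"{fingerprint(d)}  {p}\n" for p, d in files.items())
    tag = hmac.new(MANIFEST_KEY, body.encode(), "sha256").hexdigest()
    return body, tag


def load_manifest(body, tag):
    """Return path -> fingerprint, or None if the manifest signature is bad.
    Nothing in an unverified manifest is trusted."""
    expect = hmac.new(MANIFEST_KEY, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expect, tag):
        return None
    fps = {}
    for line in body.splitlines():
        digest, path = line.split(None, 1)
        fps[path] = digest
    return fps


def verify_file(fps, path, data):
    """The loader's per-artifact check: unknown path or digest mismatch => reject."""
    registered = fps.get(path)
    if registered is None:
        return False, "no registered fingerprint"
    if not hmac.compare_digest(registered, fingerprint(data)):
        return False, "fingerprint mismatch"
    return True, "ok"


def verify_boot(fps, files):
    """Return the paths the loader would refuse to load."""
    return [p for p, d in files.items() if not verify_file(fps, p, d)[0]]
```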