From owner-freebsd-virtualization@freebsd.org Mon Oct 14 20:21:48 2019 Return-Path: Delivered-To: freebsd-virtualization@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 0AE48136264; Mon, 14 Oct 2019 20:21:48 +0000 (UTC) (envelope-from sjg@juniper.net) Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.pphosted.com", Issuer "Thawte RSA CA 2018" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46sVMZ5gHpz3Kxc; Mon, 14 Oct 2019 20:21:46 +0000 (UTC) (envelope-from sjg@juniper.net) Received: from pps.filterd (m0108163.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id x9EKL3In003404; Mon, 14 Oct 2019 13:21:43 -0700 Received: from nam05-by2-obe.outbound.protection.outlook.com (mail-by2nam05lp2059.outbound.protection.outlook.com [104.47.50.59]) by mx0b-00273201.pphosted.com with ESMTP id 2vmvsn89e5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 14 Oct 2019 13:21:43 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BzjNyY0hqdJNw0JtsZQnau6OMTMmRv1LD5LNA6h2+Hgk0eKTR++kilp9CtmGFYCkywIVmObbopUReNC7/f/QAv2sgTpeJo705rhaTDhdwCsVQ23jN2x9TRc0UJZCyNwkgMxlmKyERfeZKFuQYRen2hoAdf9cmLBYc4/qAeR+wBzOlwhcP0J2P67L9zXZ5WARTuBuuUoMxRF8M+Bd54Lz/knJlplCe0OV/K8fykJ6C8AppgpSX+A89dWiz9wVLCiWOL3mcH3vmynF/eP/KZIbVSMzlQ/bChyh1K3+CdTMxbN7aIDjll/TPXfbjDXKqwER3axHL08U1wa6S+LenqL86w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QU6b2+J+lZWDOAHqhtlg3vvyfCiPZRQjdNFopsuO0u4=; b=E/QdLKDhLzB3tA15IqqdVcYuIJaJJEbgO/9WfJijFQTshlIhTTpqrcV7MMsej6ZFnZ67ndH0mERGijYK3PISm58/TK3P0qs+dIIiGe0k3KfMMJIY2Rlz4DoxPHTUpEZhEcwdXk6QxPK/9M3fVV1bPirFQjwOgKOtKLSohzfosoXkgt+Y8sf2uOiqbCxCZ1SwFY2ZR2eKUm/UUxIEfaHx3j5p5uSY8XG7Jr88731sWrQPClKVY9Vf5ukGZ4wb558bCe/Hi068wOsc8Drh1tobQAfo0kg87IlPhISaSJDEzTYqNen9P/lj5/Wy4/r8RQGTYpuCIkIAylzOdW1cxPbQ+g== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=softfail (sender ip is 66.129.239.12) smtp.rcpttodomain=freebsd.org smtp.mailfrom=juniper.net; dmarc=fail (p=reject sp=reject pct=100) action=oreject header.from=juniper.net; dkim=none (message not signed); arc=none Received: from BN6PR05CA0001.namprd05.prod.outlook.com (2603:10b6:405:39::14) by BYAPR05MB4773.namprd05.prod.outlook.com (2603:10b6:a03:4e::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2347.15; Mon, 14 Oct 2019 20:21:40 +0000 Received: from BY2NAM05FT028.eop-nam05.prod.protection.outlook.com (2a01:111:f400:7e52::207) by BN6PR05CA0001.outlook.office365.com (2603:10b6:405:39::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2347.16 via Frontend Transport; Mon, 14 Oct 2019 20:21:40 +0000 Received-SPF: SoftFail (protection.outlook.com: domain of transitioning juniper.net discourages use of 66.129.239.12 as permitted sender) Received: from P-EXFEND-EQX-01.jnpr.net (66.129.239.12) by BY2NAM05FT028.mail.protection.outlook.com (10.152.100.165) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2367.5 via Frontend Transport; Mon, 14 Oct 2019 20:21:39 +0000 Received: from P-EXBEND-EQX-01.jnpr.net (10.104.8.52) by P-EXFEND-EQX-01.jnpr.net (10.104.8.54) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 14 Oct 2019 13:21:39 -0700 Received: from p-mailhub01.juniper.net (10.104.20.6) by P-EXBEND-EQX-01.jnpr.net (10.104.8.52) with Microsoft SMTP Server (TLS) id 15.0.1367.3 via Frontend Transport; Mon, 14 Oct 2019 13:21:38 -0700 Received: from kaos.jnpr.net (kaos.jnpr.net [172.23.50.162]) by p-mailhub01.juniper.net (8.14.4/8.11.3) with ESMTP id x9EKLcPb012775; Mon, 14 Oct 2019 13:21:38 -0700 (envelope-from sjg@juniper.net) Received: by kaos.jnpr.net (Postfix, from userid 1377) id 69FB43467A; Mon, 14 Oct 2019 13:21:38 -0700 (PDT) Received: from kaos.jnpr.net (localhost [127.0.0.1]) by kaos.jnpr.net (Postfix) with ESMTP id 6981234679; Mon, 14 Oct 2019 13:21:38 -0700 (PDT) To: Clay Daniels Jr. CC: Tomasz CEDRO , "freebsd-security@freebsd.org" , "freebsd-current@freebsd.org" , grarpamp , , Subject: Re: AMD Secure Encrypted Virtualization - FreeBSD Status? In-Reply-To: References: <76102.1571079149@kaos.jnpr.net> Comments: In-reply-to: "Clay Daniels Jr." message dated "Mon, 14 Oct 2019 14:18:18 -0500." From: "Simon J. Gerraty" X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 26.1 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <54832.1571084498.1@kaos.jnpr.net> Content-Transfer-Encoding: quoted-printable Date: Mon, 14 Oct 2019 13:21:38 -0700 Message-ID: <56226.1571084498@kaos.jnpr.net> X-EXCLAIMER-MD-CONFIG: e3cb0ff2-54e7-4646-8a04-0dae4ac7b136 X-EOPAttributedMessage: 0 X-MS-Office365-Filtering-HT: Tenant X-Forefront-Antispam-Report: CIP:66.129.239.12; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(376002)(396003)(136003)(39860400002)(346002)(199004)(189003)(23726003)(81156014)(8676002)(107886003)(117636001)(6266002)(6246003)(81166006)(97756001)(7696005)(76176011)(966005)(5660300002)(55016002)(86362001)(9686003)(6916009)(50226002)(6306002)(476003)(126002)(46406003)(7126003)(2906002)(53546011)(486006)(336012)(54906003)(356004)(76506006)(11346002)(186003)(26005)(478600001)(50466002)(14444005)(4326008)(47776003)(45080400002)(446003)(70206006)(8936002)(8746002)(70586007)(316002)(97876018)(305945005)(53416004)(229853002)(2690400003)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR05MB4773; H:P-EXFEND-EQX-01.jnpr.net; FPR:; SPF:SoftFail; LANG:en; PTR:InfoDomainNonexistent; A:1; MX:1; X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 7aedafa5-d975-4596-367e-08d750e41f14 X-MS-TrafficTypeDiagnostic: BYAPR05MB4773: X-MS-Exchange-PUrlCount: 2 X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:9508; X-Forefront-PRVS: 01901B3451 X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: NrpZk69hHtIEZ4YfybJ+CkAnDM6GolxLuv0x8UThUbLi4BnIff0UHF8mSym5cjZKjdo+c4SH/xeHQvLHzDTpcWQcUY1jA8gZ+zZDxfqJSGMfMC/uBLjQdyF1sTzAlBDOQwNm3gyqIwNrD46VsHySBm0hTm4YRCQga1KIDlsq5Rh7m4k25OtNpEC5005le+iScbq7uUzeGrmCU1URcGd1oSBp1pg/0LstkKPClgausQTD85jrd21Jz/MIgw7oZfJTQf7SaZumo7R+a7cA941H4dEGblwzP22xsFk5tyAeWbKtxhuoo40NV3ozXxMWX+esgQ43q01IQCGxzJLmc4W63vpAV691hegy/F3jyXSSnTcMGMBpps77tIiLUyOuQjx3kVbnvn6M6Qf4XmyTYJTklcOxcO3aiIRt5y+lmQPvjH2ArQ+f3z+Y7KladSaZrKu4IC/H4Klix8JZ+HSuEAdJUA== X-OriginatorOrg: juniper.net X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Oct 2019 20:21:39.9637 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 7aedafa5-d975-4596-367e-08d750e41f14 X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4 X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bea78b3c-4cdb-4130-854a-1d193232e5f4; Ip=[66.129.239.12]; Helo=[P-EXFEND-EQX-01.jnpr.net] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB4773 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,1.0.8 definitions=2019-10-14_10:2019-10-11,2019-10-14 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 mlxscore=0 malwarescore=0 spamscore=0 phishscore=0 adultscore=0 clxscore=1011 priorityscore=1501 impostorscore=0 lowpriorityscore=0 suspectscore=1 bulkscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1908290000 definitions=main-1910140169 X-Rspamd-Queue-Id: 46sVMZ5gHpz3Kxc X-Spamd-Bar: -- X-Spamd-Result: default: False [-2.53 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[juniper.net:s=PPS1017]; RCVD_COUNT_SEVEN(0.00)[10]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:67.231.152.164]; IP_SCORE(-0.93)[ip: (-2.15), ipnet: 67.231.152.0/24(-0.94), asn: 22843(-1.49), country: US(-0.05)]; TAGGED_RCPT(0.00)[]; MIME_GOOD(-0.10)[text/plain]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; TO_MATCH_ENVRCPT_SOME(0.00)[]; DKIM_TRACE(0.00)[juniper.net:+]; DMARC_POLICY_ALLOW(-0.50)[juniper.net,reject]; RCPT_COUNT_SEVEN(0.00)[7]; RCVD_TLS_LAST(0.00)[]; FREEMAIL_TO(0.00)[gmail.com]; RCVD_IN_DNSWL_LOW(-0.10)[164.152.231.67.list.dnswl.org : 127.0.3.1]; SUBJECT_ENDS_QUESTION(1.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:22843, ipnet:67.231.152.0/24, country:US]; ARC_ALLOW(-1.00)[i=1]; SUSPICIOUS_RECIPS(1.50)[]; FROM_EQ_ENVFROM(0.00)[] X-BeenThere: freebsd-virtualization@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Discussion of various virtualization techniques FreeBSD supports." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Oct 2019 20:21:48 -0000 Clay Daniels Jr. wrote: > Simon, please do elaborate more on your implementation. I suspect you ar= e > talking about libsecureboot? I have played with the generation of certs > with OpenSSL & LibreSSL, but libsecureboot seems to take a different > approach. Please tell us more. Yes I meant libsecureboot. You should be able to create keys and certs with OpenSSL. That's all we use, but we keep all the private keys etc isolated in signing servers. The local.trust.mk in libsecureboot leverages the sign.py etc described at http://www.crufty.net/sjg/blog/signing-server.htm (which also contains a link to the src) But that does not alter the fact that the certs are simply those created by an OpenSSL based CA - there are a number of good tutorials on the net on how to setup such things. With all that said; you may find it more useful to use OpenPGP for signing we again use sign.py to retrieve OpenPGP public key, but you can do all you need using nothing more than gpg For an embedded vendor like Juniper X.509 makes a lot of sense. For an individual or small scale, OpenPGP is likely simpler. libsecureboot supports both, but you need to tailor local.trust.mk to suit. IIRC you can have local.trust.mk simply set TA_PEM_LIST etc to paths of pre-prepared pem files containing your trust anchors and ta.h and/or TA_ASC_LIST to a list of .asc files containing ascii armored openpgp trust anchors. BTW in current boot1.efi is no more, loader.efi is used. [I'm still mucking about trying to get a VM image booting using efi...] > = > Clay > = > On Mon, Oct 14, 2019 at 1:52 PM Simon J. Gerraty via freebsd-security < > freebsd-security@freebsd.org> wrote: > = > > Tomasz CEDRO wrote: > > > > > would be really nice also to get UEFI BOOT compatible with SECURE BO= OT > > :-) > > > > Unless you are using your own BIOS, the above means getting Microsoft > > to sign boot1.efi or similar. Shims that simply work around lack of > > acceptible signature don't help. > > > > That would need to then verify loader.efi - which can be built to > > to verify all the modules and kernel. > > > > In my implementation (uses the non efi loader) trust anchors are > > embedded in loader but there is code in current to lookup trust anchor= s > > in /efi I think which would be more generally useful - I've not looked > > at the attack vectors that introduces though. > > > > --sjg > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > https://urldefense.com/v3/__https://lists.freebsd.org/mailman/listinfo= /freebsd-security__;!8WoA6RjC81c!TLaVmP78NH0BviSHHV_3_V0-ispe2o0I7E59vmxZ_= 8XnbmOYxeHxemscoWsaXA$ = > > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd= .org > > " > >