From: Benjamin Kaduk
Date: Sat, 10 Jan 2015 02:41:37 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r46187 - head/en_US.ISO8859-1/htdocs/news/status

Author: bjk
Date: Sat Jan 10 02:41:36 2015
New Revision: 46187
URL: https://svnweb.freebsd.org/changeset/doc/46187

Log:
  Add Secure Boot entry

  Approved by: hrs (mentor, blanket)

Modified:
  head/en_US.ISO8859-1/htdocs/news/status/report-2014-10-2014-12.xml

Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2014-10-2014-12.xml ============================================================================== --- head/en_US.ISO8859-1/htdocs/news/status/report-2014-10-2014-12.xml Sat Jan 10 02:29:44 2015 (r46186) +++ head/en_US.ISO8859-1/htdocs/news/status/report-2014-10-2014-12.xml Sat Jan 10 02:41:36 2015 (r46187) @@ -2100,4 +2100,63 @@ Sandvine Inc. + + Secure Boot + + + + + Edward Tomasz + Napierała + + trasz@FreeBSD.org + + + + + + + + +

UEFI Secure Boot is a mechanism that requires boot drivers + and operating system loaders to be cryptographically signed by an + authorized key. It will refuse to execute any software that is not + correctly signed, and is intended to secure boot drivers and + operating system loaders from malicious tampering or + replacement.

+ +

This project will deliver the initial phase of secure boot + support for &os; and consists of:

+ +
    +
  • creating ports/packages of the gnu-efi toolchain, + Matthew Garrett’s shim loader, and sbsigntools
  • +
  • extending the shim to provide an API for boot1.efi to + load and verify binaries signed by keys known to the shim
  • +
  • writing uefisign(8), a BSD-licensed utility to sign EFI + binaries using Authenticode, as mandated by UEFI + specification.
  • +
+ + + The &os; Foundation + + + +

Ensure the signature format properly matches UEFI spec + requirements.

+
+ + +

Verify correctly signed, incorrectly signed, and + unsigned loader components are handled properly.

+
+ + +

Investigate signed kernel ELF objects (including + modules).

+
+
+
+
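Review bot: The uefisign(8) list item reads "as mandated by UEFI specification", which is missing its article, and the first open task abbreviates the same document as "UEFI spec"; suggest "as mandated by the UEFI specification" and "UEFI specification requirements" so both refer to it the same way. The entry also switches between "UEFI Secure Boot" in the opening paragraph and lowercase "secure boot support" in the second; pick one capitalization for the feature name. In the opening paragraph, "It will refuse to execute" has no clear subject since the preceding noun is "an authorized key"; naming the firmware there would make the enforcement point explicit. Finally, the file lives under en_US.ISO8859-1 while the added lines show "Napierała" and a typographic apostrophe in "Garrett’s"; if those are literal characters in the XML rather than entities, neither is representable in ISO 8859-1 and they should be written as entities.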