Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 14 Oct 2019 13:21:38 -0700
From:      "Simon J. Gerraty" <sjg@juniper.net>
To:        Clay Daniels Jr. <clay.daniels.jr@gmail.com>
Cc:        Tomasz CEDRO <tomek@cedro.info>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>, grarpamp <grarpamp@gmail.com>, <freebsd-virtualization@freebsd.org>, <sjg@juniper.net>
Subject:   Re: AMD Secure Encrypted Virtualization - FreeBSD Status?
Message-ID:  <56226.1571084498@kaos.jnpr.net>
In-Reply-To: <CAGLDxTWm-u56ZH33=cmvC986XF-eya_Vpjh8tDaHZL5Ojt=iLg@mail.gmail.com>
References:  <CAD2Ti2-2TWZEcCdyg1seHHdWRVSC9v_kuMe4f-ERo1LNdJAnmw@mail.gmail.com> <CAFYkXj=f0NEQ%2B=WQ_y8_RZtOc3-%2BHkoBreAgRM669R6s4cWSmQ@mail.gmail.com> <76102.1571079149@kaos.jnpr.net> <CAGLDxTWm-u56ZH33=cmvC986XF-eya_Vpjh8tDaHZL5Ojt=iLg@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Clay Daniels Jr. <clay.daniels.jr@gmail.com> wrote:

> Simon, please do elaborate more on your implementation. I suspect you ar=
e
> talking about libsecureboot? I have played with the generation of certs
> with OpenSSL & LibreSSL, but libsecureboot seems to take a different
> approach. Please tell us more.

Yes I meant libsecureboot.

You should be able to create keys and certs with OpenSSL.
That's all we use, but we keep all the private keys etc isolated in
signing servers.  The local.trust.mk in libsecureboot leverages the
sign.py etc described at
http://www.crufty.net/sjg/blog/signing-server.htm
(which also contains a link to the src)

But that does not alter the fact that the certs are simply those created
by an OpenSSL based CA - there are a number of good tutorials on the net
on how to setup such things.

With all that said; you may find it more useful to use OpenPGP for
signing we again use sign.py to retrieve OpenPGP public key, but you can
do all you need using nothing more than gpg

For an embedded vendor like Juniper X.509 makes a lot of sense.
For an individual or small scale, OpenPGP is likely simpler.
libsecureboot supports both, but you need to tailor local.trust.mk to
suit.

IIRC you can have local.trust.mk simply set TA_PEM_LIST etc to paths of
pre-prepared pem files containing your trust anchors and ta.h
and/or TA_ASC_LIST to a list of .asc files containing ascii armored
openpgp trust anchors.

BTW in current boot1.efi is no more, loader.efi is used.
[I'm still mucking about trying to get a VM image booting using efi...]


> =

> Clay
> =

> On Mon, Oct 14, 2019 at 1:52 PM Simon J. Gerraty via freebsd-security <
> freebsd-security@freebsd.org> wrote:
> =

> > Tomasz CEDRO <tomek@cedro.info> wrote:
> >
> > > would be really nice also to get UEFI BOOT compatible with SECURE BO=
OT
> > :-)
> >
> > Unless you are using your own BIOS, the above means getting Microsoft
> > to sign boot1.efi or similar. Shims that simply work around lack of
> > acceptible signature don't help.
> >
> > That would need to then verify loader.efi - which can be built to
> > to verify all the modules and kernel.
> >
> > In my implementation (uses the non efi loader) trust anchors are
> > embedded in loader but there is code in current to lookup trust anchor=
s
> > in /efi I think which would be more generally useful - I've not looked
> > at the attack vectors that introduces though.
> >
> > --sjg
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > https://urldefense.com/v3/__https://lists.freebsd.org/mailman/listinfo=
/freebsd-security__;!8WoA6RjC81c!TLaVmP78NH0BviSHHV_3_V0-ispe2o0I7E59vmxZ_=
8XnbmOYxeHxemscoWsaXA$ =

> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd=
.org
> > "
> >



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?56226.1571084498>