From owner-freebsd-hackers@freebsd.org Fri Oct 11 02:55:05 2019
Date: Thu, 10 Oct 2019 19:53:54 -0700
From: Doug Ambrisko
To: David Cross
Cc: FreeBSD Hackers
Subject: Re: uefisign and loader
Message-ID: <20191011025354.GA59270@ambrisko.com>
On Thu, Oct 10, 2019 at 02:29:37PM -0400, David Cross wrote:
| Ok, it appears uefisign is just outright broken; after not being able to
| boot even boot1 signed, I brought the signed image over to windows and used
| signtool verify and got the error message:
| "SignTool Error: WinVerifyTrust returned error: 0x80096010
| The digital signature of the object did not verify."
|
| This is a different error than I get from SignTool boot1.efi from an
| untrusted cert (signed via SignTool) which reports:
| "..A certificate chain processed, but terminated in a root certificate
| which is not trusted..."
|
| Anyone actually use uefisign successfully?

I've been using sbsign with patches to use an external OpenSSL engine since
our keys are stored in a corporate signing server. This worked well since
at work we have different groups running Linux as well, so having common
signing tools made things easier. Each group has their own UEFI keys.

I had authenticated updates working in FreeBSD
https://reviews.freebsd.org/D8278
Warner had some feedback. I think I incorporated it but forget. It's
been a while.

My former group has been shipping FreeBSD in UEFI secure boot mode with
their own custom keys for several years.

Doug A.
| On Mon, Oct 7, 2019 at 9:29 AM David Cross wrote:
| > On Mon, Oct 7, 2019 at 1:02 AM Warner Losh wrote:
| >> On Sun, Oct 6, 2019, 10:58 PM David Cross wrote:
| >>> I've been working on getting secureboot working under freebsd (I today
| >>> just finished off a REALLY rough tool that lets one tweak uefi
| >>> authenticated variables under freebsd, with an eye to try to get a
| >>> patch to put this into efivar). After setting the PK, the KEK, and the
| >>> db, I was super excited to finally secure-boot my machine, and
| >>> discovered that I could not uefisign loader. Attempting to sign loader
| >>> returns a cryptic: "section points inside the headers" and then hangs
| >>> in pipe-read (via siginfo). (this is under 12.0 FWIW).
| >>>
| >>> I am able to sign boot1, however boot1.efi doesn't handle GELI keys so
| >>> it's not really useful for me.
| >>>
| >>> Suggestions?
| >>
| >> Use loader.efi directly instead?
| >
| > I currently do use loader.efi directly, however not being able to sign
| > loader.efi directly complicates things a bit (using hash based signature
| > lists for the 'db' variable); and it seems we *should* be able to sign
| > loader. From some other posts on the internet it seems that at some point
| > we could.
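The "section points inside the headers" message David quotes reads like a layout check: a section whose PointerToRawData falls before SizeOfHeaders, the region Authenticode hashes separately from the section data. The script below is an added example, not code from this thread, from uefisign or from sbsign; it parses a PE/EFI image's section table and reports such sections, and `build_test_image` is a constructed minimal PE32+ stand-in, not a real loader.efi, so the exact condition uefisign tests is an assumption here.

```python
import struct

def parse_pe_sections(data: bytes):
    """Return (SizeOfHeaders, [(name, PointerToRawData, SizeOfRawData)]) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # SizeOfHeaders sits at offset 60 of both the PE32 and the PE32+ optional header.
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i          # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        sections.append((name, ptr_raw, size_raw))
    return size_of_headers, sections

def sections_inside_headers(data: bytes):
    """Names of sections whose raw data starts before the end of the headers.
    Authenticode hashes the header region and each section's raw data separately,
    so this overlap is (assumption) what a signing tool would refuse to sign."""
    hdr, sects = parse_pe_sections(data)
    return [name for name, ptr, size in sects if size and ptr < hdr]

def build_test_image(ptr_raw: int, size_of_headers: int = 0x200) -> bytes:
    """Constructed minimal PE32+ image with one .text section (a stand-in, not loader.efi)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    opt_size = 240
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x0002)  # x86-64, 1 section
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                                # PE32+ magic
    struct.pack_into("<I", opt, 60, size_of_headers)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x100, 0x1000, 0x100, ptr_raw) + b"\0" * 16
    img = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return img + b"\0" * (max(size_of_headers, ptr_raw + 0x100) - len(img))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        bad = sections_inside_headers(open(path, "rb").read())
        print(path, "OK" if not bad else "section(s) inside headers: " + ", ".join(bad))
```

Run it against the loader.efi you intend to sign; a non-empty report points at the image layout rather than at the signing key or certificate chain.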