
Adding verification to FreeBSD loader

Formal Metadata

Title
Adding verification to FreeBSD loader
Subtitle
aka; loader verified exec
Title of Series
Number of Parts
45
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Secure boot is a popular topic these days. Junos (a FreeBSD-based OS) has shipped with Verified Exec (from NetBSD) for over a decade, but there is a big gap between firmware power-on and veriexec enforcement. Adding the equivalent of verified exec to the loader addresses this gap. Fixing the loader to verify modules and kernel has been on our roadmap for ages, but trying to squeeze enough of OpenSSL into the loader to handle verification of X.509 certificate chains was simply not feasible. Thomas Pornin's talk last year on BearSSL changed the game. With this tiny library in hand I was able to add verification to the FreeBSD loader in a manner compatible with Verified Exec, while adding only about 100K to the size of the loader. This talk will discuss the background, design decisions and implementation.