BSDCan2018 - 1.54

BSDCan 2018
The Technical BSD Conference

Simon Gerraty
Day Talks #1 - 8 June - 2018-06-08
Room DMS 1160
Start time 16:00
Duration 01:00
ID 922
Event type Lecture
Track Security
Language used for presentation English

Adding verification to FreeBSD loader

Secure boot is a popular topic these days.

Junos (a FreeBSD based OS) has shipped with Verified Exec (from NetBSD) for over a decade, but there is a big gap between firmware power on and veriexec enforcement.

Adding the equivalent of verified exec to the loader addresses this gap.

Fixing the loader to verify modules and kernel has been on our roadmap for ages, but trying to squeeze enough of OpenSSL into the loader to handle verification of X.509 certificate chains, was simply not feasible.

Thomas Pornin's talk last year on BearSSL, changed the game. With this tiny library in hand I was able to add verification to the FreeBSD loader in a manner compatible with Verified Exec, while adding only about 100K to the size of the loader.

This talk will discuss the background, design decisions and implementation.