The state of secure boot with FreeBSD

From: Andreas Kempe <kempe_at_lysator.liu.se>
Date: Wed, 24 Jan 2024 14:24:20 UTC

Hello everyone,

I've been looking at configuring my FreeBSD UEFI laptop with ZFS on
GELI with secure boot.

Using efitools[0] from Linux in a Linux VM allowed me to generate keys
that were programmed into the UEFI. The generated keys then worked
fine for signing the EFI loader using uefisign(8) on my FreeBSD
system. So far so good, but the crux is maintaining the secure boot
chain between the loader and the root file system.

One version I tried was applying the patch attached to this mail to my
loader, whitelisting the GELI header hash of my root partition. This
works, but I'm fairly sure that the loader could be manipulated with
configuration files or the creation of extra unencrypted partitions on
the drive for it to find and try to boot, making it far from an ideal
solution.

I found instructions on the FreeBSD Foundation's website[1] on how to
embed the kernel into the loader. It could be due to user error, but
when trying this, the loader simply found and booted my ZFS system
instead of the embedded kernel. Looking at the code in
stand/efi/loader/main.c seems to imply that ZFS will be tried before
the embedded image.

For verification, there are references to VERIEXEC in the loader and
in src.conf(5), but I have not been able to find any FreeBSD
documentation on how this is to be configured.

Lastly, I'm aware of the FreeBSD secure boot wiki page[2], but it has
not been updated in a few years so I don't know if it reflects the
current secure boot situation. Its status matrix indicates that secure
boot work for the loader has not been started.

Does anyone know if secure boot work is ongoing? Are there patches for
locking the loader down floating around out there? Are there
instructions I have missed or alternatives to using the EFI loader
provided in base?

Thank you for reading!
Best regards,
Andreas Kempe

[0]: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
[1]: https://freebsdfoundation.org/freebsd-uefi-secure-boot/
[2]: https://wiki.freebsd.org/SecureBoot