Import BearSSL ? (Adding verification to loader)
Jov
amutu at amutu.com
Thu Aug 31 01:55:39 UTC 2017
+1
I use zfs+geli encrypted root for several VPS,as the bootpool is not
encrypted, I am always worried that someone may replace my kernel or kernel
module.(I know 11.x support full disk encrypt without bootpool but an
upgrade is not a choice now).
Jov
2017-08-31 9:21 GMT+08:00 Daniel Eischen <deischen at freebsd.org>:
> On Wed, 30 Aug 2017, Ian Lepore wrote:
>
> On Wed, 2017-08-30 at 14:55 -0700, Simon J. Gerraty wrote:
>>
>>> Hi,
>>>
>>> Background:
>>>
>>> I've been adding what amounts to a mini "verified exec" to the freebsd
>>> loader for use in Junos.
>>>
>>> What this means is that the loader verifies the kernel and all the
>>> modules before loading them, and can reject anything for which a
>>> registered fingerprint (eg. sha1 hash) does not match.
>>>
>> [ ... ]
>
>>
>> We need this exact feature (verification of kernel and modules) for an
>> upcoming product at work. Including the library code in contrib
>> certainly sounds attractive to me, too.
>>
>> I wouldn't be surprised if interest in this goes beyond those of us
>> building embedded appliances.
>>
>
> Indeed, why couldn't it be enabled by default for FreeBSD.org
> packaged distribs? Or am I jumping the gun by a few years?
>
> --
> DE
>
> _______________________________________________
> freebsd-arch at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-arch
> To unsubscribe, send any mail to "freebsd-arch-unsubscribe at freebsd.org"
>
More information about the freebsd-arch
mailing list