still mucking about trying to get a VM image booting using efi...]
>
> Clay
>
> On Mon, Oct 14, 2019 at 1:52 PM Simon J. Gerraty via freebsd-security <
> freebsd-security@freebsd.org> wrote:
>
> > Tomasz CEDRO wrote:
> >
> > > would be really nice a
Tomasz CEDRO wrote:
> would be really nice also to get UEFI BOOT compatible with SECURE BOOT :-)
Unless you are using your own BIOS, the above means getting Microsoft
to sign boot1.efi or similar. Shims that simply work around lack of
acceptable signature don't help.
That would need to then ver
> - and/or change listening port of sshd
Yes, I used to get lots of probes to sshd from China etc,
some years ago, moved inbound to a high numbered port...
no more noise.
___
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/l
Eric McCorkle wrote:
> Overall, I think LibreSSL is the best option, though there needs to be
> some investigation into how easily it can be used for kernel and
> boot-loader purposes. Things like libsodium are too narrow in their
> focus, and BearSSL is too new.
Our userland veriexec binary use
Eric McCorkle wrote:
> * BearSSL's design seemingly lends itself to acting as a userland,
> kernel, and bootloader library. On the other hand, it's new (which
> means it will need to be reviewed by crypto experts and thoroughly
> tested), and has one developer at this point.
BearSSL is indeed ve
Garrett Wollman wrote:
> Since packages are already distributed with signatures over the entire
> package manifest, it would be nice if you could use the package system
> to feed this.
Yes, that's what we do in Junos.
The Junos package system relies on veriexec to verify packages and their
conte
Eric McCorkle wrote:
> > Any thoughts on how to validate executables which are not elf binaries,
> > such as shell scripts, python programs, etc?
>
> I hadn't really thought in depth about it, as my main initial goal is
> signed kernel/modules, but I have given it some thought...
>
> An alterna