# Building with MK_LOADER_EFI_SECUREBOOT



## SimonH (Sep 10, 2019)

Dear Approver,

according to the post below:

I think I just found that I need to build with some more options, MK_LOADER_VERIEXEC and MK_VERIEXEC.

It seems to build now, so for the moment, I'm fine. I would like to discard this post, but I apparently can't. So could you just reject it without a comment, unless of course this is of public interest (I don't think so).

Best Regards
Simon


Hi,

I am new to FreeBSD, so please bear with me.
I am trying to build the loader with MK_LOADER_EFI_SECUREBOOT and am not successful (FreeBSD 12).

When I run make in /usr/src/stand, I get the error: "implicit declaration of function 've_efi_init' is invalid in C99" in loader/main.c.

So I tried declaring this function in main.c, which leads to the following error:
'Undefined symbols in loader_4th.sym' - the missing symbol appears to be ve_efi_init.
This function I found in lib/libsecureboot/efi/efi_init.c. But if I build the whole lib folder, this file is not compiled, unless, I suppose, I compile with MK_BEARSSL. Trying to do so leads me to a lot more errors.

I also tried building the world, which led (after a long time) to the very same issue.

So, I thought, this is now the point to ask for help. Can someone give me a hint?

Best Regards
Simon


----------



## yuripv (Sep 10, 2019)

You should not specify the MK_* variables directly, and rather use the WITH_* in /etc/src.conf.  Also see src.conf(5) for the list of available options.


----------



## SimonH (Oct 25, 2019)

Thank you for your reply!

In my /etc/src.conf there is:

WITH_BEARSSL=yes
WITH_LOADER_EFI_SECUREBOOT=yes
WITH_LOADER_VERIEXEC=yes
WITH_VERIEXEC=yes

If I try to check the signature of a manifest file, bearssl tells me that it's not OK.

BTW: I mean to have found a bug there, for which I created a pull request in the hardenedBSD repo, which may be the wrong place:

unsupported hash algo should not be considered a success by Huwyler · Pull Request #14 · HardenedBSD/hardenedBSD-stable (github.com)

I've stumbled over that one. My first pull request... hope I did it correctly

If I sign the manifest using SHA512, it tells me that this is an unsupported hash algo (why?), but returns a success, so the manifest is considered signed.

My question here is if I'm doing it right if I sign the manifest (with --clearsign), for example of the kernel: /boot/kernel/manifest, then remove the first header of /boot/kernel/manifest.asc, so I end up with:

----- BEGIN PGP SIGNATURE -----

.....

---- END PGP SIGNATURE -----

If I don't remove the GPG SIGNED MESSAGE header containing the manifest itself, it won't even read the public key (can't find the tag end).

Are there any limitations for the key pair I should be aware of? I created it with openPGP just like in the README of libsecureboot (on a linux machine).

Another question: If I remove WITH_BEARSSL=yes from the conf file, I end up with the linker complaining about undefined symbols which all happen to be in libsecureboot/verify_file.c when calling make from stand/

I know the info I provided here is fuzzy, but maybe someone knows already from this, what might be the problem. Of course I would be happy to give you more information upon request.

Best regards and thank you in advance!
Simon


----------



## SirDice (Oct 25, 2019)

HardenedBSD is a derivative and not supported here.


----------



## SimonH (Oct 25, 2019)

Thank you for your response.

I know that hardenedBSD is a derivative. But I thought I'd better ask here as the code found its way into hardenedBSD via freeBSD. And the mentioned pull request would actually also apply to FreeBSD.

So is there a difference between the loader and/or libsecureboot between hardenedBSD and freeBSD?


----------



## SirDice (Oct 25, 2019)

SimonH said:


> So is there a difference between the loader and/or libsecureboot between hardenedBSD and freeBSD?


Perhaps you should ask the HardenedBSD developers?


----------

