Improving security of the FreeBSD boot process

Found the paper online, but have not found the video online (from either AsiaBSDCon or BSDCan) yet…

The talk describes recent security additions in the FreeBSD boot process. It will describe UEFI Secure Boot support in the FreeBSD loader and kernel. The loader is now able to parse UEFI databases of keys and certificates which are used to verify a signed FreeBSD kernel binary, using BearSSL as the cryptographic backend. FreeBSD veriexec capability is employed to verify various userland binaries and configuration files – it was extended with the ability to use UEFI trust anchors as a base for veriexec manifest verification. Additionally, TPM 2.0 devices are now supported in FreeBSD. They are most often referred to in the context of a measured boot, i.e. secure measurements and attestation of all images in the boot chain. The basic features of TPM will be described, as well as some caveats and shortcomings which may have contributed to its limited adoption. The presentation will include practical TPM use cases, such as hardening Strongswan IPSec tunnels by performing IKE-related cryptographic operations within the TPM, using private keys which never leave the device.
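As an added illustration (not code from the paper or from the FreeBSD loader), here is a Python parser for the EFI_SIGNATURE_LIST format in which the UEFI db/dbx variables store trust anchors, together with the hash-based allow/deny check that Secure Boot firmware applies to an image. It uses the EFI_CERT_SHA256 entry type rather than the X.509 certificate verification the loader does with BearSSL; the kernel bytes and the owner GUID are constructed sample values.

```python
import hashlib
import struct
import uuid

# A UEFI signature database (PK, KEK, db, dbx) is a sequence of EFI_SIGNATURE_LIST
# structures: EFI_GUID SignatureType; UINT32 SignatureListSize; UINT32 SignatureHeaderSize;
# UINT32 SignatureSize; UINT8 SignatureHeader[]; then EFI_SIGNATURE_DATA entries, each an
# EFI_GUID SignatureOwner followed by SignatureSize-16 bytes of data (a hash or a DER cert).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HDR = 16 + 4 + 4 + 4

def parse_signature_lists(blob: bytes):
    """Return [(SignatureType, SignatureOwner, SignatureData), ...] for every entry."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = list_size - LIST_HDR - hdr_size
        # Reject inconsistent size fields before using them as slice bounds.
        if body < 0 or off + list_size > len(blob) or sig_size < 16 or body % sig_size:
            raise ValueError("inconsistent size fields in EFI_SIGNATURE_LIST")
        pos, end = off + LIST_HDR + hdr_size, off + list_size
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, bytes(blob[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries

def build_signature_list(sig_type, owner, datas):
    """Serialise one EFI_SIGNATURE_LIST (no SignatureHeader) of equal-sized entries."""
    sig_size = 16 + len(datas[0])
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", LIST_HDR + len(body), 0, sig_size) + body

def image_hash_allowed(image: bytes, db: bytes, dbx: bytes) -> bool:
    """Secure Boot hash policy: the image's SHA-256 must be in db and must not be in dbx."""
    digest = hashlib.sha256(image).digest()
    def listed(var):
        return any(t == EFI_CERT_SHA256_GUID and d == digest
                   for t, _, d in parse_signature_lists(var))
    return listed(db) and not listed(dbx)

# Constructed sample data: not a real kernel image and not a real owner GUID.
KERNEL = b"constructed stand-in for /boot/kernel/kernel"
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
DB = build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [hashlib.sha256(KERNEL).digest()])
DBX = b""
```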

FreeBSD gets ASLR

Implement Address Space Layout Randomization (ASLR)

With this change, randomization can be enabled for all non-fixed mappings. It means that the base address for the mapping is selected with a guaranteed amount of entropy (bits). If the mapping was requested to be superpage aligned, the randomization honours the superpage attributes.[…]


FreeBSD 12.0 released

Highlights — from my perspective — include:

* The bsdinstall(8) utility now supports UEFI+GELI as an installation option.
* The bhyve(8) utility is now able to be run within a jail(8).

PS: There’re a few days left to purchase a FreeBSD 25th Anniversary t-shirt:

Celebrate 25 Years of FreeBSD and Support the Project Fundraiser - unisex shirt design - front


ZFS Boot Environments

As long as sysadmins need to maintain, change and update operating systems there is always a need to protect against problems that may occur during these operations. Various solutions were used, starting from simple backup/restore procedures or copying the contents of system filesystems onto spare disks, to snapshots and clones recently. None of these solutions were transparent enough or bulletproof enough to provide complete and consistent protection against failures in the change or update process. One such holy grail is the ZFS Boot Environments solution. It protects the entire system (and even additional data when needed) against almost any change or update process. As ZFS Boot Environments matured in Solaris/Illumos systems and then on FreeBSD UNIX, other systems started to copy its principles to provide similar solutions, such as snapper with BTRFS in SUSE or Boot Environment Manager for DragonFly BSD with their HAMMER filesystem. The presentation aims to walk through the history of these solutions with the focus on practical ZFS Boot Environments solutions and examples.

FreeBSD 11.2R released, with speculative execution and UEFI updates

The latest version of FreeBSD is out, and has a few speculative execution and UEFI changes, including:

[arm64] The bsdinstall(8) installer has been updated to default to UEFI-only boot. [r322254]
(Sponsored by The FreeBSD Foundation)

The efibootmgr(8) utility has been added, which is used to manipulate the EFI boot manager. [r332126]
(Sponsored by Netflix)

The cpucontrol(8) utility has been updated to include a new flag, -e, which is used to re-evaluate reported CPU features after applying firmware updates. [r327871]
Note: The cpucontrol(8) -e flag should only be used after microcode updates have been applied to all CPUs in the system, otherwise system instability may be experienced if processor features are not identical across the system.

FreeBSD-SA-18:03.speculative_execution 14 March 2018.  Speculative Execution Vulnerabilities
Note: This advisory addresses the most significant issues for FreeBSD 11.x on amd64 CPUs. We expect to update this advisory to include i386 and other CPUs.

PS4 4.55 BPF Race Condition Kernel Exploit Writeup

Cryptogenic Update PS4 4.55 BPF Race Condition Kernel Exploit Writeup

Note: While this bug is primarily interesting for exploitation on the PS4, this bug can also potentially be exploited on other unpatched platforms using FreeBSD if the attacker has read/write permissions on /dev/bpf, or if they want to escalate from root user to kernel code execution. As such, I’ve published it under the “FreeBSD” folder and not the “PS4” folder.[…]

FreeBSD bhyve UEFI support improved

MFC: r316746 Add UEFI support to

-E: Use UEFI mode
-f: path to UEFI firmware image (default: path to uefi-edk2-bhyve package)
-F: UEFI framebuffer size (default: w=1024,h=768)
-L: IP to listen for VNC connections on (default:
-P: Port to listen for VNC connections on (default: 5900)
-T: Enable tablet device (for VNC)
-v: Wait for VNC client before booting VM


dual-booting FreeBSD or Windows

Kevin Bowling has an article that shows how to set up a UEFI system to work with FreeBSD — including ZFS on root — and another UEFI OS like Windows.

I’m not sure if this article is an improved version of or just a rebroadcast of:


FreeBSD 11.0 RC released

The first release candidate of FreeBSD 11.0-STABLE is out. Below is an excerpt of some of the changes from their release notes:

Initial support for the ARM AArch64 architecture has been added. [r280259] (Sponsored by The FreeBSD Foundation)

Initial ACPI support has been added for FreeBSD/aarch64. [r284273] (Sponsored by The FreeBSD Foundation)

The uefisign(8) utility has been added. [r279315] (Sponsored by The FreeBSD Foundation)

Support for bzipfs has been added to the EFI loader. [r279950]

The mkimg(1) utility has been updated to support the MBR EFI partition type. [r276893] (Sponsored by The FreeBSD Foundation)

The gpart(8) utility has been updated to include a new attribute for GPT partitions, lenovofix, which when set works around BIOS compatibility issues reported on several Lenovo ™ laptops. [r285594] (Sponsored by ScaleEngine, Inc.)

[arm] The arm boot loader, ubldr, is now relocatable. In addition, ubldr.bin is now created during build time, which is a stripped binary with an entry point of 0, providing the ability to specify the load address by running go ${loadaddr} in u-boot. [r282731]

Support for the “Virtual Interrupt Delivery” feature of Intel® VT-x is enabled if supported by the CPU. This feature can be disabled by running sysctl hw.vmm.vmx.use_apic_vid=0. Additionally, to persist this setting across reboots, add hw.vmm.vmx.use_apic_vid=0 to /etc/sysctl.conf. [r260410]

Support for “Posted Interrupt Processing” is enabled if supported by the CPU. This feature can be disabled by running sysctl hw.vmm.vmx.use_apic_pir=0. Additionally, to persist this setting across reboots, add hw.vmm.vmx.use_apic_pir=0 to /etc/sysctl.conf. [r260532]

Support for running a FreeBSD/amd64 Xen guest instance as PVH guest has been added. PVH mode, short for “Para-Virtualized Hardware”, uses para-virtualized drivers for boot and I/O, and uses hardware virtualization extensions for all other tasks, without the need for emulation. [r267536] (Sponsored by Citrix Systems R&D)

The bhyve(8) hypervisor has been updated to support AMD® processors with SVM and AMD-V hardware extensions. [r273375]

The Hyper-V™ drivers have been updated with several enhancements: [r282212] (Sponsored by Microsoft Open Source Technology Center)

A new device control utility, devctl(8) has been added, which allows making administrative changes to individual devices, such as attaching and detaching drivers, and enabling and disabling devices. The devctl(8) utility uses the new devctl(3) library. [r278320]

The pciconf(8) utility has been updated to use the PCI ID database from the misc/pciids package, if present, falling back to the PCI ID database in the FreeBSD base system. [r287522]

The acpi(4) subsystem has been updated to version 20150818. [r287168]

ACPICA has been updated to version 20160527. [r300879]

Firmware for Intel® Centrino™ Wireless-N 105 devices has been added to the base system. [r260552]

The stack protector has been upgraded to the “strong” level, elevating the protection against buffer overflows. While this significantly improves the security of the system, extensive testing was done to ensure there are no measurable side effects in performance or functionality. [r288669]

An issue that could cause a system to hang when entering ACPI S3 state (suspend to RAM) has been corrected in the acpi(4) and pci(4) drivers. [r274386]

Full relnotes:

FreeBSD UEFI status update

FreeBSD’s quarterly status update is out.

There’s two entries on UEFI, excerpted below:

EFI Refactoring and GELI Support: The EFI bootloader has undergone considerable refactoring to make more use of the EFI API. The filesystem code in boot1 has been eliminated, and a single codebase for filesystems now serves both boot1 and loader. This codebase is organized around the EFI driver model and it should be possible to export any filesystem implementation as a standalone EFI driver without too much effort. Both boot1 and loader have been refactored to utilize the EFI_SIMPLE_FILE_SYSTEM interface. In the loader, this is accomplished with a dummy filesystem driver that is just a translation layer between the loader filesystem interface and EFI_SIMPLE_FILE_SYSTEM. A reverse translation layer allows the existing filesystem drivers to function as EFI drivers. The EFI refactoring by itself exists in a branch on github. Additionally, GELI support has been added using the EFI refactoring. This allows booting from a GELI-encrypted filesystem. Note that the EFI system partition, which contains boot1, must be a plaintext msdosfs partition. This patch adds an intake buffer to the crypto framework, which allows injection of keys directly into a loaded kernel, without the need to pass them through arguments or environment variables. This patch only uses the intake buffer for EFI GELI support, as legacy BIOS GELI support still uses environment variables. EFI GELI support depends on the efize branch. These patches have been tested and used and should be able to handle use by early adopters. Note that the LOADER_PATH variable has been changed to /boot/loader.tst, to facilitate safe testing.

loader.efi has been updated to use an event timer to implement its internal time function. This is needed, as many UEFI implementations do not handle the GetTime runtime service method. This means that loader.efi will now correctly count down before automatically booting.

BSSSD: Trusted Computing for FreeBSD and OpenBSD

Excerpting the recent TCG announcement:

BSSSD: Trusted Computing now available for FreeBSD and OpenBSD: All pieces to utilize Trusted Computing and build Trusted Computing applications on FreeBSD and OpenBSD have been made available by the BSSSD-project.

Software components:
 * TPM device driver for the FreeBSD-kernel
 * TPM device driver for the OpenBSD-kernel
 * TCG Software Stack TrouSerS
 * TrustedGRUB boot-loader
 * TPM-Tools
 * OpenSSL-TPMengine
 * OpenCryptoKi
 * TPM-Emulator
 * TPM-Testsuite

Kernel drivers were developed for the following TPMs:
 * Atmel 97SC3203
 * Broadcom BCM0102
 * Infineon IFX SLB 9635 TT 1.2
 * Intel INTC0102
 * Sinosun SNS SSX35
 * STM ST19WP18
 * Winbond WEC WPCT200
 * TPMemulator

FreeBSD 10.3 released

Marius Strobl announced FreeBSD 10.3, with changes to UEFI, amongst other updates and new features. An excerpt of the highlights listed in the announcement:

* The UEFI boot loader received several improvements: It now follows /boot/config and /boot.config files, multi-device boot support works and command line arguments are parsed. Additionally, its framebuffer driver has been enhanced with GOP (Graphics Output Protocol) and UGA (Universal Graphics Adapter) handling, allowing the current graphics mode to be set on systems using one of these methods. Moreover, ZFS boot capability has been added to the UEFI boot loader, including support for multiple ZFS Boot Environments (BEs), e.g. those provided by sysutils/beadm.

* The bsdinstall(8) utility has been updated to allow for creating root-on-ZFS installations on UEFI-based systems in automatic mode.

* The mkimg(1) utility has been updated to support NTFS file systems in both GPT and MBR partitioning schemes.

* And much more …

More information:


FreeBSD 10.3.b3 adds new commands to UEFI boot loader

Marius Strobl of the FreeBSD project has announced FreeBSD 10.3-BETA3. In terms of UEFI, there are two new UEFI bootloader commands, ‘gop’ and ‘uga’:

Two new commands have been added to the amd64 framebuffer driver of the UEFI boot loader. The first is `gop` (as in Graphics Output Protocol), which allows diagnosing problems with efifb(4) but also setting the current graphics mode on machines employing GOP. With `uga` (as in Universal Graphics Adapter), it is possible to do the same on systems using the UGA protocol, which mainly translates to Apple hardware. The latter change also generally introduced UGA support and currently hardcodes the necessary settings for mid-2007 iMacs (iMac7,1) and late-2007 MacBooks (MacBook3,1). But it is likewise possible to manually supply the necessary information for additional systems.

FreeBSD 10.3.beta2’s UEFI changes

Excerpting Phoronix:

Over the past week there were some fixes/improvements around FreeBSD’s UEFI support, “The UEFI ZFS loader has been updated to support the latest ZFS Boot Environment (BE) loader menu features” and “The UEFI boot loader received several improvements: /boot/config and /boot.config files now are adhered to, multi device boot support works and command line argument parsing has been added.”

FreeBSD gets EFI ZFS boot support

Add EFI ZFS boot support: This builds on the modular EFI loader support added in r294060, adding a module to provide ZFS boot support on EFI systems. It should be noted that EFI uses a fixed size memory block for all allocations performed by the loader so it may be necessary to tune this size. For example when building an image which uses mfs_root e.g. mfsbsd, adding the following to /etc/make.conf would be needed to prevent EFI from running out of memory when loading the mfs_root image.


FreeBSD’s 2015 UEFI update

The FreeBSD Foundation’s December 2015 (end-of-year) update, summarizing their development efforts, mentions firmware (as well as improvements to x86 hardware support and AArch64 support):


UEFI and secure boot: FreeBSD’s UEFI boot support needs to interoperate with many different EFI firmware implementations, and it’s only after broad testing that we were able to identify some incompatibilities. Through effort from Foundation staff and from volunteers in the FreeBSD community we’ve fixed UEFI boot on a variety of hardware and virtualization platforms, including Apple Macbook and Mac Pro computers and VirtualBox and VMware. These improvements will be available in FreeBSD 11.0 and 10.3. We also started working on support for secure boot. To date we’ve been working on individual tools — the uefisign(8) utility to add Authenticode signatures to EFI files, and the sysutils/pesign, sysutils/sbsigntool and sysutils/shim ports. Next year we’ll integrate these components into a broader secure boot implementation.

More information: click on the tiny-URL PDF in the below tweet: