... | ... | @@ -40,6 +40,7 @@ Some of the branches, but not all, are listed below: |
|
|
|
|
|
1. HEAD -> hardened/current/master
|
|
|
1. stable/13 -> hardened/13-stable/master
|
|
|
1. stable/14 -> hardened/14-stable/master
|
|
|
|
|
|
# Features
|
|
|
|
... | ... | @@ -68,6 +69,38 @@ HardenedBSD has successfully implemented the following features: |
|
|
1. Kernel malloc hardening
|
|
|
1. Shared memory hardening
|
|
|
|
|
|
# Verifying Build Artifacts
|
|
|
|
|
|
The HardenedBSD build artifacts are signed with an SSH key. SSH keys are used so
|
|
|
that artifacts can be validated using only tools included in the base operating
|
|
|
system.
|
|
|
|
|
|
First, download the SSH public key:
|
|
|
|
|
|
```
|
|
|
$ fetch https://installers.hardenedbsd.org/pub/keys/ssh.pub.txt
|
|
|
```
|
|
|
|
|
|
Then download the build artifact. For purposes of this documentation, the
|
|
|
compressed memstick installation image for HardenedBSD 14-STABLE will be used.
|
|
|
|
|
|
```
|
|
|
$ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz
|
|
|
$ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz.sig
|
|
|
```
|
|
|
|
|
|
Next, generate an `allowed_signers` file which contains the SSH public key:
|
|
|
|
|
|
```
|
|
|
$ echo "hbsd-os-build-01 $(cat ssh.pub.txt)" > allowed_signers
|
|
|
```
|
|
|
|
|
|
Now the signature file can be verified:
|
|
|
|
|
|
```
|
|
|
$ ssk-keygen -Y verify -f allowed_signers -I hbsd-os-build-01 -n file -s memstick.img.xz.sig < memstick.img.xz
|
|
|
```
|
|
|
|
|
|
# Generic Kernel Options
|
|
|
|
|
|
All of HardenedBSD's features that rely on kernel code require the
|
... | ... | |
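Review bot: the verification command in the last code block of the new "Verifying Build Artifacts" section is spelled `ssk-keygen`, which will not run as written; it should read `ssh-keygen -Y verify -f allowed_signers -I hbsd-os-build-01 -n file -s memstick.img.xz.sig < memstick.img.xz`. A second point on the same section: `ssh.pub.txt` is fetched from the same installers.hardenedbsd.org host as `memstick.img.xz` and `memstick.img.xz.sig`, so as documented the check only shows that the image matches whatever key that host served. Consider publishing the key's fingerprint through a separate channel and adding a step that compares it (for example with `ssh-keygen -l -f ssh.pub.txt`) before the `allowed_signers` file is generated. It would also help to say what a successful verification looks like and that a non-zero exit status means the image should not be used.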