Since we can now add OpenPGP trust anchors at runtime,
ensure the latent support is available.
Ensure we do not add duplicate keys to trust store.
Also allow reporting names of trust anchors added/revoked
We only do this for loader and only after initializing trust store.
Thus only changes to initial trust store will be logged.
Reviewed by: stevek
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D20700
During boot we only want to measure things which *must*
be verified - this should provide more deterministic ordering.
Reviewed by: stevek
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D20297
sbin/veriexec will ignore entries that have no hash anyway,
but loader needs to be explicitly told that such files are
ok to ignore (not verify).
We will report as Unverified depending on verbose level,
but with no reason - because we are not rejecting the file.
Reviewed by: imp, mindal_semihalf
Sponsored by: Juniper Networks
MFC After: 1 week
Differential Revision: https://reviews.freebsd.org//D20018
