Veriexec
Simon J. Gerraty
sjg at juniper.net
Thu Jul 12 18:15:41 UTC 2018
Simon J. Gerraty <sjg at juniper.net> wrote:
> I've been working on tweaks to libve to make it suitable for use for a
> new loader that can verify the manifest signatures.
FYI this is done, and initial testing completed.
The manifest parser/lexer are derrived from the one in Junos.
The version of mac_veriexec in tree does not yet support storing
maclabels so the veriexec util has some ifdef's to deal with that
(same as Junos where we have to worry during upgrade about
all combinations of new kernel/old util and vice versa.)
I deally I'd like to see mac_veriexec up to date, so we can avoid
all those ifdef's.
Since it relies on the trust store and verification stuff in libve
(D16155) I'm not sure there's any point posting diffs until we close on
that, and in the meantime steve may find enough time to update
mac_veriexec, though as I mentioned before work has an anoying habbit of
getting in the way.
A follow-on effort might be to allow libve to use either BearSSL (needed
for loader due to size), or OpenSSL.
--sjg
More information about the freebsd-arch
mailing list