Enable veriexec for 13 Beta 1
Simon J. Gerraty
sjg at juniper.net
Thu Feb 11 01:34:52 UTC 2021
dan_partelly at rdsor.ro wrote:
> Hey guys,
>
> What are the config knobs for enabling the veriexec driver and veriexec
> mac modules for testing and playing with this new subsystem? The user mode
> knob for the user mode tool and lib is documented in man src.conf. Thanks!
You would want...
options MAC
options MAC_VERIEXEC
options MAC_VERIEXEC_SHA256
options MAC_VERIEXEC_SHA384
Oh, sys/conf/files needs a tweak; see below.
sha256 hashes are good for now, but best to have support for bigger in
place.
You will want WITH_BEARSSL=1, which will enable VERIEXEC for the kernel
and LOADER_VERIEXEC, LOADER_VERIEXEC_VECTX and LOADER_EFI_SECUREBOOT.
Also you need to configure lib/libsecureboot/local.trust.mk to provide
the trust anchors; this is used by sbin/veriexec - the tool that loads
manifests into the kernel - as well as the loader if LOADER_VERIEXEC is enabled.
You'll need this diff:
diff --git a/sys/conf/files b/sys/conf/files
index 1abfadb1e8d8eb347c2caa8e92a1d86375dc61af..459fcddd693b89d50c9fecfb6cc93515b2799cb6 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -3450,7 +3450,7 @@ dev/videomode/videomode.c optional videomode
dev/videomode/edid.c optional videomode
dev/videomode/pickmode.c optional videomode
dev/videomode/vesagtf.c optional videomode
-dev/veriexec/verified_exec.c optional veriexec mac_veriexec
+dev/veriexec/verified_exec.c optional mac_veriexec
dev/vge/if_vge.c optional vge
dev/viapm/viapm.c optional viapm pci
dev/virtio/virtio.c optional virtio
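Review bot: the rationale for this hunk is not stated in the post; the edited line drops the `veriexec` token from `optional veriexec mac_veriexec`, so `dev/veriexec/verified_exec.c` is compiled whenever `options MAC_VERIEXEC` is set rather than only when a `veriexec` device is also configured, which matches the kernel config lines above (they list `options MAC_VERIEXEC` and no `device veriexec`). Suggest saying so in the commit message and confirming that no other `sys/conf/files` entry or kernel config still keys on the `veriexec` device token, since those would now be out of step with this line.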
More information about the freebsd-current mailing list