Enable veriexec for 13 Beta 1

Simon J. Gerraty sjg at juniper.net
Thu Feb 11 01:34:52 UTC 2021


dan_partelly at rdsor.ro wrote:

> [External Email. Be cautious of content]
> 
> 
> Hey guys,
> 
> What are the config knobs for enabling the veriexec driver and veriexec
> mac modules for testing and playing with this new subystem ? User mode
> knob for user mode tool and lib is documented in man src.conf Thanks !

You would want...

options		MAC
options 	MAC_VERIEXEC
options 	MAC_VERIEXEC_SHA256
options 	MAC_VERIEXEC_SHA384

oh sys/conf/files needs a tweak see below.

sha256 hashes are good for now, but best to have support for bigger in
place.

You will want WITH_BEARSSL=1 which will enable VERIEXEC for kernel
and LOADER_VERIEXEC, LOADER_VERIEXEC_VECTX and LOADER_EFI_SECUREBOOT

Also you need to configure lib/libsecureboot/local.trust.mk to provide
the trust anchors, this is used by sbin/veriexec - the tool that loaded
manifests into kernel as well as loader if LOADER_VERIEXEC are enabled.

you'll need this diff

diff --git a/sys/conf/files b/sys/conf/files
index 1abfadb1e8d8eb347c2caa8e92a1d86375dc61af..459fcddd693b89d50c9fecfb6cc93515b2799cb6 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -3450,7 +3450,7 @@ dev/videomode/videomode.c		optional videomode
 dev/videomode/edid.c			optional videomode
 dev/videomode/pickmode.c		optional videomode
 dev/videomode/vesagtf.c			optional videomode
-dev/veriexec/verified_exec.c	optional veriexec mac_veriexec
+dev/veriexec/verified_exec.c	optional mac_veriexec
 dev/vge/if_vge.c		optional vge
 dev/viapm/viapm.c		optional viapm pci
 dev/virtio/virtio.c			optional	virtio


More information about the freebsd-current mailing list