svn commit: r344568 - in head/stand: . common ficl ficl32 i386/loader liblua libsa libsa32
Simon J. Gerraty
sjg at FreeBSD.org
Tue Feb 26 06:22:15 UTC 2019
Author: sjg
Date: Tue Feb 26 06:22:10 2019
New Revision: 344568
URL: https://svnweb.freebsd.org/changeset/base/344568
Log:
Enable veriexec for loader
This relies on libbearssl and libsecureboot
to verify files read by loader in a manner equivalent
to how mac_veriexec
Note: disabled by default.
Use is initially expected to be by embedded vendors
Reviewed by: emaste, imp
Sponsored by: Juniper Networks
Differential Revision: D16336
Modified:
head/stand/common/boot.c
head/stand/common/bootstrap.h
head/stand/common/interp_forth.c
head/stand/common/interp_simple.c
head/stand/common/load_elf.c
head/stand/common/load_elf_obj.c
head/stand/common/module.c
head/stand/ficl/Makefile.depend
head/stand/ficl/ficl.h
head/stand/ficl/fileaccess.c
head/stand/ficl32/Makefile.depend
head/stand/i386/loader/Makefile.depend
head/stand/liblua/Makefile
head/stand/liblua/lstd.c
head/stand/libsa/Makefile
head/stand/libsa/Makefile.depend
head/stand/libsa32/Makefile.depend
head/stand/loader.mk
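--- a/head/stand/common/boot.c
+++ b/head/stand/common/boot.c
@@ -106,6 +106,10 @@ command_boot(int argc, char *argv[])
 if (archsw.arch_autoload() != 0)
 return(CMD_ERROR);
+#ifdef LOADER_VERIEXEC
+ verify_pcr_export(); /* for measured boot */
+#endif
+
 /* Call the exec handler from the loader matching the kernel */
 file_formats[fp->f_loader]->l_exec(fp);
 return(CMD_ERROR);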
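--- a/head/stand/common/bootstrap.h
+++ b/head/stand/common/bootstrap.h
@@ -330,6 +330,9 @@ struct arch_switch
 /* Probe ZFS pool(s), if needed. */
 void (*arch_zfs_probe)(void);
+ /* Return the hypervisor name/type or NULL if not virtualized. */
+ const char *(*arch_hypervisor)(void);
+
 /* For kexec-type loaders, get ksegment structure */
 void (*arch_kexec_kseg_get)(int *nseg, void **kseg);
 };
@@ -344,6 +347,10 @@ time_t time(time_t *tloc);
 #ifndef CTASSERT
 #define CTASSERT(x) _Static_assert(x, "compile-time assertion failed")
+#endif
+
+#ifdef LOADER_VERIEXEC
+#include <verify_file.h>
 #endif
 #endif /* !_BOOTSTRAP_H_ */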
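Review bot: The new `arch_hypervisor` member of `struct arch_switch` is not mentioned in the commit log, which only describes veriexec, and its contract (which architectures fill it in, what callers do with a NULL function pointer versus a NULL return) is only the one-line comment. Inserting a member in the middle of the struct also moves `arch_kexec_kseg_get`, so any positional (non-designated) initializer of `struct arch_switch` elsewhere in the tree would now assign the wrong slot; those initializers are outside this diff, so I cannot confirm whether any are positional. Mentioning the hook in the log, or committing it separately, would make the change easier to trace later.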
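--- a/head/stand/common/interp_forth.c
+++ b/head/stand/common/interp_forth.c
@@ -379,6 +379,13 @@ interp_include(const char *filename)
 return(CMD_ERROR);
 }
+#ifdef LOADER_VERIEXEC
+ if (verify_file(fd, filename, 0, VE_GUESS) < 0) {
+ close(fd);
+ sprintf(command_errbuf,"can't verify '%s'", filename);
+ return(CMD_ERROR);
+ }
+#endif
 /*
 * Read the script into memory.
 */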
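Review bot: `sprintf(command_errbuf,"can't verify '%s'", filename)` in the new verify_file() failure branch writes the caller-supplied filename into command_errbuf with no bound, while command_load in module.c (hunk at -141) formats the same buffer with `snprintf(command_errbuf, sizeof(command_errbuf), ...)`. The filename is whatever the caller of interp_include passes, presumably a path typed or scripted at the loader prompt, so a long path can overrun the buffer; `snprintf(command_errbuf, sizeof(command_errbuf), "can't verify '%s'", filename);` keeps the message bounded and matches the rest of the change. The same unbounded sprintf appears in interp_simple.c's interp_include and in module.c's file_loadraw. interp_include starts and ends outside this hunk.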
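--- a/head/stand/common/interp_simple.c
+++ b/head/stand/common/interp_simple.c
@@ -96,6 +96,14 @@ interp_include(const char *filename)
 return(CMD_ERROR);
 }
+#ifdef LOADER_VERIEXEC
+ if (verify_file(fd, filename, 0, VE_GUESS) < 0) {
+ close(fd);
+ sprintf(command_errbuf,"can't verify '%s'", filename);
+ return(CMD_ERROR);
+ }
+#endif
+
 /*
 * Read the script into memory.
 */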
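--- a/head/stand/common/load_elf.c
+++ b/head/stand/common/load_elf.c
@@ -245,6 +245,12 @@ __elfN(load_elf_header)(char *filename, elf_file_t ef)
 goto error;
 }
+#ifdef LOADER_VERIEXEC
+ if (verify_file(ef->fd, filename, bytes_read, VE_MUST) < 0) {
+ err = EAUTH;
+ goto error;
+ }
+#endif
 return (0);
 error: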
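Review bot: The third argument to verify_file() here is `bytes_read`, whereas every other new caller in this commit passes 0, and nothing in the hunk says what the value means; the fd has presumably already been advanced by the header read earlier in the function (outside the hunk). A comment such as `/* header already consumed from ef->fd; tell verify_file how far the offset has moved -- confirm against verify_file() */` would save the next reader a trip into libsecureboot. The same applies to the identical call in load_elf_obj.c's __elfN(obj_loadfile). __elfN(load_elf_header) starts outside this hunk.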
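--- a/head/stand/common/load_elf_obj.c
+++ b/head/stand/common/load_elf_obj.c
@@ -129,6 +129,13 @@ __elfN(obj_loadfile)(char *filename, uint64_t dest,
 goto oerr;
 }
+#ifdef LOADER_VERIEXEC
+ if (verify_file(ef.fd, filename, bytes_read, VE_MUST) < 0) {
+ err = EAUTH;
+ goto oerr;
+ }
+#endif
+
 kfp = file_findfile(NULL, __elfN(obj_kerneltype));
 if (kfp == NULL) {
 printf("elf" __XSTRING(__ELF_WORD_SIZE)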
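--- a/head/stand/common/module.c
+++ b/head/stand/common/module.c
@@ -104,6 +104,8 @@ command_load(int argc, char *argv[])
 {
 struct preloaded_file *fp;
 char *typestr;
+ char *prefix;
+ char *skip;
 int dofile, dokld, ch, error;
 dokld = dofile = 0;
@@ -114,11 +116,18 @@ command_load(int argc, char *argv[])
 command_errmsg = "no filename specified";
 return (CMD_CRIT);
 }
- while ((ch = getopt(argc, argv, "kt:")) != -1) {
+ prefix = skip = NULL;
+ while ((ch = getopt(argc, argv, "kp:s:t:")) != -1) {
 switch(ch) {
 case 'k':
 dokld = 1;
 break;
+ case 'p':
+ prefix = optarg;
+ break;
+ case 's':
+ skip = optarg;
+ break;
 case 't':
 typestr = optarg;
 dofile = 1;
@@ -141,6 +150,12 @@ command_load(int argc, char *argv[])
 return (CMD_CRIT);
 }
+#ifdef LOADER_VERIEXEC
+ if (strncmp(typestr, "manifest", 8) == 0) {
+ return (load_manifest(argv[1], prefix, skip, NULL));
+ }
+#endif
+
 fp = file_findfile(argv[1], typestr);
 if (fp) {
 snprintf(command_errbuf, sizeof(command_errbuf),
@@ -434,6 +449,15 @@ file_loadraw(const char *fname, char *type, int insert
 free(name);
 return(NULL);
 }
+
+#ifdef LOADER_VERIEXEC
+ if (verify_file(fd, name, 0, VE_MUST) < 0) {
+ sprintf(command_errbuf, "can't verify '%s'", name);
+ free(name);
+ close(fd);
+ return(NULL);
+ }
+#endif
 if (archsw.arch_loadaddr != NULL)
 loadaddr = archsw.arch_loadaddr(LOAD_RAW, name, loadaddr);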
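Review bot: `strncmp(typestr, "manifest", 8) == 0` in the -t handling is a prefix test, so any type string that merely begins with "manifest" (e.g. "manifests") is routed to load_manifest() instead of reaching file_findfile() with that literal type; if only the exact type is intended, `strcmp(typestr, "manifest") == 0` says so and drops the hard-coded 8. The new -p and -s values are only consumed by load_manifest(), so a one-line comment on the `prefix`/`skip` declarations noting that they apply to manifest loads alone would help readers of the option parser. command_load's body continues beyond these hunks, and I could not see whether the command's usage text was updated for the new options.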
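--- a/head/stand/ficl/Makefile.depend
+++ b/head/stand/ficl/Makefile.depend
@@ -2,9 +2,7 @@
 # Autogenerated - do NOT edit!
 DIRDEPS = \
- include \
- include/xlocale \
- lib/msun \
+ stand/libsa \
 .include <dirdeps.mk>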
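--- a/head/stand/ficl/ficl.h
+++ b/head/stand/ficl/ficl.h
@@ -1157,6 +1157,10 @@ typedef void ficlCompileFcn(FICL_SYSTEM *);
 DATA_SET(Xficl_compile_set, func)
 SET_DECLARE(Xficl_compile_set, ficlCompileFcn);
+#ifdef LOADER_VERIEXEC
+#include <verify_file.h>
+#endif
+
 #ifdef __cplusplus
 }
 #endif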
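--- a/head/stand/ficl/fileaccess.c
+++ b/head/stand/ficl/fileaccess.c
@@ -67,14 +67,21 @@ static void ficlFopen(FICL_VM *pVM, char *writeMode) /
 if (f == NULL)
 stackPushPtr(pVM->pStack, NULL);
 else
+#ifdef LOADER_VERIEXEC
+ if (*mode == 'r' &&
+ verify_file(fileno(f), filename, 0, VE_GUESS) < 0) {
+ fclose(f);
+ stackPushPtr(pVM->pStack, NULL);
+ } else
+#endif
 {
- ficlFILE *ff = (ficlFILE *)malloc(sizeof(ficlFILE));
- strcpy(ff->filename, filename);
- ff->f = f;
- stackPushPtr(pVM->pStack, ff);
+ ficlFILE *ff = (ficlFILE *)malloc(sizeof(ficlFILE));
+ strcpy(ff->filename, filename);
+ ff->f = f;
+ stackPushPtr(pVM->pStack, ff);
- fseek(f, 0, SEEK_SET);
- }
+ fseek(f, 0, SEEK_SET);
+ }
 pushIor(pVM, f != NULL);
 }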
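Review bot: When verify_file() rejects the file, the new branch calls `fclose(f)` and pushes a NULL file id, but `f` itself stays non-NULL, so the unchanged `pushIor(pVM, f != NULL)` at the end reports the same ior as a successful open even though the file id on the stack is NULL, and `f` is inspected after it has been closed. Setting `f = NULL;` immediately after `fclose(f);` makes the ior agree with the f == NULL path above and removes the stale pointer. The unchecked malloc() and the unbounded strcpy() into ff->filename in the else-block are pre-existing and only re-indented by this change. ficlFopen's head is outside the hunk.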
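--- a/head/stand/ficl32/Makefile.depend
+++ b/head/stand/ficl32/Makefile.depend
@@ -2,9 +2,7 @@
 # Autogenerated - do NOT edit!
 DIRDEPS = \
- include \
- include/xlocale \
- lib/msun \
+ stand/libsa \
 .include <dirdeps.mk>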
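--- a/head/stand/i386/loader/Makefile.depend
+++ b/head/stand/i386/loader/Makefile.depend
@@ -2,15 +2,12 @@
 # Autogenerated - do NOT edit!
 DIRDEPS = \
- include \
- include/xlocale \
- stand/ficl32 \
- stand/geli \
- stand/i386/btx/btx \
- stand/i386/btx/btxldr \
- stand/i386/btx/lib \
- stand/i386/libi386 \
- stand/libsa32 \
+ stand/${MACHINE_CPUARCH}/btx/btx \
+ stand/${MACHINE_CPUARCH}/btx/btxldr \
+ stand/${MACHINE_CPUARCH}/btx/lib \
+ stand/${MACHINE_CPUARCH}/libi386 \
+ stand/ficl \
+ stand/libsa \
 .include <dirdeps.mk>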
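--- a/head/stand/liblua/Makefile
+++ b/head/stand/liblua/Makefile
@@ -35,5 +35,8 @@ CFLAGS+= -I${BOOTSRC}/include -I${LIBLUASRC} -I${LUASR
 .if ${MACHINE_CPUARCH} == "amd64" && ${DO32:U0} == 0
 CFLAGS+= -fPIC
 .endif
+.if ${MK_LOADER_VERIEXEC} == "yes"
+CFLAGS+= -I${SRCTOP}/lib/libsecureboot/h -DLOADER_VERIEXEC
+.endif
 .include <bsd.lib.mk>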
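Review bot: The guard `.if ${MK_LOADER_VERIEXEC} == "yes"` here differs from loader.mk, which tests `!= "no"`, and from libsa/Makefile, which additionally requires `${MK_BEARSSL} == "yes"` before pulling in libbearssl and libsecureboot. With MK_BEARSSL off, or MK_LOADER_VERIEXEC set to anything other than yes/no, loader.mk still defines LOADER_VERIEXEC and the verify_file() calls in stand/common are compiled, but libsa never provides them, which would surface as unresolved symbols at link time rather than as a clear configuration error. Using the same condition in all three files, `.if ${MK_LOADER_VERIEXEC} == "yes" && ${MK_BEARSSL} == "yes"`, or having loader.mk `.error` when veriexec is requested without BearSSL, keeps the build consistent. The `-I${SRCTOP}/lib/libsecureboot/h -DLOADER_VERIEXEC` flags are also duplicated between this file and loader.mk and could live in one place.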
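--- a/head/stand/liblua/lstd.c
+++ b/head/stand/liblua/lstd.c
@@ -31,6 +31,10 @@ __FBSDID("$FreeBSD$");
 #include "lstd.h"
 #include "math.h"
+#ifdef LOADER_VERIEXEC
+#include <verify_file.h>
+#endif
+
 FILE *
 fopen(const char *filename, const char *mode)
 {
@@ -75,6 +79,17 @@ fopen(const char *filename, const char *mode)
 close(fd);
 return (NULL);
 }
+
+#ifdef LOADER_VERIEXEC
+ /* only regular files and only reading makes sense */
+ if (S_ISREG(st.st_mode) && !(m & O_WRONLY)) {
+ if (verify_file(fd, filename, 0, VE_GUESS) < 0) {
+ free(f);
+ close(fd);
+ return (NULL);
+ }
+ }
+#endif
 f->fd = fd;
 f->offset = 0;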
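Review bot: The verify_file() failure path returns NULL from fopen() without setting errno, whereas the failure path just above it (close(fd); return NULL) leaves the failing syscall's errno for the caller; a Lua caller that reports the failure through strerror(errno), as io.open() usually does but which is not visible here, would see a stale or zero errno. `errno = EAUTH;` before the `return (NULL);` reports the rejection explicitly and matches the EAUTH chosen for the same condition in load_elf.c, assuming errno.h is already included in this file. The comment could also note that O_RDWR opens are verified as well, since `!(m & O_WRONLY)` is true for them with the usual open-flag values. fopen's head and tail are outside this hunk.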
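--- a/head/stand/libsa/Makefile
+++ b/head/stand/libsa/Makefile
@@ -164,6 +164,11 @@ SRCS+= explicit_bzero.c crc32_libkern.c
 .include "${SASRC}/geli/Makefile.inc"
 .endif
+.if ${MK_LOADER_VERIEXEC} == "yes" && ${MK_BEARSSL} == "yes"
+.include "${SRCTOP}/lib/libbearssl/Makefile.libsa.inc"
+.include "${SRCTOP}/lib/libsecureboot/Makefile.libsa.inc"
+.endif
+
 # Maybe ZFS
 .if ${MK_LOADER_ZFS} == "yes"
 .include "${SASRC}/zfs/Makefile.inc"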
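--- a/head/stand/libsa/Makefile.depend
+++ b/head/stand/libsa/Makefile.depend
@@ -2,10 +2,6 @@
 # Autogenerated - do NOT edit!
 DIRDEPS = \
- include \
- include/arpa \
- include/xlocale \
- lib/libbz2 \
 .include <dirdeps.mk>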
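--- a/head/stand/libsa32/Makefile.depend
+++ b/head/stand/libsa32/Makefile.depend
@@ -2,10 +2,7 @@
 # Autogenerated - do NOT edit!
 DIRDEPS = \
- include \
- include/arpa \
- include/xlocale \
- lib/libbz2 \
+ stand/libsa \
 .include <dirdeps.mk>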
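--- a/head/stand/loader.mk
+++ b/head/stand/loader.mk
@@ -73,6 +73,10 @@ SRCS+= interp_simple.c
 .error Unknown interpreter ${LOADER_INTERP}
 .endif
+.if ${MK_LOADER_VERIEXEC} != "no"
+CFLAGS+= -DLOADER_VERIEXEC -I${SRCTOP}/lib/libsecureboot/h
+.endif
+
 .if defined(BOOT_PROMPT_123)
 CFLAGS+= -DBOOT_PROMPT_123
 .endif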