Date:      Fri, 12 Apr 2019 01:03:00 +0000 (UTC)
From:      "Simon J. Gerraty" <sjg@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r346145 - in stable/12: contrib/bearssl etc/mtree include lib lib/libbearssl lib/libsecureboot lib/libsecureboot/tests sbin sbin/veriexec share/mk stand stand/common stand/ficl stand/fi...
Message-ID:  <201904120103.x3C1302P053933@repo.freebsd.org>

Author: sjg
Date: Fri Apr 12 01:03:00 2019
New Revision: 346145
URL: https://svnweb.freebsd.org/changeset/base/346145

Log:
  Add support for loader veriexec
  
  Also sbin/veriexec for mac_veriexec
  
  MFC r343281,344564-344568,344780,344784,345289,346070

Added:
  stable/12/contrib/bearssl/
     - copied from r344564, head/contrib/bearssl/
  stable/12/lib/libbearssl/
     - copied from r344564, head/lib/libbearssl/
  stable/12/lib/libsecureboot/
     - copied from r344565, head/lib/libsecureboot/
  stable/12/sbin/veriexec/
     - copied from r344567, head/sbin/veriexec/
  stable/12/tools/build/options/WITH_BEARSSL
     - copied unchanged from r344566, head/tools/build/options/WITH_BEARSSL
  stable/12/tools/build/options/WITH_LOADER_VERIEXEC
     - copied unchanged from r344566, head/tools/build/options/WITH_LOADER_VERIEXEC
  stable/12/tools/build/options/WITH_VERIEXEC
     - copied unchanged from r344566, head/tools/build/options/WITH_VERIEXEC
Modified:
  stable/12/etc/mtree/BSD.include.dist
  stable/12/include/Makefile
  stable/12/lib/Makefile
  stable/12/lib/libsecureboot/Makefile.inc
  stable/12/lib/libsecureboot/tests/Makefile
  stable/12/lib/libsecureboot/verify_file.c
  stable/12/sbin/Makefile
  stable/12/share/mk/src.libnames.mk
  stable/12/share/mk/src.opts.mk
  stable/12/stand/common/boot.c
  stable/12/stand/common/bootstrap.h
  stable/12/stand/common/interp_forth.c
  stable/12/stand/common/interp_simple.c
  stable/12/stand/common/load_elf.c
  stable/12/stand/common/load_elf_obj.c
  stable/12/stand/common/module.c
  stable/12/stand/ficl/Makefile.depend
  stable/12/stand/ficl/ficl.h
  stable/12/stand/ficl/fileaccess.c
  stable/12/stand/ficl32/Makefile.depend
  stable/12/stand/i386/loader/Makefile.depend
  stable/12/stand/liblua/Makefile
  stable/12/stand/liblua/lstd.c
  stable/12/stand/libsa/Makefile
  stable/12/stand/libsa/Makefile.depend
  stable/12/stand/libsa32/Makefile.depend
  stable/12/stand/loader.mk
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/etc/mtree/BSD.include.dist
==============================================================================
--- stable/12/etc/mtree/BSD.include.dist	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/etc/mtree/BSD.include.dist	Fri Apr 12 01:03:00 2019	(r346145)
@@ -160,6 +160,8 @@
         ..
         usb
         ..
+        veriexec
+        ..
         vkbd
         ..
         wi
@@ -353,6 +355,8 @@
         mac_mls
         ..
         mac_partition
+        ..
+        mac_veriexec
         ..
     ..
     ssp

Modified: stable/12/include/Makefile
==============================================================================
--- stable/12/include/Makefile	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/include/Makefile	Fri Apr 12 01:03:00 2019	(r346145)
@@ -47,7 +47,7 @@ LSUBDIRS=	cam/ata cam/mmc cam/nvme cam/scsi \
 	dev/hwpmc dev/hyperv \
 	dev/ic dev/iicbus dev/io dev/mfi dev/mmc dev/nvme \
 	dev/ofw dev/pbio dev/pci ${_dev_powermac_nvram} dev/ppbus dev/smbus \
-	dev/speaker dev/tcp_log dev/vkbd dev/wi \
+	dev/speaker dev/tcp_log dev/veriexec dev/vkbd dev/wi \
 	fs/devfs fs/fdescfs fs/msdosfs fs/nandfs fs/nfs fs/nullfs \
 	fs/procfs fs/smbfs fs/udf fs/unionfs \
 	geom/cache geom/concat geom/eli geom/gate geom/journal geom/label \
@@ -60,6 +60,7 @@ LSUBDIRS=	cam/ata cam/mmc cam/nvme cam/scsi \
 	security/audit \
 	security/mac_biba security/mac_bsdextended security/mac_lomac \
 	security/mac_mls security/mac_partition \
+	security/mac_veriexec \
 	sys/disk \
 	ufs/ffs ufs/ufs
 
@@ -157,7 +158,7 @@ copies: .PHONY .META
 		done; \
 	fi
 .endfor
-.for i in ${LDIRS} ${LSUBDIRS:Ndev/agp:Ndev/acpica:Ndev/bktr:Ndev/evdev:Ndev/hyperv:Ndev/nand:Ndev/pci} ${LSUBSUBDIRS}
+.for i in ${LDIRS} ${LSUBDIRS:Ndev/agp:Ndev/acpica:Ndev/bktr:Ndev/evdev:Ndev/hyperv:Ndev/nand:Ndev/pci:Ndev/veriexec} ${LSUBSUBDIRS}
 	cd ${SRCTOP}/sys; \
 	${INSTALL} -C ${TAG_ARGS} -o ${BINOWN} -g ${BINGRP} -m 444 $i/*.h \
 	    ${SDESTDIR}${INCLUDEDIR}/$i
@@ -196,6 +197,9 @@ copies: .PHONY .META
 	cd ${SRCTOP}/sys/dev/pci; \
 	${INSTALL} -C ${TAG_ARGS} -o ${BINOWN} -g ${BINGRP} -m 444 pcireg.h \
 	    ${SDESTDIR}${INCLUDEDIR}/dev/pci
+	cd ${SRCTOP}/sys/dev/veriexec; \
+	${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 veriexec_ioctl.h \
+	    ${SDESTDIR}${INCLUDEDIR}/dev/veriexec
 	cd ${SRCTOP}/sys/fs/cd9660/; \
 	${INSTALL} -C ${TAG_ARGS} -o ${BINOWN} -g ${BINGRP} -m 444 *.h \
 	    ${SDESTDIR}${INCLUDEDIR}/isofs/cd9660
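Review bot: The added install of `veriexec_ioctl.h` in `copies` drops `${TAG_ARGS}`, which every neighbouring `${INSTALL}` line in this target passes, so the header would presumably miss its tag in tagged or METALOG-based installs; the line should read `${INSTALL} -C ${TAG_ARGS} -o ${BINOWN} -g ${BINGRP} -m 444 veriexec_ioctl.h \`. The matching `symlinks` hunk (@@ -311,6 +315,11 @@) has the same gap in another form: it calls `ln -fs` directly where the surrounding loops use `${INSTALL_SYMLINK} ${TAG_ARGS}`. Both recipes begin outside their hunks.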
@@ -264,7 +268,7 @@ symlinks: .PHONY .META
 		${INSTALL_SYMLINK} ${TAG_ARGS} ../../../sys/$i/$$h ${SDESTDIR}${INCLUDEDIR}/$i; \
 	done
 .endfor
-.for i in ${LSUBDIRS:Ndev/agp:Ndev/acpica:Ndev/bktr:Ndev/evdev:Ndev/hyperv:Ndev/nand:Ndev/pci}
+.for i in ${LSUBDIRS:Ndev/agp:Ndev/acpica:Ndev/bktr:Ndev/evdev:Ndev/hyperv:Ndev/nand:Ndev/pci:Ndev/veriexec}
 	cd ${SRCTOP}/sys/$i; \
 	for h in *.h; do \
 		${INSTALL_SYMLINK} ${TAG_ARGS} ../../../../sys/$i/$$h ${SDESTDIR}${INCLUDEDIR}/$i; \
@@ -311,6 +315,11 @@ symlinks: .PHONY .META
 	for h in pcireg.h; do \
 		${INSTALL_SYMLINK} ${TAG_ARGS} ../../../../sys/dev/pci/$$h \
 		    ${SDESTDIR}${INCLUDEDIR}/dev/pci; \
+	done
+	cd ${SRCTOP}/sys/dev/veriexec; \
+	for h in veriexec_ioctl.h; do \
+		ln -fs ../../../../sys/dev/veriexec/$$h \
+		    ${SDESTDIR}${INCLUDEDIR}/dev/veriexec; \
 	done
 .for i in ${LSUBSUBDIRS}
 	cd ${SRCTOP}/sys/$i; \

Modified: stable/12/lib/Makefile
==============================================================================
--- stable/12/lib/Makefile	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/lib/Makefile	Fri Apr 12 01:03:00 2019	(r346145)
@@ -133,6 +133,7 @@ SUBDIR_DEPEND_libpcap= ofed
 # NB: keep these sorted by MK_* knobs
 
 SUBDIR.${MK_ATM}+=	libngatm
+SUBDIR.${MK_BEARSSL}+=	libbearssl libsecureboot
 SUBDIR.${MK_BLACKLIST}+=libblacklist
 SUBDIR.${MK_BLUETOOTH}+=libbluetooth libsdp
 SUBDIR.${MK_BSNMP}+=	libbsnmp
@@ -208,6 +209,7 @@ SUBDIR.${MK_TESTS}+=	tests
 SUBDIR.${MK_UNBOUND}+=	libunbound
 SUBDIR.${MK_USB}+=	libusbhid libusb
 SUBDIR.${MK_OFED}+=	ofed
+SUBDIR.${MK_VERIEXEC}+=	libveriexec
 SUBDIR.${MK_ZFS}+=	libbe
 
 .if !make(install)
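Review bot: `SUBDIR.${MK_VERIEXEC}+= libveriexec` makes lib/ descend into a directory that this commit's "Added" list does not contain (it adds libbearssl, libsecureboot and sbin/veriexec only). If lib/libveriexec is not already on stable/12, a WITH_VERIEXEC build would fail at this entry, and the `LIBVERIEXEC?=` definition added to share/mk/src.libnames.mk would point at a library that is never built. Worth confirming the directory exists on the branch, or merging the revision that adds it together with this change.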

Modified: stable/12/lib/libsecureboot/Makefile.inc
==============================================================================
--- head/lib/libsecureboot/Makefile.inc	Tue Feb 26 06:09:10 2019	(r344565)
+++ stable/12/lib/libsecureboot/Makefile.inc	Fri Apr 12 01:03:00 2019	(r346145)
@@ -92,6 +92,19 @@ VE_HASH_KAT_STR?= vc_PEM
 XCFLAGS.vets+= -DVE_HASH_KAT_STR=${VE_HASH_KAT_STR}
 .endif
 
+# this should be updated occassionally this is 2019-01-01Z
+SOURCE_DATE_EPOCH?= 1546329600
+.if ${MK_REPRODUCIBLE_BUILD} == "yes"
+BUILD_UTC?= ${SOURCE_DATE_EPOCH}
+.endif
+# BUILD_UTC provides a basis for the loader's notion of time
+# By default we use the mtime of BUILD_UTC_FILE
+.if empty(BUILD_UTC_FILE)
+BUILD_UTC_FILE:= ${.PARSEDIR:tA}/${.PARSEFILE}
+.endif
+# you can of course set BUILD_UTC to any value you like
+BUILD_UTC?= ${${STAT:Ustat} -f %m ${BUILD_UTC_FILE}:L:sh}
+
 # Generate ta.h containing one or more PEM encoded trust anchors in ta_PEM.
 #
 # If we are doing self-tests, we define another arrary vc_PEM
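Review bot: The comment on `SOURCE_DATE_EPOCH?= 1546329600` says the value should be updated occasionally but not what goes wrong when it is not, and with `MK_REPRODUCIBLE_BUILD == "yes"` it becomes `BUILD_UTC`, the loader's notion of time. If that time is what signature and certificate validity are checked against (not visible in this hunk), a stale value changes which certificates the loader treats as valid. I would expand the comment to something like `# Floor for the loader's clock in reproducible builds; keep it no older than the newest trust anchor's notBefore (currently 2019-01-01Z).` and fix the typo `occassionally`.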
@@ -110,9 +123,7 @@ ta.h: ${.ALLTARGETS:M[tv]*pem:O:u}
 	( cat ${.ALLSRC:N*crl*:Mv*.pem} /dev/null | \
 	file2c -sx 'static const char vc_PEM[] = {' '};'; echo ) >> ${.TARGET}
 .endif
-.if !empty(BUILD_UTC_FILE)
-	echo '#define BUILD_UTC ${${STAT:Ustat} -f %m ${BUILD_UTC_FILE}:L:sh}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP}
-.endif
+	echo '#define BUILD_UTC ${BUILD_UTC}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP}
 
 # This header records our preference for signature extensions.
 vesigned.o vesigned.po vesigned.pico: vse.h

Modified: stable/12/lib/libsecureboot/tests/Makefile
==============================================================================
--- head/lib/libsecureboot/tests/Makefile	Tue Feb 26 06:09:10 2019	(r344565)
+++ stable/12/lib/libsecureboot/tests/Makefile	Fri Apr 12 01:03:00 2019	(r346145)
@@ -1,5 +1,7 @@
 # $FreeBSD$
 
+.include <src.opts.mk>
+
 PROG= tvo
 
 SRCS+= tvo.c

Modified: stable/12/lib/libsecureboot/verify_file.c
==============================================================================
--- head/lib/libsecureboot/verify_file.c	Tue Feb 26 06:09:10 2019	(r344565)
+++ stable/12/lib/libsecureboot/verify_file.c	Fri Apr 12 01:03:00 2019	(r346145)
@@ -368,7 +368,7 @@ verify_file(int fd, const char *filename, off_t off, i
 			return (rc);
 		}
 
-		if (severity || verbose)
+		if (severity || verbose || rc == VE_FINGERPRINT_WRONG)
 			printf("Unverified: %s\n", ve_error_get());
 		if (rc == VE_FINGERPRINT_UNKNOWN && severity < VE_MUST)
 			rc = VE_UNVERIFIED_OK;

Modified: stable/12/sbin/Makefile
==============================================================================
--- stable/12/sbin/Makefile	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/sbin/Makefile	Fri Apr 12 01:03:00 2019	(r346145)
@@ -86,6 +86,7 @@ SUBDIR.${MK_PF}+=	pfctl
 SUBDIR.${MK_PF}+=	pflogd
 SUBDIR.${MK_QUOTAS}+=	quotacheck
 SUBDIR.${MK_ROUTED}+=	routed
+SUBDIR.${MK_VERIEXEC}+=	veriexec
 SUBDIR.${MK_ZFS}+=	bectl
 SUBDIR.${MK_ZFS}+=	zfsbootcfg
 

Modified: stable/12/share/mk/src.libnames.mk
==============================================================================
--- stable/12/share/mk/src.libnames.mk	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/share/mk/src.libnames.mk	Fri Apr 12 01:03:00 2019	(r346145)
@@ -209,6 +209,21 @@ _LIBRARIES+= \
 		osmvendor
 .endif
 
+.if ${MK_BEARSSL} == "yes"
+_INTERNALLIBS+= \
+		bearssl \
+		secureboot \
+
+LIBBEARSSL?=	${LIBBEARSSLDIR}/libbearssl${PIE_SUFFIX}.a
+LIBSECUREBOOT?=	${LIBSECUREBOOTDIR}/libsecureboot${PIE_SUFFIX}.a
+.endif
+
+.if ${MK_VERIEXEC} == "yes"
+_INTERNALLIBS+= veriexec
+
+LIBVERIEXEC?=	${LIBVERIEXECDIR}/libveriexec${PIE_SUFFIX}.a
+.endif
+
 # Each library's LIBADD needs to be duplicated here for static linkage of
 # 2nd+ order consumers.  Auto-generating this would be better.
 _DP_80211=	sbuf bsdxml

Modified: stable/12/share/mk/src.opts.mk
==============================================================================
--- stable/12/share/mk/src.opts.mk	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/share/mk/src.opts.mk	Fri Apr 12 01:03:00 2019	(r346145)
@@ -191,6 +191,7 @@ __DEFAULT_YES_OPTIONS = \
     ZONEINFO
 
 __DEFAULT_NO_OPTIONS = \
+    BEARSSL \
     BSD_GREP \
     CLANG_EXTRAS \
     DTRACE_TESTS \
@@ -214,6 +215,8 @@ __DEFAULT_NO_OPTIONS = \
 __DEFAULT_DEPENDENT_OPTIONS= \
 	CLANG_FULL/CLANG \
 	LLVM_TARGET_ALL/CLANG \
+	LOADER_VERIEXEC/BEARSSL \
+	VERIEXEC/BEARSSL \
 
 # MK_*_SUPPORT options which default to "yes" unless their corresponding
 # MK_* variable is set to "no".

Modified: stable/12/stand/common/boot.c
==============================================================================
--- stable/12/stand/common/boot.c	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/common/boot.c	Fri Apr 12 01:03:00 2019	(r346145)
@@ -106,6 +106,10 @@ command_boot(int argc, char *argv[])
 	if (archsw.arch_autoload() != 0)
 		return(CMD_ERROR);
 
+#ifdef LOADER_VERIEXEC
+	verify_pcr_export();		/* for measured boot */
+#endif
+
 	/* Call the exec handler from the loader matching the kernel */
 	file_formats[fp->f_loader]->l_exec(fp);
 	return(CMD_ERROR);

Modified: stable/12/stand/common/bootstrap.h
==============================================================================
--- stable/12/stand/common/bootstrap.h	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/common/bootstrap.h	Fri Apr 12 01:03:00 2019	(r346145)
@@ -330,6 +330,9 @@ struct arch_switch
     /* Probe ZFS pool(s), if needed. */
     void	(*arch_zfs_probe)(void);
 
+    /* Return the hypervisor name/type or NULL if not virtualized. */
+    const char *(*arch_hypervisor)(void);
+
     /* For kexec-type loaders, get ksegment structure */
     void	(*arch_kexec_kseg_get)(int *nseg, void **kseg);
 };
@@ -344,6 +347,10 @@ time_t	time(time_t *tloc);
 
 #ifndef CTASSERT
 #define	CTASSERT(x)	_Static_assert(x, "compile-time assertion failed")
+#endif
+
+#ifdef LOADER_VERIEXEC
+#include <verify_file.h>
 #endif
 
 #endif /* !_BOOTSTRAP_H_ */

Modified: stable/12/stand/common/interp_forth.c
==============================================================================
--- stable/12/stand/common/interp_forth.c	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/common/interp_forth.c	Fri Apr 12 01:03:00 2019	(r346145)
@@ -282,6 +282,12 @@ bf_init(void)
 
 	/* try to load and run init file if present */
 	if ((fd = open("/boot/boot.4th", O_RDONLY)) != -1) {
+#ifdef LOADER_VERIEXEC
+		if (verify_file(fd, "/boot/boot.4th", 0, VE_GUESS) < 0) {
+			close(fd);
+			return;
+		}
+#endif
 		(void)ficlExecFD(bf_vm, fd);
 		close(fd);
 	}
@@ -378,6 +384,13 @@ interp_include(const char *filename)
 		return(CMD_ERROR);
 	}
 
+#ifdef LOADER_VERIEXEC
+	if (verify_file(fd, filename, 0, VE_GUESS) < 0) {
+		close(fd);
+		sprintf(command_errbuf,"can't verify '%s'", filename);
+		return(CMD_ERROR);
+	}
+#endif
 	/*
 	 * Read the script into memory.
 	 */
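Review bot: The new error path in interp_include formats `filename` into `command_errbuf` with an unbounded `sprintf`, so an over-long path given to `include` can write past the end of the buffer; use `snprintf(command_errbuf, sizeof(command_errbuf), "can't verify '%s'", filename);`, the form command_load in stand/common/module.c already uses for its own message. The same `sprintf` appears in the interp_include hunk of stand/common/interp_simple.c and in the file_loadraw hunk of stand/common/module.c. interp_include's body continues outside this hunk.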

Modified: stable/12/stand/common/interp_simple.c
==============================================================================
--- stable/12/stand/common/interp_simple.c	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/common/interp_simple.c	Fri Apr 12 01:03:00 2019	(r346145)
@@ -96,6 +96,14 @@ interp_include(const char *filename)
 		return(CMD_ERROR);
 	}
 
+#ifdef LOADER_VERIEXEC
+	if (verify_file(fd, filename, 0, VE_GUESS) < 0) {
+		close(fd);
+		sprintf(command_errbuf,"can't verify '%s'", filename);
+		return(CMD_ERROR);
+	}
+#endif
+
 	/*
 	 * Read the script into memory.
 	 */

Modified: stable/12/stand/common/load_elf.c
==============================================================================
--- stable/12/stand/common/load_elf.c	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/common/load_elf.c	Fri Apr 12 01:03:00 2019	(r346145)
@@ -245,6 +245,12 @@ __elfN(load_elf_header)(char *filename, elf_file_t ef)
 		goto error;
 	}
 
+#ifdef LOADER_VERIEXEC
+	if (verify_file(ef->fd, filename, bytes_read, VE_MUST) < 0) {
+	    err = EAUTH;
+	    goto error;
+	}
+#endif
 	return (0);
 
 error:

Modified: stable/12/stand/common/load_elf_obj.c
==============================================================================
--- stable/12/stand/common/load_elf_obj.c	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/common/load_elf_obj.c	Fri Apr 12 01:03:00 2019	(r346145)
@@ -129,6 +129,13 @@ __elfN(obj_loadfile)(char *filename, uint64_t dest,
 		goto oerr;
 	}
 
+#ifdef LOADER_VERIEXEC
+	if (verify_file(ef.fd, filename, bytes_read, VE_MUST) < 0) {
+	    err = EAUTH;
+	    goto oerr;
+	}
+#endif
+
 	kfp = file_findfile(NULL, __elfN(obj_kerneltype));
 	if (kfp == NULL) {
 		printf("elf" __XSTRING(__ELF_WORD_SIZE)

Modified: stable/12/stand/common/module.c
==============================================================================
--- stable/12/stand/common/module.c	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/common/module.c	Fri Apr 12 01:03:00 2019	(r346145)
@@ -104,9 +104,11 @@ command_load(int argc, char *argv[])
 {
     struct preloaded_file *fp;
     char	*typestr;
-    int		dofile, dokld, ch, error;
+    char	*prefix;
+    char	*skip;
+    int		dflag, dofile, dokld, ch, error;
 
-    dokld = dofile = 0;
+    dflag = dokld = dofile = 0;
     optind = 1;
     optreset = 1;
     typestr = NULL;
@@ -114,11 +116,21 @@ command_load(int argc, char *argv[])
 	command_errmsg = "no filename specified";
 	return (CMD_CRIT);
     }
-    while ((ch = getopt(argc, argv, "kt:")) != -1) {
+    prefix = skip = NULL;
+    while ((ch = getopt(argc, argv, "dkp:s:t:")) != -1) {
 	switch(ch) {
+	case 'd':
+	    dflag++;
+	    break;
 	case 'k':
 	    dokld = 1;
 	    break;
+	case 'p':
+	    prefix = optarg;
+	    break;
+	case 's':
+	    skip = optarg;
+	    break;
 	case 't':
 	    typestr = optarg;
 	    dofile = 1;
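Review bot: The option string `"dkp:s:t:"` is extended unconditionally, but in the visible hunks `dflag`, `prefix` and `skip` are only read inside the `#ifdef LOADER_VERIEXEC` block further down, so a loader built without that option accepts `-d`, `-p` and `-s` and silently ignores them. Consider guarding the new cases and option letters with the same `#ifdef`, or at least adding a comment above the `getopt` loop stating that these three flags only affect `-t manifest`. command_load starts and ends outside this hunk.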
@@ -141,6 +153,14 @@ command_load(int argc, char *argv[])
 	    return (CMD_CRIT);
 	}
 
+#ifdef LOADER_VERIEXEC
+	if (strncmp(typestr, "manifest", 8) == 0) {
+	    if (dflag > 0)
+		ve_debug_set(dflag);
+	    return (load_manifest(argv[1], prefix, skip, NULL));
+	}
+#endif
+
 	fp = file_findfile(argv[1], typestr);
 	if (fp) {
 		snprintf(command_errbuf, sizeof(command_errbuf),
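Review bot: `strncmp(typestr, "manifest", 8) == 0` compares only the first eight characters, so any type string that merely begins with `manifest` is routed to `load_manifest()` instead of the normal file path. If only the exact type is meant, `if (strcmp(typestr, "manifest") == 0) {` states that; if the prefix match is deliberate, a one-line comment saying so would save the next reader the question. The enclosing block of command_load begins before this hunk.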
@@ -434,6 +454,15 @@ file_loadraw(const char *fname, char *type, int insert
 	free(name);
 	return(NULL);
     }
+
+#ifdef LOADER_VERIEXEC
+    if (verify_file(fd, name, 0, VE_MUST) < 0) {
+	sprintf(command_errbuf, "can't verify '%s'", name);
+	free(name);
+	close(fd);
+	return(NULL);
+    }
+#endif
 
     if (archsw.arch_loadaddr != NULL)
 	loadaddr = archsw.arch_loadaddr(LOAD_RAW, name, loadaddr);

Modified: stable/12/stand/ficl/Makefile.depend
==============================================================================
--- stable/12/stand/ficl/Makefile.depend	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/ficl/Makefile.depend	Fri Apr 12 01:03:00 2019	(r346145)
@@ -2,9 +2,7 @@
 # Autogenerated - do NOT edit!
 
 DIRDEPS = \
-	include \
-	include/xlocale \
-	lib/msun \
+	stand/libsa \
 
 
 .include <dirdeps.mk>

Modified: stable/12/stand/ficl/ficl.h
==============================================================================
--- stable/12/stand/ficl/ficl.h	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/ficl/ficl.h	Fri Apr 12 01:03:00 2019	(r346145)
@@ -1157,6 +1157,10 @@ typedef void ficlCompileFcn(FICL_SYSTEM *);
 	DATA_SET(Xficl_compile_set, func)
 SET_DECLARE(Xficl_compile_set, ficlCompileFcn);
 
+#ifdef LOADER_VERIEXEC
+#include <verify_file.h>
+#endif
+
 #ifdef __cplusplus
 }
 #endif

Modified: stable/12/stand/ficl/fileaccess.c
==============================================================================
--- stable/12/stand/ficl/fileaccess.c	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/ficl/fileaccess.c	Fri Apr 12 01:03:00 2019	(r346145)
@@ -67,14 +67,21 @@ static void ficlFopen(FICL_VM *pVM, char *writeMode) /
     if (f == NULL)
         stackPushPtr(pVM->pStack, NULL);
     else
+#ifdef LOADER_VERIEXEC
+	if (*mode == 'r' &&
+	    verify_file(fileno(f), filename, 0, VE_GUESS) < 0) {
+	    fclose(f);
+	    stackPushPtr(pVM->pStack, NULL);
+	} else
+#endif
         {
-        ficlFILE *ff = (ficlFILE *)malloc(sizeof(ficlFILE));
-        strcpy(ff->filename, filename);
-        ff->f = f;
-        stackPushPtr(pVM->pStack, ff);
+	    ficlFILE *ff = (ficlFILE *)malloc(sizeof(ficlFILE));
+	    strcpy(ff->filename, filename);
+	    ff->f = f;
+	    stackPushPtr(pVM->pStack, ff);
 
-        fseek(f, 0, SEEK_SET);
-        }
+	    fseek(f, 0, SEEK_SET);
+	}
     pushIor(pVM, f != NULL);
 }
 
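Review bot: When `verify_file()` rejects the file, the new branch closes `f` and pushes a NULL file pointer, but `f` itself stays non-NULL, so the unchanged `pushIor(pVM, f != NULL)` at the end still signals success, going by how the `f == NULL` branch pairs with that argument. Forth code that checks the ior rather than the pointer would then carry on with a NULL fileid. Adding `f = NULL;` right after `fclose(f);` makes the two results agree. ficlFopen starts outside this hunk.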

Modified: stable/12/stand/ficl32/Makefile.depend
==============================================================================
--- stable/12/stand/ficl32/Makefile.depend	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/ficl32/Makefile.depend	Fri Apr 12 01:03:00 2019	(r346145)
@@ -2,9 +2,7 @@
 # Autogenerated - do NOT edit!
 
 DIRDEPS = \
-	include \
-	include/xlocale \
-	lib/msun \
+	stand/libsa \
 
 
 .include <dirdeps.mk>

Modified: stable/12/stand/i386/loader/Makefile.depend
==============================================================================
--- stable/12/stand/i386/loader/Makefile.depend	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/i386/loader/Makefile.depend	Fri Apr 12 01:03:00 2019	(r346145)
@@ -2,15 +2,12 @@
 # Autogenerated - do NOT edit!
 
 DIRDEPS = \
-	include \
-	include/xlocale \
-	stand/ficl32 \
-	stand/geli \
-	stand/i386/btx/btx \
-	stand/i386/btx/btxldr \
-	stand/i386/btx/lib \
-	stand/i386/libi386 \
-	stand/libsa32 \
+	stand/${MACHINE_CPUARCH}/btx/btx \
+	stand/${MACHINE_CPUARCH}/btx/btxldr \
+	stand/${MACHINE_CPUARCH}/btx/lib \
+	stand/${MACHINE_CPUARCH}/libi386 \
+	stand/ficl \
+	stand/libsa \
 
 
 .include <dirdeps.mk>

Modified: stable/12/stand/liblua/Makefile
==============================================================================
--- stable/12/stand/liblua/Makefile	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/liblua/Makefile	Fri Apr 12 01:03:00 2019	(r346145)
@@ -35,5 +35,8 @@ CFLAGS+= -I${BOOTSRC}/include -I${LIBLUASRC} -I${LUASR
 .if ${MACHINE_CPUARCH} == "amd64" && ${DO32:U0} == 0
 CFLAGS+=	-fPIC
 .endif
+.if ${MK_LOADER_VERIEXEC} == "yes"
+CFLAGS+= -I${SRCTOP}/lib/libsecureboot/h -DLOADER_VERIEXEC
+.endif
 
 .include <bsd.lib.mk>

Modified: stable/12/stand/liblua/lstd.c
==============================================================================
--- stable/12/stand/liblua/lstd.c	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/liblua/lstd.c	Fri Apr 12 01:03:00 2019	(r346145)
@@ -31,6 +31,10 @@ __FBSDID("$FreeBSD$");
 #include "lstd.h"
 #include "math.h"
 
+#ifdef LOADER_VERIEXEC
+#include <verify_file.h>
+#endif
+
 FILE *
 fopen(const char *filename, const char *mode)
 {
@@ -75,6 +79,17 @@ fopen(const char *filename, const char *mode)
 		close(fd);
 		return (NULL);
 	}
+
+#ifdef LOADER_VERIEXEC
+	/* only regular files and only reading makes sense */
+	if (S_ISREG(st.st_mode) && !(m & O_WRONLY)) {
+		if (verify_file(fd, filename, 0, VE_GUESS) < 0) {
+			free(f);
+			close(fd);
+			return (NULL);
+		}
+	}
+#endif
 
 	f->fd = fd;
 	f->offset = 0;

Modified: stable/12/stand/libsa/Makefile
==============================================================================
--- stable/12/stand/libsa/Makefile	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/libsa/Makefile	Fri Apr 12 01:03:00 2019	(r346145)
@@ -164,6 +164,11 @@ SRCS+=  explicit_bzero.c
 .include "${SASRC}/geli/Makefile.inc"
 .endif
 
+.if ${MK_LOADER_VERIEXEC} == "yes" && ${MK_BEARSSL} == "yes"
+.include "${SRCTOP}/lib/libbearssl/Makefile.libsa.inc"
+.include "${SRCTOP}/lib/libsecureboot/Makefile.libsa.inc"
+.endif
+
 # Maybe ZFS
 .if ${MK_LOADER_ZFS} == "yes"
 .include "${SASRC}/zfs/Makefile.inc"

Modified: stable/12/stand/libsa/Makefile.depend
==============================================================================
--- stable/12/stand/libsa/Makefile.depend	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/libsa/Makefile.depend	Fri Apr 12 01:03:00 2019	(r346145)
@@ -2,10 +2,6 @@
 # Autogenerated - do NOT edit!
 
 DIRDEPS = \
-	include \
-	include/arpa \
-	include/xlocale \
-	lib/libbz2 \
 
 
 .include <dirdeps.mk>

Modified: stable/12/stand/libsa32/Makefile.depend
==============================================================================
--- stable/12/stand/libsa32/Makefile.depend	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/libsa32/Makefile.depend	Fri Apr 12 01:03:00 2019	(r346145)
@@ -2,10 +2,7 @@
 # Autogenerated - do NOT edit!
 
 DIRDEPS = \
-	include \
-	include/arpa \
-	include/xlocale \
-	lib/libbz2 \
+	stand/libsa \
 
 
 .include <dirdeps.mk>

Modified: stable/12/stand/loader.mk
==============================================================================
--- stable/12/stand/loader.mk	Fri Apr 12 00:53:30 2019	(r346144)
+++ stable/12/stand/loader.mk	Fri Apr 12 01:03:00 2019	(r346145)
@@ -73,6 +73,10 @@ SRCS+=	interp_simple.c
 .error Unknown interpreter ${LOADER_INTERP}
 .endif
 
+.if ${MK_LOADER_VERIEXEC} != "no"
+CFLAGS+= -DLOADER_VERIEXEC -I${SRCTOP}/lib/libsecureboot/h
+.endif
+
 .if defined(BOOT_PROMPT_123)
 CFLAGS+=	-DBOOT_PROMPT_123
 .endif
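Review bot: This guard defines `-DLOADER_VERIEXEC` whenever `MK_LOADER_VERIEXEC` is not "no", while stand/libsa/Makefile in the same commit only pulls in the libbearssl and libsecureboot sources when `MK_BEARSSL` is also "yes", and stand/liblua/Makefile tests `== "yes"`. If the `LOADER_VERIEXEC/BEARSSL` entry in src.opts.mk only sets a default, a build with WITH_LOADER_VERIEXEC and WITHOUT_BEARSSL would compile the verify_file() calls without the code behind them. Using one condition everywhere, `.if ${MK_LOADER_VERIEXEC} == "yes" && ${MK_BEARSSL} == "yes"`, or an `.error` for the unsupported combination, would make that fail early and clearly.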

Copied: stable/12/tools/build/options/WITH_BEARSSL (from r344566, head/tools/build/options/WITH_BEARSSL)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/12/tools/build/options/WITH_BEARSSL	Fri Apr 12 01:03:00 2019	(r346145, copy of r344566, head/tools/build/options/WITH_BEARSSL)
@@ -0,0 +1,11 @@
+.\" $FreeBSD$
+Build the BearSSL library.
+.Pp
+BearSSL is a tiny SSL library suitable for embedded environments.
+For details see
+.Lk http://www.BearSSL.org/
+.Pp
+This library is currently only used to perform
+signature verification and related operations
+for Verified Exec and
+.Xr loader 8 .

Copied: stable/12/tools/build/options/WITH_LOADER_VERIEXEC (from r344566, head/tools/build/options/WITH_LOADER_VERIEXEC)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/12/tools/build/options/WITH_LOADER_VERIEXEC	Fri Apr 12 01:03:00 2019	(r346145, copy of r344566, head/tools/build/options/WITH_LOADER_VERIEXEC)
@@ -0,0 +1,7 @@
+.\" $FreeBSD$
+Enable building
+.Xr loader 8
+with support for verifcation similar to Verified Exec.
+.Pp
+It depends on
+.Va WITH_BEARSSL

Copied: stable/12/tools/build/options/WITH_VERIEXEC (from r344566, head/tools/build/options/WITH_VERIEXEC)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/12/tools/build/options/WITH_VERIEXEC	Fri Apr 12 01:03:00 2019	(r346145, copy of r344566, head/tools/build/options/WITH_VERIEXEC)
@@ -0,0 +1,9 @@
+.\" $FreeBSD$
+Enable building
+.Xr veriexec 8
+which loads the contents of verified manifests into the kernel
+for use by
+.Xr mac_veriexec 4
+.Pp
+It depends on
+.Va WITH_BEARSSL


