Page MenuHomeFreeBSD
Differential D16336

Add calls to verify_file to loader.
ClosedPublic
Actions

Authored by sjg on Jul 19 2018, 12:30 AM.
Tags
None
Referenced Files
F107473661: D16336.id52849.diff
Tue, Jan 14, 4:55 PM
Unknown Object (File)
Fri, Dec 27, 10:44 PM
Unknown Object (File)
Sat, Dec 21, 2:07 AM
Unknown Object (File)
Dec 5 2024, 8:44 PM
Unknown Object (File)
Nov 5 2024, 7:24 PM
Unknown Object (File)
Oct 27 2024, 10:43 AM
Unknown Object (File)
Oct 26 2024, 9:49 PM
Unknown Object (File)
Oct 25 2024, 2:11 PM
View All Files
Subscribers
imp
kd
kevans

Details

Reviewers
imp
cem
Commits
rS344568: Enable veriexec for loader
Summary

The basic idea is that whenever the loader opens a file
it calls verify_file() to verify it.
If that returns < 0, the file should be discarded.
This can obviously cause the boot to fail.

Some parts of the loader like load_elf.c know exactly what they are
dealing with and how important verification is.
load_elf always passes VE_MUST which tells verify_file() that
a matching hash is always required.

Other parts of the loader have no idea what file they are opening
on behalf of loader.rc etc, and these typically pass VE_GUESS
asking verify_file() to decide.

For files like loader.conf, a missing hash can be tollerated so
VE_GUESS maps to VE_TRY, for other files it maps to VE_WANT.
The only difference in behavior from those two depends on how strict
the loader has been told to be, in strict mode (eg for FIPS mode)
VE_WANT is treated as for VE_MUST, otherwise it is treated like VE_TRY.

At no time is a hash error tollerated, all the above only applies to
the case where no hash for a file can be found.

The intergration at this point is aimed to be as simple
as possible.

Further work for example would be to overhaul load_elf.c
to make use of the more efficient api in libve/vectx.c
but that would be an extensive re-work.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

sjg created this revision.Jul 19 2018, 12:30 AM
Herald added a subscriber: imp. · View Herald TranscriptJul 19 2018, 12:30 AM
Harbormaster completed remote builds in B18149: Diff 45506.Jul 19 2018, 12:30 AM
sjg added reviewers: imp, cem.Jul 19 2018, 12:38 AM

Cannot find agc - who I know should be interested

sjg added inline comments.Jul 19 2018, 12:43 AM
stand/defs.mk
155 ↗(On Diff #45506)

Per discussion with imp, this will not be committed (yet)

emaste mentioned this in D16155: Add veriexec to loader.Jul 30 2018, 5:02 PM
sjg mentioned this in D16337: Build options etc for libbearssl and libve.Sep 5 2018, 10:00 PM

Adding xrefs to related reviews

D16337 for build options etc
D16335 for libve
D16334 for libbearssl
kd added a subscriber: kd.Jan 14 2019, 12:59 PM
sjg updated this revision to Diff 52849.Jan 15 2019, 6:16 AM

Update per feedback

Harbormaster completed remote builds in B21965: Diff 52849.Jan 15 2019, 6:16 AM
sjg updated this revision to Diff 52871.Jan 15 2019, 10:23 PM

Update per feedback

Harbormaster completed remote builds in B21976: Diff 52871.Jan 15 2019, 10:23 PM
kd added a child revision: D19093: Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation.Feb 6 2019, 1:30 PM
sjg updated this revision to Diff 53859.Feb 13 2019, 12:05 AM

Hook lua fopen

Harbormaster completed remote builds in B22473: Diff 53859.Feb 13 2019, 12:05 AM
kevans added a subscriber: kevans.Feb 13 2019, 4:39 AM
sjg updated this revision to Diff 53873.Feb 13 2019, 4:14 PM

liblua/Makefile

Harbormaster completed remote builds in B22480: Diff 53873.Feb 13 2019, 4:14 PM
sjg updated this revision to Diff 53875.Feb 13 2019, 5:03 PM

liblua/Makefile -I

Harbormaster completed remote builds in B22482: Diff 53875.Feb 13 2019, 5:03 PM
This revision was not accepted when it landed; it landed in state Needs Review.Feb 26 2019, 6:22 AM
Closed by commit rS344568: Enable veriexec for loader (authored by sjg). · Explain Why
This revision was automatically updated to reflect the committed changes.
sjg mentioned this in rS344568: Enable veriexec for loader.

Revision Contents
Changeset List

PathSize
head/
stand/
common/
4 lines
7 lines
7 lines
8 lines
6 lines
7 lines
26 lines
ficl/
4 lines
4 lines
19 lines
ficl32/
4 lines
i386/
loader/
15 lines
liblua/
3 lines
15 lines
libsa/
5 lines
4 lines
libsa32/
5 lines
4 lines

Diff 54396

View Options

head/stand/common/boot.c

Loading...
View Options

head/stand/common/bootstrap.h

Loading...
View Options

head/stand/common/interp_forth.c

Loading...
View Options

head/stand/common/interp_simple.c

Loading...
View Options

head/stand/common/load_elf.c

Loading...
View Options

head/stand/common/load_elf_obj.c

Loading...
View Options

head/stand/common/module.c

Loading...
View Options

head/stand/ficl/Makefile.depend

Loading...
View Options

head/stand/ficl/ficl.h

Loading...
View Options

head/stand/ficl/fileaccess.c

Loading...
View Options

head/stand/ficl32/Makefile.depend

Loading...
View Options

head/stand/i386/loader/Makefile.depend

Loading...
View Options

head/stand/liblua/Makefile

Loading...
View Options

head/stand/liblua/lstd.c

Loading...
View Options

head/stand/libsa/Makefile

Loading...
View Options

head/stand/libsa/Makefile.depend

Loading...
View Options

head/stand/libsa32/Makefile.depend

Loading...
View Options

head/stand/loader.mk

Loading...