
Add calls to verify_file to loader.

Authored by sjg on Jul 19 2018, 12:30 AM.



The basic idea is that whenever the loader opens a file
it calls verify_file() to verify it.
If that returns < 0, the file should be discarded.
This can obviously cause the boot to fail.

Some parts of the loader like load_elf.c know exactly what they are
dealing with and how important verification is.
load_elf always passes VE_MUST which tells verify_file() that
a matching hash is always required.

Other parts of the loader have no idea what file they are opening
on behalf of loader.rc etc, and these typically pass VE_GUESS
asking verify_file() to decide.

For files like loader.conf, a missing hash can be tolerated, so
VE_GUESS maps to VE_TRY; for other files it maps to VE_WANT.
The only difference in behavior between those two depends on how strict
the loader has been told to be: in strict mode (e.g. for FIPS mode)
VE_WANT is treated as VE_MUST, otherwise it is treated like VE_TRY.

At no time is a hash error tolerated; all the above only applies to
the case where no hash for a file can be found.

The integration at this point is aimed to be as simple
as possible.

Further work for example would be to overhaul load_elf.c
to make use of the more efficient api in libve/vectx.c
but that would be an extensive re-work.
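The following is an added toy model of the verify_file() policy described in the summary above; it is not FreeBSD's libve code, and the manifest, file names, hashes and the `verify_file_model` name are constructed assumptions for illustration.

```c
/* Toy model of the loader's verify_file() decision logic (added example,
 * not FreeBSD's libve). Manifest contents and hashes are constructed. */
#include <string.h>

enum ve_flags { VE_GUESS = 0, VE_TRY = 1, VE_WANT = 2, VE_MUST = 3 };

/* Constructed manifest: expected hashes for a few loader files. */
struct manifest_entry { const char *path; const char *hash; };
static const struct manifest_entry manifest[] = {
    { "/boot/kernel/kernel", "deadbeef" },   /* constructed value */
    { "/boot/loader.conf",   "cafef00d" },   /* constructed value */
};

static const char *manifest_lookup(const char *path) {
    for (size_t i = 0; i < sizeof manifest / sizeof manifest[0]; i++)
        if (strcmp(manifest[i].path, path) == 0)
            return manifest[i].hash;
    return NULL;   /* no hash known for this file */
}

/* VE_GUESS: the caller does not know what it is opening. loader.conf-like
 * files tolerate a missing hash (VE_TRY); everything else gets VE_WANT. */
static int resolve_guess(const char *path) {
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    return strncmp(base, "loader.conf", 11) == 0 ? VE_TRY : VE_WANT;
}

/* Returns 0 if the file may be used, -1 if it must be discarded.
 * actual_hash is the hash computed over the opened file (NULL = none).
 * strict models the FIPS-style mode in which VE_WANT behaves as VE_MUST. */
int verify_file_model(const char *path, const char *actual_hash,
                      int flags, int strict) {
    const char *expected = manifest_lookup(path);
    if (flags == VE_GUESS)
        flags = resolve_guess(path);
    if (flags == VE_WANT)
        flags = strict ? VE_MUST : VE_TRY;
    if (expected == NULL)   /* missing hash: only VE_MUST rejects it */
        return flags == VE_MUST ? -1 : 0;
    /* A hash is known: a mismatch is never tolerated, whatever the flag. */
    return (actual_hash != NULL && strcmp(expected, actual_hash) == 0) ? 0 : -1;
}
```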

Diff Detail

rS FreeBSD src repository - subversion

Event Timeline

Cannot find agc - who I know should be interested

Line 155 (On Diff #45506)

Per discussion with imp, this will not be committed (yet)

Adding xrefs to related reviews

D16337 for build options etc
D16335 for libve
D16334 for libbearssl
This revision was not accepted when it landed; it landed in state Needs Review. Feb 26 2019, 6:22 AM
Closed by commit rS344568: Enable veriexec for loader (authored by sjg).
This revision was automatically updated to reflect the committed changes.