Page MenuHomeFreeBSD

Add calls to verify_file to loader.
ClosedPublic

Authored by sjg on Jul 19 2018, 12:30 AM.

Details

Summary

The basic idea is that whenever the loader opens a file
it calls verify_file() to verify it.
If that returns < 0, the file should be discarded.
This can obviously cause the boot to fail.

Some parts of the loader like load_elf.c know exactly what they are
dealing with and how important verification is.
load_elf always passes VE_MUST which tells verify_file() that
a matching hash is always required.

Other parts of the loader have no idea what file they are opening
on behalf of loader.rc etc, and these typically pass VE_GUESS
asking verify_file() to decide.

For files like loader.conf, a missing hash can be tollerated so
VE_GUESS maps to VE_TRY, for other files it maps to VE_WANT.
The only difference in behavior from those two depends on how strict
the loader has been told to be, in strict mode (eg for FIPS mode)
VE_WANT is treated as for VE_MUST, otherwise it is treated like VE_TRY.

At no time is a hash error tollerated, all the above only applies to
the case where no hash for a file can be found.

The intergration at this point is aimed to be as simple
as possible.

Further work for example would be to overhaul load_elf.c
to make use of the more efficient api in libve/vectx.c
but that would be an extensive re-work.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

sjg created this revision.Jul 19 2018, 12:30 AM
sjg added reviewers: imp, cem.Jul 19 2018, 12:38 AM

Cannot find agc - who I know should be interested

sjg added inline comments.Jul 19 2018, 12:43 AM
stand/defs.mk
155 ↗(On Diff #45506)

Per discussion with imp, this will not be committed (yet)

Adding xrefs to related reviews

D16337 for build options etc
D16335 for libve
D16334 for libbearssl
sjg updated this revision to Diff 52849.Jan 15 2019, 6:16 AM

Update per feedback

sjg updated this revision to Diff 52871.Jan 15 2019, 10:23 PM

Update per feedback

sjg updated this revision to Diff 53859.Feb 13 2019, 12:05 AM

Hook lua fopen

kevans added a subscriber: kevans.Feb 13 2019, 4:39 AM
sjg updated this revision to Diff 53873.Feb 13 2019, 4:14 PM

liblua/Makefile

sjg updated this revision to Diff 53875.Feb 13 2019, 5:03 PM

liblua/Makefile -I

This revision was not accepted when it landed; it landed in state Needs Review.Feb 26 2019, 6:22 AM
Closed by commit rS344568: Enable veriexec for loader (authored by sjg). · Explain Why
This revision was automatically updated to reflect the committed changes.