Add verifying loader for mac_veriexec
ClosedPublic
Actions

Authored by sjg on Aug 2 2018, 11:40 PM.

Details

Reviewers

cem
jtl

Group Reviewers

manpages

Commits

rS344567: Add verifying manifest loader for mac_veriexec

Summary

If manifest signature can be verified, its content
is fed to mac_veriexec.

Options for querying and setting state as well
as testing files for verification status.

Right now this tool supports a couple of mac_veriexec features
which are not yet in FreeBSD.
It also allows for version skew between kernel and
userland.

Some of the resulting ifdef's can hopefully be removed before
commit.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

sjg created this revision.Aug 2 2018, 11:40 PM

Herald added a reviewer: manpages. · View Herald TranscriptAug 2 2018, 11:40 PM

Herald added a subscriber: imp. · View Herald Transcript

Harbormaster completed remote builds in B18542: Diff 46220.Aug 2 2018, 11:40 PM

This depends on D16335
which depends on D16334
and D16337

Adding xrefs to related reviews

D16337 for build options etc
D16335 for libve
D16334 for libbearssl

sjg mentioned this in D16335: Build libve for loader and sbin/veriexec.Sep 6 2018, 9:01 PM

kd added a subscriber: kd.Jan 15 2019, 9:26 AM

Renamed libve to libsecureboot

Harbormaster completed remote builds in B21971: Diff 52863.Jan 15 2019, 6:23 PM

kd added inline comments.Jan 22 2019, 12:49 PM

sbin/veriexec/manifest_parser.y
32 ↗	(On Diff #52863)	Since libve was renamed to libsecureboot this should be libsecureboot.h
sbin/veriexec/veriexec.c
34 ↗	(On Diff #52863)	Since libve was renamed to libsecureboot this should be libsecureboot.h