
Add verifying loader for mac_veriexec
Closed, Public

Authored by sjg on Aug 2 2018, 11:40 PM.

Details

Summary

If manifest signature can be verified, its content
is fed to mac_veriexec.

Options for querying and setting state as well
as testing files for verification status.

Right now this tool supports a couple of mac_veriexec features
which are not yet in FreeBSD.
It also allows for version skew between kernel and
userland.

Some of the resulting ifdef's can hopefully be removed before
commit.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

This depends on D16335
which depends on D16334
and D16337

Adding xrefs to related reviews

D16337 for build options etc
D16335 for libve
D16334 for libbearssl

Renamed libve to libsecureboot

sbin/veriexec/manifest_parser.y
32 ↗(On Diff #52863)

Since libve was renamed to libsecureboot this should be libsecureboot.h

sbin/veriexec/veriexec.c
34 ↗(On Diff #52863)

Since libve was renamed to libsecureboot this should be libsecureboot.h

This revision was not accepted when it landed; it landed in state Needs Review. (Feb 26 2019, 6:17 AM)
This revision was automatically updated to reflect the committed changes.