
Add verifying loader for mac_veriexec
Closed, Public

Authored by sjg on Aug 2 2018, 11:40 PM.

Details

Summary

If the manifest signature can be verified, its content
is fed to mac_veriexec.

Options for querying and setting state as well
as testing files for verification status.

Right now this tool supports a couple of mac_veriexec features
which are not yet in FreeBSD.
It also allows for version skew between kernel and
userland.

Some of the resulting ifdefs can hopefully be removed before
commit.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

sjg created this revision. Aug 2 2018, 11:40 PM
sjg added reviewers: cem, jtl. Aug 2 2018, 11:43 PM

This depends on D16335
which depends on D16334
and D16337

sjg added a comment. Sep 5 2018, 10:03 PM

Adding xrefs to related reviews

D16337 for build options etc
D16335 for libve
D16334 for libbearssl
sjg updated this revision to Diff 52863. Jan 15 2019, 6:23 PM

Renamed libve to libsecureboot

sbin/veriexec/manifest_parser.y
Line 32 (On Diff #52863)

Since libve was renamed to libsecureboot this should be libsecureboot.h

sbin/veriexec/veriexec.c
Line 34 (On Diff #52863)

Since libve was renamed to libsecureboot this should be libsecureboot.h

sjg updated this revision to Diff 53102. Jan 22 2019, 11:51 PM

Use libsecureboot

This revision was not accepted when it landed; it landed in state Needs Review. Feb 26 2019, 6:17 AM
This revision was automatically updated to reflect the committed changes.