Page MenuHomeFreeBSD

mac_veriexec: Create kernel module to parse manifest based on envs.

Authored by on Feb 21 2019, 3:05 PM.



The current approach of injecting manifest into mac_veriexec is to verify the integrity of it in userspace(veriexec (8)) and pass its entries into kernel using a char device. (/dev/veriexec)
This requires verifying root partition integrity in loader, for example by using memory disk and checking its hash.
Otherwise if rootfs is compromised an attacker could inject their own data.

This patch introduces an option to parse manifest in kernel based on envs.
The loader sets manifest path and digest.
EVENTHANDLER is used to launch the module right after the rootfs is mounted.
It has to be done this way, since one might want to verify integrity of the init file.
This means that manifest is required to be present on the root partition.
Note that the envs have to be set right before boot to make sure that no one can spoof them.

Diff Detail

rS FreeBSD src repository
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

sjg added a comment.Feb 21 2019, 5:33 PM

First off; The changes to verify_file* should really be in a separate file.
Also this should all be guarded by a knob, since in the absence of verifying loader it introduces a new attack vector.
Thus anyone using this should be doing so very deliberately.

sjg added a reviewer: stevek.Feb 21 2019, 5:46 PM

Moved libsecureboot changes to a new file and added a separate build option for new code in kernel.

emaste added a subscriber: emaste.Feb 26 2019, 7:48 PM edited the summary of this revision. (Show Details)

Updates based on email exchange with @sjg.

  1. Add a build option to the loader to have the functionality that passes a manifest to the kernel disabled by default.
  2. Move the parser to a separate module.
  3. Parse flags from manifest.
sjg accepted this revision.Apr 1 2019, 4:01 PM

Looks better

This revision is now accepted and ready to land.Apr 1 2019, 4:01 PM
This revision was automatically updated to reflect the committed changes.