Page MenuHomeFreeBSD

veriexec: fix two compat issues in kernel manifest parser
AcceptedPublic

Authored by vangyzen on Jun 30 2021, 2:53 PM.

Details

Reviewers
stevek
sjg
dab
Summary

The kernel's veriexec manifest parser behaves differently from the
loader's in two ways: It does not honor "no_hash", and it does not
handle compressed entries. The kernel emits "Failed to parse entry"
messages during boot, even though the entry is well formed and works
in the loader. Fix these compatibility issues to silence the
messages.

If an entry is marked "no_hash", ignore it, as the loader does.

If the file referenced by an entry doesn't exist, but the same file
name plus a ".gz" extension does exist, ignore the entry. The
loader handles these in a more useful way, but kldload cannot load
compressed kernel modules, so just silence the warning message. If
kldload ever grows support for compressed modules, we will need to
revisit this.

Test Plan

With some files marked as no_hash and some gzipped kernel modules,
the messages from the kernel disappear. Uncompressed modules listed
in the manifest can still be loaded by kldload.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 40187
Build 37076: arc lint + arc unit

Event Timeline

This revision is now accepted and ready to land.Jun 30 2021, 3:26 PM

Sorry this does not look like a good idea.
1/ why would you want no_hash for a kernel module?
2/ why would you have a manifest with .ko.gz entries that cannot be loaded?