Page MenuHomeFreeBSD

veriexec: fix two compat issues in kernel manifest parser

Authored by vangyzen on Jun 30 2021, 2:53 PM.
Referenced Files
F58279059: D30962.diff
Tue, Mar 21, 2:10 PM
Unknown Object (File)
Feb 15 2023, 9:38 PM
Unknown Object (File)
Dec 13 2022, 2:55 PM



The kernel's veriexec manifest parser behaves differently from the
loader's in two ways: It does not honor "no_hash", and it does not
handle compressed entries. The kernel emits "Failed to parse entry"
messages during boot, even though the entry is well formed and works
in the loader. Fix these compatibility issues to silence the

If an entry is marked "no_hash", ignore it, as the loader does.

If the file referenced by an entry doesn't exist, but the same file
name plus a ".gz" extension does exist, ignore the entry. The
loader handles these in a more useful way, but kldload cannot load
compressed kernel modules, so just silence the warning message. If
kldload ever grows support for compressed modules, we will need to
revisit this.

Test Plan

With some files marked as no_hash and some gzipped kernel modules,
the messages from the kernel disappear. Uncompressed modules listed
in the manifest can still be loaded by kldload.

Diff Detail

rS FreeBSD src repository - subversion
Lint Passed
No Test Coverage
Build Status
Buildable 40187
Build 37076: arc lint + arc unit

Event Timeline

This revision is now accepted and ready to land.Jun 30 2021, 3:26 PM

Sorry this does not look like a good idea.
1/ why would you want no_hash for a kernel module?
2/ why would you have a manifest with .ko.gz entries that cannot be loaded?