D16336.id53859.diff
Index: stand/common/boot.c
===================================================================
--- stand/common/boot.c
+++ stand/common/boot.c
@@ -106,6 +106,10 @@
if (archsw.arch_autoload() != 0)
return(CMD_ERROR);
+#ifdef LOADER_VERIEXEC
+ verify_pcr_export(); /* for measured boot */
+#endif
+
/* Call the exec handler from the loader matching the kernel */
file_formats[fp->f_loader]->l_exec(fp);
return(CMD_ERROR);
Index: stand/common/bootstrap.h
===================================================================
--- stand/common/bootstrap.h
+++ stand/common/bootstrap.h
@@ -330,6 +330,9 @@
/* Probe ZFS pool(s), if needed. */
void (*arch_zfs_probe)(void);
+ /* Return the hypervisor name/type or NULL if not virtualized. */
+ const char *(*arch_hypervisor)(void);
+
/* For kexec-type loaders, get ksegment structure */
void (*arch_kexec_kseg_get)(int *nseg, void **kseg);
};
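Review bot: The comment on the new `arch_hypervisor` member does not say whether the pointer itself may be left unset, and nothing in this diff assigns it. Other optional archsw hooks are NULL-checked before use (the module.c context shows `if (archsw.arch_loadaddr != NULL)`), so the same contract should be stated here: `/* Optional, may be NULL. Returns the hypervisor name/type, or NULL if not virtualized. */`. If the returned string is meant to be owned by the callee, the comment should say that too.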
@@ -346,4 +349,8 @@
#define CTASSERT(x) _Static_assert(x, "compile-time assertion failed")
#endif
+#ifdef LOADER_VERIEXEC
+#include <verify_file.h>
+#endif
+
#endif /* !_BOOTSTRAP_H_ */
Index: stand/common/interp_forth.c
===================================================================
--- stand/common/interp_forth.c
+++ stand/common/interp_forth.c
@@ -379,6 +379,13 @@
return(CMD_ERROR);
}
+#ifdef LOADER_VERIEXEC
+ if (verify_file(fd, filename, 0, VE_GUESS) < 0) {
+ close(fd);
+ sprintf(command_errbuf,"can't verify '%s'", filename);
+ return(CMD_ERROR);
+ }
+#endif
/*
* Read the script into memory.
*/
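Review bot: The new error path formats `filename` into `command_errbuf` with an unbounded `sprintf`, so a long script path can write past the end of the buffer. The context lines in stand/common/module.c already use the bounded form, and this should match it: `snprintf(command_errbuf, sizeof(command_errbuf), "can't verify '%s'", filename);`. The same `sprintf` appears in the interp_simple.c hunk and in the `@@ -435,6 +450,15 @@` hunk of module.c. The enclosing function starts and ends outside this hunk.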
Index: stand/common/interp_simple.c
===================================================================
--- stand/common/interp_simple.c
+++ stand/common/interp_simple.c
@@ -96,6 +96,14 @@
return(CMD_ERROR);
}
+#ifdef LOADER_VERIEXEC
+ if (verify_file(fd, filename, 0, VE_GUESS) < 0) {
+ close(fd);
+ sprintf(command_errbuf,"can't verify '%s'", filename);
+ return(CMD_ERROR);
+ }
+#endif
+
/*
* Read the script into memory.
*/
Index: stand/common/load_elf.c
===================================================================
--- stand/common/load_elf.c
+++ stand/common/load_elf.c
@@ -245,6 +245,12 @@
goto error;
}
+#ifdef LOADER_VERIEXEC
+ if (verify_file(ef->fd, filename, bytes_read, VE_MUST) < 0) {
+ err = EAUTH;
+ goto error;
+ }
+#endif
return (0);
error:
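Review bot: The `VE_MUST` check sits immediately before `return (0)` and is passed `bytes_read`, so whatever header reading and parsing the function does above this hunk appears to run on bytes that have not been verified yet. If that ordering is deliberate, a comment should record the constraint, e.g. `/* header above was parsed unverified; nothing derived from it may be acted on until verify_file() succeeds */`; otherwise the call belongs directly after the open. The load_elf_obj.c hunk uses the same placement. The function body starts outside the hunk, so this is inferred from the visible tail only.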
Index: stand/common/load_elf_obj.c
===================================================================
--- stand/common/load_elf_obj.c
+++ stand/common/load_elf_obj.c
@@ -129,6 +129,13 @@
goto oerr;
}
+#ifdef LOADER_VERIEXEC
+ if (verify_file(ef.fd, filename, bytes_read, VE_MUST) < 0) {
+ err = EAUTH;
+ goto oerr;
+ }
+#endif
+
kfp = file_findfile(NULL, __elfN(obj_kerneltype));
if (kfp == NULL) {
printf("elf" __XSTRING(__ELF_WORD_SIZE)
Index: stand/common/module.c
===================================================================
--- stand/common/module.c
+++ stand/common/module.c
@@ -104,6 +104,8 @@
{
struct preloaded_file *fp;
char *typestr;
+ char *prefix;
+ char *skip;
int dofile, dokld, ch, error;
dokld = dofile = 0;
@@ -114,11 +116,18 @@
command_errmsg = "no filename specified";
return (CMD_CRIT);
}
- while ((ch = getopt(argc, argv, "kt:")) != -1) {
+ prefix = skip = NULL;
+ while ((ch = getopt(argc, argv, "kp:s:t:")) != -1) {
switch(ch) {
case 'k':
dokld = 1;
break;
+ case 'p':
+ prefix = optarg;
+ break;
+ case 's':
+ skip = optarg;
+ break;
case 't':
typestr = optarg;
dofile = 1;
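Review bot: `-p` and `-s` are parsed unconditionally, but `prefix` and `skip` are only consumed inside the `#ifdef LOADER_VERIEXEC` block of the next hunk. In a build without LOADER_VERIEXEC, or for any type other than a manifest, the options are accepted and silently dropped, and the two locals are set but never read. I would put the declarations, the option letters and the two `case` arms under the same `#ifdef`, or fail with an error when the options cannot take effect. The function starts and ends outside the hunk.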
@@ -141,6 +150,12 @@
return (CMD_CRIT);
}
+#ifdef LOADER_VERIEXEC
+ if (strncmp(typestr, "manifest", 8) == 0) {
+ return (load_manifest(argv[1], prefix, skip, NULL));
+ }
+#endif
+
fp = file_findfile(argv[1], typestr);
if (fp) {
snprintf(command_errbuf, sizeof(command_errbuf),
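Review bot: `strncmp(typestr, "manifest", 8) == 0` is a prefix match, so any `-t` value that merely begins with "manifest" is routed to `load_manifest()`; if only the exact type is intended, use `strcmp(typestr, "manifest") == 0`. The result of `load_manifest()` is also returned directly as the command status. Unless it is documented to return the CMD_* values, map it explicitly, e.g. `return (load_manifest(argv[1], prefix, skip, NULL) == 0 ? CMD_OK : CMD_ERROR);` (this assumes 0 means success, which should be confirmed against its declaration). Setting `command_errbuf` on failure would also tell the operator why the manifest was refused.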
@@ -435,6 +450,15 @@
return(NULL);
}
+#ifdef LOADER_VERIEXEC
+ if (verify_file(fd, name, 0, VE_MUST) < 0) {
+ sprintf(command_errbuf, "can't verify '%s'", name);
+ free(name);
+ close(fd);
+ return(NULL);
+ }
+#endif
+
if (archsw.arch_loadaddr != NULL)
loadaddr = archsw.arch_loadaddr(LOAD_RAW, name, loadaddr);
Index: stand/ficl/Makefile.depend
===================================================================
--- stand/ficl/Makefile.depend
+++ stand/ficl/Makefile.depend
@@ -2,9 +2,7 @@
# Autogenerated - do NOT edit!
DIRDEPS = \
- include \
- include/xlocale \
- lib/msun \
+ stand/libsa \
.include <dirdeps.mk>
Index: stand/ficl/ficl.h
===================================================================
--- stand/ficl/ficl.h
+++ stand/ficl/ficl.h
@@ -1157,6 +1157,10 @@
DATA_SET(Xficl_compile_set, func)
SET_DECLARE(Xficl_compile_set, ficlCompileFcn);
+#ifdef LOADER_VERIEXEC
+#include <verify_file.h>
+#endif
+
#ifdef __cplusplus
}
#endif
Index: stand/ficl/fileaccess.c
===================================================================
--- stand/ficl/fileaccess.c
+++ stand/ficl/fileaccess.c
@@ -67,14 +67,21 @@
if (f == NULL)
stackPushPtr(pVM->pStack, NULL);
else
+#ifdef LOADER_VERIEXEC
+ if (*mode == 'r' &&
+ verify_file(fileno(f), filename, 0, VE_GUESS) < 0) {
+ fclose(f);
+ stackPushPtr(pVM->pStack, NULL);
+ } else
+#endif
{
- ficlFILE *ff = (ficlFILE *)malloc(sizeof(ficlFILE));
- strcpy(ff->filename, filename);
- ff->f = f;
- stackPushPtr(pVM->pStack, ff);
+ ficlFILE *ff = (ficlFILE *)malloc(sizeof(ficlFILE));
+ strcpy(ff->filename, filename);
+ ff->f = f;
+ stackPushPtr(pVM->pStack, ff);
- fseek(f, 0, SEEK_SET);
- }
+ fseek(f, 0, SEEK_SET);
+ }
pushIor(pVM, f != NULL);
}
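Review bot: When verification fails, `f` is closed but not cleared, so the trailing `pushIor(pVM, f != NULL)` still reports success even though a NULL file pointer was pushed. A Forth caller that checks only the ior would treat a file that failed verification as successfully opened. Add `f = NULL;` right after `fclose(f);` in the new branch so the ior reflects the failure. Separately, the re-indented block keeps an unchecked `malloc` and an unbounded `strcpy(ff->filename, filename)`; both predate this change, and the function starts outside the hunk.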
Index: stand/ficl32/Makefile.depend
===================================================================
--- stand/ficl32/Makefile.depend
+++ stand/ficl32/Makefile.depend
@@ -2,9 +2,7 @@
# Autogenerated - do NOT edit!
DIRDEPS = \
- include \
- include/xlocale \
- lib/msun \
+ stand/libsa \
.include <dirdeps.mk>
Index: stand/i386/loader/Makefile.depend
===================================================================
--- stand/i386/loader/Makefile.depend
+++ stand/i386/loader/Makefile.depend
@@ -2,15 +2,12 @@
# Autogenerated - do NOT edit!
DIRDEPS = \
- include \
- include/xlocale \
- stand/ficl32 \
- stand/geli \
- stand/i386/btx/btx \
- stand/i386/btx/btxldr \
- stand/i386/btx/lib \
- stand/i386/libi386 \
- stand/libsa32 \
+ stand/${MACHINE_CPUARCH}/btx/btx \
+ stand/${MACHINE_CPUARCH}/btx/btxldr \
+ stand/${MACHINE_CPUARCH}/btx/lib \
+ stand/${MACHINE_CPUARCH}/libi386 \
+ stand/ficl \
+ stand/libsa \
.include <dirdeps.mk>
Index: stand/liblua/lstd.c
===================================================================
--- stand/liblua/lstd.c
+++ stand/liblua/lstd.c
@@ -31,6 +31,10 @@
#include "lstd.h"
#include "math.h"
+#ifdef LOADER_VERIEXEC
+#include <verify_file.h>
+#endif
+
FILE *
fopen(const char *filename, const char *mode)
{
@@ -76,6 +80,17 @@
return (NULL);
}
+#ifdef LOADER_VERIEXEC
+ /* only regular files and only reading makes sense */
+ if (S_ISREG(st.st_mode) && !(m & O_WRONLY)) {
+ if (verify_file(fd, filename, 0, VE_GUESS) < 0) {
+ free(f);
+ close(fd);
+ return (NULL);
+ }
+ }
+#endif
+
f->fd = fd;
f->offset = 0;
f->size = st.st_size;
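Review bot: On a verification failure the new branch returns NULL without setting `errno`, so a caller that reports the reason for a failed open may show a stale or unrelated error. If `verify_file()` does not set it (not visible here), add `errno = EAUTH;` before the return, matching the `err = EAUTH` used in the load_elf.c hunk. The comment could also state that non-regular files and write-only opens are deliberately left unverified. The function continues outside the hunk.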
Index: stand/libsa/Makefile
===================================================================
--- stand/libsa/Makefile
+++ stand/libsa/Makefile
@@ -164,6 +164,11 @@
.include "${SASRC}/geli/Makefile.inc"
.endif
+.if ${MK_LOADER_VERIEXEC} == "yes" && ${MK_BEARSSL} == "yes"
+.include "${SRCTOP}/lib/libbearssl/Makefile.libsa.inc"
+.include "${SRCTOP}/lib/libsecureboot/Makefile.libsa.inc"
+.endif
+
# Maybe ZFS
.if ${MK_LOADER_ZFS} == "yes"
.include "${SASRC}/zfs/Makefile.inc"
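Review bot: The condition here requires both `MK_LOADER_VERIEXEC` and `MK_BEARSSL` to be "yes", while the stand/loader.mk hunk adds `-DLOADER_VERIEXEC` whenever `${MK_LOADER_VERIEXEC} != "no"`. With VERIEXEC enabled and BEARSSL disabled, the loader sources would be compiled with calls to `verify_file()` but libsa would not pull in libsecureboot, which looks like a link failure at best. Use the same test in both places, e.g. `.if ${MK_LOADER_VERIEXEC} == "yes" && ${MK_BEARSSL} == "yes"` in loader.mk, or make the option dependency explicit.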
Index: stand/libsa/Makefile.depend
===================================================================
--- stand/libsa/Makefile.depend
+++ stand/libsa/Makefile.depend
@@ -2,10 +2,6 @@
# Autogenerated - do NOT edit!
DIRDEPS = \
- include \
- include/arpa \
- include/xlocale \
- lib/libbz2 \
.include <dirdeps.mk>
Index: stand/libsa32/Makefile.depend
===================================================================
--- stand/libsa32/Makefile.depend
+++ stand/libsa32/Makefile.depend
@@ -2,10 +2,7 @@
# Autogenerated - do NOT edit!
DIRDEPS = \
- include \
- include/arpa \
- include/xlocale \
- lib/libbz2 \
+ stand/libsa \
.include <dirdeps.mk>
Index: stand/loader.mk
===================================================================
--- stand/loader.mk
+++ stand/loader.mk
@@ -73,6 +73,10 @@
.error Unknown interpreter ${LOADER_INTERP}
.endif
+.if ${MK_LOADER_VERIEXEC} != "no"
+CFLAGS+= -DLOADER_VERIEXEC -I${SRCTOP}/lib/libsecureboot/h
+.endif
+
.if defined(BOOT_PROMPT_123)
CFLAGS+= -DBOOT_PROMPT_123
.endif
D16336: Add calls to verify_file to loader.