lib/libve/h/verify.h
- This file was added.
Property | Old Value | New Value
---|---|---
svn:eol-style | null | native
svn:keywords | null | FreeBSD=%H
svn:mime-type | null | text/plain
/*-
 * Copyright (c) 2017, Juniper Networks, Inc.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
#define VE_GUESS -1 /* let verify_file work it out */
#define VE_TRY 0 /* we don't mind if unverified */
#define VE_WANT 1 /* we want this verified */
cem: Both of these concepts seem pretty dubious.
The loader and kernel should not be guessing signing policy — period.
Files either have a signature or do not. If they do, they must be verified. If they don't, they cannot be verified. Not sure what try or want has to do with that.

sjg: These defines address how to handle the case that no matching hash is found for a file. A file which does not have a hash cannot be verified - correct, but should it be accepted?
With…

cem: I'm still not clear on what GUESS or TRY are for. Can you elaborate further?
I think it would be good to add a comment here with the exact semantics differences between the options.

sjg: TRY just explicitly indicates that the caller does not mind if the file has no hash.
Nothing in the…
#define VE_MUST 2 /* this must be verified */
#define VE_VERIFIED 1 /* all good */
#define VE_UNVERIFIED_OK 0 /* not verified but that's ok */
#define VE_NOT_VERIFYING 2 /* we are not verifying */
void ve_debug_set(int);
int ve_status_get(int);
int load_manifest(const char *, const char *, const char *, struct stat *);
int verify_file(int, const char *, off_t, int);
void verify_pcr_export(void);
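Review bot: The request codes (VE_TRY 0, VE_WANT 1, VE_MUST 2) and the result codes (VE_UNVERIFIED_OK 0, VE_VERIFIED 1, VE_NOT_VERIFYING 2) carry the same numeric values under the same VE_ prefix in one flat set of defines, so a caller that passes a result where verify_file() expects a request, or compares its return value against VE_WANT, compiles silently and misbehaves at run time; two separate enum types, or at least distinct prefixes (say VE_REQ_/VE_RES_, placeholder names), would let the compiler catch the mix-up. The cem/sjg thread above is asking for documentation that the header does not yet give: what VE_GUESS and VE_TRY mean for a file with no matching hash, and which of the result codes verify_file() returns in each case, belong in a comment on the defines and on the prototype, whose two int parameters are currently unnamed. The header as shown also uses struct stat and off_t without including <sys/stat.h> or <sys/types.h> and has no include guard, so it only compiles when the including file happens to have pulled those in first.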