May 13 2022

sjg accepted D33246: Improve parameters handling in veriexec.
May 13 2022, 6:01 PM
sjg accepted D35120: libsecureboot: Do not propagate empty string.
May 13 2022, 5:59 PM

May 6 2022

sjg added inline comments to D35120: libsecureboot: Do not propagate empty string.
May 6 2022, 4:16 PM
sjg accepted D33246: Improve parameters handling in veriexec.

One style nit, but otherwise looks ok

May 6 2022, 4:12 PM

Apr 29 2022

sjg added inline comments to D35098: nfs: skip bootpc when vfs.root.mountfrom is other than nfs.
Apr 29 2022, 11:41 PM · PowerPC

Apr 23 2022

sjg committed rG525d1e204bbc: Update dirdeps.mk (authored by sjg).
Update dirdeps.mk
Apr 23 2022, 9:46 PM

Apr 22 2022

sjg committed rG2f2a5ecdf8a0: Merge bmake-20220418 (authored by sjg).
Merge bmake-20220418
Apr 22 2022, 8:43 PM
sjg committed rG92bfae0e6bd5: Add -m to post.sh (authored by sjg).
Add -m to post.sh
Apr 22 2022, 8:39 PM
sjg committed rG2061c94e6fd9: Import bmake-20220418 (authored by sjg).
Import bmake-20220418
Apr 22 2022, 8:36 PM

Apr 19 2022

sjg added inline comments to D34971: bsd.test.mk: Attempt to work around installation race.
Apr 19 2022, 11:24 PM

Apr 18 2022

sjg committed rGcc9e6590773d: Merge bearssl-20220418 (authored by sjg).
Merge bearssl-20220418
Apr 18 2022, 9:54 PM
sjg committed rG666554111a7e: Update libsecureboot (authored by sjg).
Update libsecureboot
Apr 18 2022, 7:54 PM
sjg committed rGf6acb9b9f81c: Vendor import of BearSSL at 2022-04-18 hash d40d23b (authored by sjg).
Vendor import of BearSSL at 2022-04-18 hash d40d23b
Apr 18 2022, 6:10 PM

Apr 15 2022

sjg added a comment to D34741: Speed up *-old-* make targets by using sed instead of xargs.

sed is a win over xargs but using :ts\n would be better still.

Apr 15 2022, 12:09 AM

Apr 4 2022

sjg abandoned D34782: libfetch do not include [] in IPv6 address.

nope fetch_resolve requires the [] survive

Apr 4 2022, 9:28 PM
sjg added reviewers for D34782: libfetch do not include [] in IPv6 address: des, cperciva.
Apr 4 2022, 8:16 PM
sjg requested review of D34782: libfetch do not include [] in IPv6 address.
Apr 4 2022, 8:13 PM

Apr 3 2022

sjg committed rG1d3f2ddc32fc: Merge bmake-20220330 (authored by sjg).
Merge bmake-20220330
Apr 3 2022, 7:59 PM
sjg committed rGa052cb432096: Import bmake-20220330 (authored by sjg).
Import bmake-20220330
Apr 3 2022, 7:53 PM

Mar 25 2022

sjg added inline comments to D34622: init: allow to start script executions with sh -o verify.
Mar 25 2022, 8:02 PM

Mar 10 2022

sjg committed rG31fde973577d: script: use %n at the end of default tstamp_fmt (authored by sjg).
script: use %n at the end of default tstamp_fmt
Mar 10 2022, 5:45 PM
sjg committed rG7b45ad3f89cc: script -T skip timestamps for same second (authored by sjg).
script -T skip timestamps for same second
Mar 10 2022, 6:21 AM

Mar 9 2022

sjg committed rG6c4afed5667a: script add -T fmt to print time-stamps (authored by sjg).
script add -T fmt to print time-stamps
Mar 9 2022, 9:33 PM
sjg closed D34511: script add -T fmt to print time-stamps.
Mar 9 2022, 9:33 PM
sjg added inline comments to D34511: script add -T fmt to print time-stamps.
Mar 9 2022, 9:29 PM
sjg updated the diff for D34511: script add -T fmt to print time-stamps.

Fix synopsis

Mar 9 2022, 9:29 PM
sjg requested review of D34511: script add -T fmt to print time-stamps.
Mar 9 2022, 8:35 PM

Feb 24 2022

sjg committed rGe6925175174b: Handle MODULE_VERBOSE_TWIDDLE in module_verbose_set (authored by sjg).
Handle MODULE_VERBOSE_TWIDDLE in module_verbose_set
Feb 24 2022, 5:27 AM

Feb 21 2022

sjg accepted D34327: mac_veriexec: Authorize reads of secured sysctls.

Thanks

Feb 21 2022, 5:13 PM
sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..

[Firstly I'd much rather have this discussion over email - which is more suited to it]

Feb 21 2022, 5:08 PM

Feb 18 2022

sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..

[not sure if editing a comment worked, so repeating it here]

Feb 18 2022, 2:43 AM
sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..

Actually, what does the kernel do with the manifest? or the hash of the manifest?

Once root is mounted, mac_veriexec verifies the manifest hash, and parses the manifest. Each file listed in the manifest gets resolved into a vnode and is added to mac_veriexec with its corresponding hash and flags; the vnode can then later be verified when accessed. When the system is ready, mac_veriexec is already in "loaded active enforced" state. Without this mac_veriexec would not know of any file, so no program would be allowed to run, not even veriexec(8).

Feb 18 2022, 2:05 AM

Feb 16 2022

sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..

[I keep forgetting you cannot reply to the emails from this tool ]

Feb 16 2022, 11:48 PM
sjg committed rGc4bf04f40bb5: cc-wrap.mk: fix typo in modifiers (authored by sjg).
cc-wrap.mk: fix typo in modifiers
Feb 16 2022, 11:22 PM
sjg accepted D34281: Don't delete hack.c - causes perpetual 'out of date' kernel.

LGTM

Feb 16 2022, 7:42 PM
sjg committed rGbd8bde138531: Merge bmake-20220208 (authored by sjg).
Merge bmake-20220208
Feb 16 2022, 5:40 AM
sjg committed rG22ade366be0b: Update to bmake-20220204 (authored by sjg).
Update to bmake-20220204
Feb 16 2022, 5:39 AM
sjg committed rGb69c3b89fea2: Merge bmake-20220204 (authored by sjg).
Merge bmake-20220204
Feb 16 2022, 5:39 AM
sjg committed rG76bc3cfd0b94: Merge bmake-20211212 (authored by sjg).
Merge bmake-20211212
Feb 16 2022, 5:39 AM
sjg committed rG7f1879d674dc: After-import bmake-20211212 (authored by sjg).
After-import bmake-20211212
Feb 16 2022, 5:39 AM
sjg committed rG9956ced97ea8: Update to bmake-20210621 (authored by sjg).
Update to bmake-20210621
Feb 16 2022, 5:39 AM
sjg committed rG14f3c857000e: make: fix MAKE_JOB_ERROR_TOKEN (authored by sjg).
make: fix MAKE_JOB_ERROR_TOKEN
Feb 16 2022, 5:39 AM
sjg committed rG4eda2649adec: Merge commit 'ee914ef902ae018bd4f67192832120f9bf05651f' into new_merge (authored by sjg).
Merge commit 'ee914ef902ae018bd4f67192832120f9bf05651f' into new_merge
Feb 16 2022, 5:39 AM

Feb 15 2022

sjg added inline comments to D33246: Improve parameters handling in veriexec.
Feb 15 2022, 6:39 PM
sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..
In D33926#775631, @sjg wrote:

Also I'm curious; if you are ok embedding trust anchors in the loader, what is the problem with embedding them in veriexec?

Legacy build system basically :s

It's much more convenient for us to separate the program compilation from its cryptographic configuration. This way the program can be compiled once and be used with various (trusted) CA stores.

Feb 15 2022, 6:28 PM
sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..
In D33926#775630, @sjg wrote:

Thanks for clarifying. The problem is; how does the kernel know/trust that the loader really verified anything? Rather than simply a loader.conf putting a hash into kenv?
It is one thing for the loader to verify the kernel before loading it (we also verify the kernel's rootfs) but the kernel cannot really verify the loader - or trust anything in kenv.

SecureBoot verifies the loader so we know it has not been tampered with. I wouldn't know how one could guarantee veriexec to work if the loader is not protected by SecureBoot, as you are right, the kernel cannot verify the loader.
Our loader is further patched so as to authorize only a whitelist of kenv in loader.conf and the likes, so the manifest hash cannot be passed this way.

Feb 15 2022, 6:16 PM
sjg added inline comments to D34281: Don't delete hack.c - causes perpetual 'out of date' kernel.
Feb 15 2022, 1:29 AM

Feb 14 2022

sjg committed rGa8189e9bd4dd: veriexec(8): explain that only a unique prefix is required (authored by sjg).
veriexec(8): explain that only a unique prefix is required
Feb 14 2022, 9:55 PM
sjg added inline comments to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..
Feb 14 2022, 7:21 PM
sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..

Also I'm curious; if you are ok embedding trust anchors in the loader, what is the problem with embedding them in veriexec?

Feb 14 2022, 7:14 PM
sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..
In D33926#773586, @sjg wrote:

The basic premise here is incorrect. There is a circular dependency.
veriexec cannot rely on O_VERIFY since veriexec is responsible for seeding mac_veriexec to enable O_VERIFY.
You would need to verify a detached signature of the archive - but then where do you get the trust anchors for that...

Thank you for your feedback. In our code base, we circumvent the circular dependency you mentioned:

  • The bootloader embeds its own CA store in its source code and verifies a first manifest file.
  • The hash of this manifest is passed to the kernel via kenv.
  • When the kernel mounts root, it verifies the hash of the manifest, and if correct, feeds the contents of the manifest to mac_veriexec.

Hence, once the system is started, mac_veriexec is initialized with a small set of files that are verified. Of course, in our case, the CA tarball ("/etc/veriexec/anchors.txz") is protected by the manifest that is verified by the loader, so it is known by mac_veriexec. Hence the O_VERIFY call will succeed.

Feb 14 2022, 7:13 PM
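As an added illustration of the chain quoted above (the loader verifies a manifest, the manifest's hash is handed to the kernel, the kernel checks the manifest against that hash and seeds mac_veriexec from it) and of sjg's Feb 18 description of the manifest being parsed into per-file fingerprints, here is a small Python model. It is not FreeBSD code: the one-line `path sha256=<hex>` manifest syntax, the `Veriexec` class and the `demo()` harness are assumptions for illustration, and the files it hashes are constructed in a temporary directory.

```python
"""Added example (not FreeBSD code): a minimal model of the manifest chain
discussed in D33926.  The manifest syntax used here, one
"path sha256=<hex>" line per file, is an assumption for illustration,
not the exact grammar mac_veriexec parses."""
import hashlib
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse 'path sha256=<hex>' lines into {path: hex}.  Malformed lines
    are rejected rather than skipped: a manifest that half-parses must not
    silently admit fewer checks than the loader signed off on."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("sha256="):
            raise ValueError(f"manifest line {lineno}: malformed: {raw!r}")
        digest = parts[1][len("sha256="):].lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: bad digest")
        entries[parts[0]] = digest
    return entries


class Veriexec:
    """Stand-in for the mac_veriexec fingerprint table (assumed model):
    nothing is allowed until a manifest has been verified and loaded."""

    def __init__(self):
        self.fingerprints = {}

    def load_manifest(self, manifest_bytes: bytes, kenv_hash: str) -> int:
        # The kernel-side step of the quoted procedure: compare the hash of
        # the manifest found on root with the value the loader put in kenv,
        # then seed the table.  This only proves the two agree; it cannot
        # tell whether the kenv value came from a verifying loader or from
        # loader.conf, which is exactly sjg's objection above.
        if sha256_hex(manifest_bytes) != kenv_hash.lower():
            raise PermissionError("manifest hash does not match kenv value")
        self.fingerprints = parse_manifest(manifest_bytes.decode())
        return len(self.fingerprints)

    def check_open(self, path: str) -> bool:
        """Model of an O_VERIFY open: the file must be listed and its
        current content must match the recorded fingerprint."""
        expected = self.fingerprints.get(path)
        if expected is None:
            return False  # unknown file is refused, as veriexec(8) itself would be
        with open(path, "rb") as f:
            return sha256_hex(f.read()) == expected


def demo() -> dict:
    """Constructed root with a CA tarball covered by the manifest and a
    stray script that is not; exercise the chain end to end."""
    root = tempfile.mkdtemp()
    anchors = os.path.join(root, "anchors.txz")
    stray = os.path.join(root, "stray.sh")
    with open(anchors, "wb") as f:
        f.write(b"constructed sample: pretend CA bundle\n")
    with open(stray, "wb") as f:
        f.write(b"#!/bin/sh\necho not in manifest\n")
    with open(anchors, "rb") as f:
        manifest = f"{anchors} sha256={sha256_hex(f.read())}\n".encode()
    kenv_hash = sha256_hex(manifest)  # what the loader would hand to the kernel

    ve = Veriexec()
    results = {"before_load": ve.check_open(anchors)}
    results["entries"] = ve.load_manifest(manifest, kenv_hash)
    results["anchors_ok"] = ve.check_open(anchors)
    results["stray_refused"] = not ve.check_open(stray)
    try:
        Veriexec().load_manifest(manifest, "00" * 32)
        results["mismatch_rejected"] = False
    except PermissionError:
        results["mismatch_rejected"] = True
    with open(anchors, "ab") as f:  # tamper with a listed file after load
        f.write(b"tampered\n")
    results["tamper_detected"] = not ve.check_open(anchors)
    return results


if __name__ == "__main__":
    print(demo())
```

The model makes the circularity visible: `check_open()` refuses everything until `load_manifest()` has succeeded, so the CA tarball can only be opened "verified" because the manifest that names it was itself verified by something that does not depend on the tarball. It also shows the limit sjg raises: the hash comparison in `load_manifest()` is only as trustworthy as whoever wrote `kenv_hash`, which the kernel cannot determine on its own.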
sjg added inline comments to D33246: Improve parameters handling in veriexec.
Feb 14 2022, 7:01 PM
sjg committed rG01b0c35984c6: module_verbose should also affect non-ELF modules. (authored by sjg).
module_verbose should also affect non-ELF modules.
Feb 14 2022, 6:46 PM

Feb 13 2022

sjg committed rGec042f46e9bb: Add support for module_verbose (authored by sjg).
Add support for module_verbose
Feb 13 2022, 8:47 PM
sjg closed D34245: Add support for module_verbose.
Feb 13 2022, 8:46 PM
sjg updated the diff for D34245: Add support for module_verbose.

Pass correct initial value to env_setenv

Feb 13 2022, 2:36 AM
sjg updated the diff for D34245: Add support for module_verbose.

Avoid != and ==

Feb 13 2022, 2:12 AM

Feb 11 2022

sjg added inline comments to D34245: Add support for module_verbose.
Feb 11 2022, 3:55 PM
sjg updated the diff for D34245: Add support for module_verbose.

Use MODULE_VERBOSE_TWIDDLE as default

Feb 11 2022, 4:59 AM
sjg updated the diff for D34245: Add support for module_verbose.

Use enum for values

Feb 11 2022, 4:56 AM
sjg added a comment to D34245: Add support for module_verbose.

Might I suggest something like this next to the definition of module_verbose:

enum {
        MODULE_VERBOSE_SILENT,  /* 0 */
        MODULE_VERBOSE_QUIET,   /* 1 */
        MODULE_VERBOSE_DEFAULT, /* 2 */
        MODULE_VERBOSE_FULL,    /* 3 */
};

Or something along those lines. Then, rather than comparing against bare 0 or 2 (or potentially 3, as you mentioned here in Phabricator), you'd compare against the symbol. And of course get rid of MODULE_VERBOSE in favor of MODULE_VERBOSE_DEFAULT.

Feb 11 2022, 4:31 AM

Feb 10 2022

sjg requested review of D34245: Add support for module_verbose.
Feb 10 2022, 10:32 PM

Feb 9 2022

sjg committed rGa6f0e10b24b6: Merge bmake-20220208 (authored by sjg).
Merge bmake-20220208
Feb 9 2022, 5:32 PM
sjg committed rG535c59a6a921: Import bmake-20220208 (authored by sjg).
Import bmake-20220208
Feb 9 2022, 5:24 PM
sjg accepted D34219: bmake: make opt-debug-x-trace broken on Linux.

will cleanup at next import

Feb 9 2022, 3:16 AM
sjg added a comment to D34219: bmake: make opt-debug-x-trace broken on Linux.

Correction, not NetBSD, most BROKEN_TEST stuff goes in bmake, fwiw next version will have:

--- a/bmake/unit-tests/Makefile Tue Feb 08 14:45:13 2022 -0800
+++ b/bmake/unit-tests/Makefile Tue Feb 08 18:45:22 2022 -0800
@@ -446,6 +446,17 @@
 .if ${.MAKE.OS:NDarwin} == ""
 BROKEN_TESTS+= shell-ksh
 .endif
+.if ${.MAKE.OS} == "Linux" && ${.SHELL:tA:T} != "bash"
+.if exists(/etc/os-release)
+distro!= . /etc/os-release && echo $$NAME
+.endif
+# dash fails -x output
+# .SHELL is not bash so may be dash
+# if distro is Ubuntu or we cannot tell, assume the worst
+.if ${distro:U:NUbuntu} == ""
+BROKEN_TESTS+= opt-debug-x-trace
+.endif
+.endif
 .if ${.MAKE.OS} == "SCO_SV"
 BROKEN_TESTS+= \
        opt-debug-graph[23] \
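Review bot: the Linux block decides by distribution name (`.if ${distro:U:NUbuntu} == ""`) while the comments on the hunk say the real condition is the shell being dash (`# dash fails -x output`, `# .SHELL is not bash so may be dash`); Debian and other derivatives whose /bin/sh is dash would pass the `${.SHELL:tA:T} != "bash"` guard and then not be marked broken because NAME is not "Ubuntu". Since the resolved shell name is already in hand, testing it directly, for example `.if ${.SHELL:tA:T} == "dash"`, and keeping the os-release lookup only as the fallback when .SHELL cannot be resolved, would match the stated intent and avoid sourcing /etc/os-release with `.` on every run.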
Feb 9 2022, 2:51 AM
sjg added inline comments to D34219: bmake: make opt-debug-x-trace broken on Linux.
Feb 9 2022, 2:31 AM

Feb 7 2022

sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..

If the point here is to be able to *add* trust anchors or revoke them from an archive that was verified via the built in trust anchors, then that could work.
But the log message implies that is not your goal.
As stated I don't think it can be secure.

Feb 7 2022, 6:10 PM
sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..

The basic premise here is incorrect. There is a circular dependency.
veriexec cannot rely on O_VERIFY since veriexec is responsible for seeding mac_veriexec to enable O_VERIFY.
You would need to verify a detached signature of the archive - but then where do you get the trust anchors for that...

Feb 7 2022, 6:06 PM
sjg added inline comments to D33246: Improve parameters handling in veriexec.
Feb 7 2022, 4:09 PM

Feb 5 2022

sjg committed rG6598559fdf0c: Update to bmake-20220204 (authored by sjg).
Update to bmake-20220204
Feb 5 2022, 8:30 PM
sjg committed rG9f45a3c8c82f: Merge bmake-20220204 (authored by sjg).
Merge bmake-20220204
Feb 5 2022, 8:29 PM
sjg committed rGcdde9e894dee: Import bmake-20220204 (authored by sjg).
Import bmake-20220204
Feb 5 2022, 8:06 PM

Jan 15 2022

sjg accepted D33904: Remove quotes around Makefile .error/.warn/.info strings.
Jan 15 2022, 11:07 PM
sjg committed rGbacb140f31aa: Ignore calcru: runtime went backwards for vm_guest (authored by sjg).
Ignore calcru: runtime went backwards for vm_guest
Jan 15 2022, 12:08 AM
sjg closed D33902: Ignore calcru: runtime went backwards for vm_guest.
Jan 15 2022, 12:08 AM

Jan 14 2022

sjg added a reviewer for D33902: Ignore calcru: runtime went backwards for vm_guest: jhb.
Jan 14 2022, 8:33 PM
sjg requested review of D33902: Ignore calcru: runtime went backwards for vm_guest.
Jan 14 2022, 8:30 PM

Dec 19 2021

sjg committed rG623ecf233256: Move ve_check_hash prototype to libsecureboot-priv.h (authored by sjg).
Move ve_check_hash prototype to libsecureboot-priv.h
Dec 19 2021, 12:35 AM

Dec 18 2021

sjg committed rG3b26e5a453df: Update dirdeps.mk et al to 20211212 versions (authored by sjg).
Update dirdeps.mk et al to 20211212 versions
Dec 18 2021, 9:38 PM
sjg committed rG1c04cf7d5415: After-import bmake-20211212 (authored by sjg).
After-import bmake-20211212
Dec 18 2021, 6:15 PM
sjg committed rG129043849f62: Merge bmake-20211212 (authored by sjg).
Merge bmake-20211212
Dec 18 2021, 6:15 PM
sjg committed rG2935fe8237c8: Import bmake-20211212 (authored by sjg).
Import bmake-20211212
Dec 18 2021, 7:29 AM

Sep 10 2021

sjg committed rG3b96abbab033: make: fix MAKE_JOB_ERROR_TOKEN (authored by sjg).
make: fix MAKE_JOB_ERROR_TOKEN
Sep 10 2021, 8:13 PM

Jul 23 2021

sjg accepted D31268: Fix mac_veriexec version mismatch.

FWIW we don't build this as a loadable module - it is baked into our kernel

Jul 23 2021, 12:14 AM

Jul 18 2021

sjg added a comment to D31154: make buildworld with time logging for each stage.

Sounds like something that should be put in a variable TIME_ENV ?= time env that way anyone who doesn't want it, or suspects it is causing trouble can TIME_ENV= to disable

Jul 18 2021, 11:13 PM

Jul 6 2021

sjg accepted D31015: Makefile: Fix MAKEOBJDIRPREFIX command-line variable check for bmake.
Jul 6 2021, 3:33 AM
sjg added inline comments to D30990: src.sys.obj.mk: Export OBJTOP like OBJROOT.
Jul 6 2021, 3:21 AM
sjg added a comment to D30962: veriexec: fix two compat issues in kernel manifest parser.

Sorry this does not look like a good idea.
1/ why would you want no_hash for a kernel module?
2/ why would you have a manifest with .ko.gz entries that cannot be loaded?

Jul 6 2021, 3:14 AM
sjg added a comment to D30960: veriexec: handle VE_FINGERPRINT_IGNORE from vectx_open.

There should be no need for anything outside libsecureboot to grok VE_FINGERPRINT_IGNORE, vectx should not return an error status in such a case.
But we (I) do not expect vectx to be used for anything which does not require a valid fingerprint.

Jul 6 2021, 3:09 AM
sjg accepted D30952: veriexec: Fix veriexec -i's confusion between loaded and locked states.

Oops - thanks

Jul 6 2021, 3:00 AM

Jun 25 2021

sjg committed rG68c4481aac28: Update to bmake-20210621 (authored by sjg).
Update to bmake-20210621
Jun 25 2021, 11:03 PM
sjg committed rGb0c40a00a67f: Merge commit 'ee914ef902ae018bd4f67192832120f9bf05651f' into new_merge (authored by sjg).
Merge commit 'ee914ef902ae018bd4f67192832120f9bf05651f' into new_merge
Jun 25 2021, 11:02 PM
sjg committed rGee914ef902ae: Import bmake-20210621 (authored by sjg).
Import bmake-20210621
Jun 25 2021, 6:18 PM

Jun 3 2021

sjg added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.

BTW wrt creating test cases, assuming you have a system which is capable of enforcing veriexec and still operating, a package which contains a manifest with various failures is handy.
I have something like that for testing the verifying loader; it cannot be installed using my package system, since it would fail all the pre-install checks, so a manual install.sh script is provided.

Jun 3 2021, 5:51 PM
sjg added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.
In D30464#686471, @imp wrote:
In D30464#686275, @sjg wrote:
vdot()
{
        if test -s $1 && _rc_verify $1 > /dev/null 2>&1; then
                . $1
        fi
}

Besides I believe there is race condition here. The file $1 can be tampered with after the call to _rc_verify and before the source call

$1 is a local variable to vdot. Who could possibly change it?

Jun 3 2021, 5:46 PM
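The race raised in the exchange above is easy to reproduce on ordinary files. The following Python is an added example, not code from the review or from FreeBSD: `verify_then_use()` mirrors the quoted `vdot()` (hash the file by path, then reopen the path to source it), while `open_then_verify()` verifies the descriptor it later reads, which is the property `sh -o verify` gets from O_VERIFY at open time. The `tamper` callback and `swap_file()` are hypothetical stand-ins for a concurrent attacker, and the script content is constructed.

```python
"""Added example (not from the review): the check-then-source race
discussed in D30464, modelled on plain files."""
import hashlib
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_then_use(path, expected, tamper=None):
    """_rc_verify-style check on the path, then '. $1' reopens the path.
    Whatever sits behind the name in between is what gets sourced."""
    with open(path, "rb") as f:
        if sha256_hex(f.read()) != expected:
            return None                    # refused, as vdot() would
    if tamper:
        tamper(path)                       # window between check and use
    with open(path, "rb") as f:            # second lookup of the same name
        return f.read()


def open_then_verify(path, expected, tamper=None):
    """Open once, verify the content behind that descriptor, and keep
    reading the same descriptor.  A rename over the path after open
    cannot change which inode the descriptor refers to."""
    fd = os.open(path, os.O_RDONLY)
    try:
        if sha256_hex(os.read(fd, 1 << 20)) != expected:
            return None
        if tamper:
            tamper(path)
        os.lseek(fd, 0, os.SEEK_SET)
        return os.read(fd, 1 << 20)        # still the verified inode
    finally:
        os.close(fd)


def swap_file(path):
    """Hypothetical attacker: atomically replace the file with a new
    inode, as any writer with directory permission could."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(b"echo pwned\n")
    os.replace(tmp, path)


def demo() -> dict:
    """Run both strategies against the same constructed script."""
    good = b"echo hello\n"
    expected = sha256_hex(good)
    script = os.path.join(tempfile.mkdtemp(), "rc.local")

    def fresh():
        with open(script, "wb") as f:
            f.write(good)

    results = {}
    fresh()
    results["path_based_no_attacker"] = verify_then_use(script, expected)
    fresh()
    results["path_based_attacked"] = verify_then_use(script, expected, swap_file)
    fresh()
    results["fd_based_attacked"] = open_then_verify(script, expected, swap_file)
    fresh()
    results["bad_hash_refused"] = open_then_verify(script, "00" * 32)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two caveats follow from the thread. The descriptor-based variant only defeats replacement of the path; an attacker who can write the verified inode in place still wins, so it presumes, as veriexec does, that fingerprinted files are not writable while enforcement is on. And, as sjg notes in the next comment, O_VERIFY verifies nothing when mac_veriexec is inactive or not loaded, so the open succeeds unconditionally in that state.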
sjg added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.

AFAIK mac_veriexec does not block the opening of files with O_VERIFY if inactive. (i.e. the new sh verify option blocks nothing if mac_veriexec is inactive / not loaded).

Jun 3 2021, 5:44 PM

May 30 2021

sjg added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.

Looks reasonable, assuming veriexec itself is reasonable (in many cases, it seems to me that verifying the root filesystem would be a simpler and more reliable approach).

May 30 2021, 11:26 PM
sjg accepted D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.

But fwiw

May 30 2021, 11:19 PM
sjg added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.

And in run_rc_script we have

May 30 2021, 11:18 PM