
sjg (Simon Gerraty)
User

Projects

User Details

User Since
Apr 9 2015, 9:27 PM (371 w, 3 d)

Recent Activity

Fri, May 13

sjg accepted D33246: Improve parameters handling in veriexec.
Fri, May 13, 6:01 PM
sjg accepted D35120: libsecureboot: Do not propagate empty string.
Fri, May 13, 5:59 PM

Fri, May 6

sjg added inline comments to D35120: libsecureboot: Do not propagate empty string.
Fri, May 6, 4:16 PM
sjg accepted D33246: Improve parameters handling in veriexec.

One style nit, but otherwise looks ok

Fri, May 6, 4:12 PM

Fri, Apr 29

sjg added inline comments to D35098: nfs: skip bootpc when vfs.root.mountfrom is other than nfs.
Fri, Apr 29, 11:41 PM · PowerPC

Sat, Apr 23

sjg committed R10:525d1e204bbc: Update dirdeps.mk (authored by sjg).
Update dirdeps.mk
Sat, Apr 23, 9:46 PM

Apr 22 2022

sjg committed R10:2f2a5ecdf8a0: Merge bmake-20220418 (authored by sjg).
Merge bmake-20220418
Apr 22 2022, 8:43 PM
sjg committed R10:92bfae0e6bd5: Add -m to post.sh (authored by sjg).
Add -m to post.sh
Apr 22 2022, 8:39 PM
sjg committed R10:2061c94e6fd9: Import bmake-20220418 (authored by sjg).
Import bmake-20220418
Apr 22 2022, 8:36 PM

Apr 19 2022

sjg added inline comments to D34971: bsd.test.mk: Attempt to work around installation race.
Apr 19 2022, 11:24 PM

Apr 18 2022

sjg committed R10:cc9e6590773d: Merge bearssl-20220418 (authored by sjg).
Merge bearssl-20220418
Apr 18 2022, 9:54 PM
sjg committed R10:666554111a7e: Update libsecureboot (authored by sjg).
Update libsecureboot
Apr 18 2022, 7:54 PM
sjg committed R10:f6acb9b9f81c: Vendor import of BearSSL at 2022-04-18 hash d40d23b (authored by sjg).
Vendor import of BearSSL at 2022-04-18 hash d40d23b
Apr 18 2022, 6:10 PM

Apr 15 2022

sjg added a comment to D34741: Speed up *-old-* make targets by using sed instead of xargs.

sed is a win over xargs but using :ts\n would be better still.

Apr 15 2022, 12:09 AM

Apr 4 2022

sjg abandoned D34782: libfetch do not include [] in IPv6 address.

nope, fetch_resolve requires the [] survive

Apr 4 2022, 9:28 PM
sjg added reviewers for D34782: libfetch do not include [] in IPv6 address: des, cperciva.
Apr 4 2022, 8:16 PM
sjg requested review of D34782: libfetch do not include [] in IPv6 address.
Apr 4 2022, 8:13 PM

Apr 3 2022

sjg committed R10:1d3f2ddc32fc: Merge bmake-20220330 (authored by sjg).
Merge bmake-20220330
Apr 3 2022, 7:59 PM
sjg committed R10:a052cb432096: Import bmake-20220330 (authored by sjg).
Import bmake-20220330
Apr 3 2022, 7:53 PM

Mar 25 2022

sjg added inline comments to D34622: init: allow to start script executions with sh -o verify.
Mar 25 2022, 8:02 PM

Mar 10 2022

sjg committed R10:31fde973577d: script: use %n at the end of default tstamp_fmt (authored by sjg).
script: use %n at the end of default tstamp_fmt
Mar 10 2022, 5:45 PM
sjg committed R10:7b45ad3f89cc: script -T skip timestamps for same second (authored by sjg).
script -T skip timestamps for same second
Mar 10 2022, 6:21 AM

Mar 9 2022

sjg committed R10:6c4afed5667a: script add -T fmt to print time-stamps (authored by sjg).
script add -T fmt to print time-stamps
Mar 9 2022, 9:33 PM
sjg closed D34511: script add -T fmt to print time-stamps.
Mar 9 2022, 9:33 PM
sjg added inline comments to D34511: script add -T fmt to print time-stamps.
Mar 9 2022, 9:29 PM
sjg updated the diff for D34511: script add -T fmt to print time-stamps.

Fix synopsis

Mar 9 2022, 9:29 PM
sjg requested review of D34511: script add -T fmt to print time-stamps.
Mar 9 2022, 8:35 PM

Feb 24 2022

sjg committed R10:e6925175174b: Handle MODULE_VERBOSE_TWIDDLE in module_verbose_set (authored by sjg).
Handle MODULE_VERBOSE_TWIDDLE in module_verbose_set
Feb 24 2022, 5:27 AM

Feb 21 2022

sjg accepted D34327: mac_veriexec: Authorize reads of secured sysctls.

Thanks

Feb 21 2022, 5:13 PM
sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..

[Firstly I'd much rather have this discussion over email - which is more suited to it]

Feb 21 2022, 5:08 PM

Feb 18 2022

sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..

[not sure if editing a comment worked, so repeating it here]

Feb 18 2022, 2:43 AM
sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..

Actually, what does the kernel do with the manifest? or the hash of the manifest?

Once root is mounted, mac_veriexec verifies the manifest hash, and parses the manifest. Each file listed in the manifest gets resolved into a vnode and is added to mac_veriexec with its corresponding hash and flags; the vnode can then later be verified when accessed. When the system is ready, mac_veriexec is already in "loaded active enforced" state. Without this mac_veriexec would not know of any file, so no program would be allowed to run, not even veriexec(8).

Feb 18 2022, 2:05 AM

Feb 16 2022

sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..

[I keep forgetting you cannot reply to the emails from this tool ]

Feb 16 2022, 11:48 PM
sjg committed R10:c4bf04f40bb5: cc-wrap.mk: fix typo in modifiers (authored by sjg).
cc-wrap.mk: fix typo in modifiers
Feb 16 2022, 11:22 PM
sjg accepted D34281: Don't delete hack.c - causes perpetual 'out of date' kernel.

LGTM

Feb 16 2022, 7:42 PM
sjg committed R10:bd8bde138531: Merge bmake-20220208 (authored by sjg).
Merge bmake-20220208
Feb 16 2022, 5:40 AM
sjg committed R10:22ade366be0b: Update to bmake-20220204 (authored by sjg).
Update to bmake-20220204
Feb 16 2022, 5:39 AM
sjg committed R10:b69c3b89fea2: Merge bmake-20220204 (authored by sjg).
Merge bmake-20220204
Feb 16 2022, 5:39 AM
sjg committed R10:76bc3cfd0b94: Merge bmake-20211212 (authored by sjg).
Merge bmake-20211212
Feb 16 2022, 5:39 AM
sjg committed R10:7f1879d674dc: After-import bmake-20211212 (authored by sjg).
After-import bmake-20211212
Feb 16 2022, 5:39 AM
sjg committed R10:9956ced97ea8: Update to bmake-20210621 (authored by sjg).
Update to bmake-20210621
Feb 16 2022, 5:39 AM
sjg committed R10:14f3c857000e: make: fix MAKE_JOB_ERROR_TOKEN (authored by sjg).
make: fix MAKE_JOB_ERROR_TOKEN
Feb 16 2022, 5:39 AM
sjg committed R10:4eda2649adec: Merge commit 'ee914ef902ae018bd4f67192832120f9bf05651f' into new_merge (authored by sjg).
Merge commit 'ee914ef902ae018bd4f67192832120f9bf05651f' into new_merge
Feb 16 2022, 5:39 AM

Feb 15 2022

sjg added inline comments to D33246: Improve parameters handling in veriexec.
Feb 15 2022, 6:39 PM
sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..
In D33926#775631, @sjg wrote:

Also I'm curious; if you are ok embedding trust anchors in the loader, what is the problem with embedding them in veriexec?

Legacy build system basically :s

It's much more convenient for us to separate the program compilation from its cryptographic configuration. This way the program can be compiled once and be used with various (trusted) CA stores.

Feb 15 2022, 6:28 PM
sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..
In D33926#775630, @sjg wrote:

Thanks for clarifying. The problem is; how does the kernel know/trust that the loader really verified anything, rather than simply a loader.conf putting a hash into kenv?
It is one thing for the loader to verify the kernel before loading it (we also verify the kernel's rootfs), but the kernel cannot really verify the loader - or trust anything in kenv.

SecureBoot verifies the loader so we know it has not been tampered with. I wouldn't know how one could guarantee veriexec to work if the loader is not protected by SecureBoot, as you are right, the kernel cannot verify the loader.
Our loader is further patched so as to authorize only a whitelist of kenv in loader.conf and the likes, so the manifest hash cannot be passed this way.

Feb 15 2022, 6:16 PM
sjg added inline comments to D34281: Don't delete hack.c - causes perpetual 'out of date' kernel.
Feb 15 2022, 1:29 AM

Feb 14 2022

sjg committed R10:a8189e9bd4dd: veriexec(8): explain that only a unique prefix is required (authored by sjg).
veriexec(8): explain that only a unique prefix is required
Feb 14 2022, 9:55 PM
sjg added inline comments to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..
Feb 14 2022, 7:21 PM
sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..

Also I'm curious; if you are ok embedding trust anchors in the loader, what is the problem with embedding them in veriexec?

Feb 14 2022, 7:14 PM
sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..
In D33926#773586, @sjg wrote:

The basic premise here is incorrect. There is a circular dependency.
veriexec cannot rely on O_VERIFY since veriexec is responsible for seeding mac_veriexec to enable O_VERIFY.
You would need to verify a detached signature of the archive - but then where do you get the trust anchors for that...

Thank you for your feedback. In our code base, we circumvent the circular dependency you mentioned:

  • The bootloader embeds its own CA store in its source code and verifies a first manifest file.
  • The hash of this manifest is passed to the kernel via kenv.
  • When the kernel mounts root, it verifies the hash of the manifest, and if correct, feeds the contents of the manifest to mac_veriexec.

Hence, once the system is started, mac_veriexec is initialized with a small set of files that are verified. Of course, in our case, the CA tarball ("/etc/veriexec/anchors.txz") is protected by the manifest that is verified by the loader, so it is known by mac_veriexec. Hence the O_VERIFY call will succeed.

Feb 14 2022, 7:13 PM
sjg added inline comments to D33246: Improve parameters handling in veriexec.
Feb 14 2022, 7:01 PM
sjg committed R10:01b0c35984c6: module_verbose should also affect non-ELF modules. (authored by sjg).
module_verbose should also affect non-ELF modules.
Feb 14 2022, 6:46 PM

Feb 13 2022

sjg committed R10:ec042f46e9bb: Add support for module_verbose (authored by sjg).
Add support for module_verbose
Feb 13 2022, 8:47 PM
sjg closed D34245: Add support for module_verbose.
Feb 13 2022, 8:46 PM
sjg updated the diff for D34245: Add support for module_verbose.

Pass correct initial value to env_setenv

Feb 13 2022, 2:36 AM
sjg updated the diff for D34245: Add support for module_verbose.

Avoid != and ==

Feb 13 2022, 2:12 AM

Feb 11 2022

sjg added inline comments to D34245: Add support for module_verbose.
Feb 11 2022, 3:55 PM
sjg updated the diff for D34245: Add support for module_verbose.

Use MODULE_VERBOSE_TWIDDLE as default

Feb 11 2022, 4:59 AM
sjg updated the diff for D34245: Add support for module_verbose.

Use enum for values

Feb 11 2022, 4:56 AM
sjg added a comment to D34245: Add support for module_verbose.

Might I suggest something like this next to the definition of module_verbose:

enum {
        MODULE_VERBOSE_SILENT,  /* 0 */
        MODULE_VERBOSE_QUIET,   /* 1 */
        MODULE_VERBOSE_DEFAULT, /* 2 */
        MODULE_VERBOSE_FULL,    /* 3 */
};

Or something along those lines. Then, rather than comparing against bare 0 or 2 (or potentially 3, as you mentioned here in Phabricator), you'd compare against the symbol. And of course get rid of MODULE_VERBOSE in favor of MODULE_VERBOSE_DEFAULT.

Feb 11 2022, 4:31 AM

Feb 10 2022

sjg requested review of D34245: Add support for module_verbose.
Feb 10 2022, 10:32 PM

Feb 9 2022

sjg committed R10:a6f0e10b24b6: Merge bmake-20220208 (authored by sjg).
Merge bmake-20220208
Feb 9 2022, 5:32 PM
sjg committed R10:535c59a6a921: Import bmake-20220208 (authored by sjg).
Import bmake-20220208
Feb 9 2022, 5:24 PM
sjg accepted D34219: bmake: make opt-debug-x-trace broken on Linux.

will cleanup at next import

Feb 9 2022, 3:16 AM
sjg added a comment to D34219: bmake: make opt-debug-x-trace broken on Linux.

Correction: not NetBSD, most BROKEN_TEST stuff goes in bmake. fwiw the next version will have:

--- a/bmake/unit-tests/Makefile Tue Feb 08 14:45:13 2022 -0800
+++ b/bmake/unit-tests/Makefile Tue Feb 08 18:45:22 2022 -0800
@@ -446,6 +446,17 @@
 .if ${.MAKE.OS:NDarwin} == ""
 BROKEN_TESTS+= shell-ksh
 .endif
+.if ${.MAKE.OS} == "Linux" && ${.SHELL:tA:T} != "bash"
+.if exists(/etc/os-release)
+distro!= . /etc/os-release && echo $$NAME
+.endif
+# dash fails -x output
+# .SHELL is not bash so may be dash
+# if distro is Ubuntu or we cannot tell, assume the worst
+.if ${distro:U:NUbuntu} == ""
+BROKEN_TESTS+= opt-debug-x-trace
+.endif
+.endif
 .if ${.MAKE.OS} == "SCO_SV"
 BROKEN_TESTS+= \
        opt-debug-graph[23] \
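Review bot: the guard `.if ${distro:U:NUbuntu} == ""` decides by distribution name rather than by the shell that actually runs the test, so a non-Ubuntu distribution whose /bin/sh is dash still runs opt-debug-x-trace and, per the comment "dash fails -x output", fails it. Since `${.SHELL:tA:T}` is already resolved in the outer condition, comparing it against "dash" directly (in addition to, or instead of, the distro lookup) would cover that case and drop the dependency on /etc/os-release being present. Separately, `distro!= . /etc/os-release && echo $$NAME` sources the file into a shell, executing whatever it contains; extracting the NAME= line with a pattern match would read the value without executing the file.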
Feb 9 2022, 2:51 AM
sjg added inline comments to D34219: bmake: make opt-debug-x-trace broken on Linux.
Feb 9 2022, 2:31 AM

Feb 7 2022

sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..

If the point here is to be able to *add* trust anchors or revoke them from an archive that was verified via the built in trust anchors, then that could work.
But the log message implies that is not your goal.
As stated I don't think it can be secure.

Feb 7 2022, 6:10 PM
sjg added a comment to D33926: This change allows the veriexec binary to (optionally) load its CA store from a verified tarball..

The basic premise here is incorrect. There is a circular dependency.
veriexec cannot rely on O_VERIFY since veriexec is responsible for seeding mac_veriexec to enable O_VERIFY.
You would need to verify a detached signature of the archive - but then where do you get the trust anchors for that...

Feb 7 2022, 6:06 PM
sjg added inline comments to D33246: Improve parameters handling in veriexec.
Feb 7 2022, 4:09 PM

Feb 5 2022

sjg committed R10:6598559fdf0c: Update to bmake-20220204 (authored by sjg).
Update to bmake-20220204
Feb 5 2022, 8:30 PM
sjg committed R10:9f45a3c8c82f: Merge bmake-20220204 (authored by sjg).
Merge bmake-20220204
Feb 5 2022, 8:29 PM
sjg committed R10:cdde9e894dee: Import bmake-20220204 (authored by sjg).
Import bmake-20220204
Feb 5 2022, 8:06 PM

Jan 15 2022

sjg accepted D33904: Remove quotes around Makefile .error/.warn/.info strings.
Jan 15 2022, 11:07 PM
sjg committed R10:bacb140f31aa: Ignore calcru: runtime went backwards for vm_guest (authored by sjg).
Ignore calcru: runtime went backwards for vm_guest
Jan 15 2022, 12:08 AM
sjg closed D33902: Ignore calcru: runtime went backwards for vm_guest.
Jan 15 2022, 12:08 AM

Jan 14 2022

sjg added a reviewer for D33902: Ignore calcru: runtime went backwards for vm_guest: jhb.
Jan 14 2022, 8:33 PM
sjg requested review of D33902: Ignore calcru: runtime went backwards for vm_guest.
Jan 14 2022, 8:30 PM

Dec 19 2021

sjg committed R10:623ecf233256: Move ve_check_hash prototype to libsecureboot-priv.h (authored by sjg).
Move ve_check_hash prototype to libsecureboot-priv.h
Dec 19 2021, 12:35 AM

Dec 18 2021

sjg committed R10:3b26e5a453df: Update dirdeps.mk et al to 20211212 versions (authored by sjg).
Update dirdeps.mk et al to 20211212 versions
Dec 18 2021, 9:38 PM
sjg committed R10:1c04cf7d5415: After-import bmake-20211212 (authored by sjg).
After-import bmake-20211212
Dec 18 2021, 6:15 PM
sjg committed R10:129043849f62: Merge bmake-20211212 (authored by sjg).
Merge bmake-20211212
Dec 18 2021, 6:15 PM
sjg committed R10:2935fe8237c8: Import bmake-20211212 (authored by sjg).
Import bmake-20211212
Dec 18 2021, 7:29 AM

Sep 10 2021

sjg committed R10:3b96abbab033: make: fix MAKE_JOB_ERROR_TOKEN (authored by sjg).
make: fix MAKE_JOB_ERROR_TOKEN
Sep 10 2021, 8:13 PM

Jul 23 2021

sjg accepted D31268: Fix mac_veriexec version mismatch.

FWIW we don't build this as a loadable module - it is baked into our kernel

Jul 23 2021, 12:14 AM

Jul 18 2021

sjg added a comment to D31154: make buildworld with time logging for each stage.

Sounds like something that should be put in a variable, TIME_ENV ?= time env; that way anyone who doesn't want it, or suspects it is causing trouble, can TIME_ENV= to disable it.

Jul 18 2021, 11:13 PM

Jul 6 2021

sjg accepted D31015: Makefile: Fix MAKEOBJDIRPREFIX command-line variable check for bmake.
Jul 6 2021, 3:33 AM
sjg added inline comments to D30990: src.sys.obj.mk: Export OBJTOP like OBJROOT.
Jul 6 2021, 3:21 AM
sjg added a comment to D30962: veriexec: fix two compat issues in kernel manifest parser.

Sorry this does not look like a good idea.
1/ why would you want no_hash for a kernel module?
2/ why would you have a manifest with .ko.gz entries that cannot be loaded?

Jul 6 2021, 3:14 AM
sjg added a comment to D30960: veriexec: handle VE_FINGERPRINT_IGNORE from vectx_open.

There should be no need for anything outside libsecureboot to grok VE_FINGERPRINT_IGNORE, vectx should not return an error status in such a case.
But we (I) do not expect vectx to be used for anything which does not require a valid fingerprint.

Jul 6 2021, 3:09 AM
sjg accepted D30952: veriexec: Fix veriexec -i's confusion between loaded and locked states.

Oops - thanks

Jul 6 2021, 3:00 AM

Jun 25 2021

sjg committed R10:68c4481aac28: Update to bmake-20210621 (authored by sjg).
Update to bmake-20210621
Jun 25 2021, 11:03 PM
sjg committed R10:b0c40a00a67f: Merge commit 'ee914ef902ae018bd4f67192832120f9bf05651f' into new_merge (authored by sjg).
Merge commit 'ee914ef902ae018bd4f67192832120f9bf05651f' into new_merge
Jun 25 2021, 11:02 PM
sjg committed R10:ee914ef902ae: Import bmake-20210621 (authored by sjg).
Import bmake-20210621
Jun 25 2021, 6:18 PM

Jun 3 2021

sjg added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.

BTW wrt creating test cases, assuming you have a system which is capable of enforcing veriexec and still operating, a package which contains a manifest with various failures is handy.
I have something like that for testing the verifying loader - it cannot be installed using my package system, since it would fail all the pre-install checks, so a manual install.sh script is provided.

Jun 3 2021, 5:51 PM
sjg added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.
In D30464#686471, @imp wrote:
In D30464#686275, @sjg wrote:
vdot()
{
        if test -s $1 && _rc_verify $1 > /dev/null 2>&1; then
                . $1
        fi
}

Besides, I believe there is a race condition here. The file $1 can be tampered with after the call to _rc_verify and before the source call.

$1 is a local variable to vdot. Who could possibly change it?

Jun 3 2021, 5:46 PM
sjg added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.

AFAIK mac_veriexec does not block the opening of files with O_VERIFY if inactive. (i.e. the new sh verify option blocks nothing if mac_veriexec is inactive / not loaded).

Jun 3 2021, 5:44 PM

May 30 2021

sjg added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.

Looks reasonable, assuming veriexec itself is reasonable (in many cases, it seems to me that verifying the root filesystem would be a simpler and more reliable approach).

May 30 2021, 11:26 PM
sjg accepted D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.

But fwiw

May 30 2021, 11:19 PM
sjg added a comment to D30464: sh: Add -o verify to use O_VERIFY when sourcing scripts.

And in run_rc_script we have

May 30 2021, 11:18 PM