
Device for user space to interface with MAC/veriexec.

Description

The veriexec device features the following ioctl commands:

VERIEXEC_ACTIVE

Activate veriexec functionality

VERIEXEC_DEBUG_ON

Enable debugging mode and increment or set the debug level

VERIEXEC_DEBUG_OFF

Disable debugging mode

VERIEXEC_ENFORCE

Enforce veriexec fingerprinting (and activate if not already)

VERIEXEC_GETSTATE

Get current veriexec state

VERIEXEC_LOCK

Lock changes to veriexec meta-data store

VERIEXEC_LOAD

Load veriexec fingerprint if secure level is not raised (and passes the
checks for VERIEXEC_SIGNED_LOAD)

VERIEXEC_SIGNED_LOAD

Load veriexec fingerprints from loader that supports signed manifest
(and thus we can be more lenient about secure level being raised.)
Fingerprints can be loaded if the meta-data store is not locked. Also
securelevel must not have been raised or some fingerprints must have
already been loaded, otherwise it would be dangerous to allow loading.
(Note: this assumes that the fingerprints in the meta-data store at least
cover the fingerprint loader.)

Reviewed by: jtl
Obtained from: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D8561
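As an added example that is not part of this commit or of the FreeBSD veriexec code, the program below shows how a user-space status tool would query the device with VERIEXEC_GETSTATE and how the admission rule the commit message gives for VERIEXEC_LOAD and VERIEXEC_SIGNED_LOAD can be checked before a fingerprint load is attempted. The device path /dev/veriexec, the header <security/mac_veriexec/mac_veriexec.h>, the VERIEXEC_STATE_* bit names and their fallback values are assumptions; the ioctl is only issued when built on FreeBSD, and the policy helpers run anywhere.

```c
/* Added example (not the project's own code). Assumptions are marked below. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <sys/ioctl.h>
#include <security/mac_veriexec/mac_veriexec.h> /* assumed header location */
#endif

/* Fallback state bits (assumed names and values) so the policy helpers
 * compile and run on platforms without the veriexec header. */
#ifndef VERIEXEC_STATE_INACTIVE
#define VERIEXEC_STATE_INACTIVE 0
#define VERIEXEC_STATE_ACTIVE   1
#define VERIEXEC_STATE_ENFORCE  2
#define VERIEXEC_STATE_LOADED   4
#define VERIEXEC_STATE_LOCKED   8
#endif

#define VERIEXEC_DEVICE "/dev/veriexec" /* assumed device node */

/* Rule for VERIEXEC_SIGNED_LOAD as the commit message states it: the
 * meta-data store must not be locked, and either securelevel has not been
 * raised or some fingerprints are already loaded. Returns 1 if allowed. */
int signed_load_allowed(int state, int securelevel)
{
    if (state & VERIEXEC_STATE_LOCKED)
        return 0;
    if (securelevel > 0 && !(state & VERIEXEC_STATE_LOADED))
        return 0;
    return 1;
}

/* VERIEXEC_LOAD is stricter: securelevel must not have been raised at all,
 * and the VERIEXEC_SIGNED_LOAD checks must also pass. */
int load_allowed(int state, int securelevel)
{
    if (securelevel > 0)
        return 0;
    return signed_load_allowed(state, securelevel);
}

/* Render the state bits as a short string for an audit log line.
 * buf must hold at least 32 bytes. Returns buf. */
char *describe_state(int state, char *buf, size_t buflen)
{
    buf[0] = '\0';
    if (state == VERIEXEC_STATE_INACTIVE) {
        snprintf(buf, buflen, "inactive");
        return buf;
    }
    if (state & VERIEXEC_STATE_ACTIVE)
        strncat(buf, "active ", buflen - strlen(buf) - 1);
    if (state & VERIEXEC_STATE_ENFORCE)
        strncat(buf, "enforce ", buflen - strlen(buf) - 1);
    if (state & VERIEXEC_STATE_LOADED)
        strncat(buf, "loaded ", buflen - strlen(buf) - 1);
    if (state & VERIEXEC_STATE_LOCKED)
        strncat(buf, "locked ", buflen - strlen(buf) - 1);
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == ' ')
        buf[n - 1] = '\0'; /* drop trailing separator */
    return buf;
}

/* Query the live state with VERIEXEC_GETSTATE. Returns 0 and stores the
 * state on success, -1 with errno set otherwise (always off FreeBSD). */
int query_state(int *state)
{
#ifdef __FreeBSD__
    int fd = open(VERIEXEC_DEVICE, O_RDONLY);
    if (fd < 0)
        return -1;
    int rc = ioctl(fd, VERIEXEC_GETSTATE, state);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc < 0 ? -1 : 0;
#else
    (void)state;
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    int state;
    char buf[32];
    if (query_state(&state) != 0) {
        fprintf(stderr, "veriexec state unavailable: %s\n", strerror(errno));
        return 1;
    }
    printf("veriexec: %s\n", describe_state(state, buf, sizeof buf));
    printf("unsigned load permitted at securelevel 0: %s\n",
           load_allowed(state, 0) ? "yes" : "no");
    return 0;
}
```

The two policy helpers mirror the asymmetry in the commit message: a signed manifest earns leniency once fingerprints already cover the loader, while an unsigned load is refused as soon as securelevel has been raised. Checking state before issuing a load ioctl lets an operator log why a load was refused instead of inferring it from EPERM alone.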