svn commit: r346145 - in stable/12: contrib/bearssl etc/mtree include lib lib/libbearssl lib/libsecureboot lib/libsecureboot/tests sbin sbin/veriexec share/mk stand stand/common stand/ficl stand/fi...
Simon J. Gerraty
sjg at FreeBSD.org
Fri Apr 12 01:03:07 UTC 2019
Author: sjg
Date: Fri Apr 12 01:03:00 2019
New Revision: 346145
URL: https://svnweb.freebsd.org/changeset/base/346145
Log:
Add support for loader veriexec
Also sbin/veriexec for mac_veriexec
MFC r343281,344564-344568,344780,344784,345289,346070
Added:
stable/12/contrib/bearssl/
- copied from r344564, head/contrib/bearssl/
stable/12/lib/libbearssl/
- copied from r344564, head/lib/libbearssl/
stable/12/lib/libsecureboot/
- copied from r344565, head/lib/libsecureboot/
stable/12/sbin/veriexec/
- copied from r344567, head/sbin/veriexec/
stable/12/tools/build/options/WITH_BEARSSL
- copied unchanged from r344566, head/tools/build/options/WITH_BEARSSL
stable/12/tools/build/options/WITH_LOADER_VERIEXEC
- copied unchanged from r344566, head/tools/build/options/WITH_LOADER_VERIEXEC
stable/12/tools/build/options/WITH_VERIEXEC
- copied unchanged from r344566, head/tools/build/options/WITH_VERIEXEC
Modified:
stable/12/etc/mtree/BSD.include.dist
stable/12/include/Makefile
stable/12/lib/Makefile
stable/12/lib/libsecureboot/Makefile.inc
stable/12/lib/libsecureboot/tests/Makefile
stable/12/lib/libsecureboot/verify_file.c
stable/12/sbin/Makefile
stable/12/share/mk/src.libnames.mk
stable/12/share/mk/src.opts.mk
stable/12/stand/common/boot.c
stable/12/stand/common/bootstrap.h
stable/12/stand/common/interp_forth.c
stable/12/stand/common/interp_simple.c
stable/12/stand/common/load_elf.c
stable/12/stand/common/load_elf_obj.c
stable/12/stand/common/module.c
stable/12/stand/ficl/Makefile.depend
stable/12/stand/ficl/ficl.h
stable/12/stand/ficl/fileaccess.c
stable/12/stand/ficl32/Makefile.depend
stable/12/stand/i386/loader/Makefile.depend
stable/12/stand/liblua/Makefile
stable/12/stand/liblua/lstd.c
stable/12/stand/libsa/Makefile
stable/12/stand/libsa/Makefile.depend
stable/12/stand/libsa32/Makefile.depend
stable/12/stand/loader.mk
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/etc/mtree/BSD.include.dist
==============================================================================
--- stable/12/etc/mtree/BSD.include.dist Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/etc/mtree/BSD.include.dist Fri Apr 12 01:03:00 2019 (r346145)
@@ -160,6 +160,8 @@
..
usb
..
+ veriexec
+ ..
vkbd
..
wi
@@ -353,6 +355,8 @@
mac_mls
..
mac_partition
+ ..
+ mac_veriexec
..
..
ssp
Modified: stable/12/include/Makefile
==============================================================================
--- stable/12/include/Makefile Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/include/Makefile Fri Apr 12 01:03:00 2019 (r346145)
@@ -47,7 +47,7 @@ LSUBDIRS= cam/ata cam/mmc cam/nvme cam/scsi \
dev/hwpmc dev/hyperv \
dev/ic dev/iicbus dev/io dev/mfi dev/mmc dev/nvme \
dev/ofw dev/pbio dev/pci ${_dev_powermac_nvram} dev/ppbus dev/smbus \
- dev/speaker dev/tcp_log dev/vkbd dev/wi \
+ dev/speaker dev/tcp_log dev/veriexec dev/vkbd dev/wi \
fs/devfs fs/fdescfs fs/msdosfs fs/nandfs fs/nfs fs/nullfs \
fs/procfs fs/smbfs fs/udf fs/unionfs \
geom/cache geom/concat geom/eli geom/gate geom/journal geom/label \
@@ -60,6 +60,7 @@ LSUBDIRS= cam/ata cam/mmc cam/nvme cam/scsi \
security/audit \
security/mac_biba security/mac_bsdextended security/mac_lomac \
security/mac_mls security/mac_partition \
+ security/mac_veriexec \
sys/disk \
ufs/ffs ufs/ufs
@@ -157,7 +158,7 @@ copies: .PHONY .META
done; \
fi
.endfor
-.for i in ${LDIRS} ${LSUBDIRS:Ndev/agp:Ndev/acpica:Ndev/bktr:Ndev/evdev:Ndev/hyperv:Ndev/nand:Ndev/pci} ${LSUBSUBDIRS}
+.for i in ${LDIRS} ${LSUBDIRS:Ndev/agp:Ndev/acpica:Ndev/bktr:Ndev/evdev:Ndev/hyperv:Ndev/nand:Ndev/pci:Ndev/veriexec} ${LSUBSUBDIRS}
cd ${SRCTOP}/sys; \
${INSTALL} -C ${TAG_ARGS} -o ${BINOWN} -g ${BINGRP} -m 444 $i/*.h \
${SDESTDIR}${INCLUDEDIR}/$i
@@ -196,6 +197,9 @@ copies: .PHONY .META
cd ${SRCTOP}/sys/dev/pci; \
${INSTALL} -C ${TAG_ARGS} -o ${BINOWN} -g ${BINGRP} -m 444 pcireg.h \
${SDESTDIR}${INCLUDEDIR}/dev/pci
+ cd ${SRCTOP}/sys/dev/veriexec; \
+ ${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 veriexec_ioctl.h \
+ ${SDESTDIR}${INCLUDEDIR}/dev/veriexec
cd ${SRCTOP}/sys/fs/cd9660/; \
${INSTALL} -C ${TAG_ARGS} -o ${BINOWN} -g ${BINGRP} -m 444 *.h \
${SDESTDIR}${INCLUDEDIR}/isofs/cd9660
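Review bot: The added `${INSTALL}` of veriexec_ioctl.h in the copies target drops the `${TAG_ARGS}` that the pcireg.h and cd9660 installs around it pass, and the matching symlinks hunk further down uses a bare `ln -fs` where its neighbours use `${INSTALL_SYMLINK} ${TAG_ARGS}`. If TAG_ARGS carries the packaging tags, as it appears to, this header would be installed untagged. Suggest `${INSTALL} -C ${TAG_ARGS} -o ${BINOWN} -g ${BINGRP} -m 444 veriexec_ioctl.h \` here and `${INSTALL_SYMLINK} ${TAG_ARGS} ../../../../sys/dev/veriexec/$$h \` in the symlinks loop. Both targets start and end outside these hunks.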
@@ -264,7 +268,7 @@ symlinks: .PHONY .META
${INSTALL_SYMLINK} ${TAG_ARGS} ../../../sys/$i/$$h ${SDESTDIR}${INCLUDEDIR}/$i; \
done
.endfor
-.for i in ${LSUBDIRS:Ndev/agp:Ndev/acpica:Ndev/bktr:Ndev/evdev:Ndev/hyperv:Ndev/nand:Ndev/pci}
+.for i in ${LSUBDIRS:Ndev/agp:Ndev/acpica:Ndev/bktr:Ndev/evdev:Ndev/hyperv:Ndev/nand:Ndev/pci:Ndev/veriexec}
cd ${SRCTOP}/sys/$i; \
for h in *.h; do \
${INSTALL_SYMLINK} ${TAG_ARGS} ../../../../sys/$i/$$h ${SDESTDIR}${INCLUDEDIR}/$i; \
@@ -311,6 +315,11 @@ symlinks: .PHONY .META
for h in pcireg.h; do \
${INSTALL_SYMLINK} ${TAG_ARGS} ../../../../sys/dev/pci/$$h \
${SDESTDIR}${INCLUDEDIR}/dev/pci; \
+ done
+ cd ${SRCTOP}/sys/dev/veriexec; \
+ for h in veriexec_ioctl.h; do \
+ ln -fs ../../../../sys/dev/veriexec/$$h \
+ ${SDESTDIR}${INCLUDEDIR}/dev/veriexec; \
done
.for i in ${LSUBSUBDIRS}
cd ${SRCTOP}/sys/$i; \
Modified: stable/12/lib/Makefile
==============================================================================
--- stable/12/lib/Makefile Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/lib/Makefile Fri Apr 12 01:03:00 2019 (r346145)
@@ -133,6 +133,7 @@ SUBDIR_DEPEND_libpcap= ofed
# NB: keep these sorted by MK_* knobs
SUBDIR.${MK_ATM}+= libngatm
+SUBDIR.${MK_BEARSSL}+= libbearssl libsecureboot
SUBDIR.${MK_BLACKLIST}+=libblacklist
SUBDIR.${MK_BLUETOOTH}+=libbluetooth libsdp
SUBDIR.${MK_BSNMP}+= libbsnmp
@@ -208,6 +209,7 @@ SUBDIR.${MK_TESTS}+= tests
SUBDIR.${MK_UNBOUND}+= libunbound
SUBDIR.${MK_USB}+= libusbhid libusb
SUBDIR.${MK_OFED}+= ofed
+SUBDIR.${MK_VERIEXEC}+= libveriexec
SUBDIR.${MK_ZFS}+= libbe
.if !make(install)
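Review bot: `SUBDIR.${MK_VERIEXEC}+= libveriexec` makes the build descend into lib/libveriexec, but that directory is not in this commit's Added list, which copies only contrib/bearssl, lib/libbearssl, lib/libsecureboot and sbin/veriexec. Unless it already exists on stable/12, a WITH_VERIEXEC build would fail at this SUBDIR entry. The `LIBVERIEXEC` definition added to share/mk/src.libnames.mk would then name a library that is never built. Worth confirming the directory is present, or including it in the merge.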
Modified: stable/12/lib/libsecureboot/Makefile.inc
==============================================================================
--- head/lib/libsecureboot/Makefile.inc Tue Feb 26 06:09:10 2019 (r344565)
+++ stable/12/lib/libsecureboot/Makefile.inc Fri Apr 12 01:03:00 2019 (r346145)
@@ -92,6 +92,19 @@ VE_HASH_KAT_STR?= vc_PEM
XCFLAGS.vets+= -DVE_HASH_KAT_STR=${VE_HASH_KAT_STR}
.endif
+# this should be updated occassionally this is 2019-01-01Z
+SOURCE_DATE_EPOCH?= 1546329600
+.if ${MK_REPRODUCIBLE_BUILD} == "yes"
+BUILD_UTC?= ${SOURCE_DATE_EPOCH}
+.endif
+# BUILD_UTC provides a basis for the loader's notion of time
+# By default we use the mtime of BUILD_UTC_FILE
+.if empty(BUILD_UTC_FILE)
+BUILD_UTC_FILE:= ${.PARSEDIR:tA}/${.PARSEFILE}
+.endif
+# you can of course set BUILD_UTC to any value you like
+BUILD_UTC?= ${${STAT:Ustat} -f %m ${BUILD_UTC_FILE}:L:sh}
+
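Review bot: With MK_REPRODUCIBLE_BUILD set, BUILD_UTC falls back to the hard-coded `SOURCE_DATE_EPOCH?= 1546329600`, and the only guidance is the comment that it "should be updated" now and then. Since BUILD_UTC is described as the basis for the loader's notion of time, a stale value presumably widens the window in which an expired signing certificate is still treated as valid; the consumer is not visible in this hunk. The comment should state that consequence, for example `# BUILD_UTC is the loader's time floor for certificate validity; bump SOURCE_DATE_EPOCH each release so expired certs are not accepted`, once the use in libsecureboot is confirmed.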
# Generate ta.h containing one or more PEM encoded trust anchors in ta_PEM.
#
# If we are doing self-tests, we define another arrary vc_PEM
@@ -110,9 +123,7 @@ ta.h: ${.ALLTARGETS:M[tv]*pem:O:u}
( cat ${.ALLSRC:N*crl*:Mv*.pem} /dev/null | \
file2c -sx 'static const char vc_PEM[] = {' '};'; echo ) >> ${.TARGET}
.endif
-.if !empty(BUILD_UTC_FILE)
- echo '#define BUILD_UTC ${${STAT:Ustat} -f %m ${BUILD_UTC_FILE}:L:sh}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP}
-.endif
+ echo '#define BUILD_UTC ${BUILD_UTC}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP}
# This header records our preference for signature extensions.
vesigned.o vesigned.po vesigned.pico: vse.h
Modified: stable/12/lib/libsecureboot/tests/Makefile
==============================================================================
--- head/lib/libsecureboot/tests/Makefile Tue Feb 26 06:09:10 2019 (r344565)
+++ stable/12/lib/libsecureboot/tests/Makefile Fri Apr 12 01:03:00 2019 (r346145)
@@ -1,5 +1,7 @@
# $FreeBSD$
+.include <src.opts.mk>
+
PROG= tvo
SRCS+= tvo.c
Modified: stable/12/lib/libsecureboot/verify_file.c
==============================================================================
--- head/lib/libsecureboot/verify_file.c Tue Feb 26 06:09:10 2019 (r344565)
+++ stable/12/lib/libsecureboot/verify_file.c Fri Apr 12 01:03:00 2019 (r346145)
@@ -368,7 +368,7 @@ verify_file(int fd, const char *filename, off_t off, i
return (rc);
}
- if (severity || verbose)
+ if (severity || verbose || rc == VE_FINGERPRINT_WRONG)
printf("Unverified: %s\n", ve_error_get());
if (rc == VE_FINGERPRINT_UNKNOWN && severity < VE_MUST)
rc = VE_UNVERIFIED_OK;
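Review bot: The new `rc == VE_FINGERPRINT_WRONG` term has no comment explaining why it bypasses the `severity || verbose` gating, and the message it prints is still the generic `Unverified:` prefix used for the other failure codes. A one-line comment above the `if`, such as `/* a fingerprint mismatch is always reported, even when quiet */`, would record the intent for whoever next adjusts the verbosity logic. verify_file's body begins and ends outside this hunk.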
Modified: stable/12/sbin/Makefile
==============================================================================
--- stable/12/sbin/Makefile Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/sbin/Makefile Fri Apr 12 01:03:00 2019 (r346145)
@@ -86,6 +86,7 @@ SUBDIR.${MK_PF}+= pfctl
SUBDIR.${MK_PF}+= pflogd
SUBDIR.${MK_QUOTAS}+= quotacheck
SUBDIR.${MK_ROUTED}+= routed
+SUBDIR.${MK_VERIEXEC}+= veriexec
SUBDIR.${MK_ZFS}+= bectl
SUBDIR.${MK_ZFS}+= zfsbootcfg
Modified: stable/12/share/mk/src.libnames.mk
==============================================================================
--- stable/12/share/mk/src.libnames.mk Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/share/mk/src.libnames.mk Fri Apr 12 01:03:00 2019 (r346145)
@@ -209,6 +209,21 @@ _LIBRARIES+= \
osmvendor
.endif
+.if ${MK_BEARSSL} == "yes"
+_INTERNALLIBS+= \
+ bearssl \
+ secureboot \
+
+LIBBEARSSL?= ${LIBBEARSSLDIR}/libbearssl${PIE_SUFFIX}.a
+LIBSECUREBOOT?= ${LIBSECUREBOOTDIR}/libsecureboot${PIE_SUFFIX}.a
+.endif
+
+.if ${MK_VERIEXEC} == "yes"
+_INTERNALLIBS+= veriexec
+
+LIBVERIEXEC?= ${LIBVERIEXECDIR}/libveriexec${PIE_SUFFIX}.a
+.endif
+
# Each library's LIBADD needs to be duplicated here for static linkage of
# 2nd+ order consumers. Auto-generating this would be better.
_DP_80211= sbuf bsdxml
Modified: stable/12/share/mk/src.opts.mk
==============================================================================
--- stable/12/share/mk/src.opts.mk Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/share/mk/src.opts.mk Fri Apr 12 01:03:00 2019 (r346145)
@@ -191,6 +191,7 @@ __DEFAULT_YES_OPTIONS = \
ZONEINFO
__DEFAULT_NO_OPTIONS = \
+ BEARSSL \
BSD_GREP \
CLANG_EXTRAS \
DTRACE_TESTS \
@@ -214,6 +215,8 @@ __DEFAULT_NO_OPTIONS = \
__DEFAULT_DEPENDENT_OPTIONS= \
CLANG_FULL/CLANG \
LLVM_TARGET_ALL/CLANG \
+ LOADER_VERIEXEC/BEARSSL \
+ VERIEXEC/BEARSSL \
# MK_*_SUPPORT options which default to "yes" unless their corresponding
# MK_* variable is set to "no".
Modified: stable/12/stand/common/boot.c
==============================================================================
--- stable/12/stand/common/boot.c Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/common/boot.c Fri Apr 12 01:03:00 2019 (r346145)
@@ -106,6 +106,10 @@ command_boot(int argc, char *argv[])
if (archsw.arch_autoload() != 0)
return(CMD_ERROR);
+#ifdef LOADER_VERIEXEC
+ verify_pcr_export(); /* for measured boot */
+#endif
+
/* Call the exec handler from the loader matching the kernel */
file_formats[fp->f_loader]->l_exec(fp);
return(CMD_ERROR);
Modified: stable/12/stand/common/bootstrap.h
==============================================================================
--- stable/12/stand/common/bootstrap.h Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/common/bootstrap.h Fri Apr 12 01:03:00 2019 (r346145)
@@ -330,6 +330,9 @@ struct arch_switch
/* Probe ZFS pool(s), if needed. */
void (*arch_zfs_probe)(void);
+ /* Return the hypervisor name/type or NULL if not virtualized. */
+ const char *(*arch_hypervisor)(void);
+
/* For kexec-type loaders, get ksegment structure */
void (*arch_kexec_kseg_get)(int *nseg, void **kseg);
};
@@ -344,6 +347,10 @@ time_t time(time_t *tloc);
#ifndef CTASSERT
#define CTASSERT(x) _Static_assert(x, "compile-time assertion failed")
+#endif
+
+#ifdef LOADER_VERIEXEC
+#include <verify_file.h>
#endif
#endif /* !_BOOTSTRAP_H_ */
Modified: stable/12/stand/common/interp_forth.c
==============================================================================
--- stable/12/stand/common/interp_forth.c Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/common/interp_forth.c Fri Apr 12 01:03:00 2019 (r346145)
@@ -282,6 +282,12 @@ bf_init(void)
/* try to load and run init file if present */
if ((fd = open("/boot/boot.4th", O_RDONLY)) != -1) {
+#ifdef LOADER_VERIEXEC
+ if (verify_file(fd, "/boot/boot.4th", 0, VE_GUESS) < 0) {
+ close(fd);
+ return;
+ }
+#endif
(void)ficlExecFD(bf_vm, fd);
close(fd);
}
@@ -378,6 +384,13 @@ interp_include(const char *filename)
return(CMD_ERROR);
}
+#ifdef LOADER_VERIEXEC
+ if (verify_file(fd, filename, 0, VE_GUESS) < 0) {
+ close(fd);
+ sprintf(command_errbuf,"can't verify '%s'", filename);
+ return(CMD_ERROR);
+ }
+#endif
/*
* Read the script into memory.
*/
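Review bot: `sprintf(command_errbuf,"can't verify '%s'", filename)` writes a caller-supplied file name into command_errbuf with no length bound, so a long path can overrun the buffer. stand/common/module.c already treats this buffer as a fixed-size array and formats into it with `snprintf(command_errbuf, sizeof(command_errbuf), ...)`; the same form fits here: `snprintf(command_errbuf, sizeof(command_errbuf), "can't verify '%s'", filename);`. The same unbounded call is added in interp_include in stand/common/interp_simple.c and in file_loadraw in stand/common/module.c. interp_include's body continues outside this hunk.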
Modified: stable/12/stand/common/interp_simple.c
==============================================================================
--- stable/12/stand/common/interp_simple.c Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/common/interp_simple.c Fri Apr 12 01:03:00 2019 (r346145)
@@ -96,6 +96,14 @@ interp_include(const char *filename)
return(CMD_ERROR);
}
+#ifdef LOADER_VERIEXEC
+ if (verify_file(fd, filename, 0, VE_GUESS) < 0) {
+ close(fd);
+ sprintf(command_errbuf,"can't verify '%s'", filename);
+ return(CMD_ERROR);
+ }
+#endif
+
/*
* Read the script into memory.
*/
Modified: stable/12/stand/common/load_elf.c
==============================================================================
--- stable/12/stand/common/load_elf.c Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/common/load_elf.c Fri Apr 12 01:03:00 2019 (r346145)
@@ -245,6 +245,12 @@ __elfN(load_elf_header)(char *filename, elf_file_t ef)
goto error;
}
+#ifdef LOADER_VERIEXEC
+ if (verify_file(ef->fd, filename, bytes_read, VE_MUST) < 0) {
+ err = EAUTH;
+ goto error;
+ }
+#endif
return (0);
error:
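Review bot: The `verify_file(ef->fd, filename, bytes_read, VE_MUST)` call sits just before `return (0)`, so the header checks earlier in load_elf_header appear to run on bytes that have not been verified yet, and nothing explains why `bytes_read` is passed as the offset argument. A short comment would help, e.g. `/* header was parsed before verification; bytes_read = data already consumed from fd */`, with the wording confirmed against verify_file's `off` parameter. The same applies to the call added in __elfN(obj_loadfile) in load_elf_obj.c. The function starts outside this hunk.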
Modified: stable/12/stand/common/load_elf_obj.c
==============================================================================
--- stable/12/stand/common/load_elf_obj.c Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/common/load_elf_obj.c Fri Apr 12 01:03:00 2019 (r346145)
@@ -129,6 +129,13 @@ __elfN(obj_loadfile)(char *filename, uint64_t dest,
goto oerr;
}
+#ifdef LOADER_VERIEXEC
+ if (verify_file(ef.fd, filename, bytes_read, VE_MUST) < 0) {
+ err = EAUTH;
+ goto oerr;
+ }
+#endif
+
kfp = file_findfile(NULL, __elfN(obj_kerneltype));
if (kfp == NULL) {
printf("elf" __XSTRING(__ELF_WORD_SIZE)
Modified: stable/12/stand/common/module.c
==============================================================================
--- stable/12/stand/common/module.c Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/common/module.c Fri Apr 12 01:03:00 2019 (r346145)
@@ -104,9 +104,11 @@ command_load(int argc, char *argv[])
{
struct preloaded_file *fp;
char *typestr;
- int dofile, dokld, ch, error;
+ char *prefix;
+ char *skip;
+ int dflag, dofile, dokld, ch, error;
- dokld = dofile = 0;
+ dflag = dokld = dofile = 0;
optind = 1;
optreset = 1;
typestr = NULL;
@@ -114,11 +116,21 @@ command_load(int argc, char *argv[])
command_errmsg = "no filename specified";
return (CMD_CRIT);
}
- while ((ch = getopt(argc, argv, "kt:")) != -1) {
+ prefix = skip = NULL;
+ while ((ch = getopt(argc, argv, "dkp:s:t:")) != -1) {
switch(ch) {
+ case 'd':
+ dflag++;
+ break;
case 'k':
dokld = 1;
break;
+ case 'p':
+ prefix = optarg;
+ break;
+ case 's':
+ skip = optarg;
+ break;
case 't':
typestr = optarg;
dofile = 1;
@@ -141,6 +153,14 @@ command_load(int argc, char *argv[])
return (CMD_CRIT);
}
+#ifdef LOADER_VERIEXEC
+ if (strncmp(typestr, "manifest", 8) == 0) {
+ if (dflag > 0)
+ ve_debug_set(dflag);
+ return (load_manifest(argv[1], prefix, skip, NULL));
+ }
+#endif
+
fp = file_findfile(argv[1], typestr);
if (fp) {
snprintf(command_errbuf, sizeof(command_errbuf),
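Review bot: `strncmp(typestr, "manifest", 8) == 0` is a prefix match, so any `-t` value that merely begins with "manifest" is routed to load_manifest() instead of the normal file path; if only the exact type is intended, `strcmp(typestr, "manifest") == 0` says so. Separately, the `-d`, `-p` and `-s` options parsed in the previous hunk are only consumed inside this `#ifdef LOADER_VERIEXEC` block, so a loader built without it accepts and silently ignores them, and `dflag`, `prefix` and `skip` become set-but-unused. Wrapping the declarations and the three `case` labels in the same `#ifdef` would keep the two builds consistent. command_load's body extends outside this hunk, so whether `typestr` is always non-NULL at this point cannot be confirmed from here.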
@@ -434,6 +454,15 @@ file_loadraw(const char *fname, char *type, int insert
free(name);
return(NULL);
}
+
+#ifdef LOADER_VERIEXEC
+ if (verify_file(fd, name, 0, VE_MUST) < 0) {
+ sprintf(command_errbuf, "can't verify '%s'", name);
+ free(name);
+ close(fd);
+ return(NULL);
+ }
+#endif
if (archsw.arch_loadaddr != NULL)
loadaddr = archsw.arch_loadaddr(LOAD_RAW, name, loadaddr);
Modified: stable/12/stand/ficl/Makefile.depend
==============================================================================
--- stable/12/stand/ficl/Makefile.depend Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/ficl/Makefile.depend Fri Apr 12 01:03:00 2019 (r346145)
@@ -2,9 +2,7 @@
# Autogenerated - do NOT edit!
DIRDEPS = \
- include \
- include/xlocale \
- lib/msun \
+ stand/libsa \
.include <dirdeps.mk>
Modified: stable/12/stand/ficl/ficl.h
==============================================================================
--- stable/12/stand/ficl/ficl.h Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/ficl/ficl.h Fri Apr 12 01:03:00 2019 (r346145)
@@ -1157,6 +1157,10 @@ typedef void ficlCompileFcn(FICL_SYSTEM *);
DATA_SET(Xficl_compile_set, func)
SET_DECLARE(Xficl_compile_set, ficlCompileFcn);
+#ifdef LOADER_VERIEXEC
+#include <verify_file.h>
+#endif
+
#ifdef __cplusplus
}
#endif
Modified: stable/12/stand/ficl/fileaccess.c
==============================================================================
--- stable/12/stand/ficl/fileaccess.c Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/ficl/fileaccess.c Fri Apr 12 01:03:00 2019 (r346145)
@@ -67,14 +67,21 @@ static void ficlFopen(FICL_VM *pVM, char *writeMode) /
if (f == NULL)
stackPushPtr(pVM->pStack, NULL);
else
+#ifdef LOADER_VERIEXEC
+ if (*mode == 'r' &&
+ verify_file(fileno(f), filename, 0, VE_GUESS) < 0) {
+ fclose(f);
+ stackPushPtr(pVM->pStack, NULL);
+ } else
+#endif
{
- ficlFILE *ff = (ficlFILE *)malloc(sizeof(ficlFILE));
- strcpy(ff->filename, filename);
- ff->f = f;
- stackPushPtr(pVM->pStack, ff);
+ ficlFILE *ff = (ficlFILE *)malloc(sizeof(ficlFILE));
+ strcpy(ff->filename, filename);
+ ff->f = f;
+ stackPushPtr(pVM->pStack, ff);
- fseek(f, 0, SEEK_SET);
- }
+ fseek(f, 0, SEEK_SET);
+ }
pushIor(pVM, f != NULL);
}
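Review bot: On the verification-failure path `f` is closed but left non-NULL, so the trailing `pushIor(pVM, f != NULL)` still passes a true value and appears to report success while the file id pushed is NULL. A Forth caller that checks only the ior would then go on to use a NULL file handle for a file that was rejected. Clearing the pointer fixes it: `fclose(f); f = NULL;` before `stackPushPtr(pVM->pStack, NULL);`. ficlFopen starts outside this hunk.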
Modified: stable/12/stand/ficl32/Makefile.depend
==============================================================================
--- stable/12/stand/ficl32/Makefile.depend Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/ficl32/Makefile.depend Fri Apr 12 01:03:00 2019 (r346145)
@@ -2,9 +2,7 @@
# Autogenerated - do NOT edit!
DIRDEPS = \
- include \
- include/xlocale \
- lib/msun \
+ stand/libsa \
.include <dirdeps.mk>
Modified: stable/12/stand/i386/loader/Makefile.depend
==============================================================================
--- stable/12/stand/i386/loader/Makefile.depend Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/i386/loader/Makefile.depend Fri Apr 12 01:03:00 2019 (r346145)
@@ -2,15 +2,12 @@
# Autogenerated - do NOT edit!
DIRDEPS = \
- include \
- include/xlocale \
- stand/ficl32 \
- stand/geli \
- stand/i386/btx/btx \
- stand/i386/btx/btxldr \
- stand/i386/btx/lib \
- stand/i386/libi386 \
- stand/libsa32 \
+ stand/${MACHINE_CPUARCH}/btx/btx \
+ stand/${MACHINE_CPUARCH}/btx/btxldr \
+ stand/${MACHINE_CPUARCH}/btx/lib \
+ stand/${MACHINE_CPUARCH}/libi386 \
+ stand/ficl \
+ stand/libsa \
.include <dirdeps.mk>
Modified: stable/12/stand/liblua/Makefile
==============================================================================
--- stable/12/stand/liblua/Makefile Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/liblua/Makefile Fri Apr 12 01:03:00 2019 (r346145)
@@ -35,5 +35,8 @@ CFLAGS+= -I${BOOTSRC}/include -I${LIBLUASRC} -I${LUASR
.if ${MACHINE_CPUARCH} == "amd64" && ${DO32:U0} == 0
CFLAGS+= -fPIC
.endif
+.if ${MK_LOADER_VERIEXEC} == "yes"
+CFLAGS+= -I${SRCTOP}/lib/libsecureboot/h -DLOADER_VERIEXEC
+.endif
.include <bsd.lib.mk>
Modified: stable/12/stand/liblua/lstd.c
==============================================================================
--- stable/12/stand/liblua/lstd.c Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/liblua/lstd.c Fri Apr 12 01:03:00 2019 (r346145)
@@ -31,6 +31,10 @@ __FBSDID("$FreeBSD$");
#include "lstd.h"
#include "math.h"
+#ifdef LOADER_VERIEXEC
+#include <verify_file.h>
+#endif
+
FILE *
fopen(const char *filename, const char *mode)
{
@@ -75,6 +79,17 @@ fopen(const char *filename, const char *mode)
close(fd);
return (NULL);
}
+
+#ifdef LOADER_VERIEXEC
+ /* only regular files and only reading makes sense */
+ if (S_ISREG(st.st_mode) && !(m & O_WRONLY)) {
+ if (verify_file(fd, filename, 0, VE_GUESS) < 0) {
+ free(f);
+ close(fd);
+ return (NULL);
+ }
+ }
+#endif
f->fd = fd;
f->offset = 0;
Modified: stable/12/stand/libsa/Makefile
==============================================================================
--- stable/12/stand/libsa/Makefile Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/libsa/Makefile Fri Apr 12 01:03:00 2019 (r346145)
@@ -164,6 +164,11 @@ SRCS+= explicit_bzero.c
.include "${SASRC}/geli/Makefile.inc"
.endif
+.if ${MK_LOADER_VERIEXEC} == "yes" && ${MK_BEARSSL} == "yes"
+.include "${SRCTOP}/lib/libbearssl/Makefile.libsa.inc"
+.include "${SRCTOP}/lib/libsecureboot/Makefile.libsa.inc"
+.endif
+
# Maybe ZFS
.if ${MK_LOADER_ZFS} == "yes"
.include "${SASRC}/zfs/Makefile.inc"
Modified: stable/12/stand/libsa/Makefile.depend
==============================================================================
--- stable/12/stand/libsa/Makefile.depend Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/libsa/Makefile.depend Fri Apr 12 01:03:00 2019 (r346145)
@@ -2,10 +2,6 @@
# Autogenerated - do NOT edit!
DIRDEPS = \
- include \
- include/arpa \
- include/xlocale \
- lib/libbz2 \
.include <dirdeps.mk>
Modified: stable/12/stand/libsa32/Makefile.depend
==============================================================================
--- stable/12/stand/libsa32/Makefile.depend Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/libsa32/Makefile.depend Fri Apr 12 01:03:00 2019 (r346145)
@@ -2,10 +2,7 @@
# Autogenerated - do NOT edit!
DIRDEPS = \
- include \
- include/arpa \
- include/xlocale \
- lib/libbz2 \
+ stand/libsa \
.include <dirdeps.mk>
Modified: stable/12/stand/loader.mk
==============================================================================
--- stable/12/stand/loader.mk Fri Apr 12 00:53:30 2019 (r346144)
+++ stable/12/stand/loader.mk Fri Apr 12 01:03:00 2019 (r346145)
@@ -73,6 +73,10 @@ SRCS+= interp_simple.c
.error Unknown interpreter ${LOADER_INTERP}
.endif
+.if ${MK_LOADER_VERIEXEC} != "no"
+CFLAGS+= -DLOADER_VERIEXEC -I${SRCTOP}/lib/libsecureboot/h
+.endif
+
.if defined(BOOT_PROMPT_123)
CFLAGS+= -DBOOT_PROMPT_123
.endif
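Review bot: This block defines `-DLOADER_VERIEXEC` whenever `${MK_LOADER_VERIEXEC} != "no"`, while stand/libsa/Makefile only pulls in the libbearssl and libsecureboot sources when `${MK_LOADER_VERIEXEC} == "yes" && ${MK_BEARSSL} == "yes"`. If LOADER_VERIEXEC can be enabled with BEARSSL off (src.opts.mk lists it as a dependent option, so an explicit override looks possible), the loader would be compiled with verify_file() calls that libsa does not provide. Using the same condition in both places, `.if ${MK_LOADER_VERIEXEC} == "yes" && ${MK_BEARSSL} == "yes"`, or an explicit `.error` for the unsupported combination, would make the failure obvious.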
Copied: stable/12/tools/build/options/WITH_BEARSSL (from r344566, head/tools/build/options/WITH_BEARSSL)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ stable/12/tools/build/options/WITH_BEARSSL Fri Apr 12 01:03:00 2019 (r346145, copy of r344566, head/tools/build/options/WITH_BEARSSL)
@@ -0,0 +1,11 @@
+.\" $FreeBSD$
+Build the BearSSL library.
+.Pp
+BearSSL is a tiny SSL library suitable for embedded environments.
+For details see
+.Lk http://www.BearSSL.org/
+.Pp
+This library is currently only used to perform
+signature verification and related operations
+for Verified Exec and
+.Xr loader 8 .
Copied: stable/12/tools/build/options/WITH_LOADER_VERIEXEC (from r344566, head/tools/build/options/WITH_LOADER_VERIEXEC)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ stable/12/tools/build/options/WITH_LOADER_VERIEXEC Fri Apr 12 01:03:00 2019 (r346145, copy of r344566, head/tools/build/options/WITH_LOADER_VERIEXEC)
@@ -0,0 +1,7 @@
+.\" $FreeBSD$
+Enable building
+.Xr loader 8
+with support for verifcation similar to Verified Exec.
+.Pp
+It depends on
+.Va WITH_BEARSSL
Copied: stable/12/tools/build/options/WITH_VERIEXEC (from r344566, head/tools/build/options/WITH_VERIEXEC)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ stable/12/tools/build/options/WITH_VERIEXEC Fri Apr 12 01:03:00 2019 (r346145, copy of r344566, head/tools/build/options/WITH_VERIEXEC)
@@ -0,0 +1,9 @@
+.\" $FreeBSD$
+Enable building
+.Xr veriexec 8
+which loads the contents of verified manifests into the kernel
+for use by
+.Xr mac_veriexec 4
+.Pp
+It depends on
+.Va WITH_BEARSSL