FreeBSD source tree https://cgit-dev.freebsd.org/src-test/atom?h=main 2020-08-21T00:27:06Z 2020-08-21T00:27:06Z Simon J. Gerraty sjg@FreeBSD.org 2020-08-21T00:27:06Z urn:sha1:0929924b610c8365202e04e3482ecda88e895a1a When files are read from .rc or .4th, verify_file is asked to guess the severity (VE_TRY,VE_WANT,VE_MUST) Reviewed by: stevek MFC after: 1 week Sponsored by: Juniper Networks 2020-06-12T21:55:30Z Simon J. Gerraty sjg@FreeBSD.org 2020-06-12T21:55:30Z urn:sha1:3e6e3de0aa0a25d4e2ddc43e19ed4686353ceb44 The loader.ve.hashed list can easily exceed KENV_MVALLEN. If so, bump kenv_mvallen to a multiple of KENV_MVALLEN to accommodate the value. Reviewed by: stevek MFC after: 1 week 2020-03-25T19:12:19Z Simon J. Gerraty sjg@FreeBSD.org 2020-03-25T19:12:19Z urn:sha1:53f151f90603580d0c0a8fa1840ba1262958a7c1 We need a valid st_dev, st_ino and st_mtime to correctly track which files have been verified and to update our notion of time. ve_utc_set(): ignore utc if it would jump our current time by more than VE_UTC_MAX_JUMP (20 years). Allow testing of install command via userboot. Need to fix its stat implementation too. bhyveload also needs stat fixed - due to change to userboot.h Call ve_error_get() from vectx_close() when hash is wrong. Track the names of files we have hashed into pcr For the purposes of measured boot, it is important to be able to reproduce the hash reflected in loader.ve.pcr so loader.ve.hashed provides a list of names in the order they were added. Reviewed by: imp MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org//D24027 2020-03-08T17:42:42Z Simon J. Gerraty sjg@FreeBSD.org 2020-03-08T17:42:42Z urn:sha1:afc571b1a6fb341b0e3f603d4f3a2538093e91f5 The vectx API, computes the hash for verifying a file as it is read. This avoids the overhead of reading files twice - once to verify, then again to load. For doing an install via loader, avoiding the need to rewind large files is critical. This API is only used for modules, kernel and mdimage as these are the biggest files read by the loader. The reduction in boot time depends on how expensive the I/O is on any given platform. On a fast VM we see 6% improvement. For install via loader the first file to be verified is likely to be the kernel, so some of the prep work (finding manifest etc) done by verify_file() needs to be factored so it can be reused for vectx_open(). For missing or unrecognized fingerprint entries, we fail in vectx_open() unless verifying is disabled. Otherwise fingerprint check happens in vectx_close() and since this API is only used for files which must be verified (VE_MUST) we panic if we get an incorrect hash. Reviewed by: imp,tsoome MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org//D23827 2019-10-24T19:50:18Z Simon J. Gerraty sjg@FreeBSD.org 2019-10-24T19:50:18Z urn:sha1:18e2fbc0d8c137286c5086e52666f43598d4387e For EFI at least, we can seed the environment with VE_VERBOSE etc. Reviewed by: stevek imp Sponsored by: Juniper Networks MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D22135 2019-06-26T23:33:32Z Simon J. Gerraty sjg@FreeBSD.org 2019-06-26T23:33:32Z urn:sha1:f9510887eeb5ad2eab96b48c41631886f8f33ad6 Since we can now add OpenPGP trust anchors at runtime, ensure the latent support is available. Ensure we do not add duplicate keys to trust store. Also allow reporting names of trust anchors added/revoked We only do this for loader and only after initializing trust store. Thus only changes to initial trust store will be logged. Reviewed by: stevek MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D20700 2019-05-19T20:28:49Z Simon J. Gerraty sjg@FreeBSD.org 2019-05-19T20:28:49Z urn:sha1:980bde58344a6b226ed1618e3dcc22271e10cfa3 During boot we only want to measure things which *must* be verified - this should provide more deterministic ordering. Reviewed by: stevek MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D20297 2019-04-23T20:25:25Z Simon J. Gerraty sjg@FreeBSD.org 2019-04-23T20:25:25Z urn:sha1:64ca9a7ff6748eed582b28aa6ff728bf69b2fe27 sbin/veriexec will ignore entries that have no hash anyway, but loader needs to be explicitly told that such files are ok to ignore (not verify). We will report as Unverified depending on verbose level, but with no reason - because we are not rejecting the file. Reviewed by: imp, mindal_semihalf Sponsored by: Juniper Networks MFC After: 1 week Differential Revision: https://reviews.freebsd.org//D20018 2019-04-09T22:20:11Z Simon J. Gerraty sjg@FreeBSD.org 2019-04-09T22:20:11Z urn:sha1:7b8b0fdba02ab829870d1b60d997e577c225a7a8 2019-04-03T03:57:37Z Marcin Wojtas mw@FreeBSD.org 2019-04-03T03:57:37Z urn:sha1:b0fefb25c558179e9f9c7f0d375c6a03fb567eb9 The current approach of injecting manifest into mac_veriexec is to verify the integrity of it in userspace (veriexec (8)) and pass its entries into kernel using a char device (/dev/veriexec). This requires verifying root partition integrity in loader, for example by using memory disk and checking its hash. Otherwise if rootfs is compromised an attacker could inject their own data. This patch introduces an option to parse manifest in kernel based on envs. The loader sets manifest path and digest. EVENTHANDLER is used to launch the module right after the rootfs is mounted. It has to be done this way, since one might want to verify integrity of the init file. This means that manifest is required to be present on the root partition. Note that the envs have to be set right before boot to make sure that no one can spoof them. Submitted by: Kornel Duleba <mindal@semihalf.com> Reviewed by: sjg Obtained from: Semihalf Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D19281