FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=release%2F14.4.0 2025-02-18T18:41:07Z 2025-02-18T18:41:07Z Huwyler simon.huwyler@gmail.com 2025-01-17T14:55:15Z urn:sha1:0ea2924f8126bb32ee704b071a87185140297ab3 Reviewed by: sjg Pull request: https://github.com/freebsd/freebsd-src/pull/1574 (cherry picked from commit caaeab697bf98bf96e2fa8cb4a1e22240511fbcc) 2024-04-16T19:54:22Z Simon J. Gerraty sjg@FreeBSD.org 2024-02-12T22:35:01Z urn:sha1:16d49d0e4fe7061832c2c23ff9e91e7abdc272ac By default only report unverified files at severity VE_WANT and above. This inlcudes *.conf but not *.hints, *.cookie or *.tgz which get VE_TRY as their severity. If Verbose is set to 0, then VerifyFlags should default to 0 too. Thus the combination of module_verbose=0 VE_VEBOSE=0 is sufficient to make the loader almost totally silent. When verify_prep has to find_manifest and it is verified ok return VE_NOT_CHECKED to verify_file so that it can skip repeating verify_fd Also add better debugging output for is_verified and add_verify_status. vectx handle compressed modules When verifying a compressed module (.ko.gz or .ko.bz2) stat() reports the size as -1 (unknown). vectx_lseek needs to spot this during closing - and just read until EOF is hit. Note: because of the way libsa's open() works, verify_prep will see the path to be verified as module.ko not module.ko.bz2 etc. This is actually ok, because we need a separate module.ko.bz2 entry so that the package can be verified, and the hash for module.ko is of the uncompressed file which is what vectx will see. Re-work local.trust.mk so site.trust.mk need only set VE_SIGN_URL_LIST (if using the mentioned signing server) interp.c: restrict interactive input Apply the same restrictions to interactive input as for unverified conf and hints files. Use version.veriexec when LOADER_VERIEXEC is yes Reviewed by: kevans Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D43810 (cherry picked from commit f616d61ab6b071e5fbfdbae7033a9ef04c1444ad) 2024-01-07T19:39:17Z Stéphane Rochoy stephane.rochoy@stormshield.eu 2023-12-04T09:57:43Z urn:sha1:a13066579c6f0b80786472505f115cadbf301c25 Reviewed by: imp, sjg Pull Request: https://github.com/freebsd/freebsd-src/pull/916 (cherry picked from commit 4b9d605768acabc460aa6dcfe8a1f8db35b16794) 2023-08-16T17:55:20Z Warner Losh imp@FreeBSD.org 2023-08-16T17:55:20Z urn:sha1:05248206f720394d95c2a7475429311df670a2e9 Remove /^\s*\$FreeBSD\$$\n/ 2023-08-16T17:55:03Z Warner Losh imp@FreeBSD.org 2023-08-16T17:55:03Z urn:sha1:d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/ 2023-08-16T17:54:42Z Warner Losh imp@FreeBSD.org 2023-08-16T17:54:42Z urn:sha1:1d386b48a555f61cb7325543adbbb5c3f3407a66 Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/ 2023-08-16T17:54:23Z Warner Losh imp@FreeBSD.org 2023-08-16T17:54:23Z urn:sha1:42b388439bd3795e09258c57a74ce9eec3651c7b Remove /^\s*\*+\s*\$FreeBSD\$.*$\n/ 2023-08-16T17:54:16Z Warner Losh imp@FreeBSD.org 2023-08-16T17:54:16Z urn:sha1:b3e7694832e81d7a904a10f525f8797b753bf0d3 Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/ 2023-07-05T19:37:14Z Simon J. Gerraty sjg@FreeBSD.org 2023-07-05T19:37:14Z urn:sha1:9c3478cb226385c468c0d029337f4e78e69931c8 Although we care more about the CN of a certificate than its status (for purpose of reporting), we should skip if we have errors decoding. Reviewed by: stevek Sponsored by: Juniper Networks, Inc. 2023-06-30T06:52:17Z Simon J. Gerraty sjg@FreeBSD.org 2023-06-30T06:52:17Z urn:sha1:56f3f2d2491e30f369f9461c3cb2a366bdffbe1d Reviewed by: stevek