authorSimon J. Gerraty <sjg@FreeBSD.org>2026-04-10 17:43:15 +0000
committerSimon J. Gerraty <sjg@FreeBSD.org>2026-04-10 17:46:54 +0000
commit35bbdfad28626255c63360d98c45e41f2c692ef0 (patch)
treee03fcfd9fd379c4246a2e29f4160d582db89ede2 /stand
parentfc68534a9ad93f6df1756ffa8e707c30a35ce4d7 (diff)
Diffstat (limited to 'stand')
-rw-r--r--stand/common/commands.c2
-rw-r--r--stand/common/load_elf.c7
-rw-r--r--stand/common/load_elf_obj.c5
-rw-r--r--stand/common/module.c16
-rw-r--r--stand/i386/loader/chain.c4
5 files changed, 24 insertions, 10 deletions
diff --git a/stand/common/commands.c b/stand/common/commands.c
index 41687ece42fd..4ed247a6b935 100644
--- a/stand/common/commands.c
+++ b/stand/common/commands.c
@@ -308,7 +308,7 @@ command_set(int argc, char *argv[])
ves = ve_status_get(-1);
if (ves == VE_UNVERIFIED_OK) {
#ifdef LOADER_VERIEXEC_TESTING
- printf("Checking: %s\n", var);
+ printf("Checking: %s\n", argv[1]);
#endif
if (is_restricted_var(argv[1])) {
printf("Ignoring restricted variable: %s\n",
diff --git a/stand/common/load_elf.c b/stand/common/load_elf.c
index b9f55a21e403..10131f7ccb88 100644
--- a/stand/common/load_elf.c
+++ b/stand/common/load_elf.c
@@ -283,7 +283,8 @@ __elfN(load_elf_header)(char *filename, elf_file_t ef)
{
int verror;
- ef->vctx = vectx_open(ef->fd, filename, 0L, NULL, &verror, __func__);
+ ef->vctx = vectx_open(ef->fd, filename, VE_MUST,
+ 0L, NULL, &verror, __func__);
if (verror) {
printf("Unverified %s: %s\n", filename, ve_error_get());
close(ef->fd);
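Review bot: The new `VE_MUST` argument to `vectx_open()` carries no comment explaining why the ELF loader always asks for the strictest level, and the same literal is repeated at the `vectx_open()` call in load_elf_obj.c. Because the severity argument has moved from `vectx_close()` to `vectx_open()`, the level is presumably recorded in the context at open time and enforced at close. A one-line comment such as `/* kernel and modules must always verify; severity is fixed here, not at vectx_close() */` would make that contract visible to anyone adding another call site. The enclosing function begins and ends outside the hunk.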
@@ -504,7 +505,7 @@ out:
if (!err && ef.vctx) {
int verror;
- verror = vectx_close(ef.vctx, VE_MUST, __func__);
+ verror = vectx_close(ef.vctx, __func__);
if (verror) {
err = EAUTH;
file_discard(fp);
@@ -1095,7 +1096,7 @@ out:
if (!err && ef.vctx) {
int verror;
- verror = vectx_close(ef.vctx, VE_MUST, __func__);
+ verror = vectx_close(ef.vctx, __func__);
if (verror) {
err = EAUTH;
file_discard(fp);
diff --git a/stand/common/load_elf_obj.c b/stand/common/load_elf_obj.c
index 9e32daa53696..706391ffbd8f 100644
--- a/stand/common/load_elf_obj.c
+++ b/stand/common/load_elf_obj.c
@@ -104,7 +104,8 @@ __elfN(obj_loadfile)(char *filename, uint64_t dest,
{
int verror;
- ef.vctx = vectx_open(ef.fd, filename, 0L, NULL, &verror, __func__);
+ ef.vctx = vectx_open(ef.fd, filename, VE_MUST,
+ 0L, NULL, &verror, __func__);
if (verror) {
printf("Unverified %s: %s\n", filename, ve_error_get());
close(ef.fd);
@@ -196,7 +197,7 @@ out:
if (!err && ef.vctx) {
int verror;
- verror = vectx_close(ef.vctx, VE_MUST, __func__);
+ verror = vectx_close(ef.vctx, __func__);
if (verror) {
err = EAUTH;
file_discard(fp);
diff --git a/stand/common/module.c b/stand/common/module.c
index bc06ba01fa06..f75428458373 100644
--- a/stand/common/module.c
+++ b/stand/common/module.c
@@ -661,6 +661,7 @@ file_loadraw(const char *fname, const char *type, int insert)
vm_offset_t laddr;
#ifdef LOADER_VERIEXEC_VECTX
struct vectx *vctx;
+ int severity;
int verror;
#endif
@@ -690,7 +691,16 @@ file_loadraw(const char *fname, const char *type, int insert)
}
#ifdef LOADER_VERIEXEC_VECTX
- vctx = vectx_open(fd, name, 0L, NULL, &verror, __func__);
+ severity = severity_guess(name);
+ if (severity < VE_MUST) {
+ /* double check against type */
+ if (strcmp(type, "md_image") == 0
+ || strcmp(type, "mfs_root") == 0
+ || strcmp(type, "acpi_dsdt") == 0
+ || strcmp(type, "cpu_microcode") == 0)
+ severity = VE_MUST;
+ }
+ vctx = vectx_open(fd, name, severity, 0L, NULL, &verror, __func__);
if (verror) {
sprintf(command_errbuf, "can't verify '%s': %s",
name, ve_error_get());
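Review bot: The `severity < VE_MUST` branch raises the level only for four hard-coded type strings, so every other raw-file type keeps whatever `severity_guess(name)` derived from the file name. The enforcement level for a type added later then depends on how the file happens to be named, which is easy to overlook. I would document the rule above the `strcmp` chain, e.g. `/* these types are security-critical regardless of file name; add new critical types here */`, and consider moving the strings into a `static const char *` table so the list lives in one place. The `strcmp(type, ...)` calls also assume `type` is non-NULL; the hunk does not show whether file_loadraw checks that earlier.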
@@ -741,7 +751,9 @@ file_loadraw(const char *fname, const char *type, int insert)
if (module_verbose > MODULE_VERBOSE_SILENT)
printf("size=%#jx\n", (uintmax_t)(laddr - loadaddr));
#ifdef LOADER_VERIEXEC_VECTX
- verror = vectx_close(vctx, VE_MUST, __func__);
+ verror = vectx_close(vctx, __func__);
+ DEBUG_PRINTF(1,("%s: vectx_close(%s): %d\n", __func__,
+ name, verror));
if (verror) {
free(name);
close(fd);
diff --git a/stand/i386/loader/chain.c b/stand/i386/loader/chain.c
index 9d58f9f3de33..5d8d66039770 100644
--- a/stand/i386/loader/chain.c
+++ b/stand/i386/loader/chain.c
@@ -83,7 +83,7 @@ command_chain(int argc, char *argv[])
}
#ifdef LOADER_VERIEXEC_VECTX
- vctx = vectx_open(fd, argv[1], 0L, NULL, &verror, __func__);
+ vctx = vectx_open(fd, argv[1], VE_MUST, 0L, NULL, &verror, __func__);
if (verror) {
sprintf(command_errbuf, "can't verify: %s", argv[1]);
close(fd);
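Review bot: The error path right after the new `vectx_open()` call formats `argv[1]`, a command argument, into `command_errbuf` with an unbounded `sprintf`. Assuming `command_errbuf` is a fixed-size array, a bounded call is safer: `snprintf(command_errbuf, sizeof(command_errbuf), "can't verify: %s", argv[1]);`. The same pattern appears in the file_loadraw hunk of module.c (`"can't verify '%s': %s"`). It would also help to append `ve_error_get()` here as module.c does, so the reason for the verification failure is reported.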
@@ -127,7 +127,7 @@ command_chain(int argc, char *argv[])
}
close(fd);
#ifdef LOADER_VERIEXEC_VECTX
- verror = vectx_close(vctx, VE_MUST, __func__);
+ verror = vectx_close(vctx, __func__);
if (verror) {
free(vctx);
return (CMD_ERROR);
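Review bot: The `free(vctx)` after a failing `vectx_close()` should be checked against the implementation of `vectx_close()`, which is not part of this diff. If that function releases the context itself on every path, this line frees the pointer a second time. None of the other call sites touched by this commit (load_elf.c, load_elf_obj.c, module.c) show a free of the context in the visible lines after a failed close, which suggests the close call owns it. If so, the error branch should be just `return (CMD_ERROR);`. command_chain begins outside the hunk.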