freebsd-src/stand/veriexec.mk
Simon J. Gerraty f616d61ab6 libsecureboot do not report expected unverified files
By default only report unverified files at severity VE_WANT
and above.  This inlcudes *.conf but not *.hints, *.cookie
or *.tgz which get VE_TRY as their severity.

If Verbose is set to 0, then VerifyFlags should default to 0 too.
Thus the combination of

	module_verbose=0
	VE_VEBOSE=0

is sufficient to make the loader almost totally silent.

When verify_prep has to find_manifest and it is verified ok
return VE_NOT_CHECKED to verify_file so that it can skip
repeating verify_fd

Also add better debugging output for is_verified and add_verify_status.

vectx handle compressed modules

When verifying a compressed module (.ko.gz or .ko.bz2)
stat() reports the size as -1 (unknown).
vectx_lseek needs to spot this during closing - and just read until
EOF is hit.

Note: because of the way libsa's open() works, verify_prep will see
the path to be verified as module.ko not module.ko.bz2 etc.  This is
actually ok, because we need a separate module.ko.bz2 entry so that
the package can be verified, and the hash for module.ko is of the
uncompressed file which is what vectx will see.

Re-work local.trust.mk so site.trust.mk need only set
VE_SIGN_URL_LIST (if using the mentioned signing server)

interp.c: restrict interactive input

Apply the same restrictions to interactive input as for
unverified conf and hints files.

Use version.veriexec when LOADER_VERIEXEC is yes

Reviewed by:	kevans
Sponsored by:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D43810
2024-02-12 14:35:01 -08:00

13 lines
360 B
Makefile

.if ${MK_LOADER_VERIEXEC} != "no"
.if exists(${VERSION_FILE}.veriexec)
VERSION_FILE:= ${VERSION_FILE}.veriexec
.endif
CFLAGS+= -DLOADER_VERIEXEC -I${SRCTOP}/lib/libsecureboot/h
.if ${MK_LOADER_VERIEXEC_VECTX} != "no"
CFLAGS+= -DLOADER_VERIEXEC_VECTX
.endif
.if ${MK_LOADER_VERIEXEC_PASS_MANIFEST} != "no"
CFLAGS+= -DLOADER_VERIEXEC_PASS_MANIFEST
.endif
.endif