mirror of
https://github.com/opnsense/src.git
synced 2026-06-04 06:15:33 -04:00
16d49d0e4f
By default only report unverified files at severity VE_WANT
and above. This inlcudes *.conf but not *.hints, *.cookie
or *.tgz which get VE_TRY as their severity.
If Verbose is set to 0, then VerifyFlags should default to 0 too.
Thus the combination of
module_verbose=0
VE_VEBOSE=0
is sufficient to make the loader almost totally silent.
When verify_prep has to find_manifest and it is verified ok
return VE_NOT_CHECKED to verify_file so that it can skip
repeating verify_fd
Also add better debugging output for is_verified and add_verify_status.
vectx handle compressed modules
When verifying a compressed module (.ko.gz or .ko.bz2)
stat() reports the size as -1 (unknown).
vectx_lseek needs to spot this during closing - and just read until
EOF is hit.
Note: because of the way libsa's open() works, verify_prep will see
the path to be verified as module.ko not module.ko.bz2 etc. This is
actually ok, because we need a separate module.ko.bz2 entry so that
the package can be verified, and the hash for module.ko is of the
uncompressed file which is what vectx will see.
Re-work local.trust.mk so site.trust.mk need only set
VE_SIGN_URL_LIST (if using the mentioned signing server)
interp.c: restrict interactive input
Apply the same restrictions to interactive input as for
unverified conf and hints files.
Use version.veriexec when LOADER_VERIEXEC is yes
Reviewed by: kevans
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D43810
(cherry picked from commit f616d61ab6)
60 lines
1.5 KiB
PHP
60 lines
1.5 KiB
PHP
|
|
BRSSL_CFLAGS+= -DNO_STDIO
|
|
|
|
.include "Makefile.inc"
|
|
|
|
# for "measured boot"
|
|
# loader puts the equivalent of TPM's PCR register into kenv
|
|
# this is not as good but *way* simpler than talking to TPM
|
|
CFLAGS+= -DVE_PCR_SUPPORT
|
|
|
|
# sources that only apply to libsa
|
|
SRCS+= \
|
|
vectx.c \
|
|
veopen.c \
|
|
vepcr.c \
|
|
verify_file.c \
|
|
|
|
# Build library with support for the UEFI based authentication
|
|
.if ${MK_LOADER_EFI_SECUREBOOT} == "yes"
|
|
SRCS+= \
|
|
efi/efi_variables.c \
|
|
efi/efi_init.c
|
|
|
|
# Add includes required by efi part
|
|
CFLAGS+= \
|
|
-I${SRCTOP}/stand/efi/include \
|
|
-I${SRCTOP}/lib/libsecureboot/efi/include \
|
|
-I${SRCTOP}/stand/efi/include/${MACHINE}
|
|
.endif
|
|
|
|
.if ${MK_LOADER_VERIEXEC_PASS_MANIFEST} == "yes"
|
|
SRCS+= \
|
|
pass_manifest.c
|
|
.endif
|
|
|
|
# this is the list of paths (relative to a file
|
|
# that we need to verify) used to find a signed manifest.
|
|
# the signature extensions in VE_SIGNATURE_EXT_LIST
|
|
# will be applied to each.
|
|
VE_MANIFEST_LIST?= manifest ../manifest
|
|
|
|
verify_file.o: manifests.h
|
|
manifests.h:
|
|
@( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
|
|
echo "static const char *manifest_names[] = {"; \
|
|
echo '${VE_MANIFEST_LIST:@m@"$m",${.newline}@}'; \
|
|
echo 'NULL };' ) > ${.TARGET}
|
|
|
|
# only add these if set
|
|
XCFLAGS.verify_file+= \
|
|
${VE_DEBUG_LEVEL \
|
|
VE_VERBOSE_DEFAULT \
|
|
VE_VERIFY_FLAGS \
|
|
:L:@v@${$v:S,^,-D$v=,}@}
|
|
|
|
.if !empty(MANIFEST_SKIP_ALWAYS)
|
|
XCFLAGS.verify_file+= -DMANIFEST_SKIP_ALWAYS=\"${MANIFEST_SKIP_ALWAYS}\"
|
|
.elif !empty(MANIFEST_SKIP)
|
|
XCFLAGS.verify_file+= -DMANIFEST_SKIP=\"${MANIFEST_SKIP}\"
|
|
.endif
|