mirror of https://github.com/opnsense/src.git (synced 2026-02-25 11:00:15 -05:00)
The veriexec device features the following ioctl commands:

    VERIEXEC_ACTIVE
        Activate veriexec functionality
    VERIEXEC_DEBUG_ON
        Enable debugging mode and increment or set the debug level
    VERIEXEC_DEBUG_OFF
        Disable debugging mode
    VERIEXEC_ENFORCE
        Enforce veriexec fingerprinting (and activate if not already)
    VERIEXEC_GETSTATE
        Get current veriexec state
    VERIEXEC_LOCK
        Lock changes to veriexec meta-data store
    VERIEXEC_LOAD
        Load veriexec fingerprint if secure level is not raised (and passes the
        checks for VERIEXEC_SIGNED_LOAD)
    VERIEXEC_SIGNED_LOAD
        Load veriexec fingerprints from loader that supports signed manifest
        (and thus we can be more lenient about secure level being raised.)

Fingerprints can be loaded if the meta-data store is not locked. Also
securelevel must not have been raised or some fingerprints must have
already been loaded, otherwise it would be dangerous to allow loading.
(Note: this assumes that the fingerprints in the meta-data store at
least cover the fingerprint loader.)

Reviewed by: jtl
Obtained from: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D8561
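
The load rules in the commit message above, written out as a user-space C model. This is an added example, not code from this commit or from verified_exec.c; the vx_ names are hypothetical, and treating "raised" as securelevel > 0 is an assumption.

```c
/* User-space model of the veriexec load policy as worded in the commit
 * message. Not kernel code; all vx_ identifiers are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

enum vx_cmd { VX_ACTIVE, VX_ENFORCE, VX_LOCK, VX_LOAD, VX_SIGNED_LOAD };

struct vx_state {
    bool active, enforce, locked;
    int securelevel;          /* assumption: "raised" means > 0 */
    unsigned loaded;          /* fingerprints in the meta-data store */
};

/* Checks stated for VERIEXEC_SIGNED_LOAD: store not locked, and either
 * securelevel not raised or some fingerprints already loaded. */
static bool signed_load_ok(const struct vx_state *s)
{
    return !s->locked && (s->securelevel <= 0 || s->loaded > 0);
}

/* Apply one command; returns 0 on success, -1 if the model refuses it. */
int vx_ioctl(struct vx_state *s, enum vx_cmd cmd)
{
    switch (cmd) {
    case VX_ACTIVE: s->active = true; return 0;
    case VX_ENFORCE:          /* enforce, and activate if not already */
        s->active = s->enforce = true; return 0;
    case VX_LOCK: s->locked = true; return 0;
    case VX_LOAD:             /* stricter: securelevel must not be raised */
        if (s->securelevel > 0) return -1;
        /* FALLTHROUGH: must also pass the signed-load checks */
    case VX_SIGNED_LOAD:
        if (!signed_load_ok(s)) return -1;
        s->loaded++;
        return 0;
    }
    return -1;
}

int main(void)
{
    struct vx_state s = {0};  /* constructed sequence, not a real boot log */
    vx_ioctl(&s, VX_SIGNED_LOAD); s.securelevel = 1;
    printf("signed load after raise: %d\n", vx_ioctl(&s, VX_SIGNED_LOAD));
    printf("plain load after raise:  %d\n", vx_ioctl(&s, VX_LOAD));
    vx_ioctl(&s, VX_LOCK);
    printf("signed load after lock:  %d\n", vx_ioctl(&s, VX_SIGNED_LOAD));
    return 0;
}
```

The case worth noting is an empty store with securelevel already raised: the model refuses even a signed load there, which is the "dangerous to allow loading" condition the message describes.
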
12 lines
175 B
Makefile
# $FreeBSD$

.PATH: ${.PARSEDIR:H:H}/dev/veriexec

.include <bsd.own.mk>

KMOD= veriexec
SRCS= verified_exec.c
SRCS+= bus_if.h device_if.h vnode_if.h

.include <bsd.kmod.mk>