Verify files loaded in chain command.
The chain command can be used to chain load another binary. If veriexec is enabled we should verify it first. Note that on EFI systems the verification was already done through firmware, assuming that Secure Boot was enabled there. Submitted by: Kornel Duleba <mindal@semihalf.com> Reviewed by: sjg MFC after: 1 week Obtained from: Semihalf Differential Revision: https://reviews.freebsd.org/D20952
parent
4d3f1eafc9
commit
435672e322
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=350761
|
@ -1440,6 +1440,14 @@ command_chain(int argc, char *argv[])
|
|||
return (CMD_ERROR);
|
||||
}
|
||||
|
||||
#ifdef LOADER_VERIEXEC
|
||||
if (verify_file(fd, name, 0, VE_MUST) < 0) {
|
||||
sprintf(command_errbuf, "can't verify: %s", name);
|
||||
close(fd);
|
||||
return (CMD_ERROR);
|
||||
}
|
||||
#endif
|
||||
|
||||
if (fstat(fd, &st) < -1) {
|
||||
command_errmsg = "stat failed";
|
||||
close(fd);
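Review bot: The added `sprintf(command_errbuf, "can't verify: %s", name);` copies `name` (presumably the path given to the chain command) into command_errbuf with no length bound, so an over-long argument could overrun the buffer on the path that reports a failed verification. A bounded call, `snprintf(command_errbuf, sizeof(command_errbuf), "can't verify: %s", name);`, avoids that; it assumes command_errbuf is a fixed-size array in scope, which the hunk does not show. The same call with `argv[1]` in the second command_chain hunk needs the same change. Separately, the context line `if (fstat(fd, &st) < -1)` just below the new block can never be true if fstat() reports failure as -1, so a stat error would pass unnoticed after verification; `== -1`, as in the other hunk, looks intended. command_chain's body starts and ends outside the hunk.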
|
||||
|
|
|
@ -75,6 +75,14 @@ command_chain(int argc, char *argv[])
|
|||
return (CMD_ERROR);
|
||||
}
|
||||
|
||||
#ifdef LOADER_VERIEXEC
|
||||
if (verify_file(fd, argv[1], 0, VE_MUST) < 0) {
|
||||
sprintf(command_errbuf, "can't verify: %s", argv[1]);
|
||||
close(fd);
|
||||
return (CMD_ERROR);
|
||||
}
|
||||
#endif
|
||||
|
||||
len = strlen(argv[1]);
|
||||
if (argv[1][len-1] != ':') {
|
||||
if (fstat(fd, &st) == -1) {
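Review bot: verify_file() is called with VE_MUST before the `argv[1][len-1] != ':'` test that follows, so the check is also applied when the argument is a device-style name ending in ':' rather than a regular file. The hunk does not show whether verify_file() can succeed for such an argument; if it cannot, chain-loading from a device always fails once LOADER_VERIEXEC is compiled in. Whichever behaviour is intended, it should be stated at the call, for example `/* VE_MUST applies to every chain target, including "name:" device arguments */`, so a later change does not quietly move the check inside the file-only branch. command_chain's body starts and ends outside the hunk.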
|
||||
|
|