mirror of
https://github.com/freebsd/freebsd-src
synced 2024-07-21 10:19:04 +00:00
Add SECURITY section to loader(8).
Reviewed by: bcr, jilles, imp (earlier version)
MFC after: 2 weeks
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16700
parent
527d337fdb
commit
5469cc0ee9
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=337834
|
@ -31,7 +31,7 @@
|
|||
.\" @(#)init.8 8.3 (Berkeley) 4/18/94
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd August 14, 2018
|
||||
.Dd August 15, 2018
|
||||
.Dt INIT 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -86,6 +86,15 @@ The password check is skipped if the
|
|||
.Em console
|
||||
is marked as
|
||||
.Dq secure .
|
||||
Note that the password check does not protect from variables
|
||||
such as
|
||||
.Va init_script
|
||||
being set from the
|
||||
.Xr loader 8
|
||||
command line; see the
|
||||
.Sx SECURITY
|
||||
section of
|
||||
.Xr loader 8 .
|
||||
.Pp
|
||||
If the system security level (see
|
||||
.Xr security 7 )
|
||||
|
|
|
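Review bot: `.Sx SECURITY` in the added init.8 text points at a section that lives in loader(8), not in this page; mdoc(7) defines `.Sx` as a reference to a section of the same manual, so a formatter that renders it as a link will target an anchor init(8) does not have. Plain text or `.Dq SECURITY` ahead of `.Xr loader 8 .` reads the same without the dangling reference. Separately, "does not protect from variables ... being set" would read better as "does not protect against", and since the loader(8) section added in this commit lists `init_path` next to `init_script`, naming both here would keep the two pages consistent.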
@ -24,7 +24,7 @@
|
|||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd August 14, 2018
|
||||
.Dd August 15, 2018
|
||||
.Dt LOADER 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -945,6 +945,42 @@ version at compile time.
|
|||
.Nm
|
||||
version.
|
||||
.El
|
||||
.Sh SECURITY
|
||||
Access to the
|
||||
.Nm
|
||||
command line provides several ways of compromising system security,
|
||||
including, but not limited to:
|
||||
.Pp
|
||||
.Bl -bullet -compact
|
||||
.It
|
||||
Booting from removable storage, by setting the
|
||||
.Va currdev
|
||||
or
|
||||
.Va loaddev
|
||||
variables
|
||||
.It
|
||||
Executing binary of choice, by setting the
|
||||
.Va init_path
|
||||
or
|
||||
.Va init_script
|
||||
variables
|
||||
.It
|
||||
Overriding ACPI DSDT to inject arbitrary code into the ACPI subsystem
|
||||
.El
|
||||
.Pp
|
||||
One can prevent unauthorized access
|
||||
to the
|
||||
.Nm
|
||||
command line by setting the
|
||||
.Va password ,
|
||||
or setting
|
||||
.Va autoboot_delay
|
||||
to -1.
|
||||
See
|
||||
.Xr loader.conf 5
|
||||
for details.
|
||||
In order for this to be effective, one should also configure the firmware
|
||||
(BIOS or UEFI) to prevent booting from unauthorized devices.
|
||||
.Sh FILES
|
||||
.Bl -tag -width /usr/share/examples/bootforth/ -compact
|
||||
.It Pa /boot/loader
|
||||
|
|
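Review bot: In the second bullet of the new SECURITY list, "Executing binary of choice" is missing an article ("Executing a binary of choice"), and in the mitigation paragraph `.Va password ,` places a comma before "or setting" that the sentence does not need. The same paragraph offers `password` and `autoboot_delay` set to -1 as alternatives without saying what each one does at the prompt; one clause per variable would let the reader weigh the choice before following the pointer to loader.conf(5).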