mirror of
https://github.com/freebsd/freebsd-src
synced 2024-07-21 18:27:22 +00:00
f616d61ab6
By default only report unverified files at severity VE_WANT and above. This inlcudes *.conf but not *.hints, *.cookie or *.tgz which get VE_TRY as their severity. If Verbose is set to 0, then VerifyFlags should default to 0 too. Thus the combination of module_verbose=0 VE_VEBOSE=0 is sufficient to make the loader almost totally silent. When verify_prep has to find_manifest and it is verified ok return VE_NOT_CHECKED to verify_file so that it can skip repeating verify_fd Also add better debugging output for is_verified and add_verify_status. vectx handle compressed modules When verifying a compressed module (.ko.gz or .ko.bz2) stat() reports the size as -1 (unknown). vectx_lseek needs to spot this during closing - and just read until EOF is hit. Note: because of the way libsa's open() works, verify_prep will see the path to be verified as module.ko not module.ko.bz2 etc. This is actually ok, because we need a separate module.ko.bz2 entry so that the package can be verified, and the hash for module.ko is of the uncompressed file which is what vectx will see. Re-work local.trust.mk so site.trust.mk need only set VE_SIGN_URL_LIST (if using the mentioned signing server) interp.c: restrict interactive input Apply the same restrictions to interactive input as for unverified conf and hints files. Use version.veriexec when LOADER_VERIEXEC is yes Reviewed by: kevans Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D43810
61 lines
1.5 KiB
PHP
61 lines
1.5 KiB
PHP
|
|
BRSSL_CFLAGS+= -DNO_STDIO
|
|
|
|
.include "Makefile.inc"
|
|
|
|
# for "measured boot"
|
|
# loader puts the equivalent of TPM's PCR register into kenv
|
|
# this is not as good but *way* simpler than talking to TPM
|
|
CFLAGS+= -DVE_PCR_SUPPORT
|
|
|
|
# sources that only apply to libsa
|
|
SRCS+= \
|
|
vectx.c \
|
|
veopen.c \
|
|
vepcr.c \
|
|
verify_file.c \
|
|
|
|
# Build library with support for the UEFI based authentication
|
|
.if ${MK_LOADER_EFI_SECUREBOOT} == "yes"
|
|
SRCS+= \
|
|
efi/efi_variables.c \
|
|
efi/efi_init.c
|
|
|
|
# Add includes required by efi part
|
|
CFLAGS+= \
|
|
-I${SRCTOP}/stand/efi/include \
|
|
-I${SRCTOP}/lib/libsecureboot/efi/include \
|
|
-I${SRCTOP}/stand/efi/include/${MACHINE}
|
|
.endif
|
|
|
|
.if ${MK_LOADER_VERIEXEC_PASS_MANIFEST} == "yes"
|
|
SRCS+= \
|
|
pass_manifest.c
|
|
.endif
|
|
|
|
# this is the list of paths (relative to a file
|
|
# that we need to verify) used to find a signed manifest.
|
|
# the signature extensions in VE_SIGNATURE_EXT_LIST
|
|
# will be applied to each.
|
|
VE_MANIFEST_LIST?= manifest ../manifest
|
|
|
|
verify_file.o: manifests.h
|
|
manifests.h:
|
|
@( echo '/* Autogenerated - DO NOT EDIT!!! */'; echo; \
|
|
echo "static const char *manifest_names[] = {"; \
|
|
echo '${VE_MANIFEST_LIST:@m@"$m",${.newline}@}'; \
|
|
echo 'NULL };' ) > ${.TARGET}
|
|
|
|
# only add these if set
|
|
XCFLAGS.verify_file+= \
|
|
${VE_DEBUG_LEVEL \
|
|
VE_VERBOSE_DEFAULT \
|
|
VE_VERIFY_FLAGS \
|
|
:L:@v@${$v:S,^,-D$v=,}@}
|
|
|
|
.if !empty(MANIFEST_SKIP_ALWAYS)
|
|
XCFLAGS.verify_file+= -DMANIFEST_SKIP_ALWAYS=\"${MANIFEST_SKIP_ALWAYS}\"
|
|
.elif !empty(MANIFEST_SKIP)
|
|
XCFLAGS.verify_file+= -DMANIFEST_SKIP=\"${MANIFEST_SKIP}\"
|
|
.endif
|