
libsecureboot do not report expected unverified files
ClosedPublic

Authored by sjg on Feb 9 2024, 9:21 PM.
Details

Summary

By default only report unverified files at severity VE_WANT
and above. This includes *.conf but not *.hints, *.cookie
or *.tgz which get VE_TRY as their severity.

If Verbose is set to 0, then VerifyFlags should default to 0 too.
Thus the combination of

module_verbose=0
VE_VERBOSE=0

is sufficient to make the loader almost totally silent.

When verify_prep has to find_manifest and it is verified ok,
return VE_NOT_CHECKED to verify_file so that it can skip
repeating verify_fd.

Also add better debugging output for is_verified and add_verify_status.

vectx handle compressed modules

When verifying a compressed module (.ko.gz or .ko.bz2)
stat() reports the size as -1 (unknown).
vectx_lseek needs to spot this during closing - and just read until
EOF is hit.

Note: because of the way libsa's open() works, verify_prep will see
the path to be verified as module.ko not module.ko.bz2 etc. This is
actually ok, because we need a separate module.ko.bz2 entry so that
the package can be verified, and the hash for module.ko is of the
uncompressed file which is what vectx will see.

Re-work local.trust.mk so site.trust.mk need only set
VE_SIGN_URL_LIST (if using the mentioned signing server)

interp.c: restrict interactive input

Apply the same restrictions to interactive input as for
unverified conf and hints files.

Sponsored by: Juniper Networks, Inc.
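The two-manifest-entry scheme and the read-until-EOF handling for compressed modules described in the summary (and again in sjg's later comment) as an added Python model. This is not libsecureboot's code: the manifest layout, the function names and the sample module bytes are constructed assumptions for illustration.

```python
import bz2
import gzip
import hashlib
import io
from typing import BinaryIO, Dict

def sha256_to_eof(stream: BinaryIO, size: int) -> str:
    """Hash a stream whose declared size may be -1 (what stat() reports for the
    decompressed view of a .ko.gz/.ko.bz2). Known size: read exactly that many
    bytes. Unknown size: keep reading until EOF, as vectx must do on close."""
    h = hashlib.sha256()
    remaining = None if size < 0 else size
    while remaining is None or remaining > 0:
        chunk = stream.read(65536 if remaining is None else min(65536, remaining))
        if not chunk:
            break
        h.update(chunk)
        if remaining is not None:
            remaining -= len(chunk)
    return h.hexdigest()

def compress(data: bytes, codec: str) -> bytes:
    return gzip.compress(data, mtime=0) if codec == "gz" else bz2.compress(data)

def as_stream(data: bytes) -> io.BytesIO:
    return io.BytesIO(data)

def decompress_stream(blob: bytes, codec: str) -> io.BytesIO:
    """Models libsa's open(): the loader sees decompressed bytes, size unknown."""
    return io.BytesIO(gzip.decompress(blob) if codec == "gz" else bz2.decompress(blob))

def manifest_entries(name: str, uncompressed: bytes, codec: str) -> Dict[str, str]:
    """Two entries per compressed module: the package verifier needs the hash of
    the shipped module.ko.<codec>; the loader looks up the bare module.ko and
    needs the hash of the uncompressed bytes it will actually read."""
    return {
        f"{name}.{codec}": hashlib.sha256(compress(uncompressed, codec)).hexdigest(),
        name: hashlib.sha256(uncompressed).hexdigest(),
    }

def verify(manifest: Dict[str, str], path: str, stream: BinaryIO, size: int) -> str:
    """'unverified' (no entry; reported per its VE_* severity), 'ok' or 'fail'."""
    expected = manifest.get(path)
    if expected is None:
        return "unverified"
    return "ok" if sha256_to_eof(stream, size) == expected else "fail"

# Constructed stand-in for a kernel module image (not a real .ko).
SAMPLE_KO = b"\x7fELF" + bytes(range(256)) * 64
```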

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

sjg requested review of this revision. Feb 9 2024, 9:21 PM

Use version.veriexec when LOADER_VERIEXEC is enabled

Put _TA_*_USE after _SIGN_*_USE

Update version.veriexec for SMBIOS 3 support

clean up local.trust.mk more

No comment on the veriexec bits (they seem generally sane, but that's your area of course :-)), but the motivation described here:

When verifying a compressed module (.ko.gz or .ko.bz2)
stat() reports the size as -1 (unknown).
vectx_lseek needs to spot this during closing - and just read until
EOF is hit.

and the relevant hunk of the diff look OK to me.

This revision is now accepted and ready to land. Feb 12 2024, 9:49 PM

Compressed modules are problematic, in that the verification logic in the loader sees the uncompressed content, for which stat() cannot provide a size.
This means you need two manifest entries: one for the compressed module, so the package content can be verified, and one for the uncompressed content,
so the loader can verify it.

We ended up not using them, but retain the support.