Page MenuHomeFreeBSD
Differential D43810

libsecureboot do not report expected unverified files
ClosedPublic
Actions

Authored by sjg on Feb 9 2024, 9:21 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Oct 18, 6:47 AM
Unknown Object (File)
Sep 27 2024, 11:29 PM
Unknown Object (File)
Sep 27 2024, 9:25 PM
Unknown Object (File)
Sep 23 2024, 1:18 PM
Unknown Object (File)
Sep 19 2024, 5:33 AM
Unknown Object (File)
Sep 18 2024, 2:47 PM
Unknown Object (File)
Sep 18 2024, 6:57 AM
Unknown Object (File)
Sep 17 2024, 2:48 PM
View All 76 Files
Subscribers
bcran
dab

Details

Reviewers
stevek
imp
kevans
manu
Commits
rG16d49d0e4fe7: libsecureboot do not report expected unverified files
rGf616d61ab6b0: libsecureboot do not report expected unverified files
Summary

By default only report unverified files at severity VE_WANT
and above. This inlcudes *.conf but not *.hints, *.cookie
or *.tgz which get VE_TRY as their severity.

If Verbose is set to 0, then VerifyFlags should default to 0 too.
Thus the combination of

module_verbose=0
VE_VEBOSE=0

is sufficient to make the loader almost totally silent.

When verify_prep has to find_manifest and it is verified ok
return VE_NOT_CHECKED to verify_file so that it can skip
repeating verify_fd

Also add better debugging output for is_verified and add_verify_status.

vectx handle compressed modules

When verifying a compressed module (.ko.gz or .ko.bz2)
stat() reports the size as -1 (unknown).
vectx_lseek needs to spot this during closing - and just read until
EOF is hit.

Note: because of the way libsa's open() works, verify_prep will see
the path to be verified as module.ko not module.ko.bz2 etc. This is
actually ok, because we need a separate module.ko.bz2 entry so that
the package can be verified, and the hash for module.ko is of the
uncompressed file which is what vectx will see.

Re-work local.trust.mk so site.trust.mk need only set
VE_SIGN_URL_LIST (if using the mentioned signing server)

interp.c: restrict interactive input

Apply the same restrictions to interactive input as for
unverified conf and hints files.

Sponsored by: Juniper Networks, Inc.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 55898
Build 52787: arc lint + arc unit

Event Timeline

sjg created this revision.Feb 9 2024, 9:21 PM
Herald added a reviewer: manu. · View Herald TranscriptFeb 9 2024, 9:21 PM
Herald added a subscriber: dab. · View Herald Transcript
sjg requested review of this revision.Feb 9 2024, 9:21 PM
Harbormaster completed remote builds in B55896: Diff 134070.Feb 9 2024, 9:21 PM
sjg updated this revision to Diff 134072.Feb 9 2024, 9:35 PM

Use version.veriexec when LOADER_VERIEXEC is enabled

Herald added a subscriber: bcran. · View Herald TranscriptFeb 9 2024, 9:35 PM
Harbormaster completed remote builds in B55897: Diff 134072.Feb 9 2024, 9:35 PM
sjg updated this revision to Diff 134073.Feb 9 2024, 9:39 PM

Put _TA_*_USE after _SIGN_*_USE

Harbormaster completed remote builds in B55898: Diff 134073.Feb 9 2024, 9:39 PM
sjg updated this revision to Diff 134085.Feb 10 2024, 2:42 AM

Update version.veriexec for SMBIOS 3 support

Harbormaster completed remote builds in B55904: Diff 134085.Feb 10 2024, 2:42 AM
sjg updated this revision to Diff 134189.Feb 12 2024, 5:15 PM

clean up local.trust.mk more

Harbormaster completed remote builds in B55956: Diff 134189.Feb 12 2024, 5:15 PM
kevans accepted this revision.Feb 12 2024, 9:49 PM

No comment on the veriexec bits (they seem generally sane, but that's your area of course :-)), but the motivation described here:

When verifying a compressed module (.ko.gz or .ko.bz2)
stat() reports the size as -1 (unknown).
vectx_lseek needs to spot this during closing - and just read until
EOF is hit.

and the relevant hunk of the diff look OK to me.

This revision is now accepted and ready to land.Feb 12 2024, 9:49 PM
sjg added a comment.Feb 12 2024, 10:35 PM
In D43810#1000521, @kevans wrote:

No comment on the veriexec bits (they seem generally sane, but that's your area of course :-)), but the motivation described here:

When verifying a compressed module (.ko.gz or .ko.bz2)
stat() reports the size as -1 (unknown).
vectx_lseek needs to spot this during closing - and just read until
EOF is hit.

and the relevant hunk of the diff look OK to me.

compressed modules are problematic, in that the verification logic in the loader sees the uncompress content - for which stat() cannot provide a size,
this means you need two manifest entries - one for the compressed module - so the package content can be verified, and one for the uncompressed content
so loader can verify.

We ended up not using them, but retain the support.

Closed by commit rGf616d61ab6b0: libsecureboot do not report expected unverified files (authored by sjg). · Explain WhyFeb 12 2024, 10:36 PM
This revision was automatically updated to reflect the committed changes.
sjg added a commit: rGf616d61ab6b0: libsecureboot do not report expected unverified files.
imp added a commit: rG16d49d0e4fe7: libsecureboot do not report expected unverified files.Apr 16 2024, 8:13 PM

Revision Contents
Changeset List

PathSize
lib/
libsecureboot/
8 lines
7 lines
h/
1 line
88 lines
26 lines
35 lines
stand/
common/
8 lines
efi/
loader/
6 lines
3 lines

Diff 134073

View Options

lib/libsecureboot/Makefile.inc

Loading...
View Options

lib/libsecureboot/Makefile.libsa.inc

Loading...
View Options

lib/libsecureboot/h/verify_file.h

Loading...
View Options

lib/libsecureboot/local.trust.mk

Loading...
View Options

lib/libsecureboot/vectx.c

Loading...
View Options

lib/libsecureboot/verify_file.c

Loading...
View Options

stand/common/interp.c

Loading...
View Options

stand/efi/loader/version.veriexec

Loading...
View Options

stand/veriexec.mk

Loading...