
Add examples to veriexec(8)
ClosedPublic

Authored by sjg on Aug 1 2024, 8:50 PM.
Details

Reviewers
markj
imp
stevek
Group Reviewers
Restricted Owners Package (Owns No Changed Paths)
Commits
rGb77f618568f2: Add examples to veriexec(8)
Summary

Add missing flags to veriexec(8) as well as some examples to
help explain usage.

Also add veriexec.4

Sponsored by: Juniper Networks, Inc.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

Owners added a reviewer: Restricted Owners Package. Aug 1 2024, 8:50 PM
sjg requested review of this revision. Aug 1 2024, 8:50 PM
This revision is now accepted and ready to land. Aug 1 2024, 9:07 PM

Update history to avoid ambiguity

This revision now requires review to proceed. Aug 1 2024, 9:57 PM
This revision was not accepted when it landed; it landed in state Needs Review. Aug 1 2024, 10:00 PM
This revision was automatically updated to reflect the committed changes.

Thanks for writing this. I didn't get a chance to review yesterday, but I added some comments below.

sbin/veriexec/veriexec.8
198
205

Some documentation on how to configure a trust store would be useful too.

227
share/man/man4/veriexec.4
34

This is missing some description of how to compile veriexec support into the kernel. Currently there is only options MAC_VERIEXEC, which compiles both mac_veriexec and dev/veriexec into the kernel.

mac_veriexec.ko does not include dev/veriexec for some reason (i.e., sys/modules/mac_veriexec/Makefile only lists source files for the MAC component), so the kernel module is not useful. This seems unintentional.

49

Missing a word here.

share/man/man4/veriexec.4
34

There is sys/modules/veriexec for the device side.

The MAC module does not have a dependency on the veriexec device. One could have another implementation that just uses the MAC/veriexec functionality to populate the meta-data store.

Note that the veriexec.ko module has a dependency on mac_veriexec.

share/man/man4/veriexec.4
34

Ah, I see, I missed that. Unless I'm missing something though, it's not listed in sys/modules/Makefile so never gets built, even when compiling with WITH_VERIEXEC=.

When compiling into the kernel, dev/veriexec/verified_exec.c is dependent on options MAC_VERIEXEC, which seems incorrect.

share/man/man4/veriexec.4
34

Yes, that probably should be "optional mac_veriexec veriexec" for the "files" file.

The sys/modules/Makefile bit will need to be corrected.