Add examples to veriexec(8)
Status: Closed, Public

Authored by sjg on Aug 1 2024, 8:50 PM.
Details

Reviewers
markj
imp
stevek
Commits
rGb77f618568f2: Add examples to veriexec(8)
Summary

Add missing flags to veriexec(8) as well as some examples to
help explain usage.

Also add veriexec.4

Sponsored by: Juniper Networks, Inc.

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

Owners added a reviewer: Restricted Owners Package. (Aug 1 2024, 8:50 PM)
sjg requested review of this revision. (Aug 1 2024, 8:50 PM)
This revision is now accepted and ready to land. (Aug 1 2024, 9:07 PM)

Update history to avoid ambiguity

This revision now requires review to proceed. (Aug 1 2024, 9:57 PM)
This revision was not accepted when it landed; it landed in state Needs Review. (Aug 1 2024, 10:00 PM)
This revision was automatically updated to reflect the committed changes.

Thanks for writing this. I didn't get a chance to review yesterday, but I added some comments below.

Inline comment on sbin/veriexec/veriexec.8 (lines 198, 205):

Some documentation on how to configure a trust store would be useful too.

Inline comment on sbin/veriexec/veriexec.8 (line 227)

Inline comment on share/man/man4/veriexec.4 (line 34):

This is missing some description of how to compile veriexec support into the kernel. Currently there is only options MAC_VERIEXEC, which compiles both mac_veriexec and dev/veriexec into the kernel.

mac_veriexec.ko does not include dev/veriexec for some reason (i.e., sys/modules/mac_veriexec/Makefile only lists source files for the MAC component), so the kernel module is not useful. This seems unintentional.

Inline comment on share/man/man4/veriexec.4 (line 49):

Missing a word here.

Reply on share/man/man4/veriexec.4 (line 34):

There is sys/modules/veriexec for the device side.

The MAC module does not have a dependency on the veriexec device. One could have another implementation that just uses the MAC/veriexec functionality to populate the meta-data store.

Note that the veriexec.ko module has a dependency on mac_veriexec.

Reply on share/man/man4/veriexec.4 (line 34):

Ah, I see, I missed that. Unless I'm missing something though, it's not listed in sys/modules/Makefile so never gets built, even when compiling with WITH_VERIEXEC=.

When compiling into the kernel, dev/veriexec/verified_exec.c is dependent on options MAC_VERIEXEC, which seems incorrect.

Reply on share/man/man4/veriexec.4 (line 34):

Yes, that probably should be "optional mac_veriexec veriexec" for the "files" file.

The sys/modules/Makefile bit will need to be corrected.