Date: Wed, 10 Feb 2021 17:34:43 -0800
From: "Simon J. Gerraty" <sjg@juniper.net>
To: <dan_partelly@rdsor.ro>
Cc: <current@freebsd.org>, <sjg@juniper.net>
Subject: Re: Enable veriexec for 13 Beta 1
Message-ID: <27930.1613007283@kaos.jnpr.net>
In-Reply-To: <187ca3f70566e4dddf13326fba548625@rdsor.ro>
References: <187ca3f70566e4dddf13326fba548625@rdsor.ro>

dan_partelly@rdsor.ro wrote:
> Hey guys,
>
> What are the config knobs for enabling the veriexec driver and veriexec
> mac modules for testing and playing with this new subsystem? User mode
> knob for user mode tool and lib is documented in man src.conf Thanks!

You would want...

options MAC
options MAC_VERIEXEC
options MAC_VERIEXEC_SHA256
options MAC_VERIEXEC_SHA384

Oh, sys/conf/files needs a tweak, see below.

sha256 hashes are good for now, but best to have support for bigger in place.

You will want WITH_BEARSSL=1, which will enable VERIEXEC for kernel and LOADER_VERIEXEC, LOADER_VERIEXEC_VECTX and LOADER_EFI_SECUREBOOT.

Also you need to configure lib/libsecureboot/local.trust.mk to provide the trust anchors; this is used by sbin/veriexec - the tool that loads manifests into kernel - as well as loader if LOADER_VERIEXEC is enabled.

You'll need this diff:

diff --git a/sys/conf/files b/sys/conf/files index 1abfadb1e8d8eb347c2caa8e92a1d86375dc61af..459fcddd693b89d50c9fecfb6c= c93515b2799cb6 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -3450,7 +3450,7 @@ dev/videomode/videomode.c optional videomode dev/videomode/edid.c optional videomode dev/videomode/pickmode.c optional videomode dev/videomode/vesagtf.c optional videomode -dev/veriexec/verified_exec.c optional veriexec mac_veriexec +dev/veriexec/verified_exec.c optional mac_veriexec dev/vge/if_vge.c optional vge dev/viapm/viapm.c optional viapm pci dev/virtio/virtio.c optional virtio
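
Review bot: on the dev/veriexec/verified_exec.c line, dropping the "veriexec" keyword leaves the entry keyed on mac_veriexec alone, so a "device veriexec" line in a kernel config no longer has any bearing on whether this file is built, and nothing in the patch says that is intended. If the aim is only to stop requiring both keywords, state it in the commit message; if either keyword should be enough to pull the driver in, the entry would need the alternative form "optional veriexec | mac_veriexec" instead.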
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?27930.1613007283>
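
The settings listed in the message above, checked by a small preflight script. This is an added example, not part of the original e-mail or of FreeBSD; the function names and the file paths passed to them are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: preflight check for the veriexec build settings named in
# the message. All file paths are supplied by the caller (assumption).

# has_option FILE NAME: true if FILE has an uncommented "options NAME" line.
has_option() {
    sed 's/#.*//' "$1" |
        grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|\$)"
}

# check_veriexec KERNCONF SRCCONF FILES
# Prints one line per problem; return status is the number of problems.
check_veriexec() {
    problems=0
    for opt in MAC MAC_VERIEXEC MAC_VERIEXEC_SHA256 MAC_VERIEXEC_SHA384; do
        if ! has_option "$1" "$opt"; then
            echo "kernel config: no 'options $opt'"
            problems=$((problems + 1))
        fi
    done
    if ! sed 's/#.*//' "$2" | grep -Eq '^[[:space:]]*WITH_BEARSSL[[:space:]]*='; then
        echo "src.conf: WITH_BEARSSL is not set"
        problems=$((problems + 1))
    fi
    # Before the sys/conf/files tweak the driver entry also lists "veriexec".
    if grep -Eq '^dev/veriexec/verified_exec\.c[[:space:]]+optional[[:space:]]+veriexec[[:space:]]+mac_veriexec' "$3"; then
        echo "sys/conf/files: verified_exec.c still requires 'veriexec'"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample inputs: SHA384 is commented out and the files entry
# is still in its pre-tweak form, so two problems are reported.
demo_dir=$(mktemp -d)
cat > "$demo_dir/KERNCONF" <<'EOF'
options MAC
options MAC_VERIEXEC
options MAC_VERIEXEC_SHA256   # sha256 manifests
#options MAC_VERIEXEC_SHA384
EOF
echo 'WITH_BEARSSL=1' > "$demo_dir/src.conf"
echo 'dev/veriexec/verified_exec.c optional veriexec mac_veriexec' > "$demo_dir/files"
check_veriexec "$demo_dir/KERNCONF" "$demo_dir/src.conf" "$demo_dir/files" || echo "problems: $?"
```

The check reads only the files it is given and does not follow `include` lines in a kernel config.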