Date: Thu, 12 Jul 2018 11:14:33 -0700 From: "Simon J. Gerraty" <sjg@juniper.net> To: <cem@freebsd.org>, "freebsd-arch@freebsd.org" <arch@freebsd.org>, "Stephen J. Kiernan" <stevek@freebsd.org>, <sjg@juniper.net> Subject: Re: Veriexec Message-ID: <8666.1531419273@kaos.jnpr.net> In-Reply-To: <88827.1530660165@kaos.jnpr.net> References: <CAG6CVpW3xL5pmiU91WgzXKram7ogMYNzBF3a-ggaXjkD3fMbWw@mail.gmail.com> <88827.1530660165@kaos.jnpr.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Simon J. Gerraty <sjg@juniper.net> wrote: > I've been working on tweaks to libve to make it suitable for use for a > new loader that can verify the manifest signatures. FYI this is done, and initial testing completed. The manifest parser/lexer are derrived from the one in Junos. The version of mac_veriexec in tree does not yet support storing maclabels so the veriexec util has some ifdef's to deal with that (same as Junos where we have to worry during upgrade about all combinations of new kernel/old util and vice versa.) I deally I'd like to see mac_veriexec up to date, so we can avoid all those ifdef's. Since it relies on the trust store and verification stuff in libve (D16155) I'm not sure there's any point posting diffs until we close on that, and in the meantime steve may find enough time to update mac_veriexec, though as I mentioned before work has an anoying habbit of getting in the way. A follow-on effort might be to allow libve to use either BearSSL (needed for loader due to size), or OpenSSL. --sjg
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8666.1531419273>