From nobody Fri Apr 10 17:47:07 2026 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fsklJ1Qdzz6Y6MF for ; Fri, 10 Apr 2026 17:47:08 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fsklJ0Tjmz3vLq for ; Fri, 10 Apr 2026 17:47:08 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1775843228; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=wbXBKTQLGlzfM9fe17T998xqr7q8Ups99Pd84eocA8g=; b=Avv3CHync5F1+6y2g3KeDVCeebH5a6hiz1vlkDpjyWMmH94/e5C46d3mHhebRsptU28d9n z9WhcE+C/OextUNcT15m2aqlkp0NZC3D5+TPmf813f7jOaKq/WC0UwsrLvk+UzxLgOwKmC 9wpXQEX7Mzxb+YbNigNWXIOu1VkuER+jFsFl+XkjhtG6BrpthWogMNoba4VYC2RW7eBEph cRECe9usttCmbSee86xGmrL5+EqwWELRbEis1TfjQY77Ta3XPQU0XLeUGS3/ZbO6r2HOQf 7zYJShD4CT5/OFH7OpsIb5+Msemei0X8NsPusfMC9Scpd7wCJWgawCE5dR5gZA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1775843228; a=rsa-sha256; cv=none; b=kYCh2w7ywc4nHUZg5tt+zqqB8aF5dWyBTgZpBgE3lmXNtm2j33+vogUMel8pYu3oSLS1R4 V6QN0VSWk9pe6HX3XONK/m+akpEHisyYX0ikxqYNTNV2Ol41kxz/pvVs5q+fDzZ0+PhnuW BintkJymPjjebjBksSP3eOytUI1g0m119UFuACP6xZ1P7fLerpoyUh1MXFT/CQyJOgwUax Z+yegA4/7Hy5qwDtYRbYogBXkXMlsi1rx57gOwbHmVOQtTsQHtgIhWp+8hXRwkvhVh0MrS XI6tae9xTI0n1bg3VPQXeHtxGJnGuckSQGUrz+KeX2ZmCw5zqx7xceSfvnECVA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1775843228; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=wbXBKTQLGlzfM9fe17T998xqr7q8Ups99Pd84eocA8g=; b=OcwF98+qCgDWt89AMiP4c2JDcGS9FvNUtmAmLYx++tAmBhm93lFvsMuoVqL5T+oOCXiogX G7sFLWAG0/zSYsIft2dfzLM86+JhzndqUFX/ZLauIaafSWiMrlxhtTA9TrnyueD+nln/6t nW7IZMsQUkBB/ERYPa+U1m5cUJfI119W9qAoykrwv6lxbDvGU7D0xBAKAt1oZm9xVXHaDe AdLSOFb0Fc/l3Uq2JcsjIc0O4tE0pK7br98s+Mr3+ZE6LaH7zA4W5xNtObWM3sv66vXSrE cagXD2S7AT1igTOd93kWwbsHE5b3sT8z9/LyBrlvMRCrZkqx5XP44f6FsupSWw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4fsklH74q3zvBf for ; Fri, 10 Apr 2026 17:47:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 32cc5 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Fri, 10 Apr 2026 17:47:07 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Simon J. Gerraty Subject: git: 35bbdfad2862 - main - Pass severity to vectx_open() rather than vectx_close() List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: sjg X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 35bbdfad28626255c63360d98c45e41f2c692ef0 Auto-Submitted: auto-generated Date: Fri, 10 Apr 2026 17:47:07 +0000 Message-Id: <69d9379b.32cc5.bb2e37f@gitrepo.freebsd.org> The branch main has been updated by sjg: URL: https://cgit.FreeBSD.org/src/commit/?id=35bbdfad28626255c63360d98c45e41f2c692ef0 commit 35bbdfad28626255c63360d98c45e41f2c692ef0 Author: Simon J. Gerraty AuthorDate: 2026-04-10 17:43:15 +0000 Commit: Simon J. Gerraty CommitDate: 2026-04-10 17:46:54 +0000 Pass severity to vectx_open() rather than vectx_close() file_loadraw() can have a need to load unverified files like "dtrace_dof". Allow severity_guess() to look at the filename but if it returns less than VE_MUST check that the type is not one we insist on verifying. In vectx_open if severity < VE_MUST we can allow it to be unverified. If passed VE_GUESS we call severity_guess(). Regardless, we record severity in ctx so it is available to vectx_close(). Sponsored by: Hewlett Packard Enterprise Development LP Reviewed by: khng Differential Revision: https://reviews.freebsd.org/D56297 --- lib/libsecureboot/h/verify_file.h | 5 ++-- lib/libsecureboot/tests/tvo.c | 6 ++--- lib/libsecureboot/vectx.c | 48 ++++++++++++++++++++++++++------------- lib/libsecureboot/verify_file.c | 3 ++- stand/common/commands.c | 2 +- stand/common/load_elf.c | 7 +++--- stand/common/load_elf_obj.c | 5 ++-- stand/common/module.c | 16 +++++++++++-- stand/i386/loader/chain.c | 4 ++-- 9 files changed, 64 insertions(+), 32 deletions(-) diff --git a/lib/libsecureboot/h/verify_file.h b/lib/libsecureboot/h/verify_file.h index f918ed6d0e38..19bef24b1dee 100644 --- a/lib/libsecureboot/h/verify_file.h +++ b/lib/libsecureboot/h/verify_file.h @@ -51,6 +51,7 @@ int ve_status_get(int); int load_manifest(const char *, const char *, const char *, struct stat *); int pass_manifest(const char *, const char *); int pass_manifest_export_envs(void); +int severity_guess(const char *); void verify_report(const char *, int, int, struct stat *); int verify_file(int, const char *, off_t, int, const char *); void verify_pcr_export(void); @@ -59,9 +60,9 @@ int is_verified(struct stat *); void add_verify_status(struct stat *, int); struct vectx; -struct vectx* vectx_open(int, const char *, off_t, struct stat *, int *, const char *); +struct vectx* vectx_open(int, const char *, int, off_t, struct stat *, int *, const char *); ssize_t vectx_read(struct vectx *, void *, size_t); off_t vectx_lseek(struct vectx *, off_t, int); -int vectx_close(struct vectx *, int, const char *); +int vectx_close(struct vectx *, const char *); #endif /* _VERIFY_FILE_H_ */ diff --git a/lib/libsecureboot/tests/tvo.c b/lib/libsecureboot/tests/tvo.c index 7851e79c5a2a..407fcbefd6db 100644 --- a/lib/libsecureboot/tests/tvo.c +++ b/lib/libsecureboot/tests/tvo.c @@ -170,8 +170,8 @@ main(int argc, char *argv[]) fstat(fd, &st); lseek(fd, 0, SEEK_SET); off = st.st_size % 512; - vp = vectx_open(fd, argv[optind], off, - &st, &error, __func__); + vp = vectx_open(fd, argv[optind], VE_GUESS, + off, &st, &error, __func__); if (!vp) { printf("vectx_open(%s) failed: %d %s\n", argv[optind], error, @@ -190,7 +190,7 @@ main(int argc, char *argv[]) off = vectx_lseek(vp, 0, SEEK_END); /* repeating that should be harmless */ off = vectx_lseek(vp, 0, SEEK_END); - error = vectx_close(vp, VE_MUST, __func__); + error = vectx_close(vp, __func__); if (error) { printf("vectx_close(%s) == %d %s\n", argv[optind], error, diff --git a/lib/libsecureboot/vectx.c b/lib/libsecureboot/vectx.c index 2d56830cd81d..4b42293a0d93 100644 --- a/lib/libsecureboot/vectx.c +++ b/lib/libsecureboot/vectx.c @@ -60,6 +60,7 @@ struct vectx { int vec_fd; /* file descriptor */ int vec_status; /* verification status */ int vec_closing; /* we are closing */ + int vec_severity; /* usually VE_MUST */ }; @@ -93,7 +94,8 @@ struct vectx { * NULL is only returned for non-files or out-of-memory. */ struct vectx * -vectx_open(int fd, const char *path, off_t off, struct stat *stp, +vectx_open(int fd, const char *path, int severity, + off_t off, struct stat *stp, int *error, const char *caller) { struct vectx *ctx; @@ -106,14 +108,19 @@ vectx_open(int fd, const char *path, off_t off, struct stat *stp, stp = &st; rc = verify_prep(fd, path, off, stp, __func__); + if (severity == VE_GUESS) + severity = severity_guess(path); DEBUG_PRINTF(2, - ("vectx_open: caller=%s,fd=%d,name='%s',prep_rc=%d\n", - caller, fd, path, rc)); + ("vectx_open: caller=%s,fd=%d,name='%s',prep_rc=%d,severity=%d\n", + caller, fd, path, rc, severity)); switch (rc) { case VE_FINGERPRINT_NONE: case VE_FINGERPRINT_UNKNOWN: + if (severity < VE_MUST) + break; + /* FALLTHROUGH */ case VE_FINGERPRINT_WRONG: *error = rc; return (NULL); @@ -127,19 +134,24 @@ vectx_open(int fd, const char *path, off_t off, struct stat *stp, ctx->vec_off = 0; ctx->vec_hashed = 0; ctx->vec_want = NULL; + ctx->vec_severity = severity; ctx->vec_status = 0; ctx->vec_hashsz = hashsz = 0; ctx->vec_closing = 0; - if (rc == 0) { + if (rc == VE_UNVERIFIED_OK) { /* we are not verifying this */ *error = 0; return (ctx); } cp = fingerprint_info_lookup(fd, path); if (!cp) { - ctx->vec_status = VE_FINGERPRINT_NONE; - ve_error_set("%s: no entry", path); + if (severity < VE_MUST) + ctx->vec_status = VE_UNVERIFIED_OK; + else { + ctx->vec_status = VE_FINGERPRINT_NONE; + ve_error_set("%s: no entry", path); + } } else { if (strncmp(cp, "no_hash", 7) == 0) { ctx->vec_status = VE_FINGERPRINT_IGNORE; @@ -167,8 +179,12 @@ vectx_open(int fd, const char *path, off_t off, struct stat *stp, cp += 7; #endif } else { - ctx->vec_status = VE_FINGERPRINT_UNKNOWN; - ve_error_set("%s: no supported fingerprint", path); + if (severity < VE_MUST) + ctx->vec_status = VE_UNVERIFIED_OK; + else { + ctx->vec_status = VE_FINGERPRINT_UNKNOWN; + ve_error_set("%s: no supported fingerprint", path); + } } } *error = ctx->vec_status; @@ -183,9 +199,9 @@ vectx_open(int fd, const char *path, off_t off, struct stat *stp, } } DEBUG_PRINTF(2, - ("vectx_open: caller=%s,name='%s',hashsz=%lu,status=%d\n", + ("vectx_open: caller=%s,name='%s',hashsz=%lu,severity=%d,status=%d\n", caller, path, (unsigned long)ctx->vec_hashsz, - ctx->vec_status)); + severity, ctx->vec_status)); return (ctx); enomem: /* unlikely */ @@ -379,7 +395,7 @@ vectx_lseek(struct vectx *ctx, off_t off, int whence) * @return 0 or an error. */ int -vectx_close(struct vectx *ctx, int severity, const char *caller) +vectx_close(struct vectx *ctx, const char *caller) { int rc; @@ -393,7 +409,7 @@ vectx_close(struct vectx *ctx, int severity, const char *caller) * these tend to be processed in a more deterministic * order, which makes our pseudo pcr more useful. */ - ve_pcr_updating_set((severity == VE_MUST)); + ve_pcr_updating_set((ctx->vec_severity == VE_MUST)); #endif /* make sure we have hashed it all */ vectx_lseek(ctx, 0, SEEK_END); @@ -401,13 +417,13 @@ vectx_close(struct vectx *ctx, int severity, const char *caller) ctx->vec_path, ctx->vec_want, ctx->vec_hashsz); } DEBUG_PRINTF(2, - ("vectx_close: caller=%s,name='%s',rc=%d,severity=%d\n", - caller,ctx->vec_path, rc, severity)); - verify_report(ctx->vec_path, severity, rc, NULL); + ("vectx_close: caller=%s,name='%s',severity=%d,rc=%d\n", + caller,ctx->vec_path, ctx->vec_severity, rc)); + verify_report(ctx->vec_path, ctx->vec_severity, rc, NULL); if (rc == VE_FINGERPRINT_WRONG) { #if !defined(UNIT_TEST) && !defined(DEBUG_VECTX) /* we are generally called with VE_MUST */ - if (severity > VE_WANT) + if (ctx->vec_severity > VE_WANT) panic("cannot continue"); #endif } diff --git a/lib/libsecureboot/verify_file.c b/lib/libsecureboot/verify_file.c index ee263dafe774..b1aad36672d0 100644 --- a/lib/libsecureboot/verify_file.c +++ b/lib/libsecureboot/verify_file.c @@ -271,7 +271,7 @@ find_manifest(const char *name) # define ACCEPT_NO_FP_DEFAULT VE_MUST #endif -static int +int severity_guess(const char *filename) { const char *cp; @@ -285,6 +285,7 @@ severity_guess(const char *filename) */ if ((cp = strrchr(filename, '.'))) { if (strcmp(cp, ".cookie") == 0 || + strcmp(cp, ".dof") == 0 || strcmp(cp, ".hints") == 0 || strcmp(cp, ".order") == 0 || strcmp(cp, ".tgz") == 0) diff --git a/stand/common/commands.c b/stand/common/commands.c index 41687ece42fd..4ed247a6b935 100644 --- a/stand/common/commands.c +++ b/stand/common/commands.c @@ -308,7 +308,7 @@ command_set(int argc, char *argv[]) ves = ve_status_get(-1); if (ves == VE_UNVERIFIED_OK) { #ifdef LOADER_VERIEXEC_TESTING - printf("Checking: %s\n", var); + printf("Checking: %s\n", argv[1]); #endif if (is_restricted_var(argv[1])) { printf("Ignoring restricted variable: %s\n", diff --git a/stand/common/load_elf.c b/stand/common/load_elf.c index b9f55a21e403..10131f7ccb88 100644 --- a/stand/common/load_elf.c +++ b/stand/common/load_elf.c @@ -283,7 +283,8 @@ __elfN(load_elf_header)(char *filename, elf_file_t ef) { int verror; - ef->vctx = vectx_open(ef->fd, filename, 0L, NULL, &verror, __func__); + ef->vctx = vectx_open(ef->fd, filename, VE_MUST, + 0L, NULL, &verror, __func__); if (verror) { printf("Unverified %s: %s\n", filename, ve_error_get()); close(ef->fd); @@ -504,7 +505,7 @@ out: if (!err && ef.vctx) { int verror; - verror = vectx_close(ef.vctx, VE_MUST, __func__); + verror = vectx_close(ef.vctx, __func__); if (verror) { err = EAUTH; file_discard(fp); @@ -1095,7 +1096,7 @@ out: if (!err && ef.vctx) { int verror; - verror = vectx_close(ef.vctx, VE_MUST, __func__); + verror = vectx_close(ef.vctx, __func__); if (verror) { err = EAUTH; file_discard(fp); diff --git a/stand/common/load_elf_obj.c b/stand/common/load_elf_obj.c index 9e32daa53696..706391ffbd8f 100644 --- a/stand/common/load_elf_obj.c +++ b/stand/common/load_elf_obj.c @@ -104,7 +104,8 @@ __elfN(obj_loadfile)(char *filename, uint64_t dest, { int verror; - ef.vctx = vectx_open(ef.fd, filename, 0L, NULL, &verror, __func__); + ef.vctx = vectx_open(ef.fd, filename, VE_MUST, + 0L, NULL, &verror, __func__); if (verror) { printf("Unverified %s: %s\n", filename, ve_error_get()); close(ef.fd); @@ -196,7 +197,7 @@ out: if (!err && ef.vctx) { int verror; - verror = vectx_close(ef.vctx, VE_MUST, __func__); + verror = vectx_close(ef.vctx, __func__); if (verror) { err = EAUTH; file_discard(fp); diff --git a/stand/common/module.c b/stand/common/module.c index bc06ba01fa06..f75428458373 100644 --- a/stand/common/module.c +++ b/stand/common/module.c @@ -661,6 +661,7 @@ file_loadraw(const char *fname, const char *type, int insert) vm_offset_t laddr; #ifdef LOADER_VERIEXEC_VECTX struct vectx *vctx; + int severity; int verror; #endif @@ -690,7 +691,16 @@ file_loadraw(const char *fname, const char *type, int insert) } #ifdef LOADER_VERIEXEC_VECTX - vctx = vectx_open(fd, name, 0L, NULL, &verror, __func__); + severity = severity_guess(name); + if (severity < VE_MUST) { + /* double check against type */ + if (strcmp(type, "md_image") == 0 + || strcmp(type, "mfs_root") == 0 + || strcmp(type, "acpi_dsdt") == 0 + || strcmp(type, "cpu_microcode") == 0) + severity = VE_MUST; + } + vctx = vectx_open(fd, name, severity, 0L, NULL, &verror, __func__); if (verror) { sprintf(command_errbuf, "can't verify '%s': %s", name, ve_error_get()); @@ -741,7 +751,9 @@ file_loadraw(const char *fname, const char *type, int insert) if (module_verbose > MODULE_VERBOSE_SILENT) printf("size=%#jx\n", (uintmax_t)(laddr - loadaddr)); #ifdef LOADER_VERIEXEC_VECTX - verror = vectx_close(vctx, VE_MUST, __func__); + verror = vectx_close(vctx, __func__); + DEBUG_PRINTF(1,("%s: vectx_close(%s): %d\n", __func__, + name, verror)); if (verror) { free(name); close(fd); diff --git a/stand/i386/loader/chain.c b/stand/i386/loader/chain.c index 9d58f9f3de33..5d8d66039770 100644 --- a/stand/i386/loader/chain.c +++ b/stand/i386/loader/chain.c @@ -83,7 +83,7 @@ command_chain(int argc, char *argv[]) } #ifdef LOADER_VERIEXEC_VECTX - vctx = vectx_open(fd, argv[1], 0L, NULL, &verror, __func__); + vctx = vectx_open(fd, argv[1], VE_MUST, 0L, NULL, &verror, __func__); if (verror) { sprintf(command_errbuf, "can't verify: %s", argv[1]); close(fd); @@ -127,7 +127,7 @@ command_chain(int argc, char *argv[]) } close(fd); #ifdef LOADER_VERIEXEC_VECTX - verror = vectx_close(vctx, VE_MUST, __func__); + verror = vectx_close(vctx, __func__); if (verror) { free(vctx); return (CMD_ERROR);