From: "Simon J. Gerraty" <sjg@juniper.net>
Subject: Re: Enable veriexec for 13 Beta 1
Date: Wed, 10 Feb 2021 17:34:43 -0800
Message-ID: <27930.1613007283@kaos.jnpr.net>
In-Reply-To: <187ca3f70566e4dddf13326fba548625@rdsor.ro>
Comments: In-reply-to: dan_partelly@rdsor.ro message dated "Tue, 09 Feb 2021 21:15:53 +0200."
X-BeenThere: freebsd-current@freebsd.org

dan_partelly@rdsor.ro wrote:
> Hey guys,
>
> What are the config knobs for enabling the veriexec driver and veriexec
> mac modules for testing and playing with this new subsystem ?
> User mode knob for user mode tool and lib is documented in man src.conf
>
> Thanks !

You would want...

options MAC
options MAC_VERIEXEC
options MAC_VERIEXEC_SHA256
options MAC_VERIEXEC_SHA384

Oh, sys/conf/files needs a tweak; see below.

sha256 hashes are good for now, but best to have support for bigger in place.

You will want WITH_BEARSSL=1, which will enable VERIEXEC for kernel and LOADER_VERIEXEC, LOADER_VERIEXEC_VECTX and LOADER_EFI_SECUREBOOT.

Also you need to configure lib/libsecureboot/local.trust.mk to provide the trust anchors. This is used by sbin/veriexec, the tool that loads manifests into the kernel, as well as by the loader if LOADER_VERIEXEC is enabled.

You'll need this diff:

diff --git a/sys/conf/files b/sys/conf/files
index 1abfadb1e8d8eb347c2caa8e92a1d86375dc61af..459fcddd693b89d50c9fecfb6cc93515b2799cb6 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -3450,7 +3450,7 @@ dev/videomode/videomode.c optional videomode
 dev/videomode/edid.c optional videomode
 dev/videomode/pickmode.c optional videomode
 dev/videomode/vesagtf.c optional videomode
-dev/veriexec/verified_exec.c optional veriexec mac_veriexec
+dev/veriexec/verified_exec.c optional mac_veriexec
 dev/vge/if_vge.c optional vge
 dev/viapm/viapm.c optional viapm pci
 dev/virtio/virtio.c optional virtio
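Review bot: the `-`/`+` pair in this hunk drops `veriexec` from the dependency list of dev/veriexec/verified_exec.c, so the file now builds whenever `mac_veriexec` is set (the `options MAC_VERIEXEC` recommended above) instead of also requiring a bare `veriexec` option, which none of the four suggested kernel options provide; that would explain why the file was not being built with that config. Before committing, check sys/conf (options, NOTES, any other `optional veriexec` entries) for remaining declarations or uses of the bare `veriexec` option so it does not linger as a dead knob, and state that rationale in the commit message, since the one-word change does not explain itself.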
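To turn the knobs named in the reply above into something checkable, here is an added example in POSIX sh. It is mine, not Simon's code and not FreeBSD's own tooling. It reports which of the four `options` lines are absent from a kernel config (ignoring commented-out lines, so `#options MAC_VERIEXEC` does not pass), checks src.conf for the `WITH_BEARSSL` knob, and emits `path sha256=<hex>` lines for files read from stdin, the kind of input sbin/veriexec loads. Assumptions, labelled in the code as well: the `path sha256=<hex>` manifest line format is from my recollection of veriexec(8) and should be confirmed against the man page on the target release; the `sha256sum`/`sha256 -q` fallback is for portability between GNU and FreeBSD userlands; the paths in the usage comments are placeholders. Nothing here signs a manifest; the trust-anchor side (lib/libsecureboot/local.trust.mk) is a separate step.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD's own tooling): sanity-check
# the veriexec knobs named in the reply and emit a sha256 manifest.
# ASSUMPTION: manifest lines of the form "<path> sha256=<hex>" follow the
# veriexec(8) format as I remember it; confirm against the man page before
# feeding the output to sbin/veriexec. Nothing here signs the manifest; the
# trust anchors in lib/libsecureboot/local.trust.mk are a separate step.

# Kernel options the reply says are needed.
VERIEXEC_KERNEL_OPTS="MAC MAC_VERIEXEC MAC_VERIEXEC_SHA256 MAC_VERIEXEC_SHA384"

# Print, one per line, the options from VERIEXEC_KERNEL_OPTS that are not
# enabled in kernel config $1. Comments are stripped first, so a
# commented-out "#options MAC_VERIEXEC" counts as missing, and the trailing
# (space|end-of-line) keeps "MAC_VERIEXEC" from matching "MAC_VERIEXEC_SHA256".
missing_kernel_opts() {
    conf=$1
    for opt in $VERIEXEC_KERNEL_OPTS; do
        if ! sed 's/#.*//' "$conf" |
             grep -Eq "^[[:space:]]*options[[:space:]]+$opt([[:space:]]|\$)"; then
            printf '%s\n' "$opt"
        fi
    done
}

# Succeed if src.conf $1 sets WITH_BEARSSL (=, ?= or :=), ignoring comments.
has_bearssl_knob() {
    sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*WITH_BEARSSL[[:space:]]*[?:]?='
}

# Hex SHA-256 of file $1: sha256sum on GNU userlands, sha256 -q on FreeBSD.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# Read paths from stdin and write one manifest line per regular file.
# Missing or non-regular paths are reported on stderr and skipped, so a
# typo cannot produce an entry that never matches anything on disk.
gen_manifest() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ ! -f "$p" ]; then
            printf 'skipping %s: not a regular file\n' "$p" >&2
            continue
        fi
        printf '%s sha256=%s\n' "$p" "$(sha256_hex "$p")"
    done
}

# Usage (paths are placeholders):
#   missing_kernel_opts /usr/src/sys/amd64/conf/MYKERNEL
#   has_bearssl_knob /etc/src.conf && echo "WITH_BEARSSL is set"
#   printf '%s\n' /bin/sh /sbin/init | gen_manifest > manifest
```

Run `missing_kernel_opts` against the config you are about to build; an empty result means all four options are live. The comment stripping is the point of the check: a kernel config with the options present but commented out looks right at a glance and still produces a kernel without MAC_VERIEXEC.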