Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 9 Apr 2020 04:50:19 +0000 (UTC)
From:      "Simon J. Gerraty" <sjg@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r359735 - in stable/12: lib/libsecureboot lib/libsecureboot/h lib/libsecureboot/tests share/mk stand stand/common stand/efi/loader stand/efi/loader/arch/i386 stand/ficl stand/i386/libi3...
Message-ID:  <202004090450.0394oJgJ080510@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: sjg
Date: Thu Apr  9 04:50:19 2020
New Revision: 359735
URL: https://svnweb.freebsd.org/changeset/base/359735

Log:
  veloader use vectx API for kernel and modules
  
  The vectx API, computes the hash for verifying a file as it is read.
  This avoids the overhead of reading files twice - once to verify, then
  again to load.
  
  For doing an install via loader, avoiding the need to rewind
  large files is critical.
  
  This API is only used for modules, kernel and mdimage as these are the
  biggest files read by the loader.
  The reduction in boot time depends on how expensive the I/O is
  on any given platform.  On a fast VM we see 6% improvement.
  
  For install via loader the first file to be verified is likely to be the
  kernel, so some of the prep work (finding manifest etc) done by
  verify_file() needs to be factored so it can be reused for
  vectx_open().
  
  For missing or unrecognized fingerprint entries, we fail
  in vectx_open() unless verifying is disabled.
  
  Otherwise fingerprint check happens in vectx_close() and
  since this API is only used for files which must be verified
  (VE_MUST) we panic if we get an incorrect hash.
  
  Fix pkgfs stat so it satisfies libsecureboot
  
  We need a valid st_dev, st_ino and st_mtime
  to correctly track which files have been verified
  and to update our notion of time.
  
  ve_utc_set(): ignore utc if it would jump our current time
  by more than VE_UTC_MAX_JUMP (20 years).
  
  Allow testing of install command via userboot.
  Need to fix its stat implementation too.
  
  bhyveload also needs stat fixed - due to change to userboot.h
  
  Call ve_error_get() from vectx_close() when hash is wrong.
  
  Track the names of files we have hashed into pcr
  
  For the purposes of measured boot, it is important
  to be able to reproduce the hash reflected in
  loader.ve.pcr
  so loader.ve.hashed provides a list of names in the order they
  were added.
  
  Avoid unused vars when VE_ECDSA_HASH_AGAIN undefined
  
  MFC of r358744 r358767 r359307 r355962
  
  Reviewed by:	imp,tsoome,emaste
  Sponsored by:	Juniper Networks
  Differential Revision:	https://reviews.freebsd.org//D23827 https://reviews.freebsd.org//D24027

Added:
  stable/12/stand/common/readin.h
     - copied unchanged from r358767, head/stand/common/readin.h
Modified:
  stable/12/lib/libsecureboot/h/libsecureboot.h
  stable/12/lib/libsecureboot/h/verify_file.h
  stable/12/lib/libsecureboot/tests/tvo.c
  stable/12/lib/libsecureboot/vectx.c
  stable/12/lib/libsecureboot/veopen.c
  stable/12/lib/libsecureboot/vepcr.c
  stable/12/lib/libsecureboot/verify_file.c
  stable/12/lib/libsecureboot/vets.c
  stable/12/share/mk/src.opts.mk
  stable/12/stand/common/bootstrap.h
  stable/12/stand/common/install.c
  stable/12/stand/common/interp_forth.c
  stable/12/stand/common/interp_simple.c
  stable/12/stand/common/load_elf.c
  stable/12/stand/common/load_elf_obj.c
  stable/12/stand/common/misc.c
  stable/12/stand/common/module.c
  stable/12/stand/efi/loader/arch/i386/i386_copy.c
  stable/12/stand/efi/loader/copy.c
  stable/12/stand/efi/loader/loader_efi.h
  stable/12/stand/efi/loader/main.c
  stable/12/stand/ficl/loader.c
  stable/12/stand/i386/libi386/i386_copy.c
  stable/12/stand/i386/libi386/libi386.h
  stable/12/stand/i386/loader/chain.c
  stable/12/stand/libsa/pkgfs.c
  stable/12/stand/loader.mk
  stable/12/stand/mips/beri/loader/arch.c
  stable/12/stand/powerpc/kboot/main.c
  stable/12/stand/uboot/lib/copy.c
  stable/12/stand/uboot/lib/libuboot.h
  stable/12/stand/userboot/test/test.c
  stable/12/stand/userboot/userboot.h
  stable/12/stand/userboot/userboot/conf.c
  stable/12/stand/userboot/userboot/copy.c
  stable/12/stand/userboot/userboot/host.c
  stable/12/stand/userboot/userboot/libuserboot.h
  stable/12/usr.sbin/bhyveload/bhyveload.c

Modified: stable/12/lib/libsecureboot/h/libsecureboot.h
==============================================================================
--- stable/12/lib/libsecureboot/h/libsecureboot.h	Thu Apr  9 02:00:59 2020	(r359734)
+++ stable/12/lib/libsecureboot/h/libsecureboot.h	Thu Apr  9 04:50:19 2020	(r359735)
@@ -69,12 +69,6 @@ void fingerprint_info_add(const char *, const char *, 
 int ve_check_hash(br_hash_compat_context *, const br_hash_class *,
     const char *, const char *, size_t);
 
-struct vectx;
-struct vectx* vectx_open(int, const char *, off_t, struct stat *, int *);
-ssize_t vectx_read(struct vectx *, void *, size_t);
-off_t vectx_lseek(struct vectx *, off_t, int);
-int vectx_close(struct vectx *);
-
 char * hexdigest(char *, size_t, unsigned char *, size_t);
 int  verify_fd(int, const char *, off_t, struct stat *);
 int  verify_open(const char *, int);
@@ -84,10 +78,11 @@ unsigned char *verify_sig(const char *, int);
 unsigned char *verify_asc(const char *, int); /* OpenPGP */
 
 void ve_pcr_init(void);
-void ve_pcr_update(unsigned char *, size_t);
+void ve_pcr_update(const char *, unsigned char *, size_t);
 ssize_t ve_pcr_get(unsigned char *, size_t);
 int ve_pcr_updating_get(void);
 void ve_pcr_updating_set(int);
+char * ve_pcr_hashed_get(int);
 
 /* flags for verify_{asc,sig,signed} */
 #define VEF_VERBOSE		1

Modified: stable/12/lib/libsecureboot/h/verify_file.h
==============================================================================
--- stable/12/lib/libsecureboot/h/verify_file.h	Thu Apr  9 02:00:59 2020	(r359734)
+++ stable/12/lib/libsecureboot/h/verify_file.h	Thu Apr  9 04:50:19 2020	(r359735)
@@ -39,13 +39,21 @@
 
 struct stat;
 
-void    ve_debug_set(int);
-int     ve_status_get(int);
-void    ve_efi_init(void);
-int     load_manifest(const char *, const char *, const char *, struct stat *);
-int     pass_manifest(const char *, const char *);
-int     pass_manifest_export_envs(void);
-int     verify_file(int, const char *, off_t, int);
-void    verify_pcr_export(void);
+int	verify_prep(int, const char *, off_t, struct stat *, const char *);
+void	ve_debug_set(int);
+char	*ve_error_get(void);
+void	ve_efi_init(void);
+int	ve_status_get(int);
+int	load_manifest(const char *, const char *, const char *, struct stat *);
+int	pass_manifest(const char *, const char *);
+int	pass_manifest_export_envs(void);
+int	verify_file(int, const char *, off_t, int, const char *);
+void	verify_pcr_export(void);
+
+struct vectx;
+struct vectx* vectx_open(int, const char *, off_t, struct stat *, int *, const char *);
+ssize_t	vectx_read(struct vectx *, void *, size_t);
+off_t	vectx_lseek(struct vectx *, off_t, int);
+int	vectx_close(struct vectx *, int, const char *);
 
 #endif	/* _VERIFY_FILE_H_ */

Modified: stable/12/lib/libsecureboot/tests/tvo.c
==============================================================================
--- stable/12/lib/libsecureboot/tests/tvo.c	Thu Apr  9 02:00:59 2020	(r359734)
+++ stable/12/lib/libsecureboot/tests/tvo.c	Thu Apr  9 04:50:19 2020	(r359735)
@@ -31,6 +31,8 @@ __FBSDID("$FreeBSD$");
 #include <err.h>
 #include <verify_file.h>
 
+size_t DestdirLen;
+char *Destdir;
 char *Skip;
 
 int
@@ -42,7 +44,10 @@ main(int argc, char *argv[])
 	int Vflag;
 	char *cp;
 	char *prefix;
+	char *destdir;
 
+	Destdir = NULL;
+	DestdirLen = 0;
 	prefix = NULL;
 	Skip = NULL;
 
@@ -50,8 +55,12 @@ main(int argc, char *argv[])
 	printf("Trust %d\n", n);
 	Vflag = 0;
 
-	while ((c = getopt(argc, argv, "dp:s:T:V")) != -1) {
+	while ((c = getopt(argc, argv, "D:dp:s:T:V")) != -1) {
 		switch (c) {
+		case 'D':
+			Destdir = optarg;
+			DestdirLen = strlen(optarg);
+			break;
 		case 'd':
 			DebugVe++;
 			break;
@@ -92,7 +101,7 @@ main(int argc, char *argv[])
 				 */
 				int x;
 
-				x = verify_file(fd, argv[optind], 0, VE_GUESS);
+				x = verify_file(fd, argv[optind], 0, VE_GUESS, __func__);
 				printf("verify_file(%s) = %d\n", argv[optind], x);
 				close(fd);
 			}
@@ -147,7 +156,7 @@ main(int argc, char *argv[])
 				lseek(fd, 0, SEEK_SET);
 				off = st.st_size % 512;
 				vp = vectx_open(fd, argv[optind], off,
-				    &st, &error);
+				    &st, &error, __func__);
 				if (!vp) {
 					printf("vectx_open(%s) failed: %d %s\n",
 					    argv[optind], error,
@@ -155,7 +164,8 @@ main(int argc, char *argv[])
 				} else {
 					off = vectx_lseek(vp,
 					    (st.st_size % 1024), SEEK_SET);
-
+					/* we can seek backwards! */
+					off = vectx_lseek(vp, off/2, SEEK_SET);
 					if (off < st.st_size) {
 						n = vectx_read(vp, buf,
 						    sizeof(buf));
@@ -165,7 +175,7 @@ main(int argc, char *argv[])
 					off = vectx_lseek(vp, 0, SEEK_END);
 					/* repeating that should be harmless */
 					off = vectx_lseek(vp, 0, SEEK_END);
-					error = vectx_close(vp);
+					error = vectx_close(vp, VE_MUST, __func__);
 					if (error) {
 						printf("vectx_close(%s) == %d %s\n",
 						    argv[optind], error,

Modified: stable/12/lib/libsecureboot/vectx.c
==============================================================================
--- stable/12/lib/libsecureboot/vectx.c	Thu Apr  9 02:00:59 2020	(r359734)
+++ stable/12/lib/libsecureboot/vectx.c	Thu Apr  9 04:50:19 2020	(r359735)
@@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$");
 #endif
 
 #include "libsecureboot-priv.h"
+#include <verify_file.h>
 
 /**
  * @file vectx.c
@@ -50,12 +51,14 @@ struct vectx {
 	const char	*vec_path;	/* path we are verifying */
 	const char	*vec_want;	/* hash value we want */
 	off_t		vec_off;	/* current offset */
+	off_t		vec_hashed;	/* where we have hashed to */
 	size_t		vec_size;	/* size of path */
 	size_t		vec_hashsz;	/* size of hash */
 	int		vec_fd;		/* file descriptor */
 	int		vec_status;	/* verification status */
 };
 
+
 /**
  * @brief
  * verify an open file as we read it
@@ -86,24 +89,31 @@ struct vectx {
  *	NULL is only returned for non-files or out-of-memory.
  */
 struct vectx *
-vectx_open(int fd, const char *path, off_t off, struct stat *stp, int *error)
+vectx_open(int fd, const char *path, off_t off, struct stat *stp,
+    int *error, const char *caller)
 {
 	struct vectx *ctx;
 	struct stat st;
 	size_t hashsz;
 	char *cp;
+	int rc;
 
-	if (!stp) {
-		if (fstat(fd, &st) == 0)
-			stp = &st;
-	}
+	if (!stp)
+	    stp = &st;
 
-	/* we *should* only get called for files */
-	if (stp && !S_ISREG(stp->st_mode)) {
-		*error = 0;
+	rc = verify_prep(fd, path, off, stp, __func__);
+
+	DEBUG_PRINTF(2,
+	    ("vectx_open: caller=%s,fd=%d,name='%s',prep_rc=%d\n",
+		caller, fd, path, rc));
+
+	switch (rc) {
+	case VE_FINGERPRINT_NONE:
+	case VE_FINGERPRINT_UNKNOWN:
+	case VE_FINGERPRINT_WRONG:
+		*error = rc;
 		return (NULL);
 	}
-
 	ctx = malloc(sizeof(struct vectx));
 	if (!ctx)
 		goto enomem;
@@ -111,10 +121,16 @@ vectx_open(int fd, const char *path, off_t off, struct
 	ctx->vec_path = path;
 	ctx->vec_size = stp->st_size;
 	ctx->vec_off = 0;
+	ctx->vec_hashed = 0;
 	ctx->vec_want = NULL;
 	ctx->vec_status = 0;
-	hashsz = 0;
+	ctx->vec_hashsz = hashsz = 0;
 
+	if (rc == 0) {
+		/* we are not verifying this */
+		*error = 0;
+		return (ctx);
+	}
 	cp = fingerprint_info_lookup(fd, path);
 	if (!cp) {
 		ctx->vec_status = VE_FINGERPRINT_NONE;
@@ -161,6 +177,10 @@ vectx_open(int fd, const char *path, off_t off, struct
 			vectx_lseek(ctx, off, SEEK_SET);
 		}
 	}
+	DEBUG_PRINTF(2,
+	    ("vectx_open: caller=%s,name='%s',hashsz=%lu,status=%d\n",
+		caller, path, (unsigned long)ctx->vec_hashsz,
+		ctx->vec_status));
 	return (ctx);
 
 enomem:					/* unlikely */
@@ -175,6 +195,8 @@ enomem:					/* unlikely */
  *
  * It is critical that all file I/O comes through here.
  * We keep track of current offset.
+ * We also track what offset we have hashed to,
+ * so we won't replay data if we seek backwards.
  *
  * @param[in] pctx
  *	pointer to ctx
@@ -190,6 +212,8 @@ vectx_read(struct vectx *ctx, void *buf, size_t nbytes
 {
 	unsigned char *bp = buf;
 	int n;
+	int delta;
+	int x;
 	size_t off;
 
 	if (ctx->vec_hashsz == 0)	/* nothing to do */
@@ -201,9 +225,20 @@ vectx_read(struct vectx *ctx, void *buf, size_t nbytes
 		if (n < 0)
 			return (n);
 		if (n > 0) {
-			ctx->vec_md->update(&ctx->vec_ctx.vtable, &bp[off], n);
-			off += n;
-			ctx->vec_off += n;
+			/* we may have seeked backwards! */
+			delta = ctx->vec_hashed - ctx->vec_off;
+			if (delta > 0) {
+				x = MIN(delta, n);
+				off += x;
+				n -= x;
+				ctx->vec_off += x;
+			}
+			if (n > 0) {
+				ctx->vec_md->update(&ctx->vec_ctx.vtable, &bp[off], n);
+				off += n;
+				ctx->vec_off += n;
+				ctx->vec_hashed += n;
+			}
 		}
 	} while (n > 0 && off < nbytes);
 	return (off);
@@ -213,10 +248,10 @@ vectx_read(struct vectx *ctx, void *buf, size_t nbytes
  * @brief
  * vectx equivalent of lseek
  *
- * We do not actually, seek, but call vectx_read
+ * When seeking forwards we actually call vectx_read
  * to reach the desired offset.
  *
- * We do not support seeking backwards.
+ * We support seeking backwards.
  *
  * @param[in] pctx
  *	pointer to ctx
@@ -225,6 +260,8 @@ vectx_read(struct vectx *ctx, void *buf, size_t nbytes
  *	desired offset
  *
  * @param[in] whence
+ * 	We try to convert whence to ``SEEK_SET``.
+ *	We do not support ``SEEK_DATA`` or ``SEEK_HOLE``.
  *
  * @return offset or error.
  */
@@ -239,22 +276,26 @@ vectx_lseek(struct vectx *ctx, off_t off, int whence)
 		return (lseek(ctx->vec_fd, off, whence));
 
 	/*
-	 * Try to convert whence to SEEK_SET
-	 * but we cannot support seeking backwards!
-	 * Nor beyond end of file.
+	 * Convert whence to SEEK_SET
 	 */
 	if (whence == SEEK_END && off <= 0) {
 		whence = SEEK_SET;
 		off += ctx->vec_size;
-	} else if (whence == SEEK_CUR && off >= 0) {
+	} else if (whence == SEEK_CUR) {
 		whence = SEEK_SET;
 		off += ctx->vec_off;
 	}
-	if (whence != SEEK_SET || off < ctx->vec_off ||
+	if (whence != SEEK_SET ||
 	    (size_t)off > ctx->vec_size) {
-		printf("ERROR: %s: unsupported operation\n",  __func__);
+		printf("ERROR: %s: unsupported operation: whence=%d off=%lld -> %lld\n",
+		    __func__, whence, (long long)ctx->vec_off, (long long)off);
 		return (-1);
 	}
+	if (off < ctx->vec_hashed) {
+		/* seeking backwards! just do it */
+		ctx->vec_off = lseek(ctx->vec_fd, off, whence);
+		return (ctx->vec_off);
+	}
 	n = 0;
 	do {
 		delta = off - ctx->vec_off;
@@ -275,21 +316,48 @@ vectx_lseek(struct vectx *ctx, off_t off, int whence)
  * We have finished reading file, compare the hash with what
  * we wanted.
  *
+ * Be sure to call this before closing the file, since we may
+ * need to seek to the end to ensure hashing is complete.
+ *
  * @param[in] pctx
  *	pointer to ctx
  *
  * @return 0 or an error.
  */
 int
-vectx_close(struct vectx *ctx)
+vectx_close(struct vectx *ctx, int severity, const char *caller)
 {
 	int rc;
 
 	if (ctx->vec_hashsz == 0) {
 		rc = ctx->vec_status;
 	} else {
+#ifdef VE_PCR_SUPPORT
+		/*
+		 * Only update pcr with things that must verify
+		 * these tend to be processed in a more deterministic
+		 * order, which makes our pseudo pcr more useful.
+		 */
+		ve_pcr_updating_set((severity == VE_MUST));
+#endif
+		/* make sure we have hashed it all */
+		vectx_lseek(ctx, 0, SEEK_END);
 		rc = ve_check_hash(&ctx->vec_ctx, ctx->vec_md,
 		    ctx->vec_path, ctx->vec_want, ctx->vec_hashsz);
+	}
+	DEBUG_PRINTF(2,
+	    ("vectx_close: caller=%s,name='%s',rc=%d,severity=%d\n",
+		caller,ctx->vec_path, rc, severity));
+	if (rc == VE_FINGERPRINT_WRONG) {
+		printf("Unverified: %s\n", ve_error_get());
+#if !defined(UNIT_TEST) && !defined(DEBUG_VECTX)
+		/* we are generally called with VE_MUST */
+		if (severity > VE_WANT)
+			panic("cannot continue");
+#endif
+	} else if (severity > VE_WANT) {
+		printf("%serified %s\n", (rc <= 0) ? "Unv" : "V",
+		    ctx->vec_path);
 	}
 	free(ctx);
 	return ((rc < 0) ? rc : 0);

Modified: stable/12/lib/libsecureboot/veopen.c
==============================================================================
--- stable/12/lib/libsecureboot/veopen.c	Thu Apr  9 02:00:59 2020	(r359734)
+++ stable/12/lib/libsecureboot/veopen.c	Thu Apr  9 04:50:19 2020	(r359735)
@@ -86,9 +86,11 @@ fingerprint_info_add(const char *filename, const char 
 		}
 		nfip->fi_prefix = strdup(filename);
 		cp = strrchr(nfip->fi_prefix, '/');
-		if (cp)
+		if (cp == nfip->fi_prefix) {
+			cp[1] = '\0';
+		} else if (cp) {
 			*cp = '\0';
-		else {
+		} else {
 			free(nfip->fi_prefix);
 			free(nfip);
 			return;
@@ -96,7 +98,7 @@ fingerprint_info_add(const char *filename, const char 
 	}
 	/* collapse any trailing ..[/] */
 	n = 0;
-	while ((cp = strrchr(nfip->fi_prefix, '/')) != NULL) {
+	while ((cp = strrchr(nfip->fi_prefix, '/')) > nfip->fi_prefix) {
 		if (cp[1] == '\0') {	/* trailing "/" */
 			*cp = '\0';
 			continue;

Modified: stable/12/lib/libsecureboot/vepcr.c
==============================================================================
--- stable/12/lib/libsecureboot/vepcr.c	Thu Apr  9 02:00:59 2020	(r359734)
+++ stable/12/lib/libsecureboot/vepcr.c	Thu Apr  9 04:50:19 2020	(r359735)
@@ -25,6 +25,7 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
+#include <sys/queue.h>
 #include "libsecureboot-priv.h"
 
 /*
@@ -43,8 +44,17 @@ __FBSDID("$FreeBSD$");
 static const br_hash_class *pcr_md = NULL;
 static br_hash_compat_context pcr_ctx;
 static size_t pcr_hlen = 0;
-static int pcr_updating;
+static int pcr_updating = -1;
 
+struct hashed_info {
+	const char *hi_path;
+	const char *hi_basename;
+	STAILQ_ENTRY(hashed_info) entries;
+};
+
+static STAILQ_HEAD(, hashed_info) hi_list;
+
+
 /**
  * @brief initialize pcr context
  *
@@ -54,10 +64,13 @@ static int pcr_updating;
 void
 ve_pcr_init(void)
 {
-	pcr_updating = 0;
-	pcr_hlen = br_sha256_SIZE;
-	pcr_md = &br_sha256_vtable;
-	pcr_md->init(&pcr_ctx.vtable);
+	if (pcr_updating < 0) {
+		pcr_updating = 0;
+		pcr_hlen = br_sha256_SIZE;
+		pcr_md = &br_sha256_vtable;
+		pcr_md->init(&pcr_ctx.vtable);
+		STAILQ_INIT(&hi_list);
+	}
 }
 
 /**
@@ -82,10 +95,28 @@ ve_pcr_updating_set(int updating)
  * @brief update pcr context
  */
 void
-ve_pcr_update(unsigned char *data, size_t dlen)
+ve_pcr_update(const char *path, unsigned char *data, size_t dlen)
 {
-	if (pcr_updating != 0 && pcr_md != NULL)
+	struct hashed_info *hip;
+	
+	if (pcr_updating > 0 && pcr_md != NULL) {
 		pcr_md->update(&pcr_ctx.vtable, data, dlen);
+		/* if mallocs fail, measured boot will likely fail too */
+		if ((hip = malloc(sizeof(struct hashed_info)))) {
+			hip->hi_path = strdup(path);
+			if (!hip->hi_path) {
+			    free(hip);
+			    return;
+			}
+			hip->hi_basename = strrchr(hip->hi_path, '/');
+			if (hip->hi_basename) {
+				hip->hi_basename++;
+			} else {
+				hip->hi_basename = hip->hi_path;
+			}
+			STAILQ_INSERT_TAIL(&hi_list, hip, entries);
+		}
+	}
 }
 
 /**
@@ -102,3 +133,37 @@ ve_pcr_get(unsigned char *buf, size_t sz)
 	return (pcr_hlen);
 }
 
+/**
+ * @brief get list of paths in prc
+ */
+char *
+ve_pcr_hashed_get(int flags)
+{
+	const char *cp;
+	char *hinfo;
+	struct hashed_info *hip;
+	size_t nbytes;
+	size_t x;
+	int n;
+
+	n = 0;
+	nbytes = x = 0;
+	hinfo = NULL;
+	STAILQ_FOREACH(hip, &hi_list, entries) {
+		nbytes += 1 + strlen(flags ? hip->hi_basename : hip->hi_path);
+	}
+	if (nbytes > 1) {
+		hinfo = malloc(nbytes + 2);
+		if (hinfo) {
+			STAILQ_FOREACH(hip, &hi_list, entries) {
+				cp = flags ? hip->hi_basename : hip->hi_path;
+				n = snprintf(&hinfo[x], nbytes - x, "%s,", cp);
+				x += n;
+			}
+			if (x > 0) {
+				hinfo[x-1] = '\0';
+			}
+		}
+	}
+	return hinfo;
+}

Modified: stable/12/lib/libsecureboot/verify_file.c
==============================================================================
--- stable/12/lib/libsecureboot/verify_file.c	Thu Apr  9 02:00:59 2020	(r359734)
+++ stable/12/lib/libsecureboot/verify_file.c	Thu Apr  9 04:50:19 2020	(r359735)
@@ -43,6 +43,8 @@ __FBSDID("$FreeBSD$");
  * define MANIFEST_SKIP to Skip - in tests/tvo.c so that
  * tvo can control the value we use in find_manifest()
  */
+extern char *Destdir;
+extern size_t DestdirLen;
 extern char *Skip;
 # undef MANIFEST_SKIP
 # define MANIFEST_SKIP Skip
@@ -115,10 +117,12 @@ is_verified(struct stat *stp)
 {
 	struct verify_status *vsp;
 
-	for (vsp = verified_files; vsp != NULL; vsp = vsp->vs_next) {
-		if (stp->st_dev == vsp->vs_dev &&
-		    stp->st_ino == vsp->vs_ino)
-			return (vsp->vs_status);
+	if (stp->st_ino > 0) {
+		for (vsp = verified_files; vsp != NULL; vsp = vsp->vs_next) {
+			if (stp->st_dev == vsp->vs_dev &&
+			    stp->st_ino == vsp->vs_ino)
+				return (vsp->vs_status);
+		}
 	}
 	return (VE_NOT_CHECKED);
 }
@@ -167,12 +171,21 @@ load_manifest(const char *name, const char *prefix,
 		ve_utc_set(stp->st_mtime);
 		content = (char *)verify_signed(name, VEF_VERBOSE);
 		if (content) {
+#ifdef UNIT_TEST
+			if (DestdirLen > 0 &&
+			    strncmp(name, Destdir, DestdirLen) == 0) {
+				name += DestdirLen;
+				if (prefix &&
+				    strncmp(prefix, Destdir, DestdirLen) == 0)
+					prefix += DestdirLen;
+			}
+#endif
 			fingerprint_info_add(name, prefix, skip, content, stp);
 			add_verify_status(stp, VE_VERIFIED);
 			loaded_manifests = 1; /* we are verifying! */
 			DEBUG_PRINTF(3, ("loaded: %s %s %s\n",
 				name, prefix, skip));
-			rc = 0;
+			rc = VE_VERIFIED;
 		} else {
 			rc = VE_FINGERPRINT_WRONG;
 			add_verify_status(stp, rc);	/* remember */
@@ -245,13 +258,15 @@ severity_guess(const char *filename)
 	return (VE_WANT);
 }
 
+static int Verifying = -1;		/* 0 if not verifying */
+
 static void
 verify_tweak(int fd, off_t off, struct stat *stp,
     char *tweak, int *accept_no_fp,
-    int *verbose, int *verifying)
+    int *verbose)
 {
 	if (strcmp(tweak, "off") == 0) {
-		*verifying = 0;
+		Verifying = 0;
 	} else if (strcmp(tweak, "strict") == 0) {
 		/* anything caller wants verified must be */
 		*accept_no_fp = VE_WANT;
@@ -314,7 +329,60 @@ getenv_int(const char *var, int def)
 	return (int)val;
 }
 
+
 /**
+ * @brief prepare to verify an open file
+ *
+ * @param[in] fd
+ * 	open descriptor
+ *
+ * @param[in] filename
+ * 	path we opened and will use to lookup fingerprint
+ *
+ * @param[in] stp
+ *	stat pointer so we can check file type
+ */
+int
+verify_prep(int fd, const char *filename, off_t off, struct stat *stp,
+    const char *caller)
+{
+	int rc;
+
+	if (Verifying < 0) {
+		Verifying = ve_trust_init();
+#ifndef UNIT_TEST
+		ve_debug_set(getenv_int("VE_DEBUG_LEVEL", VE_DEBUG_LEVEL));
+#endif
+		/* initialize ve_status with default result */
+		rc = Verifying ? VE_NOT_CHECKED : VE_NOT_VERIFYING;
+		ve_status_set(0, rc);
+		ve_status_state = VE_STATUS_NONE;
+		if (Verifying) {
+			ve_self_tests();
+			ve_anchor_verbose_set(1);
+		}
+	}
+	if (!Verifying || fd < 0)
+		return (0);
+	if (stp) {
+		if (fstat(fd, stp) < 0 || !S_ISREG(stp->st_mode))
+			return (0);
+	}
+	DEBUG_PRINTF(2,
+	    ("verify_prep: caller=%s,fd=%d,name='%s',off=%lld,dev=%lld,ino=%lld\n",
+		caller, fd, filename, (long long)off, (long long)stp->st_dev,
+		(long long)stp->st_ino));
+	rc = is_verified(stp);
+	DEBUG_PRINTF(4,("verify_prep: is_verified()->%d\n", rc));
+	if (rc == VE_NOT_CHECKED) {
+		rc = find_manifest(filename);
+	} else {
+		ve_status_set(fd, rc);
+	}
+	return (rc);
+}
+
+/**
  * @brief verify an open file
  *
  * @param[in] fd
@@ -342,45 +410,26 @@ getenv_int(const char *var, int def)
  * @return >= 0 on success < 0 on failure
  */
 int
-verify_file(int fd, const char *filename, off_t off, int severity)
+verify_file(int fd, const char *filename, off_t off, int severity,
+    const char *caller)
 {
-	static int verifying = -1;
+	static int once;
 	static int accept_no_fp = ACCEPT_NO_FP_DEFAULT;
 	static int verbose = VE_VERBOSE_DEFAULT;
 	struct stat st;
 	char *cp;
 	int rc;
 
-	if (verifying < 0) {
-		verifying = ve_trust_init();
-		verbose = getenv_int("VE_VERBOSE", VE_VERBOSE_DEFAULT);
-		ve_debug_set(getenv_int("VE_DEBUG_LEVEL", VE_DEBUG_LEVEL));
-		/* initialize ve_status with default result */
-		rc = verifying ? VE_NOT_CHECKED : VE_NOT_VERIFYING;
-		ve_status_set(0, rc);
-		ve_status_state = VE_STATUS_NONE;
-		if (verifying) {
-			ve_self_tests();
-			ve_anchor_verbose_set(1);
-		}
-	}
-	if (!verifying)
-		return (0);
+	rc = verify_prep(fd, filename, off, &st, caller);
 
-	if (fd < 0 || fstat(fd, &st) < 0 || !S_ISREG(st.st_mode))
+	if (!rc)
 		return (0);
 
-	DEBUG_PRINTF(3, ("fd=%d,name='%s',off=%lld,dev=%lld,ino=%lld\n",
-		fd, filename, (long long)off, (long long)st.st_dev,
-		(long long)st.st_ino));
-    
-
-	rc = is_verified(&st);
-	if (rc != VE_NOT_CHECKED) {
-		ve_status_set(fd, rc);
-		return (rc);
+	if (!once) {
+		once++;
+		verbose = getenv_int("VE_VERBOSE", VE_VERBOSE_DEFAULT);
 	}
-	rc = find_manifest(filename);
+
 	if (rc != VE_FINGERPRINT_WRONG && loaded_manifests) {
 		if (severity <= VE_GUESS)
 			severity = severity_guess(filename);
@@ -392,6 +441,12 @@ verify_file(int fd, const char *filename, off_t off, i
 		 */
 		ve_pcr_updating_set((severity == VE_MUST));
 #endif
+#ifdef UNIT_TEST
+		if (DestdirLen > 0 &&
+		    strncmp(filename, Destdir, DestdirLen) == 0) {
+			filename += DestdirLen;
+		}
+#endif
 		if ((rc = verify_fd(fd, filename, off, &st)) >= 0) {
 			if (verbose || severity > VE_WANT) {
 #if defined(VE_DEBUG_LEVEL) && VE_DEBUG_LEVEL > 0
@@ -406,14 +461,12 @@ verify_file(int fd, const char *filename, off_t off, i
 #endif
 			}
 			if (severity < VE_MUST) { /* not a kernel or module */
-				
 				if ((cp = strrchr(filename, '/'))) {
 					cp++;
 					if (strncmp(cp, "loader.ve.", 10) == 0) {
 						cp += 10;
 						verify_tweak(fd, off, &st, cp,
-						    &accept_no_fp, &verbose,
-						    &verifying);
+						    &accept_no_fp, &verbose);
 					}
 				}
 			}
@@ -460,6 +513,7 @@ verify_pcr_export(void)
 #ifdef VE_PCR_SUPPORT
 	char hexbuf[br_sha256_SIZE * 2 + 2];
 	unsigned char hbuf[br_sha256_SIZE];
+	char *hinfo;
 	char *hex;
 	ssize_t hlen;
 
@@ -469,6 +523,17 @@ verify_pcr_export(void)
 		if (hex) {
 			hex[hlen*2] = '\0'; /* clobber newline */
 			setenv("loader.ve.pcr", hex, 1);
+			DEBUG_PRINTF(1,
+			    ("%s: setenv(loader.ve.pcr, %s\n", __func__,
+				hex));
+			hinfo = ve_pcr_hashed_get(1);
+			if (hinfo) {
+				setenv("loader.ve.hashed", hinfo, 1);
+				DEBUG_PRINTF(1,
+				    ("%s: setenv(loader.ve.hashed, %s\n",
+					__func__, hinfo));
+				free(hinfo);
+			}
 		}
 	}
 #endif

Modified: stable/12/lib/libsecureboot/vets.c
==============================================================================
--- stable/12/lib/libsecureboot/vets.c	Thu Apr  9 02:00:59 2020	(r359734)
+++ stable/12/lib/libsecureboot/vets.c	Thu Apr  9 04:50:19 2020	(r359735)
@@ -44,6 +44,10 @@ __FBSDID("$FreeBSD$");
 #endif
 
 #define SECONDS_PER_DAY		86400
+#define SECONDS_PER_YEAR	365 * SECONDS_PER_DAY
+#ifndef VE_UTC_MAX_JUMP
+# define VE_UTC_MAX_JUMP	20 * SECONDS_PER_YEAR
+#endif
 #define X509_DAYS_TO_UTC0	719528
 
 int DebugVe = 0;
@@ -113,12 +117,14 @@ static time_t ve_utc = 0;
  * set ve_utc used for certificate verification
  *
  * @param[in] utc
- *	time - ignored unless greater than current value.
+ *	time - ignored unless greater than current value
+ *	and not a leap of 20 years or more.
  */
 void
 ve_utc_set(time_t utc)
 {
-	if (utc > ve_utc) {
+	if (utc > ve_utc &&
+	    (ve_utc == 0 || (utc - ve_utc) < VE_UTC_MAX_JUMP)) {
 		DEBUG_PRINTF(2, ("Set ve_utc=%jd\n", (intmax_t)utc));
 		ve_utc = utc;
 	}
@@ -345,11 +351,11 @@ ve_trust_init(void)
 
 	if (once >= 0)
 		return (once);
-
-	ve_utc_set(time(NULL));
+	once = 0;			/* to be sure */
 #ifdef BUILD_UTC
-	ve_utc_set(BUILD_UTC);		/* just in case */
+	ve_utc_set(BUILD_UTC);		/* ensure sanity */
 #endif
+	ve_utc_set(time(NULL));
 	ve_error_set(NULL);		/* make sure it is empty */
 #ifdef VE_PCR_SUPPORT
 	ve_pcr_init();
@@ -642,9 +648,10 @@ hexdigest(char *buf, size_t bufsz, unsigned char *foo,
 static unsigned char *
 verify_ec(br_x509_pkey *pk, const char *file, const char *sigfile)
 {
-	char hexbuf[br_sha512_SIZE * 2 + 2];
+#ifdef VE_ECDSA_HASH_AGAIN
+	char *hex, hexbuf[br_sha512_SIZE * 2 + 2];
+#endif
 	unsigned char rhbuf[br_sha512_SIZE];
-	char *hex;
 	br_sha256_context ctx;
 	unsigned char *fcp, *scp;
 	size_t flen, slen, plen;
@@ -902,7 +909,7 @@ ve_check_hash(br_hash_compat_context *ctx, const br_ha
 
 	md->out(&ctx->vtable, hbuf);
 #ifdef VE_PCR_SUPPORT
-	ve_pcr_update(hbuf, hlen);
+	ve_pcr_update(path, hbuf, hlen);
 #endif
 	hex = hexdigest(hexbuf, sizeof(hexbuf), hbuf, hlen);
 	if (!hex)

Modified: stable/12/share/mk/src.opts.mk
==============================================================================
--- stable/12/share/mk/src.opts.mk	Thu Apr  9 02:00:59 2020	(r359734)
+++ stable/12/share/mk/src.opts.mk	Thu Apr  9 04:50:19 2020	(r359735)
@@ -221,6 +221,7 @@ __DEFAULT_DEPENDENT_OPTIONS= \
 	CLANG_FULL/CLANG \
 	LOADER_VERIEXEC/BEARSSL \
 	LOADER_EFI_SECUREBOOT/LOADER_VERIEXEC \
+	LOADER_VERIEXEC_VECTX/LOADER_VERIEXEC \
 	VERIEXEC/BEARSSL \
 
 # MK_*_SUPPORT options which default to "yes" unless their corresponding

Modified: stable/12/stand/common/bootstrap.h
==============================================================================
--- stable/12/stand/common/bootstrap.h	Thu Apr  9 02:00:59 2020	(r359734)
+++ stable/12/stand/common/bootstrap.h	Thu Apr  9 04:50:19 2020	(r359735)
@@ -33,6 +33,8 @@
 #include <sys/queue.h>
 #include <sys/linker_set.h>
 
+#include "readin.h"
+
 /* Commands and return values; nonzero return sets command_errmsg != NULL */
 typedef int	(bootblk_cmd_t)(int argc, char *argv[]);
 #define	COMMAND_ERRBUFSZ	(256)
@@ -70,8 +72,8 @@ void	hexdump(caddr_t region, size_t len);
 size_t	strlenout(vm_offset_t str);
 char	*strdupout(vm_offset_t str);
 void	kern_bzero(vm_offset_t dest, size_t len);
-int	kern_pread(int fd, vm_offset_t dest, size_t len, off_t off);
-void	*alloc_pread(int fd, off_t off, size_t len);
+int	kern_pread(readin_handle_t fd, vm_offset_t dest, size_t len, off_t off);
+void	*alloc_pread(readin_handle_t fd, off_t off, size_t len);
 
 /* bcache.c */
 void	bcache_init(size_t nblks, size_t bsize);
@@ -303,7 +305,7 @@ struct arch_switch
     ssize_t	(*arch_copyout)(const vm_offset_t src, void *dest,
 				const size_t len);
     /* Read from file to module address space, same semantics as read() */
-    ssize_t	(*arch_readin)(const int fd, vm_offset_t dest,
+    ssize_t	(*arch_readin)(readin_handle_t fd, vm_offset_t dest,
 			       const size_t len);
     /* Perform ISA byte port I/O (only for systems with ISA) */
     int		(*arch_isainb)(int port);
@@ -347,10 +349,6 @@ time_t	time(time_t *tloc);
 
 #ifndef CTASSERT
 #define	CTASSERT(x)	_Static_assert(x, "compile-time assertion failed")
-#endif
-
-#ifdef LOADER_VERIEXEC
-#include <verify_file.h>
 #endif
 
 #endif /* !_BOOTSTRAP_H_ */

Modified: stable/12/stand/common/install.c
==============================================================================
--- stable/12/stand/common/install.c	Thu Apr  9 02:00:59 2020	(r359734)
+++ stable/12/stand/common/install.c	Thu Apr  9 04:50:19 2020	(r359735)
@@ -210,6 +210,13 @@ install(char *pkgname)
 		if (currdev != NULL && strcmp(currdev, "pxe0:") == 0) {
 			devname = "pxe0";
 			proto = NULL;
+#ifdef HOSTPROG
+		} else if (currdev != NULL && strcmp(currdev, "host0:") == 0) {
+			extern struct fs_ops host_fsops;
+
+			devname = "host0";
+			proto = &host_fsops;
+#endif
 		} else {
 			devname = "disk1";
 			proto = &dosfs_fsops;
@@ -236,6 +243,10 @@ install(char *pkgname)
 			goto invalid_url;
 
 		setenv("serverip", inet_ntoa(servip), 1);
+
+		if (proto == &tftp_fsops) {
+			tftpip.s_addr = servip.s_addr;
+		}
 
 		*pkgname = '/';
 	} else

Modified: stable/12/stand/common/interp_forth.c
==============================================================================
--- stable/12/stand/common/interp_forth.c	Thu Apr  9 02:00:59 2020	(r359734)
+++ stable/12/stand/common/interp_forth.c	Thu Apr  9 04:50:19 2020	(r359735)
@@ -284,7 +284,7 @@ bf_init(void)
 	/* try to load and run init file if present */
 	if ((fd = open("/boot/boot.4th", O_RDONLY)) != -1) {
 #ifdef LOADER_VERIEXEC
-		if (verify_file(fd, "/boot/boot.4th", 0, VE_GUESS) < 0) {
+		if (verify_file(fd, "/boot/boot.4th", 0, VE_GUESS, __func__) < 0) {
 			close(fd);
 			return;
 		}
@@ -386,7 +386,7 @@ interp_include(const char *filename)
 	}
 
 #ifdef LOADER_VERIEXEC
-	if (verify_file(fd, filename, 0, VE_GUESS) < 0) {
+	if (verify_file(fd, filename, 0, VE_GUESS, __func__) < 0) {
 		close(fd);
 		sprintf(command_errbuf,"can't verify '%s'", filename);
 		return(CMD_ERROR);

Modified: stable/12/stand/common/interp_simple.c
==============================================================================
--- stable/12/stand/common/interp_simple.c	Thu Apr  9 02:00:59 2020	(r359734)
+++ stable/12/stand/common/interp_simple.c	Thu Apr  9 04:50:19 2020	(r359735)
@@ -97,7 +97,7 @@ interp_include(const char *filename)
 	}
 
 #ifdef LOADER_VERIEXEC
-	if (verify_file(fd, filename, 0, VE_GUESS) < 0) {
+	if (verify_file(fd, filename, 0, VE_GUESS, __func__) < 0) {
 		close(fd);
 		sprintf(command_errbuf,"can't verify '%s'", filename);
 		return(CMD_ERROR);

Modified: stable/12/stand/common/load_elf.c
==============================================================================
--- stable/12/stand/common/load_elf.c	Thu Apr  9 02:00:59 2020	(r359734)
+++ stable/12/stand/common/load_elf.c	Thu Apr  9 04:50:19 2020	(r359735)
@@ -71,8 +71,17 @@ typedef struct elf_file {
 	size_t	firstlen;
 	int		kernel;
 	uint64_t	off;
+#ifdef LOADER_VERIEXEC_VECTX
+	struct vectx	*vctx;
+#endif
 } *elf_file_t;
 
+#ifdef LOADER_VERIEXEC_VECTX
+#define VECTX_HANDLE(ef) (ef)->vctx
+#else
+#define VECTX_HANDLE(ef) (ef)->fd
+#endif
+
 static int __elfN(loadimage)(struct preloaded_file *mp, elf_file_t ef,
     uint64_t loadaddr);
 static int __elfN(lookup_symbol)(struct preloaded_file *mp, elf_file_t ef,
@@ -214,7 +223,20 @@ __elfN(load_elf_header)(char *filename, elf_file_t ef)
 		close(ef->fd);
 		return (ENOMEM);
 	}
-	bytes_read = read(ef->fd, ef->firstpage, PAGE_SIZE);
+#ifdef LOADER_VERIEXEC_VECTX
+	{
+		int verror;
+
+		ef->vctx = vectx_open(ef->fd, filename, 0L, NULL, &verror, __func__);
+		if (verror) {
+			printf("Unverified %s: %s\n", filename, ve_error_get());
+			close(ef->fd);
+			free(ef->vctx);
+			return (EAUTH);
+		}
+	}
+#endif
+	bytes_read = VECTX_READ(VECTX_HANDLE(ef), ef->firstpage, PAGE_SIZE);
 	ef->firstlen = (size_t)bytes_read;
 	if (bytes_read < 0 || ef->firstlen <= sizeof(Elf_Ehdr)) {
 		err = EFTYPE; /* could be EIO, but may be small file */
@@ -245,10 +267,10 @@ __elfN(load_elf_header)(char *filename, elf_file_t ef)
 		goto error;
 	}
 
-#ifdef LOADER_VERIEXEC
-	if (verify_file(ef->fd, filename, bytes_read, VE_MUST) < 0) {
-	    err = EAUTH;
-	    goto error;
+#if defined(LOADER_VERIEXEC) && !defined(LOADER_VERIEXEC_VECTX)
+	if (verify_file(ef->fd, filename, bytes_read, VE_MUST, __func__) < 0) {
+		err = EAUTH;
+		goto error;
 	}
 #endif
 	return (0);
@@ -259,6 +281,9 @@ error:
 		ef->firstpage = NULL;
 	}
 	if (ef->fd != -1) {
+#ifdef LOADER_VERIEXEC_VECTX
+		free(ef->vctx);
+#endif
 		close(ef->fd);
 		ef->fd = -1;
 	}

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202004090450.0394oJgJ080510>