From owner-svn-src-all@freebsd.org Tue Feb 26 06:22:15 2019
Message-Id: <201902260622.x1Q6MAI6003000@repo.freebsd.org>
From: "Simon J. Gerraty"
Date: Tue, 26 Feb 2019 06:22:10 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r344568 - in head/stand: . common ficl ficl32 i386/loader liblua libsa libsa32

Author: sjg
Date: Tue Feb 26 06:22:10 2019
New Revision: 344568
URL: https://svnweb.freebsd.org/changeset/base/344568

Log:
  Enable veriexec for loader

  This relies on libbearssl and libsecureboot to verify files read by
  loader in a manner equivalent to how mac_veriexec

  Note: disabled by default.
  Use is initially expected to be by embedded vendors

  Reviewed by:	emaste, imp
  Sponsored by:	Juniper Networks
  Differential Revision:	D16336

Modified:
  head/stand/common/boot.c
  head/stand/common/bootstrap.h
  head/stand/common/interp_forth.c
  head/stand/common/interp_simple.c
  head/stand/common/load_elf.c
  head/stand/common/load_elf_obj.c
  head/stand/common/module.c
  head/stand/ficl/Makefile.depend
  head/stand/ficl/ficl.h
  head/stand/ficl/fileaccess.c
  head/stand/ficl32/Makefile.depend
  head/stand/i386/loader/Makefile.depend
  head/stand/liblua/Makefile
  head/stand/liblua/lstd.c
  head/stand/libsa/Makefile
  head/stand/libsa/Makefile.depend
  head/stand/libsa32/Makefile.depend
  head/stand/loader.mk

Modified: head/stand/common/boot.c ============================================================================== --- head/stand/common/boot.c Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/common/boot.c Tue Feb 26 06:22:10 2019 (r344568) @@ -106,6 +106,10 @@ command_boot(int argc, char *argv[]) if (archsw.arch_autoload() != 0) return(CMD_ERROR); +#ifdef LOADER_VERIEXEC + verify_pcr_export(); /* for measured boot */ +#endif + /* Call the exec handler from the loader matching the kernel */ file_formats[fp->f_loader]->l_exec(fp); return(CMD_ERROR); Modified: head/stand/common/bootstrap.h ============================================================================== --- head/stand/common/bootstrap.h Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/common/bootstrap.h Tue Feb 26 06:22:10 2019 (r344568) @@ -330,6 +330,9 @@ struct arch_switch /* Probe ZFS pool(s), if needed. */ void (*arch_zfs_probe)(void); + /* Return the hypervisor name/type or NULL if not virtualized. */ + const char *(*arch_hypervisor)(void); + /* For kexec-type loaders, get ksegment structure */ void (*arch_kexec_kseg_get)(int *nseg, void **kseg); };
@@ -344,6 +347,10 @@ time_t time(time_t *tloc); #ifndef CTASSERT #define CTASSERT(x) _Static_assert(x, "compile-time assertion failed") +#endif + +#ifdef LOADER_VERIEXEC +#include #endif #endif /* !_BOOTSTRAP_H_ */ Modified: head/stand/common/interp_forth.c ============================================================================== --- head/stand/common/interp_forth.c Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/common/interp_forth.c Tue Feb 26 06:22:10 2019 (r344568) @@ -379,6 +379,13 @@ interp_include(const char *filename) return(CMD_ERROR); } +#ifdef LOADER_VERIEXEC + if (verify_file(fd, filename, 0, VE_GUESS) < 0) { + close(fd); + sprintf(command_errbuf,"can't verify '%s'", filename); + return(CMD_ERROR); + } +#endif /* * Read the script into memory. */ Modified: head/stand/common/interp_simple.c ============================================================================== --- head/stand/common/interp_simple.c Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/common/interp_simple.c Tue Feb 26 06:22:10 2019 (r344568) @@ -96,6 +96,14 @@ interp_include(const char *filename) return(CMD_ERROR); } +#ifdef LOADER_VERIEXEC + if (verify_file(fd, filename, 0, VE_GUESS) < 0) { + close(fd); + sprintf(command_errbuf,"can't verify '%s'", filename); + return(CMD_ERROR); + } +#endif + /* * Read the script into memory. */ Modified: head/stand/common/load_elf.c ============================================================================== --- head/stand/common/load_elf.c Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/common/load_elf.c Tue Feb 26 06:22:10 2019 (r344568) 
@@ -245,6 +245,12 @@ __elfN(load_elf_header)(char *filename, elf_file_t ef) goto error; } +#ifdef LOADER_VERIEXEC + if (verify_file(ef->fd, filename, bytes_read, VE_MUST) < 0) { + err = EAUTH; + goto error; + } +#endif return (0); error: Modified: head/stand/common/load_elf_obj.c ============================================================================== --- head/stand/common/load_elf_obj.c Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/common/load_elf_obj.c Tue Feb 26 06:22:10 2019 (r344568) @@ -129,6 +129,13 @@ __elfN(obj_loadfile)(char *filename, uint64_t dest, goto oerr; } +#ifdef LOADER_VERIEXEC + if (verify_file(ef.fd, filename, bytes_read, VE_MUST) < 0) { + err = EAUTH; + goto oerr; + } +#endif + kfp = file_findfile(NULL, __elfN(obj_kerneltype)); if (kfp == NULL) { printf("elf" __XSTRING(__ELF_WORD_SIZE) Modified: head/stand/common/module.c ============================================================================== --- head/stand/common/module.c Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/common/module.c Tue Feb 26 06:22:10 2019 (r344568) @@ -104,6 +104,8 @@ command_load(int argc, char *argv[]) { struct preloaded_file *fp; char *typestr; + char *prefix; + char *skip; int dofile, dokld, ch, error; dokld = dofile = 0; @@ -114,11 +116,18 @@ command_load(int argc, char *argv[]) command_errmsg = "no filename specified"; return (CMD_CRIT); } - while ((ch = getopt(argc, argv, "kt:")) != -1) { + prefix = skip = NULL; + while ((ch = getopt(argc, argv, "kp:s:t:")) != -1) { switch(ch) { case 'k': dokld = 1; break; + case 'p': + prefix = optarg; + break; + case 's': + skip = optarg; + break; case 't': typestr = optarg; dofile = 1; @@ -141,6 +150,12 @@ command_load(int argc, char *argv[]) return (CMD_CRIT); } +#ifdef LOADER_VERIEXEC + if (strncmp(typestr, "manifest", 8) == 0) { + return (load_manifest(argv[1], prefix, skip, NULL)); + } +#endif + fp = file_findfile(argv[1], typestr); if (fp) { snprintf(command_errbuf, sizeof(command_errbuf), 
@@ -434,6 +449,15 @@ file_loadraw(const char *fname, char *type, int insert free(name); return(NULL); } + +#ifdef LOADER_VERIEXEC + if (verify_file(fd, name, 0, VE_MUST) < 0) { + sprintf(command_errbuf, "can't verify '%s'", name); + free(name); + close(fd); + return(NULL); + } +#endif if (archsw.arch_loadaddr != NULL) loadaddr = archsw.arch_loadaddr(LOAD_RAW, name, loadaddr); Modified: head/stand/ficl/Makefile.depend ============================================================================== --- head/stand/ficl/Makefile.depend Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/ficl/Makefile.depend Tue Feb 26 06:22:10 2019 (r344568) @@ -2,9 +2,7 @@ # Autogenerated - do NOT edit! DIRDEPS = \ - include \ - include/xlocale \ - lib/msun \ + stand/libsa \ .include Modified: head/stand/ficl/ficl.h ============================================================================== --- head/stand/ficl/ficl.h Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/ficl/ficl.h Tue Feb 26 06:22:10 2019 (r344568) @@ -1157,6 +1157,10 @@ typedef void ficlCompileFcn(FICL_SYSTEM *); DATA_SET(Xficl_compile_set, func) SET_DECLARE(Xficl_compile_set, ficlCompileFcn); +#ifdef LOADER_VERIEXEC +#include +#endif + #ifdef __cplusplus } #endif Modified: head/stand/ficl/fileaccess.c ============================================================================== --- head/stand/ficl/fileaccess.c Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/ficl/fileaccess.c Tue Feb 26 06:22:10 2019 (r344568) 
@@ -67,14 +67,21 @@ static void ficlFopen(FICL_VM *pVM, char *writeMode) / if (f == NULL) stackPushPtr(pVM->pStack, NULL); else +#ifdef LOADER_VERIEXEC + if (*mode == 'r' && + verify_file(fileno(f), filename, 0, VE_GUESS) < 0) { + fclose(f); + stackPushPtr(pVM->pStack, NULL); + } else +#endif { - ficlFILE *ff = (ficlFILE *)malloc(sizeof(ficlFILE)); - strcpy(ff->filename, filename); - ff->f = f; - stackPushPtr(pVM->pStack, ff); + ficlFILE *ff = (ficlFILE *)malloc(sizeof(ficlFILE)); + strcpy(ff->filename, filename); + ff->f = f; + stackPushPtr(pVM->pStack, ff); - fseek(f, 0, SEEK_SET); - } + fseek(f, 0, SEEK_SET); + } pushIor(pVM, f != NULL); } Modified: head/stand/ficl32/Makefile.depend ============================================================================== --- head/stand/ficl32/Makefile.depend Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/ficl32/Makefile.depend Tue Feb 26 06:22:10 2019 (r344568) @@ -2,9 +2,7 @@ # Autogenerated - do NOT edit! DIRDEPS = \ - include \ - include/xlocale \ - lib/msun \ + stand/libsa \ .include Modified: head/stand/i386/loader/Makefile.depend ============================================================================== --- head/stand/i386/loader/Makefile.depend Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/i386/loader/Makefile.depend Tue Feb 26 06:22:10 2019 (r344568) 
@@ -2,15 +2,12 @@ # Autogenerated - do NOT edit! DIRDEPS = \ - include \ - include/xlocale \ - stand/ficl32 \ - stand/geli \ - stand/i386/btx/btx \ - stand/i386/btx/btxldr \ - stand/i386/btx/lib \ - stand/i386/libi386 \ - stand/libsa32 \ + stand/${MACHINE_CPUARCH}/btx/btx \ + stand/${MACHINE_CPUARCH}/btx/btxldr \ + stand/${MACHINE_CPUARCH}/btx/lib \ + stand/${MACHINE_CPUARCH}/libi386 \ + stand/ficl \ + stand/libsa \ .include Modified: head/stand/liblua/Makefile ============================================================================== --- head/stand/liblua/Makefile Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/liblua/Makefile Tue Feb 26 06:22:10 2019 (r344568) @@ -35,5 +35,8 @@ CFLAGS+= -I${BOOTSRC}/include -I${LIBLUASRC} -I${LUASR .if ${MACHINE_CPUARCH} == "amd64" && ${DO32:U0} == 0 CFLAGS+= -fPIC .endif +.if ${MK_LOADER_VERIEXEC} == "yes" +CFLAGS+= -I${SRCTOP}/lib/libsecureboot/h -DLOADER_VERIEXEC +.endif .include Modified: head/stand/liblua/lstd.c ============================================================================== --- head/stand/liblua/lstd.c Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/liblua/lstd.c Tue Feb 26 06:22:10 2019 (r344568) @@ -31,6 +31,10 @@ __FBSDID("$FreeBSD$"); #include "lstd.h" #include "math.h" +#ifdef LOADER_VERIEXEC +#include +#endif + FILE * fopen(const char *filename, const char *mode) { @@ -75,6 +79,17 @@ fopen(const char *filename, const char *mode) close(fd); return (NULL); } + +#ifdef LOADER_VERIEXEC + /* only regular files and only reading makes sense */ + if (S_ISREG(st.st_mode) && !(m & O_WRONLY)) { + if (verify_file(fd, filename, 0, VE_GUESS) < 0) { + free(f); + close(fd); + return (NULL); + } + } +#endif f->fd = fd; f->offset = 0; Modified: head/stand/libsa/Makefile ============================================================================== --- head/stand/libsa/Makefile Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/libsa/Makefile Tue Feb 26 06:22:10 2019 (r344568) 
@@ -164,6 +164,11 @@ SRCS+= explicit_bzero.c crc32_libkern.c .include "${SASRC}/geli/Makefile.inc" .endif +.if ${MK_LOADER_VERIEXEC} == "yes" && ${MK_BEARSSL} == "yes" +.include "${SRCTOP}/lib/libbearssl/Makefile.libsa.inc" +.include "${SRCTOP}/lib/libsecureboot/Makefile.libsa.inc" +.endif + # Maybe ZFS .if ${MK_LOADER_ZFS} == "yes" .include "${SASRC}/zfs/Makefile.inc" Modified: head/stand/libsa/Makefile.depend ============================================================================== --- head/stand/libsa/Makefile.depend Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/libsa/Makefile.depend Tue Feb 26 06:22:10 2019 (r344568) @@ -2,10 +2,6 @@ # Autogenerated - do NOT edit! DIRDEPS = \ - include \ - include/arpa \ - include/xlocale \ - lib/libbz2 \ .include Modified: head/stand/libsa32/Makefile.depend ============================================================================== --- head/stand/libsa32/Makefile.depend Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/libsa32/Makefile.depend Tue Feb 26 06:22:10 2019 (r344568) @@ -2,10 +2,7 @@ # Autogenerated - do NOT edit! DIRDEPS = \ - include \ - include/arpa \ - include/xlocale \ - lib/libbz2 \ + stand/libsa \ .include Modified: head/stand/loader.mk ============================================================================== --- head/stand/loader.mk Tue Feb 26 06:17:23 2019 (r344567) +++ head/stand/loader.mk Tue Feb 26 06:22:10 2019 (r344568) @@ -73,6 +73,10 @@ SRCS+= interp_simple.c .error Unknown interpreter ${LOADER_INTERP} .endif +.if ${MK_LOADER_VERIEXEC} != "no" +CFLAGS+= -DLOADER_VERIEXEC -I${SRCTOP}/lib/libsecureboot/h +.endif + .if defined(BOOT_PROMPT_123) CFLAGS+= -DBOOT_PROMPT_123 .endif
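Review bot: The new `arch_hypervisor` member added to `struct arch_switch` in the first bootstrap.h hunk (@@ -330,6 +330,9 @@) is unrelated to veriexec and is not mentioned in the log message; either split it into its own commit or say in the log why it rides along. Since it is a function pointer that arch_switch initializers which do not know about it will leave NULL, every caller needs an `if (archsw.arch_hypervisor != NULL)` guard, which is worth stating next to `/* Return the hypervisor name/type or NULL if not virtualized. */`.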
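Review bot: The `#include` added under `#ifdef LOADER_VERIEXEC` in the second bootstrap.h hunk (@@ -344,6 +347,10 @@), and the matching ones in the ficl.h and lstd.c hunks, show no header name in this rendering of the patch; please confirm the angle-bracketed name survived the commit, and note in a comment that the header comes from `lib/libsecureboot/h` (the `-I` added in loader.mk), since pulling it into bootstrap.h makes every loader translation unit depend on it once the option is on.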
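Review bot: In the identical interp_include() hunks in interp_forth.c and interp_simple.c the failure path formats a caller-supplied path with `sprintf(command_errbuf,"can't verify '%s'", filename);`, while the module.c hunk in this same patch shows the existing convention `snprintf(command_errbuf, sizeof(command_errbuf), ...)`; use snprintf here (and in the file_loadraw() and fileaccess.c hunks) so an over-long filename cannot overrun command_errbuf. The same verify/close/errbuf block is now repeated at five call sites; a small shared helper (for example a `verify_fd_or_errbuf()`, name only a suggestion) would keep the error text and the close() on failure consistent. Scripts are checked with VE_GUESS while kernels and modules use VE_MUST; a one-line comment on what VE_GUESS does when the script has no manifest entry would make the policy difference visible at the call site. Minor: the interp_forth.c hunk lacks the blank line after `#endif` that the interp_simple.c hunk has.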
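Review bot: In the load_elf.c and load_elf_obj.c hunks, `verify_file(ef->fd, filename, bytes_read, VE_MUST)` passes the number of bytes the header read already consumed, whereas every other call site in this patch passes 0; a short comment saying that verify_file() uses this to hash from the start of the file, and whether it leaves the descriptor offset where it found it, would stop the next caller from passing 0 by habit. Mapping a failed verification to `err = EAUTH` is the right choice.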
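Review bot: In the command_load() hunks in module.c, `strncmp(typestr, "manifest", 8) == 0` accepts any type string that merely begins with "manifest"; the intent reads as an exact match, so `strcmp(typestr, "manifest") == 0` is stricter and clearer. The new `-p` (prefix) and `-s` (skip) options handed to `load_manifest(argv[1], prefix, skip, NULL)` are not described in the log message and no help text or man page appears in the Modified list; please document what prefix and skip do and what the fourth NULL argument stands for. Also, `prefix` and `skip` are parsed and assigned but only read inside `#ifdef LOADER_VERIEXEC`, so a build without the option may warn about set-but-unused variables; wrapping the new getopt cases in the same `#ifdef` avoids that.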
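Review bot: In the ficlFopen() hunk in fileaccess.c, the verification-failure branch does `fclose(f); stackPushPtr(pVM->pStack, NULL);` but leaves `f` non-NULL, so the trailing `pushIor(pVM, f != NULL);` still reports success to the Forth caller even though the pushed handle is NULL; set `f = NULL` after the fclose() so the ior reflects the failure. Splicing the `#ifdef LOADER_VERIEXEC` block between an `else` and its `{` compiles both ways but makes the control flow depend on the preprocessor and forces the re-indentation of the original block; doing the verification in a small static helper called before the `if (f == NULL)` test would leave the existing block untouched. Pre-existing but worth fixing while here: the `malloc(sizeof(ficlFILE))` result is used without a NULL check.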
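Review bot: The build gates in the loader.mk, liblua/Makefile and libsa/Makefile hunks do not agree: loader.mk defines LOADER_VERIEXEC when `${MK_LOADER_VERIEXEC} != "no"`, liblua/Makefile when `${MK_LOADER_VERIEXEC} == "yes"`, and libsa/Makefile only pulls in `Makefile.libsa.inc` from libbearssl and libsecureboot when `${MK_LOADER_VERIEXEC} == "yes" && ${MK_BEARSSL} == "yes"`. A build with MK_LOADER_VERIEXEC=yes and MK_BEARSSL=no therefore compiles calls to verify_file() and verify_pcr_export() that nothing provides and fails at link time. Use one condition everywhere, and either add the MK_BEARSSL test to loader.mk and liblua/Makefile or emit a `.error` in loader.mk when veriexec is requested without bearssl.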