freebsd-dev/share/mk
Marcin Wojtas b0fefb25c5 Create kernel module to parse Veriexec manifest based on envs
The current approach of injecting manifest into mac_veriexec is to
verify the integrity of it in userspace (veriexec(8)) and pass its
entries into kernel using a char device (/dev/veriexec).
This requires verifying root partition integrity in loader,
for example by using memory disk and checking its hash.
Otherwise if rootfs is compromised an attacker could inject their own data.

This patch introduces an option to parse manifest in kernel based on envs.
The loader sets manifest path and digest.
EVENTHANDLER is used to launch the module right after the rootfs is mounted.
It has to be done this way, since one might want to verify integrity of the init file.
This means that manifest is required to be present on the root partition.
Note that the envs have to be set right before boot to make sure that no one can spoof them.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19281
2019-04-03 03:57:37 +00:00
atf.test.mk Feex a cuple of small typos 2018-07-27 10:44:38 +00:00
auto.obj.mk Ensure .OBJDIR has known value 2017-11-04 21:02:26 +00:00
bsd.arch.inc.mk
bsd.clang-analyze.mk Add some missed OBJS_SRCS_FILTER from r323637. 2017-11-10 08:00:09 +00:00
bsd.compiler.mk Don't run cc --version during cleandir/obj stages 2018-10-31 10:45:28 +00:00
bsd.confs.mk Fix STAGE_DIR.* to handle indirect *DIR variables. 2019-01-15 23:37:49 +00:00
bsd.cpu.mk Catch up with Clang 8.0. 2019-03-21 21:45:02 +00:00
bsd.crunchgen.mk rescue: Restore 'make depend' call to fix WITH_META_MODE after r334008. 2018-05-24 18:49:19 +00:00
bsd.dep.mk Created static libc PIC/no-SSP library to be used by rtld. 2018-05-09 10:28:24 +00:00
bsd.dirs.mk DIRS: Rework how duplicated dirs are installed. 2018-09-17 22:15:12 +00:00
bsd.doc.mk Revert crap accidentally committed 2017-01-28 16:31:23 +00:00
bsd.dtb.mk Use known SRCTOP if possible to determine SYSDIR. 2018-04-12 20:48:17 +00:00
bsd.endian.mk Add -b/-l options to localedef(1) to specify output endianness and use 2018-10-20 20:51:05 +00:00
bsd.files.mk Fix STAGE_DIR.* to handle indirect *DIR variables. 2019-01-15 23:37:49 +00:00
bsd.incs.mk Reapply r295227: Stop hiding link install commands. 2017-11-06 19:33:50 +00:00
bsd.info.mk Revert r301079. 2016-06-03 19:25:36 +00:00
bsd.init.mk Reduce exec and fstat overhead for non-build targets. 2018-06-20 17:20:39 +00:00
bsd.kmod.mk Use known SRCTOP if possible to determine SYSDIR. 2018-04-12 20:48:17 +00:00
bsd.lib.mk Add WITH_PIE knob to build Position Independent Executables 2019-02-15 22:22:38 +00:00
bsd.libnames.mk Make libifconfig INTERNALLIB 2019-02-25 18:22:20 +00:00
bsd.linker.mk retire LINKER_FEATURES filter flag 2018-11-12 20:44:22 +00:00
bsd.links.mk Reapply r295227: Stop hiding link install commands. 2017-11-06 19:33:50 +00:00
bsd.man.mk Correct link metadata created when installing with -DNO_ROOT. 2018-06-29 16:07:56 +00:00
bsd.mkopt.mk
bsd.nls.mk Move all of the directory path into the DIR part of the component and make the 2018-05-31 13:26:12 +00:00
bsd.obj.mk AUTO_OBJ: Don't create nested OBJDIRS with print-dir or make -n. 2017-12-06 21:00:41 +00:00
bsd.opts.mk Add WITH_PIE knob to build Position Independent Executables 2019-02-15 22:22:38 +00:00
bsd.own.mk Correct default path of kernel modules. 2018-08-09 16:42:13 +00:00
bsd.port.mk
bsd.port.options.mk
bsd.port.post.mk
bsd.port.pre.mk
bsd.port.subdir.mk
bsd.prog.mk Fixup bsd.prog.mk after r344182 2019-02-15 23:41:54 +00:00
bsd.progs.mk Allow programs to set NO_SHARED on a per-PROG basis 2019-03-30 17:23:15 +00:00
bsd.README Document GTESTS variable in googletest.test.mk 2019-02-20 01:12:59 +00:00
bsd.snmpmod.mk Update bsnmp to version 1.13. This does not bring user-visible changes. 2018-07-03 08:44:40 +00:00
bsd.subdir.mk installdirs can be a recursive/standalone target. 2018-09-17 22:15:09 +00:00
bsd.suffixes-posix.mk Extract suffix rules into bsd.suffixes[-posix].mk. 2016-10-12 00:42:46 +00:00
bsd.suffixes.mk CCACHE_BUILD: Don't try using ccache for compile-linking .c files. 2018-06-27 16:58:07 +00:00
bsd.symver.mk
bsd.sys.mk Standardize -std=c++* as CXXSTD` 2019-03-29 18:45:27 +00:00
bsd.test.mk Add googletest.test.mk and integrate into bsd.test.mk 2019-02-20 01:09:03 +00:00
dirdeps-options.mk Use .undef per variable 2019-01-15 23:35:53 +00:00
dirdeps.mk Update dirdeps.mk et al to latest 2018-08-02 21:33:45 +00:00
gendirdeps.mk Update dirdeps.mk et al to latest 2018-08-02 21:33:45 +00:00
googletest.test.inc.mk Standardize -std=c++* as CXXSTD` 2019-03-29 18:45:27 +00:00
googletest.test.mk Fix a typo 2019-02-21 03:36:09 +00:00
host-target.mk
install-new.mk
local.autodep.mk Update dirdeps.mk et al to latest 2018-08-02 21:33:45 +00:00
local.dirdeps.mk Update dirdeps.mk et al to latest 2018-08-02 21:33:45 +00:00
local.gendirdeps.mk Update dirdeps.mk et al to latest 2018-08-02 21:33:45 +00:00
local.init.mk
local.meta.sys.mk Update dirdeps.mk et al to latest 2018-08-02 21:33:45 +00:00
local.sys.env.mk AUTO_OBJ: Hide 'creating dirs' output with 'make -s'. 2017-11-08 16:03:58 +00:00
local.sys.mk Follow-up r320061: Need to respect make.conf/env LIBDIR overrides. 2017-06-19 18:08:02 +00:00
Makefile Correct gmock/gtest expectations w.r.t. C++11/RTTI 2019-02-20 20:09:59 +00:00
meta2deps.py Update dirdeps.mk et al to latest 2018-08-02 21:33:45 +00:00
meta2deps.sh Update meta* from bmake-20161212 2016-12-23 02:57:00 +00:00
meta.autodep.mk Update dirdeps.mk et al to latest 2018-08-02 21:33:45 +00:00
meta.stage.mk Update dirdeps.mk et al to latest 2018-08-02 21:33:45 +00:00
meta.subdir.mk
meta.sys.mk Update dirdeps.mk et al to latest 2018-08-02 21:33:45 +00:00
netbsd-tests.test.mk
plain.test.mk Feex a cuple of small typos 2018-07-27 10:44:38 +00:00
src.init.mk
src.libnames.mk MFhead@r344786 2019-03-05 01:00:38 +00:00
src.opts.mk Create kernel module to parse Veriexec manifest based on envs 2019-04-03 03:57:37 +00:00
src.sys.env.mk Ignore MAKEOBJDIRPREFIX from src-env.conf in sub-makes. 2018-03-03 23:23:01 +00:00
src.sys.mk Enable AUTO_OBJ by default if the OBJDIR is writable, only for in-tree builds. 2017-11-02 18:09:07 +00:00
src.sys.obj.mk tinderbox: Only build clang/lld once if needed. 2018-06-27 16:58:10 +00:00
stage-install.sh
suite.test.mk Clean up all directories created by make hier 2019-02-06 21:24:44 +00:00
sys.dependfile.mk
sys.mk Reduce exec and fstat overhead for non-build targets. 2018-06-20 17:20:39 +00:00
tap.test.mk Feex a cuple of small typos 2018-07-27 10:44:38 +00:00
version_gen.awk share and pc-sysinstall: adoption of SPDX licensing ID tags. 2017-11-27 15:28:26 +00:00