d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2b9dde098f
freebsd-dev/lib
History
Marcin Wojtas b0fefb25c5 Create kernel module to parse Veriexec manifest based on envs 
The current approach of injecting manifest into mac_veriexec is to
verify the integrity of it in userspace (veriexec (8)) and pass its
entries into kernel using a char device (/dev/veriexec).
This requires verifying root partition integrity in loader,
for example by using memory disk and checking its hash.
Otherwise if rootfs is compromised an attacker could inject their own data.

This patch introduces an option to parse manifest in kernel based on envs.
The loader sets manifest path and digest.
EVENTHANDLER is used to launch the module right after the rootfs is mounted.
It has to be done this way, since one might want to verify integrity of the init file.
This means that manifest is required to be present on the root partition.
Note that the envs have to be set right before boot to make sure that no one can spoof them.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19281
2019-04-03 03:57:37 +00:00
..
atf DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
clang Standardize -std=c++* as CXXSTD` 2019-03-29 18:45:27 +00:00
csu Create crtsavres.o for powerpc builds 2019-01-12 21:29:54 +00:00
geom Add a “skip_dsn” option to g_part's bootcode verb to prevent g_part_mbr 2018-11-27 14:58:19 +00:00
googletest Import proof-of-concept for handling GTEST_SKIP() in Environment::SetUp 2019-04-01 18:07:48 +00:00
lib80211 Move regdomain.xml to lib/lib80211/ 2018-09-19 09:29:06 +00:00
libalias Move libalias.conf to lib/libalias/libalias/ 2018-09-18 20:54:37 +00:00
libarchive MFV r345495: 2019-03-25 11:49:57 +00:00
libauditd Disable -Wcast-align in libbsm and libauditd 2018-07-28 20:04:39 +00:00
libbe libbe: Fix zfs_is_mounted check w/ snapshots 2019-04-01 17:44:20 +00:00
libbearssl Add libbearssl 2019-02-26 05:59:22 +00:00
libbegemot DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
libblacklist DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
libblocksruntime DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
libbluetooth Move all bluetooth related config files out of etc 2018-08-21 19:28:53 +00:00
libbsdstat lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
libbsm Disable -Wcast-align in libbsm and libauditd 2018-07-28 20:04:39 +00:00
libbsnmp Add IPv6 transport for bsnmp. 2019-04-02 12:50:01 +00:00
libbz2 DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
libc Allow users to override CSTD/CXXSTD on a per-prog basis 2019-03-29 18:49:08 +00:00
libc_nonshared lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
libc++ Standardize -std=c++* as CXXSTD` 2019-03-29 18:45:27 +00:00
libc++experimental Standardize -std=c++* as CXXSTD` 2019-03-29 18:45:27 +00:00
libc++fs Standardize -std=c++* as CXXSTD` 2019-03-29 18:45:27 +00:00
libcalendar lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
libcam Make cam_error_print() decode NVMe commands. 2019-04-02 19:37:52 +00:00
libcapsicum List caph_limit_stream() in the synopsis. 2019-01-21 20:56:29 +00:00
libcasper r341692 changed cap_syslog(3) to preserve the stdio descriptors inherited 2019-02-06 04:36:28 +00:00
libclang_rt Standardize -std=c++* as CXXSTD` 2019-03-29 18:45:27 +00:00
libcom_err DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
libcompat ftime appeared in 7th Edition Unix to replace gtime. 2018-10-28 02:58:15 +00:00
libcompiler_rt The routines defined in comparedf2 and comparesf2 are defined in libc 2018-02-02 05:04:43 +00:00
libcrypt libcrypt: There is no need to clear message digest context after they 2018-07-20 07:16:28 +00:00
libcuse DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
libcxxrt Standardize -std=c++* as CXXSTD` 2019-03-29 18:45:27 +00:00
libdevctl Drop "All rights reserved" from my copyright statements. 2019-03-06 22:11:45 +00:00
libdevdctl zfsd: Allow zfsd to work on any type of GEOM provider 2018-02-14 23:52:39 +00:00
libdevinfo Update to device enumeration protocol 2 2018-05-31 02:58:03 +00:00
libdevstat lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
libdl Add libdl to clibs package 2018-03-29 19:43:29 +00:00
libdpv Fix comparison between pointer and char literal 2018-06-16 20:00:41 +00:00
libdwarf DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
libedit libedit: Avoid out of bounds read in 'bind' command 2019-01-16 21:59:18 +00:00
libefivar Regularize the Netflix copyright 2019-02-04 21:28:25 +00:00
libelf Update to ELF Tool Chain r3668 2019-01-10 14:35:23 +00:00
libelftc Update to ELF Tool Chain r3668 2019-01-10 14:35:23 +00:00
libevent DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
libexecinfo DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
libexpat Update expat to 2.2.6 2018-11-04 16:08:59 +00:00
libfetch When deciding whether to send the complete URL or just the document part, 2018-11-27 16:23:17 +00:00
libfigpar Slightly improve previous commit that silenced a Clang Scan warning. 2019-01-26 22:24:15 +00:00
libgcc_eh Standardize -std=c++* as CXXSTD` 2019-03-29 18:45:27 +00:00
libgcc_s Fix build by escaping a line break. 2018-01-31 21:41:42 +00:00
libgeom lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
libgpio DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
libgssapi lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
libiconv_modules libiconv: correct undefined behavior. 2018-07-08 23:22:04 +00:00
libifconfig Make libifconfig INTERNALLIB 2019-02-25 18:22:20 +00:00
libipsec Update pfkey_open() function to set socket's write buffer size to 2018-03-11 19:26:34 +00:00
libipt Add new shared library -- libipt. 2018-03-21 14:37:04 +00:00
libjail Rename fuse(4) to fusefs(4) 2019-03-20 21:48:43 +00:00
libkiconv lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
libkvm Drop "All rights reserved" from my copyright statements. 2019-03-06 22:11:45 +00:00
libldns Add libssl to libldns for DANE. 2018-10-12 05:27:58 +00:00
liblzma Enable use of Capsicum sandbox when there is only one 2019-01-09 05:30:46 +00:00
libmagic Don't use CCACHE for linking. 2018-06-27 19:29:15 +00:00
libmd r338270 had the side effect of no longer installing libmd.so into /lib. 2018-08-26 17:05:43 +00:00
libmemstat With r343051 UMA switched from atomic counts to counter(9) and now kernel 2019-02-18 21:27:13 +00:00
libmilter DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
libmp Make libmp(3) buildable. 2018-09-19 07:05:31 +00:00
libmt Add IBM TS1160 density codes to libmt and the mt(1) man page. 2019-03-04 14:30:37 +00:00
libnandfs lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
libnetbsd Make timespecadd(3) and friends public 2018-07-30 15:46:40 +00:00
libnetgraph s/NgSendMsgReply/NgSendReplyMsg/ in man to match the code. 2017-11-08 12:34:47 +00:00
libngatm DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
libnv libnv: fix memory leaks 2019-02-10 23:28:55 +00:00
libomp Standardize -std=c++* as CXXSTD` 2019-03-29 18:45:27 +00:00
libopenbsd Allow bootstrapping libopenbsd on Linux 2018-12-05 10:58:02 +00:00
libopencsd Add new shared library -- libopencsd. 2018-04-04 14:31:56 +00:00
libopie Move opieaccess to lib/libopie/ 2018-09-20 09:26:10 +00:00
libpam Really fix pam install. Don't commit late at night or you make simple mistakes. 2018-09-13 16:14:33 +00:00
libpathconv Disconnect libpathconv tests since they require external perl and do not work with kyua. 2017-10-31 19:52:30 +00:00
libpcap Remove redundant header file from source list in libpcap. 2018-05-30 08:24:57 +00:00
libpe
libpjdlog Revert 335888 ("Ensure va_list is declared by including stdarg.h.") 2018-07-03 15:48:34 +00:00
libpmc Fix deterministic builds by sorting input to fts in jevents 2019-02-05 00:31:25 +00:00
libpmcstat pmc(3)/hwpmc(4): update supported Intel processors to rely fully on the 2018-05-26 19:29:19 +00:00
libproc Detach from the child process before completing the test. 2018-07-27 20:34:15 +00:00
libprocstat Bump SPECNAMELEN to MAXNAMLEN. 2019-01-27 00:46:06 +00:00
libradius Make libradius(3) buildable. 2018-09-19 07:06:20 +00:00
libregex libregex: Mark gnuext test as an expected fail 2018-01-29 14:00:33 +00:00
librpcsec_gss lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
librpcsvc spdx: initial adoption of licensing ID tags. 2017-11-18 14:26:50 +00:00
librss DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
librt lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
librtld_db lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
libsbuf DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
libsdp Add support for Audio Sink and Audio Source profiles to sdpd(8). 2019-01-30 09:44:54 +00:00
libsecureboot Create kernel module to parse Veriexec manifest based on envs 2019-04-03 03:57:37 +00:00
libsm
libsmb Move nsmb.conf to lib/libsmb/ 2018-09-20 09:31:27 +00:00
libsmdb
libsmutil
libsqlite3 Disable FTS3, FTS4, and RTREE in bundled and private sqlite3. 2019-01-12 17:56:23 +00:00
libstdbuf lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
libstdthreads lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
libsysdecode Drop "All rights reserved" from my copyright statements. 2019-03-06 22:11:45 +00:00
libtacplus lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
libtelnet Remove redundant include directories which expand to a noop, 2017-07-31 19:07:45 +00:00
libthr Fix initial exec TLS mode for dynamically loaded shared objects. 2019-03-29 17:52:57 +00:00
libthread_db Implement pt_fpreg_to_ucontext(), pt_ucontext_to_fpreg(). 2018-08-02 12:24:34 +00:00
libucl DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
libufs Continuing efforts to provide hardening of FFS. This change adds a 2018-12-11 22:14:37 +00:00
libugidfw Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8), 2018-07-03 23:47:20 +00:00
libulog lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
libunbound Update Makefile for 1.8.0, apologies for the breakage. 2018-10-10 08:19:11 +00:00
libusb Fix typos in libusb. 2019-03-05 14:47:15 +00:00
libusbhid lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
libutil Fix pidfile_open(3) to handle relative paths with multiple components. 2019-03-27 19:40:18 +00:00
libveriexec This library allows for user space applications to check file descriptors 2018-06-20 00:55:18 +00:00
libvgl Fix restoring to graphics modes in VGLEnd(). 2019-03-29 16:30:19 +00:00
libvmmapi bhyve: Use MAP_GUARD when mapping guest memory ranges. 2018-09-06 20:29:40 +00:00
libwrap Move hosts.allow to lib/libwrap/ 2018-09-22 13:17:30 +00:00
libxo Import libxo-0.9.0: 2018-05-23 01:20:31 +00:00
liby liby: rewrite yyerror.h 2018-06-17 18:05:27 +00:00
libypclnt lib: further adoption of SPDX licensing ID tags. 2017-11-26 02:00:33 +00:00
libz Add zdopen(3) to complement zopen(3). 2018-12-06 20:03:06 +00:00
libzstd Update to Zstandard 1.3.8 2018-12-29 21:18:01 +00:00
msun Replace calls to sin(x) and cos(x) with a single call to sincos(). 2019-02-10 08:46:07 +00:00
ncurses Fix ncurses fallback.c build with a strict build shell 2018-10-23 06:31:31 +00:00
ofed Standardize -std=c++* as CXXSTD` 2019-03-29 18:45:27 +00:00
tests
Makefile Enable building libomp.so for 32-bit x86. This is done by selectively 2019-03-18 21:04:28 +00:00
Makefile.inc