From bbac74ca3c6b1d33f98f7eb01b24d70a2195bcc3 Mon Sep 17 00:00:00 2001
From: "Simon J. Gerraty" <sjg@FreeBSD.org>
Date: Wed, 17 Jul 2019 23:33:14 +0000
Subject: [PATCH] loader: ignore some variable settings if input unverified

libsecureboot can tell us if the most recent file opened was
verfied or not.
If it's state is VE_UNVERIFIED_OK, skip if variable
matches one of the restricted prefixes.

Reviewed by:	stevek
MFC after:	1 week
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org//D20909
---
 stand/common/commands.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/stand/common/commands.c b/stand/common/commands.c
index 90375df1205b..4c1c9b2b6a86 100644
--- a/stand/common/commands.c
+++ b/stand/common/commands.c
@@ -304,6 +304,36 @@ command_set(int argc, char *argv[])
 		command_errmsg = "wrong number of arguments";
 		return (CMD_ERROR);
 	} else {
+#ifdef LOADER_VERIEXEC
+		/*
+		 * Impose restrictions if input is not verified
+		 */
+		const char *restricted[] = {
+			"boot",
+			"init",
+			"loader.ve.",
+			"rootfs",
+			"secur",
+			"vfs.",
+			NULL,
+		};
+		const char **cp;
+		int ves;
+
+		ves = ve_status_get(-1);
+		if (ves == VE_UNVERIFIED_OK) {
+#ifdef LOADER_VERIEXEC_TESTING
+			printf("Checking: %s\n", argv[1]);
+#endif
+			for (cp = restricted; *cp; cp++) {
+				if (strncmp(argv[1], *cp, strlen(*cp)) == 0) {
+					printf("Ignoring restricted variable: %s\n",
+					    argv[1]);
+					return (CMD_OK);
+				}
+			}
+		}
+#endif
 		if ((err = putenv(argv[1])) != 0) {
 			command_errmsg = strerror(err);
 			return (CMD_ERROR);