loader: ignore some variable settings if input unverified

libsecureboot can tell us if the most recent file opened was verfied or not. If it's state is VE_UNVERIFIED_OK, skip if variable matches one of the restricted prefixes. Reviewed by: stevek MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org//D20909
2019-07-17 23:33:14 +00:00 · 2019-07-17 23:33:14 +00:00 · bbac74ca3c
commit bbac74ca3c
parent 068ad27de3
1 changed files with 30 additions and 0 deletions
--- a/stand/common/commands.c
+++ b/stand/common/commands.c
@ -304,6 +304,36 @@ command_set(int argc, char *argv[])
 		command_errmsg = "wrong number of arguments";
 		return (CMD_ERROR);
 	} else {
+#ifdef LOADER_VERIEXEC
+		/*
+		 * Impose restrictions if input is not verified
+		 */
+		const char *restricted[] = {
+			"boot",
+			"init",
+			"loader.ve.",
+			"rootfs",
+			"secur",
+			"vfs.",
+			NULL,
+		};
+		const char **cp;
+		int ves;
+
+		ves = ve_status_get(-1);
+		if (ves == VE_UNVERIFIED_OK) {
+#ifdef LOADER_VERIEXEC_TESTING
+			printf("Checking: %s\n", argv[1]);
+#endif
+			for (cp = restricted; *cp; cp++) {
+				if (strncmp(argv[1], *cp, strlen(*cp)) == 0) {
+					printf("Ignoring restricted variable: %s\n",
+					    argv[1]);
+					return (CMD_OK);
+				}
+			}
+		}
+#endif
 		if ((err = putenv(argv[1])) != 0) {
 			command_errmsg = strerror(err);
 			return (CMD_ERROR);