Verify files loaded in chain command.

The chain command can be used to chain load another binary.
If veriexec is enabled we should verify it first.
Note that on EFI systems the verification was already done
through firmware, assuming that Secure Boot was enabled there.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
MFC after: 1 week
Obtained from: Semihalf
Differential Revision: https://reviews.freebsd.org/D20952
This commit is contained in:
Marcin Wojtas 2019-08-08 17:03:30 +00:00
parent 4d3f1eafc9
commit 435672e322
2 changed files with 16 additions and 0 deletions

View File

@ -1440,6 +1440,14 @@ command_chain(int argc, char *argv[])
return (CMD_ERROR);
}
#ifdef LOADER_VERIEXEC
if (verify_file(fd, name, 0, VE_MUST) < 0) {
sprintf(command_errbuf, "can't verify: %s", name);
close(fd);
return (CMD_ERROR);
}
#endif
if (fstat(fd, &st) < -1) {
command_errmsg = "stat failed";
close(fd);

View File

@ -75,6 +75,14 @@ command_chain(int argc, char *argv[])
return (CMD_ERROR);
}
#ifdef LOADER_VERIEXEC
if (verify_file(fd, argv[1], 0, VE_MUST) < 0) {
sprintf(command_errbuf, "can't verify: %s", argv[1]);
close(fd);
return (CMD_ERROR);
}
#endif
len = strlen(argv[1]);
if (argv[1][len-1] != ':') {
if (fstat(fd, &st) == -1) {