faba5effd4
The veriexec device features the following ioctl commands:

VERIEXEC_ACTIVE
  Activate veriexec functionality
VERIEXEC_DEBUG_ON
  Enable debugging mode and increment or set the debug level
VERIEXEC_DEBUG_OFF
  Disable debugging mode
VERIEXEC_ENFORCE
  Enforce veriexec fingerprinting (and activate if not already)
VERIEXEC_GETSTATE
  Get current veriexec state
VERIEXEC_LOCK
  Lock changes to veriexec meta-data store
VERIEXEC_LOAD
  Load veriexec fingerprint if secure level is not raised (and passes the checks for VERIEXEC_SIGNED_LOAD)
VERIEXEC_SIGNED_LOAD
  Load veriexec fingerprints from loader that supports signed manifest (and thus we can be more lenient about secure level being raised.) Fingerprints can be loaded if the meta-data store is not locked. Also securelevel must not have been raised or some fingerprints must have already been loaded, otherwise it would be dangerous to allow loading. (Note: this assumes that the fingerprints in the meta-data store at least cover the fingerprint loader.)

Reviewed by: jtl
Obtained from: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D8561
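The load-gating rules stated in the commit message above, written out as a small state model. This is an added example, not code from this commit or from FreeBSD; the struct, enum and function names are hypothetical and no real ioctl numbers are used.

```c
#include <stdbool.h>

/* Hypothetical model of the state the commit message describes. */
struct ve_model {
    bool active;             /* set by ACTIVE, and implicitly by ENFORCE */
    bool enforce;            /* set by ENFORCE */
    bool locked;             /* set by LOCK: meta-data store is frozen */
    bool securelevel_raised; /* securelevel has been raised */
    unsigned loaded;         /* fingerprints in the meta-data store */
};

/* Hypothetical command tags standing in for the ioctl commands. */
enum ve_cmd { VE_ACTIVE, VE_ENFORCE, VE_LOCK, VE_LOAD, VE_SIGNED_LOAD };

/* Signed load: store not locked, and either securelevel is not raised
 * or some fingerprints are already present. */
static bool ve_signed_load_ok(const struct ve_model *m)
{
    if (m->locked)
        return false;
    return !m->securelevel_raised || m->loaded > 0;
}

/* Plain load: securelevel not raised, plus the signed-load checks. */
static bool ve_load_ok(const struct ve_model *m)
{
    return !m->securelevel_raised && ve_signed_load_ok(m);
}

/* Apply one command to the model; 0 on success, -1 when refused. */
int ve_apply(struct ve_model *m, enum ve_cmd cmd)
{
    switch (cmd) {
    case VE_ACTIVE:  m->active = true; return 0;
    case VE_ENFORCE: m->active = true; m->enforce = true; return 0;
    case VE_LOCK:    m->locked = true; return 0;
    case VE_LOAD:
        if (!ve_load_ok(m)) return -1;
        m->loaded++;
        return 0;
    case VE_SIGNED_LOAD:
        if (!ve_signed_load_ok(m)) return -1;
        m->loaded++;
        return 0;
    }
    return -1;
}
```

The case worth noticing is a store that is still empty when securelevel is raised: in this model even the signed path is refused, matching the message's "otherwise it would be dangerous to allow loading".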
13 lines
175 B
Makefile
# $FreeBSD$

.PATH: ${.PARSEDIR:H:H}/dev/veriexec

.include <bsd.own.mk>

KMOD= veriexec
SRCS= verified_exec.c
SRCS+= bus_if.h device_if.h vnode_if.h

.include <bsd.kmod.mk>