mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-26 02:20:51 +01:00
f616d61ab6
By default only report unverified files at severity VE_WANT and above. This inlcudes *.conf but not *.hints, *.cookie or *.tgz which get VE_TRY as their severity. If Verbose is set to 0, then VerifyFlags should default to 0 too. Thus the combination of module_verbose=0 VE_VEBOSE=0 is sufficient to make the loader almost totally silent. When verify_prep has to find_manifest and it is verified ok return VE_NOT_CHECKED to verify_file so that it can skip repeating verify_fd Also add better debugging output for is_verified and add_verify_status. vectx handle compressed modules When verifying a compressed module (.ko.gz or .ko.bz2) stat() reports the size as -1 (unknown). vectx_lseek needs to spot this during closing - and just read until EOF is hit. Note: because of the way libsa's open() works, verify_prep will see the path to be verified as module.ko not module.ko.bz2 etc. This is actually ok, because we need a separate module.ko.bz2 entry so that the package can be verified, and the hash for module.ko is of the uncompressed file which is what vectx will see. Re-work local.trust.mk so site.trust.mk need only set VE_SIGN_URL_LIST (if using the mentioned signing server) interp.c: restrict interactive input Apply the same restrictions to interactive input as for unverified conf and hints files. Use version.veriexec when LOADER_VERIEXEC is yes Reviewed by: kevans Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D43810
109 lines
2.8 KiB
Makefile
109 lines
2.8 KiB
Makefile
|
|
# Consider this file an example.
|
|
#
|
|
# For Junos this is how we obtain trust anchor .pems
|
|
# the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
|
|
# for each key will provide the appropriate certificate chain on request
|
|
|
|
# allow site control
|
|
.-include "site.trust.mk"
|
|
|
|
#VE_DEBUG_LEVEL?=3
|
|
#VE_VERBOSE_DEFAULT?=2
|
|
|
|
VE_HASH_LIST?= \
|
|
SHA256 \
|
|
SHA384 \
|
|
|
|
VE_SELF_TESTS?= yes
|
|
|
|
# client for the signing server above
|
|
SIGNER?= /opt/sigs/sign.py
|
|
|
|
.if exists(${SIGNER})
|
|
OPENPGP_SIGNER?= ${SIGNER:H}/openpgp-sign.py
|
|
OPENPGP_SIGN_FLAGS= -a
|
|
OPENPGP_SIGN_HOST?= localhost
|
|
SIGN_HOST ?= localhost
|
|
|
|
# A list of name/ext/url tuples.
|
|
# name should be one of ECDSA, OPENPGP or RSA, they can be repeated
|
|
# Order of ext list implies runtime preference so do not sort!
|
|
VE_SIGN_URL_LIST?= \
|
|
ECDSA/esig/${SIGN_HOST}:${133%y:L:localtime} \
|
|
RSA/rsig/${SIGN_HOST}:${163%y:L:localtime} \
|
|
OPENPGP/asc/${OPENPGP_SIGN_HOST}:1234 \
|
|
|
|
.for sig ext url in ${VE_SIGN_URL_LIST:@x@${x:H:H} ${x:H:T} ${x:T}@}
|
|
SIGN_${sig}:= ${PYTHON} ${${sig}_SIGNER:U${SIGNER}} -u ${url} ${${sig}_SIGN_FLAGS:U-h sha256}
|
|
|
|
VE_SIGNATURE_LIST+= ${sig}
|
|
VE_SIGNATURE_EXT_LIST+= ${ext}
|
|
|
|
_SIGN_${sig}_USE: .USE
|
|
${SIGN_${sig}} ${.ALLSRC}
|
|
|
|
_TA_${sig}_USE: .USE
|
|
${SIGN_${sig}} -C ${.TARGET}
|
|
|
|
.if ${sig} == "OPENPGP"
|
|
ta_${sig:tl}.${ext}: _TA_${sig}_USE
|
|
ta_${ext}.h: ta_${sig:tl}.${ext}
|
|
.else
|
|
${ext:S/sig/certs/}.pem: _TA_${sig}_USE
|
|
# the last cert in the chain is the one we want
|
|
ta_${ext}.pem: ${ext:S/sig/certs/}.pem _LAST_PEM_USE
|
|
ta.h: ta_${ext}.pem
|
|
.if ${VE_SELF_TESTS} != "no"
|
|
# we use the 2nd last cert to test verification
|
|
vc_${ext}.pem: ${ext:S/sig/certs/}.pem _2ndLAST_PEM_USE
|
|
ta.h: vc_${ext}.pem
|
|
.endif
|
|
.endif
|
|
.endfor
|
|
|
|
# cleanup duplicates
|
|
VE_SIGNATURE_LIST:= ${VE_SIGNATURE_LIST:O:u}
|
|
|
|
.if target(ta_asc.h)
|
|
XCFLAGS.opgp_key+= -DHAVE_TA_ASC_H
|
|
|
|
.if ${VE_SELF_TESTS} != "no"
|
|
# for self test
|
|
vc_openpgp.asc: ta_openpgp.asc
|
|
${SIGN_OPENPGP} ${.ALLSRC:M*.asc}
|
|
mv ta_openpgp.asc.asc ${.TARGET}
|
|
|
|
ta_asc.h: vc_openpgp.asc
|
|
.endif
|
|
.endif
|
|
|
|
.else
|
|
VE_SIGNATURE_LIST?= RSA
|
|
|
|
# you need to provide t*.pem or t*.asc files for each trust anchor
|
|
# below assumes they are named ta_${ext}.pem eg ta_esig.pem for ECDSA
|
|
.if empty(TRUST_ANCHORS)
|
|
TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
|
|
.endif
|
|
.if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"
|
|
.error Need TRUST_ANCHORS see ${.PARSEDIR}/README.rst
|
|
.endif
|
|
|
|
.if ${TRUST_ANCHORS:T:Mt*.pem} != ""
|
|
ta.h: ${TRUST_ANCHORS:M*.pem}
|
|
VE_SIGNATURE_EXT_LIST?= ${TRUST_ANCHORS:T:Mt*.pem:R:S/ta_//}
|
|
.if ${VE_SIGNATURE_EXT_LIST:Mesig} != ""
|
|
VE_SIGNATURE_LIST+= ECDSA
|
|
.endif
|
|
.endif
|
|
|
|
.if ${TRUST_ANCHORS:T:Mt*.asc} != ""
|
|
VE_SIGNATURE_LIST+= OPENPGP
|
|
VE_SIGNATURE_EXT_LIST+= asc
|
|
ta_asc.h: ${TRUST_ANCHORS:M*.asc}
|
|
.endif
|
|
# we take the mtime of this as our baseline time
|
|
BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}
|
|
.endif
|