By default only report unverified files at severity VE_WANT and above. This includes *.conf but not *.hints, *.cookie or *.tgz, which get VE_TRY as their severity. If Verbose is set to 0, then VerifyFlags should default to 0 too. Thus the combination of module_verbose=0 VE_VEBOSE=0 is sufficient to make the loader almost totally silent. When verify_prep has to find_manifest and it is verified ok, return VE_NOT_CHECKED to verify_file so that it can skip repeating verify_fd. Also add better debugging output for is_verified and add_verify_status. vectx: handle compressed modules. When verifying a compressed module (.ko.gz or .ko.bz2) stat() reports the size as -1 (unknown). vectx_lseek needs to spot this during closing and just read until EOF is hit. Note: because of the way libsa's open() works, verify_prep will see the path to be verified as module.ko, not module.ko.bz2 etc. This is actually ok, because we need a separate module.ko.bz2 entry so that the package can be verified, and the hash for module.ko is of the uncompressed file, which is what vectx will see. Re-work local.trust.mk so site.trust.mk need only set VE_SIGN_URL_LIST (if using the mentioned signing server). interp.c: restrict interactive input. Apply the same restrictions to interactive input as for unverified conf and hints files. Use version.veriexec when LOADER_VERIEXEC is yes. Reviewed by: kevans Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D43810
/*-
 * Copyright (c) 2018, Juniper Networks, Inc.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
#include <sys/cdefs.h>
#ifndef _STANDALONE
/* Avoid unwanted userlandish components */
#define _KERNEL
#include <sys/errno.h>
#undef _KERNEL
#endif
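#ifdef VECTX_DEBUG
static int vectx_debug = VECTX_DEBUG;	/* verbosity threshold for DEBUG_PRINTF */
/*
 * Print x (a parenthesised printf argument list) when the debug level
 * is at least n.  Wrapped in do { } while (0) so that a
 * DEBUG_PRINTF(...); used as the lone statement of an if/else cannot
 * swallow the following else branch.
 */
# define DEBUG_PRINTF(n, x) do {					\
	if (vectx_debug >= (n))						\
		printf x;						\
} while (0)
#endif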
#include "libsecureboot-priv.h"
#include <verify_file.h>
/**
 * @file vectx.c
 * @brief API to verify a file while it is being read
 *
 * This API allows the hash of a file to be computed as it is read,
 * so the loader does not have to read a module twice.
 * Key to this is seeking by reading: a forward seek is implemented by
 * reading (and hashing) the bytes that are skipped over, and the
 * context remembers how far it has hashed so that a backward seek
 * does not feed the same bytes into the digest twice.
 *
 * On close the rest of the file is drained into the hash and an
 * indication of the verification result is returned.
 */
struct vectx {
	br_hash_compat_context vec_ctx;	/* hash ctx; only initialised when vec_hashsz > 0 */
	const br_hash_class *vec_md;	/* hash method; only set when a supported digest was found */
	const char *vec_path;		/* path we are verifying (caller's pointer, not copied) */
	const char *vec_want;		/* hash value we want: manifest text after the "algo=" prefix */
	off_t vec_off;			/* current offset: where the next read() delivers from */
	off_t vec_hashed;		/* where we have hashed to; only ever advances */
	off_t vec_size;			/* size of path from stat(); negative when unknown */
	size_t vec_hashsz;		/* size of hash in bytes; 0 means we are not hashing */
	int vec_fd;			/* file descriptor; owned by the caller, never closed here */
	int vec_status;			/* verification status (0 or a VE_* code) */
	int vec_closing;		/* we are closing: drain to EOF, extra debug output */
};
/**
 * @brief
 * verify an open file as we read it
 *
 * Looks up the fingerprint (manifest) entry for @p path and, when a
 * supported digest is found, starts hashing.  If @p off is non-zero
 * the descriptor is rewound to 0 and read forward to @p off so that
 * the bytes the caller has already consumed are hashed too.
 *
 * If the file has no fingerprint to match, we will still return a
 * verification context containing little more than the file
 * descriptor, and an error code in @c error.  Such a context does
 * plain reads and seeks (vec_hashsz == 0).
 *
 * @param[in] fd
 *	open descriptor; ownership stays with the caller
 *
 * @param[in] path
 *	pathname of fd; the pointer is stored in the ctx, not copied,
 *	so it must outlive the ctx
 *
 * @param[in] off
 *	current offset of fd
 *
 * @param[in] stp
 *	pointer to struct stat for fd, or NULL to use a local one
 *
 * @param[out] error
 *	@li 0 all is good (hashing, or verify_prep says not to verify)
 *	@li ENOMEM out of memory
 *	@li VE_FINGERPRINT_NONE no entry found
 *	@li VE_FINGERPRINT_UNKNOWN no supported fingerprint in entry
 *	@li VE_FINGERPRINT_IGNORE entry is "no_hash"
 *	@li VE_FINGERPRINT_WRONG reported by verify_prep
 *
 * @param[in] caller
 *	name of the caller, used only in debug output
 *
 * @return ctx or NULL on error.
 *	NULL is returned for out-of-memory and when verify_prep reports
 *	VE_FINGERPRINT_NONE, VE_FINGERPRINT_UNKNOWN or
 *	VE_FINGERPRINT_WRONG.  Otherwise a ctx is returned and @p error
 *	says whether it is actually hashing.
 */
struct vectx *
vectx_open(int fd, const char *path, off_t off, struct stat *stp,
    int *error, const char *caller)
{
	struct vectx *ctx;
	struct stat st;
	size_t hashsz;
	char *cp;
	int rc;

	if (!stp)
		stp = &st;

	/* verify_prep decides whether path is subject to verification at all */
	rc = verify_prep(fd, path, off, stp, __func__);

	DEBUG_PRINTF(2,
	    ("vectx_open: caller=%s,fd=%d,name='%s',prep_rc=%d\n",
	    caller, fd, path, rc));

	/* hard failures from verify_prep: no ctx, caller must treat as error */
	switch (rc) {
	case VE_FINGERPRINT_NONE:
	case VE_FINGERPRINT_UNKNOWN:
	case VE_FINGERPRINT_WRONG:
		*error = rc;
		return (NULL);
	}
	ctx = malloc(sizeof(struct vectx));
	if (!ctx)
		goto enomem;
	ctx->vec_fd = fd;
	ctx->vec_path = path;
	ctx->vec_size = stp->st_size;	/* may be negative: size unknown */
	ctx->vec_off = 0;
	ctx->vec_hashed = 0;
	ctx->vec_want = NULL;
	ctx->vec_status = 0;
	ctx->vec_hashsz = hashsz = 0;
	ctx->vec_closing = 0;

	if (rc == 0) {
		/* we are not verifying this: plain pass-through ctx */
		*error = 0;
		return (ctx);
	}
	cp = fingerprint_info_lookup(fd, path);
	if (!cp) {
		ctx->vec_status = VE_FINGERPRINT_NONE;
		ve_error_set("%s: no entry", path);
	} else {
		/*
		 * The #ifdef'd "} else if" arms below splice into one
		 * if/else ladder; each enabled digest extends it.
		 */
		if (strncmp(cp, "no_hash", 7) == 0) {
			ctx->vec_status = VE_FINGERPRINT_IGNORE;
			hashsz = 0;
		} else if (strncmp(cp, "sha256=", 7) == 0) {
			ctx->vec_md = &br_sha256_vtable;
			hashsz = br_sha256_SIZE;
			cp += 7;
#ifdef VE_SHA1_SUPPORT
		} else if (strncmp(cp, "sha1=", 5) == 0) {
			ctx->vec_md = &br_sha1_vtable;
			hashsz = br_sha1_SIZE;
			cp += 5;
#endif
#ifdef VE_SHA384_SUPPORT
		} else if (strncmp(cp, "sha384=", 7) == 0) {
			ctx->vec_md = &br_sha384_vtable;
			hashsz = br_sha384_SIZE;
			cp += 7;
#endif
#ifdef VE_SHA512_SUPPORT
		} else if (strncmp(cp, "sha512=", 7) == 0) {
			ctx->vec_md = &br_sha512_vtable;
			hashsz = br_sha512_SIZE;
			cp += 7;
#endif
		} else {
			ctx->vec_status = VE_FINGERPRINT_UNKNOWN;
			ve_error_set("%s: no supported fingerprint", path);
		}
	}
	*error = ctx->vec_status;
	ctx->vec_hashsz = hashsz;
	ctx->vec_want = cp;	/* points just past the "algo=" prefix */
	if (hashsz > 0) {
		ctx->vec_md->init(&ctx->vec_ctx.vtable);

		if (off > 0) {
			/*
			 * Caller has already read up to off: rewind and
			 * re-read that prefix through vectx_lseek so it
			 * is hashed.
			 * NOTE(review): both return values are ignored; if
			 * the forward read fails, vec_off ends up short of
			 * off and the caller's idea of the position is off.
			 */
			lseek(fd, 0, SEEK_SET);
			vectx_lseek(ctx, off, SEEK_SET);
		}
	}
	DEBUG_PRINTF(2,
	    ("vectx_open: caller=%s,name='%s',hashsz=%lu,status=%d\n",
	    caller, path, (unsigned long)ctx->vec_hashsz,
	    ctx->vec_status));
	return (ctx);

enomem:	/* unlikely */
	*error = ENOMEM;
	free(ctx);	/* ctx is NULL here; free(NULL) is a no-op */
	return (NULL);
}
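/**
 * @brief
 * read bytes from file and update hash
 *
 * It is critical that all file I/O comes through here.
 * We keep track of current offset (@c vec_off).
 * We also track what offset we have hashed to (@c vec_hashed),
 * so we won't replay data into the hash if we seek backwards:
 * bytes below @c vec_hashed are handed back to the caller without
 * being hashed again.  Note that they are therefore not compared
 * with what was hashed the first time; the digest covers the bytes
 * as they were first read.
 *
 * @param[in] ctx
 *	pointer to ctx
 *
 * @param[in] buf
 *	destination buffer of at least @p nbytes
 *
 * @param[in] nbytes
 *	number of bytes wanted; satisfied in PAGE_SIZE chunks
 *
 * @return bytes read (0 at EOF), or the negative result of a failed
 *	read().  On failure the count of any bytes already delivered in
 *	this call is lost, but they have been hashed and @c vec_off
 *	was advanced past them, so the ctx stays consistent with the
 *	descriptor.
 */
ssize_t
vectx_read(struct vectx *ctx, void *buf, size_t nbytes)
{
	unsigned char *bp = buf;
	size_t off;			/* bytes delivered to caller so far */
	ssize_t n;			/* result of the last read() */

	if (ctx->vec_hashsz == 0)	/* not hashing; nothing to track */
		return (read(ctx->vec_fd, buf, nbytes));

	off = 0;
	n = 0;
	while (off < nbytes) {
		size_t want;
		size_t fresh;

		/*
		 * Do this in reasonable chunks so we don't timeout if
		 * doing tftp.  Compute the chunk in size_t: storing
		 * nbytes - off in an int could go negative for a large
		 * request and turn into an unbounded read().
		 */
		want = nbytes - off;
		if (want > PAGE_SIZE)
			want = PAGE_SIZE;
		n = read(ctx->vec_fd, &bp[off], want);
		if (ctx->vec_closing && (n < 0 || (size_t)n < want)) {
			DEBUG_PRINTF(3,
			    ("%s: read %ld off=%ld hashed=%ld size=%ld\n",
			    __func__, (long)n, (long)ctx->vec_off,
			    (long)ctx->vec_hashed, (long)ctx->vec_size));
		}
		if (n < 0)
			return (n);
		if (n == 0)
			break;		/* EOF */
		fresh = (size_t)n;

		/* we may have seeked backwards: skip what is already hashed */
		if (ctx->vec_off < ctx->vec_hashed) {
			off_t already = ctx->vec_hashed - ctx->vec_off;
			size_t skip;

			skip = (already < (off_t)fresh) ? (size_t)already : fresh;
			off += skip;
			fresh -= skip;
			ctx->vec_off += skip;
		}
		if (fresh > 0) {
			if (ctx->vec_closing && fresh < PAGE_SIZE) {
				DEBUG_PRINTF(3,
				    ("%s: update %ld + %ld\n", __func__,
				    (long)ctx->vec_hashed, (long)fresh));
			}
			/* only never-before-seen bytes reach the digest */
			ctx->vec_md->update(&ctx->vec_ctx.vtable, &bp[off], fresh);
			off += fresh;
			ctx->vec_off += fresh;
			ctx->vec_hashed += fresh;
		}
	}
	return ((ssize_t)off);
}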
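/**
 * @brief
 * vectx equivalent of lseek
 *
 * When seeking forwards we actually call vectx_read to reach the
 * desired offset, so the bytes skipped over are still hashed.
 *
 * We support seeking backwards (into data we have already hashed)
 * by seeking the descriptor; vectx_read then skips re-hashing until
 * it catches up with @c vec_hashed.  When reading via tftp we refuse
 * to rewind once more than a fifth of the file has been hashed.
 *
 * @param[in] ctx
 *	pointer to ctx
 *
 * @param[in] off
 *	desired offset
 *
 * @param[in] whence
 *	We try to convert whence to ``SEEK_SET``.
 *	``SEEK_END`` is only supported with @p off <= 0; when the
 *	size is unknown (@c vec_size < 0) it is only honoured while
 *	closing, where it reads to EOF.
 *	We do not support ``SEEK_DATA`` or ``SEEK_HOLE``.
 *
 * @return the resulting offset, or -1 on error.  On error @c vec_off
 *	is left alone and still matches the descriptor's position.  A
 *	forward seek that reaches EOF first returns the EOF offset,
 *	which is then smaller than @p off.
 */
off_t
vectx_lseek(struct vectx *ctx, off_t off, int whence)
{
	unsigned char buf[PAGE_SIZE];
	off_t pos;
	ssize_t n;

	if (ctx->vec_hashsz == 0)	/* not hashing; nothing to track */
		return (lseek(ctx->vec_fd, off, whence));

	DEBUG_PRINTF(3,
	    ("%s(%s, %ld, %d)\n", __func__, ctx->vec_path, (long)off, whence));

	/*
	 * Convert whence to SEEK_SET
	 */
	if (whence == SEEK_END && off <= 0) {
		if (ctx->vec_size < 0) {
			/*
			 * Size unknown (e.g. a compressed module).
			 * While closing, read until EOF so the hash
			 * covers the whole file; otherwise leave whence
			 * alone so it is rejected as unsupported below.
			 */
			if (ctx->vec_closing) {
				do {
					n = vectx_read(ctx, buf, PAGE_SIZE);
					if (n < 0)
						return (n);
				} while (n > 0);
				return (ctx->vec_off);
			}
		} else {
			if (ctx->vec_closing && ctx->vec_hashed < ctx->vec_size) {
				DEBUG_PRINTF(3, ("%s: SEEK_END %ld\n",
				    __func__,
				    (long)(ctx->vec_size - ctx->vec_hashed)));
			}
			whence = SEEK_SET;
			off += ctx->vec_size;
		}
	} else if (whence == SEEK_CUR) {
		whence = SEEK_SET;
		off += ctx->vec_off;
	}
	/*
	 * A negative absolute offset can never be valid; reject it here
	 * rather than handing it to lseek().  Seeking past a known size
	 * is refused as well.
	 */
	if (whence != SEEK_SET || off < 0 ||
	    (off > ctx->vec_size && ctx->vec_size > 0)) {
		printf("ERROR: %s: unsupported operation: whence=%d off=%ld -> %ld\n",
		    __func__, whence, (long)ctx->vec_off, (long)off);
		return (-1);
	}
	if (off < ctx->vec_hashed) {
#ifdef _STANDALONE
		struct open_file *f = fd2open_file(ctx->vec_fd);

		if (f != NULL &&
		    strncmp(f->f_ops->fs_name, "tftp", 4) == 0) {
			/* we cannot rewind if we've hashed much of the file */
			if (ctx->vec_hashed > ctx->vec_size / 5)
				return (-1);	/* refuse! */
		}
#endif
		/*
		 * Seeking backwards into already-hashed data: just do it,
		 * but only adopt the new position if lseek() succeeded.
		 * Storing its -1 in vec_off would make vectx_read treat
		 * the next vec_hashed + 1 bytes as "already hashed" and
		 * deliver them unhashed, with vec_off and the descriptor
		 * out of step from then on.
		 */
		pos = lseek(ctx->vec_fd, off, SEEK_SET);
		if (pos < 0)
			return (-1);
		ctx->vec_off = pos;
		return (ctx->vec_off);
	}
	/* seeking forwards: read (and hash) our way there */
	while (ctx->vec_off < off) {
		size_t want;

		want = (size_t)(off - ctx->vec_off);
		if (want > PAGE_SIZE)
			want = PAGE_SIZE;
		n = vectx_read(ctx, buf, want);
		if (n < 0)
			return (n);
		if (n == 0)
			break;		/* hit EOF before reaching off */
	}
	return (ctx->vec_off);
}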
/**
 * @brief
 * check that hashes match and cleanup
 *
 * We have finished reading the file; compare the hash with what we
 * wanted.  The descriptor is first drained to EOF through vectx_lseek
 * so that the digest covers the whole file, not just the part the
 * caller happened to read.
 *
 * Be sure to call this before closing the file, since we may
 * need to seek to the end to ensure hashing is complete.
 *
 * The ctx is freed here whatever the outcome; the caller still owns
 * (and must close) the descriptor.  A mismatch (VE_FINGERPRINT_WRONG)
 * panics when @p severity > VE_WANT.  For lower severities it is only
 * reported and returned: whatever the caller already consumed from
 * the file was unverified data, and it is up to the caller to act.
 *
 * @param[in] ctx
 *	pointer to ctx; invalid after return
 *
 * @param[in] severity
 *	VE_MUST, VE_WANT, ...: passed to verify_report, selects the
 *	panic on mismatch, and (with VE_PCR_SUPPORT) whether the pcr
 *	is updated
 *
 * @param[in] caller
 *	name of the caller, for debug output
 *
 * @return 0, or the negative VE_* result of the check.
 */
int
vectx_close(struct vectx *ctx, int severity, const char *caller)
{
	int result;

	ctx->vec_closing = 1;
	if (ctx->vec_hashsz != 0) {
#ifdef VE_PCR_SUPPORT
		/*
		 * Only update pcr with things that must verify
		 * these tend to be processed in a more deterministic
		 * order, which makes our pseudo pcr more useful.
		 */
		ve_pcr_updating_set((severity == VE_MUST));
#endif
		/* drain to EOF so every byte is in the digest */
		vectx_lseek(ctx, 0, SEEK_END);
		result = ve_check_hash(&ctx->vec_ctx, ctx->vec_md,
		    ctx->vec_path, ctx->vec_want, ctx->vec_hashsz);
	} else {
		/* nothing was hashed: report whatever open decided */
		result = ctx->vec_status;
	}
	DEBUG_PRINTF(2,
	    ("vectx_close: caller=%s,name='%s',rc=%d,severity=%d\n",
	    caller,ctx->vec_path, result, severity));
	verify_report(ctx->vec_path, severity, result, NULL);
#if !defined(UNIT_TEST) && !defined(DEBUG_VECTX)
	/* we are generally called with VE_MUST */
	if (result == VE_FINGERPRINT_WRONG && severity > VE_WANT)
		panic("cannot continue");
#endif
	free(ctx);
	return (result < 0 ? result : 0);
}