MFC r345830: Create kernel module to parse Veriexec manifest based on…

… envs Submitted by: Kornel Duleba <[email protected]> Obtained from: Semihalf Sponsored by: Stormshield
HardenedBSD · Apr 26, 2019 · d4e7b8a · d4e7b8a
1 parent 63e5661
commit d4e7b8a
Show file tree

Hide file tree

Showing 12 changed files with 677 additions and 12 deletions.
diff --git a/lib/libsecureboot/Makefile.libsa.inc b/lib/libsecureboot/Makefile.libsa.inc
@@ -29,6 +29,11 @@ CFLAGS+= \
 	-I${SRCTOP}/stand/efi/include/${MACHINE}
 .endif
 
+.if ${MK_LOADER_VERIEXEC_PASS_MANIFEST} == "yes"
+SRCS+= \
+	pass_manifest.c
+.endif
+
 # this is the list of paths (relative to a file
 # that we need to verify) used to find a signed manifest.
 # the signature extensions in VE_SIGNATURE_EXT_LIST

diff --git a/lib/libsecureboot/h/verify_file.h b/lib/libsecureboot/h/verify_file.h
@@ -32,6 +32,7 @@
 #define VE_WANT         1            /* we want this verified */
 #define VE_MUST         2            /* this must be verified */
 
+#define VE_NOT_CHECKED -42
 #define VE_VERIFIED     1            /* all good */
 #define VE_UNVERIFIED_OK 0           /* not verified but that's ok */
 #define VE_NOT_VERIFYING 2	     /* we are not verifying */
@@ -42,6 +43,8 @@ void    ve_debug_set(int);
 int     ve_status_get(int);
 void    ve_efi_init(void);
 int     load_manifest(const char *, const char *, const char *, struct stat *);
+int     pass_manifest(const char *, const char *);
+int     pass_manifest_export_envs(void);
 int     verify_file(int, const char *, off_t, int);
 void    verify_pcr_export(void);
 

diff --git a/lib/libsecureboot/libsecureboot-priv.h b/lib/libsecureboot/libsecureboot-priv.h
@@ -31,6 +31,8 @@
 /* public api */
 #include "libsecureboot.h"
 
+struct stat;
+
 typedef struct {
 	unsigned char	*data;
 	size_t		hash_size;
@@ -50,6 +52,9 @@ int verify_rsa_digest(br_rsa_public_key *pkey,
     unsigned char *mdata, size_t mlen,
     unsigned char *sdata, size_t slen);
 
+int is_verified(struct stat *stp);
+void add_verify_status(struct stat *stp, int status);
+
 int openpgp_self_tests(void);
 
 int                     efi_secure_boot_enabled(void);

diff --git a/lib/libsecureboot/pass_manifest.c b/lib/libsecureboot/pass_manifest.c
@@ -0,0 +1,152 @@
+/*-
+ * Copyright (c) 2019 Stormshield.
+ * Copyright (c) 2019 Semihalf.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/stat.h>
+
+#include "libsecureboot-priv.h"
+#include <verify_file.h>
+
+/*
+ * Values to pass to kernel by envs.
+ */
+static char manifest_path[MAXPATHLEN];
+static char manifest_prefix[MAXPATHLEN];
+static char manifest_hash[2 * br_sha256_SIZE + 2];
+static int manifest_present = 0;
+
+/*
+ * Verify and pass manifest path and digest to kernel through envs.
+ * The paths in manifest can be either absolute,
+ * or "prefix", if exists will be added to the ones that are not.
+ */
+int
+pass_manifest(const char *path, const char *prefix)
+{
+	char *content;
+	struct stat st;
+	unsigned char digest[br_sha256_SIZE];
+	const br_hash_class *md;
+	br_hash_compat_context ctx;
+	int rc;
+
+	content = NULL;
+	md = &br_sha256_vtable;
+
+	if (strnlen(path, MAXPATHLEN) == MAXPATHLEN ||
+	    strnlen(prefix, MAXPATHLEN) == MAXPATHLEN)
+		return (EINVAL);
+
+	rc = stat(path, &st);
+	if (rc != 0)
+		goto out;
+
+	if (!S_ISREG(st.st_mode)) {
+		rc = EINVAL;
+		goto out;
+	}
+
+	rc = is_verified(&st);
+
+	if (rc != VE_NOT_CHECKED && rc != VE_VERIFIED) {
+		rc = EPERM;
+		goto out;
+	}
+
+	if (rc == VE_VERIFIED)
+		content = read_file(path, NULL);
+	else
+		content = (char *)verify_signed(path, VEF_VERBOSE);
+
+	if (content == NULL) {
+		add_verify_status(&st, VE_FINGERPRINT_WRONG);
+		rc = EIO;
+		goto out;
+	}
+
+	add_verify_status(&st, VE_VERIFIED);
+
+	md->init(&ctx.vtable);
+	md->update(&ctx.vtable, content, st.st_size);
+	md->out(&ctx.vtable, digest);
+
+	if (prefix == NULL)
+		manifest_prefix[0] = '\0';
+	else
+		strcpy(manifest_prefix, prefix);
+
+	strcpy(manifest_path, path);
+
+	hexdigest(manifest_hash, 2 * br_sha256_SIZE + 2,
+	    digest, br_sha256_SIZE);
+	manifest_hash[2*br_sha256_SIZE] = '\0';
+
+	manifest_present = 1;
+	rc = 0;
+
+out:
+	if (content != NULL)
+		free(content);
+
+	return (rc);
+}
+
+/*
+ * Set appropriate envs to inform kernel about manifest location and digest.
+ * This should be called right before boot so that envs can't be replaced.
+ */
+int
+pass_manifest_export_envs()
+{
+	int rc;
+
+	/* If we have nothing to pass make sure that envs are empty. */
+	if (!manifest_present) {
+		unsetenv("veriexec.manifest_path");
+		unsetenv("veriexec.manifest_hash");
+		unsetenv("veriexec.manifest_prefix");
+		return (0);
+	}
+
+	rc = setenv("veriexec.manifest_path", manifest_path, 1);
+	if (rc != 0)
+		return (rc);
+
+	rc = setenv("veriexec.manifest_hash", manifest_hash, 1);
+	if (rc != 0) {
+		unsetenv("veriexec.manifest_path");
+		return (rc);
+	}
+
+	if (manifest_prefix[0] != '\0')
+		rc = setenv("veriexec.manifest_prefix", manifest_prefix, 1);
+
+	return (rc);
+}
+
diff --git a/lib/libsecureboot/verify_file.c b/lib/libsecureboot/verify_file.c
@@ -36,8 +36,6 @@ __FBSDID("$FreeBSD$");
 #include <verify_file.h>
 #include <manifests.h>
 
-#define VE_NOT_CHECKED -42
-
 #ifdef UNIT_TEST
 # include <err.h>
 # define panic warn
@@ -112,7 +110,7 @@ struct verify_status {
 	struct verify_status *vs_next;
 };
 
-static int
+int
 is_verified(struct stat *stp)
 {
 	struct verify_status *vsp;
@@ -126,7 +124,7 @@ is_verified(struct stat *stp)
 }
 
 /* most recent first, since most likely to see repeated calls. */
-static void
+void
 add_verify_status(struct stat *stp, int status)
 {
 	struct verify_status *vsp;

diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk
@@ -200,6 +200,7 @@ __DEFAULT_NO_OPTIONS = \
     LIBSOFT \
     LOADER_FIREWIRE \
     LOADER_FORCE_LE \
+    LOADER_VERIEXEC_PASS_MANIFEST \
     NAND \
     OFED_EXTRA \
     OPENLDAP \
@@ -545,6 +546,10 @@ MK_CLANG_FULL:= no
 MK_LLVM_COV:= no
 .endif
 
+.if ${MK_LOADER_VERIEXEC} == "no"
+MK_LOADER_VERIEXEC_PASS_MANIFEST := no
+.endif
+
 #
 # MK_* options whose default value depends on another option.
 #

diff --git a/stand/common/boot.c b/stand/common/boot.c
@@ -108,6 +108,9 @@ command_boot(int argc, char *argv[])
 
 #ifdef LOADER_VERIEXEC
 	verify_pcr_export();		/* for measured boot */
+#ifdef LOADER_VERIEXEC_PASS_MANIFEST
+	pass_manifest_export_envs();
+#endif
 #endif
 
 	/* Call the exec handler from the loader matching the kernel */

diff --git a/stand/common/module.c b/stand/common/module.c
@@ -159,6 +159,13 @@ command_load(int argc, char *argv[])
 		ve_debug_set(dflag);
 	    return (load_manifest(argv[1], prefix, skip, NULL));
 	}
+#ifdef LOADER_VERIEXEC_PASS_MANIFEST
+		if (strncmp(typestr, "pass_manifest", 13) == 0) {
+			if (dflag > 0)
+				ve_debug_set(dflag);
+		    return (pass_manifest(argv[1], prefix));
+		}
+#endif
 #endif
 
 	fp = file_findfile(argv[1], typestr);

diff --git a/stand/loader.mk b/stand/loader.mk
@@ -77,6 +77,10 @@ SRCS+=	interp_simple.c
 CFLAGS+= -DLOADER_VERIEXEC -I${SRCTOP}/lib/libsecureboot/h
 .endif
 
+.if ${MK_LOADER_VERIEXEC_PASS_MANIFEST} != "no"
+CFLAGS+= -DLOADER_VERIEXEC_PASS_MANIFEST -I${SRCTOP}/lib/libsecureboot/h
+.endif
+
 .if defined(BOOT_PROMPT_123)
 CFLAGS+=	-DBOOT_PROMPT_123
 .endif

diff --git a/sys/conf/files b/sys/conf/files
@@ -4934,14 +4934,15 @@ security/mac_portacl/mac_portacl.c optional mac_portacl
 security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids
 security/mac_stub/mac_stub.c	optional mac_stub
 security/mac_test/mac_test.c	optional mac_test
-security/mac_veriexec/mac_veriexec.c		optional mac_veriexec
-security/mac_veriexec/veriexec_fingerprint.c	optional mac_veriexec
-security/mac_veriexec/veriexec_metadata.c	optional mac_veriexec
-security/mac_veriexec/mac_veriexec_rmd160.c	optional mac_veriexec_rmd160
-security/mac_veriexec/mac_veriexec_sha1.c	optional mac_veriexec_sha1
-security/mac_veriexec/mac_veriexec_sha256.c	optional mac_veriexec_sha256
-security/mac_veriexec/mac_veriexec_sha384.c	optional mac_veriexec_sha384
-security/mac_veriexec/mac_veriexec_sha512.c	optional mac_veriexec_sha512
+security/mac_veriexec/mac_veriexec.c			optional mac_veriexec
+security/mac_veriexec/veriexec_fingerprint.c		optional mac_veriexec
+security/mac_veriexec/veriexec_metadata.c		optional mac_veriexec
+security/mac_veriexec_parser/mac_veriexec_parser.c	optional mac_veriexec mac_veriexec_parser
+security/mac_veriexec/mac_veriexec_rmd160.c		optional mac_veriexec_rmd160
+security/mac_veriexec/mac_veriexec_sha1.c		optional mac_veriexec_sha1
+security/mac_veriexec/mac_veriexec_sha256.c		optional mac_veriexec_sha256
+security/mac_veriexec/mac_veriexec_sha384.c		optional mac_veriexec_sha384
+security/mac_veriexec/mac_veriexec_sha512.c		optional mac_veriexec_sha512
 teken/teken.c			optional sc | vt
 ufs/ffs/ffs_alloc.c		optional ffs
 ufs/ffs/ffs_balloc.c		optional ffs