2 * Copyright (c) 2018, Juniper Networks, Inc.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
13 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
14 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
15 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
16 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
17 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
18 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
19 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 #include <sys/cdefs.h>
26 __FBSDID("$FreeBSD$");
34 #include <libsecureboot.h>
35 #include <libveriexec.h>
42 int VeriexecVersion = 0;
44 const char *Cdir = NULL;
47 veriexec_load(const char *manifest)
49 unsigned char *content;
52 content = verify_signed(manifest, VEF_VERBOSE);
54 errx(EX_USAGE, "cannot verify %s", manifest);
55 if (manifest_open(manifest, content)) {
58 err(EX_NOINPUT, "cannot load %s", manifest);
65 main(int argc, char *argv[])
71 dev_fd = open(_PATH_DEV_VERIEXEC, O_WRONLY, 0);
73 while ((c = getopt(argc, argv, "C:i:x:vz:")) != -1) {
80 err(EX_UNAVAILABLE, "cannot open veriexec");
82 if (ioctl(dev_fd, VERIEXEC_GETSTATE, &x)) {
84 "Cannot get veriexec state");
87 case 'a': /* active */
88 ctl = VERIEXEC_STATE_ACTIVE;
90 case 'e': /* enforce */
91 ctl = VERIEXEC_STATE_ENFORCE;
93 case 'l': /* loaded/locked */
94 ctl = (strncmp(optarg, "lock", 4)) ?
95 VERIEXEC_STATE_LOCKED :
96 VERIEXEC_STATE_LOADED;
99 errx(EX_USAGE, "unknown state %s", optarg);
102 exit((x & ctl) == 0);
109 * -x says all other args are paths to check.
111 for (x = 0; optind < argc; optind++) {
112 if (veriexec_check_path(argv[optind])) {
113 warn("%s", argv[optind]);
121 case 'a': /* active */
122 ctl = VERIEXEC_ACTIVE;
124 case 'd': /* debug* */
125 ctl = (strstr(optarg, "off")) ?
126 VERIEXEC_DEBUG_OFF : VERIEXEC_DEBUG_ON;
127 if (optind < argc && ctl == VERIEXEC_DEBUG_ON) {
128 x = atoi(argv[optind]);
130 ctl = VERIEXEC_DEBUG_OFF;
133 case 'e': /* enforce */
134 ctl = VERIEXEC_ENFORCE;
137 ctl = VERIEXEC_GETSTATE; /* get state */
143 errx(EX_USAGE, "unknown command %s", optarg);
147 err(EX_UNAVAILABLE, "cannot open veriexec");
149 if (ioctl(dev_fd, ctl, &x)) {
150 err(EX_UNAVAILABLE, "cannot %s veriexec", optarg);
152 if (ctl == VERIEXEC_DEBUG_ON ||
153 ctl == VERIEXEC_DEBUG_OFF) {
154 printf("debug is: %d\n", x);
155 } else if (ctl == VERIEXEC_GETSTATE) {
162 openlog(getprogname(), LOG_PID, LOG_AUTH);
163 if (ve_trust_init() < 1)
164 errx(EX_OSFILE, "cannot initialize trust store");
165 #ifdef VERIEXEC_GETVERSION
166 if (ioctl(dev_fd, VERIEXEC_GETVERSION, &VeriexecVersion)) {
167 VeriexecVersion = 0; /* unknown */
171 for (; optind < argc; optind++) {
172 if (veriexec_load(argv[optind])) {
173 err(EX_DATAERR, "cannot load %s", argv[optind]);