2 * Copyright (c) 2019 Stormshield.
3 * Copyright (c) 2019 Semihalf.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
16 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
17 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
18 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
19 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
20 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
22 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
23 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
24 * POSSIBILITY OF SUCH DAMAGE.
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
30 #include <sys/param.h>
31 #include <sys/ctype.h>
32 #include <sys/eventhandler.h>
33 #include <sys/fcntl.h>
35 #include <sys/module.h>
36 #include <sys/mutex.h>
37 #include <sys/namei.h>
39 #include <sys/systm.h>
40 #include <sys/vnode.h>
42 #include <crypto/sha2/sha256.h>
43 #include <crypto/sha2/sha384.h>
44 #include <crypto/sha2/sha512.h>
46 #include <security/mac_veriexec/mac_veriexec.h>
47 #include <security/mac_veriexec/mac_veriexec_internal.h>
49 /* The following are based on sbin/veriexec */
50 struct fingerprint_type {
56 const char *flag_name;
60 static const struct fingerprint_type fp_table[] = {
61 {"sha256=", SHA256_DIGEST_LENGTH},
62 #if MAXFINGERPRINTLEN >= SHA384_DIGEST_LENGTH
63 {"sha384=", SHA384_DIGEST_LENGTH},
65 #if MAXFINGERPRINTLEN >= SHA512_DIGEST_LENGTH
66 {"sha512=", SHA512_DIGEST_LENGTH},
71 static const struct fp_flag flags_table[] = {
72 {"indirect", VERIEXEC_INDIRECT},
73 {"no_ptrace", VERIEXEC_NOTRACE},
74 {"trusted", VERIEXEC_TRUSTED},
75 {"no_fips", VERIEXEC_NOFIPS},
79 extern struct mtx ve_mutex;
81 static unsigned char hexchar_to_byte(unsigned char c);
82 static int hexstring_to_bin(unsigned char *buf);
84 static int get_flags(const char *entry);
85 static int get_fp(const char *entry, char **type,
86 unsigned char **digest, int *flags);
87 static int verify_digest(const char *data, size_t len,
88 const unsigned char *expected_hash);
90 static int open_file(const char *path, struct nameidata *nid);
91 static char *read_manifest(char *path, unsigned char *digest);
92 static int parse_entry(char *entry, char *prefix);
93 static int parse_manifest(char *path, unsigned char *hash, char *prefix);
96 hexchar_to_byte(unsigned char c)
102 return (isupper(c) ? c - 'A' + 10 : c - 'a' + 10);
106 hexstring_to_bin(unsigned char *buf)
112 for (i = 0; i < len / 2; i++) {
113 if (!isxdigit(buf[2 * i]) || !isxdigit(buf[2 * i + 1]))
116 byte = hexchar_to_byte(buf[2 * i]) << 4;
117 byte += hexchar_to_byte(buf[2 * i + 1]);
124 get_flags(const char *entry)
129 for (i = 0; flags_table[i].flag_name != NULL; i++)
130 if (strstr(entry, flags_table[i].flag_name) != NULL)
131 result |= flags_table[i].flag;
137 * Parse a single line of manifest looking for a digest and its type.
138 * We expect it to be in form of "path shaX=hash".
139 * The line will be split into path, hash type and hash value.
142 get_fp(const char *entry, char **type, unsigned char **digest, int *flags)
155 for (i = 0; fp_table[i].fp_type != NULL; i++) {
156 fp_type = strstr(entry, fp_table[i].fp_type);
157 /* Look for the last "shaX=hash" in line */
158 while (fp_type != NULL) {
159 prev_fp_type = fp_type;
161 fp_type = strstr(fp_type, fp_table[i].fp_type);
163 fp_type = prev_fp_type;
164 if (fp_type != NULL) {
165 if (fp_type == entry || fp_type[-1] != ' ')
169 * The entry should contain at least
170 * fp_type and digest in hexadecimal form.
172 min_len = strlen(fp_table[i].fp_type) +
173 2 * fp_table[i].fp_size;
175 if (strnlen(fp_type, min_len) < min_len)
178 local_digest = &fp_type[strlen(fp_table[i].fp_type)];
179 delimiter = &local_digest[2 * fp_table[i].fp_size];
182 * Make sure that digest is followed by
183 * some kind of delimiter.
185 if (*delimiter != '\n' &&
186 *delimiter != '\0' &&
191 * Does the entry contain flags we need to parse?
193 if (*delimiter == ' ' && flags != NULL)
194 *flags = get_flags(delimiter);
197 * Split entry into three parts:
198 * path, fp_type and digest.
200 local_digest[-1] = '\0';
214 *digest = local_digest;
220 * Currently we verify manifest using sha256.
221 * In future another env with hash type could be introduced.
224 verify_digest(const char *data, size_t len, const unsigned char *expected_hash)
227 unsigned char hash[SHA256_DIGEST_LENGTH];
230 SHA256_Update(&ctx, data, len);
231 SHA256_Final(hash, &ctx);
233 return (memcmp(expected_hash, hash, SHA256_DIGEST_LENGTH));
237 open_file(const char *path, struct nameidata *nid)
245 NDINIT(nid, LOOKUP, 0, UIO_SYSSPACE, path, curthread);
246 rc = vn_open(nid, &flags, 0, NULL);
247 NDFREE(nid, NDF_ONLY_PNBUF);
255 * Read the manifest from location specified in path and verify its digest.
258 read_manifest(char *path, unsigned char *digest)
260 struct nameidata nid;
263 ssize_t bytes_read, resid;
269 rc = open_file(path, &nid);
273 rc = VOP_GETATTR(nid.ni_vp, &va, curthread->td_ucred);
277 data = (char *)malloc(va.va_size + 1, M_VERIEXEC, M_WAITOK);
279 while (bytes_read < va.va_size) {
281 UIO_READ, nid.ni_vp, data,
282 va.va_size - bytes_read, bytes_read,
283 UIO_SYSSPACE, IO_NODELOCKED,
284 curthread->td_ucred, NOCRED, &resid, curthread);
288 bytes_read = va.va_size - resid;
291 data[bytes_read] = '\0';
293 VOP_UNLOCK(nid.ni_vp);
294 (void)vn_close(nid.ni_vp, FREAD, curthread->td_ucred, curthread);
297 * If digest is wrong someone might be trying to fool us.
299 if (verify_digest(data, va.va_size, digest))
300 panic("Manifest hash doesn't match expected value!");
306 free(data, M_VERIEXEC);
312 * Process single line.
313 * First split it into path, digest_type and digest.
314 * Then try to open the file and insert its fingerprint into metadata store.
317 parse_entry(char *entry, char *prefix)
319 struct nameidata nid;
321 char path[MAXPATHLEN];
323 unsigned char *digest;
324 int rc, is_exec, flags;
330 rc = get_fp(entry, &fp_type, &digest, &flags);
334 rc = hexstring_to_bin(digest);
338 if (strnlen(entry, MAXPATHLEN) == MAXPATHLEN)
341 /* If the path is not absolute prepend it with a prefix */
342 if (prefix != NULL && entry[0] != '/') {
343 rc = snprintf(path, MAXPATHLEN, "%s/%s",
351 rc = open_file(path, &nid);
352 NDFREE(&nid, NDF_ONLY_PNBUF);
356 rc = VOP_GETATTR(nid.ni_vp, &va, curthread->td_ucred);
360 is_exec = (va.va_mode & VEXEC);
363 rc = mac_veriexec_metadata_add_file(
365 va.va_fsid, va.va_fileid, va.va_gen,
369 mtx_unlock(&ve_mutex);
372 VOP_UNLOCK(nid.ni_vp);
373 vn_close(nid.ni_vp, FREAD, curthread->td_ucred, curthread);
378 * Look for manifest in env that have beed passed by loader.
379 * This routine should be called right after the rootfs is mounted.
382 parse_manifest(char *path, unsigned char *hash, char *prefix)
387 int rc, success_count;
393 data = read_manifest(path, hash);
400 while (entry != NULL) {
401 next_entry = strchr(entry, '\n');
402 if (next_entry != NULL) {
406 if (entry[0] == '\n' || entry[0] == '\0') {
410 if ((rc = parse_entry(entry, prefix)))
411 printf("mac_veriexec_parser: Warning: Failed to parse"
412 " entry with rc:%d, entry:\"%s\"\n", rc, entry);
422 free(data, M_VERIEXEC);
424 if (success_count == 0)
431 parse_manifest_event(void *dummy)
434 char *manifest_prefix;
435 unsigned char *manifest_hash;
438 /* If the envs are not set fail silently */
439 manifest_path = kern_getenv("veriexec.manifest_path");
440 if (manifest_path == NULL)
443 manifest_hash = kern_getenv("veriexec.manifest_hash");
444 if (manifest_hash == NULL) {
445 freeenv(manifest_path);
449 manifest_prefix = kern_getenv("veriexec.manifest_prefix");
451 if (strlen(manifest_hash) != 2 * SHA256_DIGEST_LENGTH)
452 panic("veriexec.manifest_hash has incorrect size");
454 rc = hexstring_to_bin(manifest_hash);
456 panic("mac_veriexec: veriexec.loader.manifest_hash"
457 " doesn't contain a hash in hexadecimal form");
459 rc = parse_manifest(manifest_path, manifest_hash, manifest_prefix);
461 panic("mac_veriexec: Failed to parse manifest err=%d", rc);
464 mac_veriexec_set_state(
465 VERIEXEC_STATE_LOADED | VERIEXEC_STATE_ACTIVE |
466 VERIEXEC_STATE_LOCKED | VERIEXEC_STATE_ENFORCE);
467 mtx_unlock(&ve_mutex);
469 freeenv(manifest_path);
470 freeenv(manifest_hash);
471 if (manifest_prefix != NULL)
472 freeenv(manifest_prefix);
475 EVENTHANDLER_DEFINE(mountroot, parse_manifest_event, NULL, 0);