authorMarcin Wojtas <mw@FreeBSD.org>2019-08-08 17:03:30 +0000
committerMarcin Wojtas <mw@FreeBSD.org>2019-08-08 17:03:30 +0000
commit435672e322431c14352a096e8cd3bbae56a38979 (patch)
tree11dfe715d8978d387fefe67b7518340af9188bd5 /stand/i386/loader
parent4d3f1eafc9372600fc1e5472187846d07fe96c54 (diff)
Verify files loaded in chain command.
The chain command can be used to chain load another binary. If veriexec is enabled we should verify it first. Note that on EFI systems the verification was already done through firmware, assuming that Secure Boot was enabled there. Submitted by: Kornel Duleba <mindal@semihalf.com> Reviewed by: sjg MFC after: 1 week Obtained from: Semihalf Differential Revision: https://reviews.freebsd.org/D20952
Notes
Notes: svn path=/head/; revision=350761
Diffstat (limited to 'stand/i386/loader')
-rw-r--r--stand/i386/loader/chain.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/stand/i386/loader/chain.c b/stand/i386/loader/chain.c
index 43ba2697e938..2a4816773882 100644
--- a/stand/i386/loader/chain.c
+++ b/stand/i386/loader/chain.c
@@ -75,6 +75,14 @@ command_chain(int argc, char *argv[])
return (CMD_ERROR);
}
+#ifdef LOADER_VERIEXEC
+ if (verify_file(fd, argv[1], 0, VE_MUST) < 0) {
+ sprintf(command_errbuf, "can't verify: %s", argv[1]);
+ close(fd);
+ return (CMD_ERROR);
+ }
+#endif
+
len = strlen(argv[1]);
if (argv[1][len-1] != ':') {
if (fstat(fd, &st) == -1) {
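Review bot: The added `sprintf(command_errbuf, "can't verify: %s", argv[1]);` copies the operator-supplied path into command_errbuf with no length bound, so a long argument to `chain` could overrun the buffer on the very failure path this check introduces. The declaration of command_errbuf is not visible in the hunk; if it is a fixed-size array in scope here, `snprintf(command_errbuf, sizeof(command_errbuf), "can't verify: %s", argv[1]);` bounds the write and truncates the name instead. A short comment above the `#ifdef` would also help, for example `/* Verify before any byte of the image is used; the load below must read through this same fd. */`, because the check only holds if the code after the hunk reads through this fd rather than reopening the path. command_chain starts and continues outside the hunk, so that last point needs confirming against the rest of the function.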