1 /*- 2 * Copyright (c) 2018, Juniper Networks, Inc. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 14 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 15 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 16 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 17 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 18 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 19 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 #include <sys/cdefs.h> 26 __FBSDID("$FreeBSD$"); 27 28 #include <stdlib.h> 29 #include <sysexits.h> 30 #include <unistd.h> 31 #include <paths.h> 32 #include <err.h> 33 #include <syslog.h> 34 #include <libsecureboot.h> 35 #include <libveriexec.h> 36 37 #include "veriexec.h" 38 39 int dev_fd = -1; 40 int ForceFlags = 0; 41 int Verbose = 0; 42 int VeriexecVersion = 0; 43 44 const char *Cdir = NULL; 45 46 static int 47 veriexec_load(const char *manifest) 48 { 49 unsigned char *content; 50 int rc; 51 52 content = verify_signed(manifest, VEF_VERBOSE); 53 if (!content) 54 errx(EX_USAGE, "cannot verify %s", manifest); 55 if (manifest_open(manifest, content)) { 56 rc = yyparse(); 57 } else { 58 err(EX_NOINPUT, "cannot load %s", manifest); 59 } 60 free(content); 61 return (rc); 62 } 63 64 int 65 main(int argc, char *argv[]) 66 { 67 unsigned long ctl; 68 int c; 69 int x; 70 71 dev_fd = open(_PATH_DEV_VERIEXEC, O_WRONLY, 0); 72 73 while ((c = getopt(argc, argv, "C:i:x:vz:")) != -1) { 74 switch (c) { 75 case 'C': 76 Cdir = optarg; 77 break; 78 case 'i': 79 if (dev_fd < 0) { 80 err(EX_UNAVAILABLE, "cannot open veriexec"); 81 } 82 if (ioctl(dev_fd, VERIEXEC_GETSTATE, &x)) { 83 err(EX_UNAVAILABLE, 84 "Cannot get veriexec state"); 85 } 86 switch (optarg[0]) { 87 case 'a': /* active */ 88 ctl = VERIEXEC_STATE_ACTIVE; 89 break; 90 case 'e': /* enforce */ 91 ctl = VERIEXEC_STATE_ENFORCE; 92 break; 93 case 'l': /* loaded/locked */ 94 ctl = (strncmp(optarg, "lock", 4)) ? 95 VERIEXEC_STATE_LOCKED : 96 VERIEXEC_STATE_LOADED; 97 break; 98 default: 99 errx(EX_USAGE, "unknown state %s", optarg); 100 break; 101 } 102 exit((x & ctl) == 0); 103 break; 104 case 'v': 105 Verbose++; 106 break; 107 case 'x': 108 /* 109 * -x says all other args are paths to check. 110 */ 111 for (x = 0; optind < argc; optind++) { 112 if (veriexec_check_path(argv[optind])) { 113 warn("%s", argv[optind]); 114 x = 2; 115 } 116 } 117 exit(x); 118 break; 119 case 'z': 120 switch (optarg[0]) { 121 case 'a': /* active */ 122 ctl = VERIEXEC_ACTIVE; 123 break; 124 case 'd': /* debug* */ 125 ctl = (strstr(optarg, "off")) ? 126 VERIEXEC_DEBUG_OFF : VERIEXEC_DEBUG_ON; 127 if (optind < argc && ctl == VERIEXEC_DEBUG_ON) { 128 x = atoi(argv[optind]); 129 if (x == 0) 130 ctl = VERIEXEC_DEBUG_OFF; 131 } 132 break; 133 case 'e': /* enforce */ 134 ctl = VERIEXEC_ENFORCE; 135 break; 136 case 'g': 137 ctl = VERIEXEC_GETSTATE; /* get state */ 138 break; 139 case 'l': /* lock */ 140 ctl = VERIEXEC_LOCK; 141 break; 142 default: 143 errx(EX_USAGE, "unknown command %s", optarg); 144 break; 145 } 146 if (dev_fd < 0) { 147 err(EX_UNAVAILABLE, "cannot open veriexec"); 148 } 149 if (ioctl(dev_fd, ctl, &x)) { 150 err(EX_UNAVAILABLE, "cannot %s veriexec", optarg); 151 } 152 if (ctl == VERIEXEC_DEBUG_ON || 153 ctl == VERIEXEC_DEBUG_OFF) { 154 printf("debug is: %d\n", x); 155 } else if (ctl == VERIEXEC_GETSTATE) { 156 printf("%#o\n", x); 157 } 158 exit(EX_OK); 159 break; 160 } 161 } 162 openlog(getprogname(), LOG_PID, LOG_AUTH); 163 if (ve_trust_init() < 1) 164 errx(EX_OSFILE, "cannot initialize trust store"); 165 #ifdef VERIEXEC_GETVERSION 166 if (ioctl(dev_fd, VERIEXEC_GETVERSION, &VeriexecVersion)) { 167 VeriexecVersion = 0; /* unknown */ 168 } 169 #endif 170 171 for (; optind < argc; optind++) { 172 if (veriexec_load(argv[optind])) { 173 err(EX_DATAERR, "cannot load %s", argv[optind]); 174 } 175 } 176 exit(EX_OK); 177 } 178