K 10
svn:author
V 6
stevek
K 8
svn:date
V 27
2018-06-20T00:48:46.408941Z
K 7
svn:log
V 1202
Device for user space to interface with MAC/veriexec.

The veriexec device features the following ioctl commands:

VERIEXEC_ACTIVE
  Activate veriexec functionality
VERIEXEC_DEBUG_ON
  Enable debugging mode and increment or set the debug level
VERIEXEC_DEBUG_OFF
  Disable debugging mode
VERIEXEC_ENFORCE
  Enforce veriexec fingerprinting (and acitvate if not already)
VERIEXEC_GETSTATE
  Get current veriexec state
VERIEXEC_LOCK
  Lock changes to veriexec meta-data store
VERIEXEC_LOAD
  Load veriexec fingerprint if secure level is not raised (and passes the
  checks for VERIEXEC_SIGNED_LOAD)
VERIEXEC_SIGNED_LOAD
  Load veriexec fingerprints from loader that supports signed manifest
  (and thus we can be more lenient about secure level being raised.)
  Fingerprints can be loaded if the meta-data store is not locked. Also
  securelevel must not have been raised or some fingerprints must have
  already been loaded, otherwise it would be dangerous to allow loading.
  (Note: this assumes that the fingerprints in the meta-data store at
         least cover the fingerprint loader.)

Reviewed by:	jtl
Obtained from:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D8561

END