If the file is verified - do not allow write
otherwise do not allow read.
Add O_ACCMODE to stand.h
Reviewed by: stevek, mindal_semihalf.com
MFC after: 3 days
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D20387
This relies on libbearssl and libsecureboot
to verify files read by loader in a maner equivalent
to how mac_veriexec
Note: disabled by default.
Use is initially expected to be by embeded vendors
Reviewed by: emaste, imp
Sponsored by: Juniper Networks
Differential Revision: D16336
A foolish consistency is the hobgoblin of little minds, adored by
little statesmen and philosophers and divines. With consistency a
great soul has simply nothing to do. -- Ralph Waldo Emerson
testmain is a userland application intended to be built with standard
headers and whatnot, which we broke.
Fix it by having the testmain build clobber cflags, reducing it to just the
set of defines/includes it needs to build.
Discussed with: imp
MFC after: 3 days
OK. We don't really need a bsd.stand.mk, and it was causing a -fPIC
for the toolchain to be added (bogusly) when building on amd64. Pull
all relevant defs back into defs.mk and delete bsd.stand.mk.
This saves about 15-20k on i386 loader and zfsloader which when
combined with Lua give us a lot more stack space in those constrained
environments.
MK_CTF, MK_SSP, MK_PROFILE, NO_PIC, and INTERNALLIB are always the
same, so set them in defs.mk. MAN= is common, so set it here too.
This removes a lot of boring repetition from the Makefiles that added
almost no value.
This was an experiment that landed in the wrong branch and was pushed
accidentally. It's best if it is ignored because the difference was
due to vers.o being different, not float.o... And it was confirmed to
not fix anything...
Pointy Hat to: imp
We need to include ficl.h after the standard includes, rather than
before them. It changes the generated code in ways that haven't been
completely analyized. This restores the old code generation (as
verified by md5 changing back for zfsloader).
This should restore GPT + ZFS and GPT + ZFS + GELI booting that was
broken in r326585 (or would have been if r326584 hadn't broken the
build).
Sponsored by: Netflix
