Commit Graph

240915 Commits

Author SHA1 Message Date
Conrad Meyer
3782136ff1 random(4): Restore availability tradeoff prior to r346250
As discussed in that commit message, it is a dangerous default.  But the
safe default causes enough pain on a variety of platforms that for now,
restore the prior default.

Some of this is self-induced pain we should/could do better about; for
example, programmatic CI systems and VM managers should introduce entropy
from the host for individual VM instances.  This is considered a future work
item.

On modern x86 and Power9 systems, this may be wholly unnecessary after
D19928 lands (even in the non-ideal case where early /boot/entropy is
unavailable), because they have fast hardware random sources available early
in boot.  But D19928 is not yet landed and we have a host of architectures
which do not provide fast random sources.

This change adds several tunables and diagnostic sysctls, documented
thoroughly in UPDATING and sys/dev/random/random_infra.c.

PR:		230875 (reopens)
Reported by:	adrian, jhb, imp, and probably others
Reviewed by:	delphij, imp (earlier version), markm (earlier version)
Discussed with:	adrian
Approved by:	secteam(delphij)
Relnotes:	yeah
Security:	related
Differential Revision:	https://reviews.freebsd.org/D19944
2019-04-18 20:48:54 +00:00
Hans Petter Selasky
db92a6cd51 Implement flag for telling cuse(3) clients if the peer is running in 32-bit
compat mode or not. This is useful when implementing compatibility ioctl(2)
handlers in userspace.

MFC after:		1 week
Sponsored by:		Mellanox Technologies
2019-04-18 19:04:07 +00:00
Konstantin Belousov
2d8bfbdcb2 Use correct type name.
Sponsored by:	Mellanox Technologies
MFC after:	1 week
2019-04-18 15:31:03 +00:00
Warner Losh
a03d6f0a16 Add note that I'm the defacto maintainer of libegacy, our
compat shims for building bootstrap tools that use new features
on systems too old to have those new features. The world view
for this part of the build is unique to the whole build process
and continuty of design for new compat shims help this library
remain viable.
2019-04-18 15:19:28 +00:00
Warner Losh
375cd3bbaa Minor tweak to the debug
Make it clear we're loading from UFS.
2019-04-18 15:19:19 +00:00
Konstantin Belousov
f9feb09189 Correct handling of RMRR during early enumeration stages.
On some machines, DMAR contexts must be created before all devices
under the scope of the corresponding DMAR unit are enumerated.
Current code has two problems with that:
- scope lookup returns NULL device_t, which causes to skip creating a
  context with RMRR, which is fatal for the affected device.
- calculation of the final pci dbsf address fails if any bridge in the
  scope is not yet enumerated, because code relies on pcib_get_bus().

Make creation of contexts work either with device_t, or with DMAR PCI
scope paths.  Scope provides enough information to infer context
address, and it is directly matched against DMAR tables scopes.

When calculating bus addresses for the scope or device, use direct
pci_cfgregread(PCIR_SECBUS_1) to get the secondary bus number, instead
of pcib_get_bus().

The issue was observed on HP Gen servers, where iLO PCI devices are
located behind south bridge switch.  Turning on translation without
satisfying RMRR requests caused iLO to mostly hang, up to the level of
being unusable to control the server.

While there, remove hw.dmar.dmar_match_verbose tunable, and make the
normal logging under bootverbose useful and sufficient to diagnose
DRHD and RMRR parsing and matching.

Sponsored by:	Mellanox Technologies
MFC after:	1 week
2019-04-18 14:18:06 +00:00
Konstantin Belousov
c07640c430 Remove witness warning. dmar_bus_dmamap_create() does not sleep.
Sponsored by:	Mellanox Technologies
MFC after:	1 week
2019-04-18 14:03:59 +00:00
Konstantin Belousov
1ad4a0314f Reduce verbosity, do not announce details of irte programming by default.
Sponsored by:	Mellanox Technologies
MFC after:	1 week
2019-04-18 14:02:33 +00:00
Kristof Provost
1c75b9d2cd pf: No need to M_NOWAIT in DIOCRSETTFLAGS
Now that we don't hold a lock during DIOCRSETTFLAGS memory allocation we can
use M_WAITOK.

MFC after:	1 week
Event:		Aberdeen hackathon 2019
Pointed out by:	glebius@
2019-04-18 11:37:44 +00:00
Tom Jones
40a06c5b29 Add a bugs section to pflog man page
FreeBSD does not set the pid field in the pfloghdr struct. This field is
populated on other platforms, document this to save people from trying
to use this field.

Event:	Aberdeen hackathon 2019
Reviewed by:	kp, bcr, bz
Approved by:	bz (mentor)
Differential Revision:	https://reviews.freebsd.org/D19952
2019-04-18 11:06:45 +00:00
Kristof Provost
b20ff7b90a pf tests: Fail the test if we can't set the rules
The test should fail if pf rules can't be set. This is helpful both
while writing tests and to verify that pfctl works as expected.

MFC after:	1 week
Event:		Aberdeen hackathon 2019
2019-04-18 10:54:08 +00:00
Warner Losh
a13881aff4 Add efi_delenv
Add an interface to remove / delete UEFI variables.
2019-04-18 05:40:50 +00:00
Warner Losh
883d342d38 Add a more generic efi_setenv function.
efi_setenv allows any UEFI variable to be set.
2019-04-18 05:37:18 +00:00
Cy Schubert
6389bef8f1 As an interim measure until a more permanent solution is implemented
workaround the following error:

/usr/src/contrib/elftoolchain/strings/strings.c:198:55: error: use of
undeclared identifier
'FA_OPEN' fa = fileargs_init(argc, argv, O_RDONLY, 0, &rights, FA_OPEN);

Reported by:	O. Hartmann <ohartmann@walstatt.org>
Reported by:	Michael Butler <imb@protected-networks.net>
Reported by:	gjb@ & cy@ (implicit)
Reviewed by:	emaste@
Noted by:	rgrimes@
2019-04-18 01:02:00 +00:00
Emmanuel Vadot
bfcf888a87 arm: allwinner: Fix audio for Allwinner H3/H5
Due to three conditions the codec driver for Allwinner A10/A20 and H3/H5 did not work properly here:

    Wrong bit position for the analog audio reset
    Hardware Reset of codec was not de-asserted correctly
    Linux DTS file did not contain the address of the analog register the way as the driver was expecting it.

This patch proposes fixes for those three parts.

Submitted by:	freebsdnewbie@freenet.de (Manuel Stühn)
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D19910
2019-04-17 21:45:19 +00:00
Emmanuel Vadot
9a4eed0be2 ofw_graph: Add functions for graph bindings
Those functions are helpers to work on graph bindings.
graphs are mostly use with video related devices.
See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/devicetree/bindings/graph.txt?id=4436a3711e3249840e0679e92d3c951bcaf25515

MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D19877
2019-04-17 20:09:01 +00:00
Ed Maste
79b02e7017 Put QEMU CI smoke test boot log in /tmp if TMPDIR not set
Sponsored by:	The FreeBSD Foundation
2019-04-17 19:24:41 +00:00
Ed Maste
297ce4ce2d Install some entropy for QEMU CI smoke test
See r346250 and followup commits and mailing list discussion.
We currently fail to boot properly in the absense of boot-time entropy.

Sponsored by:	The FreeBSD Foundation
2019-04-17 19:16:26 +00:00
Kyle Evans
499d565a91 Compile sha1.c when ether support is included
sha1 is used by ether_gen_addr after r346324. Perhaps in an ideal world we
could detect that the kernel's been compiled without sha1_* bits included
and silently fallback to arc4random instead because these platforms/kernel
configs are far and few between. It's fairly lightweight, though, so just
include it for now.
2019-04-17 18:08:28 +00:00
Ed Maste
cb12a6901a readelf: use size_t for object counts
PR:		212539
Reported by:	cem
Sponsored by:	The FreeBSD Foundation
2019-04-17 17:50:44 +00:00
Kyle Evans
1fd8c72c0a iflib: Use new ether_gen_addr, restricting addresses to that subset
Differential Revision:	https://reviews.freebsd.org/D19587
2019-04-17 17:19:54 +00:00
Kyle Evans
3c3aa8c170 net: adjust randomized address bits
Give devices that need a MAC a 16-bit allocation out of the FreeBSD
Foundation OUI range. Change the name ether_fakeaddr to ether_gen_addr now
that we're dealing real MAC addresses with a real OUI rather than random
locally-administered addresses.

Reviewed by:	bz, rgrimes
Differential Revision:	https://reviews.freebsd.org/D19587
2019-04-17 17:18:43 +00:00
Ed Maste
9817bae932 readelf: speed up readelf -wo
Use an array instead of STAILQ, and sort at the end instead of while
adding new elements.

PR:		212539
Submitted by:	Bora Özarslan <borako.ozarslan@gmail.com>
Reviewed by:	markj
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
2019-04-17 17:00:16 +00:00
Adrian Chadd
d2fd7f28fe [casper] fix compilation when casper is disabled.
This triggers an error in gcc-mips 6.4.0 complaining about unused arguments.

Tested:

* compiled/run on mips32; nothing complained.
2019-04-17 16:58:38 +00:00
Ed Maste
151744cf5c cap_fileargs: fix test after r346318
Reported by:	danfe, mjg
MFC after:	3 weeks
MFC with:	r346315
Sponsored by:	The FreeBSD Foundation
2019-04-17 16:45:42 +00:00
Kristof Provost
246e18b224 pf tests: Try to provoke the panic with invalid DIOCRSETTFLAGS
There was an issue with copyin() on DIOCRSETTFLAGS, which would panic if
pfrio_buffer was NULL.
Test for the issue fixed in r346319.

MFC after:	1 week
Event:		Aberdeen hackathon 2019
2019-04-17 16:45:35 +00:00
Kristof Provost
f5e0d9fcb4 pf: Fix panic on invalid DIOCRSETTFLAGS
If during DIOCRSETTFLAGS pfrio_buffer is NULL copyin() will fault, which we're
not allowed to do with a lock held.
We must count the number of entries in the table and release the lock during
copyin(). Only then can we re-acquire the lock. Note that this is safe, because
pfr_set_tflags() will check if the table and entries exist.

This was discovered by a local syzcaller instance.

MFC after:	1 week
Event:		Aberdeen hackathon 2019
2019-04-17 16:42:54 +00:00
Ed Maste
b6539d47bd cap_fileargs: fix GCC build, don't shadow 'stat'
Reported by:	ci.freebsd.org
MFC after:	3 weeks
MFC with:	r346315
Sponsored by:	The FreeBSD Foundation
2019-04-17 16:31:30 +00:00
Ian Lepore
2614c4835f Allow this test script to be run from within src/tools/boot dir, and create
the temporary image in $TMPDIR.

Allow the script to be run from the src/tools/boot directory by using make
-V SRCTOP to find the top of the tree, because this script is handy for
quick smoke-testing of loader changes, as well as being useful in CI testing.

Also, use a temp directory in $TMPDIR to assemble the boot image, and write
the boot log file to $TMPDIR.  Arrange to have the temporary image clean
itself up, but leave the log file in $TMPDIR for post-mortem analysis of
failures when the script is run interactively.

Differential Revision:	https://reviews.freebsd.org/D19876
2019-04-17 16:27:43 +00:00
Ed Maste
d76eef3430 cap_fileargs: chase r346315, update fileargs_init in consumers
Reported by:	ci.freebsd.org (8 times so far)
MFC after:	3 weeks
MFC with:	r346315
Sponsored by:	The FreeBSD Foundation
2019-04-17 16:18:14 +00:00
Ed Maste
7b558caee3 cap_fileargs: add fileargs_lstat service
Add fileargs_lstat function to cap_fileargs casper service to be able to
lstat files while in capability mode.  It can only lstat files given in
fileargs_init.

Submitted by:	Bora Özarslan <borako.ozarslan@gmail.com>
Reviewed by:	oshogbo, cem (partial)
MFC after:	3 weeks
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D19548
2019-04-17 16:02:57 +00:00
Ed Maste
fc07a84f80 cap_fileargs.3: typo and markup corrections
Submitted by:	Bora Özarslan" <borako.ozarslan@gmail.com>
MFC after:	1 week
MFC with:	r346313
Sponsored by:	The FreeBSD Foundation
2019-04-17 16:00:33 +00:00
Ed Maste
731d06abf2 cap_fileargs.3: correct 'filerags' typo
Submitted by:	Bora Özarslan" <borako.ozarslan@gmail.com>
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2019-04-17 15:48:33 +00:00
Ian Lepore
77f9408865 Only set up the interrupts that will actually be used in arm generic_timer.
The code previously set up interrupt handlers for all the interrupt
resources available, including for timers that are not in use.  That could
lead to interrupt storms.  For example, if boot firmware enabled the virtual
timer but the kernel is using the physical timer, it could get flooded with
interrupts on the virtual timer which it cannot shut off.  By only setting
up an interrupt handler for the hardware that will actually be used, any
interrupts from other timer units will remain masked in the interrupt
controller.

Differential Revision:	https://reviews.freebsd.org/D19871
2019-04-17 15:27:11 +00:00
Pedro F. Giffuni
adefd2ea56 Add orphan mentee. 2019-04-17 14:20:55 +00:00
Pedro F. Giffuni
3df1d861a4 Add myself to ports committers.
Approved by: pfg (mentor)
2019-04-17 14:12:11 +00:00
Kyle Evans
924f8189b0 fdt: further consolidate DTB building and revise manpage
FDT_DTS_FILE was built separately with a rule in sys/conf/files and
recreated the rules we used in dtb.mk. Now that we have other infrastructure
to build a DTB along with the kernel, fold FDT_DTS_FILE into that since it
doesn't have any special requirements.

fdt(4) never got revised to mention the DTS/DTSO make options, so do that
now.

Reviewed by:	imp
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D19736
2019-04-17 03:29:16 +00:00
Emmanuel Vadot
f52ce0326c arm: allwinner: Makes more device optional
MFC after:	2 weeks
2019-04-16 22:42:50 +00:00
Ed Maste
4066060c0b iflibtxrx.9: update function descriptions to match implementation
isc_rxd_refill, isc_rxd_flush return nothing, not void *.

isc_txd_credits_update, isc_rxd_available return int, not int *.

isc_txd_credits_update has a bool as final argument, not a uint32_t.
Prior to r315217 it took four arguments; the final two were
uint32_t, bool.

Reported by:	Gerald Aryeetey <aryeeteygerald_rogers.com>
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2019-04-16 20:41:04 +00:00
Emmanuel Vadot
91221f548e config: Only warn if duplicate option/device comes from the same file
This is useful for arm (possibly other arches too) where we want to have
a GENERIC kernel that only include files for the different SoC. Since
multiple SoCs/Board needs the same device we would need to do either :

    Include the device in a generic file
    Include the device in each file that really needs it

Option 1 works but if someone wants to create a specific kernel config
(which isn't uncommon for embedded system), he will need to add a lots
of nodevice to it.

Option 2 also works but produce a lots of warnings.

Reviewed by:	kevans
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D19424
2019-04-16 20:08:19 +00:00
Emmanuel Vadot
67bf7c5186 arm: Order files.arm to have cloudabi and annapurna sections
MFC after:	2 weeks
2019-04-16 20:06:39 +00:00
Emmanuel Vadot
dbfb4063ae arm: Add kern_clocksource.c directly in files.arm
This files is needed and included in all our config so move it to a common
location.

MFC after:	2 weeks
2019-04-16 20:04:22 +00:00
Konstantin Belousov
fdfe249b63 Fix initial x87 state after r345562.
After the referenced commit, we did not set x87 and sse valid bits in
the xstate_bv bitmask for initial fpu state (stored in memory), when
using XSAVE.

The state is loaded into FPU register file to initialize the process
FPU state, and since both bits were clear, the default x87 and SSE
states were loaded.  By chance, FreeBSD ABI SSE2 state is same as FPU
initial state, so the bug is not visible for 64bit processes.  But on
i386, the precision control should be set to double (53bit mantissa),
instead of the default double extended (64bit mantissa). For 32bit
processes on amd64, kernel reloads control word with the right mask,
which only left native i386 and amd64 native but using x87 as
affected.

Fix it by setting minimal required xstate_bv mask.

Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2019-04-16 19:46:02 +00:00
Emmanuel Vadot
b800eb9d17 allwinner: clk: Garbage collect old clock implementation
The old clocks are disconneted from the build since r337344.
Remove all those pseudo drivers. The only one remaining is for gmac
(the ethernet controller) so move it to sys/arm/allwinner.
While here remove a83t support from gmacclk as it is unneeded since r326114.

MFC after:	1 month
2019-04-16 19:38:16 +00:00
Conrad Meyer
ba57dad4b0 stack_protector: Add tunable to bypass random cookies
This is a stopgap measure to unbreak installer/VM/embedded boot issues
introduced (or at least exposed by) in r346250.

Add the new tunable, "security.stack_protect.permit_nonrandom_cookies," in
order to continue boot with insecure non-random stack cookies if the random
device is unavailable.

For now, enable it by default.  This is NOT safe.  It will be disabled by
default in a future revision.

There is follow-on work planned to use fast random sources (e.g., RDRAND on
x86 and DARN on Power) to seed when the early entropy file cannot be
provided, for whatever reason.  Please see D19928.

Some better hacks may be used to make the non-random __stack_chk_guard
slightly less predictable (from delphij@ and mjg@); those suggestions are
left for a future revision.  I think it may also be plausible to move stack
guard initialization far later in the boot process; potentially it could be
moved all the way to just before userspace is started.

Reported by:	many
Reviewed by:	delphij, emaste, imp (all w/ caveat: this is a stopgap fix)
Security:	yes
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D19927
2019-04-16 18:47:20 +00:00
Conrad Meyer
f3d2512db6 random(4): Add is_random_seeded(9) KPI
The imagined use is for early boot consumers of random to be able to make
decisions based on whether random is available yet or not.  One such
consumer seems to be __stack_chk_init(), which runs immediately after random
is initialized.  A follow-up patch will attempt to address that.

Reported by:	many
Reviewed by:	delphij (except man page)
Approved by:	secteam(delphij)
Differential Revision:	https://reviews.freebsd.org/D19926
2019-04-16 17:12:17 +00:00
Andrew Gallatin
2866548c8a Replace cosqos with numa_domain in mbuf pkthdr
The cosqos field was added nearly 6 years ago in r254804, and it is
still unused by any in-tree consumers.  I have a patchset that I'm
working on which aligns many network resources by NUMA domain,
including inps, inpcb lb group, tcp pacing, lagg output link
selection, backing pages for sendfile, and more.  It reduces
cross-domain traffic by roughly 50% for a real web workload.

This patchset relies on being able to store the numa domain in the
mbuf, and grabbing the unused cosqos field for this purpose is the
first step in starting to usptream it.

Reviewed by:	kib, markj
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D19862
2019-04-16 16:49:34 +00:00
Bruce Evans
c0643d9011 Sigh, r346279 was also a test version with the reduced size doubled (so
it was actually double the full size in current kernels where the reduction
is null, so overran the mmapped() buffer).
2019-04-16 15:52:04 +00:00
Bruce Evans
6ec0606616 Oops, r346278 committed a test version with the change annulled. 2019-04-16 15:41:45 +00:00
Bruce Evans
63df3a344e Quick fix for slow clearing and context switches of large frame buffers
with old kernels, by breaking the support for large frame buffers in the
same way as for current kernels.

Large frame buffers may be too large to map into kva, and the kernel
(syscons) only uses the first screen page anyway, so r203535, r205557
and 248799 limit the buffer size in VESA modes to the first screen
page, apparently without noticing that this breaks applications by
using the same limit for user mappings as for kernel mappings.  In
vgl, this makes the virtual screen the same as the physical screen.

However, this is almost a feature since clearing and switching large
(usually mostly unused) frame buffers takes too long.  E.g., on a 16
year old low-end AGP card it takes about 12 seconds to clear the 128MB
frame buffer in old kernels that map it all and also map it with slow
attributes (e.g., uncacheable).  Older PCI cards are even slower, but
usually have less memory.  Newer PCIe cards are faster, but may have
many GB of memory.  Also, vgl malloc()s a shadow buffer with the same
size as the frame buffer, so large frame buffers are even more wasteful
in applications than in the kernel.

Use the same limit in vgl as in newer kernels.

Virtual screens and panning still work in non-VESA modes that have
more than 1 page.  The reduced buffer size in the kernel also breaks
mmap() of the last physical page in modes where the reduced size is
not a multiple of the physical page size.  The same reduction in vgl
only reduces the virtual screen size.
2019-04-16 15:31:23 +00:00