Too many version of UEFI firmware (so far only confirmed on amd64)
don't really support efibootmgr selection of boot. That's the most
reliable, when it works, since there's no guesswork. However, many do
not save, unmolested, the variables that efibootmgr sets, so as a
fallback we also install loader.efi as bootXXX.efi (where XXX is
either aa64 or x64) if it doesn't already exist in /efi/boot on the
ESP. The standard only defines this for removable devices, but it's
almost ubiquitously used as a fallback. Many BIOSes implement a drive
selection feature that takes over the efibootmgr protocol, rendinering
it useless (either generally, or for those vendors not on the short
list). bootxxx.efi works around this. However, we don't install it
unconditionally there, as that breaks some popular multi-boot setups.
MFC After: 1 week
Differential Revision: https://reviews.freebsd.org/D26428
Repeating the default WARNS here makes it slightly more difficult to
experiment with default WARNS changes, e.g. if we did something absolutely
bananas and introduced a WARNS=7 and wanted to try lifting the default to
that.
Drop most of them; there is one in the blake2 kernel module, but I suspect
it should be dropped -- the default WARNS in the rest of the build doesn't
currently apply to kernel modules, and I haven't put too much thought into
whether it makes sense to make it so.
Prune dead mirrors from the list of mirrors in bsdconfig and bsdinstall.
All these return NXDOMAIN when trying to resolve them.
Reviewed by: emaste
Approved by: emaste
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D26535
As of r365829, any given base distribution set will now include the /etc/ssl
symlinks that this rehash would've otherwise installed. This extra step is
no longer required.
MFC after: 1 week
X-MFC-With: r365837
If certctl is installed on the system we're configuring, do a certctl
rehash.
Note that certctl may not be present if the world we've installed was built
either WITHOUT_OPENSSL or WITHOUT_CAROOT. In this scenario, we don't
currently see if the host has a certctl as this may be an indication that
the system *shouldn't* have certs installed into /etc/ssl.
Reviewed by: allanjude, dteske
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D24640
- Mention bootconfig target in TARGETS section.
- Document PARTITIONS variable, which is only mentioned in the examples,
but doesn't have its own point.
Submitted by: arrowd@
Reviewed by: bcr
Approved by: bcr (mentor)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D22927
Includes commentary of when ZFS works well by default (>= 8GB RAM),
and where to go for information on ZFS tuning if required.
Also hoist the options text to the top of script as variables
(will help with future international translations).
Reviewed by: philip, dteske, karels, imp, emaste
Approved by: rgrimes
Differential Revision: https://reviews.freebsd.org/D23224
This resulted in the partitioning step failing if either of the
"Auto (UFS)" or "Manual" options were selected.
Reason: partedit was attempting to open a directory (TMPDIR) read/write,
which resulted in errno(2) 21 - EISDIR - Is a directory.
Reported by: Clay Daniels <clay.daniels.jr@gmail.com>
Reviewed by: Ryan Moeller <ryan@freqlabs.com>
Approved by: emaste, bcran
Differential Revision: https://reviews.freebsd.org/D23232
Pass the list of user selected disks from zfsboot to bootconfig so that
the latter doesn't rely on ESP autodetection that apparently fails for
some cases, e.g. memstick installation with nvme (boot) and sata drives.
While here, fix printing of debug messages in bootconfig.
Reviewed by: bcran, imp, tsoome
Differential Revision: https://reviews.freebsd.org/D21930
installer when installing the system on a ZFS root filesystem.
For arm64, zfs_load="YES" does not add opensolaris.ko as a kld
dependency, so add it explicitly to prevent boot-time failures
out-of-box.
PR: 240478
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC (Netgate)
Summary:
Now that mpc85xx can boot via ubldr, move ubldr to a separate
filesystem, mounted on /boot/uboot, so that a fresh install can boot correctly.
Reviewed By: nwhitehorn
Differential Revision: https://reviews.freebsd.org/D18709
When using a gmirror, entries in /dev can be removed. So instead of using
kern.disks, get the list of disks from "gpart status -sg" instead.
We assume that any 'efi' partition that can't be mounted as msdosfs should
be used as an ESP. However, the ESP on the CD/DVD can't be mounted read-write
and so was being treated as if unformatted. Try the mount as read-only
instead, to catch cases like this.
Relnotes: yes
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D18645
Currently, the installer uses pre-created 800KB FAT12 filesystems that
it dd's onto the ESP partition.
This changeset improves that by having the installer generate a FAT32
filesystem directly onto the ESP using newfs_msdos and then copying
loader.efi into /EFI/freebsd.
For live installs it then runs efibootmgr to add a FreeBSD boot entry
in the BIOS.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D17947
the snapshots directory, not releases.
Reported by: David Marec david.marec _at_ davenulle _dot_ org
Approved by: re (rgrimes)
Sponsored by: The FreeBSD Foundation
Reported by: Jose Luis Duran
Reviewed by: bcr
Approved by: re (gjb), krion (mentor, implicit), mat (mentor, implicit)
Differential Revision: https://reviews.freebsd.org/D17409
- Extend the bsdinstall(8) man page with ZFS installation scripting
details. [1]
- Extend the bsdinstall(8) man page with the description of all the ZFS
variables involved in a scripted installation of ZFS-based systems. [1]
- Extend the SCRIPTING section with an example for a ZFS-based scripted
installation. [1]
- Create a new section explaining how ZFS datasets must be written into
a variable to get them set on the final system. [1]
While here:
- Add Roberto to the copyrights for recognition as changes to the manual
page are huge.
- Use "Dq" for default values.
- Use sysrc(8) instead of echo in examples.
Submitted by: Roberto Fernandez Cueto <roberfern@gmail.com> [1]
Reviewed by: dteske
Approved by: re (gjb), krion (mentor, implicit), mat (mentor, implicit)
Differential Revision: https://reviews.freebsd.org/D14169
After r336252 it is no longer necessary to have a separate bootpool when
booting from an encrypted disk with UEFI.
This change also switches the EFI System Partition contents from
the 800 KB boot1.efifat to a new 200 MB filesystem created with newfs_msdos
and uses loader.efi directly, instead of boot1.efi.
PR: 228916
Reviewed by: dteske
MFC after: 1 month
Relnotes: yes
Sponsored by: Klara Systems
Differential Revision: https://reviews.freebsd.org/D12315
Some mpc85xx devices with u-boot need MBR partitioning with a FAT boot
partition. Since the infrastructure is already in place to have a dedicated
boot partition, this adds the necessary bits to use that infrastructure with
mpc85xx boards.
Reviewed By: nwhitehorn
Differential Revision: https://reviews.freebsd.org/D15664
Summary:
The kernel reads 'kernelname' to set the kern.bootfile sysctl. By setting this,
'make installkernel' will backup the running kernel as appropriate.
Reviewed by: nwhitehorn
Differential Revision: https://reviews.freebsd.org/D15660
SUJ + cg checksums produce spurious warnings after an unclean shutdown
(e.g. a crash). For now disable SUJ for UFS installs so installing from
a FreeBSD 12 snapshot results in a usable filesystem, until this can be
fixed.
PR: 225110
Submitted by: Arshan Khanifar <arshankhanifar gmail.com>
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D13890
foundation for invoking efibootmgr as part of new-style EFI booting on
x86. On PS3 and PowerNV, which are booted using Linux kexec from petitboot
rather than by loader(8), install the kernel and the rest of /boot to a
FAT partition and set up the appropriate petitboot configuration file
there.
The new bootconfig installer stage can do platform-dependent modifications
more complex than partition layout and installation of boot blocks and can
be used to (as here) set up some special configuration files, run efibootmgr,
or boot0cfg.
MFC after: 1 month
one of the directories in the filesystem hierarchy is a FAT mountpoint,
settings its times will fail, which would cause installation to abort.
Instead, make this a best-effort thing.
Handling this error is a hack and a better internal scheme for handling
this should be added to libarchive.
Some users, especially those that are new, might be confused when passwd
does not echo anything. Inform users that the password will not be
visible.
PR: 196113
Submitted by: Byron Grobe <grobe0ba@gmail.com>
the installer but not mounted (i.e. with boot1.efifat dd'ed to them
rather than the forthcoming proper filesystem) would get newfs_msdos run
on them immediately after the boot code was copied. This would overwrite
the bootstrap code, causing the EFI system partition to be blanked and
resulting in an unbootable system.
PR: 224562
layer, for example, to specify that the EFI boot partition should be
mounted at /efi and formatted normally with newfs_msdos rather than
splatted to from /boot/boot1.efifat.
This commit adds only the API for this; actual platform use will come later.
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.
The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
No functional change intended.
When you install a computer for the first time, the date in the CMOS sometimes
not accurate and you need to ntpdate as ntpd will fail a the time difference
is too big.
Add an option in bsdinstall to enable ntpdate that will do that for us.
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D13149
r309934 cleaned up some cases in bsdinstall to use heredocs but broke
the indentation of the generated output, because <<- heredocs strip
leading tabs.
PR: 221982
Reviewed by: allanjude, dteske
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D13190
Enabling the PID randomization option in bsdinstall(8)'s hardening menu
now randomizes the effective value of kern.randompid on each boot.
Previous behaviour:
When kern.randompid was enabled via the the bsdinstall(8) hardening menu,
a random value was generated and placed in the systems /etc/sysctl.conf as
kern.randompid=value
This makes the value of kern.randompid static across reboots.
New behaviour:
When kern.randompid is enabled via the bsdinstall(8) hardening menu, the
line kern.randompid=1 is placed in the systems /etc/sysctl.conf.
This takes advantage of a new kernel feature and makes the value of
kern.randompid be randomized by the kernel on each reboot.
Submitted by: Marie Helene Kvello-Aune <marieheleneka@gmail.com>
Reviewed by: des
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D12433
warning about a filesystem which doesn't have a mountpoint. Presumably, the
person who wrote the install script knew what they were doing.
Submitted by: Brian Mueller <bmueller@panasas.com>
MFC after: 1 month
Sponsored by: Panasas
Differential Revision: https://reviews.freebsd.org/D12346
This was originally added as "exit $SUCCESS" but with nothing to set the
SUCCESS variable. Thus it became an exit with no argument, which just
exits with the status of the preceding command.
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Previously we added an ifconfig_$INTERFACE line to rc.conf for each
unsuccessful DCHP attempt.
PR: 219515
Reviewed by: allanjude
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11967
Since kib's change the stack guard is now ON by default,
this option in hardening menu of bsdinstall is no longer needed.
Submitted by: Bartlomiej Rutkowski <robak@FreeBSD.org>
Reviewed by: bapt
Approved by: bapt
MFC after: 1 day
Sponsored by: Pixeware LTD
Differential Revision: https://reviews.freebsd.org/D11686
The usual case of a mismatched checksum for installer snapshots
(e.g., -CURRENT, -ALPHA*) is that a newer snapshot has been built and
the old install sets have been replaced. Provide a specific error
message for checksum mismatches there that suggests looking for a newer
snapshot.
Submitted by: Guangyuan Yang <yzgyyang@outlook.com>
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11641
This patch adds new bsdinstall option to hardening section that allows users
to change this behaviour to secure one and updates stack guard option so it
would set the value of relevant sysctl to 512 (2MB)
Submitted by: Bartek Rutkowski
Reviewed by: adrian, bapt, emaste
Approved by: bapt, emaste
MFC after: 1 day
Sponsored by: Pixeware LTD
Differential Revision: https://reviews.freebsd.org/D9700
vfs.zfs.min_auto_ashift is a sysctl only not a tunable so updated bsdinstall
to use the correct location /etc/sysctl.conf instead of /boot/loader.conf
Reported by: Aaron Caza
Reviewed by: allanjude
MFC after: 2 days
Sponsored by: Multiplay
Differential Revision: https://reviews.freebsd.org/D11278
- increase arm64 EFI partition to 200M, as x86
- use EFI_BOOTPART_SIZE and EFI_BOOTPART_PATH macros on x86
- increase ZFS EFI partition to 200M
PR: 201898
Reviewed by: allanjude, manu
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11239
- Start new sentences on new lines.
- Separate e.g. (more of an igor thing) with commas, and rewrite some examples
not to be enclosed in parentheses.
Reported by: igor, make manlint
MFC after: 2 weeks
Sponsored by: Dell EMC Isilon
It requires a tty, which might not be available in scripted installs. Instead
extract the sets manually using tar.
Reviewed by: tsoome
Sponsored by: Citrix Systems R&D
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D10736
Because the datasets are already mounted by zfsboot, and the mount script
doesn't know anything about ZFS. Also do not execute the "umount" script for
ZFS for the same reasons.
Reviewed by: dteske, tsoome
Sponsored by: Citrix Systems R&D
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D10738
Use a snprintf to write an environment variable to a fixed-size buffer to
avoid stack overflow.
Reported by: Coverity (CWE-120)
CID: 1238926
Sponsored by: Dell EMC Isilon
As discussed previously, in order to introduce new OS hardening
defaults, we've added them to bsdinstall in 'off by default' mode.
It has been there for a while, so the next step is to change them
to 'on by defaul' mode, so that in future we could simply enable
them in base OS.
Reviewed by: brd
Approved by: adrian
Differential Revision: https://reviews.freebsd.org/D9641
* DISTDIR_IS_UNIONFS is set every time BSDINSTALL_DISTDIR is mounted inside
BSDINSTALL_CHROOT. Use this flag to decide if it needs to be umounted
* BSDINSTALL_CHROOT/dev is mounted when 'bsdinstall mount' is called, there is
no need to mount it again when user goes to shell after installation
Reviewed by: allanjude
Obtained from: pfSense
MFC after: 1 week
Sponsored by: Rubicon Communications (Netgate)
Differential Revision: https://reviews.freebsd.org/D8573
process the range of country labels which appear as columnar list from the
"ifconfig DEV list countries" command. Not only improving maintainability,
but also properly encapsulating arguments in single-quotes instead of
trying to escape whitespace. It is also completely unnecessary to collapse
newlines into whitespace (shell will do this for you automatically upon
expansion of the contents where necessary).
NB: This also changes the sorting algorithm to sort on the country code,
not the country name. The type-ahead feature of dialog is destroyed if the
tags are not sorted properly.
Without quotes, $@ loses its special meanining (see below)
% sh -c 'echo $@' /bin/sh " 1 " " 2 "
1 2
% sh -c 'echo "$@"' /bin/sh " 1 " " 2 "
1 2
The quotes are required to get ARGV to be unperterped