This is a WIP tool I'm using to figure out why ANI is weirdly busted in my
home FreeBSD AP/STA setup. Although athstats (mostly) gets the ANI statistics
correct, ANI is making the radio deaf it doesn't recover without being disabled.
It's very WIP.
Tested:
* Carambola 2, (AR9331), AP/STA mode.
UEFI related headers were copied from edk2.
A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow
loading of trusted anchors from UEFI.
Certificate revocation support is also introduced.
The forbidden certificates are loaded from dbx variable.
Verification fails in two cases:
There is a direct match between cert in dbx and the one in the chain.
The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx.
In this case verifications fails only if a direct match with a
certificate in chain is found.
Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19093
The send_packets() function was using ring->cur as index to scan
the transmit ring. This function may also set ring->cur ahead of
ring->head, in case no more slots are available. However, the function
also uses nm_ring_space() which looks at ring->head to check how many
slots are available. If ring->head and ring->cur are different, this
results in pkt-gen advancing ring->cur beyond ring->tail.
This patch fixes send_packets() (and similar source locations) to
use ring->head as a index, rather than using ring->cur.
MFC after: 1 week
It is protected by MK_NLS. If it should really be optional then
it needs to be documented as such in share/mk/bsd.README and
.sinclude used where needed.
This fixes a regression from r335011.
PR: 232527
Submitted by: jarrod@downtools.com.au
Reported by: ktullavik@gmail.com
MFC after: 3 days
These libraries don't compile on non-C++-11 capable compilers, e.g., g++ 4.2.1
and its corresponding implementation of the c++ library, i.e., libstdc++.
Blacklist compilation on all non-C++-11 capable compilers and give others the
option of opting out of building/installing gmock/gtest via MK_GOOGLETEST.
This option is controlled by MK_CXX and MK_TESTS, as ATF compilation is.
- Drop profile libraries; MK_PROFILE=no is set in all Makefile's.
- Correct library path to libmlx5.so.1 and libibverbs.so.1
MFC after: 5 days
MFC with: 344207
- Add missing /usr/sbin/pmc, pmcformat.h, libpmcstat.h and pmc.haswellxeon.3
to the list.
- Correct man page section for pmcstudy.8.
- Include recently added libipt and libopencsd for corresponding TARGET_ARCH
MFC after: 5 days
OptionalObsoleteFiles.inc
Note: only files with conditional installation logic were
included from the PR.
PR: 233046
Submitted by: <rozhuk.im@gmail.com>
MFC after: 5 days
Building binaries as PIE allows the executable itself to be loaded at a
random address when ASLR is enabled (not just its shared libraries).
With this change PIE objects have a .pieo extension and INTERNALLIB
libraries libXXX_pie.a.
MK_PIE is disabled for some kerberos5 tools, Clang, and Subversion, as
they explicitly reference .a libraries in their Makefiles. These can
be addressed on an individual basis later. MK_PIE is also disabled for
rtld-elf because it is already position-independent using bespoke
Makefile rules.
Currently only dynamically linked binaries will be built as PIE.
Discussed with: dim
Reviewed by: kib
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D18423
This commit essentially has three parts:
* Add the AES-CCM encryption hooks. This is in and of itself fairly small,
as there is only a small difference between CCM and the other ICM-based
algorithms.
* Hook the code into the OpenCrypto framework. This is the bulk of the
changes, as the algorithm type has to be checked for, and the differences
between it and GCM dealt with.
* Update the cryptocheck tool to be aware of it. This is invaluable for
confirming that the code works.
This is a software-only implementation, meaning that the performance is very
low.
Sponsored by: iXsystems Inc.
Differential Revision: https://reviews.freebsd.org/D19090
It's installed to /usr/sbin, not to /usr/bin (and was always here).
While here, add missing manpages and /var/yp directory to the list.
MFC after: 1 week
tinybsd offers two choices when prompting user for MFSROOT: 'YES'
and 'NO'. Script logic only handles 'yes'. Change offered values
to lower case.
PR: 131059
Submitted by: Brock Williams <brock@cotcomsol.com>
MFC after: 1 week
Add all the files under /usr/share/examples to the MK_EXAMPLES
section. OLD_DIRS entries are not removed if they're not empty so
prior to this change WITHOUT_EXAMPLES didn't have significant effect
on the updated system.
PR: 228484
Submitted by: Dmitry Wagin <dmitry.wagin@ya.ru> (original patch)
MFC after: 1 week
Add two more entries for WITHOUT_SENDMAIL install. The /var/spool/clientmqueue
entry would be deleted only if there are no files/dirs in it, so the
content generated during previous lifecycle of the system is safe
PR: 228484
Submitted by: Dmitry Wagin <dmitry.wagin@ya.ru>
MFC after: 1 week
Add asn1_compile, make-roken, kcc, and slc to the OptionalObsoleteFiles.inc
so they would be removed during delete-old stage if the new world is built
without Kerberos support.
PR: 230725
Submitted by: Dmitry Wagin <dmitry.wagin@ya.ru>
MFC after: 1 week
devices like mice, keyboards, bt-audio, ...
This script currently allows scanning for nearby devices, adds one to
/etc/bluetooth/hosts, adds an entry to hcsecd's conf and if it is a HID, add an
entry to bthidd's configs, as well.
Submitted by: erdgeist <erdgeist@erdgeist.org>
Approved by: bapt
MFC after: 2 weeks
Differential Revision: D3778
Reviewers: bapt, emax
usr/share/dict/eign is removed unconditionally as of r319664, so it no
longer needs to be in OptionalObsoleteFiles.
PR: 230353
Reported by: philippe.michel7 sfr.fr
This is primarily aimed at failed updates due to package conflicts, and
affects treatment of failed updates. Whereas before potentially a large
number of packages would need to be synced for each attempt, they can now
be persisted. Requires rsync. There may be better ways to implement this,
e.g. using secondary cache path that is only used on followup attempts and
then wiped on success, which avoids polluting current cache.
Small modifications to the nmreplay man page.
Used igor and mandoc tools to fix warnings and errors.
Reviewed by: bcr
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D18629
Changelist:
- General reformatting
- Fix packet duplication in cons(). Whenever cons() reached the
burst limit it would send all pending packets without advancing
head. This caused the last injected packet to be sent again in
the next round.
- Fix full-speed transmissions after first loop.
MFC after: 3 days
Currently, the installer uses pre-created 800KB FAT12 filesystems that
it dd's onto the ESP partition.
This changeset improves that by having the installer generate a FAT32
filesystem directly onto the ESP using newfs_msdos and then copying
loader.efi into /EFI/freebsd.
For live installs it then runs efibootmgr to add a FreeBSD boot entry
in the BIOS.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D17947
MK_AUDIT already controls auditd(8), praudit(1), etc. It should also control
the audit test suite.
Submitted by: ngie
MFC after: 2 weeks
Pull Request: https://github.com/freebsd/freebsd/pull/240
/usr/sbin/audit(dist)?d are only installed if ${MK_AUDIT} == yes. Their
supporting scripts should only be installed in those instances as well.
Submitted by: ngie
Reviewed by: emaste
MFC after: 2 weeks
Pull Request: https://github.com/freebsd/freebsd/pull/242
The removal (and creation of a port) has been pre-announced in UPDATING
1 month ago. Packages are available for all supported FreeBSD vesions.
I did not think that another entry in UPDATING is required to note the
actual removal.
No MFC is planned - CTM shall be kept in base for all releases up to 12.x.
Reviewed by: rgrimes
Approved by: imp, bcr (manpages)
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D17935
Validate the value of the -l argument (packet length) against the MTU of the netmap port.
In case the netmap port does not refer to a physical interface (e.g. VALE port or pipe), then
the netmap buffer size is used as MTU.
This change also sets a better default value for the -M option, so that pkt-gen uses
the largest possible fragments in case of multi-slot packets.
Differential Revision: https://reviews.freebsd.org/D18436
GNU binutils ld.bfd 2.17.50 does not support ifuncs and produces broken
binaries when ifuncs are in use. When LLD_IS_LD is default we have an
ifunc-capable system linker and can just avoid installing ld.bfd.
Reported by: theraven
Reviewed by: bz
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D18340
Some WITH_/WITHOUT_ defaults will likey change in the future (e.g. as we
migrate to copyfree base system components).
Add non-default descriptions for the benefit of WIP branches.
This should provide more complete coverage of currently defined Unicode
characters as compared to manually assembled one we use currently.
Comparison of original and new UTF-8 ctype maps by character class:
TYPE ORIG NEW
alnum 94229 126029
alpha 93557 125419
blank 4 2
cntrl 73 137685
digit 469 622
graph 109615 137203
lower 1478 2145
print 109641 137222
punct 3428 797
rune 110481 274907
space 33 24
upper 983 1781
xdigit 469 622
Large number of added cntrl definitions is due to the fact that private-use
planes are currently defined as such, this can change in the future.
Discussed with: bapt
Approved by: kib (mentor, implicit)
MFC after: 1 month
Differential revision: https://reviews.freebsd.org/D17842
document the libufs interface for fetching and storing inodes.
The undocumented getino / putino interface has been replaced
with a new getinode / putinode interface.
Convert the utilities that had been using the undocumented
interface to use the new documented interface.
No functional change (as for now the libufs library does not
do inode check-hashes).
Reviewed by: kib
Tested by: Peter Holm
Sponsored by: Netflix
Various improvements to the netmap pkt-gen program:
- indentation fixes
- support for IPV6
- fixes to checksum computation
- support for NS_MOREFRAG
- rate limiting in ping mode
Reviewed by: bcr, 0mp
Approved by: gnn (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D17698
llvm-profdata is used with llvm-cov for code coverage (although llvm-cov
can also operate independently in a gcov-compatible mode).
Although llvm-profdata can be used independently of llvm-cov it makes
sense to group these under one option.
Also handle these in OptionalObsoleteFiles.inc while here.
Sponsored by: The FreeBSD Foundation
llvm-cov provides a gcov-compatible interface when invoked as gcov.
Reviewed by: dim, markj
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17923
Add the lb program, which is able to load-balance input traffic
received from a netmap port over M groups, with N netmap pipes in
each group. Each received packet is forwarded to one of the pipes
chosen from each group (using an L3/L4 connection-consistent hash function).
This also adds a man page for lb and some cross-references in related
man pages.
Reviewed by: bcr, 0mp
Approved by: gnn (mentor)
Differential Revision: https://reviews.freebsd.org/D17735
- Simplify the source dir specification, and update README
appropriately
- Drop the LC (doonly) processing, it's broken, and even if fixed, not
really useful
- Don't remove the target directories while installing new data as it
removes Makefile.depend which we don't manage; only rm the files we
are going to add/replace/delete instead
- Restrict adding bsd.endian.mk to colldef and ctypedef Makefiles, it's
not needed in other (text-only) categories
- GC unused scripts; they don't seem to be particularly helpful standalone
as well
Reviewed by: bapt
Approved by: kib (mentor, implicit)
Differential Revision: https://reviews.freebsd.org/D17858
The linker's -z now flag sets the DF_BIND_NOW flag, which signals to the
runtime loader that all relocation processing should be performed at
process startup rather than on demand. In combination with lld's
default of enabling relro this causes the GOT to be made read-only when
the process starts, preventing straightforward GOT overwrite attacks.
Shawn Webb discovered a failure on HardenedBSD with BIND_NOW and ifunc
use, which resulted in my rtld fix in r340137. Add a BIND_NOW knob as
it is trivial to do so and is a useful ELF hardening feature. This
change is equivalent to HardenedBSD's but not identical as there are
other diffs/conflicts nearby.
Note that our ELF Tool Chain readelf does not currently decode the
DF_BIND_NOW flag - see PR232983.
Reviewed by: brooks
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17846
Inheriting $PATH during the build phase can cause the build to fail when
compiling on a different system due to missing build tools or incompatible
versions somewhere in $PATH. This has cause build failures for us before
due to the jenkins slaves still running FreeBSD 10.
Listing the tools we depend on explicitly instead of just using whatever
happens to be in $PATH allows us to check that we don't accidentally add a
new build dependency.
All tools that do no need to be bootstrapped will now be symlinked to
${WORLDTMP}/legacy/bin and during the build phase $PATH will only contain
${WORLDTMP}. There is also a new variable "BOOTSTRAP_ALL_TOOLS" which can
be set to force compiling almost all bootstrap tools instead of symlinking
them. This will not bootstrap tools such as cp,mv, etc. since they may be
used during the build and for those we should really only be using POSIX
compatible options.
Furthermore, this change is required in order to be able to build on
non-FreeBSD hosts. While the same binaries may exist on Linux/MacOS they
often accept different flags or produce incompatible output.
Approved By: brooks (mentor)
Differential Revision: https://reviews.freebsd.org/D16815
that it uses the same ctype maps and functions as other UTF-8 locales.
Reviewed by: bapt, cem, eadler
Approved by: kib (mentor, implicit)
Differential Revision: https://reviews.freebsd.org/D17833
You should not be using DES. You should not have been using DES for the
past 30 years.
The ed DES-CBC scheme lacked several desirable properties of a sealed
document system, even ignoring DES itself. In particular, it did not
provide the "integrity" cryptographic property (detection of tampering), and
it treated ASCII passwords as 64-bit keys (instead of using a KDF like
scrypt or PBKDF2).
Some general approaches ed(1) users might consider to replace the removed
DES mode:
1. Full disk encryption with something like AES-XTS. This is easy to
conceptualize, design, and implement, and it provides confidentiality for
data at rest. Like CBC, it lacks tampering protection. Examples include
GELI, LUKS, FileVault2.
2. Encrypted overlay ("stackable") filesystems (EncFS, PEFS?, CryptoFS,
others).
3. Native encryption at the filesystem layer. Ext4/F2FS, ZFS, APFS, and
NTFS all have some flavor of this.
4. Storing your files unencrypted. It's not like DES was doing you much
good.
If you have DES-CBC scrambled files produced by ed(1) prior to this change,
you may decrypt them with:
openssl des-cbc -d -iv 0 -K <key in hex> -in <inputfile> -out <plaintext>
Reviewed by: allanjude, bapt, emaste
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D17829
r235274 added a sort regression test (it operates by comparing output
against GNU sort). The commit included a number of 0-byte files, one
of which ends in a trailing . which reportedly breaks svn/git checkouts
on Windows.
It appears these were added accidentally, so just remove them.
PR: 232479
MFC after: 1 month
In the last decade(s) we have seen both short term or long term projects
committed to the tree which were considered or even marked "experimental".
While out-of-tree development has become easier than it used to be in
CVS times, there still is a need to have the code shipping with HEAD but
not enabled by default.
While people may think about VIMAGE as one of the recent larger, long term
projects, early protocol implementations (before they are standardised)
are others. (Free)BSD historically was one of the operating systems
which would have running code at early stages and help develop and
influence standardisation and the industry.
Give developers an opportunity to be more pro-active for early adoption
or running large scale code changes stumbling over each others but not
the user's feet. I have not added the option to NOTES in order to avoid
breaking supported option builds, which require constant compile testing.
Discussed with: people in the corridor
This driver was marked as gone in 12. We're at 13 now. Remove it.
Data from nycbug's dmesg cache shows only one potential user,
suggesting it never was used much. However, even though this device
has been obsolete for 15 years at least, sys/joystick.h is included in
a number of graphics packages still, so that remains. A full exprun
is needed before that can be removed.
RelNotes: yes
Differential Revision: https://reviews.freebsd.org/D17629
I held the mistaken belief this was completely unused. While the
driver is unused and likely not relevant for a long time,
sys/joystick.h lives on in maybe half a dozen ports, even though
hardware to use it hasn't been widely used in maybe 15 years.