Commit Graph

663 Commits

Author SHA1 Message Date
trasz
52a50ff1d3 Improve loader passwords:
1. Be clear about which password is being requested
2. Remove extraneous whitespace between the prompt and the cursor
3. Move the twiddle to where the prompt is, instead of two characters to the right
4. Fix erasing the 'incorrect password' message when retrying; previously it was erased partially
5. Remove the unneeded exclamation mark

Reviewed by:	kevans
Approved by:	re (gjb)
MFC after:	2 weeks
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D17236
2018-09-22 13:14:44 +00:00
tsoome
d4d38833ee libsa: validate tftp_makereq() after we did reset the read
The name check referred in the comment is not the only possible error source,
we need to validate the result.

Reviewed by:	allanjude
Approved by:	re (kib)
Differential Revision:	https://reviews.freebsd.org/D17081
2018-09-09 06:30:15 +00:00
tsoome
e5ee207835 libsa: memory leak in tftp_open()
tftpfile is allocated just above and needs to be freed.

Reviewed by:	imp
Approved by:	re (kib)
Differential Revision:	https://reviews.freebsd.org/D17058
2018-09-08 19:17:22 +00:00
imp
0b498692b3 Be a little conservative about when to force size optimizations.
Reports have come in that there's issue with powerpc and sparc64 since
we've switched to using -Oz / -Os. We don't strictly need them for
!x86, so be conservative about when we enable them.

Approved by: re@ (gjb)
Differential Revision: https://reviews.freebsd.org/D17016
2018-09-05 20:02:23 +00:00
br
2f2449cc1c Enable 'C'-compressed ISA extension.
This was disabled recently due to lack of support in KDB disassembler
and DTrace FBT provider. Support for 'C'-extension to both of these was
added, so we can now enable 'C'-extension.

This reduces size of the kernel important for low-end embedded devices,
and saves cache footprint for high perfomance machines.

Approved by:	re (kib)
Sponsored by:	DARPA, AFRL
2018-09-03 14:43:16 +00:00
rwatson
545428e18d The kernel DTrace audit provider (dtaudit) relies on auditd(8) to load
/etc/security/audit_event to provide a list of audit event-number <->
name mappings.  However, this occurs too late for anonymous tracing.
With this change, adding 'audit_event_load="YES"' to /boot/loader.conf
will cause the boot loader to preload the file, and then the kernel
audit code will parse it to register an initial set of audit event-number
<-> name mappings.  Those mappings can later be updated by auditd(8) if
the configuration file changes.

Reviewed by:	gnn, asomers, markj, allanjude
Discussed with:	jhb
Approved by:	re (kib)
MFC after:	1 week
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D16589
2018-09-03 14:26:43 +00:00
kevans
ee0548d281 lualoader: Handle comma-separated kernels as well
The format for kernels is documented as being space-delimited, but
forthloader was more lenient on this and so people began to depend on it.

A later pass will be made to document all of the fun features that forthloader
allowed that may not be immediately obvious.

Reported by:	mmacy
Approved by:	re (kib)
2018-09-03 03:23:09 +00:00
kevans
4027631224 userboot: handle guest interpreter mismatches more intelligently
The switch to lualoader creates a problem with userboot: the host is
inclined to build userboot with Lua, but the host userboot's interpreter
must match what's available on the guest. For almost all FreeBSD guests in
the wild, Lua is not yet available and a Lua-based userboot will fail.

This revision updates userboot protocol to version 5, which adds a
swap_interpreter callback to request a different interpreter, and tries to
determine the proper interpreter to be used based on how the guest
/boot/loader is compiled. This is still a bit of a guess, but it's likely
the best possible guess we can make in order to get it right. The
interpreter is now embedded in the resulting executable, so we can open
/boot/loader on the guest and hunt that down to derive the interpreter it
was built with.

Using -l with bhyveload will not allow an intepreter swap, even if the
loader specified happens to be a userboot with the wrong interpreter. We'll
simply complain about the mismatch and bail out.

For legacy guests without the interpreter marker, we assume they're 4th.
For new guests with the interpreter marker, we'll read it and swap over
to the proper interpreter if it doesn't match what the userboot we're using
was compiled with.

Both flavors of userboot are installed by default, userboot_4th.so and
userboot_lua.so. This fixes the build WITHOUT_FORTH as a coincidence, which
was broken by userboot being forced to 4th.

Reviewed by:	imp, jhb, araujo (earlier version)
Approved by:	re (gjb)
Differential Revision:	https://reviews.freebsd.org/D16945
2018-09-01 02:23:45 +00:00
kevans
3681342e34 lualoader: Print error messages from command failures at the prompt
Previously lualoader would remain silent, rather than printing
command_errmsg or noting that a command had failed or was not found.

Approved by:	re (gjb)
2018-08-31 15:02:53 +00:00
kevans
660af80636 lualoader: fix color usage
Resetting to the default color scheme was done prior to reading the config.
This is bogus; colors may only be declined by the user with the
loader.conf(5) variable "loader_color", so such a request for no color will
not be completely honored as we reset to the default color scheme
unconditionally.

Approved by:	re (rgrimes)
2018-08-30 13:29:32 +00:00
markj
b52c775fe2 Document the cpu_microcode_* tunables.
Reviewed by:	bcr (previous version), kib
Approved by:	re (gjb)
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D16923
2018-08-28 17:14:46 +00:00
andrew
abf44e17e8 Ensure we have a large enough stack for the lua loader
Lua has a few places where it allocates a large buffer on the stack. This
is normally fine, except there are a few places where there can be multiple
frames with this buffer. This can cause a stack overflow on some arm64 SoCs.

Fix this by allocating our own stack in loader.efi large enough for these
objects. The required size has been found by tracing how the stack pointer
changes in a virtual machine and found to be no larger than 50kB. A
larger stack is allocated to reduce the likelihood of overflow from future
changes.

Reviewed by:	kevans
Approved by:	re (kib)
Differential Revision:	https://reviews.freebsd.org/D16886
2018-08-27 11:14:49 +00:00
kevans
a0b1360ff4 lualoader: Fix override of module_path on loader prompt
Earlier changes setup a config.module_path variable that was populated upon
reading of loader.conf(5) and used for restoring module_path to pristine
condition if multiple kernels are attempted. This broke the ability to
override module_path at the loader prompt in case of emergency.

Approved by:	re (rgrimes)
2018-08-25 04:28:02 +00:00
kevans
f724405d78 stand: fdt: Drop some write-only assignments/variables and leaked bits
Generally straightforward enough; a copy of argv[1] was being made in
command_fdt_internal, solely used for a comparison within the
handler-search, then promptly leaked.

Reported by:	ports gcc and clang's static analyzer
2018-08-23 18:01:34 +00:00
kevans
4f1ff0bd70 lualoader: Accept that people use unquoted values in loader.conf
While loader.conf(5) suggests that all values should be quoted, reality is
that this was never strictly enforced and it is used. We already make some
concession to this in number values, which aren't strictly quoted either.

The compromise here is that multi-word values must be quoted. This lets
things like `foo_load=YES` work, while denying more complex expressions on
the right hand side. This likely catches the vast majority of current usage.

A bit of a kludge is needed to accomplish this since Lua regex doesn't
support branching. I had considered splitting up expressions and generating
the right-hand side of the expressions completely in config.parse, but
deemed this too large of an overhaul to take given the current timing. This
should be re-worked shortly after the thaw.

Reported by:	royger
2018-08-23 17:27:02 +00:00
kevans
5a7b66a89e lualoader: Fix (add) Xen support
lualoader was not respecting the 'xen_kernel' environment variable, which
hints to the interpreter that it should load a Xen kernel prior to loading
any other kernel that might be specified. If a Xen kernel is specified and
we fail to load it, we should not proceed to boot.

Reported by:	royger
Tested by:	royger
2018-08-23 16:26:03 +00:00
kevans
7da48f51ef efiloader: Setup FDT in autoload to fix overlays clobbering kenv
manu found in the noted PR that overlays seemed to be clobbering the kenv
and killing the boot. Further inspection revealed that one can `fdt ls` at
the loader prompt for a successful boot, but autoboot breaks it.

In the autoboot case, first setup of FDT is happening in the middle of
bi_load, which triggers loading of the DTBO from /boot.

This is bad, bad, bad. Files in the loader are loaded somewhere in the
middle of the address space one after another. bi_load starts building the
needed kernel bootinfo immediately after the highest-addr loaded file. File
loads in the middle of bi_load suddenly clobber bootinfo and everything goes
off the rails.

The solution to this is to use take advantage of arch_autoload to setup FDT
in efiloader compiled with LOADER_FDT_SUPPORT. This matches how it works in
ubldr land, and is how it should have worked when overlay support was added
to efiloader since fdt_setup_fdtp now has the potential to load files
(courtesy of fdt_platform_load_dtb).

PR:		230804
Discussed with:	imp
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D16858
2018-08-23 13:38:38 +00:00
kevans
fea99832f5 fdt_fixups: relocate the /chosen node after applying fixups
As indicated by the comment, any fixups applied (which might include
overlays) can invalidate the previously located node by adding nodes or
setting/adding properties. The later fdt_setprop of fixup-applied property
would then fail because of the bad/wrong node offset.

This would have generally been harmless, but potentially caused multiple
applications of fixups and caused a little bit of bloat.

MFC after:	1 week
2018-08-23 01:22:13 +00:00
lidl
6a4dac1ebf Increase the size of the heap size available on sparc64 during
operation of "loader".  The dramatic increase in size of
SPA_MAXBLOCKSIZE in r304321 causes the heap space to be exhausted,
so malloc() fails, ultimately leading to a memcpy() with a
destination of 0x0.

MFC after:	3 days
2018-08-22 14:33:57 +00:00
tsoome
270d043936 loader: bios loader should allow to chain load a file
The current chain command does accept only device, allow also a file to be used,
such as /boot/pmbr or /boot/mbr (or stored third party MBR/VBR block).

Also fix file descriptor leak.
2018-08-22 10:04:42 +00:00
kevans
42ea4d4b08 lualoader: Fix loader.conf(5) EOL validation for 'exec' lines
This includes some light rework to simplify the line parsing, as well.  If
we hit a line match, we'll always either use the line and move on to the
next line, or we'll spew out malformed line errors.

We had multiple spots to output the error and set the status based on
whether we had a non-nil first capture group or failed EOL validation, but
it was always the same error.  Light rework entails a small label jump to
skip error handling and elimination of 'found' local.
2018-08-22 01:52:55 +00:00
kevans
df8ad87d80 lualoader: Refactor config line expressions
A couple of issues addressed:

1.) Modules with - in the name were not recognized as modules
2.) The module regex was repeated for each place a module name may appear
3.) The 'strip leading space' bits were repeated for each expression
4.) The trailing 'comment validation' stuff was repeated every expression

#4 still has some more work to be done. exec lines, for instance, don't
capture a 'value' -- there's only one capture pattern. This throws off the
'c' value that we match, so the trailing bits aren't *actually* being
validated. This isn't a new issue, though, so a future comit will address
this.
2018-08-21 23:42:20 +00:00
kevans
0667178ab4 lualoader: Just compare expression directly 2018-08-21 23:34:30 +00:00
imp
c20d29cee4 Serial console menus for lua.
Remove a bunch of special cases for UEFI and serial consoles.  We do
want to do curses and menu things here. This makes us match what we do
in FORTH, with the possible exception of boxes around menus.

Differential Revision:  https://reviews.freebsd.org/D16816
2018-08-20 16:44:09 +00:00
kevans
084927a67a lualoader: Install all manpages
Now that a complete set is written, save for one describing loader.lua,
install all of them. This was not previously done as they were written to
hopefully avoid confusion as bits and pieces of the overall system were
undocumented.
2018-08-20 02:40:10 +00:00
kevans
53681c14ad Add color.lua(8), password.lua(8), and screen.lua(8) 2018-08-20 02:37:24 +00:00
kevans
b52c6d749e Add drawer.lua(8) 2018-08-20 02:08:39 +00:00
kevans
de3fd6a503 lualoader: Add drawer-exported variables for default logodefs
Uncovered while writing the documentation from this, we previously
explicitly fell back to orb or orbbw if an invalid or incompatible logodef
was selected -- in contrast to branddefs, which have an exported variable
that one can whip up a quick local.lua to override in a safe manner that
works regardless of whether or not loader.conf(5) successfully loads.
2018-08-19 18:43:10 +00:00
kevans
95d2dce911 lualoader: Hide the rest of the private interfaces
These are less controversial than the others, thus done in a separate
commit. These are all used internally and ways to override are provided via
soon-to-be-documented API or loader.conf(5) variables.
2018-08-19 18:37:33 +00:00
kevans
6281b5762f lualoader: Hide most of the internal drawing functions
Ideally, all of the functionality to revamp the loader screen has associated
APIs that are flexible enough that third-party scripts wouldn't need to
override these.
2018-08-19 18:22:01 +00:00
imp
4a0a4907ec Turn back the clock just a little: make userboot.so always be 4th
Turns out there was a hidden dependency we hasn't counted upon.  The
host load /boot/userboot.so to boot the VMs it runs. This means that
the change to lua meant suddently that nobody could run their older
VMs because LUA wasn't in 10.0, last month's HardenedBSD, 11.2 or
whatever.  Even more than for the /boot/loader* binaries, we need a
good coexistance strategy for this. While that's being designed and
implemented, drop back to always 4th for userboot.so. This will fail
safe in all but the most extreme environments (but lua-only hacks
to .lua files won't be processes in VMs until we fix it).

Differential Review: https://reviews.freebsd.org/D16805
2018-08-19 18:18:19 +00:00
kevans
52441319cb lualoader: Stop exporting drawer.draw
drawer.draw is the back-end for drawlogo and drawbrand and should not be
used directly.
2018-08-19 18:12:11 +00:00
kevans
580c98caaf Add config.lua(8) to the tree
Reviewed by:	0mp, rpokala (earlier version)
Differential Revision:	https://reviews.freebsd.org/D14819
2018-08-19 15:07:39 +00:00
kevans
c1005d8399 libsa: Add lshrdi3.c for powerpc* and mips 2018-08-19 14:48:32 +00:00
kevans
1842b58bae stand: Flip the default interpreter to Lua
After years in the making, lualoader is ready to make its debut. Both
flavors of loader are still built by default, and may be installed as
/boot/loader or /boot/loader.efi as appropriate either by manually creating
hard links or using LOADER_DEFAULT_INTERP as documented in build(7).

Discussed with:	imp
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D16795
2018-08-19 14:26:33 +00:00
jhb
46b97c17ea Fix casts between 64-bit physical addresses and pointers in EFI.
Compiling FreeBSD/i386 with modern GCC triggers warnings for various
places that convert 64-bit EFI_ADDRs to pointers and vice versa.
- Cast pointers to uintptr_t rather than to uint64_t when assigning
  to a 64-bit integer.
- Cast 64-bit integers to uintptr_t before a cast to a pointer.

Reviewed by:	kevans
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D16586
2018-08-18 20:28:25 +00:00
imp
7f0382cf78 Add ashldi3 and ashrdi3 to mips.
Now that we're using -Os, mips needs these routines.
2018-08-16 19:39:02 +00:00
imp
a20a4ca0b5 Install links for loader.efi.
Submitted by: ben wilber
2018-08-16 16:30:23 +00:00
tsoome
85ea1cca59 libi386: bd_io_workaround() is to be called for reads only
bd_io() can perform either reads or writes, we only need bd_io_workaround()
for reads.
2018-08-16 07:13:36 +00:00
tsoome
5f733d0b6a libi386: small style updates in biosdisk
Use break instead of return in for loop, as done earlier. Insert and remove
some blank lines. No functional changes intended.
2018-08-16 06:50:53 +00:00
tsoome
ecf384bbd6 libi386: use BD_RD and BR_WR constants
Use BD_RD and BD_WR instead of 0 and 1.

Reported by:	ian
2018-08-15 22:40:09 +00:00
tsoome
c4cf1c885f libi386: remove bd_read() and bd_write() wrappers
Those wroappers are nice, but do not really add much value.
2018-08-15 22:25:05 +00:00
tsoome
e1a53119d9 libsa: zfs_probe() needs to set spa to NULL
Silence the warning about possibly uninitialized use of spa.
2018-08-15 21:38:06 +00:00
tsoome
56f6287638 libi386: remove BD_SUPPORT_FRAGS
BD_SUPPORT_FRAGS is preprocessor knob to allow partial reads in bioscd/biosdisk
level. However, we already have support for partial reads in bcache, and there
is no need to have duplication via preprocessor controls.

Note that bioscd/biosdisk interface is assumed to perform IO in 512B blocks,
so the only translation we have to do is 512 <-> native block size.

Differential Revision:	https://reviews.freebsd.org/D16600
2018-08-15 21:21:16 +00:00
kevans
9d1c06e31e pkgfs_init: Initialize pkg
new_package may not set *pp if it errors out, leaving pkg uninitialized.

Reported by:	GCC
2018-08-15 21:13:10 +00:00
imp
a8e5869402 stand: Use -Oz/-Os for all loader/stand builds.
While we're not super size constrained, the x86 BIOS /boot/loader has
to be less than about 520k-530k to be reliable. The LUA loader is at
this size today. -Oz saves 15-20% on the size, keeping us safely small
enough (comparable to where we were with the 4th loader). This will
also help with sjg's work on bringing in bearssl, though we may again
be looking for space in the LUA loader.

Size table for clang 6.0.0:
	default		-O1		-Os		-Oz
4th	442368		417792		389120		376832
lua	524288		479232		446464		430080

Tested by: kevans91@ (ubldr on armv7), dhw@ (loader on amdy64)
Differential Revision: https://reviews.freebsd.org/D16724
2018-08-15 20:31:11 +00:00
trasz
3b18d1be16 Improve formatting.
MFC after:	2 weeks
Sponsored by:	DARPA, AFRL
2018-08-15 11:39:13 +00:00
trasz
dc5962723e Add SECURITY section to loader(8).
Reviewed by:	bcr, jilles, imp (earlier version)
MFC after:	2 weeks
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D16700
2018-08-15 08:45:05 +00:00
kevans
48babfba2e MFV r337586: lua: Update to 5.3.5
Bugfix release, nothing too major.

Tested with:	lualoader via userboot, lualoader live
Differential Revision:	https://reviews.freebsd.org/D16665
2018-08-14 18:58:01 +00:00
imp
0c28afb46f For our INT64 implementation, we can compare integers and numbers
directly because they are the same thing.

Reviewed by: kevans@
2018-08-14 18:45:25 +00:00