Commit Graph

789 Commits

Author SHA1 Message Date
Warner Losh
3d384d51aa Start to reduce the number of #ifdef EFI_ZFS_BOOT
There's a number of EFI_ZFS_BOOT #ifdefs that aren't needed, or can be
eliminated with some trivial #defines. Remove the EFI_ZFS_BOOT ifdefs
that aren't needed. Replace libzfs.h include which is not safe to
include without EFI_ZFS_BOOT with efizfs.h which is and now
conditionally included libzfs.h. Define efizfs_set_preferred away
and define efi_zfs_probe to NULL when ZFS is compiled out.
2019-04-20 05:31:56 +00:00
Warner Losh
16b07b25c4 Add wrapper functions to convert strings to EFI_DEVICE_PATH
In anticipation of new functionality, create routines to convert char *
and a CHAR16 * to a EFI_DEVICE_PATH
	EFI_DEVICE_PATH *efi_name_to_devpath(const char *path);
	EFI_DEVICE_PATH *efi_name_to_devpath16(CHAR16 *path);
	void efi_devpath_free(EFI_DEVICE_PATH *dp);
The first two return an EFI_DEVICE_PATH for the passed in paths. The
third frees up the storage the first two return when the caller is
done with it.

Differential Revision: https://reviews.freebsd.org/D19971
2019-04-19 19:45:19 +00:00
Warner Losh
87818fbe99 Add UEFI definitions related to converting string to DEVICE_PATH
Add definitions from UEFI 2.7 Errata B standards doc for converting a
text string to a device path. Added clearly missing 'e' at the end of
Device to resolve mismatch in that document in
EFI_DEVICE_PATH_FROM_TEXT_PROTOCOL element names.

Differential Revision: https://reviews.freebsd.org/D19971
2019-04-19 19:45:15 +00:00
Warner Losh
40c9957cb7 Add define for CONST.
Newer interfaces take CONST parameters, so define CONST to minimize
differences between our headers and the standards docs.

Differential Revision: https://reviews.freebsd.org/D19971
2019-04-19 19:44:59 +00:00
Warner Losh
375cd3bbaa Minor tweak to the debug
Make it clear we're loading from UFS.
2019-04-18 15:19:19 +00:00
Warner Losh
a13881aff4 Add efi_delenv
Add an interface to remove / delete UEFI variables.
2019-04-18 05:40:50 +00:00
Warner Losh
883d342d38 Add a more generic efi_setenv function.
efi_setenv allows any UEFI variable to be set.
2019-04-18 05:37:18 +00:00
Kyle Evans
2a1e52f347 stand: refactor overlay loading a little bit
It was pointed out that manually loading a .dtb to be used rather than
relying on platform-specific method for loading .dtb will result in overlays
not being applied. This was true because overlay loading was hacked into
fdt_platform_load_dtb, rather than done in a way more independent from how
the .dtb is loaded.

Instead, push overlay loading (for now) out into an
fdt_platform_load_overlays. This method easily allows ubldr to pull in any
fdt_overlays specified in the ub env, and omits overlay-checking on
platforms where they're not tested and/or not desired (e.g. powerpc). If we
eventually stop caring about fdt_overlays from ubenv (if we ever cared),
this method should get chopped out in favor of just calling
fdt_load_dtb_overlays() directly.

Reported by:	Manuel Stühn (freebsdnewbie freenet de)
2019-04-11 13:26:28 +00:00
Toomas Soome
0dc2db13ec loader: command_lsefi: ret can be used uninitialized
MFC after:	1w
2019-04-07 14:07:28 +00:00
Toomas Soome
ed79202682 loader: add file_remove() function to undo file_insert_tail().
346002 did miss the fact that we do not only undo the loadaddr, but also
we need to remove the inserted module. Implement file_remove() to do the job.

MFC after:	1w
2019-04-07 13:36:17 +00:00
Toomas Soome
d7125bb1e2 loader: mod_loadkld() error: we previously assumed 'last_file' could be null
The last_file variable is used to reset the loadaddr variable back to original
value; however, it is possible the last_file is NULL, so we can not blindly
trust it. But then again, we can just save the original loadaddr and use
the saved value for recovery.

MFC after:	1w
2019-04-07 12:20:17 +00:00
Toomas Soome
d28c594669 loader: file_addmetadata() should check for memory allocation
malloc() can return NULL.

MFC after:	1w
2019-04-07 12:10:19 +00:00
Toomas Soome
1d28f39d20 loader: remove pointer checks before free() in module.c
free() does check for NULL argument, remove duplicate checks.

MFC after:	1w
2019-04-07 11:55:11 +00:00
Toomas Soome
db7599e9e5 loader: file_addmodule should check for memory allocation
strdup() can return NULL.

MFC after:	1w
2019-04-07 11:50:41 +00:00
Toomas Soome
cef2742e20 loader: malloc+bzero is calloc
Replace malloc+bzero in module.c with calloc.

MFC after:	1w
2019-04-07 11:48:41 +00:00
Marcin Wojtas
b0fefb25c5 Create kernel module to parse Veriexec manifest based on envs
The current approach of injecting manifest into mac_veriexec is to
verify the integrity of it in userspace (veriexec (8)) and pass its
entries into kernel using a char device (/dev/veriexec).
This requires verifying root partition integrity in loader,
for example by using memory disk and checking its hash.
Otherwise if rootfs is compromised an attacker could inject their own data.

This patch introduces an option to parse manifest in kernel based on envs.
The loader sets manifest path and digest.
EVENTHANDLER is used to launch the module right after the rootfs is mounted.
It has to be done this way, since one might want to verify integrity of the init file.
This means that manifest is required to be present on the root partition.
Note that the envs have to be set right before boot to make sure that no one can spoof them.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19281
2019-04-03 03:57:37 +00:00
Ed Maste
698194ab24 stand: remove CLANG_NO_IAS from zfsldr
Many components under stand/ had CLANG_NO_IAS added when Clang's
Integrated Assembler (IAS) did not handle .codeNN directives.  Clang
gained support quite some time ago, and we can now build stand/ with
IAS.

Note that in some cases there are small differences in the generated
output, so CLANG_NO_IAS should be removed only after testing (or after
finding no differences in the output).  For zfsldr I compared objdump
output between GNU as- and Clang IAS-built zfsldr and .text was
identical (changes were limited to the object's ELF headers and debug
info).

Sponsored by:	The FreeBSD Foundation
2019-03-26 20:32:05 +00:00
Kyle Evans
8f7f3d08ae lualoader: Fix up some luacheck concerns
- Garbage collect an unused (removed because it was useless) constant
- Don't bother with vararg notation if args will not be used

MFC after:	1 week
2019-03-26 02:35:58 +00:00
Kyle Evans
c206dd4d81 lualoader: Clear the screen before prompting for password
Assuming that the autoboot sequence was interrupted, we've done enough
cursor manipulation that the prompt for the password will be sufficiently
obscured a couple of lines up. Clear the screen and reset the cursor
position here, too.

MFC after:	1 week
2019-03-26 02:33:27 +00:00
Ian Lepore
14243f8de7 Distinguish between "no partition" and "choose best partition" with a constant.
The values of the d_slice and d_partition fields of a disk_devdesc have a
few values with special meanings in the disk_open() routine. Through various
evolutions of the loader code over time, a d_partition value of -1 has
meant both "use the first ufs partition found in the bsd label" and "don't
open a bsd partition at all, open the raw slice."

This defines a new special value of -2 to mean open the raw slice, and it
gives symbolic names to all the special values used in d_slice and
d_partition, and adjusts all existing uses of those fields to use the new
constants.

The phab review for this timed out without being accepted, but I'm still
citing it below because there is useful commentary there.

Differential Revision:	https://reviews.freebsd.org/D19262
2019-03-24 18:51:52 +00:00
Ed Maste
fe6ee08134 loader: fix loading of kernels with . in path
The loader indended to search the kernel file name (only) for . but
instead searched the entire path, so paths like
"boot/test.elfv2/kernel" would not work.

Submitted by:	alfredo.junior_eldorado.org.br
Reviewed by:	kevans
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D19658
2019-03-20 16:24:47 +00:00
Marcin Wojtas
c42e554dc9 Add missing boot.4th verification
During initialization of the forth interpreter
the loader looks for "/boot/boot.4th"
and executes any code found there.
That file was loaded bypassing verification.
Add a call to verify_file to change that.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
2019-03-19 02:45:32 +00:00
Kyle Evans
7325df02c5 stand: Improve some debugging experience
Some of these files using <FOO>_DEBUG defined a DEBUG() macro to serve as a
debug-printf. -DDEBUG is useful to enable some debugging output across
multiple ELF/common parts, so switch the DEBUG-as-printf macros over to
something more like DPRINTF that is more commonly used for this kind of
thing and less likely to conflict.

userboot/elf64_freebsd debugging also assumed %llx for uint64; use PRIx64
instead.

MFC after:	1 week
2019-03-12 16:21:39 +00:00
Emmanuel Vadot
73a41ff81c stand/common/module: Apply style(9) 2019-03-07 18:57:43 +00:00
John Baldwin
2e43efd0bb Drop "All rights reserved" from my copyright statements.
Reviewed by:	rgrimes
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D19485
2019-03-06 22:11:45 +00:00
Marcin Wojtas
13ea0450a9 Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation
UEFI related headers were copied from edk2.

A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow
loading of trusted anchors from UEFI.

Certificate revocation support is also introduced.
The forbidden certificates are loaded from dbx variable.
Verification fails in two cases:

There is a direct match between cert in dbx and the one in the chain.
The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx.
In this case verifications fails only if a direct match with a
certificate in chain is found.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision:	https://reviews.freebsd.org/D19093
2019-03-06 06:39:42 +00:00
Rebecca Cran
ce37b71e68 Add retry loop around GetMemoryMap call to fix fragmentation bug
The call to BS->AllocatePages can cause the memory map to become framented,
causing BS->GetMemoryMap to return EFI_BUFFER_TOO_SMALL more than once. For
example this can happen on the MinnowBoard Turbot, causing the boot to stop
with an error. Avoid this by calling GetMemoryMap in a loop.

Reviewed by:	imp, tsoome, kevans
Differential Revision:	https://reviews.freebsd.org/D19341
2019-03-06 05:39:40 +00:00
Simon J. Gerraty
fd1d7567d8 Add -d flag to load command
When doing load -t manifest -d increments debug level

Reviewed by:	stevek
2019-03-04 19:50:59 +00:00
Rebecca Cran
ea7796a9ae EFI: don't call printf after ExitBootServices, since it uses Boot Services
ExitBootServices terminates all boot services including console access.
Attempting to call printf afterwards can result in a crash, depending on the
implementation.

Move any printf statements to before we call bi_load, and remove any that
depend on calling bi_load first.

Reviewed by:	imp, tsoome
Differential Revision:	https://reviews.freebsd.org/D19374
2019-03-02 04:02:11 +00:00
Simon J. Gerraty
8df8b2d3e5 Enable veriexec for loader
This relies on libbearssl and libsecureboot
to verify files read by loader in a maner equivalent
to how mac_veriexec

Note: disabled by default.
Use is initially expected to be by embeded vendors

Reviewed by:	emaste, imp
Sponsored by:	Juniper Networks
Differential Revision:	D16336
2019-02-26 06:22:10 +00:00
Kyle Evans
e5a24fa137 stand: Remove unused i386 EFI MD bits
r328169 removed the copy of bootinfo that would've made this somewhat
functional. However, this is irrelevant- earlier work in r292338 was done to
exit boot services in the MI bi_load() rather than having N copies of the
GetMemoryMap/ExitBootServices dance.

i386 never quite caught up to that; ldr_enter was still being called but
the prereq for that, ldr_bootinfo, was no longer. As a consequence, this
ExitBootServices() was being called with a mapkey=0, clearly bogus, and
reportedly breaking the boot in some instances.

Reported by:	bcran
MFC after:	1 week
2019-02-26 03:37:12 +00:00
Toomas Soome
6cea60aef5 loader: really fix cd9660 dirmatch
The cd9660_open() does pass whole path to dirmatch() and we need to
compare only the current path component, not full path.

Additinally, skip over duplicate / (if any) and check if the last component
in the path was meant to be directory (having trailing /). If it is in fact
a file, error out.
2019-02-20 21:07:09 +00:00
Ian Lepore
98934c6843 Fix the handling of legacy-format devices in the u-boot loaderdev variable.
When I added support for the standard loader(8) disk0s2a: type formats,
the parsing of legacy format was broken because it also contains a colon,
but it comes before the slice and partition. That would cause disk_parsedev()
to return success with the slice and partition set to wildcard values.

This change examines the string first, and if it contains spaces, dots, or
a colon at any position other than the end, it must be a legacy-format
string and we don't even try to use disk_parsedev() on it.

Reported by:	Manuel Stuhn
2019-02-20 03:00:55 +00:00
Toomas Soome
63f582e0f5 loader: ptable_close() should check its argument
If the passed in table is NULL, just return.
2019-02-18 20:29:19 +00:00
Ian Lepore
28ef0240e0 Allow the u-boot loaderdev env var to be formatted in the "usual" loader(8)
way: device<unit>[s|p]<slice><partition>.  E.g., disk0s2a or disk3p12.
The code first tries to parse the variable in this format using the
standard disk_parsedev().  If that fails, it falls back to parsing the
legacy format that has been supported by ubldr for years.

In addition to 'disk', all the valid uboot device names can also be used:
mmc, sata, usb, ide, scsi. The 'disk' device serves as an alias for all
those types and will match the Nth storage-type device found (where N is
the unit number).
2019-02-18 17:12:30 +00:00
Ian Lepore
e5c0d6a0ca Fix more places to use DEV_TYP_NONE instead of -1 to indicate 'no device'. 2019-02-18 15:28:12 +00:00
Ian Lepore
85c7139a76 Use DEV_TYP_NONE instead of -1 to indicate no device was specified.
DEV_TYP_NONE has a value of zero, which makes more sense since the device
type is a bunch of bits describing the device, crammed into an int.
2019-02-18 15:09:19 +00:00
Toomas Soome
61250f78c4 cd9660: dirmatch fails to unmatch when name is prefix for directory record
Loader does fail to properly match the file name in directory record and
does open file based on prefix match.

For fix, we check the name lengths first.

Reviewed by:	allanjude
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D19213
2019-02-18 08:26:18 +00:00
Ian Lepore
5a75fc4b11 Make uboot_devdesc properly alias disk_devdesc, so that parsing the u-boot
loaderdev variable works correctly.

The uboot_devdesc struct is variously cast back and forth between
uboot_devdesc and disk_devdesc as pointers are handed off through various
opaque interfaces.  uboot_devdesc attempted to mimic the layout of
disk_devdesc by having a devdesc struct, followed by a union of some
device-specific stuff that included a struct that contains the same fields
as a disk_devdesc.  However, one of those fields inside the struct is 64-bit
which causes the entire union to be 64-bit aligned -- 32 bits of padding
is added between the struct devdesc and the union, so the whole mess ends
up NOT properly mimicking a disk_devdesc after all.  (In disk_devdesc there
is also 32 bits of padding, but it shows up immediately before the d_offset
field, rather than before the whole collection of d_* fields.)

This fixes the problem by using an anonymous union to overlay the devdesc
field uboot network devices need with the disk_devdesc that uboot storage
devices need.  This is a different solution than the one contributed with
the PR (so if anything goes wrong, the blame goes to me), but 95% of the
credit for this fix goes to Pawel Worach and Manuel Stuhn who analyzed the
problem and proposed a fix.

PR:		233097
2019-02-18 04:44:52 +00:00
Kyle Evans
d61897abea lualoader: only clear the screen before first password prompt
This was previously an unconditional screen clear, regardless of whether or
not we would be prompting for any passwords. This is pointless, given that
the screen clear is only there to put our screen into a consistent state
before we draw the prompts and do cursor manipulation.

This is also the only screen clear besides that to draw the menu.  One can
now see early pre-loader and loader output with the menu disabled, which may
be useful for diagnostics.

Reported by:	ian
MFC after:	3 days
2019-02-18 02:59:47 +00:00
Justin Hibbits
bc4d122db0 powerpc/boot: Move ubldr to /boot/uboot, and make this a separate filesystem
Summary:
Now that mpc85xx can boot via ubldr, move ubldr to a separate
filesystem, mounted on /boot/uboot, so that a fresh install can boot correctly.

Reviewed By: nwhitehorn
Differential Revision: https://reviews.freebsd.org/D18709
2019-02-18 01:57:47 +00:00
Ian Lepore
7827bb1c2c Garbage collection no-longer-used constant. 2019-02-17 23:48:51 +00:00
Ian Lepore
5b777dbfa5 Make lsdev -v output line up in neat columns by using a fixed width for
the size field and a tab between the partition type and the size.

Changes this

  disk devices:
        disk0 (MMC)
        disk0s1: DOS/Windows            49MB
        disk0s2: FreeBSD                14GB
        disk0s2a: FreeBSD UFS         14GB
        disk0s2b: Unknown             2048KB
        disk0s2d: FreeBSD UFS         2040KB

to this

  disk devices:
        disk0 (MMC)
        disk0s1: DOS/Windows      49MB
        disk0s2: FreeBSD          14GB
        disk0s2a: FreeBSD UFS     14GB
        disk0s2b: Unknown       2048KB
        disk0s2d: FreeBSD UFS   2040KB
2019-02-17 23:46:11 +00:00
Ian Lepore
71c96def1c Use a couple local variables to avoid repetitive long expressions that
cause line-wrapping.
2019-02-17 23:38:17 +00:00
Ian Lepore
4d02caf7cb Restore loader(8)'s ability for lsdev to show partitions within a bsd slice.
I'm pretty sure this used to work at one time, perhaps long ago.  It has
been failing recently because if you call disk_open() with dev->d_partition
set to -1 when d_slice refers to a bsd slice, it assumes you want it to
open the first partition within that slice.  When you then pass that open
dev instance to ptable_open(), it tries to read the start of the 'a'
partition and decides there is no recognizable partition type there.

This restores the old functionality by resetting d_offset to the start
of the raw slice after disk_open() returns.  For good measure, d_partition
is also set back to -1, although that doesn't currently affect anything.

I would have preferred to make disk_open() avoid such rude assumptions and
if you ask for partition -1 you get the raw slice.  But the commit history
shows that someone already did that once (r239058), and had to revert it
(r239232), so I didn't even try to go down that road.
2019-02-17 23:32:09 +00:00
Patrick Kelsey
a070559721 It turns out r344226 narrowed the overrun bug but did not eliminate it entirely
This commit fixes a remaining output buffer overrun in the
single-sector case when there is a non-zero tail.

Reviewed by:	allanjude, tsoome
MFC after:	3 months
MFC with:	r344226
Differential Revision:	https://reviews.freebsd.org/D19220
2019-02-17 17:47:08 +00:00
Patrick Kelsey
861729a32e Remove whole-disk vdev support from zfsboot
This is consistent with the removal of whole-disk vdev support from
libsa/zfs/zfs.c in r342151, and is part way to having the LBAs read
during probe be fully constrained by partition tables when present.

Reviewed by:	tsoome
MFC after:	3 months
Differential Revision:	https://reviews.freebsd.org/D19142
2019-02-17 03:52:44 +00:00
Patrick Kelsey
07362361e0 Fix memory corruption bug introduced in r325310
The bug occurred when a bounce buffer was used and the requested read
size was greater than the size of the bounce buffer.  This commit also
rewrites the read logic so that it is easier to systematically verify
all alignment and size cases.

Reviewed by:	allanjude, tsoome
MFC after:	3 months
Differential Revision:	https://reviews.freebsd.org/D19140
2019-02-17 03:35:15 +00:00
Ed Maste
bcf99d2d99 Add WITH_PIE knob to build Position Independent Executables
Building binaries as PIE allows the executable itself to be loaded at a
random address when ASLR is enabled (not just its shared libraries).

With this change PIE objects have a .pieo extension and INTERNALLIB
libraries libXXX_pie.a.

MK_PIE is disabled for some kerberos5 tools, Clang, and Subversion, as
they explicitly reference .a libraries in their Makefiles.  These can
be addressed on an individual basis later.  MK_PIE is also disabled for
rtld-elf because it is already position-independent using bespoke
Makefile rules.

Currently only dynamically linked binaries will be built as PIE.

Discussed with:	dim
Reviewed by:	kib
MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D18423
2019-02-15 22:22:38 +00:00
Kyle Evans
e49f2c66d1 stand: dev_net: correct net_open's interpretation of params
net_open previously casted the first vararg to a char * and this was
half-OK: at first, it is passed to netif_open, which would cast it back to
the struct devdesc * that it really is and use it properly. It is then
strdup()d and used as the netdev_name, which is objectively wrong.

Correct it so that the first vararg is properly casted to a struct devdesc *
and the netdev_name gets set properly to make it more clear at a glance that
it's not doing something horribly wrong.

Reported by:	mmel
Reviewed by:	imp, mmel, tsoome
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D19206
2019-02-15 18:28:51 +00:00