Commit Graph

3202 Commits

Author SHA1 Message Date
emaste
d8f59dccba do not enable userland retpoline if not supported by compiler/linker
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D21101
2019-08-15 12:48:17 +00:00
sjg
399c1cc91c Revert prior change till installworld sorted 2019-08-15 06:00:55 +00:00
sjg
cbeb6e55c6 bsd.files.mk: fix targets to avoid directories
Reintroduce :T when file is used as part of a target name.

Reviewed by:	stevek
2019-08-14 22:33:46 +00:00
andrew
b9c350d8fd Enable BSD_CRTBEGIN on powerpc
In r342974 jhibbits added support to build crtsavres.o. This was the
blocker for BSD_CRTBEGIN to be enabled there. As such enable this
option again.

Reviewed by:	jhibbits
Sponsored by:	DARPA, AFRL
2019-08-14 14:31:17 +00:00
cem
4c8a9e2fb6 r350739 try #2
For some inexplicable reason, C++ compilers reject the -Wno- flag, and also
(ab)use CWARNFLAGS.

Reported by:	imp
2019-08-08 04:29:46 +00:00
cem
6d9426996c Disable useless -Wformat-zero-length
It is part of -Wformat, which is enabled by -Wall.  Empty format strings are
well defined and it is perfectly reasonable to expect them in a formatting
interface.
2019-08-08 03:27:46 +00:00
imp
3a0ba06de1 Enable nvme on aarch64
Don't mark nvme as broken on aarch64. It compiles, at least, and people are
testing it out. This only enables the userland parts of the nvme stack.

Submitted by: greg at unrelenting technologies
Differential Revision: https://reviews.freebsd.org/D21168
2019-08-07 16:19:06 +00:00
jhb
97ae8341d8 Flip REPRODUCIBLE_BUILD back to off by default in head.
Having the full uname output can be useful on head even with
unmodified trees or trees that newvers.sh fails to recognize as
modified.

Reviewed by:	emaste
Differential Revision:	https://reviews.freebsd.org/D20895
2019-08-03 01:06:17 +00:00
asomers
c71b8899d3 Add a CXXWARNFLAGS variable
Some warning flags are valid for C++ but not C. GCC 8 complains if you pass
such flags when building a C file. Using a separate variable for these
flags allows building both C and C++ files in the same directory (such as
the fusefs tests) under GCC.

Reviewed by:	cem, emaste
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D21116
2019-07-30 19:34:39 +00:00
markj
9cea16db08 Remove cap_random(3).
Now that we have a way to obtain entropy in capability mode
(getrandom(2)), libcap_random is obsolete.  Remove it.

Bump __FreeBSD_version in case anything happens to use it, though I've
found no consumers.

Reviewed by:	delphij, emaste, oshogbo
Relnotes:	yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D21033
2019-07-24 22:50:43 +00:00
asomers
204e15916d Add c++14 and c++17 to COMPILER_FEATURES
This will be used to gate the fusefs tests. It's a partial merge of r348281
from projects/fuse2.

Reviewed by:	kib, emaste
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D21044
2019-07-24 15:10:09 +00:00
manu
9ac3984bf7 arm: Use -O2 instead of -O as optimization flag
When using Clang -O is equivalent to -O2, change it -O2 to make it
consistent with other platforms.

Reference: https://clang.llvm.org/docs/ClangCommandLineReference.html#optimization-level

Submitted by:	Daniel Engberg (daniel.engberg.lists@pyret.net)
Reviewed by:	emaste
Differential Revision:	https://reviews.freebsd.org/D21021
2019-07-22 10:17:59 +00:00
brooks
1a4fa32808 Make setting mips endian and ABI less verbose.
Allow ABI to be over ridden to allow (with other changes) programs to be
built targeting ABIs other than the default.  This is used in CheriBSD.

Reviewed by:	imp
Obtained from:	CheriBSD
MFC after:	1 week
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D21001
2019-07-19 23:39:21 +00:00
manu
980d9a0e0a bsd.confs.mk: Test the correct value for the destination package
Reviewed by:	bapt, gjb
Differential Revision:	https://reviews.freebsd.org/D20961
2019-07-19 15:11:32 +00:00
bdrewery
0badd2e290 Rework some multi-output target dependency handling.
This reworks my last commit in r301285 to more closely match what was in
r241298 (but reverted in r294878).

This is addressing "missing .meta file" rebuilds but also ensuring that
files are always generated when needed in each case.

Note that this is not a complete rework of the problem areas identified
in r301285 as most are "good enough" right now as the new pattern
is too verbose. It's only worth making this current change where headers
may be generated in the INCS list; where missing .meta file rebuilds are
spotted.

--- Technical details follow ---

Several attempts to deal with this problem of multi-output targets, with and
without META MODE, were explained in r241298, r294878, and r301285.

The general problem is with multi-output targets such as:
        foo.c foo.h:
                touch foo.c foo.h
        foo.c foo.h:
                touch foo.c
                touch foo.h
        foo.c foo.h: foo.in
                ./generator ${.ALLSRC}

This pattern is problematic in jobs mode as both files end up being
built concurrently and leads to races. With META MODE it is worse
as both targets end up rebuilding if they lack a .meta file. So the
generator is force built twice even though it is only needed once.
There are also problems in that 'make foo.h' may be ran before 'make foo.c';
The order of make generating the targets is not guaranteed.

An older attempted workaround to this (discussed in r294878) was:
        foo.h: foo.c
        foo.c: foo.in
                ./generator ${.ALLSRC}
This appears fine except that if foo.h is missing and foo.c exists then
foo.h will never be regenerated. This pattern is close to the solution
in this commit though:

        foo.h: foo.c .NOMETA
        .if !exists(foo.h)
        foo.c: .PHONY .META
        .endif
        foo.c: foo.in
                ./generator ${.ALLSRC}

There's 2 differences here:
1. foo.h will never expect to have a .meta file since the foo.c target
   will generate both and own the .meta file.
2. If foo.h does not exist then it needs to force foo.c to be rebuilt
   with .PHONY. That normally disables META MODE though so .META is
   given to tell bmake we do really expect a .meta file.

This pattern cannot work with implicit suffix rules since the .c and .h files
may be generated at different times (buildincludes vs depend/all).

Sponsored by:	Dell EMC
MFC after:	2 weeks
2019-07-19 00:15:25 +00:00
bdrewery
3f7167a6b6 Consider *clean targets as non-build targets as well.
MFC after:	2 weeks
Sponsored by:	DellEMC
2019-07-04 14:51:44 +00:00
luporl
7eebf50989 Fix missing powerpc64 in _LLVM_TARGET_FILT
This change was originally in D20378. Making it in a new diff since it's a
bugfix.

Submitted by:	alfredo.junior_eldorado.org.br
Reviewed by:	emaste, luporl
Differential Revision:	https://reviews.freebsd.org/D20756
2019-06-28 15:49:14 +00:00
imp
0ea6c510f8 Remove NAND and NANDFS support
NANDFS has been broken for years. Remove it. The NAND drivers that
remain are for ancient parts that are no longer relevant. They are
polled, have terrible performance and just for ancient arm
hardware. NAND parts have evolved significantly from this early work
and little to none of it would be relevant should someone need to
update to support raw nand. This code has been off by default for
years and has violated the vnode protocol leading to panics since it
was committed.

Numerous posts to arch@ and other locations have found no actual users
for this software.

Relnotes:	Yes
No Objection From: arch@
Differential Revision: https://reviews.freebsd.org/D20745
2019-06-25 04:50:09 +00:00
jhibbits
f902a2f35a powerpc: Transition to Secure-PLT, like most other OSs (Toolchain part)
Summary:
Toolchain follow-up to r349350.  LLVM patches will be submitted upstream for
9.0 as well.

The bsd.cpu.mk change is required because GNU ld assumes BSS-PLT if it
cannot determine for certain that it needs Secure-PLT, and some binaries do
not compile in such a way to make it know to use Secure-PLT.

Reviewed By: nwhitehorn, bdragon, pfg
Differential Revision: https://reviews.freebsd.org/D20598
2019-06-25 02:35:22 +00:00
bdrewery
3e2dcc642a Follow-up r349065: Fix .TARGET flag ambiguity with PROGS which broke MK_TESTS.
X-MFC-With:	r349065
Sponsored by:	DellEMC
2019-06-19 19:19:37 +00:00
bdrewery
dc927a012f Rework r349061: Don't apply guessed dependencies if there is a custom target.
This is still targeting bin/sh cyclic dependency issues.  Only apply
guessed dependencies that are explicitly set for an object (which
gnu/lib/cc/cc_tools needs) and if no custom target exists with its
own dependencies.

This was manifesting as a missing yacc.h in usr.bin/mkesdb_static when
built without -j (or -B). No actual yacc.h dependency ordering was
defined but with -j it got lucky and built fine.

Before r349061 the behavior was different for META_MODE but that logic
difference isn't needed.

X-MFC-With:	r349061
Sponsored by:	DellEMC
2019-06-18 22:00:38 +00:00
bdrewery
08ae9367c4 Allow DEPENDOBJS/DEPENDSRCS to work with only OBJS set and no SRCS.
Default to tracking .depend.* for OBJS rather than SRCS.

This helps cover some special case builds like gnu/lib/csu which
do more of a PROGS-like thing with bsd.prog.mk.

It is possible this causes out-of-tree Makefiles to have problems if they use
this pattern:
	foo.o: foo.c
		${CC} -o ${.TARGET} ${.ALLSRC}
This may cause multiple source files to be compiled due to finding the
'foo.o: foo.c' dependency both in the Makefile at the .depend file. Or
it may try compiling headers. This can be worked around by either of these:
	foo.o: foo.c
		${CC} -o ${.TARGET} ${.ALLSRC:N*.h:[1]}
Or
	foo.o: foo.c
		${CC} -o ${.TARGET} ${.CURDIR}/foo.c
In the latter case the ${.CURDIR} may need to be a different path. The
first case covers automatically using .PATH.

Sponsored by:	DellEMC
2019-06-15 17:08:35 +00:00
bdrewery
a7e487652a META_MODE: Delete build targets that fail.
If a meta mode change is triggered but then the build fails then the
next build will not retrigger meta mode. This only prevented by
removing the target on rebuild or on the failure to rebuild.

Sponsored by:	DellEMC
2019-06-15 17:08:28 +00:00
bdrewery
9e176e98e6 Add various CFLAGS/LDADD overrides for the output target file.
Sponsored by:	DellEMC
2019-06-15 17:08:24 +00:00
bdrewery
b01b16b077 Avoid generating DEPENDFILES='.depend.' when there's no DEPENDOBJS.
MFC after:	2 weeks
Sponsored by:	DellEMC
2019-06-15 17:08:21 +00:00
bdrewery
fae321157c Similar to r335710 avoid ccache when linking a .cc file directly.
Sponsored by:	DellEMC
2019-06-15 17:08:18 +00:00
bdrewery
e543aab538 Don't force OBJS_DEPEND_GUESS headers onto all objects.
This is in the case of not having any .depend.foo.o yet.  Don't force add *.h
as a dependency for those. They are built in beforebuild already when in
SRCS/DPSRCS.

This change allows custom rules, like in bin/sh/Makefile for mksyntax, to not
have cyclic dependency problems when connected to the .depend.* handling.

This is purposely not copied to sys/conf/kern.post.mk as it handles
generating headers slightly differently.

MFC after:	2 weeks
Sponsored by:	DellEMC
2019-06-15 17:08:02 +00:00
bdrewery
11834ac048 DPSRCS need to be built before recursing.
MFC after:	2 weeks
Sponsored by:	DellEMC
2019-06-10 19:38:35 +00:00
ngie
fc00834974 Fix up CXXSTD support originally added in r345708
r345708 worked for the base system, but unfortunately, caused a lot of
disruption for third-party packages that relied on C++, since bsd.sys.mk is
used by applications outside the base system. The defaults picked didn't match
the compiler's defaults and broke some builds that didn't specify a standard,
as well as some that overrode the value by setting `-std=gnu++14` (for
example) manually.

This change takes a more relaxed approach to appending `-std=${CXXSTD}` to
CXXFLAGS, by only doing so when the value is specified, as opposed to
overriding the standard set by an end-user. This avoids the need for having
to bake NOP default into bsd.sys.mk for supported compiler-toolchain
versions.

In order to make this change possible, add CXXSTD to Makefile snippets which
relied on the default value (c++11) added in r345708.

MFC after:      2 weeks
MFC with:       r345708, r346574
Reviewed by:    emaste
Reported by:    jbeich
Differential Revision: https://reviews.freebsd.org/D19895 (as part of a larger change)
2019-04-22 18:40:46 +00:00
mhorne
812de85df2 Add option to build LLVM RISC-V target
Reviewed by:	emaste, dim
Approved by:	markj (mentor)
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D19759
2019-04-07 18:24:26 +00:00
mw
7c5d4b81ab Create kernel module to parse Veriexec manifest based on envs
The current approach of injecting manifest into mac_veriexec is to
verify the integrity of it in userspace (veriexec (8)) and pass its
entries into kernel using a char device (/dev/veriexec).
This requires verifying root partition integrity in loader,
for example by using memory disk and checking its hash.
Otherwise if rootfs is compromised an attacker could inject their own data.

This patch introduces an option to parse manifest in kernel based on envs.
The loader sets manifest path and digest.
EVENTHANDLER is used to launch the module right after the rootfs is mounted.
It has to be done this way, since one might want to verify integrity of the init file.
This means that manifest is required to be present on the root partition.
Note that the envs have to be set right before boot to make sure that no one can spoof them.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19281
2019-04-03 03:57:37 +00:00
ngie
65f9986463 Allow programs to set NO_SHARED on a per-PROG basis
This is particularly useful when installing programs for tests that need to be
linked statically, e.g., mini-me from capsicum-test, which is linked statically
to avoid the dynamic library lookup in the upstream project.

Reviewed by:	emaste
Approved by:	emaste (mentor)
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D19756
2019-03-30 17:23:15 +00:00
ngie
788de78ff2 PROG_OVERRIDE_VARS should override default values if specified
The behavior prior to this change would not override default values if set in
`bsd.own.mk`, or (in the more general case) globally before `bsd.progs.mk` was
included. This affected `bsd.test.mk` as well, since it consumes
`bsd.progs.mk`.

Some examples of this failing behavior are as follows:

* `BINMODE` defaults to 0555 per `bsd.own.mk`. If someone wanted to set the
  `BINMODE` to `NOBINMODE` (0444) for `prog`, for example, like
  `BINMODE.prog= ${NOBINMODE}`, `bsd.progs.mk` would not honor the per-PROG
  setting.
* An application, `prog`, does not build at `WARNS?= 6`. Before this change,
  setting to a lower `WARNS` value, e.g., `WARNS.prog= 3`, would have been
  impossible, requiring that `prog` be built from another directory,
  the global `WARNS` be lowered, or a per-PROG value needing to be set
  across the board. None of the above workarounds is desirable.

This change unbreaks variables defined in `PROG_OVERRIDE_VARS` which have
defaults set before `bsd.progs.mk` is included, by setting them to their
defined values if set on a per-PROG basis.

Reviewed by:	asomers
Approved by:	emaste (mentor)
MFC after:	1 month
Differential Revision: https://reviews.freebsd.org/D19755
2019-03-30 00:57:33 +00:00
ngie
0b0688a91c Allow users to override CSTD/CXXSTD on a per-prog basis
The current logic for CSTD/CXXSTD requires homogenity as far as the
supported C/C++ standards, which is a sensible default. However, when
dealing with differing versions of C++, some code may compile with C++11, but
not C++17 (for instance). So in order to avoid having people convert over their
code to the new standard, give the users the ability to specify the standard on
a per-program basis.

This will allow a user to override the supporting standard for a set of
programs, mixing C++11 with C++14 (for instance).

Reviewed by:	asomers
Apprved by:	emaste (mentor)
MFC after:	1 month
MFC with:	r345708
Differential Revision: https://reviews.freebsd.org/D19738
2019-03-29 18:49:08 +00:00
ngie
777d26ce52 Standardize -std=c++* as CXXSTD`
CXXSTD was added as the C++ analogue to CSTD.

CXXSTD defaults to `-std=c++11` with supporting compilers; `-std=gnu++98`,
otherwise for older versions of g++.

This change standardizes the CXXSTD variable, originally added to
googletest.test.inc.mk as part of r345203.

As part of this effort, convert all `CXXFLAGS+= -std=*` calls to use `CXXSTD`.

Notes:

This value is not sanity checked in bsd.sys.mk, however, given the two
most used C++ compilers on FreeBSD (clang++ and g++) support both modes, it is
likely to work with both toolchains. This method will be refined in the future
to support more variants of C++, as not all versions of clang++ and g++ (for
instance) support C++14, C++17, etc.

Any manual appending of `-std=*` to `CXXFLAGS` should be replaced with CXXSTD.
Example:

Before this commit:
```
CXXFLAGS+=	-std=c++14
```

After this commit:
```
CXXSTD=	c++14
```

Reviewed by:	asomers
Approved by:	emaste (mentor)
MFC after:	1 month
MFC with:	r345203, r345704, r345705
Relnotes:	yes
Tested with:	make tinderbox
Differential Revision:	https://reviews.freebsd.org/D19732
2019-03-29 18:45:27 +00:00
ngie
c702cbc7f9 Revert r345706: the third time will be the charm
When a review is closed via Phabricator it updates the patch attached to the
review. I downloaded the raw patch from Phabricator, applied it, and repeated
my mistake from r345704 by accident mixing content from D19732 and D19738.

For my own personal sanity, I will try not to mix reviews like this in the
future.

MFC after:	1 month
MFC with:	r345706
Approved by:	emaste (mentor, implicit)
2019-03-29 18:43:46 +00:00
ngie
04346017b4 Standardize -std=c++* as CXXSTD`
CXXSTD was added as the C++ analogue to CSTD.

CXXSTD defaults to `-std=c++11` with supporting compilers; `-std=gnu++98`,
otherwise for older versions of g++.

This change standardizes the CXXSTD variable, originally added to
googletest.test.inc.mk as part of r345203.

As part of this effort, convert all `CXXFLAGS+= -std=*` calls to use `CXXSTD`.

Notes:

This value is not sanity checked in bsd.sys.mk, however, given the two
most used C++ compilers on FreeBSD (clang++ and g++) support both modes, it is
likely to work with both toolchains. This method will be refined in the future
to support more variants of C++, as not all versions of clang++ and g++ (for
instance) support C++14, C++17, etc.

Any manual appending of `-std=*` to `CXXFLAGS` should be replaced with CXXSTD.
Example:

Before this commit:
```
CXXFLAGS+=	-std=c++14
```

After this commit:
```
CXXSTD=	c++14
```

Reviewed by:	asomers
Approved by:	emaste (mentor)
MFC after:	1 month
MFC with:	r345203, r345704, r345705
Relnotes:	yes
Tested with:	make tinderbox
Differential Revision:	https://reviews.freebsd.org/D19732
2019-03-29 18:31:48 +00:00
ngie
feb0a2664c Revert r345704
I accidentally committed code from two reviews. I will reintroduce the code to
bsd.progs.mk as part of a separate commit from r345704.

Approved by:	emaste (mentor, implicit)
MFC after:	2 months
MFC with:	r345704
2019-03-29 18:16:33 +00:00
ngie
aeeceba42b CXXSTD is the C++ analogue to CSTD.
CXXSTD defaults to `-std=c++11` with supporting compilers; `-std=gnu++98`,
otherwise for older versions of g++.

This change standardizes the CXXSTD variable, originally added to
googletest.test.inc.mk as part of r345203.

As part of this effort, convert all `CXXFLAGS+= -std=*` calls to use `CXXSTD`.

Notes:

This value is not sanity checked in bsd.sys.mk, however, given the two
most used C++ compilers on FreeBSD (clang++ and g++) support both modes, it is
likely to work with both toolchains. This method will be refined in the future
to support more variants of C++, as not all versions of clang++ and g++ (for
instance) support C++14, C++17, etc.

Any manual appending of `-std=*` to `CXXFLAGS` should be replaced with CXXSTD.
Example:

Before this commit:
```
CXXFLAGS+=	-std=c++14
```

After this commit:
```
CXXSTD=	c++14
```

Reviewed by:	asomers
Approved by:	emaste (mentor)
MFC after:	1 month
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D19732
2019-03-29 18:13:44 +00:00
ngie
bc27d36f90 Spam CXXFLAGS with -I${DESTDIR}/usr/include/private, instead of GTEST_CXXFLAGS
This makes it easier for googletest users to leverage googletest, instead of
forcing them to plug GTEST_CXXFLAGS into CXXFLAGS manually (resulting in
unnecessary duplication).

I will be following this up with a more proper fix in src.libnames.mk, as
src.libnames.mk should be automatically adding this directory to
CFLAGS/CXXFLAGS when private libraries are referenced. Not doing so can result
in mismatches between base-provided private library's and ports-provided
library's headers.

While here, tweak the comment to clarify what the intent is behind spamming
CXXFLAGS.

MFC after:	5 weeks
MFC with:	r345203
Reported by:	asomers
Reviewed by:	asomers
Approved by:	emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D19731
2019-03-28 17:22:31 +00:00
jhb
c5ea5db9ec Remove the TIMED src option from the list of options.
This was missed in r342139 when timed(8) was removed and fixes a
warning when running makeman to regenerate src.conf.5.

Differential Revision:	https://reviews.freebsd.org/D19486
2019-03-26 20:44:02 +00:00
jkim
434f008798 Catch up with Clang 8.0. 2019-03-21 21:45:02 +00:00
jkim
41233d02e9 Catch up with Clang 7.0.
MFC after:	3 days
2019-03-21 21:43:23 +00:00
dim
e267a9c7af Turn on MK_OPENMP for i386 by default, now that it can build.
Noticed by:	jbeich
PR:		236062, 236582
MFC after:	1 month
X-MFC-With:	r344779
2019-03-19 06:58:28 +00:00
dim
4c7b570576 Connect lib/libomp to the build.
* Set MK_OPENMP to yes by default only on amd64, for now.
* Bump __FreeBSD_version to signal this addition.
* Ensure gcc's conflicting omp.h is not installed if MK_OPENMP is yes.
* Update OptionalObsoleteFiles.inc to cope with the conflicting omp.h.
* Regenerate src.conf(5) with new WITH/WITHOUT fragments.

Relnotes:	yes
PR:		236062
MFC after:	1 month
X-MFC-With:	r344779
2019-03-16 15:45:15 +00:00
ngie
3c7fe6eece Initial googlemock/googletest integration into the build/FreeBSD test suite
This initial integration takes googlemock/googletest release 1.8.1, integrates
the library, tests, and sample unit tests into the build.

googlemock/googletest's inclusion is optionally available via `MK_GOOGLETEST`.
`MK_GOOGLETEST` is dependent on `MK_TESTS` and is enabled by default when
built with a C++11 capable toolchain.

Google tests can be specified via the `GTESTS` variable, which, in comparison
with the other test drivers, is more simplified/streamlined, as Googletest only
supports C++ tests; not raw C or shell tests (C tests can be written in C++
using the standard embedding methods).

No dependent libraries are assumed for the tests. One must specify `gmock`,
`gmock_main`, `gtest`, or `gtest_main`, via `LIBADD` for the program.

More information about googlemock and googletest can be found on the
Googletest [project page](https://github.com/google/googletest), and the
[GoogleMock](https://github.com/google/googletest/blob/v1.8.x/googlemock/docs/Documentation.md)
and
[GoogleTest](https://github.com/google/googletest/tree/v1.8.x/googletest/docs)
docs.

These tests are originally integrated into the build as plain driver tests, but
will be natively integrated into Kyua in a later version.

Known issues/Errata:
* [WhenDynamicCastToTest.AmbiguousCast fails on FreeBSD](https://github.com/google/googletest/issues/2172)

Reviewed by:	asomers
Approved by:	emaste (mentor)
MFC after:	2 months
Differential Revision: https://reviews.freebsd.org/D19551
2019-03-15 21:43:52 +00:00
ngie
4cb64feca8 MFhead@r344996 2019-03-11 03:02:58 +00:00
jhb
0081e5869e Divorce MK_GDB from MK_BINUTILS.
This permits legacy GDB to still be built and installed if
WITHOUT_BINUTILS is set (e.g. if base/binutils is installed).

Reviewed by:	emaste
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D19480
2019-03-06 20:13:02 +00:00
mw
330f749452 Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation
UEFI related headers were copied from edk2.

A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow
loading of trusted anchors from UEFI.

Certificate revocation support is also introduced.
The forbidden certificates are loaded from dbx variable.
Verification fails in two cases:

There is a direct match between cert in dbx and the one in the chain.
The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx.
In this case verifications fails only if a direct match with a
certificate in chain is found.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision:	https://reviews.freebsd.org/D19093
2019-03-06 06:39:42 +00:00
ngie
27c30212da MFhead@r344786 2019-03-05 01:00:38 +00:00