foundation for invoking efibootmgr as part of new-style EFI booting on
x86. On PS3 and PowerNV, which are booted using Linux kexec from petitboot
rather than by loader(8), install the kernel and the rest of /boot to a
FAT partition and set up the appropriate petitboot configuration file
there.
The new bootconfig installer stage can do platform-dependent modifications
more complex than partition layout and installation of boot blocks and can
be used to (as here) set up some special configuration files, run efibootmgr,
or boot0cfg.
MFC after: 1 month
one of the directories in the filesystem hierarchy is a FAT mountpoint,
settings its times will fail, which would cause installation to abort.
Instead, make this a best-effort thing.
Handling this error is a hack and a better internal scheme for handling
this should be added to libarchive.
Some users, especially those that are new, might be confused when passwd
does not echo anything. Inform users that the password will not be
visible.
PR: 196113
Submitted by: Byron Grobe <grobe0ba@gmail.com>
the installer but not mounted (i.e. with boot1.efifat dd'ed to them
rather than the forthcoming proper filesystem) would get newfs_msdos run
on them immediately after the boot code was copied. This would overwrite
the bootstrap code, causing the EFI system partition to be blanked and
resulting in an unbootable system.
PR: 224562
layer, for example, to specify that the EFI boot partition should be
mounted at /efi and formatted normally with newfs_msdos rather than
splatted to from /boot/boot1.efifat.
This commit adds only the API for this; actual platform use will come later.
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.
The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
No functional change intended.
When you install a computer for the first time, the date in the CMOS sometimes
not accurate and you need to ntpdate as ntpd will fail a the time difference
is too big.
Add an option in bsdinstall to enable ntpdate that will do that for us.
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D13149
r309934 cleaned up some cases in bsdinstall to use heredocs but broke
the indentation of the generated output, because <<- heredocs strip
leading tabs.
PR: 221982
Reviewed by: allanjude, dteske
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D13190
Enabling the PID randomization option in bsdinstall(8)'s hardening menu
now randomizes the effective value of kern.randompid on each boot.
Previous behaviour:
When kern.randompid was enabled via the the bsdinstall(8) hardening menu,
a random value was generated and placed in the systems /etc/sysctl.conf as
kern.randompid=value
This makes the value of kern.randompid static across reboots.
New behaviour:
When kern.randompid is enabled via the bsdinstall(8) hardening menu, the
line kern.randompid=1 is placed in the systems /etc/sysctl.conf.
This takes advantage of a new kernel feature and makes the value of
kern.randompid be randomized by the kernel on each reboot.
Submitted by: Marie Helene Kvello-Aune <marieheleneka@gmail.com>
Reviewed by: des
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D12433
warning about a filesystem which doesn't have a mountpoint. Presumably, the
person who wrote the install script knew what they were doing.
Submitted by: Brian Mueller <bmueller@panasas.com>
MFC after: 1 month
Sponsored by: Panasas
Differential Revision: https://reviews.freebsd.org/D12346
This was originally added as "exit $SUCCESS" but with nothing to set the
SUCCESS variable. Thus it became an exit with no argument, which just
exits with the status of the preceding command.
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Previously we added an ifconfig_$INTERFACE line to rc.conf for each
unsuccessful DCHP attempt.
PR: 219515
Reviewed by: allanjude
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11967
Since kib's change the stack guard is now ON by default,
this option in hardening menu of bsdinstall is no longer needed.
Submitted by: Bartlomiej Rutkowski <robak@FreeBSD.org>
Reviewed by: bapt
Approved by: bapt
MFC after: 1 day
Sponsored by: Pixeware LTD
Differential Revision: https://reviews.freebsd.org/D11686
The usual case of a mismatched checksum for installer snapshots
(e.g., -CURRENT, -ALPHA*) is that a newer snapshot has been built and
the old install sets have been replaced. Provide a specific error
message for checksum mismatches there that suggests looking for a newer
snapshot.
Submitted by: Guangyuan Yang <yzgyyang@outlook.com>
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11641
This patch adds new bsdinstall option to hardening section that allows users
to change this behaviour to secure one and updates stack guard option so it
would set the value of relevant sysctl to 512 (2MB)
Submitted by: Bartek Rutkowski
Reviewed by: adrian, bapt, emaste
Approved by: bapt, emaste
MFC after: 1 day
Sponsored by: Pixeware LTD
Differential Revision: https://reviews.freebsd.org/D9700
vfs.zfs.min_auto_ashift is a sysctl only not a tunable so updated bsdinstall
to use the correct location /etc/sysctl.conf instead of /boot/loader.conf
Reported by: Aaron Caza
Reviewed by: allanjude
MFC after: 2 days
Sponsored by: Multiplay
Differential Revision: https://reviews.freebsd.org/D11278
- increase arm64 EFI partition to 200M, as x86
- use EFI_BOOTPART_SIZE and EFI_BOOTPART_PATH macros on x86
- increase ZFS EFI partition to 200M
PR: 201898
Reviewed by: allanjude, manu
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11239
- Start new sentences on new lines.
- Separate e.g. (more of an igor thing) with commas, and rewrite some examples
not to be enclosed in parentheses.
Reported by: igor, make manlint
MFC after: 2 weeks
Sponsored by: Dell EMC Isilon
It requires a tty, which might not be available in scripted installs. Instead
extract the sets manually using tar.
Reviewed by: tsoome
Sponsored by: Citrix Systems R&D
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D10736
Because the datasets are already mounted by zfsboot, and the mount script
doesn't know anything about ZFS. Also do not execute the "umount" script for
ZFS for the same reasons.
Reviewed by: dteske, tsoome
Sponsored by: Citrix Systems R&D
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D10738
Use a snprintf to write an environment variable to a fixed-size buffer to
avoid stack overflow.
Reported by: Coverity (CWE-120)
CID: 1238926
Sponsored by: Dell EMC Isilon
As discussed previously, in order to introduce new OS hardening
defaults, we've added them to bsdinstall in 'off by default' mode.
It has been there for a while, so the next step is to change them
to 'on by defaul' mode, so that in future we could simply enable
them in base OS.
Reviewed by: brd
Approved by: adrian
Differential Revision: https://reviews.freebsd.org/D9641
* DISTDIR_IS_UNIONFS is set every time BSDINSTALL_DISTDIR is mounted inside
BSDINSTALL_CHROOT. Use this flag to decide if it needs to be umounted
* BSDINSTALL_CHROOT/dev is mounted when 'bsdinstall mount' is called, there is
no need to mount it again when user goes to shell after installation
Reviewed by: allanjude
Obtained from: pfSense
MFC after: 1 week
Sponsored by: Rubicon Communications (Netgate)
Differential Revision: https://reviews.freebsd.org/D8573
