Commit Graph

782 Commits

Author SHA1 Message Date
kevans
bd383e74e5 stand: refactor overlay loading a little bit
It was pointed out that manually loading a .dtb to be used rather than
relying on platform-specific method for loading .dtb will result in overlays
not being applied. This was true because overlay loading was hacked into
fdt_platform_load_dtb, rather than done in a way more independent from how
the .dtb is loaded.

Instead, push overlay loading (for now) out into an
fdt_platform_load_overlays. This method easily allows ubldr to pull in any
fdt_overlays specified in the ub env, and omits overlay-checking on
platforms where they're not tested and/or not desired (e.g. powerpc). If we
eventually stop caring about fdt_overlays from ubenv (if we ever cared),
this method should get chopped out in favor of just calling
fdt_load_dtb_overlays() directly.

Reported by:	Manuel Stühn (freebsdnewbie freenet de)
2019-04-11 13:26:28 +00:00
tsoome
76764ecd98 loader: command_lsefi: ret can be used uninitialized
MFC after:	1w
2019-04-07 14:07:28 +00:00
tsoome
c3adce9014 loader: add file_remove() function to undo file_insert_tail().
346002 did miss the fact that we do not only undo the loadaddr, but also
we need to remove the inserted module. Implement file_remove() to do the job.

MFC after:	1w
2019-04-07 13:36:17 +00:00
tsoome
a1f406478d loader: mod_loadkld() error: we previously assumed 'last_file' could be null
The last_file variable is used to reset the loadaddr variable back to original
value; however, it is possible the last_file is NULL, so we can not blindly
trust it. But then again, we can just save the original loadaddr and use
the saved value for recovery.

MFC after:	1w
2019-04-07 12:20:17 +00:00
tsoome
25dc3eaba8 loader: file_addmetadata() should check for memory allocation
malloc() can return NULL.

MFC after:	1w
2019-04-07 12:10:19 +00:00
tsoome
d869e6ca4b loader: remove pointer checks before free() in module.c
free() does check for NULL argument, remove duplicate checks.

MFC after:	1w
2019-04-07 11:55:11 +00:00
tsoome
69eb0fc1bd loader: file_addmodule should check for memory allocation
strdup() can return NULL.

MFC after:	1w
2019-04-07 11:50:41 +00:00
tsoome
e74ee13d37 loader: malloc+bzero is calloc
Replace malloc+bzero in module.c with calloc.

MFC after:	1w
2019-04-07 11:48:41 +00:00
mw
7c5d4b81ab Create kernel module to parse Veriexec manifest based on envs
The current approach of injecting manifest into mac_veriexec is to
verify the integrity of it in userspace (veriexec (8)) and pass its
entries into kernel using a char device (/dev/veriexec).
This requires verifying root partition integrity in loader,
for example by using memory disk and checking its hash.
Otherwise if rootfs is compromised an attacker could inject their own data.

This patch introduces an option to parse manifest in kernel based on envs.
The loader sets manifest path and digest.
EVENTHANDLER is used to launch the module right after the rootfs is mounted.
It has to be done this way, since one might want to verify integrity of the init file.
This means that manifest is required to be present on the root partition.
Note that the envs have to be set right before boot to make sure that no one can spoof them.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D19281
2019-04-03 03:57:37 +00:00
emaste
9f65e84f67 stand: remove CLANG_NO_IAS from zfsldr
Many components under stand/ had CLANG_NO_IAS added when Clang's
Integrated Assembler (IAS) did not handle .codeNN directives.  Clang
gained support quite some time ago, and we can now build stand/ with
IAS.

Note that in some cases there are small differences in the generated
output, so CLANG_NO_IAS should be removed only after testing (or after
finding no differences in the output).  For zfsldr I compared objdump
output between GNU as- and Clang IAS-built zfsldr and .text was
identical (changes were limited to the object's ELF headers and debug
info).

Sponsored by:	The FreeBSD Foundation
2019-03-26 20:32:05 +00:00
kevans
fc39ba5328 lualoader: Fix up some luacheck concerns
- Garbage collect an unused (removed because it was useless) constant
- Don't bother with vararg notation if args will not be used

MFC after:	1 week
2019-03-26 02:35:58 +00:00
kevans
99ce179649 lualoader: Clear the screen before prompting for password
Assuming that the autoboot sequence was interrupted, we've done enough
cursor manipulation that the prompt for the password will be sufficiently
obscured a couple of lines up. Clear the screen and reset the cursor
position here, too.

MFC after:	1 week
2019-03-26 02:33:27 +00:00
ian
59f925c4ff Distinguish between "no partition" and "choose best partition" with a constant.
The values of the d_slice and d_partition fields of a disk_devdesc have a
few values with special meanings in the disk_open() routine. Through various
evolutions of the loader code over time, a d_partition value of -1 has
meant both "use the first ufs partition found in the bsd label" and "don't
open a bsd partition at all, open the raw slice."

This defines a new special value of -2 to mean open the raw slice, and it
gives symbolic names to all the special values used in d_slice and
d_partition, and adjusts all existing uses of those fields to use the new
constants.

The phab review for this timed out without being accepted, but I'm still
citing it below because there is useful commentary there.

Differential Revision:	https://reviews.freebsd.org/D19262
2019-03-24 18:51:52 +00:00
emaste
d81c7cfc35 loader: fix loading of kernels with . in path
The loader indended to search the kernel file name (only) for . but
instead searched the entire path, so paths like
"boot/test.elfv2/kernel" would not work.

Submitted by:	alfredo.junior_eldorado.org.br
Reviewed by:	kevans
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D19658
2019-03-20 16:24:47 +00:00
mw
29c1497fb7 Add missing boot.4th verification
During initialization of the forth interpreter
the loader looks for "/boot/boot.4th"
and executes any code found there.
That file was loaded bypassing verification.
Add a call to verify_file to change that.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
2019-03-19 02:45:32 +00:00
kevans
3a3d912cfc stand: Improve some debugging experience
Some of these files using <FOO>_DEBUG defined a DEBUG() macro to serve as a
debug-printf. -DDEBUG is useful to enable some debugging output across
multiple ELF/common parts, so switch the DEBUG-as-printf macros over to
something more like DPRINTF that is more commonly used for this kind of
thing and less likely to conflict.

userboot/elf64_freebsd debugging also assumed %llx for uint64; use PRIx64
instead.

MFC after:	1 week
2019-03-12 16:21:39 +00:00
manu
77a1279eae stand/common/module: Apply style(9) 2019-03-07 18:57:43 +00:00
jhb
ae6222b0c3 Drop "All rights reserved" from my copyright statements.
Reviewed by:	rgrimes
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D19485
2019-03-06 22:11:45 +00:00
mw
330f749452 Extend libsecureboot(old libve) to obtain trusted certificates from UEFI and implement revocation
UEFI related headers were copied from edk2.

A new build option "MK_LOADER_EFI_SECUREBOOT" was added to allow
loading of trusted anchors from UEFI.

Certificate revocation support is also introduced.
The forbidden certificates are loaded from dbx variable.
Verification fails in two cases:

There is a direct match between cert in dbx and the one in the chain.
The CA used to sign the chain is found in dbx.
One can also insert a hash of TBS section of a certificate into dbx.
In this case verifications fails only if a direct match with a
certificate in chain is found.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: sjg
Obtained from: Semihalf
Sponsored by: Stormshield
Differential Revision:	https://reviews.freebsd.org/D19093
2019-03-06 06:39:42 +00:00
bcran
8347d20afe Add retry loop around GetMemoryMap call to fix fragmentation bug
The call to BS->AllocatePages can cause the memory map to become framented,
causing BS->GetMemoryMap to return EFI_BUFFER_TOO_SMALL more than once. For
example this can happen on the MinnowBoard Turbot, causing the boot to stop
with an error. Avoid this by calling GetMemoryMap in a loop.

Reviewed by:	imp, tsoome, kevans
Differential Revision:	https://reviews.freebsd.org/D19341
2019-03-06 05:39:40 +00:00
sjg
56c04b0bcf Add -d flag to load command
When doing load -t manifest -d increments debug level

Reviewed by:	stevek
2019-03-04 19:50:59 +00:00
bcran
a8d6d134df EFI: don't call printf after ExitBootServices, since it uses Boot Services
ExitBootServices terminates all boot services including console access.
Attempting to call printf afterwards can result in a crash, depending on the
implementation.

Move any printf statements to before we call bi_load, and remove any that
depend on calling bi_load first.

Reviewed by:	imp, tsoome
Differential Revision:	https://reviews.freebsd.org/D19374
2019-03-02 04:02:11 +00:00
sjg
ba2d36703f Enable veriexec for loader
This relies on libbearssl and libsecureboot
to verify files read by loader in a maner equivalent
to how mac_veriexec

Note: disabled by default.
Use is initially expected to be by embeded vendors

Reviewed by:	emaste, imp
Sponsored by:	Juniper Networks
Differential Revision:	D16336
2019-02-26 06:22:10 +00:00
kevans
3bea5f8ce2 stand: Remove unused i386 EFI MD bits
r328169 removed the copy of bootinfo that would've made this somewhat
functional. However, this is irrelevant- earlier work in r292338 was done to
exit boot services in the MI bi_load() rather than having N copies of the
GetMemoryMap/ExitBootServices dance.

i386 never quite caught up to that; ldr_enter was still being called but
the prereq for that, ldr_bootinfo, was no longer. As a consequence, this
ExitBootServices() was being called with a mapkey=0, clearly bogus, and
reportedly breaking the boot in some instances.

Reported by:	bcran
MFC after:	1 week
2019-02-26 03:37:12 +00:00
tsoome
f6f04d1a3a loader: really fix cd9660 dirmatch
The cd9660_open() does pass whole path to dirmatch() and we need to
compare only the current path component, not full path.

Additinally, skip over duplicate / (if any) and check if the last component
in the path was meant to be directory (having trailing /). If it is in fact
a file, error out.
2019-02-20 21:07:09 +00:00
ian
9ac51119a8 Fix the handling of legacy-format devices in the u-boot loaderdev variable.
When I added support for the standard loader(8) disk0s2a: type formats,
the parsing of legacy format was broken because it also contains a colon,
but it comes before the slice and partition. That would cause disk_parsedev()
to return success with the slice and partition set to wildcard values.

This change examines the string first, and if it contains spaces, dots, or
a colon at any position other than the end, it must be a legacy-format
string and we don't even try to use disk_parsedev() on it.

Reported by:	Manuel Stuhn
2019-02-20 03:00:55 +00:00
tsoome
6d5dd527a9 loader: ptable_close() should check its argument
If the passed in table is NULL, just return.
2019-02-18 20:29:19 +00:00
ian
d3280f0f29 Allow the u-boot loaderdev env var to be formatted in the "usual" loader(8)
way: device<unit>[s|p]<slice><partition>.  E.g., disk0s2a or disk3p12.
The code first tries to parse the variable in this format using the
standard disk_parsedev().  If that fails, it falls back to parsing the
legacy format that has been supported by ubldr for years.

In addition to 'disk', all the valid uboot device names can also be used:
mmc, sata, usb, ide, scsi. The 'disk' device serves as an alias for all
those types and will match the Nth storage-type device found (where N is
the unit number).
2019-02-18 17:12:30 +00:00
ian
9573df4bf0 Fix more places to use DEV_TYP_NONE instead of -1 to indicate 'no device'. 2019-02-18 15:28:12 +00:00
ian
866f891019 Use DEV_TYP_NONE instead of -1 to indicate no device was specified.
DEV_TYP_NONE has a value of zero, which makes more sense since the device
type is a bunch of bits describing the device, crammed into an int.
2019-02-18 15:09:19 +00:00
tsoome
cdb7673abf cd9660: dirmatch fails to unmatch when name is prefix for directory record
Loader does fail to properly match the file name in directory record and
does open file based on prefix match.

For fix, we check the name lengths first.

Reviewed by:	allanjude
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D19213
2019-02-18 08:26:18 +00:00
ian
bd09fc3644 Make uboot_devdesc properly alias disk_devdesc, so that parsing the u-boot
loaderdev variable works correctly.

The uboot_devdesc struct is variously cast back and forth between
uboot_devdesc and disk_devdesc as pointers are handed off through various
opaque interfaces.  uboot_devdesc attempted to mimic the layout of
disk_devdesc by having a devdesc struct, followed by a union of some
device-specific stuff that included a struct that contains the same fields
as a disk_devdesc.  However, one of those fields inside the struct is 64-bit
which causes the entire union to be 64-bit aligned -- 32 bits of padding
is added between the struct devdesc and the union, so the whole mess ends
up NOT properly mimicking a disk_devdesc after all.  (In disk_devdesc there
is also 32 bits of padding, but it shows up immediately before the d_offset
field, rather than before the whole collection of d_* fields.)

This fixes the problem by using an anonymous union to overlay the devdesc
field uboot network devices need with the disk_devdesc that uboot storage
devices need.  This is a different solution than the one contributed with
the PR (so if anything goes wrong, the blame goes to me), but 95% of the
credit for this fix goes to Pawel Worach and Manuel Stuhn who analyzed the
problem and proposed a fix.

PR:		233097
2019-02-18 04:44:52 +00:00
kevans
acc6aa1475 lualoader: only clear the screen before first password prompt
This was previously an unconditional screen clear, regardless of whether or
not we would be prompting for any passwords. This is pointless, given that
the screen clear is only there to put our screen into a consistent state
before we draw the prompts and do cursor manipulation.

This is also the only screen clear besides that to draw the menu.  One can
now see early pre-loader and loader output with the menu disabled, which may
be useful for diagnostics.

Reported by:	ian
MFC after:	3 days
2019-02-18 02:59:47 +00:00
jhibbits
873314cd7b powerpc/boot: Move ubldr to /boot/uboot, and make this a separate filesystem
Summary:
Now that mpc85xx can boot via ubldr, move ubldr to a separate
filesystem, mounted on /boot/uboot, so that a fresh install can boot correctly.

Reviewed By: nwhitehorn
Differential Revision: https://reviews.freebsd.org/D18709
2019-02-18 01:57:47 +00:00
ian
db228ed3b9 Garbage collection no-longer-used constant. 2019-02-17 23:48:51 +00:00
ian
021331dbf4 Make lsdev -v output line up in neat columns by using a fixed width for
the size field and a tab between the partition type and the size.

Changes this

  disk devices:
        disk0 (MMC)
        disk0s1: DOS/Windows            49MB
        disk0s2: FreeBSD                14GB
        disk0s2a: FreeBSD UFS         14GB
        disk0s2b: Unknown             2048KB
        disk0s2d: FreeBSD UFS         2040KB

to this

  disk devices:
        disk0 (MMC)
        disk0s1: DOS/Windows      49MB
        disk0s2: FreeBSD          14GB
        disk0s2a: FreeBSD UFS     14GB
        disk0s2b: Unknown       2048KB
        disk0s2d: FreeBSD UFS   2040KB
2019-02-17 23:46:11 +00:00
ian
1eaf4e2306 Use a couple local variables to avoid repetitive long expressions that
cause line-wrapping.
2019-02-17 23:38:17 +00:00
ian
7725b935ee Restore loader(8)'s ability for lsdev to show partitions within a bsd slice.
I'm pretty sure this used to work at one time, perhaps long ago.  It has
been failing recently because if you call disk_open() with dev->d_partition
set to -1 when d_slice refers to a bsd slice, it assumes you want it to
open the first partition within that slice.  When you then pass that open
dev instance to ptable_open(), it tries to read the start of the 'a'
partition and decides there is no recognizable partition type there.

This restores the old functionality by resetting d_offset to the start
of the raw slice after disk_open() returns.  For good measure, d_partition
is also set back to -1, although that doesn't currently affect anything.

I would have preferred to make disk_open() avoid such rude assumptions and
if you ask for partition -1 you get the raw slice.  But the commit history
shows that someone already did that once (r239058), and had to revert it
(r239232), so I didn't even try to go down that road.
2019-02-17 23:32:09 +00:00
pkelsey
89cc75abcf It turns out r344226 narrowed the overrun bug but did not eliminate it entirely
This commit fixes a remaining output buffer overrun in the
single-sector case when there is a non-zero tail.

Reviewed by:	allanjude, tsoome
MFC after:	3 months
MFC with:	r344226
Differential Revision:	https://reviews.freebsd.org/D19220
2019-02-17 17:47:08 +00:00
pkelsey
3740d94caf Remove whole-disk vdev support from zfsboot
This is consistent with the removal of whole-disk vdev support from
libsa/zfs/zfs.c in r342151, and is part way to having the LBAs read
during probe be fully constrained by partition tables when present.

Reviewed by:	tsoome
MFC after:	3 months
Differential Revision:	https://reviews.freebsd.org/D19142
2019-02-17 03:52:44 +00:00
pkelsey
50c7f69072 Fix memory corruption bug introduced in r325310
The bug occurred when a bounce buffer was used and the requested read
size was greater than the size of the bounce buffer.  This commit also
rewrites the read logic so that it is easier to systematically verify
all alignment and size cases.

Reviewed by:	allanjude, tsoome
MFC after:	3 months
Differential Revision:	https://reviews.freebsd.org/D19140
2019-02-17 03:35:15 +00:00
emaste
33a9dab77f Add WITH_PIE knob to build Position Independent Executables
Building binaries as PIE allows the executable itself to be loaded at a
random address when ASLR is enabled (not just its shared libraries).

With this change PIE objects have a .pieo extension and INTERNALLIB
libraries libXXX_pie.a.

MK_PIE is disabled for some kerberos5 tools, Clang, and Subversion, as
they explicitly reference .a libraries in their Makefiles.  These can
be addressed on an individual basis later.  MK_PIE is also disabled for
rtld-elf because it is already position-independent using bespoke
Makefile rules.

Currently only dynamically linked binaries will be built as PIE.

Discussed with:	dim
Reviewed by:	kib
MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D18423
2019-02-15 22:22:38 +00:00
kevans
3e89fd24ea stand: dev_net: correct net_open's interpretation of params
net_open previously casted the first vararg to a char * and this was
half-OK: at first, it is passed to netif_open, which would cast it back to
the struct devdesc * that it really is and use it properly. It is then
strdup()d and used as the netdev_name, which is objectively wrong.

Correct it so that the first vararg is properly casted to a struct devdesc *
and the netdev_name gets set properly to make it more clear at a glance that
it's not doing something horribly wrong.

Reported by:	mmel
Reviewed by:	imp, mmel, tsoome
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D19206
2019-02-15 18:28:51 +00:00
mw
15fd10a41e Allow reading the UEFI variable size
When loading bigger variables form UEFI it is necessary to know their
size beforehand, so that an appropriate amount of memory can be
allocated. The easiest way to do this is to try to read the variable
with buffer size equal 0, expecting EFI_BUFFER_TOO_SMALL error to be
returned. Allow such possible approach in efi_getenv routine.

Extracted from a bigger patch as suggested by imp.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Obtained from: Semihalf
Sponsored by: Stormshield
2019-02-08 14:56:28 +00:00
imp
82650adfef Regularize the Netflix copyright
Use recent best practices for Copyright form at the top of
the license:
1. Remove all the All Rights Reserved clauses on our stuff. Where we
   piggybacked others, use a separate line to make things clear.
2. Use "Netflix, Inc." everywhere.
3. Use a single line for the copyright for grep friendliness.
4. Use date ranges in all places for our stuff.

Approved by: Netflix Legal (who gave me the form), adrian@ (pmc files)
2019-02-04 21:28:25 +00:00
gonzo
27f593f6fc Unbreak mip64 build after r328437
Add exit and getchar functions to beri/boot2 code. They are required by
panic_action functin introduced in r328437
2019-01-20 21:09:44 +00:00
tsoome
e9b9f14056 libsa: add asprintf()
asprintf() is a nice tool for string processing.

MFC after:	2 weeks
2019-01-17 22:00:02 +00:00
tsoome
faa109bec4 loader should ignore active multi_vdev_crash_dump feature on zpool
Since the loader zfs reader does not need to read the dump zvol, we can
just enable the feature.

illumos issue #9051 https://www.illumos.org/issues/9051

MFC after:	2 weeks
2019-01-17 21:52:41 +00:00
mckusick
72a21ba0f6 Create new EINTEGRITY error with message "Integrity check failed".
An integrity check such as a check-hash or a cross-correlation failed.
The integrity error falls between EINVAL that identifies errors in
parameters to a system call and EIO that identifies errors with the
underlying storage media. EINTEGRITY is typically raised by intermediate
kernel layers such as a filesystem or an in-kernel GEOM subsystem when
they detect inconsistencies. Uses include allowing the mount(8) command
to return a different exit value to automate the running of fsck(8)
during a system boot.

These changes make no use of the new error, they just add it. Later
commits will be made for the use of the new error number and it will
be added to additional manual pages as appropriate.

Reviewed by:    gnn, dim, brueffer, imp
Discussed with: kib, cem, emaste, ed, jilles
Differential Revision: https://reviews.freebsd.org/D18765
2019-01-17 06:35:45 +00:00
gonzo
6d95bc4040 Add Dell Chromebook to the list of devices with E820 extmem quirk enabled
Just like for Acer C270 chromebook the E820 extmem workaround is required for
FreeBSD to boot on Dell chromebook.

PR:		204916
Submitted by:	Keith White <kwhite@site.uottawa.ca>
MFC after:	1 week
2019-01-14 01:30:48 +00:00