Commit Graph

103 Commits

Author SHA1 Message Date
sjg
ba2d36703f Enable veriexec for loader
This relies on libbearssl and libsecureboot
to verify files read by loader in a maner equivalent
to how mac_veriexec

Note: disabled by default.
Use is initially expected to be by embeded vendors

Reviewed by:	emaste, imp
Sponsored by:	Juniper Networks
Differential Revision:	D16336
2019-02-26 06:22:10 +00:00
tsoome
f6f04d1a3a loader: really fix cd9660 dirmatch
The cd9660_open() does pass whole path to dirmatch() and we need to
compare only the current path component, not full path.

Additinally, skip over duplicate / (if any) and check if the last component
in the path was meant to be directory (having trailing /). If it is in fact
a file, error out.
2019-02-20 21:07:09 +00:00
tsoome
cdb7673abf cd9660: dirmatch fails to unmatch when name is prefix for directory record
Loader does fail to properly match the file name in directory record and
does open file based on prefix match.

For fix, we check the name lengths first.

Reviewed by:	allanjude
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D19213
2019-02-18 08:26:18 +00:00
pkelsey
89cc75abcf It turns out r344226 narrowed the overrun bug but did not eliminate it entirely
This commit fixes a remaining output buffer overrun in the
single-sector case when there is a non-zero tail.

Reviewed by:	allanjude, tsoome
MFC after:	3 months
MFC with:	r344226
Differential Revision:	https://reviews.freebsd.org/D19220
2019-02-17 17:47:08 +00:00
pkelsey
50c7f69072 Fix memory corruption bug introduced in r325310
The bug occurred when a bounce buffer was used and the requested read
size was greater than the size of the bounce buffer.  This commit also
rewrites the read logic so that it is easier to systematically verify
all alignment and size cases.

Reviewed by:	allanjude, tsoome
MFC after:	3 months
Differential Revision:	https://reviews.freebsd.org/D19140
2019-02-17 03:35:15 +00:00
imp
82650adfef Regularize the Netflix copyright
Use recent best practices for Copyright form at the top of
the license:
1. Remove all the All Rights Reserved clauses on our stuff. Where we
   piggybacked others, use a separate line to make things clear.
2. Use "Netflix, Inc." everywhere.
3. Use a single line for the copyright for grep friendliness.
4. Use date ranges in all places for our stuff.

Approved by: Netflix Legal (who gave me the form), adrian@ (pmc files)
2019-02-04 21:28:25 +00:00
tsoome
e9b9f14056 libsa: add asprintf()
asprintf() is a nice tool for string processing.

MFC after:	2 weeks
2019-01-17 22:00:02 +00:00
tsoome
faa109bec4 loader should ignore active multi_vdev_crash_dump feature on zpool
Since the loader zfs reader does not need to read the dump zvol, we can
just enable the feature.

illumos issue #9051 https://www.illumos.org/issues/9051

MFC after:	2 weeks
2019-01-17 21:52:41 +00:00
mmacy
139c85ce53 MK_ZFS -> {MK_ZFS|MK_LOADER_ZFS}, this is so we can diable userland / kernel
ZFS but keep the boot-loaders when using ZoL port.

MFC after: 1 week
Reviewed by: rgrimes
Differential Revision: https://reviews.freebsd.org/D18739
2019-01-05 22:45:20 +00:00
bcran
6b6de67f51 Wait a maximum of 300 seconds for network send/recv in libsa
The reason for this change is that currently, a send/recv
takes many hours to time out.
This is suboptimal in the bootloader because it means for example
that NFS will take hours to fail before allowing subsequent access
methods such as gzip to be tried.

Setting MAXWAIT to 300 seconds (5 minutes) still allows slow
connections of 1Mb to be used to download a 30MB kernel file.

Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D18544
2018-12-20 19:27:46 +00:00
tsoome
3e1a7746ae loader: zfs reader should not probe partitionless disks (UEFI case)
With r342151 I did fix the BIOS version of zfs_probe_dev() from accessing
the whole disk, but the fix was not complete - we actually did not check
if the device name was really for whole disk. Since UEFI version
is only calling the zfs_probe_dev() with partitions and not with whole
disk, the UEFI loader was not able to find the zfs pools.

This update does correct the issue by calling archsw.arch_getdev() to
translate the device name back to dev_desc, and we have whole disk when both
partition and slice values are -1.

Reported by:	alvisen_gmail.com
Differential Revision:	https://reviews.freebsd.org/D18558
2018-12-17 07:43:29 +00:00
tsoome
22ed422b25 loader: zfs reader should not probe partitionless disks
First of all, normal setups can not boot such pools as the tools
do not support installing boot programs.

Secondly, for proper pool configuration detection, we need to checks all
four label copies on disk, 2 from front and 2 from the end of the disk,
but zfs label does not contain the size of the disk - so we depend on
firmware to report the correct disk size or use information from the
partition table.

Without partition table, we only can rely on firmware to report and support
disk IO properly.

There is a specific case: 8TB disks are reported by BIOS to have 4294967295
sectors (0x00000000ffffffff), the sectors reported by OS is 15628053168
(0x00000003a3812ab0), so the reported size is less than actual but is hitting
32-bit max. Unfortuantely the real limit must be even lower because probing
this disk in this system will wnd up with hung system.

UEFI boot of this system seems not to be affected.

Reviewed by:	imp
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D18558
2018-12-16 08:58:14 +00:00
mckusick
2c9178edde Normally when an attempt is made to mount a UFS/FFS filesystem whose
superblock has a check-hash error, an error message noting the
superblock check-hash failure is printed and the mount fails. The
administrator then runs fsck to repair the filesystem and when
successful, the filesystem can once again be mounted.

This approach fails if the filesystem in question is a root filesystem
from which you are trying to boot. Here, the loader fails when trying
to access the filesystem to get the kernel to boot. So it is necessary
to allow the loader to ignore the superblock check-hash error and make
a best effort to read the kernel. The filesystem may be suffiently
corrupted that the read attempt fails, but there is no harm in trying
since the loader makes no attempt to write to the filesystem.

Once the kernel is loaded and starts to run, it attempts to mount its
root filesystem. Once again, failure means that it breaks to its prompt
to ask where to get its root filesystem. Unless you have an alternate
root filesystem, you are stuck.

Since the root filesystem is initially mounted read-only, it is
safe to make an attempt to mount the root filesystem with the failed
superblock check-hash. Thus, when asked to mount a root filesystem
with a failed superblock check-hash, the kernel prints a warning
message that the root filesystem superblock check-hash needs repair,
but notes that it is ignoring the error and proceeding. It does
mark the filesystem as needing an fsck which prevents it from being
enabled for writing until fsck has been run on it. The net effect
is that the reboot fails to single user, but at least at that point
the administrator has the tools at hand to fix the problem.

Reported by:    Rick Macklem (rmacklem@)
Discussed with: Warner Losh (imp@)
Sponsored by:   Netflix
2018-12-06 00:09:39 +00:00
ian
a4a2c9607b Eliminate duplicated code and struct member definitions in the handoff
of args data between gptboot/zfsboot and loader(8).

Despite what seems like a lot of changes here, there are no actual
changes in behavior, or in the data layout in the structures involved.
This is just eliminating identical code pasted into multiple locations.

In detail, the changes are...

- Move struct zfs_boot_args definition from libsa/zfs/libzfs.h to
  i386/common/bootargs.h because it is specific to x86 booting and the
  handoff between zfsboot and loader, and has no relation to the zfs
  library code in general.

- The geli_boot_args and zfs_boot_args structs both contain an identical
  set of member variables containing geli information.  Extract this out
  to a new geli_boot_data struct, and embed it in the arg-passing structs.

- Provide new routines geli_import_boot_data() and geli_export_boot_data()
  that can be shared between gptboot, zfsboot, and loader instead of
  pasting identical code into several different .c files.

- Remove some checks for a NULL pointer that can never be true because the
  pointer being tested was set using pointer math (kargs + 1) and that can
  never result in NULL in this code.
2018-12-03 03:58:30 +00:00
sobomax
0f619cdfee The libstand's panic() appends its own '\n' to the message, so that users of the API
don't need to supply one.

MFC after:	2 weeks
2018-11-29 18:37:48 +00:00
tsoome
40d6f96f88 libsa: cstyle cleanup tftp.c
No functinal changes intended.
2018-11-01 22:13:18 +00:00
tsoome
eb1e430dfc libsa: tftp should use calloc
instead of malloc() memset(), use calloc().
2018-11-01 13:29:55 +00:00
tsoome
04753f99aa libsa: tftp should not read past file end
When we have the file size via tsize option, use it to make sure we
will not attempt to read past file end.
2018-11-01 13:12:05 +00:00
glebius
465089cc01 Remove unnecessary include from libstand. 2018-10-31 19:59:20 +00:00
kib
82e4a855df Fix stand/ build after r339671.
ffs_subr.c requires calculate_crc32c() from libkern.  Unfortunately we
cannot just add libkern/crc32.c to libstand because crc32.o is already
compiled from contrib/zlib/crc32.c. Use the include trick to rename
the source.

Note that libstand also provides crc32.c which seems to be unused.

Reviewed by:	imp
Sponsored by:	The FreeBSD Foundation
Differential revision:	https://reviews.freebsd.org/D17677
2018-10-23 23:11:38 +00:00
tsoome
ec6cc1f233 libsa: re-send ACK for older data packets in tftp
In current tftp code we drop out-of-order packets; however, we should play
nice and re-send ACK for older data packets we are receiving. This will
hopefully stop server repeating those packets we already have received.
Note we do not answer duplicates from "previous" session (that is, session
with different port number), those will eventually time out.

Differential Revision:	https://reviews.freebsd.org/D17087
2018-10-23 13:38:39 +00:00
tsoome
d4d38833ee libsa: validate tftp_makereq() after we did reset the read
The name check referred in the comment is not the only possible error source,
we need to validate the result.

Reviewed by:	allanjude
Approved by:	re (kib)
Differential Revision:	https://reviews.freebsd.org/D17081
2018-09-09 06:30:15 +00:00
tsoome
e5ee207835 libsa: memory leak in tftp_open()
tftpfile is allocated just above and needs to be freed.

Reviewed by:	imp
Approved by:	re (kib)
Differential Revision:	https://reviews.freebsd.org/D17058
2018-09-08 19:17:22 +00:00
kevans
c1005d8399 libsa: Add lshrdi3.c for powerpc* and mips 2018-08-19 14:48:32 +00:00
imp
7f0382cf78 Add ashldi3 and ashrdi3 to mips.
Now that we're using -Os, mips needs these routines.
2018-08-16 19:39:02 +00:00
tsoome
e1a53119d9 libsa: zfs_probe() needs to set spa to NULL
Silence the warning about possibly uninitialized use of spa.
2018-08-15 21:38:06 +00:00
kevans
9d1c06e31e pkgfs_init: Initialize pkg
new_package may not set *pp if it errors out, leaving pkg uninitialized.

Reported by:	GCC
2018-08-15 21:13:10 +00:00
kevans
d8e33fe91d libsa: exit on EOF in ngets
It was possible in some rare circumstances for ngets to behave terribly with
bhyveload and some form of redirecting user input over a pipe.

PR:		198706
Submitted by:	Ivan Krivonos <int0dster@gmail.com>
MFC after:	1 week
2018-08-09 02:55:48 +00:00
tsoome
d48c06ada5 libsa: gzipfs.c converts pointers to integer types with different sign
Signed versus unsigned char.
2018-08-07 10:53:51 +00:00
tsoome
c49aa2b6ca libsa: dos_checksum() should take unsigned chars
Fix pointers to integers with different sign issue.
2018-08-07 10:48:36 +00:00
tsoome
7510485493 libsa: dereferencing type-punned pointer in cd9660
The warning is given by gcc build, but it is good to fix anyhow.
use bcopy instead of direct assignment.
2018-08-02 06:22:10 +00:00
tsoome
d97a81a67a libsa: assignment to char * from u_char *
Cast to char * instead of u_char *
2018-08-01 12:14:10 +00:00
tsoome
83a8c28d71 libsa: bootp is using pointers with different sign
Just change bp_file to char and same for variable s.
2018-08-01 12:06:39 +00:00
tsoome
980e1176c2 libsa: pointer differs in signedness
A small cleanup, fix the argument type and while there, replace (char *)0 with
NULL.
2018-08-01 11:40:52 +00:00
imp
09452ba33e Use if rather than case for a simple boolean. gcc thinks blks is
undefined sometimes with the case, but enc is always 0 or 1, so
and if / else is better anyway.
2018-07-13 18:19:33 +00:00
ian
ee0f4764cc Extend loader(8) geli support to all architectures and all disk-like devices.
This moves the bulk of the geli support from lib386/biosdisk.c into a new
geli/gelidev.c which implements a devsw-type device whose dv_strategy()
function handles geli decryption. Support for all arches comes from moving
the taste-and-attach code to the devopen() function in libsa.

After opening any DEVT_DISK device, devopen() calls the new function
geli_probe_and_attach(), which will "attach" the geli code to the open_file
struct by creating a geli_devdesc instance to replace the disk_devdesc
instance in the open_file. That routes all IO for the device through the
geli code.

A new public geli_add_key() function is added, to allow arch/vendor-specific
code to add keys obtained from custom hardware or other sources.

With these changes, geli support will be compiled into all variations of
loader(8) on all arches because the default is WITH_LOADER_GELI.

Relnotes:	yes
Sponsored by:	Microchip Technology Inc
Differential Revision:	https://reviews.freebsd.org/D15743
2018-07-13 17:50:25 +00:00
imp
fae0b9c609 There's two files in the sys tree named inflate.c, in addition
to it being a common name elsewhere. Rename the old kzip one
to subr_inflate.c.

This actually fixes the build issues on sparc64 that my inclusion of
.PATH ${SYSDIR}/kern created in r336244, so also revert the broken
workaround I committed in r336249.

This slipped passed me because apparently, I never did a clean build.
2018-07-13 17:41:28 +00:00
imp
05806beb50 Fix sparc64 builds
gcc is complaining about struct infate being defined in a parameter
list. It's inclear how long this has been broken, but the fix is
simple enough.
2018-07-13 17:15:14 +00:00
imp
9b7d97ffbe Create helper functions for parsing boot args.
boot_parse_arg		to parse a single arg
boot_parse_cmdline	to parse a command line string
boot_parse_args		to parse all the args in a vector
boot_howto_to_env	Convert howto bits to env vars
boot_env_to_howto	Return howto mask mased on what's set in the environment.

All these routines return an int that's the bitmask of the args
translated to RB_* flags. As a special case, the 'S' flag sets the
comconsole_speed env var. Any arg that looks like a=b will set the env
key 'a' to value 'b'. If =b is omitted, 'a' is set to '1'.  This
should help us reduce the number of redundant copies of these routines
in the tree.  It should also give a more uniform experience between
platforms.

Also, invent a new flag RB_PROBE that's set when 'P' is parsed.  On
x86 + BIOS, this means 'probe for the keyboard, and if it's not there
set both RB_MULTIPLE and RB_SERIAL (which means show the output on
both video and serial consoles, but make serial primary).  Others it
may be some similar concept of probing, but it's loader dependent
what, exactly, it means.

These routines are suitable for /boot/loader and/or the kernel,
though they may not be suitable for the tightly hand-rolled-for-space
environments like boot2.

Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D16205
2018-07-13 16:43:05 +00:00
imp
d40de35aa0 Move ZFS files into libsa
Move the libzfs stuff into libsa. There's no need for it to be a
separate library. The separate library adds to the issues of build
ordering that we see from time to time. Move the filesystem support
into libsa, like all the other filesystem support rather than making
zfs the odd-duck out.

Discussed with: allanjude@
2018-07-08 07:42:49 +00:00
imp
09b107a938 Remove stray debugging line.
Noticed by: ian@
2018-06-18 19:53:11 +00:00
imp
9a782459e8 stand: move libgeliboot into libsa.
Reduce by 1 the number of crazy libraries we need in stand by moving
geli into libsa (where architecturally it belonged all along). This
just moves things around without any code changes.
2018-06-18 16:24:42 +00:00
tsoome
6dd6964074 libsa: open() should use NULL instead of typecasted 0 2018-06-14 16:11:50 +00:00
tsoome
42f17407d0 libsa: remobe unneeded check before free()
free() is checking for NULL, remove duplicate check.
2018-06-14 09:10:34 +00:00
tsoome
778e422fbf libsa: f_rabuf could be NULL
It is possible that we will not get RA buffer from open(), therefore
we must validate RA.
2018-06-14 09:06:53 +00:00
tsoome
08a8304a34 libsa: cstyle cleanup for open/close/read/write sources 2018-06-14 08:58:10 +00:00
imp
65dddec4e9 Initialize variables we later free so they aren't used
uninitialized in the error path.
Remove unused variables.

Sponsored by: Netflix
2018-06-13 17:42:55 +00:00
imp
95b147d0db Remove unused variables.
Sponsored by: Netflix
2018-06-13 17:42:50 +00:00
imp
fb7923fe37 Remove fail: label. It's unused.
Sponsored by: Netflix
2018-06-13 17:28:06 +00:00
kevans
ebaaba971c libsa(3): Correct statement about FS Write-support, name change
- jhb implemented UFS write support a little over 16 years ago.
- Update the library name while we're here.

Reviewed by:	jhb, rpokala
Differential Revision:	https://reviews.freebsd.org/D14476
2018-06-09 14:24:16 +00:00