for counter mode), and AES-GCM. Both of these modes have been added to
the aesni module.
Included is a set of tests to validate that the software and aesni
module calculate the correct values. These use the NIST KAT test
vectors. To run the test, you will need to install a soon to be
committed port, nist-kat that will install the vectors. Using a port
is necessary as the test vectors are around 25MB.
All the man pages were updated. I have added a new man page, crypto.7,
which includes a description of how to use each mode. All the new modes
and some other AES modes are present. It would be good for someone
else to go through and document the other modes.
A new ioctl was added to support AEAD modes which AES-GCM is one of them.
Without this ioctl, it is not possible to test AEAD modes from userland.
Add a timing safe bcmp for use to compare MACs. Previously we were using
bcmp which could leak timing info and result in the ability to forge
messages.
Add a minor optimization to the aesni module so that single segment
mbufs don't get copied and instead are updated in place. The aesni
module needs to be updated to support blocked IO so segmented mbufs
don't have to be copied.
We require that the IV be specified for all calls for both GCM and ICM.
This is to ensure proper use of these functions.
Obtained from: p4: //depot/projects/opencrypto
Relnotes: yes
Sponsored by: FreeBSD Foundation
Sponsored by: NetGate
Initially in_matrote() in_clsroute() in their current state was introduced by
r4105 20 years ago. Instead of deleting inactive routes immediately, we kept them
in route table, setting RTPRF_OURS flag and some expire time. After that, either
GC came or RTPRF_OURS got removed on first-packet. It was a good solution
in that days (and probably another decade after that) to keep TCP metrics.
However, after moving metrics to TCP hostcache in r122922, most of in_rmx
functionality became unused. It might had been used for flushing icmp-originated
routes before rte mutexes/refcounting, but I'm not sure about that.
So it looks like this is nearly impossible to make GC do its work nowadays:
in_rtkill() ignores non-RTPRF_OURS routes.
route can only become RTPRF_OURS after dropping last reference via rtfree()
which calls in_clsroute(), which, it turn, ignores UP and non-RTF_DYNAMIC routes.
Dynamic routes can still be installed via received redirect, but they
have default lifetime (no specific rt_expire) and no one has another trie walker
to call RTFREE() on them.
So, the changelist:
* remove custom rnh_match / rnh_close matching function.
* remove all GC functions
* partially revert r256695 (proto3 is no more used inside kernel,
it is not possible to use rt_expire from user point of view, proto3 support
is not complete)
* Finish r241884 (similar to this commit) and remove remaining IPv6 parts
MFC after: 1 month
The canonical standalone debug directory established by the GNU
toolchain is /usr/lib/debug, and we use it when WITH_DEBUG_FILES is set.
Mention it in the file system hierarchy page.
Reviewed by: bcr
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D1134
r272234, r272236, r272262, r272264, r272269, r272271, r272272,
r272277, r272279, r272376, r272380, r272381, r272392, r272234,
r272412:
r272234:
Initial commit to include virtual machine images as part
of the FreeBSD release builds.
This adds a make(1) environment variable requirement,
WITH_VMIMAGES, which triggers the virtual machine image
targets when not defined to an empty value.
Relevant user-driven variables include:
o VMFORMATS: The virtual machine image formats to create.
Valid formats are provided by running 'mkimg --formats'
o VMSIZE: The size of the resulting virtual machine
image. Typical compression is roughly 140Mb, regardless
of the target size (10GB, 15GB, 20GB, 40GB sizes have been
tested with the same result).
o VMBASE: The prefix of the virtual machine disk images.
The VMBASE make(1) environment variable is suffixed with
each format in VMFORMATS for each individual disk image, as
well as '.img' for the source UFS filesystem passed to
mkimg(1).
This also includes a new script, mk-vmimage.sh, based on how
the VM images for 10.0-RELEASE, 9.3-RELEASE, and 10.1-RELEASE
were created (mk-vmimage.sh in ^/user/gjb/thermite/).
With the order in which the stages need to occur, as well as
sanity-checking error cases, it makes much more sense to
execute a shell script called from make(1), using env(1) to
set specific parameters for the target image than it does to
do this in make(1) directly.
r272236:
Use VMBASE in place of a hard-coded filename in the CLEANFILES
list.
r272262:
Remove a 'set -x' that snuck in during testing.
r272264:
release/Makefile:
Connect the virtual machine image build to the release
target if WITH_VMIMAGES is set to a non-empty value.
release/release.sh:
Add WITH_VMIMAGES to RELEASE_RMAKEFLAGS.
release/release.conf.sample:
Add commented entries for tuning the release build if the
WITH_VMIMAGES make(1) environment variable is set to
a non-empty value.
r272269:
release/Makefile:
Include .OBJDIR in DESTDIR in the vm-base target.
release/release.sh:
Provide the full path to mddev.
r272271:
Fix UFS label for the root filesystem.
r272272:
Remove comments left in accidentally while testing, so the
VM /etc/fstab is actually created.
r272277:
Remove the UFS label from the root filesystem since it is added
by mkimg(1) as a gpt label, consistent with the fstab(5) entry.
r272279:
Comment cleanup in panic() message when mkimg(1) does not support
the requested disk image format.
r272376:
Separate release/scripts/mk-vmimage.sh to machine-specific
scripts, making it possible to mimic the functionality for
non-x86 targets.
Move echo output if MAKEFLAGS is empty outside of usage().
Remove TARGET/TARGET_ARCH evaluation.
r272380:
Avoid using env(1) to set values passed to mk-vmimage.sh,
and instead pass the values as arguments to the script,
making it easier to run this by hand, without 'make release'.
Add usage_vm_base() and usage_vm_image() usage helpers.
r272381:
After evaluating WITH_VMIMAGES is non-empty, ensure
the mk-vmimage.sh script exists before running it.
r272392:
Add WITH_COMPRESSED_VMIMAGES variable, which when set enables
xz(1) compression of the virtual machine images.
This is intentionally separate to allow more fine-grained
tuning over which images are compressed, especially in cases
where compressing 20GB sparse images can take hours.
r272412:
Document the new 'vm-image' target, and associated release.conf
variables.
r272413:
Remove two stray comments added during the initial iterations
of testing, no longer needed.
MFC after: 5 days
X-MFC-10.1: yes
Tested on: r272269, r272272, r272279, r272380, r272392
Sponsored by: The FreeBSD Foundation
tree support includes a device tree source compiler dtc(8) which
converts .dts files into .dtb files. /boot/loader will load dtb files
from this directory by default, allowing for fewer differences between
images for different SoCs. Compiled dts files will wind up here
eventually as an alternative to embedding them into the kernel.
Document this in hier(7), as well as add missing entries for
/boot/firmware and /boot/zfs, though the latter two should only be
considered place holders if someone wants to make them better.
appropriate (i.e. where syscons was already mentioned and vt supports the
feature). Comments in defaults/rc.conf are updated to match the contents
of the modified man-page rc.conf(5).
Reviewed by: pluknet, emaste
MFC after: 3 days
This is not a comprehensive list, as the variables themselves are spread
out over multiple files, but it is a start.
Add a section to make.conf noting that variables may be set there that
affect ports builds, but refer to ports.7 and elsewhere for the actual
listing; any listing in make.conf.5 would likely become out of date
fairly quickly.
PR: docs/189199
Reviewed by: bdrewery (previous version)
Approved by: hrs (mentor)
As part of this, install the tests(7) manual page unconditionally (not only
when WITH_TESTS=yes) so that users that have not yet enabled the build of
the test suite can read details on how to do so.
variables. These are intended to allow bypassing the
'svn co /usr/{src,doc,ports}' step in the chroot when the
tree exists from external means.
The use case here is that /usr/src, /usr/doc, and /usr/ports
in the chroot exist as result of zfs dataset clones, so it
is possible (and happens quite often) that the included
distributions may not be consistent. (This is not the case
for -RELEASE builds, but does happen for snapshot builds.)
Tested on: stable/9@r264319
MFC After: 3 days
Sponsored by: The FreeBSD Foundation
when WITH_COMPRESSED_IMAGES is used.
Requested by: delphij, brooks, Nikolai Lifanov
MFC After: 1 week
X-MFC-With: r264027,r264028,r264029,r264030
Sponsored by: The FreeBSD Foundation
When set to a non-empty value, the installation medium is
compressed with gzip(1) as part of the 'install' target in
the release/ directory.
With gzip(1) compression, downloadable image are reduced in
size quite significantly. Build test against head@263927
shows the following:
bootonly.iso: 64% smaller
disc1.iso: 44% smaller
memstick.img: 47% smaller
mini-memstick.img: 65% smaller
dvd1.iso: untested
This option is off by default, I would eventually like to
turn it on by default, and remove the '-k' flag to gzip(1)
so only compressed images are published on FTP.
Requested by: wkoszek
MFC After: 1 week
Sponsored by: The FreeBSD Foundation
Added a section on test suite configuration, and cleaned up up
grammar errors and awkward prose. The config variables were
discussed on freebsd-testing.
Discussed with: Garrett Cooper, jmmv
MFC after: 2 weeks
Sponsored by: Spectra Logic Corporation
AppleTalk was a network transport protocol for Apple Macintosh devices
in 80s and then 90s. Starting with Mac OS X in 2000 the AppleTalk was
a legacy protocol and primary networking protocol is TCP/IP. The last
Mac OS X release to support AppleTalk happened in 2009. The same year
routing equipment vendors (namely Cisco) end their support.
Thus, AppleTalk won't be supported in FreeBSD 11.0-RELEASE.
IPX was a network transport protocol in Novell's NetWare network operating
system from late 80s and then 90s. The NetWare itself switched to TCP/IP
as default transport in 1998. Later, in this century the Novell Open
Enterprise Server became successor of Novell NetWare. The last release
that claimed to still support IPX was OES 2 in 2007. Routing equipment
vendors (e.g. Cisco) discontinued support for IPX in 2011.
Thus, IPX won't be supported in FreeBSD 11.0-RELEASE.
After several months of testing and fixing (and breaking)
various parts of release/release.sh changes, it is now
possible to build FreeBSD/arm images as part of the release
process.
When EMBEDDEDBUILD is set in the release.conf file, release.sh
will create the build environment, then run a separate script
in release/${XDEV}/release.sh [1]. Currently, only arm is
supported.
The release/${XDEV}/release.sh configures the build environment
specific for the target image, such as installing gcc(1),
installing additional third-party software from the ports tree,
and fetching external sources.
Once the build environment is set up, release/${XDEV}/release.sh
runs Crochet, written by Tim Kientzle, which builds the userland
and kernel, and creates an image that can be written to an SD
card with dd(1). Many thanks to Tim for his work on Crochet.
Sample configurations for FreeBSD/arm boards are in the
release/arm/ directory, and Crochet configuration files for each
board are located in release/tools/arm/. Supported boards at this
time are: BEAGLEBONE, PANDABOARD, RPI-B, and WANDBOARD-QUAD.
Adding support for additional boards will continue in the
projects/release-embedded/ branch, and incrementally merged back
to head/.
Many thanks to the FreeBSD Foundation for the support and
sponsorship of this project.
[1] XDEV is used in order to keep the various configurations
organized by architecture, but since TARGET and TARGET_ARCH
are used to build the chroot, the values of those variables
cannot be used.
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
- Add a VCSCMD variable that defaults to 'svn checkout',
and update places 'svn co' is used directly.
- After sourcing a configuration file, prefix SRCBRANCH,
PORTBRANCH, and DOCBRANCH with the SVNROOT.
- Properly capitalize 'FreeBSD.org' in the default SVNROOT.
- Update Copyright.
release.conf.sample:
- Add an example to use git instead of svn, by nullifying
SVNROOT, and setting SRCBRANCH, DOCBRANCH, and PORTBRANCH
to the URL fo a git repository.
release.7:
- Document VCSCMD.
Submitted by: Rick Miller (based on)
Sponsored by: The FreeBSD Foundation
specifying 'WITH_DVD=1' during 'make release'.
This caused some problems during the freebsd-update builds for
10.0-BETA4.
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
This manual page intends to describe the structure and behavior of
the FreeBSD test suite installed in /usr/tests. The contents have
been inherited from the NetBSD manual page.
As a side effect, this also updates the hier(7) manual page to
mention /usr/tests and points at tests(7) for more details.
Submitted by: Julio Merino jmmv google.com
Reviewed by: sjg
MFC after: 2 weeks
- Note that WORLD_FLAGS and KERNEL_FLAGS set the number of
make(1) jobs only on SMP-capable systems.
MFC after: 3 days
X-MFC-With: r254224
X-MFC-To: stable/9, releng/9.2
Release Engineering Team as of 9.2-RELEASE.
- Document that a cross-build release is possible by setting the
TARGET and TARGET_ARCH variables.
- Include an example of using release.sh with and without the
optional configuration file.
- Document the supported release.sh configuration file variables.
- Update the 'cdrom' target output file to disc1.iso.
- Update the 'memstick' target output file to memstick.img.
- Add attributions for the last major updates to this manual page.
- Fix some mdoc(7) style nits:
- Sentences should begin on a new line
- Use .Pq to enclose full lines in parenthesis
- Use ln -fs to create a symlink.
- Remove pkgadd for docports.
- Use WITHOUT_JADETEX=yes instead of WITH_JADETEX=no.
- Add {WORLD,KERNEL}_FLAGS to [BTWK]MAKE.
- Use makefs(8) and gpart(8) for sparc64 ISO image[2].
- Add publisher option to makefs(8)[2].
Based on work by: gjb[1]
Discussed with: marius, nwhitehorn[2]
