2026-01-14 Daniel Kiper Release 2.14 2026-01-14 Daniel Kiper build: Add VasEBoot-core/tests/crypto_cipher_mode_vectors.h file to EXTRA_DIST This file was not added to EXTRA_DIST during test creation. Fixes: 51ebc6f67 (tests: Add functional tests for ecb/cbc helpers) Reviewed-by: Alec Brown Reviewed-by: Srish Srinivasan Reviewed-by: Sudhakar Kuppusamy 2026-01-13 Radoslav Kolev configure: Print a more helpful error if autoconf-archive is not installed ... because an undefined macro receives another macro as parameter and autoconf is not smart enough to produce a useful error message. Reviewed-by: Daniel Kiper 2026-01-13 Avnish Chouhan kern/ieee1275/openfw: Add a check for invalid partition number The VasEBoot_strtoul() may fail in several scenarios like invalid input, overflow, etc. Lack of proper check may lead to unexpected failures in the code further. Reviewed-by: Daniel Kiper 2026-01-08 Sudhakar Kuppusamy VasEBoot-mkimage: Do not generate empty SBAT metadata When creating core.elf with SBAT the VasEBoot-mkimage does not check if an SBAT metadata file contains at least an SBAT header or not. It leads to adding an empty SBAT ELF note for PowerPC and the .sbat section for EFI. Fix this by checking the SBAT metadata file size against the SBAT header size before adding SBAT contents to the ELF note or .sbat section. Reviewed-by: Daniel Kiper 2026-01-08 Yao Zi configure: Defer check for -mcmodel=large until PIC/PIE checks are done On RISC-V, large code model is only compatible with position-depedent code. However, the configure script checks availability of -mcmodel=large before determining whether PIC/PIE is enabled, and disable them. This is problematic with toolchains that enable PIE by default, where check for -mcmodel=large will always fail with, cc1: sorry, unimplemented: code model 'large' with '-fPIC' and -mcmodel=medany will be silently used instead, causing relocation failures at runtime with some memory layouts since -mcmodel=medany requires all data and code to stay within a contiguous 4 GiB range. Let's defer the check for -mcmodel=large until PIC/PIE is ensured disabled. Fixes: f1957dc8a334 (RISC-V: Add to build system) Reported-by: Han Gao Reviewed-by: Daniel Kiper 2026-01-08 Sudhakar Kuppusamy util/VasEBoot-mkimagexx: Stop generating unaligned appended signatures When creating the core image with an unaligned appended signature size, e.g. 479, for PowerPC, the VasEBoot-mkimage aligns the appended signature size to a multiple of 4 bytes, but it does not add a padding needed to align to multiple of 4 bytes appended signature size in the appended signature ELF note. Therefore, after signing and installing this core image, the firmware tries to read the magic string "~Module signature appended~" from the appended signature ELF note but gets the partial magic string like "Module signature appended~". It leads to the appended signature magic string match failure. Example: VasEBoot-mkimage -O powerpc-ieee1275 -o core.elf -p /VasEBoot -x \ kernel.der --appended-signature-size 479 ... sign-file SHA256 ./VasEBoot.key ./VasEBoot.pem ./core.elf ./core.elf.signed Without padding: hexdump -C ./core.elf.signed ... 00383550 00 00 00 13 00 00 01 e0 41 53 69 67 41 70 70 65 |........ASigAppe| 00383560 6e 64 65 64 2d 53 69 67 6e 61 74 75 72 65 00 00 |nded-Signature..| ... 003836f0 dd 47 cd ed 02 8e 15 af 5b 09 2e 44 6f da 67 88 |.G......[..Do.g.| 00383700 4d 94 17 31 26 9d 47 95 d8 7c ad 36 00 d2 9c 53 |M..1&.G..|.6...S| 00383710 20 e0 af 60 78 cd 22 e6 ed 45 1e b1 e7 7e cf b5 | ..`x."..E...~..| 00383720 fc 58 ec df 1b ab 7a 00 00 02 00 00 00 00 00 00 |.X....z.........| 00383730 00 01 b7 7e 4d 6f 64 75 6c 65 20 73 69 67 6e 61 |...~Module signa| 00383740 74 75 72 65 20 61 70 70 65 6e 64 65 64 7e 0a |ture appended~.| Fix this by adding a padding required to align appended signature size in the appended signature ELF note to multiple of 4 bytes. Example: VasEBoot-mkimage -O powerpc-ieee1275 -o core.elf -p /VasEBoot -x \ kernel.der --appended-signature-size 479 ... sign-file SHA256 ./VasEBoot.key ./VasEBoot.pem ./core.elf ./core.elf.signed With padding: hexdump -C ./core.elf.signed ... 00137460 62 00 00 00 00 00 00 13 00 00 01 ec 41 53 69 67 |b...........ASig| 00137470 41 70 70 65 6e 64 65 64 2d 53 69 67 6e 61 74 75 |Appended-Signatu| ... 00137610 b7 07 cd b6 c8 ca 9a 5b 7c 13 8c 75 1d 1c 54 81 |.......[|..u..T.| 00137620 7f c4 9a 8b bd d7 73 8d 2f 7d d2 e6 d1 3c 52 a9 |......s./}... 2026-01-08 Srish Srinivasan tests: Add functional tests for ecb/cbc helpers Test the following helper functions using AES with 128, 192, and 256 bit keys: - VasEBoot_crypto_ecb_encrypt(), - VasEBoot_crypto_ecb_decrypt(), - VasEBoot_crypto_cbc_encrypt(), - VasEBoot_crypto_cbc_decrypt(). Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper Reviewed-by: Glenn Washburn 2026-01-08 Srish Srinivasan osdep/aros/hostdisk: Fix use-after-free bug during MsgPort deletion ... in function VasEBoot_util_fd_open() when creation of an I/O request or opening a device fails. The "ret", the file descriptor, will be freed before its associated MsgPort is deleted resulting in a use-after-free condition. Fix this issue by freeing "ret" after its associated MsgPort has been deleted. Reviewed-by: Avnish Chouhan Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2026-01-08 Ingo Breßler kern/efi/sb: Enable loading VAS_EBOOT_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY and VAS_EBOOT_FILE_TYPE_CRYPTODISK_DETACHED_HEADER ... file types when UEFI Secure Boot is enabled. Otherwise it is not possible to load cryptodisk encryption key or detached header. Fixes: https://savannah.gnu.org/bugs/?65889 Reviewed-by: Alec Brown 2025-12-21 Radoslav Kolev blsuki: Error out if unexpected arguments are supplied This can be especially helpful, as the Fedora version of the blscfg actually made use of positional arguments, but current implementation switched to parameters. For example what used to be "blscfg (hd0,gpt2)/..." now should be "blscfg --path (hd0,gpt2)/...)". In case of old configs/scripts still supplying positional arguments we will now error out instead of just ignoring them and falling back to defaults silently. Reviewed-by: Daniel Kiper 2025-12-21 Radoslav Kolev blsuki: Fix default location in comment to /loader/entries Reviewed-by: Daniel Kiper 2025-12-21 Radoslav Kolev blsuki: Use specified device in case of fallback Currently if the fallback option is enabled and no files are found in the specified directory it searches the default (loader/conf) directory but always in the device set by the root environment variable. It makes more sense and also the comment in the code implies, that the default directory on the current device should be searched. Reviewed-by: Daniel Kiper 2025-12-21 Radoslav Kolev blsuki: Fix position of DIR parameter in blscfg command summary The DIR parameter in the example should be specified after the -p|--path option instead of after -f|fallback. Reviewed-by: Daniel Kiper 2025-12-21 Radoslav Kolev blsuki: Fix typo in entry parameter description Change "specificUKII entries" to "specific UKI entries". Reviewed-by: Daniel Kiper 2025-12-21 Khalid Ali efi: Fix several memory leaks of UEFI handles Fix possible and absolute memory leaks of "handles" returned by VasEBoot_efi_locate_handle() using VasEBoot_malloc(). Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-12-21 Andreas K. Hüttel util/VasEBoot-install: Allow recursive copying of theme dirs VasEBoot-install allows to pass a parameter to install a theme in the boot partition. This works fine for the default starfield theme. However, in general themes can contain subdirectories, as, e.g. "icons", and these are not copied by VasEBoot-install. As a result, the icons are missing on the screen. Fix this by simple recursive copying. Reviewed-by: Daniel Kiper 2025-12-21 Heinrich Schuchardt commands/efi/lsefisystab: Recognize EFI_MEMORY_ATTRIBUTES_TABLE_GUID and EFI_TCG2_FINAL_EVENTS_TABLE_GUID Let the lsefisystab command recognize the following table GUIDs: - EFI_MEMORY_ATTRIBUTES_TABLE_GUID, - EFI_TCG2_FINAL_EVENTS_TABLE_GUID. Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2025-12-21 Glenn Washburn tests/util/VasEBoot-fs-tester: Use CSMACINTOSH encoding instead of macroman From Debian 12 to 13, recode had a major overhaul and now does not support the macroman encoding. Its unclear if this is a bug or intentional. Regardless, use the CSMACINTOSH encoding instead as MacRoman and it are aliases and CSMACINTOSH is supported on both Debian 12 and 13. Reviewed-by: Daniel Kiper 2025-12-21 Luca Boccassi commands/bli: Set UINT32_MAX in LoaderTpm2ActivePcrBanks if TPM2 present but no banks protocol The implementation in sd-boot was changed to return UINT32_MAX when the EFI environment detects a working TPM2, but with an older firmware that doesn't implement the protocol to get the list of active banks. This allows distinguishing with the case where there is no working TPM2, in which case userspace just gives up, and instead lets userspace try to figure it out later. Fixes: f326c5c47 (commands/bli: Set LoaderTpm2ActivePcrBanks runtime variable) Reviewed-by: Daniel Kiper 2025-12-21 Sridhar Markonda script/execute: Add a NULL check after VasEBoot_calloc() call ... in gettext_append() to handle allocation errors. This prevents NULL pointer dereference and stops crashes during string translation. Reviewed-by: Daniel Kiper 2025-12-21 Avnish Chouhan disk/ieee1275/ofdisk: Fix memory leaks In case of an overflow "p" and "p->VasEBoot_devpath" will not be freed. Fix both issues. Reviewed-by: Alec Brown Reviewed-by: Daniel Kiper Reviewed-by: Sudhakar Kuppusamy 2025-12-21 Avnish Chouhan efiemu/loadcore: Add VasEBoot_calloc() failure check Add a failure check after VasEBoot_calloc() call. If VasEBoot_calloc() fails, e.g., due to memory allocation failure, it returns NULL. Then using VasEBoot_efiemu_elfsyms, which will be NULL, later will result in a NULL pointer dereference. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-12-21 George Hu lib/x86_64/setjmp: Use 32-bit zero idiom for shorter encoding Switch from "xorq %rax, %rax" to "xorl %eax, %eax". In 64-bit mode zeroing EAX implicitly clears RAX and the 32-bit form encodes are one byte smaller while keeping identical semantics. Reviewed-by: Daniel Kiper 2025-12-21 Glenn Washburn tests: Fix nonnative tests labeled as native The tests asn1_test and tpm2_key_protector_test should be labelled as nonnative tests because they run tests on the target. A clue that indicates a nonnative test is the usage of the VasEBoot-shell script. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-12-21 Glenn Washburn INSTALL: Add note that the GNU Autoconf Archive may be needed As of 1a5417f39a0c (configure: Check linker for --image-base support), the GNU Autoconf Archive is now required to bootstrap VAS_EBOOT. Reviewed-by: Daniel Kiper 2025-11-21 Glenn Washburn INSTALL: Fix a grammatical error Also, add more documentation mentioning that the tests require a "specially crafted environment" to run. Just running as root is not enough. Reviewed-by: Daniel Kiper 2025-11-21 Glenn Washburn bootstrap: Condense and simplify LINGUAS generation Remove unnecessary subshells. Loop over autogenerated po files only once. Use existing LINGUAS created by bootstrap instead of finding po files again. Add wget as a soft requirement now that we are using bootstrap's code for updating translation files. This should only be needed if updated translations are desired, which is the default. There should be older translation files already, and wget is not necessary if those will suffice. Reviewed-by: Daniel Kiper 2025-11-21 Glenn Washburn bootstrap: Migrate linguas.sh into bootstrap.conf Bootstrap has infrastructure for downloading/updating project po files and generating the LINGUAS file. It uses wget instead of rsync, but provides the same functionality, namely that only po files that have a modification date before the corresponding one on the server will get redownloaded. Bootstrap creates a pristine copy of the po files in po/.reference, so update .gitignore to ignore that directory. Bootstrap also creates the po/LINGUAS file, but it does not know to add in VAS_EBOOT's autogenerated po files. So move that code from linguas.sh into the bootstrap epilogue. Reviewed-by: Daniel Kiper 2025-11-21 Glenn Washburn bootstrap: Run linguas.sh in bootstrap epilogue Heretofore, linguas.sh had to be run by the user and a common mistake made when building VAS_EBOOT was to not run the command. By adding it to the bootstrap epilogue it will by default get run at the end of the bootstrap script. The user no longer needs to remember to run it. If the --skip-po option is passed to bootstrap, do not run linguas.sh. This allows for bootstrap to be run without updating the translations, which might be desired in the future if we track po files so that translations can be used as they were at time of release. Update INSTALL file to reflect that it is no longer necessary to run linguas.sh. Also, fix a list numbering error. Fixes: 9f73ebd49be (* INSTALL: Document linguas.sh.) Reviewed-by: Daniel Kiper 2025-11-21 Avnish Chouhan normal/cmdline: Add VasEBoot_calloc() failure check and fix hist_lines state loss If VasEBoot_calloc() fails hist_lines becomes NULL. It means we loose the reference to the previously allocated hist_lines and leak memory. With this change on failure hist_lines still points to the old memory. So, no leak, no state corruption. Reviewed-by: Daniel Kiper 2025-11-20 Michael Chang blsuki: Fix VasEBoot_errno leakage in blsuki_is_default_entry() The VasEBoot_strtol() call in blsuki_is_default_entry() can set VasEBoot_errno to either VAS_EBOOT_ERR_BAD_NUMBER or VAS_EBOOT_ERR_OUT_OF_RANGE if the input string is invalid or out of range. This VasEBoot_errno value is currently left uncleared, which can lead to unexpected behavior in subsequent functions that rely on checking current state of VasEBoot_errno. Clear VasEBoot_errno unconditionally when VasEBoot_strtol() reports error so that we can plug the leak. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Avnish Chouhan Reviewed-by: Alec Brown Reviewed-by: Daniel Kiper 2025-11-20 Glenn Washburn Revert "tests: Remove -w param from mkfs.hfsplus command" The original commit removes testing of VAS_EBOOT's support for HFS+ wrapping and replaces it with testing that is an exact duplicate of another test, namely HFS+ without wrapping. To start, the change is misleading in that it suggests that the testing of HFS+ wrapping is still taking place, when it is not. If it was desired to remove support for testing the HFS+ wrapping, then the test should have been removed entirely. Second, having a series of tests that are exactly the same is just a waste of testing resources. And third, the justification for the change is nonsensical. Just because a required program may not have a required feature on a particular distro is not a reason that a test should be removed. Reducing test coverage because some distros do not have the tools VAS_EBOOT needs to run certain tests goes against the testing priority to have test coverage be as broad as possible. The fact is that Debian, the officially supported distro for running the tests, does have a mkfs.hfsplus that supports the -w parameter. This reverts commit 2bc0929a2 (tests: Remove -w param from mkfs.hfsplus command). Reviewed-by: Daniel Kiper 2025-11-20 Glenn Washburn Revert "tests: Skip tests if required tools are not available" As explained in commit a21618c8a (tests: Test aborts due to missing requirements should be marked as error instead of skipped) and in the Automake manual[1], skipped tests are tests that should not be run, e.g. running the ohci test on the powerpc-ieee1275 as there are no native ohci drivers for that platform. Test that fail for reasons other than there is a bug in VAS_EBOOT code that is causing the test to fail are hard errors. Commonly this is because the test is run in an improperly configured environment, like required programs are missing. If a hard error condition is identified with a SKIP return code, the person running the tests can not know without investigating every skip if a SKIP in the tests was because the test does not apply to the target being tested or because the user had a misconfigured environment that was causing the test not to run. By ensuring that a test is skipped only when it should not run, the person running the test can be sure that there is no need to investigate why the test was skipped. This reverts commit bf13fed5f (tests: Skip tests if required tools are not available). [1] https://www.gnu.org/software/automake/manual/automake.html#Generalities-about-Testing Reviewed-by: Daniel Kiper 2025-11-20 Sudhakar Kuppusamy osdep/linux/ofpath: Add missing strdup() failure checks Segmentation faults or undefined behaviour may result from a NULL pointer dereference in strip_trailing_digits() and VasEBoot_util_devname_to_ofpath() if strdup() fails. Therefore, I added a NULL check to fix this. Reviewed-by: Srish Srinivasan Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-11-20 Vladimir Serbinenko lib/relocator: Fix dereference after NULL check In the function free_subchunk(), after checking that subchu->post isn't NULL, VasEBoot_memset() is called on subchu->pre->freebytes but it should be called on subchu->post->freebytes. If subchu->pre is NULL but subchu->post isn't NULL, then this could lead to a NULL pointer dereference. Fixes: CID 473882 Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-11-20 Nicholas Vinson configure: Check linker for --image-base support In several scenarios, configure tests assume it's safe to use "-Wl,-Ttext,
", but starting with ld.lld-21, blindly using that flag may result in configure-test failures due to ld.lld failing to link. The failure is because ld.lld-21 no longer allows the specified address is less than the base address. However, ld.lld-21+ and ld.bfd-2.44+ both provide support for the --image-base flag making it preferable over the older -Ttext flag. Fixes: https://savannah.gnu.org/bugs/?67662 Reviewed-by: Daniel Kiper 2025-11-20 Glenn Washburn INSTALL: Make note that Linux kernel 6.12.x or earlier is needed for reiserfs testing Also, remove wording suggesting that tests may be skipped if prerequisites are not installed. Tests should never be skipped because of an environment misconfiguration, instead they should return a hard error (code 99). Reviewed-by: Daniel Kiper 2025-11-20 Glenn Washburn docs: Reorganize test section and add section on writing tests Rename the main section to Tests and put the existing test section into a subsection. A new subsection called "Writing tests" is added to give a brief overview and make clear the difference in returning a SKIP code versus a HARD ERROR code. Reviewed-by: Daniel Kiper 2025-11-20 Glenn Washburn docs: Add note and explanation that the privileged user is required for properly running the tests Reviewed-by: Daniel Kiper 2025-11-20 Glenn Washburn docs: Fix spelling, grammatical and usage issues with new Porting section There are some other fixes outside of this section as well. Reviewed-by: Daniel Kiper 2025-11-20 Glenn Washburn util/VasEBoot-mkrescue: Fix spelling mistakes Reviewed-by: Daniel Kiper 2025-11-18 Jamie commands/usbtest: Ensure string length is sufficient in usb string processing If descstrp->length is less than 2 this will result in underflow in "descstrp->length / 2 - 1" math. Let's fix the check to make sure the value is sufficient. Reviewed-by: Daniel Kiper 2025-11-18 Jamie commands/usbtest: Use correct string length field An incorrect length field is used for buffer allocation. This leads to VasEBoot_utf16_to_utf8() receiving an incorrect/different length and possibly causing OOB write. This makes sure to use the correct length. Fixes: CVE-2025-61661 Reported-by: Jamie Reviewed-by: Daniel Kiper 2025-11-18 Alec Brown tests/lib/functional_test: Unregister commands on module unload When the functional_test module is loaded, both the functional_test and all_functional_test commands are registered but only the all_functional_test command is being unregistered since it was the last to set the cmd variable that gets unregistered when the module is unloaded. To unregister both commands, we need to create an additional VasEBoot_extcmd_t variable. Reviewed-by: Daniel Kiper 2025-11-18 Alec Brown normal/main: Unregister commands on module unload When the normal module is loaded, the normal and normal_exit commands are registered but aren't unregistered when the module is unloaded. We need to add calls to VasEBoot_unregister_command() when unloading the module for these commands. Fixes: CVE-2025-61663 Fixes: CVE-2025-61664 Reported-by: Alec Brown Reviewed-by: Daniel Kiper 2025-11-18 Alec Brown gettext/gettext: Unregister gettext command on module unload When the gettext module is loaded, the gettext command is registered but isn't unregistered when the module is unloaded. We need to add a call to VasEBoot_unregister_command() when unloading the module. Fixes: CVE-2025-61662 Reported-by: Alec Brown Reviewed-by: Daniel Kiper 2025-11-18 Thomas Frauendorfer | Miray Software net/net: Unregister net_set_vlan command on unload The commit 954c48b9c (net/net: Add net_set_vlan command) added command net_set_vlan to the net module. Unfortunately the commit only added the VasEBoot_register_command() call on module load but missed the VasEBoot_unregister_command() on unload. Let's fix this. Fixes: CVE-2025-54770 Fixes: 954c48b9c (net/net: Add net_set_vlan command) Reported-by: Thomas Frauendorfer | Miray Software Reviewed-by: Daniel Kiper 2025-11-18 Thomas Frauendorfer | Miray Software kern/file: Call VasEBoot_dl_unref() after fs->fs_close() With commit 16f196874 (kern/file: Implement filesystem reference counting) files hold a reference to their file systems. When closing a file in VasEBoot_file_close() we should not expect file->fs to stay valid after calling VasEBoot_dl_unref() on file->fs->mod. So, VasEBoot_dl_unref() should be called after file->fs->fs_close(). Fixes: CVE-2025-54771 Fixes: 16f196874 (kern/file: Implement filesystem reference counting) Reported-by: Thomas Frauendorfer | Miray Software Reviewed-by: Daniel Kiper 2025-11-18 Thomas Frauendorfer | Miray Software commands/test: Fix error in recursion depth calculation The commit c68b7d236 (commands/test: Stack overflow due to unlimited recursion depth) added recursion depth tests to the test command. But in the error case it decrements the pointer to the depth value instead of the value itself. Fix it. Fixes: c68b7d236 (commands/test: Stack overflow due to unlimited recursion depth) Reviewed-by: Daniel Kiper 2025-11-18 Alec Brown fs/zfs/zfs: Avoid pointer downcasting in dnode_get() Coverity marks multiple issues in VasEBoot-core/fs/zfs/zfs.c as either "Untrusted value as argument", "Untrusted pointer read", or "Untrusted loop bound". Each of these issues share a common cause where Coverity finds that data->dnode_buf gets tainted by dnbuf since it is downcasting from (void *) to (dnode_phys_t *) and could imply that the data the pointer points to is tainted. However, the function zio_read(), which reads this data from disk, sanitizes this data by verifying its checksum. To resolve the issues for Coverity, setting dnbuf to (dnode_phys_t *) at the start of the function dnode_get() seems to do the trick. Fixes: CID 314020 Fixes: CID 896330 Fixes: CID 896331 Fixes: CID 896334 Fixes: CID 896336 Fixes: CID 896340 Fixes: CID 897337 Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-11-18 Alec Brown mmap/mmap: Fix resource leak In the function VasEBoot_mmap_iterate(), memory is allocated to "ctx.scanline_events" and "present" but isn't freed when error handling VasEBoot_malloc(). Prior to returning VasEBoot_errno, these variables should be freed to prevent a resource leak. Fixes: CID 96655 Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-11-18 Glenn Washburn linguas: Ensure that linguas.sh runs from the directory that it resides The script assumes that it is run from the root of the source tree, which is where it is located. So this should be enforced to prevent accidental misuses. realpath is used instead of readlink as that is recommended in Debian's readlink manpage since at least Debian 11. Also, use the shell variable's parameter expansion for removing a suffix pattern to get the directory in which the script resides. This is preferable to using the dirname binary as it avoids creating a new process. Reviewed-by: Daniel Kiper 2025-11-18 Glenn Washburn gitignore: Remove po/*.po and po/LINGUAS po files will now be tracked. This has the following benefits as listed by Colin Watson: * Build processes would no longer be vulnerable to an external server potentially going down for an extended period of time; they'd be stuck with outdated translations until the server was fixed or came up with a workaround, but that's better than nothing. * It would be easier to manage branches of stable releases, rather than assuming that translations downloaded for master will match the POT files for a stable release. * Tests would be able to pass from a clean git checkout without relying on an external server, improving QA reliability. * It would be easier to make and test branches while offline. * The translations shipped with a release tarball could be tagged in git so that it's easy to investigate bugs in them. * Downstream distributors would be able to use git branches without having to fill in additional files. Reviewed-by: Daniel Kiper 2025-11-18 Glenn Washburn tests/VasEBoot_cmd_cryptomount: Use builddir shell variable and quote Using a shell variable instead of an autoconf macro creates less changes to the file, which can be desirable when modifying by hand later and then diffing with the unexpanded file. It also makes it simpler to change the builddir after expansion, which may need to happen when moving the build dir to a different path and not being able to rerun the autoconf expansion. Also, add quoting around the builddir variable as there may be spaces in the path. Reviewed-by: Daniel Kiper Reviewed-by: Sudhakar Kuppusamy 2025-11-18 Glenn Washburn tests/VasEBoot_cmd_cryptomount: Expect test success, now that VAS_EBOOT supports Argon2 This test was included to verify that, while VAS_EBOOT did not have Argon2 support, trying to open a LUKS2 volume with an Argon2 keyslot would fail Now that Argon2 support is included, the test is failing because it expected a failure, but is now getting success. Change the test to expect success. Reviewed-by: Daniel Kiper Reviewed-by: Sudhakar Kuppusamy 2025-11-18 Glenn Washburn tests/erofs_test: Improve accuracy of FSTIME check On resource constrained test runs, the last modification time on the image is an unreliable date to check against the filesystem creation time. Use dump.erofs to get the filesystem creation time from the superblock. This should get the timestamp as shown by VAS_EBOOT's "ls -l". Reviewed-by: Daniel Kiper Reviewed-by: Sudhakar Kuppusamy 2025-11-18 Glenn Washburn tests/erofs_test: Disable filetime check for erofs_compact Compact EROFS inodes do not allow for modification times that are different from FS creation times. The file modification time check is done between the EROFS image and the file system where test temporary files are written to, not the files as seen from the mounted EROFS image. So its likely that the file modification time will be different, more so when run on slower systems. Reviewed-by: Daniel Kiper Reviewed-by: Sudhakar Kuppusamy 2025-11-18 Glenn Washburn tests/erofs_test: Remove root check The erofs tests do not ever mount the generated erofs image. So root is not needed, as with the squashfs and iso9660 filesystems. Reviewed-by: Daniel Kiper Reviewed-by: Sudhakar Kuppusamy 2025-11-18 Glenn Washburn tests/erofs_test: Fix mkfs.erofs version test to not use process substitution bashism The shell used to run the tests is generally /bin/sh, which does not support process substitution. Fixes: b990df0bef9e (tests/util/VasEBoot-fs-tester: Fix EROFS label tests in VasEBoot-fs-tester) Reviewed-by: Daniel Kiper Reviewed-by: Sudhakar Kuppusamy 2025-11-18 Andrew Hamilton tests: Support changed mkfs.ext2 behavior for -r flag Correct nuisance ext234_test failure on newer Linux distros. Recently, the mkfs.ext2 utility removed support for the -r flag to specify old (version 0) formats of ext2. A new flag was added to allow the same behavior. Support both ways of specifying version 0 ext2 file systems when testing ext2 in VAS_EBOOT. Reviewed-by: Daniel Kiper Reviewed-by: Glenn Washburn 2025-11-18 Andrew Hamilton tests: Avoid test failure in erofs for label length Recently, mkfs.erofs began to enforce that the file system label is 15 characters or less (excluding NUL terminator). This causes the current erofs test in VAS_EBOOT to fail. Reduce the test label used to fit in this limit allowing the test to work as expected. Reviewed-by: Daniel Kiper Reviewed-by: Glenn Washburn 2025-11-18 Andrew Hamilton tests: Split ZFS ZSTD test into new file Split ZFS ZSTD test into its own test script. Add a check to the new test script to see if the zfs utility installed on the host supports "zstd" compression before running the test and fail the test if not. It seems at least some zfs-fuse binaries do not support zstd compression and the current test will fail in that case. Splitting into a new file will avoid masking other test failures due to missing zstd support. Reviewed-by: Daniel Kiper Reviewed-by: Glenn Washburn 2025-11-18 Andrew Hamilton util/VasEBoot.d/00_header.in: Disable loading all_video for EFI Loading all_video for EFI can cause video issues in some cases since VAS_EBOOT Bochs/Cirrus drivers may conflict with native EFI drivers. Change default behavior for EFI to only load EFI specific video modules. Also include a new environment variable to restore the old behavior if needed. Fixes: https://savannah.gnu.org/bugs/?66200 Reviewed-by: Daniel Kiper 2025-11-18 Glenn Washburn util/VasEBoot-mkrescue: Fix copy/paste issue referencing mdadm The check_xorriso() function appears to have been copy/pasted from somewhere that was originally checking the mdadm command. So the file handle to the output of the xorriso command is named "mdadm". Instead rename it to the more generic "fout". Also change a comment referencing mdadm to reference xorriso. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-11-18 Avnish Chouhan osdep/linux/getroot: Add missing strdup() failure checks If strdup() fails, it returns NULL and passing NULL further down to the code can lead to segmentation fault or an undefined behavior. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-11-18 Avnish Chouhan kern/mips/arc/init: Add missing VasEBoot_strdup() failure check If VasEBoot_strdup() fails, it returns NULL and passing NULL further down to the code can lead to segmentation fault or an undefined behavior. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-11-18 Avnish Chouhan script/execute: Add missing VasEBoot_strdup() failure check If VasEBoot_strdup() fails, it returns NULL and passing NULL further down to the code can lead to segmentation fault or an undefined behavior. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-11-18 Avnish Chouhan kern/ieee1275/openfw: Add missing VasEBoot_strdup() failure checks If VasEBoot_strdup() fails, it returns NULL and passing NULL further down to the code can lead to segmentation fault or an undefined behavior. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-11-18 Andrew Hamilton docs: Add security hardening suggestions Add some suggestions to the security section on maximizing the security hardening of VAS_EBOOT. This change reveals sectioning issues introduced by commit 0b59d379f (docs/VasEBoot: Document signing VAS_EBOOT under UEFI) and commit 0f2dda8cf (docs/VasEBoot: Document signing VAS_EBOOT with an appended signature). Fix them on the occasion. Reviewed-by: Daniel Kiper 2025-11-06 Leo Sandoval tests: Remove -w param from mkfs.hfsplus command Apparently the man page is outdated because the option "-w" is shown but not on "mkfs.hfsplus --usage". According to Gemini: The -w option is used to add an HFS wrapper around an HFS Plus file system, which is sometimes required for compatibility with older Mac OS 9 systems. However, this is not a standard or commonly used option and may not be available in all versions of the hfsprogs package, especially on Linux. Reviewed-by: Daniel Kiper 2025-11-06 Leo Sandoval tests: Increase verbosity in *_test.in checks In this case it does not hurt to increase bash execution verbosity so we can get more insight in case of issues. Reviewed-by: Daniel Kiper 2025-11-06 Leo Sandoval tests: Skip tests if required tools are not available There is no reason to fail a test if the required testing tool is not present on the system, so skip the test instead of failing it. Reviewed-by: Andrew Hamilton Reviewed-by: Neal Gompa Reviewed-by: Daniel Kiper 2025-11-06 Srish Srinivasan tests: Extend pbkdf2_test to cover HMAC-SHA{256,512} HMAC-SHA1 is the only HMAC variant tested in the existing vectors. Add vectors to test HMAC-SHA{256,512} as well. Reviewed-by: Stefan Berger Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-11-06 Avnish Chouhan lib/legacy_parse: Add missing VasEBoot_malloc() failure check This patch adds a NULL check after VasEBoot_malloc() call. Missing a failure check after calling VasEBoot_malloc() can lead to undefined behavior. If the allocation fails and returns NULL subsequent dereferencing or writing to the pointer will likely result in a runtime error such as a segmentation fault. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-11-06 Avnish Chouhan mmap/mmap: Add missing VasEBoot_malloc() failure check This patch adds a NULL check after VasEBoot_malloc() call. Missing a failure check after calling VasEBoot_malloc() can lead to undefined behavior. If the allocation fails and returns NULL subsequent dereferencing or writing to the pointer will likely result in a runtime error such as a segmentation fault. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-11-06 Avnish Chouhan partmap/msdos: Add missing VasEBoot_malloc() failure check This patch adds a NULL check after VasEBoot_malloc() call. Missing a failure check after calling VasEBoot_malloc() can lead to undefined behavior. If the allocation fails and returns NULL subsequent dereferencing or writing to the pointer will likely result in a runtime error such as a segmentation fault. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-11-06 Avnish Chouhan normal/completion: Add missing VasEBoot_malloc() failure check This patch adds a NULL check after VasEBoot_malloc() call. Missing a failure check after calling VasEBoot_malloc() can lead to undefined behavior. If the allocation fails and returns NULL subsequent dereferencing or writing to the pointer will likely result in a runtime error such as a segmentation fault. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-11-06 Avnish Chouhan term/ieee1275/serial: Fix memory leak The VasEBoot_zalloc() allocates memory for port. If the allocation for port->name fails the function returns NULL without freeing the previously allocated port memory. This results in a memory leak. To avoid this we must free port before return. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-11-06 Lars Wendler configure: Avoid bashisms or else configure check doesn't succeed with non-bash shell (e.g. dash): checking whether to enable AMD64 as(1) feature detection... /var/tmp/portage/sys-boot/VasEBoot-2.14_rc1/work/VasEBoot-2.14~rc1/configure: 39176: test: xx86_64: unexpected operator no and later build fails with /var/tmp/portage/sys-boot/VasEBoot-2.14_rc1/work/VasEBoot-2.14~rc1/VasEBoot-core/lib/libgcrypt-VasEBoot/src/hwf-x86.c: In function ‘detect_x86_gnuc’: /var/tmp/portage/sys-boot/VasEBoot-2.14_rc1/work/VasEBoot-2.14~rc1/VasEBoot-core/lib/libgcrypt-VasEBoot/src/hwf-x86.c:252:17: error: ‘HWF_INTEL_CPU’ undeclared (first use in this function) 252 | result |= HWF_INTEL_CPU; | ^~~~~~~~~~~~~ and other corresponding HWF_INTEL_* definitions because HAVE_CPU_ARCH_X86 was erroneously not defined by configure script. Reviewed-by: Gary Lin Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-28 Daniel Kiper Release 2.14~rc1 2025-10-28 Daniel Kiper windows: Fix symbol table generation during module conversion from PE to ELF According to the System V Application Binary Interface specification [1] the sections holding a symbol table, SHT_SYMTAB and SHT_DYNSYM, have to have sh_info set to "One greater than the symbol table index of the last local symbol (binding STB_LOCAL)". Current code converting PE images to ELF files does not do that and readelf complains in following way: ... Section Headers: [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [ 0] NULL 00000000 000000 000000 00 0 0 0 [ 1] .text PROGBITS 00000000 000034 0014d4 00 AX 0 0 4 [ 2] .data PROGBITS 00000000 001508 000040 00 WA 0 0 32 [ 3] .rdata PROGBITS 00000000 001548 0006b8 00 A 0 0 4 [ 4] .module_license PROGBITS 00000000 001c00 000010 00 0 0 4 [ 5] .bss NOBITS 00000000 000000 000008 00 WA 0 0 4 [ 6] .moddeps PROGBITS 00000000 001c10 000010 00 0 0 4 [ 7] .modname PROGBITS 00000000 001c20 000008 00 0 0 4 [ 8] .rel.text REL 00000000 001c28 0008c8 08 11 1 4 [ 9] .rel.data REL 00000000 0024f0 000040 08 11 2 4 [10] .rel.rdata REL 00000000 002530 000070 08 11 3 4 [11] .symtab SYMTAB 00000000 0025a0 0001d0 10 12 0 4 [12] .strtab STRTAB 00000000 002770 000237 00 0 0 1 ... Symbol table '.symtab' contains 29 entries: Num: Value Size Type Bind Vis Ndx Name 0: 00000000 0 NOTYPE LOCAL DEFAULT UND readelf: Warning: local symbol 0 found at index >= .symtab's sh_info value of 0 1: 0000144a 0 FUNC LOCAL DEFAULT 1 VasEBoot_mod_init readelf: Warning: local symbol 1 found at index >= .symtab's sh_info value of 0 2: 000014aa 0 FUNC LOCAL DEFAULT 1 VasEBoot_mod_fini readelf: Warning: local symbol 2 found at index >= .symtab's sh_info value of 0 3: 00000000 0 SECTION LOCAL DEFAULT 1 .text readelf: Warning: local symbol 3 found at index >= .symtab's sh_info value of 0 4: 00000000 0 SECTION LOCAL DEFAULT 2 .data readelf: Warning: local symbol 4 found at index >= .symtab's sh_info value of 0 5: 00000000 0 SECTION LOCAL DEFAULT 5 .bss readelf: Warning: local symbol 5 found at index >= .symtab's sh_info value of 0 6: 00000000 0 SECTION LOCAL DEFAULT 3 .rdata readelf: Warning: local symbol 6 found at index >= .symtab's sh_info value of 0 7: 00000000 0 NOTYPE GLOBAL DEFAULT UND VasEBoot_dma_get_phys 8: 00000000 0 NOTYPE GLOBAL DEFAULT UND VasEBoot_cs5536_write_msr 9: 00000000 0 NOTYPE GLOBAL DEFAULT UND VasEBoot_dma_free ... Let's fix it... [1] https://www.sco.com/developers/gabi/2012-12-31/contents.html Reviewed-by: Ross Philipson Reviewed-by: Alec Brown 2025-10-28 Daniel Kiper windows: Fix relocation sections generation during module conversion from PE to ELF The commit 98ad84328 (kern/dl: Check for the SHF_INFO_LINK flag in VasEBoot_dl_relocate_symbols()) revealed a bug in the code converting PE module images to ELF files. The missing SHF_INFO_LINK flag for SHT_REL and SHT_RELA sections lead to hangs during VAS_EBOOT load. This only happens for the VAS_EBOOT images generated on Windows platforms. The *NIX platforms are not affected due to lack of PE to ELF conversion step. This patch fixes the issue... Reviewed-by: Ross Philipson Reviewed-by: Alec Brown 2025-10-28 Andrew Hamilton loader/efi/linux: Fix compile error with Clang Clang will produce a warning, which is treated as an error, that "vendor_defined_data" is uninitialized. This is a "zero length" array member of this struct. Add conditional compile pragma to allow this to compile with Clang. Reviewed-by: Daniel Kiper 2025-10-28 Andrew Hamilton build: Add tpm2key.asn file for reference to dist archive Add the tpm2key.asn file to the dist archive for reference by end users. Reviewed-by: Daniel Kiper 2025-10-28 Andrew Hamilton build: Include new zstd test support files in dist archive Include the two new zstd test support files in the dist archive so end users can successfully run this test. Reviewed-by: Daniel Kiper 2025-10-28 Andrew Hamilton build: Include MAINTAINERS and SECURITY files in dist archive Include the MAINTAINERS and SECURITY files in the dist archive for reference in distributed archives by end users. Reviewed-by: Daniel Kiper 2025-10-24 Daniel Kiper build: Add appended signatures header file to EXTRA_DIST This file was not added to EXTRA_DIST during the appended signatures merge. Fixes: 3e4ff6ffb (appended signatures: Parse ASN1 node) Reviewed-by: Alec Brown 2025-10-24 Daniel Kiper lib/xzembed/xz_dec_stream: Replace VasEBoot_memcpy() call with memcpy() Make the code consistent. Reviewed-by: Alec Brown 2025-10-24 Daniel Kiper bootstrap: Fix patching warnings Currently bootstrap complains in the following way when patching gnulib files: patching file regcomp.c Hunk #2 succeeded at 1029 with fuzz 2. Hunk #5 succeeded at 1716 with fuzz 2. patching file regexec.c patching file base64.c patching file regexec.c Hunk #1 succeeded at 807 (offset -21 lines). Let's fix it by adding missing "\f" and amending line numbers in the patches. Reviewed-by: Alec Brown 2025-10-24 Yann Diorcet tss2: Always init out buffer before calling tpm2_submit_command_real() When tpm2_submit_command_real() is called for a retry, the content of out buffer can already be set with previous tpm2_submit_command_real() call's reply. Add a call to VasEBoot_tpm2_buffer_init() before tpm2_submit_command_real(). This solves the issues occurring during TPM_CC_Load command on the integrated TPM 2.0 in Intel Elkhart Lake chip. Reviewed-by: Daniel Kiper 2025-10-24 Andrew Hamilton fs/ntfs: Correct next_attribute validation Improved ad-hoc fuzzing coverage revealed a possible access violation around line 342 of VasEBoot-core/fs/ntfs.c when accessing the attr_cur pointer due to possibility of moving pointer "next" beyond of the end of the valid buffer inside next_attribute. Prevent this for cases where full attribute validation is not performed (such as on attribute lists) by performing a sanity check on the newly calculated next pointer. Fixes: 06914b614 (fs/ntfs: Correct attribute vs attribute list validation) Reviewed-by: Daniel Kiper 2025-10-24 Michael Chang kern/ieee1275/init: Use net config for boot location instead of firmware bootpath On network boots VasEBoot_ieee1275_net_config() is used to determine the boot device but the path continues to be taken from the Open Firmware /chosen/bootpath property. This assumes the device node follows the generic IEEE 1275 syntax which is not always the case. Different drivers may extend or redefine the format and VAS_EBOOT may then misinterpret the argument as a filename and set $prefix incorrectly. The generic Open Firmware device path format is: device-name[:device-argument] device-argument := [partition][,[filename]] For example, a bootpath such as: /vdevice/l-lan@30000002:speed=auto,duplex=auto,1.2.243.345,,9.8.76.543,1.2.34.5,5,5,255.255.255.0,512 does not follow this form. The section after the colon (the device-argument) contains driver-specific options and network parameters, not a valid filename. The VAS_EBOOT interprets this string as a filename which results in $prefix being set to "/", effectively losing the intended boot directory. The firmware is not at fault here since interpretation of device nodes is driver-specific. Instead, VAS_EBOOT should use the filename provided in the cached DHCP packet which is consistent and reliable. This is also the same mechanism already used on UEFI and legacy BIOS platforms. This patch updates VasEBoot_machine_get_bootlocation() to prefer the result from VasEBoot_ieee1275_net_config() when complete and only fall back to the firmware bootpath otherwise. Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-24 Lidong Chen net/tftp: Fix NULL pointer dereference in VasEBoot_net_udp_close() A NULL pointer dereference can occur in VasEBoot_net_udp_close(data->sock) when handling a malformed TFTP OACK packet. This issue was discovered via fuzzing. When a malformed OACK packet contains an invalid file size, "tsize", value tftp_receive() detects the error and saves it via VasEBoot_error_save(&data->save_err). Later, tftp_open() restores this error and calls VasEBoot_net_udp_close(data->sock) assuming the socket is still valid. However, the socket may have already been closed and set to NULL after processing the final data block in tftp_receive() leading to a NULL pointer dereference when attempting to close it again. Fix it by checking if the socket is non-NULL before closing. Reviewed-by: Daniel Kiper Reviewed-by: Sudhakar Kuppusamy 2025-10-24 Lidong Chen net/dns: Prevent UAF and double free In recv_hook(), *data->addresses is freed without being set to NULL. Since *data->addresses can be cached in dns_cache[h].addresses, this can lead to UAF or double free if dns_cache[h].addresses is accessed or cleared later. The fix sets *data->addresses to NULL after freeing to avoid dangling pointer. Reviewed-by: Daniel Kiper 2025-10-24 Lidong Chen net/bootp: Prevent a UAF in network interface unregister A UAF occurs in VasEBoot_net_network_level_interface_unregister() when inter->name is accessed after being freed in VasEBoot_cmd_bootp(). Fix it by deferring VasEBoot_free(ifaces[j].name) until after VasEBoot_net_network_level_interface_unregister() completes. Reviewed-by: Daniel Kiper 2025-10-24 Andrew Hamilton docs: Document lsmemregions and memtools commands Add documentation of the new lsmemregions command as well as documenting the existing memtools module commands. Reviewed-by: Daniel Kiper 2025-10-24 Leo Sandoval commands/memtools: Add lsmemregions command Prints memory regions general information including size, number of blocks, total free and total allocated memory per region. The reason behind is to have a tool that shows general information about regions and how fragmented the memory is at some particular time. Below is an example showing how this tool before and after memory stress. VasEBoot> lsmemregions Region 0x78f6e000 (size 33554368 blocks 1048574 free 27325472 alloc 6232768) > stress_big_allocations ... VasEBoot> lsmemregions Region 0x7af8e000 (size 4032 blocks 126 free 2720 alloc 1312) Region 0x80c000 (size 81856 blocks 2558 free 81856 alloc 0) Region 0x7d165000 (size 167872 blocks 5246 free 167872 alloc 0) Region 0x7d0bf000 (size 655296 blocks 20478 free 655296 alloc 0) Region 0x7ee00000 (size 1331136 blocks 41598 free 1331136 alloc 0) Region 0x100000 (size 7385024 blocks 230782 free 7385024 alloc 0) Region 0x7af95000 (size 25382848 blocks 793214 free 25382848 alloc 0) Region 0x1780000 (size 2038357952 blocks 63698686 free 2077517536 alloc 5445568) Reviewed-by: Andrew Hamilton Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-24 Logan Gunthorpe tests/file_filter: Add zstd tests Test zstd decompression in the same way that other decompressors are tested. Reviewed-by: Daniel Kiper 2025-10-24 Logan Gunthorpe tests/file_filter: Add zstd test file Add a file.zstd similar to the other compression methods and generate a gpg signature with "gpg --detach-sign". Reviewed-by: Daniel Kiper 2025-10-24 Logan Gunthorpe tests/file_filter: Regenerate gpg keys The "keys" file is not a valid GPG secret key so it is not possible to generate new signatures. Create a new key and use "gpg --export-secret-key" to export the key and "gpg --export" to export the public key. Then resign all the signatures with "gpg --detach-sign". Reviewed-by: Daniel Kiper 2025-10-24 Logan Gunthorpe io/zstdio: Implement zstdio decompression Add zstd based io decompression. Based largely on the existing xzio, implement the same features using the zstd library already included in the project. Reviewed-by: Avnish Chouhan  Reviewed-by: Daniel Kiper 2025-10-23 Michael Chang fs/btrfs: Update doc link for bootloader support The old wiki link is obsolete and no longer updated. Change it to the current documentation. Reviewed-by: Neal Gompa Reviewed-by: Daniel Kiper 2025-10-23 Michael Chang docs: Add Btrfs env block and special env vars Update VasEBoot.texi to describe the external environment block in the reserved area of Btrfs header used for VasEBoot-reboot and savedefault, and add a section documenting the saved_entry, next_entry, and env_block variables. Reviewed-by: Neal Gompa Reviewed-by: Daniel Kiper 2025-10-23 Michael Chang util/VasEBoot.d/00_header.in: Wire VasEBoot.cfg to use env_block when present This patch extends the generated VasEBoot.cfg so that it can use the external environment block when the variable env_block is defined. During boot, if env_block is set, VasEBoot.cfg builds a device path for it, exports the variable, and then loads its contents in addition to the normal VasEBootenv file. When VAS_EBOOT writes variables such as next_entry or saved_entry, the save commands are changed to write into env_block if it is set, and to fall back to the VasEBootenv file otherwise. In this way the external environment block is used automatically, and existing commands like savedefault or save_env do not need to change. Reviewed-by: Neal Gompa Reviewed-by: Daniel Kiper 2025-10-23 Michael Chang fs/btrfs: Add environment block to reserved header area This patch reserves space for the VAS_EBOOT environment block inside the Btrfs header. The block is placed at an offset of VAS_EBOOT_ENV_BTRFS_OFFSET, 256 KiB from the start of the device, and occupies one sector. To protect the space, overflow guard sectors are placed before and after the reserved block. The Btrfs header already defines regions for bootloader use. By adding this entry, VAS_EBOOT gains a fixed and safe location to store the environment block without conflicting with other structures in the header. Add Btrfs and its reserved area information to the fs_envblk_spec table. With the groundworks done in previous patches, the function is now complete and working in VasEBoot-editenv. Reviewed-by: Neal Gompa Reviewed-by: Daniel Kiper 2025-10-23 Michael Chang util/VasEBoot-editenv: Add probe call for external envblk This patch adds the probe_fs_envblk() function to identify the root filesystem and invoke fs_envblk_init() with the probed filesystem type and device. This checks if the feature is available and initializes the handle, fs_envblk, to access the external environment block. It avoids configurations with diskfilter or cryptodisk where filesystem blocks may be remapped or encrypted. The probe is only invoked when VasEBoot-editenv is working on the default environment file path. This restriction ensures that probing and possible raw device access are not triggered for arbitrary user supplied paths, but only for the standard VasEBootenv file. In that case the code checks if the filename equals DEFAULT_ENVBLK_PATH and then calls probe_fs_envblk with fs_envblk_spec. The result is stored in the global fs_envblk handle. At this stage the external environment block is only detected and recorded, and the behavior of VasEBoot-editenv is unchanged. Reviewed-by: Neal Gompa Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-23 Michael Chang util/VasEBoot-editenv: Wire list_variables() to optional fs_envblk This patch updates list_variables() so that it also prints entries from the external environment block when one is present. The function first lists all variables from the file based envblk, then iterates over the external envblk and prints those as well. The output format remains the same as before. The change makes it possible to inspect variables regardless of whether they are stored in the file envblk or in the reserved block. Reviewed-by: Neal Gompa Reviewed-by: Avnish Chouhan Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-10-23 Michael Chang util/VasEBoot-editenv: Wire unset_variables() to optional fs_envblk This patch updates unset_variables() so that removals are also applied to the external environment block when it is present. The code opens the external block, deletes the same named keys there, and then writes the external block back using fs_envblk_write(). The file based envblk is still updated and written as before. Reviewed-by: Neal Gompa Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-23 Michael Chang util/VasEBoot-editenv: Wire set_variables() to optional fs_envblk This patch changes set_variables() so that it can use an external environment block when one is present. The variable next_entry is written into the external block, env_block is treated as read only, and all other variables are written into the normal file based envblk. A cleanup step is added to handle cases where VAS_EBOOT at runtime writes variables into the external block because file based updates are not safe on a copy on write filesystem such as Btrfs. For example, the savedefault command can update saved_entry, and on Btrfs VAS_EBOOT will place that update in the external block instead of the file envblk. If an older copy remains in the external block, it would override the newer value from the file envblk when VAS_EBOOT first loads the file and then applies the external block on top of it. To avoid this, whenever a variable is updated in the file envblk, any same named key in the external block is deleted. Reviewed-by: Neal Gompa Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-23 Michael Chang util/VasEBoot-editenv: Add fs_envblk write helper This patch adds the function fs_envblk_write to update the reserved environment block on disk. The helper takes an in memory envblk buffer and writes it back to the device at the location defined by the fs_envblk specification. It performs size checks and uses file sync to ensure that the updated data is flushed. The helper is also added into the fs_envblk ops table, together with the open helper from the previous patch. With this change the basic input and output path for an external environment block is complete. The choice of which variables should be written externally will be handled by later patches. Reviewed-by: Neal Gompa Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-23 Michael Chang util/VasEBoot-editenv: Add fs_envblk open helper This patch adds the logic to locate and open an environment block that is stored in a reserved area on the device. It introduces the function fs_envblk_open() together with helper routines to read the block pointed to by the env_block variable, and to create the block on disk when it does not exist yet. When a block is created, the code records its location inside the file based envblk by setting env_block in block list syntax of offset plus size in sectors. The env_block variable acts as a link from the file envblk to the raw disk region so that later runs of VasEBoot-editenv can follow it and access the external block. The helper is exposed through a small ops table attached to fs_envblk so that later patches can call fs_envblk->ops->open() without touching core code again. At this stage variables are still stored in the file envblk and no redirection has been applied. In relation to this, the fs_envblk_spec table defines the file-system specific layout of the reserved raw blocks used for environment storage. It is prepared to facilitate integration in VasEBoot-editenv, with Btrfs to be added in the future once its reserved area is defined. An fs_envblk_init() helper is added to prepare it for using the ops with its associated data context if the feature is available. It is not used yet, but will be used later when a filesystem and its device are probed to initialize the fs_envblk handle and enable access to the feature. Reviewed-by: Neal Gompa Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-23 Michael Chang tests: Add "z" length modifier printf tests Add unit tests for %zd, %zu and %zx to verify size_t and ssize_t formatting matches system snprintf(). Reviewed-by: Neal Gompa Reviewed-by: Daniel Kiper 2025-10-23 Michael Chang kern/misc: Add the "z" length modifier support Add support for the "z" length modifier in the printf code. This allows printing of size_t and ssize_t values using %zu, %zd and related formats. The parser maps "z" to the correct integer width based on sizeof(size_t). Reviewed-by: Neal Gompa Reviewed-by: Daniel Kiper 2025-10-23 Gary Lin disk/cryptodisk: Add --hw-accel to enable hardware acceleration The --hw-accel option has been added to cryptomount to speed up decryption by temporarily enabling hardware-specific instruction sets (e.g., AVX, SSE) in libgcrypt. A new feature, "feature_gcry_hw_accel", is also introduced to mark the availability of the new option. Reviewed-by: Daniel Kiper 2025-10-23 Gary Lin libgcrypt: Add hardware acceleration for gcry_sha512 Enable hardware acceleration for the gcry_sha512 module when building for the x86_64 EFI target. Reviewed-by: Daniel Kiper 2025-10-23 Gary Lin libgcrypt: Add hardware acceleration for gcry_sha256 Enable hardware acceleration for the gcry_sha256 module when building for the x86_64 EFI target. Reviewed-by: Daniel Kiper 2025-10-23 Gary Lin libgcrypt: Declare the sha256 shaext function There is no prototype of _gcry_sha256_transform_intel_shaext() defined in the header or libgcrypt-VasEBoot/cipher/sha256.c, and gcc may complain the missing-prototypes error when compiling sha256-intel-shaext.c. Declare the prototype in sha256-intel-shaext.c to avoid the error. Reviewed-by: Daniel Kiper 2025-10-23 Gary Lin libgcrypt: Implement _gcry_get_hw_features() Implement _gcry_get_hw_features() and enable hardware feature detection for x86_64. Reviewed-by: Daniel Kiper 2025-10-23 Gary Lin libgcrypt: Copy sha512 x86_64 assembly files Copy the selected x86_64 assembly files to support hardware acceleration for sha512. Reviewed-by: Daniel Kiper 2025-10-23 Gary Lin libgcrypt: Copy sha256 x86_64 assembly files Copy the selected x86_64 assembly files to support hardware acceleration for sha256. Reviewed-by: Daniel Kiper 2025-10-23 Gary Lin lib/hwfeatures-gcry: Enable SSE and AVX for x86_64 EFI Implement the necessary functions to dynamically enable SSE and AVX on x86_64 EFI systems when the hardware is capable. Reviewed-by: Daniel Kiper 2025-10-23 Gary Lin lib/hwfeatures-gcry: Introduce functions to manage hardware features This commit introduces the generic functions to manage the hardware features in libgcrypt. These functions are stubs for future platform-specific implementations: - VasEBoot_gcry_hwf_enabled() returns __gcry_use_hwf which indicates if the hardware features are enabled specifically by VasEBoot_enable_gcry_hwf(), - VasEBoot_enable_gcry_hwf() invokes the architecture specific enablement functions and sets __gcry_use_hwf to true, - VasEBoot_reset_gcry_hwf() invokes the architecture specific reset functions and sets __gcry_use_hwf to false. Reviewed-by: Daniel Kiper 2025-10-23 Gary Lin configure: Tweak autoconf/automake files to detect x86_64 features To enable hardware acceleration, this commit ports the feature detection logic from libgcrypt. This allows us to check if the compiler supports specific assembly instructions, including SSSE3, Intel SHA extensions, SSE4.1, AVX, AVX2, AVX512, and BMI2. To simplify the initial implementation, support for x86_64 feature detection is currently limited to the x86_64 EFI target. Reviewed-by: Daniel Kiper 2025-10-23 Gary Lin lib/pbkdf2: Optimize PBKDF2 by reusing HMAC handle The previous PBKDF2 implementation used VasEBoot_crypto_hmac_buffer() which allocates and frees an HMAC handle on every call. This approach caused significant performance overhead slowing down the boot process considerably. This commit refactors the PBKDF2 code to use the new HMAC functions allowing the HMAC handle and its buffers to be allocated once and reused across multiple operations. This change significantly reduces disk unlocking time. In a QEMU/OVMF test environment this patch reduced the time to unlock a LUKS2 (*) partition from approximately 15 seconds to 4 seconds. (*) PBKDF2 SHA256 with 3454944 iterations. Reviewed-by: Daniel Kiper 2025-10-23 Gary Lin lib/crypto: Introduce new HMAC functions to reuse buffers To enable more efficient buffer reuse for HMAC operations three new functions have been introduced. This change prevents the need to reallocate memory for each HMAC operation: - VasEBoot_crypto_hmac_reset(): reinitializes the hash contexts in the HMAC handle, - VasEBoot_crypto_hmac_final(): provides the final HMAC result without freeing the handle allowing it to be reused immediately, - VasEBoot_crypto_hmac_free(): deallocates the HMAC handle and its associated memory. To further facilitate buffer reuse ctx2 is now included within the HMAC handle struct and the initialization of ctx2 is moved to VasEBoot_crypto_hmac_init(). The intermediate hash states, ctx and ctx2, for the inner and outer padded keys are now cached. The VasEBoot_crypto_hmac_reset() restores these cached states for new operations which avoids redundant hashing of the keys. Reviewed-by: Daniel Kiper 2025-10-23 Gary Lin docs: Document argon2 and argon2_test modules Tested-By: Waldemar Brodkorb Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2025-10-23 Gary Lin kern/misc: Implement faster VasEBoot_memcpy() for aligned buffers When both "dest" and "src" are aligned, copying the data in VasEBoot_addr_t sized chunks is more efficient than a byte-by-byte copy. Also tweak __aeabi_memcpy(), __aeabi_memcpy4(), and __aeabi_memcpy8(), since VasEBoot_memcpy() is not inline anymore. Optimization for unaligned buffers was omitted to maintain code simplicity and readability. The current chunk-copy optimization for aligned buffers already provides a noticeable performance improvement (*) for Argon2 keyslot decryption. (*) On my system, for a LUKS2 keyslot configured with a 1 GB Argon2 memory requirement, this patch reduces the decryption time from 22 seconds to 12 seconds. Reviewed-by: Daniel Kiper 2025-10-21 Gary Lin tests/util/VasEBoot-fs-tester: Use Argon2id for LUKS2 test Given that the LUKS1 test already covers PBKDF2, the default KDF for the LUKS2 test has been switched to Argon2id to ensure both algorithms are validated. Tested-By: Waldemar Brodkorb Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2025-10-21 Gary Lin tests: Integrate Argon2 tests into functional_test Refactor the Argon2 tests to enable the module build and integrate the tests into function_test. Tested-By: Waldemar Brodkorb Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2025-10-21 Gary Lin tests: Import Argon2 tests from libgcrypt Copy the Argon2 test function, check_argon2(), from t-kdf.c in libgcrypt to VasEBoot-core/tests/argon2_test.c. Tested-By: Waldemar Brodkorb Reviewed-by: Daniel Kiper 2025-10-21 Gary Lin disk/luks2: Add Argon2 support Leverage the new VasEBoot_crypto_argon2() function to add support for the Argon2i and Argon2id KDFs in LUKS2. Tested-By: Waldemar Brodkorb Reviewed-by: Daniel Kiper 2025-10-21 Gary Lin argon2: Introduce VasEBoot_crypto_argon2() This commit introduces VasEBoot_crypto_argon2() which leverages the _gcry_kdf_*() functions from libgcrypt to provide Argon2 support. Due to the dependency of the _gcry_kdf_*() functions, the order of "ldadd" entries have to be tweaked in Makefile.util.def so that the linker can discover these functions. Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2025-10-21 Gary Lin libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms Use VasEBoot_divmod64() for the 64-bit modulus to prevent creation of special division calls such as __umoddi3() and __aeabi_uldivmod() on 32-bit platforms. Reviewed-by: Daniel Kiper 2025-10-21 Gary Lin libgcrypt/kdf: Remove unsupported KDFs Clean up _gcry_kdf_*() to remove unsupported KDFs. Reviewed-by: Daniel Kiper 2025-10-21 Gary Lin libgcrypt/kdf: Get rid of gpg_err_code_from_errno() gpg_err_code_from_errno() requires libgcrypt_wrap/mem.c which is not in Makefile.utilgcry.def. This commit replaces gpg_err_code_from_errno() with GPG_ERR_* to avoid the build errors. Reviewed-by: Daniel Kiper 2025-10-21 Gary Lin libgcrypt/kdf: Implement hash_buffers() for BLAKE2b-512 The hash_buffers() functions are disabled in VAS_EBOOT by default but the Argon2 implementation requires hash_buffers() for BLAKE2b-512. This commit implements argon2_blake2b_512_hash_buffers() as the replacement of _gcry_digest_spec_blake2b_512.hash_buffers(). Reviewed-by: Daniel Kiper 2025-10-21 Gary Lin crypto: Update crypto.h for libgcrypt KDF functions This commit introduces the necessary changes to crypto.h in preparation for implementing Argon2 support via the generic KDF functions, _gcry_kdf_*(): - add new GPG error types required by kdf.c, - declare _gcry_digest_spec_blake2b_512 to enable BLAKE2b-512 digest calculations, - define the gcrypt KDF algorithm IDs for Argon2, - add the prototypes of _gcry_kdf_*() functions. Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2025-10-21 Gary Lin util/import_gcry: Import kdf.c for Argon2 The import_gcry.py script now imports kdf.c from libgcrypt. To isolate the Argon2 implementation, all unrelated functions have been removed. Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy commands/menuentry: Fix for out of bound access A menu entry with an empty title leads to an out-of-bounds access at "ch = src[len - 1]", i.e., "src" is empty and "len" is zero. So, fixing this by checking the menu entry title length and throwing an error if the length is zero. Reviewed-by: Daniel Kiper 2025-10-11 Gary Lin tests/tpm2_key_protector_test: Add a test for PCR Capping A test is introduced to cap PCR 1 and track the PCR 1 value before and after key unsealing. Reviewed-by: Stefan Berger Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-10-11 Gary Lin tpm2_key_protector: Support PCR capping To prevent a sealed key from being unsealed again, a common and straightforward method is to "cap" the key by extending the associated PCRs. When the PCRs associated with the sealed key are extended, TPM will be unable to unseal the key, as the PCR values required for unsealing no longer match, effectively rendering the key unusable until the next system boot or a state where the PCRs are reset to their expected values. To cap a specific set of PCRs, simply append the argument '-c pcr_list' to the tpm2_key_protector command. Upon successfully unsealing the key, the TPM2 key protector will then invoke tpm2_protector_cap_pcrs(). This function extends the selected PCRs with an EV_SEPARATOR event, effectively "capping" them. Consequently, the associated key cannot be unsealed in any subsequent attempts until these PCRs are reset to their original, pre-capped state, typically occurring upon the next system boot. Reviewed-by: Stefan Berger Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-10-11 Gary Lin tss2: Implement VasEBoot_tcg2_cap_pcr() for emu Since there is no system firmware for VasEBoot-emu, the TPM2_PCR_Event command becomes the only choice to implement VasEBoot_tcg2_cap_pcr(). Reviewed-by: Stefan Berger Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-10-11 Gary Lin tss2: Implement VasEBoot_tcg2_cap_pcr() for ieee1275 This commit implements VasEBoot_tcg2_cap_pcr() for ieee1275 with the firmware function, 2hash-ext-log, to extend the target PCR with an EV_SEPARATOR event and record the event into the TPM event log. To avoid duplicate code, ibmvtpm_2hash_ext_log() is moved to tcg2.c and exported as a global function. Reviewed-by: Daniel Kiper 2025-10-11 Gary Lin tss2: Implement VasEBoot_tcg2_cap_pcr() for EFI This commit implements VasEBoot_tcg2_cap_pcr() for EFI by using the UEFI TCG2 protocol, HashLogExtendEvent, to extend the specified PCR with an EV_SEPARATOR event and ensure the event will be recorded properly in the TPM event log. Reviewed-by: Stefan Berger Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-10-11 Gary Lin tss2: Introduce VasEBoot_tcg2_cap_pcr() This commit introduces the definition of VasEBoot_tcg2_cap_pcr(), a new function designed to enhance the security of sealed keys. Its primary purpose is to "cap" a specific PCR by extending it with an EV_SEPARATOR event. This action cryptographically alters the PCR value, making it impossible to unseal any key that was previously sealed to the original PCR state. Consequently, the sealed key remains protected against unauthorized unsealing attempts until the associated PCRs are reset to their initial configuration, typically occurring during a subsequent system boot. Reviewed-by: Stefan Berger Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-10-11 Gary Lin tss2: Add TPM2_PCR_Event command The TPM2_PCR_Event command is introduced to tss2 to allow the user to extend a specific PCR. The related data structure and unmarshal function are also introduced. However, simply invoking TPM2_PCR_Event does not automatically record the event into the TPM event log. The TPM event log is primarily maintained by the system firmware (e.g., BIOS/UEFI). Therefore, for most standard use cases, the recommended method for extending PCRs and ensuring proper event logging is to utilize the system firmware functions. There are specific scenarios where direct use of TPM2_PCR_Event becomes necessary. For instance, in environments lacking system firmware support for PCR extension, such as the VasEBoot-emu, TPM2_PCR_Event serves as the only available method to extend PCRs. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-10-11 Thomas Zimmermann loader/i386/linux: Transfer EDID information to kernel The Linux kernel's struct bootparams provides a field at offset 0x140 for storing an EDID header. Copy the video adapter's data to the field. The edid_info field was added in 2003 (see "[FBDEV] EDID support from OpenFirmware on PPC platoforms and from the BIOS on intel platforms."), but only got useable in 2004 (see "[PATCH] Fix EDID_INFO in zero-page"). The boot protocol was at version 2.03 at that time. The field was never used much, but with the recent addition of the efidrm and vesadrm drivers to the kernel, it becomes much more useful. As with the initial screen setup, these drivers can make use of the provided EDID information for basic display output. Reviewed-by: Neal Gompa Reviewed-by: Michael Chang Reviewed-by: Daniel Kiper 2025-10-11 Dave Vasilevsky fs/hfsplus: Allow reading files created by Mac OS 9 The "permissions" field of hfsplus files is only used by Mac OS X. This causes VAS_EBOOT to skip reading files created by Mac OS 9, since their file mode is read as unknown. Instead, assume files with zero mode are regular files. From Technote 1150: The traditional Mac OS implementation of HFS Plus does not use the permissions field. Files created by traditional Mac OS have the entire field set to 0. Reviewed-by: Daniel Kiper 2025-10-11 Sridhar Markonda docs: Fix build warnings in libgcrypt and blsuki doc Following warnings are thrown during libgrcypt and bluski doc build: VasEBoot.texi:4744: warning: node next pointer for `gcry_arcfour_module' is `gcry_blake2_module' but next is `gcry_aria_module' in menu VasEBoot.texi:4744: warning: node prev pointer for `gcry_arcfour_module' is `gcry_aria_module' but prev is `functional_test_module' in menu VasEBoot.texi:4751: warning: node prev pointer for `gcry_blake2_module' is `gcry_arcfour_module' but prev is `gcry_aria_module' in menu VasEBoot.texi:8532: warning: node next pointer for `trust' is `unset' but next is `uki' in menu VasEBoot.texi:8549: warning: node next pointer for `unset' is `uki' but next is `verify_detached' in menu VasEBoot.texi:8549: warning: node prev pointer for `unset' is `trust' but prev is `uki' in menu VasEBoot.texi:8557: warning: node next pointer for `uki' is `verify_detached' but next is `unset' in menu VasEBoot.texi:8557: warning: node prev pointer for `uki' is `unset' but prev is `trust' in menu VasEBoot.texi:8600: warning: node prev pointer for `verify_detached' is `uki' but prev is `unset' in menu Fix order of gcry_aria_module and unset nodes. Reviewed-by: Andrew Hamilton Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Srish Srinivasan kern/command,commands/extcmd: Perform explicit NULL check in both the unregister helpers During command registration, VasEBoot_register_command_prio() returns a 0 when there is a failure in memory allocation. In such a situation, calls to VasEBoot_unregister_{command(), extcmd()} during command unregistration will result in dereferencing a NULL pointer. Perform explicit NULL check in both unregister helpers to prevent undefined behaviour due to a NULL pointer dereference. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper 2025-10-11 Luca Boccassi commands/efi/tpm: Call get_active_pcr_banks() only with TCG2 1.1 or newer The call was added in the 1.1 revision of the spec, 1.0 does not have it, and there are some machines out there with a TPM2 and a UEFI firmware that only supports version 1.0, so the call fails in those cases. Check the reported version before calling get_active_pcr_banks(). See Table 4 in section 6.2 of the TCG EFI Protocol Specification: https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf Fixes: f326c5c47 (commands/bli: Set LoaderTpm2ActivePcrBanks runtime variable) Reviewed-by: Andrew Hamilton Reviewed-by: Daniel Kiper 2025-10-11 Leo Sandoval kern: Include function name on debug and error print functions With the following change, we see standard (VasEBoot_dprintf) and error (VasEBoot_error) logs with the function name embedded (see below) into the log which is particular useful when debugging: commands/efi/tpm.c:VasEBoot_tpm_measure:281:tpm: log_event, pcr = 8, size = 0xb, Including one more field on the print log impacts the binary sizes and in turn their respective distro packages. For Fedora rpm packages the increase is 20k approximately. Reviewed-by: Daniel Kiper 2025-10-11 Peter Jones kern: Make VasEBoot_error() more verbose Reviewed-by: Daniel Kiper 2025-10-11 Michael Chang net/tcp: Fix TCP port number reused on reboot VAS_EBOOT's TCP stack assigns source ports for outgoing connections starting at 21550 and increments sequentially by 1 (e.g., 21550, 21551, ...). While this generally works, it can lead to failures if the system reboots rapidly and reuses the same source port too soon. This issue was observed on powerpc-ieee1275 platforms using CAS (Client Architecture Support) reboot. In such cases, loading the initrd over HTTP may fail with connection timeouts. Packet captures show the failed connections are flagged as "TCP Port Number Reused" by Wireshark. The root cause is that VAS_EBOOT reuses the same port shortly after reboot, while the server may still be tracking the previous connection in TIME_WAIT. This can result in the server rejecting the connection attempt or responding with a stale ACK or RST, leading to handshake failure. This patch fixes the issue by introducing a time based source port selection strategy. Instead of always starting from port 21550, VAS_EBOOT now computes an initial base port based on the current RTC time, divided into 5 minute windows. The purpose of this time based strategy is to ensure that VAS_EBOOT avoids reusing the same source port within a 5 minute window, thereby preventing collisions with stale server side connection tracking that could interfere with a new TCP handshake. A step size of 8 ensures that the same port will not be reused across reboots unless VAS_EBOOT opens more than 8 TCP connections per second on average, something that is highly unlikely. In typical usage, a VAS_EBOOT boot cycle lasts about 15 seconds and may open fewer than 100 connections total, well below the reuse threshold. This makes the approach robust against short reboot intervals while keeping the logic simple and deterministic. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy docs/VasEBoot: Document appended signature This explains how appended signatures can be used to form part of a secure boot chain, and documents the commands and variables introduced. Reviewed-by: Stefan Berger Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy docs/VasEBoot: Document signing VAS_EBOOT with an appended signature Signing VAS_EBOOT for firmware that verifies an appended signature is a bit fiddly. I don't want people to have to figure it out from scratch so document it here. Reviewed-by: Stefan Berger Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Daniel Axtens docs/VasEBoot: Document signing VAS_EBOOT under UEFI Before adding information about how VAS_EBOOT is signed with an appended signature scheme, it's worth adding some information about how it can currently be signed for UEFI. Reviewed-by: Stefan Berger Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy appended signatures: Verification tests These tests are run through all_functional_test and test a range of commands and behaviours. Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy appended signatures: VAS_EBOOT commands to manage the hashes Introducing the following VAS_EBOOT commands to manage certificate/binary hashes. 1. append_list_dbx: Show the list of distrusted certificates and binary/certificate hashes from the dbx list. 2. append_add_db_hash: Add the trusted binary hash to the db list. 3. append_add_dbx_hash: Add the distrusted certificate/binary hash to the dbx list. Note that if signature verification (check_appended_signatures) is set to yes, the append_add_db_hash and append_add_dbx_hash commands only accept the file ‘hash_file’ that is signed with an appended signature. Tested-by: Sridhar Markonda Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy appended signatures: VAS_EBOOT commands to manage the certificates Introducing the following VAS_EBOOT commands to manage the certificates. 1. append_list_db: Show the list of trusted certificates from the db list 2. append_add_db_cert: Add the trusted certificate to the db list 3. append_add_dbx_cert: Add the distrusted certificate to the dbx list 4. append_verify: Verify the signed file using db list Note that if signature verification (check_appended_signatures) is set to yes, the append_add_db_cert and append_add_dbx_cert commands only accept the file ‘X509_certificate’ that is signed with an appended signature. Tested-by: Sridhar Markonda Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy appended signatures: Using db and dbx lists for signature verification Signature verification: verify the kernel against lists of hashes that are either in dbx or db list. If it is not in the dbx list then the trusted keys from the db list are used to verify the signature. Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy appended signatures: Create db and dbx lists If secure boot is enabled with static key management mode, the trusted certificates will be extracted from the VAS_EBOOT ELF Note and added to db list. If secure boot is enabled with dynamic key management mode, the trusted certificates and certificate/binary hash will be extracted from the PKS and added to db list. The distrusted certificates, certificate/binary hash are read from the PKS and added to dbx list. Both dbx and db lists usage is added by a subsequent patch. Note: - If db does not exist in the PKS storage, then read the static keys as a db default keys from the VAS_EBOOT ELF Note and add them into the db list. - If the certificate or the certificate hash exists in the dbx list, then do not add that certificate/certificate hash to the db list. Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy appended signatures: Introducing key management environment variable Introducing the appended signature key management environment variable. It is automatically set to either "static" or "dynamic" based on the Platform KeyStore. "static": Enforce static key management signature verification. This is the default. When the VAS_EBOOT is locked down, user cannot change the value by setting the appendedsig_key_mgmt variable back to "dynamic". "dynamic": Enforce dynamic key management signature verification. When the VAS_EBOOT is locked down, user cannot change the value by setting the appendedsig_key_mgmt variable back to "static". Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy powerpc/ieee1275: Read the db and dbx secure boot variables Enhancing the infrastructure to enable the Platform Keystore (PKS) feature, which provides access to the SB_VERSION, db, and dbx secure boot variables from PKS. If PKS is enabled, it will read secure boot variables such as db and dbx from PKS and extract EFI Signature List (ESL) from it. The ESLs would be saved in the Platform Keystore buffer, and the appendedsig module would read it later to extract the certificate's details from ESL. In the following scenarios, static key management mode will be activated: 1. When Secure Boot is enabled with static key management mode 2. When SB_VERSION is unavailable but Secure Boot is enabled 3. When PKS support is unavailable but Secure Boot is enabled Note: SB_VERSION: Key Management Mode 1 - Enable dynamic key management mode. Read the db and dbx variables from PKS, and use them for signature verification. 0 - Enable static key management mode. Read keys from the VAS_EBOOT ELF Note and use it for signature verification. Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy appended signatures: Support verifying appended signatures Building on the parsers and the ability to embed X.509 certificates, as well as the existing gcrypt functionality, add a module for verifying appended signatures. This includes a signature verifier that requires that the Linux kernel and VAS_EBOOT modules have appended signatures for verification. Signature verification must be enabled by setting check_appended_signatures. If secure boot is enabled with enforce mode when the appendedsig module is loaded, signature verification will be enabled, and trusted keys will be extracted from the VAS_EBOOT ELF Note and stored in the db and locked automatically. Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy powerpc/ieee1275: Enter lockdown based on /ibm, secure-boot Read secure boot mode from 'ibm,secure-boot' property and if the secure boot mode is set to 2 (enforce), enter lockdown. Else it is considered as disabled. There are three secure boot modes. They are 0 - disabled No signature verification is performed. This is the default. 1 - audit Signature verification is performed and if signature verification fails, display the errors and allow the boot to continue. 2 - enforce Lockdown the VAS_EBOOT. Signature verification is performed and if signature verification fails, display the errors and stop the boot. Now, only support disabled and enforce. Reviewed-by: Stefan Berger Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy appended signatures: Parse X.509 certificates This code allows us to parse: - X.509 certificates: at least enough to verify the signatures on the PKCS#7 messages. We expect that the certificates embedded in VAS_EBOOT will be leaf certificates, not CA certificates. The parser enforces this. - X.509 certificates support the Extended Key Usage extension and handle it by verifying that the certificate has a Code Signing usage. Signed-off-by: Javier Martinez Canillas # EKU support Reported-by: Michal Suchanek # key usage issue Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy appended signatures: Parse PKCS#7 signed data This code allows us to parse: - PKCS#7 signed data messages. Only a single signer info is supported, which is all that the Linux sign-file utility supports creating out-of-the-box. Only RSA, SHA-256 and SHA-512 are supported. Any certificate embedded in the PKCS#7 message will be ignored. Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy appended signatures: Parse ASN1 node This code allows us to parse ASN1 node and allocating memory to store it. It will work for anything where the size libtasn1 returns is right: - Integers - Octet strings - DER encoding of other structures It will _not_ work for things where libtasn1 size requires adjustment: - Strings that require an extra NULL byte at the end - Bit strings because libtasn1 returns the length in bits, not bytes. If the function returns a non-NULL value, the caller must free it. Reviewed-by: Stefan Berger Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy appended signatures: Import GNUTLS's ASN.1 description files In order to parse PKCS#7 messages and X.509 certificates with libtasn1, we need some information about how they are encoded. We get these from GNUTLS, which has the benefit that they support the features we need and are well tested. The GNUTLS files are from: - https://github.com/gnutls/gnutls/blob/master/lib/gnutls.asn - https://github.com/gnutls/gnutls/blob/master/lib/pkix.asn The GNUTLS license is LGPLv2.1+, which is GPLv3 compatible, allowing us to import it without issue. Reviewed-by: Stefan Berger Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy VasEBoot-install: Support embedding x509 certificates To support verification of appended signatures, we need a way to embed the necessary public keys. Existing appended signature schemes in the Linux kernel use X.509 certificates, so allow certificates to be embedded in the VAS_EBOOT core image in the same way as PGP keys. Reviewed-by: Stefan Berger Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy pgp: Rename OBJ_TYPE_PUBKEY to OBJ_TYPE_GPG_PUBKEY Prior to the addition of the X.509 public key support for appended signature, current PGP signature relied on the GPG public key. Changing the enum name from "OBJ_TYPE_PUBKEY" to "OBJ_TYPE_GPG_PUBKEY" to differentiate between x509 certificate based appended signature and GPG certificate based PGP signature. Reviewed-by: Stefan Berger Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Daniel Axtens crypto: Move storage for VasEBoot_crypto_pk_* to crypto.c The way gcry_rsa and friends (the asymmetric ciphers) are loaded for the pgp module is a bit quirky. include/VasEBoot/crypto.h contains: extern struct gcry_pk_spec *VasEBoot_crypto_pk_rsa; commands/pgp.c contains the actual storage: struct gcry_pk_spec *VasEBoot_crypto_pk_rsa; And the module itself saves to the storage in pgp.c: VAS_EBOOT_MOD_INIT(gcry_rsa) { VasEBoot_crypto_pk_rsa = &_gcry_pubkey_spec_rsa; } This is annoying: gcry_rsa now has a dependency on pgp! We want to be able to bring in gcry_rsa without bringing in PGP, so move the storage to crypto.c. Previously, gcry_rsa depended on pgp and mpi. Now it depends on crypto and mpi. As pgp depends on crypto, this doesn't add any new module dependencies using the PGP verfier. [FWIW, the story is different for the symmetric ciphers. cryptodisk and friends (zfs encryption etc) use VasEBoot_crypto_lookup_cipher_by_name() to get a cipher handle. That depends on VasEBoot_ciphers being populated by people calling VasEBoot_cipher_register. import_gcry.py ensures that the symmetric ciphers call it.] Reviewed-by: Stefan Berger Reviewed-by: Vladimir Serbinenko Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-10-11 Sudhakar Kuppusamy powerpc/ieee1275: Add support for signing VAS_EBOOT with an appended signature Add infrastructure to allow firmware to verify the integrity of VAS_EBOOT by use of a Linux-kernel-module-style appended signature. We initially target powerpc-ieee1275, but the code should be extensible to other platforms. Usually these signatures are appended to a file without modifying the ELF file itself. (This is what the 'sign-file' tool does, for example.) The verifier loads the signed file from the file system and looks at the end of the file for the appended signature. However, on powerpc-ieee1275 platforms, the bootloader is often stored directly in the PReP partition as raw bytes without a file-system. This makes determining the location of an appended signature more difficult. To address this, we add a new ELF Note. The name field of shall be the string "Appended-Signature", zero-padded to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values for the string "ASig"). It must be the final section in the ELF binary. The description shall contain the appended signature structure as defined by the Linux kernel. The description will also be padded to be a multiple of 4 bytes. The padding shall be added before the appended signature structure (not at the end) so that the final bytes of a signed ELF file are the appended signature magic. A subsequent patch documents how to create a VAS_EBOOT core.img validly signed under this scheme. Reviewed-by: Stefan Berger Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-09-10 Anaëlle Cazuc lib/b64dec: Use VasEBoot_size_t instead of size_t for _gpgrt_b64dec_proc() function definition On some targets, size_t and VasEBoot_size_t may not be the same type (unsigned long / unsigned int). This breaks the compilation because the definition of _gpgrt_b64dec_proc() differs from gpgrt_b64dec_proc() declaration. Fix it by using VasEBoot_size_t in the _gpgrt_b64dec_proc() definition. Reviewed-by: Daniel Kiper 2025-09-10 Anaëlle Cazuc util/VasEBoot-mkimagexx: Fix riscv32 relocation offset When using VasEBoot-mkrescue for a riscv32 target, an invalid implicit cast on the offset calculation produces an error during the relocation process: VasEBoot-mkrescue: error: target XXX not reachable from pc=fc. This patch adds an explicit VasEBoot_int64_t cast to compute the offset as a 64-bit subtraction. Reviewed-by: Daniel Kiper 2025-09-10 Andrew Hamilton libgcrypt: Allow VAS_EBOOT to build with Clang Attempts to build VAS_EBOOT with Clang were failing due to errors such as: error: redefinition of typedef 'gcry_md_hd_t' is a C11 feature Correct this by adding a compiler pragma to disable the Clang "typedef-redefinition" warnings. This required an update to include/VasEBoot/crypto.h and the util/import_gcry.py script to add the pragma to libgcrypt-VasEBoot's types.h due to u16 and similar types. Reviewed-by: Daniel Kiper 2025-09-10 Andrew Hamilton tests: Add test ISO files to dist package Add test ISO files to dist package to allow ISO test to pass. Reviewed-by: Daniel Kiper 2025-09-10 Vladimir Serbinenko tests: Test dates outside of 32-bit Unix range Add tests outside the date range possible with 32-bit time calculation. Reviewed-by: Daniel Kiper 2025-09-10 Vladimir Serbinenko lib/datetime: Support dates outside of 1901..2038 range Fixes: https://savannah.gnu.org/bugs/?63894 Fixes: https://savannah.gnu.org/bugs/?66301 Reviewed-by: Daniel Kiper 2025-09-04 Andrew Hamilton bootstrap: Ensure shallow gnulib clone works on newer git Update the bootstrap script to be compatible with newer versions of git that changed the "git clone -h" output from containing: --depth to: --[no-]depth This bootstrap script is pulled the latest gnulib version from gnulib git, commit 9a1a6385 (Silence 'time-stamp' warnings with bleeding-edge Emacs.). This change avoids a full clone on gnulib, saving something like 50 MB. Fixes: https://savannah.gnu.org/bugs/?66357 Reviewed-by: Daniel Kiper 2025-09-04 Andrew Hamilton docs: Correct some URLs Correct some outdated links to various websites and change http to https in a few places. Reviewed-by: Daniel Kiper 2025-09-04 Andrew Hamilton docs: Update Future section to reflect current release Update the Future section of the VAS_EBOOT manual to reflect current work on the 2.x series. Reviewed-by: Daniel Kiper 2025-09-04 Andrew Hamilton docs: Document new libgrypt modules Add documentation for new libgcrypt modules imported into VAS_EBOOT. Reviewed-by: Daniel Kiper 2025-09-04 Andrew Hamilton docs: Clarify section heading and fix wording Update chapter name from "Outline" to "Platform-specific operations" to improve readability. Also slightly improve some wording in this section. Reviewed-by: Daniel Kiper 2025-09-04 Andrew Hamilton BUGS: Update to point to bug tracking system Update the BUGS file to just point to the VAS_EBOOT bug tracking system. Reviewed-by: Daniel Kiper 2025-09-04 Andrew Hamilton INSTALL: Document libtasn1 needed for VasEBoot-protect Update INSTALL documentation to note that the optional VasEBoot-protect utility requires libtasn1 to build. Reviewed-by: Daniel Kiper 2025-09-04 Andrew Hamilton po: Update translations to build with gettext 0.26 Gettext 0.26 validates format strings. In some cases before the VAS_EBOOT build process was converting newlines sequences (\n) to (\) which is invalid. Update the impacted language sed script files to ensure newlines use the correct escape sequence. This avoids build errors such as: de@hebrew.po:8192: 'msgstr' is not a valid Shell printf format string, unlike 'msgid'. Reason: This escape sequence is invalid. Fixes: https://savannah.gnu.org/bugs/?67353 Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2025-09-04 Kancy Joe term/efi/console: Treat key.scan_code 0x0102 (suspend) as Enter Some Qualcomm-based UEFI platforms only provide volume up, volume down, and power keys. The volume keys are already mapped to SCAN_UP and SCAN_DOWN, while the power key is mapped to SCAN_SUSPEND (key.scan_code 0x0102). On such devices, the power key is commonly used as the Enter (confirm) button, since no dedicated Enter key exists. This patch treats key.scan_code 0x0102 as Enter to improve usability on these platforms. Reviewed-by: Daniel Kiper 2025-09-04 Mate Kukri util/bash-completion.d/Makefile.am: s/mkrescure/mkrescue/g This is a typo that was stopping this bash-completion from being installed. Reviewed-by: Daniel Kiper 2025-09-04 Alec Brown blsuki: Add uki command to load Unified Kernel Image entries A Unified Kernel Image (UKI) is a single UEFI PE file that combines a UEFI boot stub, a Linux kernel image, an initrd, and further resources. The uki command will locate where the UKI file is and create a VAS_EBOOT menu entry to load it. The Unified Kernel Image Specification: https://uapi-group.org/specifications/specs/unified_kernel_image/ Reviewed-by: Daniel Kiper 2025-09-04 Robbie Harwood blsuki: Check for mounted /boot in emu Irritatingly, BLS defines paths relative to the mountpoint of the filesystem which contains its snippets, not / or any other fixed location. So VasEBoot-emu needs to know whether /boot is a separate filesystem from / and conditionally prepend a path. Reviewed-by: Daniel Kiper 2025-09-04 Alec Brown util/misc.c: Change offset type for VasEBoot_util_write_image_at() Adding filevercmp support to VasEBoot-core/commands/blsuki.c from gnulib will cause issues with the type of the offset parameter for VasEBoot_util_write_image_at() for emu builds. To fix this issue, we can change the type from off_t to VasEBoot_off_t. Reviewed-by: Daniel Kiper 2025-09-04 Peter Jones blsuki: Add blscfg command to parse Boot Loader Specification snippets The BootLoaderSpec (BLS) defines a scheme where different bootloaders can share a format for boot items and a configuration directory that accepts these common configurations as drop-in files. The BLS Specification: https://uapi-group.org/specifications/specs/boot_loader_specification/ Reviewed-by: Daniel Kiper 2025-09-04 Alec Brown kern/misc: Implement VasEBoot_strtok() Add the functions VasEBoot_strtok() and VasEBoot_strtok_r() to help parse strings into tokens separated by characters in the "delim" parameter. These functions are present in gnulib but calling them directly from the gnulib code is quite challenging since the call "#include " would include the header file VasEBoot-core/lib/posix_wrap/string.h instead of VasEBoot-core/lib/gnulib/string.h, where strtok() and strtok_r() are declared. Since this overlap is quite problematic, the simpler solution was to implement the code in the VAS_EBOOT based on gnulib's implementation. For more information on these functions, visit the Linux Programmer's Manual, man strtok. Reviewed-by: Daniel Kiper 2025-09-04 Aaron Rainbolt kern/xen: Add Xen command line parsing Xen traditionally allows customizing guest behavior by passing arguments to the VM kernel via the kernel command line. This is no longer possible when using VAS_EBOOT with Xen, as the kernel command line is decided by the VAS_EBOOT configuration file within the guest, not data passed to the guest by Xen. To work around this limitation, enable VAS_EBOOT to parse a command line passed to it by Xen, and expose data from the command line to the VAS_EBOOT configuration as environment variables. These variables can be used in the VAS_EBOOT configuration for any desired purpose, such as extending the kernel command line passed to the guest. The command line format is inspired by the Linux kernel's command line format. To reduce the risk of misuse, abuse, or accidents in production, the command line will only be parsed if it consists entirely of 7-bit ASCII characters, only alphabetical characters and underscores are permitted in variable names, and all variable names must start with the string "xen_VasEBoot_env_". This also allows room for expanding the command line arguments accepted by VAS_EBOOT in the future, should other arguments end up becoming desirable in the future. Reviewed-by: Daniel Kiper 2025-09-03 Aaron Rainbolt include/xen/xen.h: Add warning comment for cmd_line The cmd_line field of the start_info struct is not guaranteed to be NUL-terminated, even though it is intended to contain a NUL-terminated string. Add a warning about this in a comment so future consumers of this field know to check it for a NUL terminator before using it. Reviewed-by: Daniel Kiper 2025-08-15 Doug Goldstein zfs: Fix LINUX_ROOT_DEVICE when VasEBoot-probe fails When VasEBoot-probe fails, the current code is to just stuff an empty result in which causes the user to not knowingly have a system that no longer boots. VasEBoot-probe can fail because the ZFS pool that contains the root filesystem might have features that VAS_EBOOT does not yet support which is a common configuration for people with a rpool and a bpool. This behavior uses the zdb utility to dump the same value as the filesystem label would print. Reviewed-by: Daniel Kiper 2025-08-15 Vladimir Serbinenko relocator: Switch to own page table while moving chunks We need to avoid clobbering existing table between starting of chunk movers and the moment we install target page table. Generate temporary table for this rather than hoping that we don't clobber existing one. Fixes 64-bit GhostBSD on 64-bit EFI. Reviewed-by: Daniel Kiper 2025-08-14 Mate Kukri configure: Generate tar-ustar tarball instead of tar-v7 Some of our paths are too long for tar-v7 at this point but tar-ustar is supported by essentially everything. So, let's use that. Reviewed-by: Daniel Kiper 2025-08-14 Mate Kukri build: Add new libgcrypt and libtasn1 related files to EXTRA_DISTS These files were not added to EXTRA_DISTS during the libgcrypt and libtasn1 imports but are required for autogen.sh to work. Reviewed-by: Daniel Kiper 2025-08-14 Mate Kukri build: Add util/import_gcrypt_inth.sed to EXTRA_DISTS This new file was not added to the distribution tarball during the last libgcrypt import. Fixes: 0739d24cd164 (libgcrypt: Adjust import script, definitions and API users for libgcrypt 1.11) Reviewed-by: Daniel Kiper 2025-08-14 Aaron Rainbolt include/xen/xen.h: Rename MAX_GUEST_CMDLINE to VAS_EBOOT_XEN_MAX_GUEST_CMDLINE The include/xen/xen.h header was using an overly generic name to refer to the maximum length of the command line passed from Xen to a guest. Rename it to avoid confusion or conflicts in the future. Reviewed-by: Daniel Kiper 2025-08-14 Frediano Ziglio loader/arm64/xen_boot: Set correctly bootargs property for modules The cmdline_size already account for NUL terminator, you can see this in xen_boot_binary_load(). The same property is set correctly for Xen command line. Reviewed-by: Daniel Kiper 2025-08-14 Frediano Ziglio loader/efi/linux: Return correct size from LoadFile2 From UEFI specifications 2.10, section 13.2.2, EFI_LOAD_FILE2_PROTOCOL.LoadFile (see https://uefi.org/specs/UEFI/2.10/13_Protocols_Media_Access.html), for BufferSize: On input the size of Buffer in bytes. On output with a return code of EFI_SUCCESS, the amount of data transferred to Buffer. On output with a return code of EFI_BUFFER_TOO_SMALL, the size of Buffer required to retrieve the requested file. So, set *buffer_size correctly. Reviewed-by: Daniel Kiper 2025-08-14 Luca Boccassi commands/bli: Set LoaderTpm2ActivePcrBanks runtime variable It turns out checking from userspace is not 100% reliable to figure out whether the firmware had TPM2 support enabled or not. For example with EDK2 arm64, the default upstream build config bundles TPM2 support with SecureBoot support, so if the latter is disabled, TPM2 is also unavailable. But still, the ACPI TPM2 table is created just as if it was enabled. So, /sys/firmware/acpi/tables/TPM2 exists and looks correct but there are no measurements, neither the firmware nor the loader/stub can do them, and /sys/kernel/security/tpm0/binary_bios_measurements does not exist. So, userspace cannot really tell what was going on in UEFI mode. The loader can use the apposite UEFI protocol to check, which is a more definitive answer. Export the bitmask with the list of active banks as-is. If it's not 0, then in userspace we can be sure a working TPM2 was available in UEFI mode. systemd-boot and systemd-stub v258 (current main) set this variable and userspace portion consumes it to be able to tell what was available in the firmware context. Reviewed-by: Daniel Kiper 2025-07-11 Vladimir Serbinenko docs: Write how to import new libgcrypt Reviewed-by: Daniel Kiper 2025-07-11 Vladimir Serbinenko libgcrypt: Fix a memory leak Fixes: CID 468917 Reviewed-by: Daniel Kiper 2025-07-11 Vladimir Serbinenko libgcrypt: Don't use 64-bit division on platforms where it's slow Reviewed-by: Daniel Kiper util/import_gcry: Fix pylint warnings Reviewed-by: Daniel Kiper util/import_gcry: Make compatible with Python 3.4 Reviewed-by: Daniel Kiper libgcrypt: Import blake family of hashes Reviewed-by: Daniel Kiper 2025-07-11 Vladimir Serbinenko libgcrypt: Ignore sign-compare warnings libgcrypt itself is compiled with -Wno-sign-compare. Do the same for consistency. Reviewed-by: Daniel Kiper 2025-07-11 Vladimir Serbinenko libgcrypt: Remove now unneeded compilation flag HAVE_STRTOUL is now defined in stdlib.h. Include it in g10lib.h rather than defining on command line. Reviewed-by: Daniel Kiper 2025-07-11 Vladimir Serbinenko libgcrypt: Fix Coverity warnings Reviewed-by: Daniel Kiper 2025-07-11 Vladimir Serbinenko keccak: Disable acceleration with SSE asm Libgcrypt code assumes that on x64 all SSE registers are fair game. While it's true that CPUs in question support it, we disable it in our compilation options. Disable the offending optimization. Reviewed-by: Daniel Kiper 2025-07-11 Vladimir Serbinenko tests: Add DSA and RSA SEXP tests This allows us to test purely the integration of the implementation of DSA and RSA from libgcrypt without concerning with additional code. Reviewed-by: Daniel Kiper 2025-07-11 Vladimir Serbinenko libgcrypt: Adjust import script, definitions and API users for libgcrypt 1.11 This patches modifies the VAS_EBOOT-libgcrypt API to match new libgcrypt 1.11. Reviewed-by: Daniel Kiper 2025-07-11 Vladimir Serbinenko b64dec: Add harness for compilation in VAS_EBOOT environment Reviewed-by: Daniel Kiper 2025-07-11 Vladimir Serbinenko b64dec: Import b64dec from gpg-error Imported from libgpg-error 1.51. Reviewed-by: Daniel Kiper 2025-07-11 Vladimir Serbinenko libgcrypt: Import libgcrypt 1.11 We currently use an old version of libgcrypt which results in us having fewer ciphers and missing on many other improvements. Reviewed-by: Daniel Kiper 2025-07-11 Mate Kukri loader/efi/linux: Use shim loader image handle where available Not reusing these handles will result in image measurements showing up twice in the event log. On the occasion add missing VasEBoot_free() call. Reviewed-by: Daniel Kiper 2025-07-11 Mate Kukri loader/efi/chainloader: Use shim loader image handle where available Not reusing these handles will result in image measurements showing up twice in the event log. Reviewed-by: Daniel Kiper 2025-07-11 Mate Kukri efi/sb: Add API for retrieving shim loader image handles Not reusing these handles will result in image measurements showing up twice in the event log. Reviewed-by: Daniel Kiper 2025-07-11 Mate Kukri efi/sb: Add support for the shim loader protocol Use loader protocol for image verification where available, otherwise fall back to the old shim lock protocol. Reviewed-by: Daniel Kiper 2025-07-11 Julian Andres Klode efi: Provide wrappers for load_image, start_image and unload_image These can be used to register a different implementation later, for example, when shim provides a protocol with those functions. Reviewed-by: Daniel Kiper 2025-07-11 Frediano Ziglio loader/arm64/xen_boot: Consider alignment calling VasEBoot_arch_efi_linux_boot_image() The Xen image is loaded with an alignment, not always at "start". Reviewed-by: Daniel Kiper Reviewed-by: Sudhakar Kuppusamy 2025-07-11 Frediano Ziglio loader/arm64/xen_boot: Use bool instead of int More readable, could consume less space. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-07-11 Frediano Ziglio loader/arm64/xen_boot: Remove correctly all modules loaded by xen_module command We need to use FOR_LIST_ELEMENTS_SAFE() instead of FOR_LIST_ELEMENTS() as single_binary_unload(), called during the loop, is changing the list using VasEBoot_list_remove(). Given the environment probably the old code simply removed only the first module on the list not freeing all the others. Reviewed-by: Daniel Kiper Reviewed-by: Sudhakar Kuppusamy 2025-07-11 Gary Lin dl: Fix VasEBoot_dl_is_persistent() for emu When attempting to build VasEBoot-emu the compilation failed with the following error message: include/VasEBoot/dl.h: In function ‘VasEBoot_dl_is_persistent’: include/VasEBoot/dl.h:262:1: error: no return statement in function returning non-void [-Werror=return-type] To avoid the error make the function always return 0. Fixes: ba8eadde6be1 (dl: Provide a fake VasEBoot_dl_set_persistent() and VasEBoot_dl_is_persistent() for the emu target) Cc: Daniel Axtens Cc: Sudhakar Kuppusamy Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-06-26 Lidong Chen loader/i386/pc/linux: Fix resource leak In VasEBoot_cmd_initrd(), memory is allocated for variable initrd_ctx before calling VasEBoot_relocator_alloc_chunk_align_safe(). When the function call fails, initrd_ctx should be freed before exiting VasEBoot_cmd_initrd(). Fixes: CID 473852 Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-06-26 Adriano Cordova loader/efi/linux: Unload previous Linux kernel/initrd before updating kernel size Unload previous Linux kernel/initrd before updating the global variable kernel_size. Otherwise the previous Linux kernel gets deallocated with the kernel_size of the Linux kernel that is being currently loaded. Reviewed-by: Daniel Kiper 2025-06-26 Frediano Ziglio loader/efi/linux: Correctly terminate load_options member If a simple string for arguments are passed it should be NUL terminated. This is true for other code but not for "linux" command. Reviewed-by: Daniel Kiper 2025-06-26 Frediano Ziglio loader/efi/linux: Use sizeof() instead of constant This is more consistent with the above code using sizeof(VasEBoot_efi_char16_t). Reviewed-by: Daniel Kiper 2025-06-26 Frediano Ziglio loader/efi/linux: Use proper type for len variable Although the length should not exceed 2^31 VasEBoot_size_t is more suitable for that variable. len is used to compute the size of buffers which in C is a size_t, not a int. It is used for VAS_EBOOT_EFI_BYTES_TO_PAGES which expects unsigned values. It is assigned to load_options_size which is unsigned, not signed. Reviewed-by: Daniel Kiper 2025-06-26 Frediano Ziglio loader/efi/linux: Do not pass excessive size for source string The size passed to VasEBoot_utf8_to_utf16() for the source string is used as a limit for the string if NUL character is not encountered. However, len, which is "strlen(src) * 2 + 2" is surely greater than strlen(src). Pass the exact correct length. Reviewed-by: Daniel Kiper 2025-06-26 Frediano Ziglio loader/efi/linux: Remove useless assignment If the following allocation fails this would leave load_options NULL while load_options_size not valid. If the allocation succeed load_options_size is overwritten. Reviewed-by: Daniel Kiper 2025-06-26 Frediano Ziglio include/VasEBoot/charset.h: Update documentation (VasEBoot_size_t) -1 is never returned, the function always return a not negative values. This is important for overflows considerations. Reviewed-by: Daniel Kiper 2025-06-26 Lidong Chen Revert "lzma: Make sure we don't dereference past array" Commit 40e261b89b71 (lib/LzmaEnc: Validate "len" before subtracting) ensures that the variable len is at least 2. As a result, GetLenToPosState(len) never returns a value greater than or equal to kNumLenToPosStates, making the changes introduced in the commit 16c0dbf4bc6a (lzma: Make sure we don't dereference past array) unreachable and no longer necessary. This reverts commit 16c0dbf4bc6a (lzma: Make sure we don't dereference past array). Fixes: CID 481982 Reviewed-by: Daniel Kiper 2025-06-26 Andrew Hamilton tests/util/VasEBoot-shell: Correct netboot and file_filter test failure Correct a test failure in netboot_test and file_filter_test caused by an issue cleaning up the tmp directory created for netboot. Netboot creates a subdirectory in the tmp folder that causes the rmdir to fail - so cleanup the subdirectory first. Fixes: 1d59f39b5f1b (tests/util/VasEBoot-shell: Remove the work directory on successful run and debug is not on) Tested-by: Leo Sandoval Reviewed-by: Daniel Kiper 2025-06-26 Lidong Chen normal/charset: Fix underflow and overflow in loop init In bidi_line_wrap(), "kk - 1" in the for loop init, "i = kk - 1", underflows when "kk" (unsigned int) is 0. Assigning the result of "kk - 1" to signed int "i" may cause overflow. To address both issues, cast "kk" to a signed type before subtraction to ensure safe arithmetic and assignment. Fixed: CID 473874 Reviewed-by: Daniel Kiper Reviewed-by: Sudhakar Kuppusamy 2025-06-26 Daniel Axtens dl: Provide a fake VasEBoot_dl_set_persistent() and VasEBoot_dl_is_persistent() for the emu target Trying to start VasEBoot-emu with a module that calls VasEBoot_dl_set_persistent() and VasEBoot_dl_is_persistent() will crash because VasEBoot-emu fakes modules and passes NULL to the module init function. Provide an empty function for the emu case. Fixes: ee7808e2197c (dl: Add support for persistent modules) Reviewed-by: Stefan Berger Reviewed-by: Avnish Chouhan Reviewed-by: Daniel Kiper 2025-06-26 Andrew Hamilton util/VasEBoot-protect: Correct uninit "err" variable In function protect_tpm2_export_tpm2key(), the "err" variable is uninitialized in the normal (error free) path, so ensure this defaults to VAS_EBOOT_ERR_NONE. This causes the VAS_EBOOT build to fail with clang (observed with clang-14). Fixes: 5934bf51c (util/VasEBoot-protect: Support NV index mode) Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-06-26 Lidong Chen gnulib: Bring back the fix for resolving unused variable issue This patch resolved a minor issue spotted by Coverity: a983d36bd917 (gnulib/regexec: Resolve unused variable) But, it was removed by the Gnulib update: 2b7902459803 (Update gnulib version and drop most gnulib patches) It caused Coverity to continue to flag the issue. Daniel Kiper suggested to bring back the patch a983d36bd917 (gnulib/regexec: Resolve unused variable). Fixes: CID 292459 Reviewed-by: Daniel Kiper 2025-06-26 Andrew Hamilton gnulib: Add patch to allow VAS_EBOOT w/GCC-15 compile Pull in Gnulib fix to allow lib/base64.c to compile using GCC 15 or newer. Pulled from Gnulib commit 25df6dc425 (Silence some -Wunterminated-string-initialization warnings.) GCC 15 adds a new compiler warning "-Wunterminated-string-initialization" that will trigger what is considered a false-positive in lib/base64.c as this array is not treated as a string but an array of characters so the lack of NUL string terminator is expected. GCC team has added ability to flag such instances of arrays that the compiler may think are strings as "nonstring" arrays to avoid this warning: __attribute__((nonstring)). Fixes: https://savannah.gnu.org/bugs/?66470 Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-06-17 Alec Brown gnulib/regexec: Fix resource leak In the function merge_state_with_log(), memory is allocated for the variable next_nodes when creating a union of the variables table_nodes and log_nodes. However, if next_state->entrance_nodes is NULL, then table_nodes becomes NULL and we still allocate memory to copy the content of log_nodes. This can cause a resource leak since we only free the memory for next_nodes if table_nodes isn't NULL. To prevent this, we need to check that next_state->entrance_nodes isn't NULL before allocating memory for the union. This issue has been fixed in the latest version of gnulib and I've backported this change to maintain consistency. This issue was found by a Coverity scan of VAS_EBOOT2 under the CID 473887. Fixes: CID 473887 Reviewed-by: Daniel Kiper 2025-06-17 Alec Brown gnulib/regcomp: Fix resource leak In the functions create_initial_state() and calc_eclosure_iter(), memory is allocated for the elems member of a re_node_set structure but that memory isn't freed on error. Before returning an error, a call to re_node_set_free() should be made to prevent the resource leak. This issue has been fixed in the latest version of gnulib and I've backported this change to maintain consistency. This issue was found by a Coverity scan of VAS_EBOOT2 under the following CIDs: 473869, 473888. Fixes: CID 473869 Fixes: CID 473888 Reviewed-by: Daniel Kiper 2025-06-17 Gary Lin tests/tpm2_key_protector_test: Add tests for SHA-384 PCR bank Add a few more tests to seal and unseal the key with the SHA-384 PCR bank instead of the default SHA-256 PCR bank. Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper 2025-06-17 Gary Lin tpm2_key_protector: Dump the PCR bank for key unsealing TPM 2.0 Key File format stores the PCR selection in the parameters for TPM2_PolicyPCR and it already contains the selected PCR bank. Currently, tpm2_key_protector dumped the PCR bank specified by the --bank option, and it may not be the PCR bank for key unsealing. To dump the real PCR bank for key unsealing, this commit records the PCR bank used by TPM2_PolicyPCR and dumps PCR values from that bank when necessary. Reviewed-by: Stefan Berger Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-06-17 Gary Lin util/VasEBoot-protect: Fix the hash algorithm of PCR digest For tpm2_key_protector and VasEBoot-protect, SHA-256 is chosen as the hash algorithm for the TPM session. However, VasEBoot-protect mistakenly used the hash algorithm of the PCR bank to calculate PCR digest. If the user chose a PCR bank other than SHA-256, VasEBoot-protect created a non-SHA-256 PCR digest to seal the key. But, tpm2_key_protector expects a SHA-256 PCR digest to the TPM unsealing session, so it would fail due to digest mismatch. This commit fixes the hash algorithm of PCR digest in VasEBoot-protect to avoid the potential unsealing failure. Fixes: https://github.com/lcp/VasEBoot2/issues/4 Reviewed-by: Stefan Berger Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper 2025-06-17 Andrew Hamilton build: Add new header files to dist to allow building from tar Several new header files have been added to VAS_EBOOT which need to be manually added to the dist archive. This allows building from the tar archive created by "make dist". Reviewed-by: Daniel Kiper 2025-06-17 Andrew Hamilton build: Remove extra_deps.lst from EXTRA_DIST This file is auto-generated based on the selected platform and should not be included in the source tarball. Fixes: 6744840b (build: Track explicit module dependencies in Makefile.core.def) Reviewed-by: Daniel Kiper 2025-06-17 Lidong Chen lib/LzmaEnc: Validate "len" before subtracting In LzmaEnc_CodeOneBlock(), both GetOptimumFast() and GetOptimum() returns a value of greater or equal to 1, which is assigned to "len". But since LZMA_MATCH_LEN_MIN == 2, "len" should be validated before performing "len - LZMA_MATCH_LEN_MIN" to avoid underflow when "len" equals to 1. Fixes: CID 51508 Reviewed-by: Daniel Kiper Reviewed-by: Sudhakar Kuppusamy 2025-06-12 Lidong Chen osdep/unix/hostdisk: Fix signed integer overflow The potential overflow issue arises at "size += ret;" because "size" is of type ssize_t (signed) while "len" is size_t (unsigned). Repeatedly adding read sizes, "ret", to "size" can potentially exceed the maximum value of ssize_t, causing it to overflow into a negative or incorrect value. The fix is to ensure "len" is within the range of SSIZE_MAX. Fixes: CID 473850 Fixes: CID 473863 Reviewed-by: Daniel Kiper 2025-05-29 Egor Ignatov disk/luks2: Add attempting to decrypt message to align with luks and geli modules Reviewed-by: Daniel Kiper 2025-05-29 Renaud Métrich osdep/linux/getroot: Detect DDF container similar to IMSM Similarly to Intel IMSM, there are BIOS and UEFI implementations that support DDF containers natively. DDF and IMSM are very similar in handling, especially these should not be considered as RAID abstraction. This fixes the requirement of having a device map when probing DDF containers. Fixes: https://issues.redhat.com/browse/RHEL-44336 Reviewed-by: Daniel Kiper 2025-05-29 Andrew Hamilton fs/fshelp: Avoid possible NULL pointer deference Avoid attempting to defererence a NULL pointer to call read_symlink() when the given filesystem does not provide a read_symlink() function. This could be triggered if the calling filesystem had a file marked as a symlink. This appears possible for HFS and was observed during fuzzing of NTFS. Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2025-05-29 Andrew Hamilton fs/ntfs: Correct possible infinite loops/hangs Correct several infinite loops/hangs found during fuzzing. The issues fixed here could occur if certain specific malformed NTFS file systems were presented to VAS_EBOOT. Currently, VAS_EBOOT does not allow NTFS file system access when lockdown mode is enforced, so these should be of minimal impact. The changes made in this commit generally correct issues such as attempting to iterate through a buffer using a length read from the NTFS file system without confirming the length is larger than 0. Reviewed-by: Daniel Kiper 2025-05-29 Andrew Hamilton fs/ntfs: Correct possible access violations Correct several memory access violations found during fuzzing. The issues fixed here could occur if certain specific malformed NTFS file systems were presented to VAS_EBOOT. Currently, VAS_EBOOT does not allow NTFS file system access when lockdown mode is enforced, so these should be of minimal impact. The changes made in this commit generally correct issues where pointers into data buffers were being calculated using lengths read from the NTFS file system without sufficient bounds/sanity checking; or attempting to access elements of a structure to free them, when the structure pointer is NULL. Reviewed-by: Daniel Kiper 2025-05-29 Andrew Hamilton fs/ntfs: Correct attribute vs attribute list validation Correct ntfs_test test failures around attempting to validate attribute list entries as attributes. The NTFS code uses common logic in some places to parse both attributes and attribute_lists which complicates validation. Attribute lists contain different headers including a different size of the length field (2 bytes) at offset 4 instead of the 4 byte length field used in attributes at offset 4. There are other differences as well, but attempting to validate attribute list types using attribute header validation was causing failure of the NTFS test suite. This change restores some of the validation logic which may be shared between attributes and attribute lists to be closer to the original logic prior to fixes for previous CVEs. A following commit will address some of the implications of removing this validation logic by correcting some fuzzer failures (some which are exposed by removing the validation in some of the cases). Fixes: 067b6d225 (fs/ntfs: Implement attribute verification) Reviewed-by: Daniel Kiper 2025-05-29 Andrew Hamilton fs/ntfs: Correct regression with run list calculation Correct ntfs_test test failures around attempting to validate attribute run list values. The calculation was incorrect for the "curr" variable. With previous calculation, some file systems would fail validation despite being well-formed and valid. This was caused by incrementing "curr" by min_size which included both the (already accounted for) min_size as well as the size of the run list. Correct by making a new variable "run_size" to denote the current run list size to increment both "curr" and "min_size" separately. Fixes: 067b6d225 (fs/ntfs: Implement attribute verification) Reviewed-by: Daniel Kiper 2025-05-29 Shreenidhi Shedi lib/envblk: Ignore empty new lines while parsing env files Environment files may contain empty lines, which should be ignored during parsing. Currently, these lines are not skipped and resulting in incorrect behavior. This patch adds a check to skip empty lines along with those starting with "#". Reviewed-by: Alexey Makhalov Reviewed-by: Daniel Kiper 2025-05-29 Glenn Washburn fs/zfs: Fix another memory leak in ZFS code Commit b66c6f918 (fs/zfs: Fix a number of memory leaks in ZFS code) fixes many of the same leaks detected in bug #63846 except one, which is fixed here. Fixes: https://savannah.gnu.org/bugs/?63846 Fixes: b66c6f918 (fs/zfs: Fix a number of memory leaks in ZFS code) Reviewed-by: Daniel Kiper 2025-05-29 Glenn Washburn tests: Disable gfxterm_menu and cmdline_cat tests Those tests fail depending on the version of unifont. As we don't distribute our own unifont it fails for most users. Disable them so that they don't mask real failures. They can be reinstated once we solve unifont problem. Reviewed-by: Daniel Kiper 2025-05-06 Michael Chang cryptocheck: Add --quiet option The option can be used to suppress output if we only want to test the return value of the command. Also, mention this option in the documentation. Reviewed-by: Daniel Kiper 2025-05-06 Maxim Suhanov disk/cryptodisk: Wipe the passphrase from memory Switching to another EFI boot application while there are secrets in RAM is dangerous, because not all firmware is wiping memory on free. To reduce the attack surface, wipe the passphrase acquired when unlocking an encrypted volume. Reviewed-by: Daniel Kiper 2025-05-06 Maxim Suhanov disk/cryptodisk: Add the "erase secrets" function This commit adds the VasEBoot_cryptodisk_erasesecrets() function to wipe master keys from all cryptodisks. This function is EFI-only. Since there is no easy way to "force unmount" a given encrypted disk, this function renders all mounted cryptodisks unusable. An attempt to read them will return garbage. This is why this function must be used in "no way back" conditions. Currently, it is used when unloading the cryptodisk module and when performing the "exit" command (it is often used to switch to the next EFI application). This function is not called when performing the "chainloader" command, because the callee may return to VAS_EBOOT. For this reason, users are encouraged to use "exit" instead of "chainloader" to execute third-party boot applications. This function does not guarantee that all secrets are wiped from RAM. Console output, chunks from disk read requests and other may remain. This function does not clear the IV prefix and rekey key for geli disks. Also, this commit adds the relevant documentation improvements. Reviewed-by: Daniel Kiper 2025-05-06 Maxim Suhanov docs: Document available crypto disks checks Document the --cryptodisk-only argument. Also, document the "cryptocheck" command invoked when that argument is processed. Reviewed-by: Daniel Kiper 2025-05-06 Maxim Suhanov commands/search: Add the diskfilter support When the --cryptodisk-only argument is given, also check the target device using the "cryptocheck" command, if available. This extends the checks to common layouts like LVM-on-LUKS, so the --cryptodisk-only argument transparently handles such setups. Reviewed-by: Daniel Kiper 2025-05-06 Maxim Suhanov disk/diskfilter: Introduce the "cryptocheck" command This command examines a given diskfilter device, e.g., an LVM disk, and checks if underlying disks, physical volumes, are cryptodisks, e.g., LUKS disks, this layout is called "LVM-on-LUKS". The return value is 0 when all underlying disks (of a given device) are cryptodisks (1 if at least one disk is unencrypted or in an unknown state). Users are encouraged to include the relevant check before loading anything from an LVM disk that is supposed to be encrypted. This further supports the CLI authentication, blocking bypass attempts when booting from an encrypted LVM disk. Reviewed-by: Daniel Kiper 2025-05-06 Maxim Suhanov commands/search: Introduce the --cryptodisk-only argument This allows users to restrict the "search" command's scope to encrypted disks only. Typically, this command is used to "rebase" $root and $prefix before loading additional configuration files via "source" or "configfile". Unfortunately, this leads to security problems, like CVE-2023-4001, when an unexpected, attacker-controlled device is chosen by the "search" command. The --cryptodisk-only argument allows users to ensure that the file system picked is encrypted. This feature supports the CLI authentication, blocking bypass attempts. Reviewed-by: Daniel Kiper 2025-05-06 Maxim Suhanov kern/rescue_reader: Block the rescue mode until the CLI authentication This further mitigates potential misuse of the CLI after the root device has been successfully unlocked via TPM. Fixes: CVE-2025-4382 Reviewed-by: Daniel Kiper 2025-04-23 Eric Sandeen fs/xfs: Fix large extent counters incompat feature support When large extent counter / NREXT64 support was added to VAS_EBOOT, it missed a couple of direct reads of nextents which need to be changed to the new NREXT64-aware helper as well. Without this, we'll have mis-reads of some directories with this feature enabled. The large extent counter fix likely raced on merge with commit 07318ee7e (fs/xfs: Fix XFS directory extent parsing) which added the new direct nextents reads just prior, causing this issue. Fixes: aa7c1322671e (fs/xfs: Add large extent counters incompat feature support) Reviewed-by: Anthony Iliopoulos Reviewed-by: Jon DeVree Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2025-04-10 Egor Ignatov util/VasEBoot-install: Include raid5rec module for RAID 4 as well RAID 4 requires the same recovery module as RAID 5. Extend the condition to cover both RAID levels. Reviewed-by: Daniel Kiper 2025-04-10 Vladimir Serbinenko loader/ia64/efi/linux: Reset VasEBoot_errno on failure to allocate The code goes on to allocate memory in another region on failure, hence it should discard the error. Reviewed-by: Daniel Kiper 2025-04-10 Vladimir Serbinenko lib/datetime: Specify license in emu module Other platforms specify license in platform-specific files but corresponding code for emu is in kernel, so datetime ends up without license section. Reviewed-by: Daniel Kiper 2025-04-10 Vladimir Serbinenko configure: Add -mno-relax on riscv* Without this option compiler sometimes emits R_RISCV_ALIGN relocs. Unlike other relocs this one requires the linker to do NOP deletions and we can't ignore them. Just instruct compiler not to emit them. Reviewed-by: Daniel Kiper 2025-04-10 Gary Lin docs: Document the long options of tpm2_key_protect_init Add the long options of tpm2_key_protect_init along with the short options. Reviewed-by: Daniel Kiper 2025-04-10 Gary Lin INSTALL: Document the packages needed for TPM2 key protector tests The TPM2 key protector tests require two external packages: swtpm-tools and tpm2-tools. Add those two packages to the INSTALL file to inform the user to install those packages before starting the TPM2 key protector tests. Reviewed-by: Daniel Kiper Reviewed-by: Stefan Berger 2025-04-10 Gary Lin docs: Update NV index mode of TPM2 key protector This commit updates the NV index mode section and the VasEBoot-protect section to reflect the recent changes in TPM2 key protector and VasEBoot-protect. Reviewed-by: Daniel Kiper 2025-04-10 Gary Lin tests/tpm2_key_protector_test: Add more NV index mode tests Two more NV index test cases are added to test key sealing and unsealing with the NV index handle 0x1000000. Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper 2025-04-10 Gary Lin tests/tpm2_key_protector_test: Reset "ret" on fail Reset "ret" to 0 when a test case fails so that the other test cases could continue. Also set the exit status to 1 when encountering a failure to reflect the test result. Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper 2025-04-10 Gary Lin tests/tpm2_key_protector_test: Simplify the NV index mode test Since VasEBoot-protect already supports NV index mode, tpm2_seal_nv() is replaced with one VasEBoot-protect command to simplify the test script. "tpm2_evictcontrol" is also replaced with "VasEBoot-protect --tpm2-evict". Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper 2025-04-10 Gary Lin util/VasEBoot-protect: Support NV index mode This commit implements the missing NV index mode support in VasEBoot-protect. NV index mode stores the sealed key in the TPM non-volatile memory (NVRAM) instead of a file. There are two supported types of TPM handles. 1. Persistent handle (0x81000000~0x81FFFFFF) Only the raw format is supported due to the limitation of persistent handles. This VasEBoot-protect command seals the key into the persistent handle 0x81000000. # VasEBoot-protect \ --protector=tpm2 \ --action=add \ --tpm2-bank=sha256 \ --tpm2-pcrs=7,11 \ --tpm2-keyfile=luks-key \ --tpm2-nvindex=0x81000000 2. NV index handle (0x1000000~0x1FFFFFF) Both TPM 2.0 Key File format and the raw format are supported by NV index handles. Here is the VasEBoot-protect command to seal the key in TPM 2.0 Key File format into the NV index handle 0x1000000. # VasEBoot-protect \ --protector=tpm2 \ --action=add \ --tpm2key \ --tpm2-bank=sha256 \ --tpm2-pcrs=7,11 \ --tpm2-keyfile=luks-key \ --tpm2-nvindex=0x1000000 Besides the "add" action, the corresponding "remove" action is also introduced. To remove the data from a persistent or NV index handle, just use "--tpm2-nvindex=HANDLE" combining with "--tpm2-evict". This sample command removes the data from the NV index handle 0x1000000. # VasEBoot-protect \ --protector=tpm2 \ --action=remove \ --tpm2-evict \ --tpm2-nvindex=0x1000000 Also set and check the boolean variables with true/false instead of 1/0. Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper 2025-04-10 Gary Lin tpm2_key_protector: Support NV index handles Previously, NV index mode only supported persistent handles which are only for TPM objects. On the other hand, the "NV index" handle allows the user-defined data, so it can be an alternative to the key file and support TPM 2.0 Key File format immediately. The following tpm2-tools commands store the given key file, sealed.tpm, in either TPM 2.0 Key File format or the raw format into the NV index handle 0x1000000. # tpm2_nvdefine -C o \ -a "ownerread|ownerwrite" \ -s $(stat -c %s sealed.tpm) \ 0x1000000 # tpm2_nvwrite -C o -i sealed.tpm 0x1000000 To unseal the key in VAS_EBOOT, add the "tpm2_key_protector_init" command to VasEBoot.cfg: tpm2_key_protector_init --mode=nv --nvindex=0x1000000 cryptomount -u --protector tpm2 To remove the NV index handle: # tpm2_nvundefine -C o 0x1000000 Reviewed-by: Daniel Kiper 2025-04-10 Gary Lin tpm2_key_protector: Unseal key from a buffer Extract the logic to handle the file buffer from the SRK recover function to prepare to load the sealed key from the NV index handle, so the NV index mode can share the same code path in the later patch. The SRK recover function now only reads the file and sends the file buffer to the new function. Besides this, to avoid introducing more options for the NV index mode, the file format is detected automatically before unmarshaling the data, so there is no need to use the command option to specify the file format anymore. In other words, "-T" and "-k" are the same now. Also update VasEBoot.text to address the change. Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper 2025-04-10 Gary Lin tss2: Add TPM 2.0 NV index commands The following TPM 2.0 commands are introduced to tss2 to access the TPM non-volatile memory associated with the NV index handles: - TPM2_NV_DefineSpace, - TPM2_NV_UndefineSpace, - TPM2_NV_ReadPublic, - TPM2_NV_Read, - TPM2_NV_Write. The related marshal/unmarshal functions are also introduced. Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper 2025-04-10 Gary Lin tss2: Fix the missing authCommand VasEBoot_tpm2_readpublic() and VasEBoot_tpm2_testparms() didn't check authCommand when marshaling the input data buffer. Currently, there is no caller using non-NULL authCommand. However, to avoid the potential issue, the conditional check is added to insert authCommand into the input buffer if necessary. Also fix a few pointer checks. Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper 2025-04-10 Gary Lin tpm2_key_protector: Add tpm2_dump_pcr command The user may need to inspect the TPM 2.0 PCR values with the VAS_EBOOT shell, so the new tpm2_dump_pcr command is added to print all PCRs of the specified bank. Also update the document for the new command. Tested-by: Stefan Berger Reviewed-by: Daniel Kiper 2025-04-10 Gary Lin tpm2_key_protector: Dump PCRs on policy fail PCR mismatch is one common cause of TPM key unsealing fail. Since the system may be compromised, it is not safe to boot into OS to get the PCR values and TPM eventlog for the further investigation. To provide some hints, VAS_EBOOT now dumps PCRs on policy fail, so the user can check the current PCR values. PCR 0~15 are chosen to cover the firmware, bootloader, and OS. The sample output: PCR Mismatch! Check firmware and bootloader before typing passphrase! TPM PCR [sha256]: 00: 17401f37710984c1d8a03a81fff3ab567ae9291bac61e21715b890ee28879738 01: 7a114329ba388445a96e8db2a072785937c1b7a8803ed7cc682b87f3ff3dd7a8 02: 11c2776849e8e24b7d80c926cbc4257871bffa744dadfefd3ed049ce25143e05 03: 6c33b362073e28e30b47302bbdd3e6f9cee4debca3a304e646f8c68245724350 04: 62d38838483ecfd2484ee3a2e5450d8ca3b35fc72cda6a8c620f9f43521c37d1 05: d8a85cb37221ab7d1f2cc5f554dbe0463acb6784b5b8dc3164ccaa66d8fff0e1 06: 9262e37cbe71ed4daf815b4a4881fb7251c9d371092dde827557d5368121e10e 07: 219d542233be492d62b079ffe46cf13396a8c27e520e88b08eaf2e6d3b7e70f5 08: de1f61c973b673e505adebe0d7e8fb65fde6c24dd4ab4fbaff9e28b18df6ecd3 09: c1de7274fa3e879a16d7e6e7629e3463d95f68adcfd17c477183846dccc41c89 10: 0000000000000000000000000000000000000000000000000000000000000000 11: 0000000000000000000000000000000000000000000000000000000000000000 12: 0000000000000000000000000000000000000000000000000000000000000000 13: 0000000000000000000000000000000000000000000000000000000000000000 14: 9ab9ebe4879a7f4dd00c04f37e79cfd69d0dd7a8bcc6b01135525b67676a3e40 15: 0000000000000000000000000000000000000000000000000000000000000000 16: 0000000000000000000000000000000000000000000000000000000000000000 17: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 18: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 19: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 20: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 21: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 22: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 23: 0000000000000000000000000000000000000000000000000000000000000000 error: failed to unseal sealed key (TPM2_Unseal: 0x99d). error: no key protector provided a usable key for luks (af16e48f-746b-4a12-aae1-c14dcee429e0). If the user happens to have the PCR values for key sealing, the PCR dump can be used to identify the changed PCRs and narrow down the scope for closer inspection. Please note that the PCR dump is trustworthy only if the VAS_EBOOT binary is authentic, so the user has to check the VAS_EBOOT binary thoroughly before using the PCR dump. Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper 2025-04-04 Patrick Colp loader/i386/linux: Update linux_kernel_params to match upstream Update linux_kernel_params to match the v6.13.7 upstream version of boot_params. Refactor most things out into structs, as the Linux kernel does. edid_info should be a struct with "unsigned char dummy[128]" and efi_info should be a struct as well, starting at 0x1c0. However, for backwards compatibility, VAS_EBOOT can have efi_systab at 0x1b8 and padding at 0x1bc (or padding at both spots). This cuts into the end of edid_info. Make edid_info inline and only make it go up to 0x1b8. Reviewed-by: Daniel Kiper 2025-04-04 Lidong Chen loader/xnu: Fix memory leak In VasEBoot_xnu_load_kext_from_dir(), when the call to VasEBoot_device_open() failed, it simply cleaned up previously allocated memory and returned VAS_EBOOT_ERR_NONE. However, it neglected to free ctx->newdirname which is allocated before the call to VasEBoot_device_open(). Fixes: CID 473859 Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2025-04-04 Lidong Chen fs/btrfs: Fix memory leaks Fix memory leaks in VasEBoot_btrfs_extent_read() and VasEBoot_btrfs_dir(). Fixes: CID 473842 Fixes: CID 473871 Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2025-04-04 Lidong Chen loader/i386/linux: Fix resource leak In VasEBoot_cmd_initrd(), initrd_ctx is allocated before calling VasEBoot_relocator_alloc_chunk_align(). When that function fails, initrd_ctx should be freed before exiting VasEBoot_cmd_initrd(). Fixes: CID 473852 Reviewed-by: Daniel Kiper 2025-04-04 Lidong Chen lib/reloacator: Fix memory leaks Fix memory leaks in VasEBoot_relocator_alloc_chunk_align(). Fixes: CID 473844 Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2025-04-04 Lidong Chen disk/ldm: Fix memory leaks Fix memory leaks in make_vg() with new helper functions, free_pv() and free_lv(). Additionally, correct a check after allocating comp->segments->nodes that mistakenly checked lv->segments->nodes instead, likely due to a copy-paste error. Fixes: CID 473878 Fixes: CID 473884 Fixes: CID 473889 Fixes: CID 473890 Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2025-03-26 Andrew Hamilton fs/ntfs: Fix NULL pointer dereference and possible infinite loop A regression was introduced recently as a part of the series of filesystem related patches to address some CVEs found in VAS_EBOOT. This issue may cause either an infinite loop at startup when accessing certain valid NTFS filesystems, or may cause a crash due to a NULL pointer dereference on systems where NULL address is invalid (such as may happen when calling VasEBoot-mount from the operating system level). Correct this issue by checking that at->attr_cur is within bounds inside find_attr(). Fixes: https://savannah.gnu.org/bugs/?66855 Fixes: aff263187 (fs/ntfs: Fix out-of-bounds read) Reviewed-by: Daniel Kiper 2025-03-26 Nicolas Frayer net/drivers/ieee1275/ofnet: Add missing VasEBoot_malloc() The VasEBoot_malloc() has been inadvertently removed from the code after it has been modified to use safe math functions. Fixes: 4beeff8a (net: Use safe math macros to prevent overflows) Tested-by: Marta Lewandowska Reviewed-by: Daniel Kiper 2025-03-26 Avnish Chouhan kern/ieee1275/init: Increase MIN_RMA size for CAS negotiation on PowerPC machines Change RMA size from 512 MB to 768 MB which will result in more memory at boot time for PowerPC. When vTPM, Secure Boot or FADump are enabled on PowerPC the 512 MB RMA memory is not sufficient for boot. With this 512 MB RMA, VAS_EBOOT runs out of memory and fails to boot the machine. Sometimes even usage of CDROM requires more memory for installation and along with the options mentioned above exhausts the boot memory which results in boot failures. Increasing the RMA size will resolves multiple out of memory issues observed on PowerPC machines. Failure details (VAS_EBOOT debug console dump): kern/ieee1275/init.c:550: mm requested region of size 8513000, flags 1 kern/ieee1275/init.c:563: Cannot satisfy allocation and retain minimum runtime space kern/ieee1275/init.c:550: mm requested region of size 8513000, flags 0 kern/ieee1275/init.c:563: Cannot satisfy allocation and retain minimum runtime space kern/file.c:215: Closing `/ppc/ppc64/initrd.img' ... kern/disk.c:297: Closing `ieee1275//vdevice/v-scsi@30000067/disk@8300000000000000'... kern/disk.c:311: Closing `ieee1275//vdevice/v-scsi@30000067/disk@8300000000000000' succeeded. kern/file.c:225: Closing `/ppc/ppc64/initrd.img' failed with 3. kern/file.c:148: Opening `/ppc/ppc64/initrd.img' succeeded. error: ../../VasEBoot-core/kern/mm.c:552:out of memory. Reviewed-by: Daniel Kiper 2025-03-26 Stuart Hayes fs/zfs: Fix a number of memory leaks in ZFS code Without this fix the VAS_EBOOT failed to boot linux with "out of memory" after trying to run a "search --fs-uuid..." on a system that has 7 ZFS pools across about 80 drives. Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2025-03-26 Glenn Washburn tests/util/VasEBoot-shell: Remove the work directory on successful run and debug is not on This removes a lot of empty VasEBoot-shell working directories in the TMPDIR directory. Tested-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2025-03-26 Thomas Schmitt tests/VasEBoot_cmd_cryptomount: Remove temporary directories if successful and debug is not on VasEBoot_cmd_cryptomount creates a directory per subtest. If a subtest is successful and debugging is not on, the directory should be empty. So, it can be deleted. Tested-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2025-03-26 Glenn Washburn tests/VasEBoot_cmd_cryptomount: Default TMPDIR to /tmp This fixes behavior where VasEBoot_cmd_cryptomount temporary files, which are some times not cleaned up, are left in the / directory. Set TMPDIR if your system does not have /tmp or it can not be used for some reason. Reported-by: Thomas Schmitt Tested-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2025-03-26 Glenn Washburn tests/VasEBoot_cmd_cryptomount: Cleanup the cryptsetup script unless debug is enabled This fixes an issue where the VasEBoot_cmd_cryptomount test leaves a file with an ambiguous name in the / directory when TMPDIR is not set. Reported-by: Thomas Schmitt Tested-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2025-03-26 Glenn Washburn tests: Cleanup generated files on expected failure in VasEBoot_cmd_cryptomount VasEBoot-shell-luks-tester only cleans up generated files when the test it runs returns success. Sometimes tests are run that should fail. Add a --xfail argument to VasEBoot-shell-luks-tester and pass it from VasEBoot_cmd_cryptomount when invoking a test that is expected to fail. Reported-by: Thomas Schmitt Tested-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2025-03-26 Glenn Washburn tests/util/VasEBoot-shell-luks-tester: Add missing line to create RET variable in cleanup Set the RET variable to the exit status of the script, as was assumed in the cleanup() function. Reported-by: Thomas Schmitt Tested-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2025-03-26 Glenn Washburn tests/util/VasEBoot-shell-luks-tester: Find cryptodisk by UUID VAS_EBOOT has the capability to search all the disks for a cryptodisk of a given UUID. Use this instead of hardcoding which disk is the cryptodisk, which can change when devices are added or removed, or potentially when QEMU is upgraded. This can not be done for the detached header tests because the header contains the UUID. Also, capitalize comment lines for consistency. Reviewed-by: Daniel Kiper 2025-03-26 Glenn Washburn tests/util/VasEBoot-shell: Default qemuopts to envvar $VAS_EBOOT_QEMU_OPTS Fix a regression where qemuopts was mistakenly defaulted to the empty string. This prevents the sending of arbitrary QEMU options to tests, which may be desirable for overriding the machine type. There was a concern that allowing the tester to accept arbitrary options would add headaches for another developer trying to diagnose why a test failed on the testers machine because he could not be sure if any additional options were passed to make the test fail. However, all the options are recorded in the run.sh generated script, so this concern is unwarranted. Fixes: 6d729ced70 (tests/util/VasEBoot-shell: Add $VAS_EBOOT_QEMU_OPTS to run.sh to easily see unofficial QEMU arguments) Reviewed-by: Daniel Kiper 2025-03-05 Patrick Plenefisch disk/lvm: Add informational messages in error cases of ignored features Reviewed-by: Daniel Kiper 2025-03-05 Patrick Plenefisch disk/lvm: Add support for cachevol LV Mark cachevol LV's as ignored features, which is true only if they are configured as "writethrough". This patch does not let VAS_EBOOT boot from "writeback" cache-enabled LV's. Reviewed-by: Daniel Kiper 2025-03-05 Patrick Plenefisch disk/lvm: Add support for integrity LV The LV matching must be done after processing the ignored feature indirections, as integrity volumes & caches may have several levels of indirection that the segments must be shifted through. Reviewed-by: Daniel Kiper 2025-03-05 Patrick Plenefisch lvm: Match all LVM segments before validation The PV matching must be completely finished before validating a volume, otherwise referenced RAID stripes may not have PV data applied yet. This change is required for integrity & cachevol support. Reviewed-by: Daniel Kiper 2025-03-05 Patrick Plenefisch disk/lvm: Remove unused cache_pool The cache_pool is never read or used, remove it. Reviewed-by: Daniel Kiper 2025-03-05 Patrick Plenefisch disk/lvm: Make cache_lv more generic as ignored_feature_lv This patch isn't necessary by itself, but when combined with subsequent patches it enhances readability as ignored_features_lv is then used for multiple types of extra LV's, not just cache LV's. Reviewed-by: Daniel Kiper 2025-03-05 Glenn Washburn commands/ls: Add directory header for dir args Like the GNU ls, first print a line with the directory path before printing files in the directory, which will not have a directory component, but only if there is more than one argument. Reviewed-by: Daniel Kiper 2025-03-05 Glenn Washburn commands/ls: Print full paths for file args For arguments that are paths to files, print the full path of the file. Reviewed-by: Daniel Kiper 2025-03-05 Glenn Washburn commands/ls: Output path for single file arguments given with path Reviewed-by: Daniel Kiper 2025-03-05 Glenn Washburn commands/ls: Show modification time for file paths The modification time for paths to files was not being printed because the VasEBoot_dirhook_info, which contains the mtime, was initialized to NULL. Instead of calling print_file() directly, use fs->fs_dir() to call print_file() with a properly filled in VasEBoot_dirhook_info. This has the added benefit of reducing code complexity. Reviewed-by: Daniel Kiper 2025-03-05 Glenn Washburn commands/ls: Merge print_files_long() and print_files() into print_file() Simplify the code by removing logic around which file printer to call. Reviewed-by: Daniel Kiper 2025-03-05 Glenn Washburn commands/ls: Return proper VAS_EBOOT_ERR_* for functions returning type VasEBoot_err_t Also, remove unused code. Reviewed-by: Daniel Kiper 2025-03-05 Glenn Washburn commands/acpi: Use options enum to index command options Reviewed-by: Daniel Kiper 2025-03-05 Andrew Hamilton docs: Capture additional commands restricted by lockdown Update documentation to capture that all memrw commands, the minicmd dump command, and raw memory dumping via hexdump are restricted when lockdown is enabled. This aligns to recent VAS_EBOOT code updates. Reviewed-by: Daniel Kiper 2025-03-05 Andrew Hamilton docs: Document restricted filesystems in lockdown Document which filesystems are not allowed when lockdown is enabled to align to recent VAS_EBOOT changes. Reviewed-by: Daniel Kiper 2025-03-05 Vladimir Serbinenko loader/i386/bsd: Fix type passed for the kernel FreeBSD loader always passes "elf kernel". We currently pass "elf64 kernel" when loading 64-bit kernel. The -CURRENT, HEAD, kernel accepts only "elf kernel". Older kernel accepts either. Tested with FreeBSD and DragonFlyBSD. Reference: https://cgit.freebsd.org/src/commit/?id=b72ae900d4348118829fe04abdc11b620930c30f Reviewed-by: Daniel Kiper 2025-03-05 Vladimir Serbinenko kern/partition: Unbreak support for nested partitions When using syntax "hd0,gtp3,dfly1" then ptr points to trailing part, ",dfly1". So, it's improper to consider it as an invalid partition. Reviewed-by: Daniel Kiper 2025-03-05 Andrew Hamilton lib/tss2/tss2_structs.h: Fix clang build - remove duplicate typedef VasEBoot-core/lib/tss2/tss2_structs.h contains a duplicate typedef as follows: typedef TPMS_SCHEME_HASH_t TPMS_SCHEME_KDF2_t; This causes a build failure when compiling with clang. Remove the duplicate typedef which allows successfully building VAS_EBOOT with clang. Reviewed-by: Ross Philipson Reviewed-by: Gary Lin Reviewed-by: Daniel Kiper 2025-03-05 Yuri Zaporozhets include/VasEBoot/mm.h: Remove duplicate inclusion of VasEBoot/err.h The header is included twice. Fix that. Reviewed-by: Daniel Kiper 2025-03-05 James Le Cuirot script/execute: Don't let trailing blank lines determine the return code The VasEBoot_script_execute_sourcecode() parses and executes code one line at a time, updating the return code each time because only the last line determines the final status. However, trailing new lines were also executed, masking any failure on the previous line. Fix this by only trying to execute the command when there is actually one present. This has presumably never been noticed because this code is not used by regular functions, only in special cases like eval and menu entries. The latter generally don't return at all, having booted an OS. When failing to boot, upstream VAS_EBOOT triggers the fallback mechanism regardless of the return code. We noticed the problem while using Red Hat's patches, which change this behaviour to take account of the return code. In that case, a failure takes you back to the menu rather than triggering a fallback. Reviewed-by: Daniel Kiper 2025-03-05 Glenn Washburn gitignore: Ignore generated files from libtasn The commit 504058e8 (libtasn1: Compile into asn1 module) generates files into the VasEBoot-core/lib/libtasn1-VasEBoot directory and commit 99cda678 (asn1_test: Test module for libtasn1) generates files into the VasEBoot-core/tests/asn1/tests directory. Ignore these directories as they are not under revision control. Reviewed-by: Daniel Kiper 2025-03-05 Pascal Hambourg util/VasEBoot.d/30_os-prober.in: Conditionally show or hide chain and efi menu entries On systems which support multiple boot platforms such as BIOS and EFI, it makes no sense to show menu entries which are not supported by the current boot platform. Menu entries generated from os-prober "chain" boot type use boot sector chainloading which is supported on PC BIOS platform only. Show "chain" menu entries only if boot platform is PC BIOS. Show "efi" menu entries only if boot platform is EFI. This is aimed to allow os-prober to report both EFI and PC BIOS boot loaders regardless of the current boot mode on x86 systems which support both EFI and legacy BIOS boot, in order to generate a config file which can be used with either BIOS or EFI boot. Reviewed-by: Daniel Kiper 2025-02-26 Pascal Hambourg util/VasEBoot.d/30_os-prober.in: Fix VAS_EBOOT_OS_PROBER_SKIP_LIST for non-EFI VAS_EBOOT documentation states: VAS_EBOOT_OS_PROBER_SKIP_LIST List of space-separated FS UUIDs of filesystems to be ignored from os-prober output. For efi chainloaders it’s @ But the actual behaviour does not match this description. VAS_EBOOT_OS_PROBER_SKIP_LIST="" does nothing. In order to skip non-EFI bootloaders, you must set VAS_EBOOT_OS_PROBER_SKIP_LIST="@" which is both absurd, and are redundant, and wrong, such as /dev/sd* may not be persistent across boots. Also, any non-word character is accepted as a separator, including "-" and "@" which may be present in UUIDs. This can cause false positives because of partial UUID match. This patch fixes these flaws while retaining some backward compatibility with previous behaviour which may be expected by existing setups: - also accept @/dev/* (with warning) for non-EFI bootloaders, - also accept comma and semicolon as separator. Fixes: 55e706c9 (Add VAS_EBOOT_OS_PROBER_SKIP_LIST to selectively skipping systems) Reviewed-by: Daniel Kiper 2025-02-26 Glenn Washburn docs: Do not reference non-existent --dumb option This appears to be a relic from VAS_EBOOT legacy that used a --dumb option for its terminal command. The proper way to do this in VAS_EBOOT2 is to set the terminal to "dumb" via the terminfo command. Fixes: https://savannah.gnu.org/bugs/?66302 Reported-by: Jernej Jakob Reviewed-by: Daniel Kiper 2025-02-26 Glenn Washburn docs: Replace @lbracechar{} and @rbracechar{} with @{ and @} Support for @lbracechar{} and @rbracechar{} was added in GNU Texinfo 5.0 but many older systems may have versions lower than this. Use @{ and @} to support a wider range of GNU Texinfo versions. Reviewed-by: Daniel Kiper 2025-02-26 Egor Ignatov fs/xfs: Fix VasEBoot_xfs_iterate_dir() return value in case of failure Commit ef7850c757 (fs/xfs: Fix issues found while fuzzing the XFS filesystem) introduced multiple boundary checks in VasEBoot_xfs_iterate_dir() but handled the error incorrectly returning error code instead of 0. Fix it. Also change the error message so that it doesn't match the message in VasEBoot_xfs_read_inode(). Fixes: ef7850c757 (fs/xfs: Fix issues found while fuzzing the XFS filesystem) Reviewed-by: Daniel Kiper 2025-02-26 Darrick J. Wong fs/xfs: Add new superblock features added in Linux 6.12/6.13 The Linux port of XFS added a few new features in 2024. The existing VAS_EBOOT driver doesn't attempt to read or write any of the new metadata, so, all three can be added to the incompat allowlist. On the occasion align XFS_SB_FEAT_INCOMPAT_NREXT64 value. Reviewed-by: Daniel Kiper 2025-02-26 Michael Chang fs/ext2: Rework out-of-bounds read for inline and external extents Previously, the number of extent entries was not properly capped based on the actual available space. This could lead to insufficient reads for external extents since the computation was based solely on the inline extent layout. In this patch, when processing the extent header we determine whether the header is stored inline, i.e. at inode->blocks.dir_blocks, or in an external extent block. We then clamp the number of entries accordingly (using max_inline_ext for inline extents and max_external_ext for external extent blocks). This change ensures that only the valid number of extent entries is processed preventing out-of-bound reads and potential filesystem corruption. Fixes: 7e2f750f0a (fs/ext2: Fix out-of-bounds read for inline extents) Tested-by: Christian Hesse Reviewed-by: Daniel Kiper 2025-02-26 Leo Sandoval disk/ahci: Remove conditional operator for endtime The conditional makes no sense when the two possible expressions have the same value, so, remove it (perhaps the compiler does it for us but better to remove it). This change makes spinup argument unused. So, drop it as well. Reviewed-by: Daniel Kiper 2025-02-26 Benjamin Herrenschmidt term/ns8250-spcr: Return if redirection is disabled The Microsoft spec for SPCR says "The base address of the Serial Port register set described using the ACPI Generic Address Structure, or 0 if console redirection is disabled". So, return early if redirection is disabled (base address = 0). If this check is not done we may get invalid ports on machines with redirection disabled and boot may hang when reading the VasEBoot.cfg file. Reviewed-by: Leo Sandoval Reviewed-by: Daniel Kiper 2025-02-26 Lukas Fink commands/file: Fix NULL dereference in the knetbsd tests The pointer returned by VasEBoot_elf_file() is not checked to verify it is not NULL before use. A NULL pointer may be returned when the given file does not have a valid ELF header. Fixes: https://savannah.gnu.org/bugs/?61960 Reviewed-by: Ross Philipson Reviewed-by: Daniel Kiper 2025-02-26 Heinrich Schuchardt gdb_helper: Typo hueristic %s/hueristic/heuristic/ Reviewed-by: Ross Philipson Reviewed-by: Daniel Kiper 2025-02-26 Ruihan Li kern/efi/mm: Reset VasEBoot_mm_add_region_fn after ExitBootServices() call The EFI Boot Services can be used after ExitBootServices() call because the VAS_EBOOT code still may allocate memory. An example call stack is: VasEBoot_multiboot_boot VasEBoot_multiboot2_make_mbi VasEBoot_efi_finish_boot_services b->exit_boot_services normal_boot VasEBoot_relocator32_boot VasEBoot_relocator_alloc_chunk_align_safe VasEBoot_relocator_alloc_chunk_align VasEBoot_malloc VasEBoot_memalign VasEBoot_mm_add_region_fn [= VasEBoot_efi_mm_add_regions] VasEBoot_efi_allocate_any_pages VasEBoot_efi_allocate_pages_real b->allocate_pages This can lead to confusing errors. After ExitBootServices() call b->allocate_pages may point to the NULL address resulting in something like: !!!! X64 Exception Type - 01(#DB - Debug) CPU Apic ID - 00000000 !!!! RIP - 000000000000201F, CS - 0000000000000038, RFLAGS - 0000000000200002 RAX - 000000007F9EE010, RCX - 0000000000000001, RDX - 0000000000000002 RBX - 0000000000000006, RSP - 00000000001CFBEC, RBP - 0000000000000000 RSI - 0000000000000000, RDI - 00000000FFFFFFFF R8 - 0000000000000006, R9 - 000000007FEDFFB8, R10 - 0000000000000000 R11 - 0000000000000475, R12 - 0000000000000001, R13 - 0000000000000002 R14 - 00000000FFFFFFFF, R15 - 000000007E432C08 DS - 0000000000000030, ES - 0000000000000030, FS - 0000000000000030 GS - 0000000000000030, SS - 0000000000000030 CR0 - 0000000080010033, CR2 - 0000000000000000, CR3 - 000000007FC01000 CR4 - 0000000000000668, CR8 - 0000000000000000 DR0 - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000 DR3 - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400 GDTR - 000000007F9DE000 0000000000000047, LDTR - 0000000000000000 IDTR - 000000007F470018 0000000000000FFF, TR - 0000000000000000 FXSAVE_STATE - 00000000001CF840 Ideally we would like to avoid all memory allocations after exiting EFI Boot Services altogether but that requires significant code changes. This patch adds a simple workaround that resets VasEBoot_mm_add_region_fn to NULL after ExitBootServices() call, so: - Memory allocations have a better chance of succeeding because VasEBoot_memalign() will try to reclaim the disk cache if it sees a NULL in VasEBoot_mm_add_region_fn. - At worst it will fail to allocate memory but it will explicitly tell users that it's out of memory, which is still much better than the current situation where it fails in a fairly random way and triggers a CPU fault. Reviewed-by: Daniel Kiper 2025-02-26 Duan Yayong i386/tsc: The VAS_EBOOT menu gets stuck due to unserialized rdtsc This patch is used to fix VAS_EBOOT menu gets stuck in server AC poweron/poweroff stress test of x86_64, which is reproduced with 1/200 ratio. The root cause analysis as below: Q: What's the code logic? A: The VasEBoot_tsc_init() function will init tsc by setting VasEBoot_tsc_rate, which call stack is: VasEBoot_tsc_init() -> VasEBoot_tsc_calibrate_from_pmtimer() -> VasEBoot_divmod64() Among, VasEBoot_divmod64() function needs tsc_diff as the second parameter. In VasEBoot_pmtimer_wait_count_tsc(), we will call VasEBoot_get_tsc() function to get time stamp counter value to assign to start_tsc variable, and get into while (1) loop space to get end_tsc variable value with same function, after 3580 ticks, return "end_tsc - start_tsc". Actually, rdtsc instruction will be called in VasEBoot_get_tsc, but rdtsc instruction is not reliable (for the reason see the next question), which will cause tsc_diff to be a very big number larger than (1UL << 32) or a negative number, so that VasEBoot_tsc_rate will be zero. When run_menu() function is startup, and calls VasEBoot_tsc_get_time_ms() function to get current time to check if timeout time reach, at this time, VasEBoot_tsc_get_time_ms() function will return zero due to zero VasEBoot_tsc_rate variable, then VAS_EBOOT menu gets stuck... Q: What's the difference between rdtsc and rdtscp instructions in x86_64 architecture? Here is more explanations from Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 2B (December 2024): https://cdrdv2.intel.com/v1/dl/getContent/671241 A: In page 4-558 -> RDTSC—Read Time-Stamp Counter: The RDTSC instruction is not a serializing instruction. It does not necessarily wait until all previous instructions have been executed before reading the counter. Similarly, subsequent instructions may begin execution before the read operation is performed. The following items may guide software seeking to order executions of RDTSC: - If software requires RDTSC to be executed only after all previous instructions have executed and all previous loads are globally visible, it can execute LFENCE immediately before RDTSC. - If software requires RDTSC to be executed only after all previous instructions have executed and all previous loads and stores are globally visible, it can execute the sequence MFENCE;LFENCE immediately before RDTSC. - If software requires RDTSC to be executed prior to execution of any subsequent instruction (including any memory accesses), it can execute the sequence LFENCE immediately after RDTSC. A: In page 4-560 -> RDTSCP—Read Time-Stamp Counter and Processor ID: The RDTSCP instruction is not a serializing instruction, but it does wait until all previous instructions have executed and all previous loads are globally visible. But it does not wait for previous stores to be globally visible, and subsequent instructions may begin execution before the read operation is performed. The following items may guide software seeking to order executions of RDTSCP: - If software requires RDTSCP to be executed only after all previous stores are globally visible, it can execute MFENCE immediately before RDTSCP. - If software requires RDTSCP to be executed prior to execution of any subsequent instruction (including any memory accesses), it can execute LFENCE immediately after RDTSCP. Q: Why there is a cpuid serializing instruction before rdtsc instruction, but "VasEBoot_get_tsc" still cannot work as expect? A: From Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 2A: Instruction Set Reference, A-L (December 2024): https://cdrdv2.intel.com/v1/dl/getContent/671199 In page 3-222 -> CPUID—CPU Identification: CPUID can be executed at any privilege level to serialize instruction execution. Serializing instruction execution guarantees that any modifications to flags, registers, and memory for previous instructions are completed before the next instruction is fetched and executed. So we only kept the instruction rdtsc and its previous instruction in order currently. But it is still out-of-order possibility between rdtsc instruction and its subsequent instruction. Q: Why do we do this fix? A: In the one hand, add cpuid instruction after rdtsc instruction to make sure rdtsc instruction to be executed prior to execution of any subsequent instruction, about serializing execution that all previous instructions have been executed before rdtsc, there is a cpuid usage in original code. In the other hand, using cpuid instruction rather than lfence can make sure a forward compatibility for previous HW. Base this fix, we did 1500 cycles power on/off stress test, and did not reproduce this issue again. Fixes: https://savannah.gnu.org/bugs/?66257 Reviewed-by: Daniel Kiper 2025-02-26 Duan Yayong kern/i386/tsc_pmtimer: The VAS_EBOOT menu gets stuck due to failed calibration The VasEBoot_divmod64() may return 0 but VasEBoot_tsc_calibrate_from_pmtimer() still returns 1 saying calibration succeeded. Of course it is not true. So, return 0 when VasEBoot_divmod64() returns 0. This way other calibration functions can be called subsequently. Reviewed-by: Daniel Kiper 2025-02-26 Sergii Dmytruk loader/i386/linux: Fix cleanup if kernel doesn't support 64-bit addressing Simply returning from VasEBoot_cmd_linux() doesn't free "file" resource nor calls VasEBoot_dl_ref(my_mod). Jump to "fail" label for proper cleanup like other error checks do. Reviewed-by: Daniel Kiper 2025-02-13 Alec Brown loader/i386/bsd: Use safe math to avoid underflow The operation kern_end - kern_start may underflow when we input it into VasEBoot_relocator_alloc_chunk_addr() call. To avoid this we can use safe math for this subtraction. Fixes: CID 73845 Reviewed-by: Daniel Kiper 2025-02-13 Alec Brown loader/i386/linux: Cast left shift to VasEBoot_uint32_t The Coverity complains that we might overflow into a negative value when setting linux_params.kernel_alignment to (1 << align). We can remedy this by casting it to VasEBoot_uint32_t. Fixes: CID 473876 Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen kern/misc: Add sanity check after VasEBoot_strtoul() call When the format string, fmt0, includes a positional argument VasEBoot_strtoul() or VasEBoot_strtoull() is called to extract the argument position. However, the returned argument position isn't fully validated. If the format is something like "%0$x" then these functions return 0 which leads to an underflow in the calculation of the args index, curn. The fix is to add a check to ensure the extracted argument position is greater than 0 before computing curn. Additionally, replace one VasEBoot_strtoull() with VasEBoot_strtoul() and change curn type to make code more correct. Fixes: CID 473841 Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen kern/partition: Add sanity check after VasEBoot_strtoul() call The current code incorrectly assumes that both the input and the values returned by VasEBoot_strtoul() are always valid which can lead to potential errors. This fix ensures proper validation to prevent any unintended issues. Fixes: CID 473843 Reviewed-by: Daniel Kiper 2025-02-13 Alec Brown normal/menu: Use safe math to avoid an integer overflow The Coverity indicates that the variable current_entry might overflow. To prevent this use safe math when adding VAS_EBOOT_MENU_PAGE_SIZE to current_entry. On the occasion fix limiting condition which was broken. Fixes: CID 473853 Reviewed-by: Daniel Kiper 2025-02-13 Alec Brown bus/usb/ehci: Define VAS_EBOOT_EHCI_TOGGLE as VasEBoot_uint32_t The Coverity indicates that VAS_EBOOT_EHCI_TOGGLE is an int that contains a negative value and we are using it for the variable token which is VasEBoot_uint32_t. To remedy this we can cast the definition to VasEBoot_uint32_t. Fixes: CID 473851 Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen misc: Ensure consistent overflow error messages Update the overflow error messages to make them consistent across the VAS_EBOOT code. Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen osdep/unix/getroot: Fix potential underflow The entry_len is initialized in VasEBoot_find_root_devices_from_mountinfo() to 0 before the while loop iterates through /proc/self/mountinfo. If the file is empty or contains only invalid entries entry_len remains 0 causing entry_len - 1 in the subsequent for loop initialization to underflow. To prevent this add a check to ensure entry_len > 0 before entering the for loop. Fixes: CID 473877 Reviewed-by: Daniel Kiper Reviewed-by: Ross Philipson 2025-02-13 Lidong Chen script/execute: Fix potential underflow and NULL dereference The result is initialized to 0 in VasEBoot_script_arglist_to_argv(). If the for loop condition is not met both result.args and result.argc remain 0 causing result.argc - 1 to underflow and/or result.args NULL dereference. Fix the issues by adding relevant checks. Fixes: CID 473880 Reviewed-by: Daniel Kiper 2025-02-13 Alec Brown fs/sfs: Check if allocated memory is NULL When using VasEBoot_zalloc(), if we are out of memory, this function can fail. After allocating memory, we should check if VasEBoot_zalloc() returns NULL. If so, we should handle this error. Fixes: CID 473856 Reviewed-by: Ross Philipson Reviewed-by: Daniel Kiper 2025-02-13 Alec Brown net: Check if returned pointer for allocated memory is NULL When using VasEBoot_malloc(), the function can fail if we are out of memory. After allocating memory we should check if this function returned NULL and handle this error if it did. Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen net: Prevent overflows when allocating memory for arrays Use VasEBoot_calloc() when allocating memory for arrays to ensure proper overflow checks are in place. Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen net: Use safe math macros to prevent overflows Replace direct arithmetic operations with macros from include/VasEBoot/safemath.h to prevent potential overflow issues when calculating the memory sizes. Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen fs/zfs: Add missing NULL check after VasEBoot_strdup() call Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen fs/zfs: Check if returned pointer for allocated memory is NULL When using VasEBoot_malloc() or VasEBoot_zalloc(), these functions can fail if we are out of memory. After allocating memory we should check if these functions returned NULL and handle this error if they did. Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen fs/zfs: Prevent overflows when allocating memory for arrays Use VasEBoot_calloc() when allocating memory for arrays to ensure proper overflow checks are in place. Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen fs/zfs: Use safe math macros to prevent overflows Replace direct arithmetic operations with macros from include/VasEBoot/safemath.h to prevent potential overflow issues when calculating the memory sizes. Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen fs: Prevent overflows when assigning returned values from read_number() The direct assignment of the unsigned long long value returned by read_number() can potentially lead to an overflow on a 32-bit systems. The fix replaces the direct assignments with calls to VasEBoot_cast() which detects the overflows and safely assigns the values if no overflow is detected. Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen fs: Prevent overflows when allocating memory for arrays Use VasEBoot_calloc() when allocating memory for arrays to ensure proper overflow checks are in place. The HFS+ and squash4 security vulnerabilities were reported by Jonathan Bar Or . Fixes: CVE-2025-0678 Fixes: CVE-2025-1125 Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen fs: Use safe math macros to prevent overflows Replace direct arithmetic operations with macros from include/VasEBoot/safemath.h to prevent potential overflow issues when calculating the memory sizes. Reviewed-by: Daniel Kiper 2025-02-13 Alec Brown disk/ieee1275/ofdisk: Call VasEBoot_ieee1275_close() when VasEBoot_malloc() fails In the dev_iterate() function a handle is opened but isn't closed when VasEBoot_malloc() returns NULL. We should fix this by closing it on error. Reviewed-by: Daniel Kiper 2025-02-13 Alec Brown disk: Check if returned pointer for allocated memory is NULL When using VasEBoot_malloc(), VasEBoot_zalloc() or VasEBoot_calloc(), these functions can fail if we are out of memory. After allocating memory we should check if these functions returned NULL and handle this error if they did. On the occasion make a NULL check in ATA code more obvious. Reviewed-by: Daniel Kiper 2025-02-13 Alec Brown disk: Prevent overflows when allocating memory for arrays Use VasEBoot_calloc() when allocating memory for arrays to ensure proper overflow checks are in place. Reviewed-by: Daniel Kiper 2025-02-13 Alec Brown disk: Use safe math macros to prevent overflows Replace direct arithmetic operations with macros from include/VasEBoot/safemath.h to prevent potential overflow issues when calculating the memory sizes. Reviewed-by: Daniel Kiper 2025-02-13 Daniel Axtens fs: Disable many filesystems under lockdown The idea is to permit the following: btrfs, cpio, exfat, ext, f2fs, fat, hfsplus, iso9660, squash4, tar, xfs and zfs. The JFS, ReiserFS, romfs, UDF and UFS security vulnerabilities were reported by Jonathan Bar Or . Fixes: CVE-2025-0677 Fixes: CVE-2025-0684 Fixes: CVE-2025-0685 Fixes: CVE-2025-0686 Fixes: CVE-2025-0689 Suggested-by: Daniel Axtens Reviewed-by: Daniel Kiper 2025-02-13 Daniel Axtens fs/bfs: Disable under lockdown The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown. This will also disable the AFS. Fixes: CVE-2024-45778 Fixes: CVE-2024-45779 Reported-by: Nils Langius Reviewed-by: Daniel Kiper 2025-02-13 B Horn commands/hexdump: Disable memory reading in lockdown mode Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-02-13 B Horn commands/memrw: Disable memory reading in lockdown mode With the rest of module being blocked in lockdown mode it does not make a lot of sense to leave memory reading enabled. This also goes in par with disabling the dump command. Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-02-13 B Horn commands/minicmd: Block the dump command in lockdown mode The dump enables a user to read memory which should not be possible in lockdown mode. Fixes: CVE-2025-1118 Reported-by: B Horn Reported-by: Jonathan Bar Or Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen commands/test: Stack overflow due to unlimited recursion depth The test_parse() evaluates test expression recursively. Due to lack of recursion depth check a specially crafted expression may cause a stack overflow. The recursion is only triggered by the parentheses usage and it can be unlimited. However, sensible expressions are unlikely to contain more than a few parentheses. So, this patch limits the recursion depth to 100, which should be sufficient. Reported-by: Nils Langius Reviewed-by: Daniel Kiper 2025-02-13 Jonathan Bar Or commands/read: Fix an integer overflow when supplying more than 2^31 characters The VasEBoot_getline() function currently has a signed integer variable "i" that can be overflown when user supplies more than 2^31 characters. It results in a memory corruption of the allocated line buffer as well as supplying large negative values to VasEBoot_realloc(). Fixes: CVE-2025-0690 Reported-by: Jonathan Bar Or Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen gettext: Integer overflow leads to heap OOB write The size calculation of the translation buffer in VasEBoot_gettext_getstr_from_position() may overflow to 0 leading to heap OOB write. This patch fixes the issue by using VasEBoot_add() and checking for an overflow. Fixes: CVE-2024-45777 Reported-by: Nils Langius Reviewed-by: Daniel Kiper Reviewed-by: Alec Brown 2025-02-13 Lidong Chen gettext: Integer overflow leads to heap OOB write or read Calculation of ctx->VasEBoot_gettext_msg_list size in VasEBoot_mofile_open() may overflow leading to subsequent OOB write or read. This patch fixes the issue by replacing VasEBoot_zalloc() and explicit multiplication with VasEBoot_calloc() which does the same thing in safe manner. Fixes: CVE-2024-45776 Reported-by: Nils Langius Reviewed-by: Daniel Kiper Reviewed-by: Alec Brown 2025-02-13 B Horn gettext: Remove variables hooks on module unload The gettext module does not entirely cleanup after itself in its VAS_EBOOT_MOD_FINI() leaving a few variables hooks in place. It is not possible to unload gettext module because normal module depends on it. Though fix the issues for completeness. Fixes: CVE-2025-0622 Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-02-13 B Horn normal: Remove variables hooks on module unload The normal module does not entirely cleanup after itself in its VAS_EBOOT_MOD_FINI() leaving a few variables hooks in place. It is not possible to unload normal module now but fix the issues for completeness. On the occasion replace 0s with NULLs for "pager" variable hooks unregister. Fixes: CVE-2025-0622 Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-02-13 B Horn commands/pgp: Unregister the "check_signatures" hooks on module unload If the hooks are not removed they can be called after the module has been unloaded leading to an use-after-free. Fixes: CVE-2025-0622 Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-02-13 B Horn commands/ls: Fix NULL dereference The VasEBoot_strrchr() may return NULL when the dirname do not contain "/". This can happen on broken filesystems. Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-02-13 Lidong Chen commands/extcmd: Missing check for failed allocation The VasEBoot_extcmd_dispatcher() calls VasEBoot_arg_list_alloc() to allocate a VasEBoot_arg_list struct but it does not verify the allocation was successful. In case of failed allocation the NULL state pointer can be accessed in parse_option() through VasEBoot_arg_parse() which may lead to a security issue. Fixes: CVE-2024-45775 Reported-by: Nils Langius Reviewed-by: Daniel Kiper Reviewed-by: Alec Brown 2025-02-13 B Horn kern/dl: Check for the SHF_INFO_LINK flag in VasEBoot_dl_relocate_symbols() The VasEBoot_dl_relocate_symbols() iterates through the sections in an ELF looking for relocation sections. According to the spec [1] the SHF_INFO_LINK flag should be set if the sh_info field is meant to be a section index. [1] https://refspecs.linuxbase.org/elf/gabi4+/ch4.sheader.html Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-02-13 B Horn kern/dl: Use correct segment in VasEBoot_dl_set_mem_attrs() The previous code would never actually call VasEBoot_update_mem_attrs() as sh_info will always be zero for the sections that exist in memory. Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-02-13 B Horn kern/dl: Fix for an integer overflow in VasEBoot_dl_ref() It was possible to overflow the value of mod->ref_count, a signed integer, by repeatedly invoking insmod on an already loaded module. This led to a use-after-free. As once ref_count was overflowed it became possible to unload the module while there was still references to it. This resolves the issue by using VasEBoot_add() to check if the ref_count will overflow and then stops further increments. Further changes were also made to VasEBoot_dl_unref() to check for the underflow condition and the reference count was changed to an unsigned 64-bit integer. Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-02-13 Daniel Axtens video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG Otherwise a subsequent header could change the height and width allowing future OOB writes. Fixes: CVE-2024-45774 Reported-by: Nils Langius Reviewed-by: Daniel Kiper 2025-02-13 B Horn net/tftp: Fix stack buffer overflow in tftp_open() An overly long filename can be passed to tftp_open() which would cause VasEBoot_normalize_filename() to write out of bounds. Fixed by adding an extra argument to VasEBoot_normalize_filename() for the space available, making it act closer to a strlcpy(). As several fixed strings are strcpy()'d after into the same buffer, their total length is checked to see if they exceed the remaining space in the buffer. If so, return an error. On the occasion simplify code a bit by removing unneeded rrqlen zeroing. Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-02-13 B Horn net: Fix OOB write in VasEBoot_net_search_config_file() The function included a call to VasEBoot_strcpy() which copied data from an environment variable to a buffer allocated in VasEBoot_cmd_normal(). The VasEBoot_cmd_normal() didn't consider the length of the environment variable. So, the copy operation could exceed the allocation and lead to an OOB write. Fix the issue by replacing VasEBoot_strcpy() with VasEBoot_strlcpy() and pass the underlying buffers size to the VasEBoot_net_search_config_file(). Fixes: CVE-2025-0624 Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-01-23 B Horn net: Remove variables hooks when interface is unregisted The VasEBoot_net_network_level_interface_unregister(), previously implemented in a header, did not remove the variables hooks that were registered in VasEBoot_net_network_level_interface_register(). Fix this by implementing the same logic used to register the variables and move the function into the VasEBoot-core/net/net.c. Reviewed-by: Daniel Kiper 2025-01-23 B Horn net: Unregister net_default_ip and net_default_mac variables hooks on unload The net module is a dependency of normal. So, it shouldn't be possible to unload the net. Though unregister variables hooks as a precaution. It also gets in line with unregistering the other net module hooks. Reviewed-by: Daniel Kiper 2025-01-23 B Horn script/execute: Limit the recursion depth If unbounded recursion is allowed it becomes possible to collide the stack with the heap. As UEFI firmware often lacks guard pages this becomes an exploitable issue as it is possible in some cases to do a controlled overwrite of a section of this heap region with arbitrary data. Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-01-23 B Horn kern/partition: Limit recursion in part_iterate() The part_iterate() is used by VasEBoot_partition_iterate() as a callback in the partition iterate functions. However, part_iterate() may also call the partition iterate functions which may lead to recursion. Fix potential issue by limiting the recursion depth. Reviewed-by: Daniel Kiper 2025-01-23 B Horn kern/disk: Limit recursion depth The VasEBoot_disk_read() may trigger other disk reads, e.g. via loopbacks. This may lead to very deep recursion which can corrupt the heap. So, fix the issue by limiting reads depth. Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-01-23 B Horn disk/loopback: Reference tracking for the loopback It was possible to delete a loopback while there were still references to it. This led to an exploitable use-after-free. Fixed by implementing a reference counting in the VasEBoot_loopback struct. Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-01-23 Michael Chang disk/cryptodisk: Require authentication after TPM unlock for CLI access The VAS_EBOOT may use TPM to verify the integrity of boot components and the result can determine whether a previously sealed key can be released. If everything checks out, showing nothing has been tampered with, the key is released and VAS_EBOOT unlocks the encrypted root partition for the next stage of booting. However, the liberal Command Line Interface (CLI) can be misused by anyone in this case to access files in the encrypted partition one way or another. Despite efforts to keep the CLI secure by preventing utility command output from leaking file content, many techniques in the wild could still be used to exploit the CLI, enabling attacks or learning methods to attack. It's nearly impossible to account for all scenarios where a hack could be applied. Therefore, to mitigate potential misuse of the CLI after the root device has been successfully unlocked via TPM, the user should be required to authenticate using the LUKS password. This added layer of security ensures that only authorized users can access the CLI reducing the risk of exploitation or unauthorized access to the encrypted partition. Fixes: CVE-2024-49504 Reviewed-by: Daniel Kiper 2025-01-23 B Horn kern/file: Implement filesystem reference counting The VasEBoot_file_open() and VasEBoot_file_close() should be the only places that allow a reference to a filesystem to stay open. So, add VasEBoot_dl_t to VasEBoot_fs_t and set this in the VAS_EBOOT_MOD_INIT() for each filesystem to avoid issues when filesystems forget to do it themselves or do not track their own references, e.g. squash4. The fs_label(), fs_uuid(), fs_mtime() and fs_read() should all ref and unref in the same function but it is essentially redundant in VAS_EBOOT single threaded model. Reviewed-by: Daniel Kiper 2025-01-23 B Horn kern/file: Ensure file->data is set This is to avoid a generic issue were some filesystems would not set data and also not set a VasEBoot_errno. This meant it was possible for many filesystems to VasEBoot_dl_unref() themselves multiple times resulting in it being possible to unload the filesystems while there were still references to them, e.g., via a loopback. Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-01-23 B Horn fs/xfs: Ensuring failing to mount sets a VasEBoot_errno It was previously possible for VasEBoot_xfs_mount() to return NULL without setting VasEBoot_errno if the XFS version was invalid. This resulted in it being possible for VasEBoot_dl_unref() to be called twice allowing the XFS module to be unloaded while there were still references to it. Fixing this problem in general by ensuring a VasEBoot_errno is set if the fail label is reached. Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-01-23 Michael Chang fs/xfs: Fix out-of-bounds read The number of records in the root key array read from disk was not being validated against the size of the root node. This could lead to an out-of-bounds read. This patch adds a check to ensure that the number of records in the root key array does not exceed the expected size of a root node read from disk. If this check detects an out-of-bounds condition the operation is aborted to prevent random errors due to metadata corruption. Reported-by: Daniel Axtens Reviewed-by: Daniel Kiper 2025-01-23 B Horn fs/ntfs: Implement attribute verification It was possible to read OOB when an attribute had a size that exceeded the allocated buffer. This resolves that by making sure all attributes that get read are fully in the allocated space by implementing a function to validate them. Defining the offsets in include/VasEBoot/ntfs.h but they are only used in the validation function and not across the rest of the NTFS code. Reviewed-by: Daniel Kiper 2025-01-23 B Horn fs/ntfs: Use a helper function to access attributes Right now to access the next attribute the code reads the length of the current attribute and adds that to the current pointer. This is error prone as bounds checking needs to be performed all over the place. So, implement a helper and ensure its used across find_attr() and read_attr(). This commit does *not* implement full bounds checking. It is just the preparation work for this to be added into the helper. Reviewed-by: Daniel Kiper 2025-01-23 B Horn fs/ntfs: Track the end of the MFT attribute buffer The end of the attribute buffer should be stored alongside the rest of the attribute struct as right now it is not possible to implement bounds checking when accessing attributes sequentially. This is done via: - updating init_attr() to set at->end and check is is not initially out of bounds, - implementing checks as init_attr() had its type change in its callers, - updating the value of at->end when needed. Reviewed-by: Daniel Kiper 2025-01-23 Michael Chang fs/ntfs: Fix out-of-bounds read When parsing NTFS file records the presence of the 0xFF marker indicates the end of the attribute list. This value signifies that there are no more attributes to process. However, when the end marker is missing due to corrupted metadata the loop continues to read beyond the attribute list resulting in out-of-bounds reads and potentially entering an infinite loop. This patch adds a check to provide a stop condition for the loop ensuring it stops at the end of the attribute list or at the end of the Master File Table. This guards against out-of-bounds reads and prevents infinite loops. Reported-by: Daniel Axtens Reviewed-by: Daniel Kiper 2025-01-23 Michael Chang fs/ext2: Fix out-of-bounds read for inline extents When inline extents are used, i.e. the extent tree depth equals zero, a maximum of four entries can fit into the inode's data block. If the extent header states a number of entries greater than four the current ext2 implementation causes an out-of-bounds read. Fix this issue by capping the number of extents to four when reading inline extents. Reported-by: Daniel Axtens Reviewed-by: Daniel Kiper 2025-01-23 Lidong Chen fs/jfs: Inconsistent signed/unsigned types usage in return values The getblk() returns a value of type VasEBoot_int64_t which is assigned to iagblk and inoblk, both of type VasEBoot_uint64_t, in VasEBoot_jfs_read_inode() via VasEBoot_jfs_blkno(). This patch fixes the type mismatch in the functions. Additionally, the getblk() will return 0 instead of -1 on failure cases. This change is safe because VasEBoot_errno is always set in getblk() to indicate errors and it is later checked in the callers. Reviewed-by: Alec Brown Reviewed-by: Ross Philipson Reviewed-by: Daniel Kiper 2025-01-23 Lidong Chen fs/jfs: Use full 40 bits offset and address for a data extent An extent's logical offset and address are represented as a 40-bit value split into two parts: the most significant 8 bits and the least significant 32 bits. Currently the JFS code uses only the least significant 32 bits value for offsets and addresses assuming the data size will never exceed the 32-bit range. This approach ignores the most significant 8 bits potentially leading to incorrect offsets and addresses for larger values. The patch fixes it by incorporating the most significant 8 bits into the calculation to get the full 40-bits value for offsets and addresses. https://jfs.sourceforge.net/project/pub/jfslayout.pdf "off1,off2 is a 40-bit field, containing the logical offset of the first block in the extent. ... addr1,addr2 is a 40-bit field, containing the address of the extent." Reviewed-by: Alec Brown Reviewed-by: Ross Philipson Reviewed-by: Daniel Kiper 2025-01-23 Lidong Chen fs/jfs: Fix OOB read caused by invalid dir slot index While fuzz testing JFS with ASAN enabled an OOB read was detected in VasEBoot_jfs_opendir(). The issue occurred due to an invalid directory slot index in the first entry of the sorted directory slot array in the inode directory header. The fix ensures the slot index is validated before accessing it. Given that an internal or a leaf node in a directory B+ tree is a 4 KiB in size and each directory slot is always 32 bytes, the max number of slots in a node is 128. The validation ensures that the slot index doesn't exceed this limit. [1] https://jfs.sourceforge.net/project/pub/jfslayout.pdf JFS will allocate 4K of disk space for an internal node of the B+ tree. An internal node looks the same as a leaf node. - page 10 Fixed number of Directory Slots depending on the size of the node. These are the slots to be used for storing the directory slot array and the directory entries or router entries. A directory slot is always 32 bytes. ... A Directory Slot Array which is a sorted array of indices to the directory slots that are currently in use. ... An internal or a leaf node in the directory B+ tree is a 4K page. - page 25 Reviewed-by: Daniel Kiper Reviewed-by: Alec Brown 2025-01-23 Lidong Chen fs/jfs: Fix OOB read in jfs_getent() The JFS fuzzing revealed an OOB read in VasEBoot_jfs_getent(). The crash was caused by an invalid leaf nodes count, diro->dirpage->header.count, which was larger than the maximum number of leaf nodes allowed in an inode. This fix is to ensure that the leaf nodes count is validated in VasEBoot_jfs_opendir() before calling VasEBoot_jfs_getent(). On the occasion replace existing raw numbers with newly defined constant. Reviewed-by: Daniel Kiper Reviewed-by: Alec Brown 2025-01-23 Michael Chang fs/iso9660: Fix invalid free The ctx->filename can point to either a string literal or a dynamically allocated string. The ctx->filename_alloc field is used to indicate the type of allocation. An issue has been identified where ctx->filename is reassigned to a string literal in susp_iterate_dir() but ctx->filename_alloc is not correctly handled. This oversight causes a memory leak and an invalid free operation later. The fix involves checking ctx->filename_alloc, freeing the allocated string if necessary and clearing ctx->filename_alloc for string literals. Reported-by: Daniel Axtens Reviewed-by: Daniel Kiper 2025-01-23 B Horn fs/iso9660: Set a VasEBoot_errno if mount fails It was possible for a VasEBoot_errno to not be set if mount of an ISO 9660 filesystem failed when set_rockridge() returned 0. This isn't known to be exploitable as the other filesystems due to filesystem helper checking the requested file type. Though fixing as a precaution. Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-01-23 B Horn fs/hfsplus: Set a VasEBoot_errno if mount fails It was possible for mount to fail but not set VasEBoot_errno. This led to a possible double decrement of the module reference count if the NULL page was mapped. Fixing in general as a similar bug was fixed in commit 61b13c187 (fs/hfsplus: Set VasEBoot_errno to prevent NULL pointer access) and there are likely more variants around. Fixes: CVE-2024-45783 Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-01-23 B Horn fs/f2fs: Set a VasEBoot_errno if mount fails It was previously possible for VasEBoot_errno to not be set when VasEBoot_f2fs_mount() failed if nat_bitmap_ptr() returned NULL. This issue is solved by ensuring a VasEBoot_errno is set in the fail case. Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-01-23 Lidong Chen fs/tar: Integer overflow leads to heap OOB write Both namesize and linksize are derived from hd.size, a 12-digit octal number parsed by read_number(). Later direct arithmetic calculation like "namesize + 1" and "linksize + 1" may exceed the maximum value of VasEBoot_size_t leading to heap OOB write. This patch fixes the issue by using VasEBoot_add() and checking for an overflow. Fixes: CVE-2024-45780 Reported-by: Nils Langius Reviewed-by: Daniel Kiper Reviewed-by: Alec Brown 2025-01-16 B Horn fs/tar: Initialize name in VasEBoot_cpio_find_file() It was possible to iterate through VasEBoot_cpio_find_file() without allocating name and not setting mode to VAS_EBOOT_ARCHELP_ATTR_END, which would cause the uninitialized value for name to be used as an argument for canonicalize() in VasEBoot_archelp_dir(). Reported-by: B Horn Reviewed-by: Daniel Kiper 2025-01-16 B Horn fs/hfs: Fix stack OOB write with VasEBoot_strcpy() Replaced with VasEBoot_strlcpy(). Fixes: CVE-2024-45782 Fixes: CVE-2024-56737 Fixes: https://savannah.gnu.org/bugs/?66599 Reported-by: B Horn Reviewed-by: Daniel Kiper 2024-12-02 B Horn fs/ufs: Fix a heap OOB write VasEBoot_strcpy() was used to copy a symlink name from the filesystem image to a heap allocated buffer. This led to a OOB write to adjacent heap allocations. Fix by using VasEBoot_strlcpy(). Fixes: CVE-2024-45781 Reported-by: B Horn Reviewed-by: Daniel Kiper 2024-12-02 B Horn misc: Implement VasEBoot_strlcpy() VasEBoot_strlcpy() acts the same way as strlcpy() does on most *NIX, returning the length of src and ensuring dest is always NUL terminated except when size is 0. Reviewed-by: Daniel Kiper 2024-11-28 Stefan Berger tpm2_key_protector: Enable build for powerpc_ieee1275 Reviewed-by: Daniel Kiper 2024-11-28 Stefan Berger ieee1275/tcg2: Add TCG2 driver for ieee1275 PowerPC firmware Follow recent extensions of EFI support providing a TCG2 driver with a public API for getting the maximum TPM command size and passing a TPM command through to the TPM 2. Implement this functionality using ieee1275 PowerPC firmware API calls. Move tcg2.c into the TCG2 driver. Reviewed-by: Daniel Kiper 2024-11-28 Stefan Berger ieee1275/tcg2: Refactor VasEBoot_ieee1275_tpm_init() Move tpm_get_tpm_version() into VasEBoot_ieee1275_tpm_init() and invalidate VasEBoot_ieee1275_tpm_ihandle in case no TPM 2 could be detected. Try the initialization only once so that VasEBoot_tpm_present() will always return the same result. Use the VasEBoot_ieee1275_tpm_ihandle as indicator for an available TPM instead of VasEBoot_ieee1275_tpm_version, which can now be removed. Reviewed-by: Daniel Kiper 2024-11-28 Stefan Berger ieee1275/ibmvpm: Move TPM initialization functions to own file Move common initialization functions from the ibmvtpm driver module into tcg2.c that will be moved into the new TCG2 driver in a subsequent patch. Make the functions available to the ibmvtpm driver as public functions and variables. Reviewed-by: Daniel Kiper 2024-11-28 Stefan Berger ieee1275: Consolidate repeated definitions of IEEE1275_IHANDLE_INVALID Consolidate repeated definitions of IEEE1275_IHANDLE_INVALID that are cast to the type VasEBoot_ieee1275_ihandle_t. On the occasion add "VAS_EBOOT_" prefix to the constant name. Reviewed-by: Daniel Kiper 2024-11-28 Stefan Berger term/ieee1275/serial: Cast 0 to proper type Cast 0 to proper type VasEBoot_ieee1275_ihandle_t. This type is used for struct VasEBoot_serial_port's handle that assigns or compares with IEEE1275_IHANDLE_INVALID. Reviewed-by: Daniel Kiper 2024-11-28 Stefan Berger tss2: Adjust bit fields for big endian targets The TPM bit fields need to be in reverse order for big endian targets, such as ieee1275 PowerPC platforms that run VAS_EBOOT in big endian mode. Reviewed-by: Gary Lin Reviewed-by: Daniel Kiper 2024-11-28 Gary Lin docs: Document TPM2 key protector Update the user manual to address TPM2 key protector including the two related commands, tpm2_key_protector_init and tpm2_key_protector_clear, and the user-space utility: VasEBoot-protect. Reviewed-by: Daniel Kiper Reviewed-by: Stefan Berger Tested-by: Stefan Berger 2024-11-28 Gary Lin tests: Add tpm2_key_protector_test For the tpm2_key_protector module, the TCG2 command submission function is the only difference between a QEMU instance and VasEBoot-emu. To test TPM2 key unsealing with a QEMU instance, it requires an extra OS image to invoke VasEBoot-protect to seal the LUKS key, rather than a simple VasEBoot-shell rescue CD image. On the other hand, VasEBoot-emu can share the emulated TPM2 device with the host, so that we can seal the LUKS key on host and test key unsealing with VasEBoot-emu. This test script firstly creates a simple LUKS image to be loaded as a loopback device in VasEBoot-emu. Then an emulated TPM2 device is created by "swtpm chardev" and PCR 0 and 1 are extended. There are several test cases in the script to test various settings. Each test case uses VasEBoot-protect or tpm2-tools to seal the LUKS password with PCR 0 and PCR 1. Then VasEBoot-emu is launched to load the LUKS image, try to mount the image with tpm2_key_protector_init and cryptomount, and verify the result. Based on the idea from Michael Chang. Cc: Michael Chang Cc: Stefan Berger Cc: Glenn Washburn Reviewed-by: Daniel Kiper Reviewed-by: Stefan Berger Tested-by: Stefan Berger 2024-11-28 Gary Lin tpm2_key_protector: Add VasEBoot-emu support As a preparation to test tpm2_key_protector with VasEBoot-emu, the new option, --tpm-device, is introduced to specify the TPM device for VasEBoot-emu so that VasEBoot-emu can access an emulated TPM device from the host. Since VasEBoot-emu can directly access the device on host, it's easy to implement the essential TCG2 command submission function with the read/write functions and enable tpm2_key_protector module for VasEBoot-emu, so that we can further test TPM2 key unsealing with VasEBoot-emu. Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin diskfilter: Look up cryptodisk devices first When using disk auto-unlocking with TPM 2.0, the typical VasEBoot.cfg may look like this: tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/VasEBoot/sealed.tpm cryptomount -u -P tpm2 search --fs-uuid --set=root Since the disk search order is based on the order of module loading, the attacker could insert a malicious disk with the same FS-UUID root to trick VAS_EBOOT to boot into the malicious root and further dump memory to steal the unsealed key. Do defend against such an attack, we can specify the hint provided by "VasEBoot-probe" to search the encrypted partition first: search --fs-uuid --set=root --hint='cryptouuid/' However, for LVM on an encrypted partition, the search hint provided by "VasEBoot-probe" is: --hint='lvmid//' It doesn't guarantee to look up the logical volume from the encrypted partition, so the attacker may have the chance to fool VAS_EBOOT to boot into the malicious disk. To minimize the attack surface, this commit tweaks the disk device search in diskfilter to look up cryptodisk devices first and then others, so that the auto-unlocked disk will be found first, not the attacker's disk. Cc: Fabian Vogt Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin cryptodisk: Wipe out the cached keys from protectors An attacker may insert a malicious disk with the same crypto UUID and trick VAS_EBOOT to mount the fake root. Even though the key from the key protector fails to unlock the fake root, it's not wiped out cleanly so the attacker could dump the memory to retrieve the secret key. To defend such attack, wipe out the cached key when we don't need it. Cc: Fabian Vogt Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Patrick Colp cryptodisk: Fallback to passphrase If a protector is specified, but it fails to unlock the disk, fall back to asking for the passphrase. Before requesting the passphrase, the error from the key protector(s) has to be cleared, or the later code, e.g., LUKS code, may stop as VasEBoot_errno is set. This commit prints error from the key protector(s) and sets VasEBoot_errno to VAS_EBOOT_ERR_NONE to have a fresh start. Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Patrick Colp tpm2_key_protector: Implement NV index Currently with the TPM2 protector, only SRK mode is supported and NV index support is just a stub. Implement the NV index option. Note: This only extends support on the unseal path. VasEBoot-protect has not been updated. tpm2-tools can be used to insert a key into the NV index. An example of inserting a key using tpm2-tools: # Get random key. tpm2_getrandom 32 > key.dat # Create primary object. tpm2_createprimary -C o -g sha256 -G ecc -c primary.ctx # Create policy object. `pcrs.dat` contains the PCR values to seal against. tpm2_startauthsession -S session.dat tpm2_policypcr -S session.dat -l sha256:7,11 -f pcrs.dat -L policy.dat tpm2_flushcontext session.dat # Seal key into TPM. cat key.dat | tpm2_create -C primary.ctx -u key.pub -r key.priv -L policy.dat -i- tpm2_load -C primary.ctx -u key.pub -r key.priv -n sealing.name -c sealing.ctx tpm2_evictcontrol -C o -c sealing.ctx 0x81000000 Then to unseal the key in VAS_EBOOT, add this to VasEBoot.cfg: tpm2_key_protector_init --mode=nv --nvindex=0x81000000 --pcrs=7,11 cryptomount -u --protector tpm2 Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin tpm2_key_protector: Support authorized policy This commit handles the TPM2_PolicyAuthorize command from the key file in TPM 2.0 Key File format. TPM2_PolicyAuthorize is the essential command to support authorized policy which allows the users to sign TPM policies with their own keys. Per TPM 2.0 Key File [1], CommandPolicy for TPM2_PolicyAuthorize comprises "TPM2B_PUBLIC pubkey", "TPM2B_DIGEST policy_ref", and "TPMT_SIGNATURE signature". To verify the signature, the current policy digest is hashed with the hash algorithm written in "signature", and then "signature" is verified with the hashed policy digest and "pubkey". Once TPM accepts "signature", TPM2_PolicyAuthorize is invoked to authorize the signed policy. To create the key file with authorized policy, here are the pcr-oracle [2] commands: # Generate the RSA key and create the authorized policy file $ pcr-oracle \ --rsa-generate-key \ --private-key policy-key.pem \ --auth authorized.policy \ create-authorized-policy 0,2,4,7,9 # Seal the secret with the authorized policy $ pcr-oracle \ --key-format tpm2.0 \ --auth authorized.policy \ --input disk-secret.txt \ --output sealed.key \ seal-secret # Sign the predicted PCR policy $ pcr-oracle \ --key-format tpm2.0 \ --private-key policy-key.pem \ --from eventlog \ --stop-event "VasEBoot-file=VasEBoot.cfg" \ --after \ --input sealed.key \ --output /boot/efi/efi/VasEBoot/sealed.tpm \ sign 0,2,4,7,9 Then specify the key file and the key protector to VasEBoot.cfg in the EFI system partition: tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/efi/VasEBoot/sealed.tpm cryptomount -u -P tpm2 For any change in the boot components, just run the "sign" command again to update the signature in sealed.tpm, and TPM can unseal the key file with the updated PCR policy. [1] https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html [2] https://github.com/okirch/pcr-oracle Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Hernan Gatta util/VasEBoot-protect: Add new tool To utilize the key protectors framework, there must be a way to protect full-disk encryption keys in the first place. The VasEBoot-protect tool includes support for the TPM2 key protector but other protectors that require setup ahead of time can be supported in the future. For the TPM2 key protector, the intended flow is for a user to have a LUKS 1 or LUKS 2-protected fully-encrypted disk. The user then creates a new LUKS key file, say by reading /dev/urandom into a file, and creates a new LUKS key slot for this key. Then, the user invokes the VasEBoot-protect tool to seal this key file to a set of PCRs using the system's TPM 2.0. The resulting sealed key file is stored in an unencrypted partition such as the EFI System Partition (ESP) so that VAS_EBOOT may read it. The user also has to ensure the cryptomount command is included in VAS_EBOOT's boot script and that it carries the requisite key protector (-P) parameter. Sample usage: $ dd if=/dev/urandom of=luks-key bs=1 count=32 $ sudo cryptsetup luksAddKey /dev/sdb1 luks-key --pbkdf=pbkdf2 --hash=sha512 To seal the key with TPM 2.0 Key File (recommended): $ sudo VasEBoot-protect --action=add \ --protector=tpm2 \ --tpm2-pcrs=0,2,4,7,9 \ --tpm2key \ --tpm2-keyfile=luks-key \ --tpm2-outfile=/boot/efi/efi/VasEBoot/sealed.tpm Or, to seal the key with the raw sealed key: $ sudo VasEBoot-protect --action=add \ --protector=tpm2 \ --tpm2-pcrs=0,2,4,7,9 \ --tpm2-keyfile=luks-key \ --tpm2-outfile=/boot/efi/efi/VasEBoot/sealed.key Then, in the boot script, for TPM 2.0 Key File: tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/VasEBoot/sealed.tpm cryptomount -u -P tpm2 Or, for the raw sealed key: tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/VasEBoot/sealed.key --pcrs=0,2,4,7,9 cryptomount -u -P tpm2 The benefit of using TPM 2.0 Key File is that the PCR set is already written in the key file, so there is no need to specify PCRs when invoking tpm2_key_protector_init. Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Hernan Gatta cryptodisk: Support key protectors Add a new parameter to cryptomount to support the key protectors framework: -P. The parameter is used to automatically retrieve a key from specified key protectors. The parameter may be repeated to specify any number of key protectors. These are tried in order until one provides a usable key for any given disk. Reviewed-by: Glenn Washburn Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Hernan Gatta key_protector: Add TPM2 Key Protector The TPM2 key protector is a module that enables the automatic retrieval of a fully-encrypted disk's unlocking key from a TPM 2.0. The theory of operation is such that the module accepts various arguments, most of which are optional and therefore possess reasonable defaults. One of these arguments is the keyfile/tpm2key parameter, which is mandatory. There are two supported key formats: 1. Raw Sealed Key (--keyfile) When sealing a key with TPM2_Create, the public portion of the sealed key is stored in TPM2B_PUBLIC, and the private portion is in TPM2B_PRIVATE. The raw sealed key glues the fully marshalled TPM2B_PUBLIC and TPM2B_PRIVATE into one file. 2. TPM 2.0 Key (--tpm2key) The following is the ASN.1 definition of TPM 2.0 Key File: TPMPolicy ::= SEQUENCE { CommandCode [0] EXPLICIT INTEGER CommandPolicy [1] EXPLICIT OCTET STRING } TPMAuthPolicy ::= SEQUENCE { Name [0] EXPLICIT UTF8STRING OPTIONAL Policy [1] EXPLICIT SEQUENCE OF TPMPolicy } TPMKey ::= SEQUENCE { type OBJECT IDENTIFIER emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL secret [2] EXPLICIT OCTET STRING OPTIONAL authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL description [4] EXPLICIT UTF8String OPTIONAL, rsaParent [5] EXPLICIT BOOLEAN OPTIONAL, parent INTEGER pubkey OCTET STRING privkey OCTET STRING } The TPM2 key protector only expects a "sealed" key in DER encoding, so "type" is always 2.23.133.10.1.5, "emptyAuth" is "TRUE", and "secret" is empty. "policy" and "authPolicy" are the possible policy command sequences to construct the policy digest to unseal the key. Similar to the raw sealed key, the public portion (TPM2B_PUBLIC) of the sealed key is stored in "pubkey", and the private portion (TPM2B_PRIVATE) is in "privkey". For more details: https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html This sealed key file is created via the VasEBoot-protect tool. The tool utilizes the TPM's sealing functionality to seal (i.e., encrypt) an unlocking key using a Storage Root Key (SRK) to the values of various Platform Configuration Registers (PCRs). These PCRs reflect the state of the system as it boots. If the values are as expected, the system may be considered trustworthy, at which point the TPM allows for a caller to utilize the private component of the SRK to unseal (i.e., decrypt) the sealed key file. The caller, in this case, is this key protector. The TPM2 key protector registers two commands: - tpm2_key_protector_init: Initializes the state of the TPM2 key protector for later usage, clearing any previous state, too, if any. - tpm2_key_protector_clear: Clears any state set by tpm2_key_protector_init. The way this is expected to be used requires the user to, either interactively or, normally, via a boot script, initialize/configure the key protector and then specify that it be used by the "cryptomount" command (modifications to this command are in a different patch). For instance, to unseal the raw sealed key file: tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/VasEBoot/sealed-1.key cryptomount -u -P tpm2 tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/VasEBoot/sealed-2.key --pcrs=7,11 cryptomount -u -P tpm2 Or, to unseal the TPM 2.0 Key file: tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/VasEBoot/sealed-1.tpm cryptomount -u -P tpm2 tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/VasEBoot/sealed-2.tpm --pcrs=7,11 cryptomount -u -P tpm2 If a user does not initialize the key protector and attempts to use it anyway, the protector returns an error. Before unsealing the key, the TPM2 key protector follows the "TPMPolicy" sequences to enforce the TPM policy commands to construct a valid policy digest to unseal the key. For the TPM 2.0 Key files, "authPolicy" may contain multiple "TPMPolicy" sequences, the TPM2 key protector iterates "authPolicy" to find a valid sequence to unseal key. If "authPolicy" is empty or all sequences in "authPolicy" fail, the protector tries the one from "policy". In case "policy" is also empty, the protector creates a "TPMPolicy" sequence based on the given PCR selection. For the raw sealed key, the TPM2 key protector treats the key file as a TPM 2.0 Key file without "authPolicy" and "policy", so the "TPMPolicy" sequence is always based on the PCR selection from the command parameters. This commit only supports one policy command: TPM2_PolicyPCR. The command set will be extended to support advanced features, such as authorized policy, in the later commits. Cc: James Bottomley Reviewed-by: Daniel Kiper Reviewed-by: Stefan Berger Tested-by: Stefan Berger 2024-11-28 Gary Lin tss2: Add TPM2 Software Stack (TSS2) support A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to compose and submit TPM commands and parse responses. A limited number of TPM commands may be accessed via the EFI TCG2 protocol. This protocol exposes functionality that is primarily geared toward TPM usage within the context of Secure Boot. For all other TPM commands, however, such as sealing and unsealing, this protocol does not provide any help, with the exception of passthrough command submission. The SubmitCommand method allows a caller to send raw commands to the system's TPM and to receive the corresponding response. These command/response pairs are formatted using the TPM wire protocol. To construct commands in this way, and to parse the TPM's response, it is necessary to, first, possess knowledge of the various TPM structures, and, second, of the TPM wire protocol itself. As such, this patch includes implementations of various VasEBoot_tpm2_* functions (inventoried below), and logic to write and read command and response buffers, respectively, using the TPM wire protocol. Functions: - VasEBoot_tpm2_create(), - VasEBoot_tpm2_createprimary(), - VasEBoot_tpm2_evictcontrol(), - VasEBoot_tpm2_flushcontext(), - VasEBoot_tpm2_load(), - VasEBoot_tpm2_pcr_read(), - VasEBoot_tpm2_policygetdigest(), - VasEBoot_tpm2_policypcr(), - VasEBoot_tpm2_readpublic(), - VasEBoot_tpm2_startauthsession(), - VasEBoot_tpm2_unseal(), - VasEBoot_tpm2_loadexternal(), - VasEBoot_tpm2_hash(), - VasEBoot_tpm2_verifysignature(), - VasEBoot_tpm2_policyauthorize(), - VasEBoot_tpm2_testparms(). Reviewed-by: Daniel Kiper Reviewed-by: Stefan Berger Tested-by: Stefan Berger 2024-11-28 Gary Lin tss2: Add TPM2 types and Marshal/Unmarshal functions This commit adds the necessary TPM2 types and structs as the preparation for the TPM2 Software Stack (TSS2) support. The Marshal/Unmarshal functions are also added to handle the data structure to be submitted to TPM2 commands and to be received from the response. Reviewed-by: Daniel Kiper Reviewed-by: Stefan Berger Tested-by: Stefan Berger 2024-11-28 Gary Lin tss2: Add TPM2 buffer handling functions As the preparation to support TPM2 Software Stack (TSS2), this commit implements the TPM2 buffer handling functions to pack data for the TPM2 commands and unpack the data from the response. Cc: Stefan Berger Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Hernan Gatta key_protector: Add key protectors framework A key protector encapsulates functionality to retrieve an unlocking key for a fully-encrypted disk from a specific source. A key protector module registers itself with the key protectors framework when it is loaded and unregisters when unloaded. Additionally, a key protector may accept parameters that describe how it should operate. The key protectors framework, besides offering registration and unregistration functions, also offers a one-stop routine for finding and invoking a key protector by name. If a key protector with the specified name exists and if an unlocking key is successfully retrieved by it, the function returns to the caller the retrieved key and its length. Cc: Vladimir Serbinenko Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin libtasn1: Add the documentation Document libtasn1 in docs/VasEBoot-dev.texi and add the upgrade steps. Also add the patches to make libtasn1 compatible with VAS_EBOOT code. Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Daniel Axtens asn1_test: Test module for libtasn1 Import tests from libtasn1 that use functionality we import. This test module is integrated into functional_test so that the user can run the test in VAS_EBOOT shell. This doesn't test the full decoder but that will be exercised in test suites for coming patch sets. Add testcase target in accordance with commit 5e10be48e5 (tests: Add check-native and check-nonnative make targets). Cc: Vladimir Serbinenko Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Daniel Axtens libtasn1: Compile into asn1 module Create a wrapper file that specifies the module license. Set up the makefile so it is built. Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin asn1_test: Enable the testcase only when VAS_EBOOT_LONG_MAX is larger than VAS_EBOOT_INT_MAX There is a testcase to test the values larger than "int" but smaller than "long". However, for some architectures, "long" and "int" are the same and the compiler may issue a warning like this: VasEBoot-core/tests/asn1/tests/Test_overflow.c:48:50: error: left shift of negative value [-Werror=shift-negative-value] unsigned long num = ((long) VAS_EBOOT_UINT_MAX) << 2; ^~ To avoid unnecessary error the testcase is enabled only when VAS_EBOOT_LONG_MAX is larger than VAS_EBOOT_INT_MAX. Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin asn1_test: Use the VasEBoot-specific functions and types This commit converts functions and types to the VasEBoot-specific ones: - LONG_MAX -> VAS_EBOOT_LONG_MAX, - INT_MAX -> VAS_EBOOT_INT_MAX, - UINT_MAX -> VAS_EBOOT_UINT_MAX, - size_t -> VasEBoot_size_t, - memcmp() -> VasEBoot_memcmp(), - memcpy() -> VasEBoot_memcpy(), - free() -> VasEBoot_free(), - strcmp() -> VasEBoot_strcmp(). Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin asn1_test: Print the error messages with VasEBoot_printf() This commit replaces printf() and fprintf() with VasEBoot_printf() to print the error messages for the testcases. Besides, asn1_strerror() is used to convert the result code to strings instead of asn1_perror(). Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin asn1_test: Remove "verbose" and the unnecessary printf() This commit removes the "verbose" variables and the unnecessary printf() to simplify the output. Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin asn1_test: Return either 0 or 1 to reflect the results Some testcases use exit() to end the test. Since all the asn1 testcases are invoked as functions, this commit replaces exit() with return to reflect the test results, so that the main test function can check the results. Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin asn1_test: Rename the main functions to the test names This commit changes the main functions in the testcases to the test names so that the real "main" test function can invokes them. Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin asn1_test: Include asn1_test.h only This commit removes all the headers and only uses asn1_test.h. To avoid including int.h from VasEBoot-core/lib/libtasn1-VasEBoot/lib, CONST_DOWN is defined in reproducers.c. Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin libtasn1: Fix the potential buffer overrun In _asn1_tag_der(), the first while loop for the long form may end up with a "k" value with "ASN1_MAX_TAG_SIZE" and cause the buffer overrun in the second while loop. This commit tweaks the conditional check to avoid producing a too large "k". This is a quick fix and may differ from the official upstream fix. libtasn1 issue: https://gitlab.com/gnutls/libtasn1/-/issues/49 Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin libtasn1: Use VasEBoot_divmod64() for division Replace a 64-bit division with a call to VasEBoot_divmod64(), preventing creation of __udivdi3() calls on 32-bit platforms. Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin libtasn1: Adjust the header paths in libtasn1.h Since libtasn1.h is the header to be included by users, including the standard POSIX headers in libtasn1.h would force the user to add the CFLAGS/CPPFLAGS for the POSIX headers. This commit adjusts the header paths to use the VasEBoot headers instead of the standard POSIX headers, so that users only need to include libtasn1.h to use libtasn1 functions. Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin libtasn1: Replace strcat() with _asn1_str_cat() strcat() is not available in VAS_EBOOT. This commit replaces strcat() and _asn1_strcat() with the bounds-checking _asn1_str_cat(). Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin libtasn1: Replace strcat() with strcpy() in _asn1_str_cat() strcat() is not available in VAS_EBOOT. This commit replaces strcat() with strcpy() in _asn1_str_cat() as the preparation to replace other strcat() with the bounds-checking _asn1_str_cat(). Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Gary Lin libtasn1: Disable code not needed in VAS_EBOOT We don't expect to be able to write ASN.1, only read it, so we can disable some code. Do that with #if 0/#endif, rather than deletion. This means that the difference between upstream and VAS_EBOOT is smaller, which should make updating libtasn1 easier in the future. With these exclusions we also avoid the need for minmax.h, which is convenient because it means we don't have to import it from gnulib. Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Daniel Axtens libtasn1: Import libtasn1-4.19.0 Import a very trimmed-down set of libtasn1 files: curl -L -O https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.19.0.tar.gz tar xvzf libtasn1-4.19.0.tar.gz rm -rf VasEBoot-core/lib/libtasn1 mkdir -p VasEBoot-core/lib/libtasn1/lib mkdir -p VasEBoot-core/lib/libtasn1/tests cp libtasn1-4.19.0/{README.md,COPYING} VasEBoot-core/lib/libtasn1 cp libtasn1-4.19.0/lib/{coding.c,decoding.c,element.c,element.h,errors.c,gstr.c,gstr.h,int.h,parser_aux.c,parser_aux.h,structure.c,structure.h} VasEBoot-core/libtasn1/lib cp libtasn1-4.19.0/lib/includes/libtasn1.h VasEBoot-core/lib/libtasn1 cp libtasn1-4.19.0/tests/{CVE-2018-1000654-1_asn1_tab.h,CVE-2018-1000654-2_asn1_tab.h,CVE-2018-1000654.c,object-id-decoding.c,object-id-encoding.c,octet-string.c,reproducers.c,Test_overflow.c,Test_simple.c,Test_strings.c} VasEBoot-core/lib/libtasn1/tests rm -rf libtasn1-4.19.0* Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Daniel Axtens posix_wrap: Tweaks in preparation for libtasn1 Cc: Vladimir Serbinenko Reviewed-by: Daniel Kiper Tested-by: Stefan Berger 2024-11-28 Rasmus Villemoes kern/fs: Honour file->read_hook() in VasEBoot_fs_blocklist_read() Unlike files accessed via a normal file system, the file->read_hook() is not honoured when using blocklist notation. This means that when trying to use a dedicated, 1 KiB, raw partition for the environment block and hence does something like save_env --file=(hd0,gpt9)0+2 X Y Z this fails with "sparse file not allowed", which is rather unexpected, as I've explicitly said exactly which blocks should be used. Adding a little debugging reveals that VasEBoot_file_size(file) is 1024 as expected, but total_length is 0, simply because the callback was never invoked, so blocklists is an empty list. Fix that by honouring the ->read_hook() set by the caller, also when a "file" is specified with blocklist notation. Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2024-11-28 Glenn Washburn docs: Fix incorrect and potentially confusing language and minor formatting Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2024-10-31 Andrew Hamilton docs: Correct VAS_EBOOT config file name for network boot Correct the documentation for the VasEBoot.cfg searching via network that will be done based on ethernet type, -01, which was missing, and a given MAC address. Fixes: https://savannah.gnu.org/bugs/?65152 Reviewed-by: Daniel Kiper 2024-10-31 Andrew Hamilton docs: Correct chainloader UEFI secure boot info Correct documentation for UEFI secure boot to remove statement that chainloader does not work with secure boot. This was fixed by the commit 6d05264 (kern/efi/sb: Add chainloaded image as shim's verifiable object). Fixes: https://savannah.gnu.org/bugs/?62004 Reviewed-by: Daniel Kiper 2024-10-31 Andrew Hamilton docs: Correct PXE environment variables descriptions Correct documentation for pxe_default_server, pxe_default_gatway and pxe_blksize. Only pxe_default_server is actually used (alias for net_default_server). So, capture this and remove the other two. Fixes: https://savannah.gnu.org/bugs/?54480 Reviewed-by: Daniel Kiper 2024-10-31 Valentin Gehrke loader/multiboot: Do not add modules before successful download Multiboot modules that could not be read successfully, e.g. via network, should not be added to the list of modules to forward to the operating system that is to be booted subsequently. This patch is necessary because even if a VasEBoot.cfg checks whether or not a module was successfully downloaded, it is futile to retry a failed download as the corrupted module will be forwarded either way. Reviewed-by: Daniel Kiper 2024-10-31 Sudhakar Kuppusamy VasEBoot-mkimage: Add SBAT metadata into ELF note for PowerPC targets The SBAT metadata is read from CSV file and transformed into an ELF note with the -s option. Reviewed-by: Daniel Kiper 2024-10-31 Sudhakar Kuppusamy VasEBoot-mkimage: Create new ELF note for SBAT In order to store the SBAT data we create a new ELF note. The string ".sbat", zero-padded to 4 byte alignment, shall be entered in the name field. The string "SBAT"'s ASCII values, 0x53424154, should be entered in the type field. Reviewed-by: Daniel Kiper 2024-10-31 Leo Sandoval commands/legacycfg: Avoid closing file twice An internal (at Red Hat) static soure code scan detected an use-after-free scenario: Error: USE_AFTER_FREE (CWE-416): VasEBoot-2.06/VasEBoot-core/commands/legacycfg.c:194: freed_arg: "VasEBoot_file_close" frees "file". VasEBoot-2.06/VasEBoot-core/commands/legacycfg.c:201: deref_arg: Calling "VasEBoot_file_close" dereferences freed pointer "file". # 199| if (!args) # 200| { # 201|-> VasEBoot_file_close (file); # 202| VasEBoot_free (suffix); # 203| VasEBoot_free (entrysrc); So, remove the extra file close call. Reviewed-by: Daniel Kiper 2024-10-31 Daniel Kiper nx: Rename VAS_EBOOT_DL_ALIGN to DL_ALIGN Rename has been skipped by mistake in the original commit. Fixes: 94649c026 (nx: Set page permissions for loaded modules) Tested-by: Sudeep Holla Reviewed-by: Ross Philipson 2024-10-31 Benjamin Herrenschmidt kern/acpi: Fix out of bounds access in VasEBoot_acpi_xsdt_find_table() The calculation of the size of the table was incorrect (copy/pasta from VasEBoot_acpi_rsdt_find_table() I assume...). The entries are 64-bit long. This causes us to access beyond the end of the table which is causing crashes during boot on some systems. Typically this is causing a crash on VMWare when using UEFI and enabling serial autodetection, as VasEBoot_acpi_find_table (VAS_EBOOT_ACPI_SPCR_SIGNATURE); will goes past the end of the table (the SPCR table doesn't exits). Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper Reviewed-by: Ross Philipson Tested-by: Renata Ravanelli 2024-10-11 Mate Kukri nx: Set the NX compatible flag for the VAS_EBOOT EFI images For NX the VAS_EBOOT binary has to announce that it is compatible with the NX feature. This implies that when loading the executable VAS_EBOOT image several attributes are true: - the binary doesn't need an executable stack, - the binary doesn't need sections to be both executable and writable, - the binary knows how to use the EFI Memory Attributes Protocol on code it is loading. This patch: - adds a definition for the PE DLL Characteristics flag VAS_EBOOT_PE32_NX_COMPAT, - changes VasEBoot-mkimage to set that flag. Reviewed-by: Daniel Kiper 2024-10-11 Mate Kukri nx: Set page permissions for loaded modules For NX we need to set write and executable permissions on the sections of VAS_EBOOT modules when we load them. All allocatable sections are marked readable. In addition: - SHF_WRITE sections are marked as writable, - and SHF_EXECINSTR sections are marked as executable. Where relevant for the platform the tramp and GOT areas are marked non-writable. Reviewed-by: Daniel Kiper 2024-10-11 Mate Kukri nx: Add memory attribute get/set API For NX we need to set the page access permission attributes for write and execute permissions. This patch adds two new primitives, VasEBoot_set_mem_attrs() and VasEBoot_clear_mem_attrs(), and associated constants definitions used for that purpose. For most platforms it adds a dummy implementation. On EFI platforms it implements the primitives using the EFI Memory Attribute Protocol, defined in UEFI 2.10 specification. Reviewed-by: Daniel Kiper 2024-10-11 Mate Kukri modules: Load module sections at page-aligned addresses Currently we load module sections at whatever alignment gcc+ld happened to dump into the ELF section header which is often less then the page size. Since NX protections are page based this alignment must be rounded up to page size on platforms supporting NX protections. This patch switches EFI platforms to load module sections at 4 KiB page-aligned addresses. It then changes the allocation size computation and the loader code in VasEBoot_dl_load_segments() to align the locations and sizes up to these boundaries and fills any added padding with zeros. All of this happens before relocations are applied, so the relocations factor that in with no change. Reviewed-by: Daniel Kiper 2024-10-10 Peter Jones modules: Don't allocate space for non-allocable sections Currently when loading VAS_EBOOT modules we allocate space for all sections including those without SHF_ALLOC set. We then copy the sections that /do/ have SHF_ALLOC set into the allocated memory leaving some of our allocation untouched forever. Additionally, on platforms with GOT fixups and trampolines we currently compute alignment round-ups for the sections and sections with sh_size = 0. This patch removes the extra space from the allocation computation and makes the allocation computation loop skip empty sections as the loading loop does. Reviewed-By: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2024-10-10 Peter Jones modules: Strip .llvm_addrsig sections and similar Currently VAS_EBOOT modules built with Clang or GCC have several sections which we don't actually need or support. We already have a list of sections to skip in genmod.sh and this patch adds the following sections to that list (as well as a few newlines): - .note.gnu.property - .llvm* Note that the glob there won't work without a new enough linker but the failure is just reversion to the status quo. So, that's not a big problem. Reviewed-By: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2024-10-10 Peter Jones modules: Make .module_license read-only Currently .module_license is set writable, that is, the section has the SHF_WRITE flag set, in the module's ELF headers. This probably never actually matters but it can't possibly be correct. The patch sets that data as "const" which causes that flag not to be set. Reviewed-By: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2024-10-10 Daniel Kiper i386/memory: Rename PAGE_SIZE to VAS_EBOOT_PAGE_SIZE and make it global This is an x86-specific thing and should be available globally. Reviewed-by: Ross Philipson Reviewed-by: Daniel Kiper 2024-10-10 Daniel Kiper i386/memory: Rename PAGE_SHIFT to VAS_EBOOT_PAGE_SHIFT This fixes naming inconsistency that goes against coding style as well as helps to avoid potential conflicts and confusion as this constant is used in multiple places. Reviewed-by: Ross Philipson Reviewed-by: Daniel Kiper 2024-10-10 Daniel Kiper i386/msr: Extract and improve MSR support detection code Currently rdmsr and wrmsr commands have own MSR support detection code. This code is the same. So, it is duplicated. Additionally, this code cannot be reused by others. Hence, extract this code to a function and make it public. By the way, improve a code a bit. Additionally, use VAS_EBOOT_ERR_BAD_DEVICE instead of VAS_EBOOT_ERR_BUG to signal an error because errors encountered by this new routine are not bugs. Reviewed-by: Ross Philipson Reviewed-by: Daniel Kiper 2024-10-10 Daniel Kiper i386/msr: Rename VasEBoot_msr_read() and VasEBoot_msr_write() Use more obvious names which match corresponding instructions: * VasEBoot_msr_read() => VasEBoot_rdmsr(), * VasEBoot_msr_write() => VasEBoot_wrmsr(). Reviewed-by: Ross Philipson Reviewed-by: Daniel Kiper 2024-10-10 Daniel Kiper i386/msr: Merge rdmsr.h and wrmsr.h into msr.h It does not make sense to have separate headers for individual static functions. So, make one common place to store them. Reviewed-by: Ross Philipson Reviewed-by: Daniel Kiper 2024-10-10 Michael Chang commands/tpm: Skip loopback image measurement The loopback image is configured to function as a disk by being mapped as a block device. Instead of measuring the entire block device we should focus on tracking the individual files accessed from it. For example, we do not directly measure block devices like hd0 disk but the files opened from it. This method is important to avoid running out of memory since loopback images can be very large. Trying to read and measure the whole image at once could cause out of memory errors and disrupt the boot process. Reviewed-by: Daniel Kiper 2024-10-10 Michael Chang net/drivers/efi/efinet: Skip virtual VLAN devices during card enumeration Similarly to the issue described in commit c52ae4057 (efinet: skip virtual IPv4 and IPv6 devices during card enumeration) the UEFI PXE driver creates additional VLAN child devices when a VLAN ID is configured on a network interface associated with a physical NIC. These virtual VLAN devices must be skipped during card enumeration to ensure that the subsequent SNP exclusive open operation targets the correct physical card instances. Otherwise packet transfer would fail. A device path example with VLAN nodes: /MAC(123456789ABC,0x1)/Vlan(20)/IPv4(0.0.0.0,0x0,DHCP,0.0.0.0,0.0.0.0,0.0.0.0) Reviewed-by: Daniel Kiper 2024-10-10 Michael Chang efi/console: Properly clear leftover artifacts from the screen A regression in VAS_EBOOT 2.12 causes the VAS_EBOOT screen to become cluttered with artifacts from the previous screen whether it's the UEFI post UI, UEFI shell or any graphical UI running before VAS_EBOOT. This issue occurs in situations like booting VAS_EBOOT from the UEFI shell and going straight to the rescue or command shell causing visual discomfort. The regression was introduced by commit 2d7c3abd8 (efi/console: Do not set text-mode until it is actually needed). To address the screen flickering issue this commit suppresses the text-mode setting until the first output is requested. Before text-mode is set any attempt to clear the screen has no effect. This inactive period renders the clear screen ineffective in early boot stages, potentially leaving leftover artifacts that will clutter the VAS_EBOOT console display, as there is no guarantee there will always be a clear screen after the first output. The issue is fixed by ensuring VasEBoot_console_cls() to work through lazy mode-setting, while also avoiding screen clearing for the hidden menu which the flicker-free patch aims to improve. Fixes: 2d7c3abd8 (efi/console: Do not set text-mode until we actually need it) Reviewed-by: Daniel Kiper 2024-10-10 Heinrich Schuchardt kern/riscv/efi/init: Use time register in VasEBoot_efi_get_time_ms() The cycle register is not guaranteed to count at constant frequency. If it is counting at all depends on the state the performance monitoring unit. Use the time register to measure time. Reviewed-by: Daniel Kiper 2024-09-05 Frediano Ziglio loader/efi/linux: Reset freed pointer Avoid dangling pointer. Code should not be reached but better safe than sorry. Reviewed-by: Daniel Kiper 2024-09-05 Frediano Ziglio loader/efi/linux: Reuse len variable Reviewed-by: Daniel Kiper 2024-09-05 Frediano Ziglio lib/x86_64/relocator_asm: Use .quad instead of .long They are single 64-bit values. Used in other assembly files too. Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2024-09-05 Frediano Ziglio lib/x86_64/relocator_asm: Fix comment in code The instruction uses a 64-bit immediate. Reviewed-by: Daniel Kiper 2024-09-05 Frediano Ziglio loader/efi/linux: Update comment The function called is VasEBoot_utf8_to_utf16(). Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2024-09-05 Vladimir Serbinenko util/VasEBoot-mkimagexx: Explicitly move modules to __bss_start for MIPS targets Assembly code looks for modules at __bss_start. Make this position explicit rather than matching BSS alignment and module alignment. Reviewed-by: Daniel Kiper 2024-09-05 Vladimir Serbinenko include/VasEBoot/offsets.h: Set mod_align to 4 on MIPS Module structure has natural alignment of 4. Respect it explicitly rather than relying on the fact that _end is usually aligned. Reviewed-by: Daniel Kiper 2024-09-05 Vladimir Serbinenko gentpl: Put boot/mips/startup_raw.S into beginning of the image Otherwise it breaks the decompressors for MIPS targets. Reviewed-by: Daniel Kiper 2024-09-05 Vladimir Serbinenko configure: Add -mno-gpopt option for mips and mipsel targets Without it compiler generates GPREL16 references which do not work with our memory layout. Reviewed-by: Daniel Kiper 2024-09-05 Vladimir Serbinenko lib/xzembed/xz_dec_bcj: Silence warning when no BCJ is available BCJ is not available for all platforms hence arguments may end up unused. Reviewed-by: Daniel Kiper 2024-09-05 Vladimir Serbinenko fs/erofs: Replace 64-bit modulo with bitwise operations Otherwise depending on compiler we end up with umoddi3 reference and failed module dependency resolution. Reviewed-by: Daniel Kiper 2024-09-05 Vladimir Serbinenko configure: Look for .otf fonts Reviewed-by: Daniel Kiper 2024-09-05 Mate Kukri loader/efi/chainloader: Do not print device path of chainloaded file Users have no reason to see this and it can break graphical boot. Reviewed-by: Daniel Kiper 2024-09-05 Andrew Hamilton docs: Document all VAS_EBOOT modules Add documentation for all VAS_EBOOT modules contained in the source code tree. When possible, cross-references to additional detail on commands was added from their corresponding module documentation. In addition, documentation for the file command was added. Reviewed-by: Daniel Kiper 2024-09-05 Michael Chang commands/bli: Fix crash in get_part_uuid() The get_part_uuid() function made an assumption that the target VAS_EBOOT device is a partition device and accessed device->disk->partition without checking for NULL. There are four situations where this assumption is problematic: 1. The device is a net device instead of a disk. 2. The device is an abstraction device, like LVM, RAID, or CRYPTO, which is mostly logical "disk" ((lvmid/) and so on). 3. Firmware RAID may present the ESP to VAS_EBOOT as an EFI disk (hd0) device if it is contained within a Linux software RAID. 4. When booting from a CD-ROM, the ESP is a VFAT image indexed by the El Torito boot catalog. The boot device is set to (cd0), corresponding to the CD-ROM image mounted as an ISO 9660 filesystem. As a result, get_part_uuid() could lead to a NULL pointer dereference and trigger a synchronous exception during boot if the ESP falls into one of these categories. This patch fixes the problem by adding the necessary checks to handle cases where the ESP is not a partition device. Additionally, to avoid disrupting the boot process, this patch relaxes the severity of the errors in this context to non-critical. Errors will be logged, but they will not prevent the boot process from continuing. Fixes: e0fa7dc84 (bli: Add a module for the Boot Loader Interface) Reviewed-By: Oliver Steffen Reviewed-by: Daniel Kiper 2024-06-20 Thomas Schmitt util/VasEBoot-mkrescue: Check existence of option arguments As reported by Victoriia Egorova in bug 65880, VasEBoot-mkrescue does not verify that the expected argument of an option like -d or -k does really exist in argv. So, check the loop counter before incrementing it inside the loop which copies argv to argp_argv. Issue an error message similar to what older versions of VasEBoot-mkrescue did with a missing argument, e.g. 2.02. Fixes: https://savannah.gnu.org/bugs/index.php?65880 Reviewed-by: Daniel Kiper 2024-06-20 Tobias Heider loader/efi/fdt: Add fdtdump command to access device tree The fdtdump command allows dumping arbitrary device tree properties and saving them to a variable similar to the smbios command. This is useful in scripts where further actions such as selecting a kernel or loading another device tree depend on the compatible or model values of the device tree provided by the firmware. For now only the root level properties of the dtb are exposed. Reviewed-by: Daniel Kiper 2024-06-20 Vladimir Serbinenko osdep/devmapper/getroot: Unmark 2 strings for translation First they're use macros so they can't be translated as-is. Second there is no point in translating them as they're too technical. Reviewed-by: Daniel Kiper 2024-06-20 Vladimir Serbinenko loader/emu/linux: Fix determination of program name Current code works only if package matches binary name transformation rules. It's often true but is not guaranteed. Fixes: https://savannah.gnu.org/bugs/?64410 Reviewed-by: Daniel Kiper 2024-06-20 Vladimir Serbinenko disk/cryptodisk: Fix translatable message Fixes: https://savannah.gnu.org/bugs/?64408 Reviewed-by: Daniel Kiper 2024-06-20 Vladimir Serbinenko tests: Add test for ZFS zstd Reviewed-by: Daniel Kiper fs/zfs/zfs: Add support for zstd compression Reviewed-by: Daniel Kiper 2024-06-20 Mate Kukri kern/efi/mm: Detect calls to VasEBoot_efi_drop_alloc() with wrong page counts Silently keeping entries in the list if the address matches, but the page count doesn't is a bad idea, and can lead to double frees. VasEBoot_efi_free_pages() have already freed parts of this block by this point, and thus keeping the whole block in the list and freeing it again at exit can lead to double frees. Reviewed-by: Daniel Kiper 2024-06-20 Mate Kukri kern/efi/mm: Change VasEBoot_efi_allocate_pages_real() to call semantically correct free function If the firmware happens to return 0 as an address of allocated pages, VasEBoot_efi_allocate_pages_real() tries to allocate a new set of pages, and then free the ones at address 0. However at that point VasEBoot_efi_store_alloc() wasn't yet called, so freeing the pages at 0 using VasEBoot_efi_free_pages() which calls VasEBoot_efi_drop_alloc() isn't necessary, so let's call b->free_pages() instead. The call to VasEBoot_efi_drop_alloc() doesn't seem particularly harmful, because it seems to do nothing if the allocation it is asked to drop isn't on the list, but the call to it is obviously unnecessary here. Reviewed-by: Daniel Kiper 2024-06-20 Mate Kukri kern/efi/mm: Change VasEBoot_efi_mm_add_regions() to keep track of map allocation size If the map was too big for the initial allocation, it was freed and replaced with a bigger one, but the free call still used the hard-coded size. Seems like this wasn't hit for a long time, because most firmware maps fit into 12K. This bug was triggered on Project Mu firmware with a big memory map, and results in the heap getting trashed and the firmware ASSERTING on corrupted heap guard values when VAS_EBOOT exits. Reviewed-by: Daniel Kiper 2024-06-20 Yifan Zhao tests/util/VasEBoot-fs-tester: Fix EROFS label tests in VasEBoot-fs-tester mkfs.erofs with version < 1.6 does not support the -L option. Let's detect the version of mkfs.erofs and skip the label tests if it is not supported. Suggested-by: Glenn Washburn Reviewed-by: Daniel Kiper 2024-06-20 Glenn Washburn tests: Switch to requiring exfatprogs from exfat-utils The current Debian stable, now 12, has dropped the exfat-utils package that the exfat filesystem test requires to run. There is an exfatprogs package that replaces exfat-utils, though it is not a drop-in replacement because mkfs.exfat has differing command line option names. Note, that we're not yet switching to using the exfat kernel module because this allows the testings on kernels that do not have the module. Update mkfs.exfat usage to adhere to the different exfatprogs usage. Also, the exfatprogs mkfs.exfat, following the exfat specification more closely, only allows a maximum of 22 bytes of UTF-16 characters in the volume label compared to 30 bytes from exfat-utils. So the exfat label test is updated accordingly. Update documentation to note that exfatprogs is now needed and also exfat-fuse, which is needed do the fuse mount. Reviewed-by: Daniel Kiper 2024-06-20 Glenn Washburn tests/util/VasEBoot-shell-luks-tester: Fix detached header test getting wrong header path When $detached_header was set 1, $luksdiskfile was set to the LUKS header file path with "${detached_header:-$luksfile}" appended, which evaluates to "1". Fix this by using two statements to set $luksdiskfile. The first sets it to the header file if $detached_header is set, otherwise leave it unset. The second statement sets it to itself if it is already set, otherwise it is set to $luksfile. Fixes: a7b540e6e (tests: Add cryptomount functional test) Reviewed-by: Daniel Kiper 2024-06-20 Glenn Washburn tests/util/VasEBoot-shell: Add flexibility in QEMU firmware handling First look for firmware files in the source directory and then, if not found, look for them in locations where Debian installs them. Prefer to use the unified firmware file and, if not found, use the pflash firmware files split in to code and variables. By looking for files in the source directory first, system firmware files can be overridden and it can be ensured that the tests can be run regardless of the distro or where the system firmware files are stored. If no firmware files are found, print an error message and exit with error. If a firmware VARS file is found, use it with snapshot mode enabled, which makes the VARS writable to the virtual machine, but does not write back the changes to the file. This allows using the readonly system VARS file without copying it or using it in readonly mode, which causes the ARM machine to fail. This also gives tests effectively their own ephemeral VARS file that can be written to without causing side-effects for other tests. Reviewed-by: Daniel Kiper 2024-06-20 Glenn Washburn tests/util/VasEBoot-shell: Use pflash instead of -bios to load UEFI firmware According to the OVMF whitepaper [1]: IMPORTANT: Never pass OVMF.fd to qemu with the -bios option. That option maps the firmware image as ROM into the guest's address space, and forces OVMF to emulate non-volatile variables with a fallback driver that is bound to have insufficient and confusing semantics. Use the pflash interface instead. Currently the unified firmware file is used, which contains both firmware code and variable sections. By enabling snapshot on the pflash device, the firmware can be loaded in such a way that variables can be written to without writing to the backing file. Since pflash does no searching for firmware paths that are not absolute, unlike the -bios option, also make firmware paths absolute. Additionally, update the previous firmware paths or file names that did not correspond to ones installed by Debian. Use the q35 machine, instead of the default i440fx, for i386-efi because the default machine type does not emulate a flash device, which is now needed to load the firmware. [1] http://www.linux-kvm.org/downloads/lersek/ovmf-whitepaper-c770f8c.txt Reviewed-by: Daniel Kiper 2024-06-20 Glenn Washburn tests/util/VasEBoot-shell: Print gdbinfo if on EFI platform Allow using GDB to debug a failing QEMU test. This output does not cause issues for tests because it happens before the trim line, and so will be ignored. Reviewed-by: Daniel Kiper 2024-06-20 Glenn Washburn configure: Add Debian/Ubuntu DejaVu font path Reviewed-by: Daniel Kiper 2024-06-20 Udo Steinberg term/ns8250-spcr: Add one more 16550 debug type Type 0x01 was introduced with the ACPI DBGP table and type 0x12 was introduced with the ACPI DBG2 table. Type 0x12 is used by the ACPI SPCR table on recent AWS bare-metal instances (c6i/c7i). Also give each debug type a proper name. Reviewed-by: Glenn Washburn Reviewed-by: Daniel Kiper 2024-06-20 Vladimir Serbinenko loader/i386/multiboot_mbi: Fix handling of errors in broken aout-kludge Current code in some codepaths neither discards nor reports errors. Properly surface the error. While on it split 2 cases of unrelated variables both named err. Reviewed-by: Daniel Kiper 2024-06-20 Michael Chang net/drivers/ieee1275/ofnet: Remove 200 ms timeout in get_card_packet() to reduce input latency When VAS_EBOOT image is netbooted on ppc64le, the keyboard input exhibits significant latency, reports even say that characters are processed about once per second. This issue makes interactively trying to debug a ppc64le config very difficult. It seems that the latency is largely caused by a 200 ms timeout in the idle event loop, during which the network card interface is consistently polled for incoming packets. Often, no packets arrive during this period, so the timeout nearly always expires, which blocks the response to key inputs. Furthermore, this 200 ms timeout might not need to be enforced at this basic layer, considering that VAS_EBOOT performs synchronous reads and its timeout management is actually handled by higher layers, not directly in the card instance. Additionally, the idle polling, which reacts to unsolicited packets like ICMP and SLAAC, would be fine at a less frequent polling interval, rather than needing a timeout for receiving a response. For these reasons, we believe the timeout in get_card_packet() should be effectively removed. According to test results, the delay has disappeared, and it is now much easier to use interactively. Signed-Off-by: Michael Chang Tested-by: Tony Jones Reviewed-by: Daniel Kiper 2024-06-06 Hector Cao commands/efi/tpm: Re-enable measurements on confidential computing platforms The measurements for confidential computing has been introduced in the commit 4c76565b6 (efi/tpm: Add EFI_CC_MEASUREMENT_PROTOCOL support). Recently the patch 30708dfe3 (tpm: Disable the tpm verifier if the TPM device is not present) has been introduced to optimize the memory usage when a TPM device is not available on platforms. This fix prevents the tpm module to be loaded on confidential computing platforms, e.g. Intel machines with TDX enabled, where the TPM device is not available. In this patch, we propose to load the tpm module for this use case by generalizing the tpm feature detection in order to cover CC platforms. Basically, we do it by detecting the availability of the EFI_CC_MEASUREMENT_PROTOCOL EFI protocol. Fixes: https://savannah.gnu.org/bugs/?65821 Fixes: 30708dfe3 (tpm: Disable the tpm verifier if the TPM device is not present) Reviewed-by: Daniel Kiper Reviewed-by: Kuppuswamy Sathyanarayanan 2024-06-06 Tianjia Zhang util/VasEBoot-mkpasswd-pbkdf2: Simplify the main function implementation Allocate memory if needed, while saving the corresponding release operation, reducing the amount of code and code complexity. Reviewed-by: Daniel Kiper 2024-06-06 Avnish Chouhan kern/ieee1275/init: Add IEEE 1275 Radix support for KVM on Power This patch adds support for Radix, Xive and Radix_gtse in Options vector5 which is required for KVM LPARs. KVM LPARs ONLY support Radix and not the Hash. Not enabling Radix on any PowerVM KVM LPARs will result in boot failure. Reviewed-by: Daniel Kiper 2024-06-06 Vladimir Serbinenko fs/zfs/zfs: Mark vdev_zaps_v2 and head_errlog as supported We don't need any actual adjustments as we don't use the affected structures. Reviewed-by: Daniel Kiper 2024-06-06 Vladimir Serbinenko types: Add missing casts in compile-time byteswaps Without them, e.g., 0x80LL on 64-bit target is 32-bit byte-swapped to 0xffffffff80000000 instead of correct 0x80000000. Reviewed-by: Daniel Kiper 2024-06-06 Vladimir Serbinenko font: Add Fedora-specific font paths Reviewed-by: Daniel Kiper fs/bfs: Fix improper VasEBoot_free() on non-existing files Reviewed-by: Daniel Kiper 2024-06-06 Daniel Axtens io/gzio: Properly init a table ARRAY_SIZE() is the count of elements, but the element size is 4 bytes, so this was only initing the first 1/4th of the table. Detected with valgrind. This should only matter in error paths, and I've not been able to identify any actual misbehaviour that results from reading in-bounds but uninited data. Reviewed-by: Daniel Kiper 2024-06-06 Daniel Axtens io/gzio: Abort early when get_byte() reads nothing This isn't intended to be a functional change, but it makes a lot of failures a lot faster, which is extremely helpful for fuzzing. Without this change, we keep trying and trying to read more bytes into our buffer, never being able to (read always returns 0) and so we just return old buffer contents over and over until the decompression process fails some other way. Reviewed-by: Daniel Kiper 2024-06-06 Alec Brown cli_lock: Add build option to block command line interface Add functionality to disable command line interface access and editing of VAS_EBOOT menu entries if VAS_EBOOT image is built with --disable-cli. Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2024-05-23 Yifan Zhao fs/erofs: Add tests for EROFS in VasEBoot-fs-tester This patch introduces three EROFS tests which cover compact, extended and chunk-based inodes respectively. Reviewed-by: Glenn Washburn Reviewed-by: Daniel Kiper 2024-05-23 Yifan Zhao fs/erofs: Add support for the EROFS The EROFS [1] is a lightweight read-only filesystem designed for performance which has already been shipped in most Linux distributions as well as widely used in several scenarios, such as Android system partitions, container images and rootfs for embedded devices. This patch brings in the EROFS uncompressed support. Now, it's possible to boot directly through VAS_EBOOT with an EROFS rootfs. Support for the EROFS compressed files will be added later. [1] https://erofs.docs.kernel.org Tested-by: Daniel Axtens Reviewed-by: Daniel Kiper 2024-05-23 Gao Xiang safemath: Add ALIGN_UP_OVF() which checks for an overflow The following EROFS patch will use this helper to handle ALIGN_UP() overflow. Reviewed-by: Daniel Kiper 2024-05-23 Jonathan Davies docs: Fix spelling mistakes Reviewed-by: Daniel Kiper 2024-05-23 Pascal Hambourg util/VasEBoot.d/00_header.in: Quote background image pathname in output This is required if the pathname contains spaces or VAS_EBOOT shell metacharacters else the generated config file check will fail. Reviewed-by: Daniel Kiper 2024-05-23 Rogier disk/lvm: VAS_EBOOT fails to detect LVM volumes due to an incorrect computation of mda_end When handling a regular LVM volume, VAS_EBOOT can fail with the message: error: disk `lvmid/******-****-****-****-****-****-****/******-****-****-****-****-****-******' not found. If the condition which triggers this exists, VasEBoot-probe will report the error mentioned above. Similarly, the VAS_EBOOT boot code will fail to detect LVM volumes, resulting in a failure to boot off of LVM disks/partitions. The condition can be created on any LVM VG by an LVM configuration change, so any system with /boot on LVM can become unbootable at "any" time (after any LVM configuration change). The problem is caused by an incorrect computation of mda_end in disk/lvm.c, when the metadata area wraps around. Apparently, this can start happening at around 220 metadata changes to the VG. Fixes: 879c4a834 (lvm: Fix two more potential data-dependent alloc overflows) Fixes: https://savannah.gnu.org/bugs/?61620 Reviewed-by: Daniel Kiper Tested-By: Michael Chang 2024-05-09 Forest disk/cryptodisk: Allow user to retry failed passphrase Give the user a chance to re-enter their cryptodisk passphrase after a typo, rather than immediately failing (and likely dumping them into a VAS_EBOOT shell). By default, we allow 3 tries before giving up. A value in the cryptodisk_passphrase_tries environment variable will override this default. The user can give up early by entering an empty passphrase, just as they could before this patch. Reviewed-by: Daniel Kiper 2024-05-09 Lidong Chen disk/mdraid1x_linux: Prevent infinite recursion The test corpus for version-1 RAID generated an infinite recursion in VasEBoot_partition_iterate() while attempting to read the superblock. The reason for the issue was that the data region overlapped with the superblock. The infinite call loop looks like this: VasEBoot_partition_iterate() -> partmap->iterate() -> -> VasEBoot_disk_read() -> VasEBoot_disk_read_small() -> -> VasEBoot_disk_read_small_real() -> VasEBoot_diskfilter_read() -> -> read_lv() -> read_segment() -> VasEBoot_diskfilter_read_node() -> -> VasEBoot_disk_read() -> VasEBoot_disk_read_small() -> ... The fix adds checks for both the superblock region and the data region when parsing the superblock metadata in VasEBoot_mdraid_detect(). Reviewed-by: Daniel Kiper 2024-05-09 Ard Biesheuvel efi: Fix stack protector issues The "ground truth" stack protector cookie value is kept in a global variable, and loaded in every function prologue and epilogue to store it into resp. compare it with the stack slot holding the cookie. If the comparison fails, the program aborts, and this might occur spuriously when the global variable changes values between the entry and exit of a function. This implies that assigning the global variable at boot should not involve any instrumented function calls, unless special care is taken to ensure that the live call stack is synchronized, which is non-trivial. So avoid any function calls, including VasEBoot_memcpy(), which is unnecessary given that the stack cookie is always a suitably aligned variable of the native word size. While at it, leave the last byte 0x0 to avoid inadvertent unbounded strings on the stack. Note that the use of __attribute__((optimize)) is described as unsuitable for production use in the GCC documentation, so let's drop this as well now that it is no longer needed. Reviewed-by: Daniel Kiper 2024-05-09 Oliver Steffen build: Track explicit module dependencies in Makefile.core.def Add a new keyword, "depends", to the module definition syntax used in Makefile.core.def. This allows specifying explicit module dependencies together with the module definition. Do not track the "extra_deps.lst" file in the repository anymore, it is now auto-generated. Make use of this new keyword in the bli module definition. Reviewed-by: Daniel Kiper 2024-04-11 Daniel Kiper windows: Add _stack_chk_guard/_stack_chk_fail symbols for Windows 64-bit target Otherwise the VAS_EBOOT cannot start due to missing symbols when stack protector is enabled on EFI platforms. Reviewed-by: Vladimir Serbinenko 2024-04-11 Gary Lin util/bash-completion: Fix for bash-completion 2.12 _split_longopt() was the bash-completion private API and removed since bash-completion 2.12. This commit initializes the bash-completion general variables with _init_completion() to avoid the potential "command not found" error. Although bash-completion 2.12 introduces _comp_initialize() to deprecate _init_completion(), _init_completion() is still chosen for the better backward compatibility. Reviewed-by: Daniel Kiper 2024-04-11 Vladimir 'phcoder' Serbinenko util/VasEBoot-fstest: Add a new command zfs-bootfs It is useful to check zfs-bootfs command. Reviewed-by: Daniel Kiper 2024-04-11 Vladimir 'phcoder' Serbinenko efi: Enable CMOS on x86 EFI platforms The CMOS actually exists on most EFI platforms and in some cases is used to store useful data that makes it justifiable for VAS_EBOOT to read/write it. As for date and time keep using EFI API and not CMOS one. Reviewed-by: Daniel Kiper 2024-04-11 Vladimir 'phcoder' Serbinenko acpi: Mark MADT entries as packed No alignment is guaranteed and in fact on my IA-64 SAPIC is aligned to 4 bytes instead of 8 and causes a trap. It affects only rarely used lsacpi command and so went unnoticed. Reviewed-by: Daniel Kiper 2024-04-11 Michael Chang gfxmenu/view: Resolve false VasEBoot_errno disrupting boot process When enabling gfxmenu and choosing to boot the Xen hypervisor from its menu, an error occurred: error: ../../VasEBoot-core/video/bitmap_scale.c:42:null src bitmap in VasEBoot_video_create_scaled. The error is returned by VasEBoot_video_bitmap_create_scaled() when the source pixmap is not there. The init_background() uses it to scale up the background image so it can fully fit into the screen resolution. However not all backgrounds are set by a image, i.e. the "desktop-image" property of the theme file. Instead a color code may be used, for example OpenSUSE's green background uses "desktop-color" property: desktop-color: "#0D202F" So it is absolutely fine to call init_background() without a raw pixmap if color code is used. A missing check has to be added to ensure the VasEBoot_errno will not be erroneously set and gets in the way of ensuing boot process. The reason it happens sporadically is due to VasEBoot_errno is reset to VAS_EBOOT_ERR_NONE in other places if a function's error return can be ignored. In particular this hunk in VasEBoot_gfxmenu_create_box() does the majority of the reset of VasEBoot_errno returned by init_background(), but the path may not be always chosen. VasEBoot_video_bitmap_load (&box->raw_pixmaps[i], path); VasEBoot_free (path); /* Ignore missing pixmaps. */ VasEBoot_errno = VAS_EBOOT_ERR_NONE; In any case, we cannot account on such random behavior and should only return VasEBoot_errno if it is justified. On the occasion move the VasEBoot_video_bitmap struct definition to the beginning of the function. Reviewed-by: Daniel Kiper 2024-04-11 Jon DeVree fs/xfs: Handle non-continuous data blocks in directory extents The directory extent list does not have to be a continuous list of data blocks. When VAS_EBOOT tries to read a non-existant member of the list, VasEBoot_xfs_read_file() will return a block of zero'ed memory. Checking for a zero'ed magic number is sufficient to skip this non-existant data block. Prior to commit 07318ee7e (fs/xfs: Fix XFS directory extent parsing) this was handled as a subtle side effect of reading the (non-existant) tail data structure. Since the block was zero'ed the computation of the number of directory entries in the block would return 0 as well. Fixes: 07318ee7e (fs/xfs: Fix XFS directory extent parsing) Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2254370 Reviewed-By: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2024-02-15 Julian Andres Klode Revert "templates: Reinstate unused version comparison functions with warning" We reinstated these functions before the 2.12 release with a warning such that users upgrading to 2.12 who had custom scripts using them would not get broken in the upgrade and agreed to remove them after the 2.12 release. This removes them accordingly. This reverts commit e7a831963 (templates: Reinstate unused version comparison functions with warning). Cc: Mathieu Desnoyers Cc: Daniel Kiper Reviewed-by: Daniel Kiper 2024-02-15 Gary Lin util/bash-completion: Load scripts on demand There are two system directories for bash-completion scripts. One is /usr/share/bash-completion/completions/ and the other is /etc/bash_completion.d/. The "etc" scripts are loaded in advance and for backward compatibility while the "usr" scripts are loaded on demand. To load scripts on demand it requires a corresponding script for every command. So, the main bash-completion script is split into several subscripts for different "VasEBoot-*" commands. To share the code the real completion functions are still implemented in "VasEBoot" and each subscript sources "VasEBoot" and invokes the corresponding function. Reviewed-by: Daniel Kiper 2024-01-25 Samuel Thibault util/VasEBoot.d/10_hurd.in: Find proper ld.so on 64-bit systems The 64-bit ABI defines ld.so to be /lib/ld-x86-64.so.1. Reviewed-by: Daniel Kiper 2024-01-25 Samuel Thibault osdep/hurd/getroot: Fix 64-bit build The file_get_fs_options() takes a mach_msg_type_number_t, 32-bit, not a size_t, 64-bit on 64-bit platforms. Reviewed-by: Vladimir Serbinenko Reviewed-by: Daniel Kiper 2024-01-25 Alec Brown loader/i386/multiboot_mbi: Clean up redundant code In VasEBoot-core/loader/i386/multiboot_mbi.c, Coverity spotted redundant code where the variable err was being set to VAS_EBOOT_ERR_NONE and then being overwritten later without being used. Since this is unnecessary, we can remove the code that sets err to VAS_EBOOT_ERR_NONE. Fixes: CID 428877 Reviewed-by: Daniel Kiper 2024-01-25 Alec Brown osdep/unix/getroot: Clean up redundant code In VasEBoot-core/osdep/unix/getroot.c, Coverity spotted redundant code where the double pointer os_dev was being set to 0 and then being overwritten later without being used. Since this is unnecessary, we can remove the code that sets os_dev to 0. Fixes: CID 428875 Reviewed-by: Daniel Kiper 2024-01-25 Alec Brown fs/jfs: Clean up redundant code In VasEBoot-core/fs/jfs.c, Coverity spotted redundant code where the pointer diro was being set to 0 and then being overwritten later without being used. Since this is unnecessary, we can remove the code that sets diro to 0. Fixes: CID 428876 Reviewed-by: Daniel Kiper 2024-01-25 Gary Lin tests: Switch password quality check off for luks2 test When adding/changing the password for the luks2 partition, cryptsetup may reject the command due to the weak password. Since this is only for testing, add "--force-password" to switch password quality check off to avoid the unexpected failure. Reviewed-by: Glenn Washburn Reviewed-by: Daniel Kiper 2023-12-22 Oskari Pirhonen build: Include VasEBoot-core/extra_deps.lst in dist Fixes build failure due to the extra_deps.lst file not existing in the tarball. Found while trying to package VAS_EBOOT 2.12 for Gentoo. make[3]: *** No rule to make target '/var/tmp/portage/sys-boot/VasEBoot-2.12/work/VasEBoot-2.12/VasEBoot-core/extra_deps.lst', needed by 'syminfo.lst'. Stop. Fixes: 89fbe0cac (VasEBoot-core/Makefile.am: Make path to extra_deps.lst relative to $(top_srcdir)/VasEBoot-core) Fixes: 154dcb1ae (build: Allow explicit module dependencies) Reviewed-by: Daniel Kiper 2023-12-20 Daniel Kiper Bump version to 2.13 Release 2.12 2023-12-20 Glenn Washburn efi: Add support for reproducible builds Having randomly generated bytes in the binary output breaks reproducible builds. Since build timestamps are usually the source of irreproducibility there is a standard which defines an environment variable SOURCE_DATE_EPOCH to be used when set for build timestamps. According to the standard [1], the value of SOURCE_DATE_EPOCH is a base-10 integer of the number of seconds since the UNIX epoch. Currently, this is a 10 digit number that fits into 32-bits, but will not shortly after the year 2100. So to be future-proof only use the least significant 32-bits. On 64-bit architectures, where the canary is also 64-bits, there is an extra 32-bits that can be filled to provide more entropy. The first byte is NUL to filter out string buffer overflow attacks and the remaining 24-bits are set to static random bytes. [1] https://reproducible-builds.org/specs/source-date-epoch Reviewed-by: Daniel Kiper 2023-12-20 Glenn Washburn efi: Generate stack protector canary at build time if urandom is available Generating the canary at build time allows the canary to be different for every build which could limit the effectiveness of certain exploits. Fallback to the statically generated random bytes if /dev/urandom is not readable, e.g. Windows. On 32-bit architectures, which use a 32-bit canary, reduce the canary to 4 bytes with one byte being NUL to filter out string buffer overflow attacks. Reviewed-by: Daniel Kiper 2023-12-20 Glenn Washburn efi: Initialize canary to non-zero value The canary, __stack_chk_guard, is in the BSS and so will get initialized to zero if it is not explicitly initialized. If the UEFI firmware does not support the RNG protocol, then the canary will not be randomized and will be zero. This seems like a possibly easier value to write by an attacker. Initialize canary to static random bytes, so that it is still random when there is no RNG protocol. Set at least one byte to NUL to protect against string buffer overflow attacks [1]. Code that writes NUL terminated strings will terminate when a NUL is encountered in the input byte stream. So the attacker will not be able to forge the canary by including it in the input stream without terminating the string operation and thus limiting the stack corruption. [1] https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage/ Reviewed-by: Daniel Kiper 2023-12-14 Alec Brown gfxmenu/gui_image: Fix double free of bitmap In VasEBoot-core/gfxmenu/gui_image.c, Coverity detected a double free in the function load_image(). The function checks if self->bitmap and self->raw_bitmap aren't NULL and then frees them. In the case self->bitmap and self->raw_bitmap are the same, only self->raw_bitmap is freed which would also free the memory used by self->bitmap. However, in this case self->bitmap isn't being set to NULL which could lead to a double free later in the code. After self->raw_bitmap is freed, it gets set to the variable bitmap. If this variable is NULL, the code could have a path that would free self->bitmap a second time in the function rescale_image(). Fixes: CID 292472 Reviewed-by: Daniel Kiper 2023-12-13 Qiumiao Zhang commands/acpi: Fix calculation of ACPI tables addresses when processing RSDT and XSDT According to the ACPI specification the XSDT Entry field contains an array of 64-bit physical addresses which points to other DESCRIPTION_HEADERs. However, the entry_ptr iterator is defined as a 32-bit pointer. It means each 64-bit entry in the XSDT table is treated as two separate 32-bit entries then. Fix the issue by using correct addresses sizes when processing RSDT and XSDT tables. Reviewed-by: Daniel Kiper 2023-12-13 Vladimir Serbinenko libnvpair: Support prefixed nvlist symbol names as found on NetBSD NetBSD uses slightly different function names for the same functions. Reviewed-by: Daniel Kiper 2023-12-13 Vladimir Serbinenko bootstrap: Don't check gettext version NetBSD gettext is older than the check but we don't actually need 0.18.3, older one works fine. This is needed to make bootstrap work on NetBSD. Reviewed-by: Daniel Kiper 2023-12-13 Vladimir Serbinenko kern/mm: Use %x and cast for displaying sizeof() There is some variance in how compiler treats sizeof() especially on 32-bit platforms where it can be naturally either int or long. Explicit cast solves the issue. Reviewed-by: Daniel Kiper 2023-12-13 Vladimir Serbinenko configure: Add RPATH for freetype on NetBSD Without this build-time mkfont fails dynamic linking. This is not ideal but improves the situation until a better solution is available. Reviewed-by: Daniel Kiper 2023-12-13 Vladimir Serbinenko configure: Add *BSD font paths *BSD puts fonts in other places. Add them to the list. Reviewed-by: Daniel Kiper 2023-12-13 Vladimir Serbinenko autogen: Accept python3.10 as a python alternative NetBSD doesn't provide python or python3. Reviewed-by: Daniel Kiper 2023-12-12 Vladimir Serbinenko build: Rename HAVE_LIBZFS to USE_LIBZFS The HAVE_LIBZFS is defined by libzfs test and hence conflicts with manual definition. On NetBSD it ends up detecting zfs but not detecting nvpair and creates confusion. Split them. Reviewed-by: Daniel Kiper 2023-12-12 Vladimir Serbinenko gnulib: Tolerate always_inline attribute being ignored It's not critical, -Werror on it is inappropriate. We don't want to modify gnulib too much. This warning is pretty much irrelevant. Reviewed-by: Daniel Kiper 2023-12-12 Vladimir Serbinenko util/editenv: Don't use %m formatter It's not available on NetBSD outside of syslog. Using strerror() is more reliable as we retrieve errno immediately rather than down the stack. Reviewed-by: Daniel Kiper 2023-12-12 Vladimir Serbinenko osdep/bsd/hostdisk: Fix NetBSD compilation Wrong function and variable name cause a stupid compilation error on NetBSD and OpenBSD. Only NetBSD and OpenBSD use this file. No other platform is affected. Additionally, define RAW_FLOPPY_MAJOR constant if it is missing. Reviewed-by: Daniel Kiper 2023-12-12 Vladimir Serbinenko osdep/generic/blocklist: Fix compilation After recent change in blocklist types we have a type mismatch. Fixing it requires a wrapper or large changes. I feel like wrapper makes more sense. Without this patch we end up with a compilation problem and without wrapping callback data is not passed properly anymore. Reviewed-by: Daniel Kiper 2023-12-12 Vladimir Serbinenko disk/diskfilter: Remove unused variable Variable e is set but never used. We can just remove it now. Reviewed-by: Daniel Kiper 2023-12-12 Vladimir Serbinenko build: Tolerate unused-but-set in generated lexer/bison files We don't really control the small aspects of generated files and NetBSD version has an unused variable that is then detected by gcc as warning that is then promoted to error. Reviewed-by: Daniel Kiper 2023-12-12 Vladimir Serbinenko loader/i386/bsdXX: Fix loading after unaligned module Current code implicitly assumes that aligning chunk_size + *kern_end is the same as aligning on curload which is not the case because chunk_size starts at zero even if *kern_end is unaligned and ALIGN_PAGE moved curload to an aligned position but not *kern_end + chunk_size. This fixes booting of FreeBSD with zfs module. Reviewed-by: Daniel Kiper 2023-12-12 Mate Kukri VasEBoot-core/Makefile.am: Make path to extra_deps.lst relative to $(top_srcdir)/VasEBoot-core The commit 154dcb1ae (build: Allow explicit module dependencies) broke out of tree builds by introducing the extra_deps.lst file into the source tree but referencing it just by name in VasEBoot-core/Makefile.am. Fix it by adding $(top_srcdir)/VasEBoot-core to the path. Fixes: 154dcb1ae (build: Allow explicit module dependencies) Reviewed-by: Daniel Kiper 2023-12-12 Mate Kukri util/VasEBoot-install: Move platdir path canonicalization after files were copied to VasEBootdir The commit 3f9eace2d (util/VasEBoot-install: Delay copying files to {VasEBootdir,platdir} after install_device was validated) delaying copying of files caused a regression when installing without an existing directory structure. This patch ensures that the platform directory actually exists by the time the code tries to canonicalize its filename. Fixes: 3f9eace2d (util/VasEBoot-install: Delay copying files to {VasEBootdir,platdir} after install_device was validated) Reviewed-by: Daniel Kiper 2023-12-12 Michael Chang util/VasEBoot-mkstandalone: Ensure deterministic tar file creation by sorting contents The add_tar_files() function currently iterates through a directory's content using readdir(), which doesn't guarantee a specific order. This lack of deterministic behavior impacts reproducibility in the build process. This commit resolves the issue by introducing sorting functionality. The list retrieved by readdir() is now sorted alphabetically before incorporation into the tar archive, ensuring consistent and predictable file ordering within the archive. On the occasion fix tfp memory leak. Reviewed-by: Daniel Kiper 2023-12-12 Michael Chang util/VasEBoot-mkstandalone: Ensure stable timestamps for generated images This change mirrors a previous fix [1] but is specific to images generated by VasEBoot-mkstandalone. The former fix, commit 85a7be241 (util/mkimage: Use stable timestamp when generating binaries.), focused on utilizing a stable timestamp during binary generation in the util/mkimage context. This commit extends that approach to the images produced by VasEBoot-mkstandalone, ensuring consistency and stability in timestamps across all generated binaries. [1] 85a7be241 util/mkimage: Use stable timestamp when generating binaries. Reviewed-by: Daniel Kiper 2023-12-05 Mate Kukri net/http: Fix gcc-13 errors relating to type signedness Replace definition of HTTP_PORT with a pre-processor macro that converts the constant to the correct VasEBoot_uint16_t type. Change "port" local variable definition in http_establish() to have the same type. Reviewed-by: Daniel Kiper templates: Reinstate unused version comparison functions with warning Revert the commit a79c567f6 (templates: Remove unused version comparison functions) and add a warning to the functions that they are deprecated. Removing the functions directly caused a lot of upgrade issues with custom user scripts that called the functions. In Debian and Ubuntu, VasEBoot-mkconfig is invoked as a post-installation script and would fail, causing upgrades to fail halfway through and putting the package manager into an inconsistent state. FWIW, we get one bug per 2 weeks basically, for an interim Ubuntu release which generally does not receive much usage, that is a high number. The proposal is to pick this for 2.12 and directly after the release remove it again. Then users will have time to fix their scripts without systems breaking immediately. This reverts commit a79c567f6 (templates: Remove unused version comparison functions). Cc: Mathieu Desnoyers Cc: Daniel Kiper Reviewed-by: Daniel Kiper 2023-12-05 Mate Kukri util/VasEBoot-install: Delay copying files to {VasEBootdir,platdir} after install_device was validated Previously VasEBoot-install copied modules to VasEBootdir before doing any validation on the install_device. When VasEBoot-install was called with an invalid install_device, modules were already copied to /boot before it found out and was forced to rely on atexit() rollback. This patch delays copying the modules after at least some install_device validation was done, and thus reduces reliance on successful rollback. Reviewed-by: Daniel Kiper 2023-12-05 Julian Andres Klode efi: Set shim_lock_enabled even if validation is disabled If validation has been disabled via MokSbState, secure boot on the firmware is still enabled, and the kernel fails to boot. This is a bit hacky, because shim_lock is not *fully* enabled, but it triggers the right code paths. Ultimately, all this will be resolved by shim gaining it's own image loading and starting protocol, so this is more a temporary workaround. Fixes: 6425c12cd (efi: Fallback to legacy mode if shim is loaded on x86 archs) Cc: Peter Jones Cc: Michael Chang Reviewed-by: Daniel Kiper 2023-12-05 Oliver Steffen docs: Improve bli module documentation Improve the documentation of the bli module and explain in more detail what it does. Make clear that GPT formatted drives are expected and other partition formats are ignored. Also reorder and reword this section a bit. Reviewed-by: Daniel Kiper 2023-12-05 Oliver Steffen bli: Add explicit dependency on the part_gpt module The bli module has a "hidden" dependency on the part_gpt module, which is not picked up automatically by the build system. One purpose of the bli module is to communicate the GPT UUID of the partition VAS_EBOOT was launched from to Linux user-space (systemd-gpt-auto-generator). Without the part_gpt module, bli is not able to obtain the UUID. Since bli does its work in the module initialization function, the order in which the modules are loaded is also important: part_gpt needs to be loaded before the bli module. To solve this, track this dependency explicitly. Note that the Boot Loader Interface specification, which bli aims to implement, requires GPT formatted drives. The bli module ignores all other partition formats. Reviewed-by: Daniel Kiper 2023-12-05 Oliver Steffen build: Allow explicit module dependencies The build system deduces inter-module dependencies from the symbols required and exported by the modules. This works well, except for some rare cases where the dependency is indirect or hidden. A module might not make use of any function of some other module, but still expect its functionality to be available to VAS_EBOOT. To solve this, introduce a new file, currently empty, called extra_deps.lst to track these cases manually. This file gets processed in the same way as the automatically generated syminfo.lst, making it possible to inject data into the dependency resolver. Since *.lst files are set to be ignored by git, add an exception for extra_deps.lst. Additionally, introduce a new keyword for the syminfo.lst syntax: "depends" allows specifying a module dependency directly: depends ... Reviewed-by: Daniel Kiper 2023-12-05 Stefan Berger kern/ieee1275/init/ppc64: Display upper_mem_limit when debugging Display upper_mem_limit and its rounded-down value in MiB. Reviewed-by: Daniel Kiper 2023-12-05 Stefan Berger kern/ieee1275/init/ppc64: Fix a comment Reviewed-by: Daniel Kiper 2023-12-05 Stefan Berger kern/ieee1275/ieee1275: Display successful memory claims when debugging Display successful memory claims with exact address and rounded-down MiB location and rounded-up size in MiB. Reviewed-by: Daniel Kiper Cc: Eric Snowberg Cc: Hari Bathini Cc: Pavithra Prakash Cc: Michael Ellerman Cc: Carolyn Scherrer Cc: Mahesh Salgaonkar Cc: Sourabh Jain 2023-12-05 Stefan Berger loader/powerpc/ieee1275: Use new allocation function for kernel and initrd On PowerVM and KVM on Power use the new memory allocation function that honors restrictions on which memory VAS_EBOOT can actually use. In the request structure indicate the request for a single memory block along with address alignment restrictions. Request direct usage of the memory block by setting init_region to false (prevent it from being added to VAS_EBOOT's heap). Initialize the found addr to -1, so that -1 will be returned to the loader in case no memory could be allocated. Report an out-of-memory error in case the initrd could not be loaded. Reviewed-by: Daniel Kiper Cc: Hari Bathini Cc: Pavithra Prakash Cc: Michael Ellerman Cc: Carolyn Scherrer Cc: Mahesh Salgaonkar Cc: Sourabh Jain 2023-12-05 Stefan Berger kern/ieee1275/cmain/ppc64: Introduce flags to identify KVM and PowerVM Introduce flags to identify PowerVM and KVM on Power and set them where each type of host has been detected. Reviewed-by: Daniel Kiper Cc: Hari Bathini Cc: Pavithra Prakash Cc: Michael Ellerman Cc: Carolyn Scherrer Cc: Mahesh Salgaonkar Cc: Sourabh Jain 2023-12-05 Stefan Berger kern/ieee1275/init/ppc64: Rename regions_claim() to VasEBoot_regions_claim() Rename regions_claim() to VasEBoot_regions_claim() to make it available for memory allocation. The ieee1275 loader will use this function on PowerVM and KVM on Power and thus avoid usage of memory that it is not allowed to use. Reviewed-by: Daniel Kiper Cc: Hari Bathini Cc: Pavithra Prakash Cc: Michael Ellerman Cc: Carolyn Scherrer Cc: Mahesh Salgaonkar Cc: Sourabh Jain 2023-12-05 Stefan Berger kern/ieee1275/init/ppc64: Add support for alignment requirements Add support for memory alignment requirements and adjust a candidate address to it before checking whether the block is large enough. This must be done in this order since the alignment adjustment can make a block smaller than what was requested. None of the current callers has memory alignment requirements but the ieee1275 loader for kernel and initrd will use it to convey them. Reviewed-by: Daniel Kiper Cc: Hari Bathini Cc: Pavithra Prakash Cc: Michael Ellerman Cc: Carolyn Scherrer Cc: Mahesh Salgaonkar Cc: Sourabh Jain 2023-12-05 Stefan Berger kern/ieee1275/init/ppc64: Return allocated address using context Return the allocated address of the memory block in the request structure if a memory allocation was actually done. Leave the address untouched otherwise. This enables a caller who wants to use the allocated memory directly, rather than adding the memory to the heap, to see where memory was allocated. None of the current callers need this but the converted ieee1275 loader will make use of it. Reviewed-by: Daniel Kiper Cc: Hari Bathini Cc: Pavithra Prakash Cc: Michael Ellerman Cc: Carolyn Scherrer Cc: Mahesh Salgaonkar Cc: Sourabh Jain 2023-12-05 Stefan Berger kern/ieee1275/init/ppc64: Decide by request whether to initialize region Let the regions_claim() request structure's init_region determine whether to call VasEBoot_mm_init_region() on it. This allows for adding memory to VAS_EBOOT's memory heap if init_region is set to true, or direct usage of the memory otherwise. Set all current callers' init_region to true since they want to add memory regions to VAS_EBOOT's heap. Reviewed-by: Daniel Kiper Cc: Hari Bathini Cc: Pavithra Prakash Cc: Michael Ellerman Cc: Carolyn Scherrer Cc: Mahesh Salgaonkar Cc: Sourabh Jain 2023-12-05 Stefan Berger kern/ieee1275/init/ppc64: Introduce a request for regions_claim() The regions_claim() function limits the allocation of memory regions by excluding certain memory areas from being used by VAS_EBOOT. This for example includes a gap between 640MB and 768MB as well as an upper limit beyond which no memory may be used when an fadump is present. However, the ieee1275 loader for kernel and initrd currently does not use regions_claim() for memory allocation on PowerVM and KVM on Power and therefore may allocate memory in those areas that it should not use. To make the regions_claim() function more flexible and ultimately usable for the ieee1275 loader, introduce a request structure to pass various parameters to the regions_claim() function that describe the properties of requested memory chunks. In a first step, move the total and flags variables into this structure. Reviewed-by: Daniel Kiper Cc: Hari Bathini Cc: Pavithra Prakash Cc: Michael Ellerman Cc: Carolyn Scherrer Cc: Mahesh Salgaonkar Cc: Sourabh Jain 2023-11-22 Anthony Iliopoulos fs/xfs: Add large extent counters incompat feature support XFS introduced 64-bit extent counters for inodes via a series of upstream commits and the feature was marked as stable in v6.5 via commit 61d7e8274cd8 (xfs: drop EXPERIMENTAL tag for large extent counts). Further, xfsprogs release v6.5.0 switched this feature on by default in mkfs.xfs via commit e5b18d7d1d96 (mkfs: enable large extent counts by default). Filesystems formatted with large extent count support, nrext64=1, are thus currently not recognizable by VAS_EBOOT, since this is an incompat feature. Add the required support so that those filesystems and inodes with large extent counters can be read by VAS_EBOOT. Reviewed-by: Andrey Albershteyn Reviewed-by: Daniel Kiper Tested-by: Marta Lewandowska Tested-by: Sebastian Andrzej Siewior 2023-11-08 Vladimir Serbinenko gpt: Add compile time asserts for guid and gpt_partentry sizes With new alignment specification it's easy to screw up. Fortunately if it happens the size will be bigger than intended. Compile time assert will catch this. Reviewed-by: Daniel Kiper 2023-11-08 Vladimir Serbinenko types: Split aligned and packed guids On ia64 alignment requirements are strict. When we pass a pointer to UUID it needs to be at least 4-byte aligned or EFI will crash. On the other hand in device path there is no padding for UUID, so we need 2 types in one formor another. Make 4-byte aligned and unaligned types The code is structured in a way to accept unaligned inputs in most cases and supply 4-byte aligned outputs. Efiemu case is a bit ugly because there inputs and outputs are reversed and so we need careful casts to account for this inversion. Reviewed-by: Daniel Kiper 2023-11-06 Vladimir Serbinenko gpt_partition: Mark VasEBoot_gpt_partentry as having natural alignment gpt_partition contains VasEBoot_guid. We need to decide whether the whole structure is unaligned and then we need to use packed_guid. But we never have unaligned part entries as we read them in an aligned buffer from disk. Hence just make it all aligned. 2023-11-06 Vladimir Serbinenko efi: Deduplicate configuration table search function We do table search in many places doing exactly the same algorithm. The only minor variance in users is which table is used if several entries are present. As specification mandates uniqueness and even if it ever isn't, first entry is good enough, unify this code and always use the first entry. Reviewed-by: Daniel Kiper 2023-11-06 Vladimir Serbinenko lsefi: Add missing static qualifier known_protocols isn't used anywhere else and even misses VasEBoot_ prefix, so let's make it local (static). Reviewed-by: Daniel Kiper 2023-11-06 Vladimir Serbinenko types: Fix typo Just a small grammar mistake. Reviewed-by: Daniel Kiper 2023-10-30 Qiumiao Zhang util/VasEBoot-mount: Check file path sanity The function argp_parser() in util/VasEBoot-mount.c lacks a check on the sanity of the file path when parsing parameters. This results in a segmentation fault if a partition is mounted to a non-existent path. Reviewed-by: Daniel Kiper 2023-10-30 Richard Marko configure: Make the DJVU_FONT_SOURCE configurable with --with-dejavufont=FILE Font might be located in different location, the default font might not be available on all systems or other font might be preferred. Reviewed-by: Daniel Kiper 2023-10-30 Mads Kiilerich configure: Make the Unifont FONT_SOURCE configurable with --with-unifont=FILE Font might be located in different location, the default font might not be available on all systems or other font might be preferred. Reviewed-by: Daniel Kiper 2023-10-30 Jon DeVree fs/xfs: Fix XFS directory extent parsing The XFS directory entry parsing code has never been completely correct for extent based directories. The parser correctly handles the case where the directory is contained in a single extent, but then mistakenly assumes the data blocks for the multiple extent case are each identical to the single extent case. The difference in the format of the data blocks between the two cases is tiny enough that its gone unnoticed for a very long time. A recent change introduced some additional bounds checking into the XFS parser. Like VAS_EBOOT's existing parser, it is correct for the single extent case but incorrect for the multiple extent case. When parsing a directory with multiple extents, this new bounds checking is sometimes (but not always) tripped and triggers an "invalid XFS directory entry" error. This probably would have continued to go unnoticed but the /boot/VasEBoot/ directory is large enough that it often has multiple extents. The difference between the two cases is that when there are multiple extents, the data blocks do not contain a trailer nor do they contain any leaf information. That information is stored in a separate set of extents dedicated to just the leaf information. These extents come after the directory entry extents and are not included in the inode size. So the existing parser already ignores the leaf extents. The only reason to read the trailer/leaf information at all is so that the parser can avoid misinterpreting that data as directory entries. So this updates the parser as follows: For the single extent case the parser doesn't change much: 1. Read the size of the leaf information from the trailer 2. Set the end pointer for the parser to the start of the leaf information. (The previous bounds checking set the end pointer to the start of the trailer, so this is actually a small improvement.) 3. Set the entries variable to the expected number of directory entries. For the multiple extent case: 1. Set the end pointer to the end of the block. 2. Do not set up the entries variable. Figuring out how many entries are in each individual block is complex and does not seem worth it when it appears to be safe to just iterate over the entire block. The bounds check itself was also dependent upon the faulty XFS parser because it accidentally used "filename + length - 1". Presumably this was able to pass the fuzzer because in the old parser there was always 8 bytes of slack space between the tail pointer and the actual end of the block. Since this is no longer the case the bounds check needs to be updated to "filename + length + 1" in order to prevent a regression in the handling of corrupt fliesystems. Notes: * When there is only one extent there will only ever be one block. If more than one block is required then XFS will always switch to holding leaf information in a separate extent. * B-tree based directories seems to be parsed properly by the same code that handles multiple extents. This is unlikely to ever occur within /boot though because its only used when there are an extremely large number of directory entries. Fixes: ef7850c75 (fs/xfs: Fix issues found while fuzzing the XFS filesystem) Fixes: b2499b29c (Adds support for the XFS filesystem.) Fixes: https://savannah.gnu.org/bugs/?64376 Reviewed-by: Daniel Kiper Tested-by: Sebastian Andrzej Siewior Tested-by: Marta Lewandowska 2023-10-30 Lidong Chen fs/xfs: Incorrect short form directory data boundary check After parsing of the current entry, the entry pointer is advanced to the next entry at the end of the "for" loop. In case where the last entry is at the end of the data boundary, the advanced entry pointer can point off the data boundary. The subsequent boundary check for the advanced entry pointer can cause a failure. The fix is to include the boundary check into the "for" loop condition. Reviewed-by: Daniel Kiper Tested-by: Sebastian Andrzej Siewior Tested-by: Marta Lewandowska 2023-10-12 Vladimir 'phcoder' Serbinenko Revert "zfsinfo: Correct a check for error allocating memory" Original commit is wrong because VasEBoot_file_get_device_name() may return NULL if we use implicit $root. Additionally, the VasEBoot_errno is guaranteed to be VAS_EBOOT_ERR_NONE at the beginning of a command. So, everything should work as expected and Coverity report, CID 73668, WRT to this code should be treated as false positive. This reverts commit 7aab03418 (zfsinfo: Correct a check for error allocating memory). Fixes: 7aab03418 (zfsinfo: Correct a check for error allocating memory) Reviewed-by: Daniel Kiper 2023-10-12 ValdikSS disk/i386/pc/biosdisk: Read up to 63 sectors in LBA mode Current code imposes limitations on the amount of sectors read in a single call according to CHS layout of the disk even in LBA read mode. There's no need to obey CHS layout restrictions for LBA reads on LBA disks. It only slows down booting process. See: https://lore.kernel.org/VasEBoot-devel/d42a11fa-2a59-b5e7-08b1-d2c60444bb99@valdikss.org.ru/ Reviewed-by: Daniel Kiper 2023-10-12 ValdikSS kern/i386/pc/init: Flush cache only on VIA C3 and earlier The code flushes the cache on VIA processors unconditionally which is excessive. Check for cpuid family and execute wbinvd only on C3 and earlier. Fixes: https://savannah.gnu.org/bugs/?45149 Fixes: 25492a0f0 (Add wbinvd around bios call.) Reviewed-by: Daniel Kiper 2023-10-12 Fabian Vogt fs/btrfs: Zero file data not backed by extents Implicit holes in file data need to be zeroed explicitly, instead of just leaving the data in the buffer uninitialized. This led to kernels randomly failing to boot in "fun" ways when loaded from btrfs with the no_holes feature enabled, because large blocks of zeros in the kernel file contained random data instead. Reviewed-by: Daniel Kiper Reviewed-by: Qu Wenruo 2023-10-12 Stefan Berger kern/ieee1275/init: Restrict high memory in presence of fadump on ppc64 When a kernel dump is present then restrict the high memory regions to avoid allocating memory where the kernel dump resides. Use the ibm,kernel-dump node under /rtas to determine whether a kernel dump exists and up to which limit VAS_EBOOT can use available memory. Set the upper_mem_limit to the size of the kernel dump section of type REAL_MODE_REGION and therefore only allow VAS_EBOOT's memory usage for high addresses from RMO_ADDR_MAX to upper_mem_limit. This means that VAS_EBOOT can use high memory in the range of RMO_ADDR_MAX (768MB) to upper_mem_limit and the kernel-dump memory regions above upper_mem_limit remain untouched. This change has no effect on memory allocations below linux_rmo_save (typically at 640MB). Also, fall back to allocating below rmo_linux_save in case the chunk of memory there would be larger than the chunk of memory above RMO_ADDR_MAX. This can for example occur if a free memory area is found starting at 300MB extending up to 1GB but a kernel dump is located at 768MB and therefore does not allow the allocation of the high memory area but requiring to use the chunk starting at 300MB to avoid an unnecessary out-of-memory condition. Reviewed-by: Hari Bathini Cc: Pavithra Prakash Cc: Michael Ellerman Cc: Carolyn Scherrer Cc: Mahesh Salgaonkar Cc: Sourabh Jain Reviewed-by: Daniel Kiper 2023-10-12 Glenn Washburn tests/util/VasEBoot-shell: Enable RNG device to better test stack smashing In certain firmwares, e.g. OVMF, the RNG protocol is not enabled unless there is an RNG device. When not enabled, VAS_EBOOT fails to initialize the stack guard with random bytes. For testing, this is not a big issue, but there have been bugs found in the initialization. So turn this on for EFI platforms to catch any regressions. Reviewed-by: Daniel Kiper 2023-10-12 Glenn Washburn kern/efi/init: Disable stack smashing protection on VasEBoot_efi_init() GCC is electing to instrument VasEBoot_efi_init() to give it stack smashing protection when configuring with --enable-stack-protector on the x86_64-efi target. In the function prologue, the canary at the top of the stack frame is set to the value of the stack guard. And in the epilogue, the canary is checked to verify if it is equal to the guard and if not to call the stack check fail function. The issue is that VasEBoot_efi_init() sets up the guard by initializing it with random bytes, if the firmware supports the RNG protocol. So in its prologue the canary will be set with the value of the uninitialized guard, likely NUL bytes. Then the guard is initialized, and finally the epilogue checks the canary against the guard, which will almost certainly be different. This causes the code path for a smashed stack to be taken, causing the machine to print out a message that stack smashing was detected, wait 5 seconds, and then reboot. Disable VasEBoot_efi_init() instrumentation so there is no stack smashing false positive generated. Reviewed-by: Daniel Kiper 2023-10-12 Glenn Washburn disk/cryptodisk: Add support for LUKS2 in (proc)/luks_script The sector size in bytes is added to each line and it is allowed to be 6 decimal digits long, which covers the most common cases of 512 and 4096 byte sectors with space for two additional digits as future-proofing. The size allocation is updated to reflect this additional field. Also make clearer the size allocation calculation. Reviewed-by: Daniel Kiper 2023-10-12 Glenn Washburn disk/cryptodisk: Optimize luks_script_get() Use the return value of VasEBoot_snprintf() to move the string pointer forward, instead of incrementing the string pointer iteratively until a NULL byte is reached. Move the space out of the format string argument, a small optimization, but also makes the spacing clearer. Also, use the new PRIxVAS_EBOOT_OFFSET instead of PRIuVAS_EBOOT_UINT64_T to accurately reflect the format string for this type. Reviewed-by: Daniel Kiper 2023-10-12 Glenn Washburn term/serial: Ensure proper NULL termination after VasEBoot_strncpy() A large enough argument to the --port option could cause a string buffer to be not NULL terminated because VasEBoot_strncpy() does not guarantee NULL termination if copied string is longer than max characters to copy. Fixes: 712309eaae04 (term/serial: Use VasEBoot_strncpy() instead of VasEBoot_snprintf() when only copying string) Reviewed-by: Daniel Kiper 2023-10-12 Heinrich Schuchardt commands/efi/lsefisystab: Print the UEFI specification revision in human readable form E.g. 2.10 instead of 00020064 and 2.3.1 instead of 0002001f. See UEFI 2.10 specification, chapter 4.2.1 EFI_TABLE_HEADER. Reviewed-by: Daniel Kiper 2023-10-03 Maxim Suhanov fs/ntfs: Make code more readable Move some calls used to access NTFS attribute header fields into functions with human-readable names. Suggested-by: Daniel Kiper Reviewed-by: Daniel Kiper 2023-10-03 Maxim Suhanov fs/ntfs: Fix an OOB read when parsing a volume label This fix introduces checks to ensure that an NTFS volume label is always read from the corresponding file record segment. The current NTFS code allows the volume label string to be read from an arbitrary, attacker-chosen memory location. However, the bytes read are always treated as UTF-16LE. So, the final string displayed is mostly unreadable and it can't be easily converted back to raw bytes. The lack of this check is a minor issue, likely not causing a significant data leak. Reported-by: Maxim Suhanov Reviewed-by: Daniel Kiper 2023-10-03 Maxim Suhanov fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes This fix introduces checks to ensure that bitmaps for directory indices are never read beyond their actual sizes. The lack of this check is a minor issue, likely not exploitable in any way. Reported-by: Maxim Suhanov Reviewed-by: Daniel Kiper 2023-10-03 Maxim Suhanov fs/ntfs: Fix an OOB read when parsing directory entries from resident and non-resident index attributes This fix introduces checks to ensure that index entries are never read beyond the corresponding directory index. The lack of this check is a minor issue, likely not exploitable in any way. Reported-by: Maxim Suhanov Reviewed-by: Daniel Kiper 2023-10-03 Maxim Suhanov fs/ntfs: Fix an OOB read when reading data from the resident $DATA attribute When reading a file containing resident data, i.e., the file data is stored in the $DATA attribute within the NTFS file record, not in external clusters, there are no checks that this resident data actually fits the corresponding file record segment. When parsing a specially-crafted file system image, the current NTFS code will read the file data from an arbitrary, attacker-chosen memory offset and of arbitrary, attacker-chosen length. This allows an attacker to display arbitrary chunks of memory, which could contain sensitive information like password hashes or even plain-text, obfuscated passwords from BS EFI variables. This fix implements a check to ensure that resident data is read from the corresponding file record segment only. Fixes: CVE-2023-4693 Reported-by: Maxim Suhanov Reviewed-by: Daniel Kiper 2023-10-03 Maxim Suhanov fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for the $MFT file When parsing an extremely fragmented $MFT file, i.e., the file described using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer containing bytes read from the underlying drive to store sector numbers, which are consumed later to read data from these sectors into another buffer. These sectors numbers, two 32-bit integers, are always stored at predefined offsets, 0x10 and 0x14, relative to first byte of the selected entry within the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem. However, when parsing a specially-crafted file system image, this may cause the NTFS code to write these integers beyond the buffer boundary, likely causing the VAS_EBOOT memory allocator to misbehave or fail. These integers contain values which are controlled by on-disk structures of the NTFS file system. Such modification and resulting misbehavior may touch a memory range not assigned to the VAS_EBOOT and owned by firmware or another EFI application/driver. This fix introduces checks to ensure that these sector numbers are never written beyond the boundary. Fixes: CVE-2023-4692 Reported-by: Maxim Suhanov Reviewed-by: Daniel Kiper 2023-10-03 Michael Chang kern/acpi: Skip NULL entries in RSDT and XSDT During attempts to configure a serial console, a Page Fault Exception and system reset were encountered, specifically on release 2.12~rc1. This issue was not present in prior versions and seemed to affect only a specific machine, potentially pointing to hardware or firmware flaw. After investigation, it was discovered that the invalid page access occurred during the discovery of serial MMIO ports as specified by ACPI's SPCR table [1]. The recent change uncovered an issue in VAS_EBOOT's ACPI driver. In certain cases, the XSDT/RSDT root table might contain a NULL entry as a terminator, depending on how the tables are assembled. VAS_EBOOT cannot blindly trust the address in the root table to be valid and should perform a sanity check for NULL entries. This patch introduces this simple check. This fix is also inspired by a related Linux kernel fix [2]. [1] 7b192ec4c term/ns8250: Use ACPI SPCR table when available to configure serial [2] 0f929fbf0 ACPICA: Tables: Add new mechanism to skip NULL entries in RSDT and XSDT. Reviewed-by: Daniel Kiper 2023-10-03 Glenn Washburn util/VasEBoot-install-common: Print usable VasEBoot-mkimage command When VasEBoot-install is run with the verbose option, it will print a log message indicating the VasEBoot-mkimage command and arguments used. VAS_EBOOT no longer calls the VasEBoot-mkimage binary internally, however the command logged is a command that if run should effectively be what VasEBoot-install used. However, as this has changed some of the newer options have been incorrectly added so that the printed command fails when run separately. This change makes the displayed command run as intended. Reviewed-by: Daniel Kiper 2023-10-03 Glenn Washburn util/VasEBoot-install-common: Minor improvements to printing of VasEBoot-mkimage command This is a preparatory patch to make the following patch less cluttered. The only visible change made here is to not print extra spaces when either or both --note or --disable-shim-lock are not given and to not print an extra space at the end of the command. The latter is done by constructing the trailing argument string with spaces in front of each argument rather than trailing. The allocation of the argument string is made precise, which has the benefit of saving a few bytes, but more importantly self-documenting what the needed allocated bytes are. Also, unneeded braces are removed from an if block. Reviewed-by: Daniel Kiper 2023-10-03 Vladimir 'phcoder' Serbinenko lib/i386/relocator64: Fix 64-bit FreeBSD boot on BIOS The commit 80948f532d (lib/i386/relocator64: Build fixes for i386) has broken 64-bit FreeBSD boot on BIOS. This patch fixes the issue. Fixes: 80948f532d (lib/i386/relocator64: Build fixes for i386) Reviewed-by: Daniel Kiper 2023-09-22 Anthony PERARD templates/linux_xen: Fix XSM entries generation It turns out that setting $xen_version in linux_entry_xsm() override $xen_version in the loop over $reverse_sorted_xen_list. This means that only one entry per Xen version is going to enable XSM, but all further entries are going to have "(XSM enabled)" in their titles without enabling XSM. When a "xenpolicy-$xen_version" file was found for the current $xen_version, it would overwrite $xen_version to add "(XSM enabled)" to the menu entry title. Once updated, the next call to linux_entry_xsm() would also have this modified $xen_version and would look for the file "xenpolicy-*(XSM enabled)" and fail. Reviewed-by: Daniel Kiper 2023-09-22 Xiaotian Wu loongarch: Eliminate cmodel compilation warnings In the configure phase, the "-mcmodel=large" CFLAGS passed the test, but because it has not been implemented in gcc, the following warning will appear when compiling: gcc: warning: 'large' is not supported, now cmodel is set to 'normal' Reviewed-by: Daniel Kiper 2023-09-22 Glenn Washburn configure: Enable -fno-omit-frame-pointer for backtrace module The backtrace module is written assuming that the frame pointer is in %ebp. By default, -Os optimization level is used, which enables the gcc option -fomit-frame-pointer. This breaks the backtrace functionality. Enabling this may cause an unnoticeable performance cost and virtually no size increase. The backtrace command on x86_64 and probably i386 is broken due to the above rationale. I've not verified, but presumably the backtrace that used to be printed for an unhandled CPU exception is also broken. Do any distros handle this? Considering that, to my knowledge, no one has complained about this in the over 13 years that -Os has been used, has this code actually been useful? Is it worth disabling -fomit-frame-pointer? Though, I don't see much downside right now in disabling it. Alternatively, we could disable/remove the backtrace code. I think it would be nice to keep it and have it working. Nowadays, presumably QEMU makes the GDB stub rarely used as I imagine most are developing in a virtual machines. Also, the GDB stub does not work in UEFI. So, if anyone is using it on real hardware, they are doing so on pretty old machines. The lack of a GDB stub does not seem to be a pain point because no one has got it working on UEFI. This patch gets the backtrace command working on x86_64-efi in QEMU for me. However, it hangs when run on my laptop. Not sure what's going on there. Reviewed-by: Daniel Kiper 2023-09-22 Ard Biesheuvel loader/efi/linux: Implement x86 mixed mode using legacy boot Recent mixed-mode Linux kernels, i.e., v4.0 or newer, can access EFI runtime services at OS runtime even when the OS was not entered via the EFI stub. This is because, instead of reverting back to the firmware's segment selectors, GDTs and IDTs, the 64-bit kernel simply calls 32-bit runtime services using compatibility mode, i.e., the same mode used for 32-bit user space, without taking down all interrupt handling, exception handling, etc. This means that VAS_EBOOT's legacy x86 boot mode is sufficient to make use of this: 32-bit i686 builds of VAS_EBOOT can already boot 64-bit kernels in EFI enlightened mode, but without going via the EFI stub, and provide all the metadata that the OS needs to map the EFI runtime regions and call EFI runtime services successfully. It does mean that VAS_EBOOT should not attempt to invoke the firmware's LoadImage()/StartImage() methods on kernel builds that it knows cannot be started natively. So, add a check for this in the native EFI boot path and fall back to legacy x86 mode in such cases. Note that in the general case, booting non-native images of the same native word size, e.g., x64 EFI apps on arm64 firmware, might be supported by means of emulation. So, let's only disallow images that use a non-native word size. This will also permit booting i686 kernels on x86_64 builds, although without access to runtime services, as this is not supported by Linux. This change on top of 2.12-rc1 is sufficient to boot ordinary Linux mixed mode builds and get full access to the EFI runtime services. Cc: Daniel Kiper Cc: Steve McIntyre Cc: Julian Andres Klode Acked-by: Dimitri John Ledkov Reviewed-by: Daniel Kiper 2023-09-22 Ard Biesheuvel loader/i386/linux: Prefer entry in long mode when booting via EFI The x86_64 Linux kernel can be booted in 32-bit mode, in which case the startup code creates a set of preliminary page tables that map the first 4 GiB of physical memory 1:1 and enables paging. This is a prerequisite for 64-bit execution and can therefore only be implemented in 32-bit code. The x86_64 Linux kernel can also be booted in 64-bit mode directly: this implies that paging is already enabled and it is the responsibility of the bootloader to ensure that the active page tables cover the entire loaded image, including its BSS space, the size of which is described in the image's setup header. Given that the EFI spec mandates execution in long mode for x86_64 and stipulates that all system memory is mapped 1:1, the Linux/x86 requirements for 64-bit entry can be met trivially when booting on x86_64 via EFI. So, enter via the 64-bit entry point in this case. This involves inspecting the xloadflags field in the setup header to check whether the 64-bit entry point is supported. This field was introduced in Linux version v3.8 (early 2013). This change ensures that all EFI firmware tables and other assets passed by the firmware or bootloader in memory remain mapped and accessible throughout the early startup code. Avoiding the drop out of long mode will also be needed to support upcoming CPU designs that no longer implement 32-bit mode at all (as recently announced by Intel [0]). [0] https://www.intel.com/content/www/us/en/developer/articles/technical/envisioning-future-simplified-architecture.html Cc: Daniel Kiper Cc: Julian Andres Klode Reviewed-by: Daniel Kiper 2023-09-18 Vladimir Serbinenko ZFS: Check bonustype in addition to dnode type Some dnodes are shared with properties zap. This is used e.g. for quotas. Then dnode type is 0xc4 and VAS_EBOOT stumbles on this. Check bonus type and if it's ok then ignore dnode type mismatch Reviewed-by: Daniel Kiper 2023-09-18 Vladimir Serbinenko ZFS: Don't iterate over null objsets Reading them is harmless but useless as they are empty by definition Reviewed-by: Daniel Kiper 2023-09-18 Vladimir Serbinenko ZFS: Fix invalid memcmp We ended up comparing over unset values as we had dnode_phys on one side and dnode on another Reviewed-by: Daniel Kiper 2023-09-18 Vladimir Serbinenko ZFS: support inode type embed into its ID This is a speedup used in some ZFS version. This trips VAS_EBOOT and makes it unable to access directories. Just skip it for now and revisit if we ever need this speedup. Reviewed-by: Daniel Kiper 2023-08-31 Heinrich Schuchardt video/efi_gop: Require shadow if PixelBltOnly If the EFI graphics pixel format is PixelBltOnly, we cannot write directly to the frame buffer. We need the shadow frame buffer which we copy via the BitBlt operation to the hardware. If the pixel format is PixelBltOnly and allocation of the shadow frame buffer fails, we must raise an error to signal that the EFI GOP protocol is not usable. Reviewed-by: Daniel Kiper 2023-08-31 Glenn Washburn docs: Add menu to prevent older makeinfo versions from failing It has been reported that makeinfo version 4.13a complains and returns error when menus for chapter structuring commands are not present. It is also known that newer makeinfos, such as version 6.7, will create default menus when needed. Since the menu will be created regardless, explicitly create it to support older makeinfo versions. This also enables building to be successful when an older makeinfo is installed because in that case info files are attempted to be generated with the "all" target. Reported-by: Olaf Hering Reviewed-by: Daniel Kiper Tested-by: Olaf Hering 2023-08-31 Glenn Washburn docs: Use @ref instead of @xref The @xref command is meant to be used at the beginning of a sentence because its expansion creates a "See " prefix on all output formats, and on older makeinfo versions is strict about enforcing a "." or "," after the command. The @ref command has no such restriction and is just the link, which allows more control over output. This also fixes an issue where there was a repeated "see" in the output. Reported-by: Olaf Hering Reviewed-by: Daniel Kiper Tested-by: Olaf Hering 2023-08-31 Glenn Washburn tests/util/VasEBoot-shell-luks-tester: Allow setting timeout Allow using the envvar VAS_EBOOT_SHELL_LUKS_TIMEOUT to change the default timeout. If not specified, use value of VAS_EBOOT_SHELL_DEFAULT_TIMEOUT. And if that is not specified, fallback to original 600s timeout. Reviewed-by: Daniel Kiper 2023-08-31 Glenn Washburn disk/cryptodisk: Fix missing change when updating to use VasEBoot_uuidcasecmp() This was causing the cryptomount command to return failure even though the crypto device was successfully added. Of course, this meant that any script using the return code would behave unexpectedly. Fixes: 3cf2e848bc03 (disk/cryptodisk: Allows UUIDs to be compared in a dash-insensitive manner) Suggested-by: Olaf Hering Reviewed-by: Patrich Steinhardt Reviewed-by: Daniel Kiper 2023-08-31 Glenn Washburn kern/misc: Make VasEBoot_vsnprintf() C99/POSIX conformant To comply with C99 and POSIX standards, snprintf() should return the number of bytes that would be written to the string (excluding the terminating NUL byte) if the buffer size was big enough. Before this change, the return value was the minimum of the standard return and the length of the buffer. Rarely is the return value of VasEBoot_snprintf() or VasEBoot_vsnprintf() used with current code, and the few places where it is used do not need to be changed. Reviewed-by: Daniel Kiper 2023-08-31 Glenn Washburn tests: Add serial_test This test is meant to test output via various serial devices. Currently, only the PCI serial device is tested. Reviewed-by: Daniel Kiper 2023-08-31 Glenn Washburn tests/util/VasEBoot-shell: Allow explicitly using other serial ports for output While here, move "-qemu=*" case to be next to the "--qemu-opts=*" case. This causes no change in logic, but is more logically located. Reviewed-by: Daniel Kiper 2023-08-31 Glenn Washburn tests/util/VasEBoot-shell-luks-tester: Do not remove generated files when test fails to allow debugging Reviewed-by: Daniel Kiper tests/util/VasEBoot-shell: Convert spaces to TABs Reviewed-by: Daniel Kiper 2023-08-14 Glenn Washburn commands/ls: Print "????????????" if unable to get file size In long list mode, if the file can not be opened, the file is not printed. Instead, print the file but print the size as "????????????". Reviewed-by: Daniel Kiper 2023-08-14 Glenn Washburn commands/ls: Send correct dirname to print functions For each non-directory path argument to the ls command, the full path was being sent to the print functions, instead of the dirname. The long output print function expected dirname to be the directory containing the file and so could not open the file to get the file size because the generated path was incorrect. This caused the output to be a blank line. Reviewed-by: Daniel Kiper 2023-08-14 Glenn Washburn fs/archelp: If path given to VasEBoot_archelp_dir() is not a directory return error Specifically, return VAS_EBOOT_ERR_BAD_FILE_TYPE because this is what is expected by the ls command when it is given a path to a non-directory. This fixes a bug where calling ls with a list of non-directory paths outputs a blank line for each such argument. Reviewed-by: Daniel Kiper 2023-08-14 Glenn Washburn commands/videoinfo: Prevent crash when run while video driver already active The videoinfo command will initialize all non-active video adapters. Video drivers tend to zero out the global framebuffer object on initialization. This is not a problem when there is no active video adapter. However, when there is, then outputting to the video adapter will cause a crash because methods in the framebuffer object are reinitialized. For example, this command sequence will cause a crash. terminal_output --append gfxterm; videoinfo When running in a QEMU headless with VAS_EBOOT built for the x86_64-efi target, the first command initializes the Bochs video adapter, which, among other things, sets the set_page() member function. Then when videoinfo is run, all non-Bochs video adapters will be initialized, each one wiping the framebuffer and thus setting set_page to NULL. Soon after the videoinfo command finishes there will be a call to VasEBoot_refresh(), which will ultimately call the framebuffer's set_page which will be NULL and cause a crash when called. Reviewed-by: Daniel Kiper 2023-08-14 Glenn Washburn docs: Improve initrd documentation A list of improvements: * Remove reference to "initial ramdisk" and replace with "initrd". This then covers the case of ramdisk and ramfs, which is the usual method with kernels 2.6 and newer. * Add sentence with URL to initrd documentation Linux kernel. * Add a section documenting how to have the initrd command generate a new-style initrd via a specially crafted argument and include an example. * Update initrd16 to refer to the initrd section and make note that initrd16 is only on the pc platform. Reviewed-by: Oskari Pirhonen Reviewed-by: Paul Menzel Reviewed-by: Daniel Kiper 2023-08-14 Glenn Washburn term/ns8250-spcr: Continue processing SPCR table even if revision is < 2 According to commit 0231d00082 (ACPI: SPCR: Make SPCR available to x86) to the Linux kernel, "On x86, many systems have a valid SPCR table but the table version is not 2 so the table version check must be a warning." Reviewed-by: Benjamin Herrenschmidt Reviewed-by: Daniel Kiper 2023-08-14 Glenn Washburn docs: A note to cat that hexdump should be used for binary data The cat command should not be used to print binary data because it can show bytes not in the binary data and not show bytes that are in the data, which can lead to confusion. This happens because cat does some processing of the data stream, namely trying to decode substrings as UTF-8. Reviewed-by: Oskari Pirhonen Reviewed-by: Daniel Kiper 2023-08-14 Glenn Washburn docs: Document hexdump command Reviewed-by: Oskari Pirhonen Reviewed-by: Daniel Kiper docs: Group usage of user-space utilities into single chapter Reviewed-by: Oskari Pirhonen Reviewed-by: Daniel Kiper 2023-08-14 Qiumiao Zhang util/VasEBoot-mount: Fix memory leak in fuse_getattr() Reviewed-by: Daniel Kiper 2023-08-14 Michał Grzelak configure: Fix SDL2 typo by referencing value During configuration of SDL2, variable enable_VasEBoot_emu_sdl2 is checked whether to throw an error message. However, error could not happen because two unequal strings were compared. Fix this by referencing value of enable_VasEBoot_emu_sdl2, not name. Fixes: 17d6ac1a7 (emu: Add SDL2 support) Reviewed-by: Julian Andres Klode Reviewed-by: Daniel Kiper Reviewed-by: Paul Menzel 2023-08-14 Glenn Washburn docs: Add missing assumption Also reword a prior sentence to be more clear. Fixes: 5a3d2b4742df (docs: Add debugging chapter to development documentation) Reviewed-by: Oskari Pirhonen Reviewed-by: Daniel Kiper 2023-08-14 Oskari Pirhonen util/VasEBoot.d/25_bli.in: Fix shebang on unmerged-usr On an unmerged-usr system, VasEBoot-mkconfig errors out with the following error due to /usr/bin/sh not existing: /usr/sbin/VasEBoot-mkconfig: /etc/VasEBoot.d/25_bli: /usr/bin/sh: bad interpreter: No such file or directory Use a /bin/sh shebang to fix the error as well as match the other existing files. Fixes: 158a6583e (util/VasEBoot.d/25_bli.in: Activate bli module on EFI) Reviewed-by: Glenn Washburn Reviewed-by: Daniel Kiper Reviewed-by: Oliver Steffen 2023-08-14 Glenn Washburn tests/util/VasEBoot-shell-luks-tester: Allow VAS_EBOOT_SHELL_LUKS_DEFAULT_DEBUG and VAS_EBOOT_TEST_DEFAULT_DEBUG to specify the debug level to VasEBoot-shell Reviewed-by: Daniel Kiper 2023-08-14 Glenn Washburn tests/util/VasEBoot-shell: Allow setting the value of debug regardless of its previous state This allows an invocation of VasEBoot-shell to set the value of debug regardless of the global default environment variable VAS_EBOOT_SHELL_DEFAULT_DEBUG. Reviewed-by: Daniel Kiper 2023-08-14 Glenn Washburn tests/util/VasEBoot-shell: Allow setting default timeout via VAS_EBOOT_SHELL_DEFAULT_TIMEOUT envvar Reviewed-by: Daniel Kiper 2023-08-14 Glenn Washburn tests/util/VasEBoot-shell: Add --verbose to VasEBoot-mkrescue when $debug is greater than 2 Since this is fairly verbose output, do not enable first level of debug is turned on. Reviewed-by: Daniel Kiper 2023-07-10 Daniel Kiper Release 2.12~rc1 2023-07-03 Daniel Kiper efi: Fallback to legacy mode if shim is loaded on x86 archs The LoadImage() provided by the shim does not consult MOK when loading an image. So, simply signature verification fails when it should not. This means we cannot use Linux EFI stub to start the kernel when the shim is loaded. We have to fallback to legacy mode on x86 architectures. This is not possible on other architectures due to lack of legacy mode. This is workaround which should disappear when the shim provides LoadImage() which looks up MOK during signature verification. On the occasion align constants in include/VasEBoot/efi/sb.h. Reviewed-by: Ard Biesheuvel 2023-07-03 Daniel Kiper efi: Drop __VasEBoot_efi_api attribute from shim_lock->verify() function ... because (surprisingly) it does not use specific EFI calling convention... Fixes: 6a080b9cd (efi: Add calling convention annotation to all prototypes) Reviewed-by: Ard Biesheuvel 2023-07-03 Samuel Thibault templates: Start pci-arbiter before acpi on Hurd acpi actually needs to access PCI, while pci-arbiter will not be making use of ACPI, so we need to start acpi first. Reviewed-by: Daniel Kiper 2023-07-03 Michał Grzelak configure.ac: Fix typo by adding missing $ During configuration of SDL, variable enable_VasEBoot_emu_sdl is checked whether to throw an error message. However, error could not happen because two unequal strings were compared. Fix this by referencing value of enable_VasEBoot_emu_sdl, not name. Fixes: 17d6ac1a7 (emu: Add SDL2 support) Reviewed-by: Daniel Kiper 2023-07-03 Glenn Washburn docs: Minor corrections When referring to initrd16 the link for initrd16 should be used, not a link for initrd. Also, correct the spelling of additionally and add a comma after it to correct its grammatical usage. Reviewed-by: Daniel Kiper 2023-07-03 Glenn Washburn kern/misc: Add space after comma in function argument list Reviewed-by: Daniel Kiper commands/regexp: Fix typo Reviewed-by: Daniel Kiper 2023-07-03 Glenn Washburn term/serial: Use VasEBoot_strncpy() instead of VasEBoot_snprintf() when only copying string Using VasEBoot_strncpy() instead of VasEBoot_snprintf() is less overhead and indicates clearly that the dest should be the same string as the source. Also fix indentation. Reviewed-by: Daniel Kiper 2023-07-03 Glenn Washburn loader/linux: Print debug message for each generated newc path generated Reviewed-by: Daniel Kiper 2023-07-03 Glenn Washburn include/VasEBoot/types.h: Add PRI*VAS_EBOOT_OFFSET and PRI*VAS_EBOOT_DISK_ADDR These are currently always the same as PRI*VAS_EBOOT_UINT64_T, but they may not be in the future. Reviewed-by: Daniel Kiper 2023-07-03 Glenn Washburn kern/misc: Support octal printf format code Also add parenthesis to nested ternary operator to improve clarity. Reviewed-by: Daniel Kiper 2023-07-03 Glenn Washburn gitignore: Ignore python bytecode files Python bytecode files, which end in .pyc, may be generated by the build system as needed and should not go into the git repository. Reviewed-by: Daniel Kiper 2023-07-03 Glenn Washburn loader/linux: Only emit newc directory once When creating at runtime a newc initrd via arguments to initrd with "newc:" prefixes, only emit a directory path record once. The original code intended to do that by bailing out of emitting the record when the record to be created matches an existing record. However, this does not happen because VasEBoot_memcmp() is improperly checked. Generating duplicate newc directory records does not cause any problems because the Linux unpacker will skip it once it sees the directory already exists. This fix saves a little processing and makes the generated newc cpio archive a little smaller. Fixes: 92750e4c60 (Add ability to generate newc additions on runtime.) Reviewed-by: Daniel Kiper 2023-07-03 Glenn Washburn loader/efi/linux: Fix formatting and remove unneeded parenthesis Reviewed-by: Daniel Kiper 2023-07-03 Glenn Washburn loader/efi/linux: Print EFI status as hex number instead of uint EFI status codes are of different classes depending on the first byte and all error status codes defined in appendix D of the main spec start from 1 and have the high bit set. When printing as a uint, the decimal is a very large number that needs have the high bit cleared get the spec error code. This can be easily visually done by a human if the number is printed as hex. Reviewed-by: Daniel Kiper 2023-07-03 Oskari Pirhonen docs: Minor edits to debugging chapter Small set of wording and grammatical edits which did not make it in time for the original review of the chapter. Reviewed-by: Glenn Washburn Reviewed-by: Daniel Kiper 2023-06-23 Daniel Kiper lib/relocator: Fix OOB write when initializing lo->freebytes[] Fixes: CID 96636 Reviewed-by: Vladimir Serbinenko 2023-06-23 Daniel Kiper lib/relocator: Enforce VAS_EBOOT_RELOCATOR_FIRMWARE_REQUESTS_QUANT divisibility by 8 Most of leftover code blindly assumes VAS_EBOOT_RELOCATOR_FIRMWARE_REQUESTS_QUANT divisibility by 8. So, enforce this at compile time. Reviewed-by: Vladimir Serbinenko 2023-06-23 Julian Andres Klode emu: Add SDL2 support So all we did with the surface in SDL1 was split into window, surface, renderer and texture. Instead of drawing into the surface and then flipping, you build your pixels, then update a texture and then copy the texture to the renderer. Here we use an empty RGB surface to hold our pixels, which enables us to keep most of the code the same. The SDL1 code has been adjusted to refer to "surface" instead of "window" when trying to access the properties of the surface. This approaches the configuration by adding a new --enable-VasEBoot-emu-sdl2 argument. If set to yes, or auto detected, it disables SDL1 support automatically. This duplicates the sdl module block in Makefile.core.def which may be something to be aware of, but we also don't want to build separate module. Fixes: https://bugs.debian.org/1038035 Reviewed-by: Daniel Kiper 2023-06-23 Julian Andres Klode emu: SDL style fixes These should be quite obvious and will make the SDL2 patch easier to read then doing it inline there. Reviewed-by: Daniel Kiper 2023-06-23 Michał Grzelak tpm: Enable boot despite unknown firmware failure Currently booting the system is prevented when call to EFI firmware hash_log_extend_event() returns unknown error. Solve this by following convention used in commit a4356538d (commands/tpm: Don't propagate measurement failures to the verifiers layer). Let the system to be bootable by default when unknown TPM error is encountered. Check environment variable tpm_fail_fatal to fallback to previous behaviour. Reviewed-by: Daniel Kiper 2023-06-23 Daniel Kiper bootstrap: Fix patching warnings Currently bootstrap complains in the following way when patching gnulib files: patching file argp-help.c Hunk #1 succeeded at 52 (offset 1 line). Hunk #2 succeeded at 1548 (offset 115 lines). patching file mbswidth.c patching file mbswidth.h Hunk #1 succeeded at 40 (offset -5 lines). Let's fix it by amending line numbers in the patch. Reviewed-by: Alec Brown 2023-06-23 Daniel Kiper efi: Add missing __VasEBoot_efi_api attributes The commit bb4aa6e06 (efi: Drop all uses of efi_call_XX() wrappers) did not add some __VasEBoot_efi_api attributes to the EFI calls. Lack of them led to hangs on x86_64-efi target. So, let's add missing __VasEBoot_efi_api attributes. Fixes: bb4aa6e06 (efi: Drop all uses of efi_call_XX() wrappers) Reported-by: Christian Hesse Reported-by: Robin Candau Tested-by: Robin Candau Tested-by: Christian Hesse Reviewed-by: Peter Jones 2023-06-23 Julian Andres Klode disk: Generalize MD_MAX_DISKS to VAS_EBOOT_MDRAID_MAX_DISKS Move the constant from VasEBoot-core/osdep/linux/getroot.c to include/VasEBoot/disk.h and then reuse it in place of the hardcoded 1024 limit in diskfilter. Fixes: 2a5e3c1f2 (disk/diskfilter: Don't make a RAID array with more than 1024 disks) Cc: Daniel Axtens Cc: Kees Cook Reviewed-by: Kees Cook Reviewed-by: Daniel Kiper 2023-06-23 Xiaotian Wu loongarch: Disable relaxation relocations A working VAS_EBOOT cannot be built with upcoming binutils and GCC, because linker relaxation was added [1] causing new unsupported relocations to appear in modules. So we pass -mno-relax to GCC if it is supported, to disable relaxation and make VAS_EBOOT forward-compatible with new toolchains. While similar code already exists for sparc64 in configure.ac, sparc64 sets LDFLAGS while LoongArch requires CFLAGS to be set. If we only set LDFLAGS on LoongArch, GCC will still generate relaxation relocations in the .o files, so the sparc64 code cannot be reused. [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=56576f4a722b7398d35802ecf7d4185c27d6d69b Reviewed-by: Daniel Kiper 2023-06-13 Xiaotian Wu loongarch: Add ELF relocation types documentation and comments See https://github.com/loongson/la-abi-specs/blob/release/laelf.adoc#relocations Reviewed-by: Daniel Kiper 2023-06-13 Xiaotian Wu loongarch: Rename function names According to the relocation documentation, the following function names are renamed to show their exact meaning: - from VasEBoot_loongarch64_xxx64_hi12() to VasEBoot_loongarch64_abs64_hi12(), - from VasEBoot_loongarch64_xxx64_hi12() to VasEBoot_loongarch64_abs64_lo20(). Reviewed-by: Daniel Kiper 2023-06-13 Xiaotian Wu util/VasEBoot-mkimagexx: Optimize code using pc variable We already have the pc variable, no need to calculate it again. Reviewed-by: Daniel Kiper 2023-06-13 Xiaotian Wu kern/{arm64,loongarch64}/dl_helper: Use the correct format specifier for formatted output Use PRIxVAS_EBOOT_INT64_T format specifier for VasEBoot_int64_t type and drop redundant casts. Reviewed-by: Daniel Kiper 2023-06-13 Qiumiao Zhang kern/acpi: Use xsdt_addr if present According to the ACPI specification, in ACPI 2.0 or later, an ACPI-compatible OS must use the XSDT if present. So, we should use xsdt_addr instead of rsdt_addr if xsdt_addr is valid. Reviewed-by: Daniel Kiper 2023-06-13 Qiumiao Zhang commands/acpi: Use xsdt_addr if present According to the ACPI specification, in ACPI 2.0 or later, an ACPI-compatible OS must use the XSDT if present. So, we should use xsdt_addr instead of rsdt_addr if xsdt_addr is valid. Reviewed-by: Daniel Kiper 2023-06-13 Lidong Chen fs/udf: Fix out of bounds access Implemented a boundary check before advancing the allocation descriptors pointer. Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2023-06-13 Glenn Washburn docs: Add debugging chapter to development documentation Debugging VAS_EBOOT can be tricky and require arcane knowledge. This will help those unfamiliar with the process to get started debugging VAS_EBOOT with less effort. Reviewed-by: Daniel Kiper 2023-06-13 Darren Kenny fs/xfs: Fix issues found while fuzzing the XFS filesystem While performing fuzz testing with XFS filesystem images with ASAN enabled, several issues were found where the memory accesses are made beyond the data that is allocated into the struct VasEBoot_xfs_data structure's data field. The existing structure didn't store the size of the memory allocated into the buffer in the data field and had no way to check it. To resolve these issues, the data size is stored to enable checks into the data buffer. With these checks in place, the fuzzing corpus no longer cause any crashes. Reviewed-by: Daniel Kiper 2023-06-13 Alexander Kanavin util/import_unicode.py: Ensure output is deterministic Ensure the generated unidata.c file is deterministic by sorting the keys of the dict. Reviewed-by: Daniel Kiper 2023-06-13 Alexander Kanavin VasEBoot-core/genmoddep.awk: Ensure output is deterministic The output in moddep.lst generated from syminfo.lst using genmoddep.awk is not deterministic since the order of the dependencies on each line can vary depending on how awk sorts the values in the array. Be deterministic in the output by sorting the dependencies on each line. Reviewed-by: Daniel Kiper 2023-06-13 Alexander Kanavin gentpl.py: Ensure output is deterministic The output of the SOURCES lines in VasEBoot-core/Makefile.core.am, generated from VasEBoot-core/Makefile.core.def with gentpl.py is not deterministic due to missing sorting of the list used to generate it. Add such a sort. Reviewed-by: Daniel Kiper 2023-06-01 Glenn Washburn gdb: Add gdbinfo command for printing the load address of the EFI application EFI firmware determines where to load the VAS_EBOOT EFI at runtime, and so the addresses of debug symbols are not known ahead of time. There is a command defined in the gdb_VasEBoot script which will load the debug symbols at the appropriate addresses, if given the application load address for VAS_EBOOT. So add a command named "gdbinfo" to allow the user to print this GDB command string with the application load address on-demand. For the outputted GDB command to have any effect when entered into a GDB session, GDB should have been started with the script as an argument to the -x option or sourced into an active GDB session before running the outputted command. Documentation for the gdbinfo command is also added. Co-developed-by: Peter Jones Reviewed-by: Daniel Kiper 2023-06-01 Glenn Washburn loader/efi/chainloader: Do not require a $root visible to EFI firmware when chainloading The EFI chainloader checks that a device path can be created for the $root device before allowing chainloading to a given file. This is probably to ensure that the given file can be accessed and loaded by the firmware. However, since VAS_EBOOT is loading the image itself, the firmware need not be able to access the file location of the image. So remove this check. Also, this fixes an issue where chainloading an image file on a location that is accessible by the firmware, e.g. (hd0,1)/efi/boot.efi, would fail when root is a location inaccessible by the firmware, e.g. memdisk. Use VAS_EBOOT_EFI_BYTES_TO_PAGES() instead of doing the calculation explicitly. Add comment noting the section where the load options for the chainloaded EFI application is constructed. Reviewed-by: Ard Biesheuvel Reviewed-by: Daniel Kiper 2023-06-01 Glenn Washburn docs: Document extra arguments to chainloader on EFI Extra arguments given to chainloader on EFI platforms will be sent to the chainloaded application. Also, minor edit in the chainloading section to note that chainloading can be a jump via the firmware and not necessarily in real mode (which does not exist on some architectures). Reviewed-by: Ard Biesheuvel Reviewed-by: Daniel Kiper 2023-06-01 Oliver Steffen util/VasEBoot.d/25_bli.in: Activate bli module on EFI Add a new configuration drop-in file that loads the bli module and runs the command if booting on the EFI platform. Reviewed-by: Daniel Kiper 2023-06-01 Oliver Steffen bli: Add a module for the Boot Loader Interface Add a new module named bli. It implements a small but quite useful part of the Boot Loader Interface [0]. This interface uses EFI variables for communication between the boot loader and the operating system. When loaded, this module sets two EFI variables under the vendor GUID 4a67b082-0a4c-41cf-b6c7-440b29bb8c4f: - LoaderInfo: contains VAS_EBOOT + . This allows the running operating system to identify the boot loader used during boot. - LoaderDevicePartUUID: contains the partition UUID of the EFI System Partition (ESP). This is used by systemd-gpt-auto-generator [1] to find the root partitions (and others too), via partition type IDs [2]. This module is available on EFI platforms only. The bli module relies on the part_gpt module which has to be loaded beforehand to make the GPT partitions discoverable. Update the documentation, add a new chapter "Modules" and describe the bli module there. [0] https://systemd.io/BOOT_LOADER_INTERFACE/ [1] https://www.freedesktop.org/software/systemd/man/systemd-gpt-auto-generator.html [2] https://uapi-group.org/specifications/specs/discoverable_partitions_specification/ Reviewed-by: Daniel Kiper 2023-06-01 Oliver Steffen kern: Check for NULL when closing devices and disks Add checks for NULL pointers to VasEBoot_device_close() and VasEBoot_disk_close() to make these functions more robust. Reviewed-by: Daniel Kiper 2023-06-01 Oliver Steffen docs: Reword section headings Reword some section headings, remove "The List of" from titles. While grammatically correct, this phrase can be omitted to increase readability, especially in the table of contents. Reviewed-by: Daniel Kiper 2023-06-01 Oliver Steffen efi: Add VasEBoot_efi_set_variable_to_string() Add a function that sets an EFI variable to a string value. The string is converted from UTF-8 to UTF-16. Reviewed-by: Daniel Kiper 2023-06-01 Oliver Steffen kern/misc, kern/efi: Extract UTF-8 to UTF-16 code Create a new function for UTF-8 to UTF-16 conversion called VasEBoot_utf8_to_utf16_alloc() in the VasEBoot-code/kern/misc.c and replace charset conversion code used in some places in the EFI code. It is modeled after the VasEBoot_utf8_to_ucs4_alloc() like functions in include/VasEBoot/charset.h. It can't live in include/VasEBoot/charset.h, because it needs to be reachable from the kern/efi code. Add a check for integer overflow and remove redundant NUL-termination. Reviewed-by: Daniel Kiper 2023-06-01 Oliver Steffen include/VasEBoot/types.h: Add VAS_EBOOT_SSIZE_MAX In the same way as VAS_EBOOT_SIZE_MAX, add VAS_EBOOT_SSIZE_MAX. Reviewed-by: Daniel Kiper 2023-06-01 Oliver Steffen guid: Make use of GUID printf format specifier Use the new printf format specifier %pG. Fixes the text representation of GUIDs in the output of the lsefisystab command (missing 4th dash). Reviewed-by: Daniel Kiper 2023-06-01 Oliver Steffen kern/misc: Add a format specifier GUIDs Extend the printf format specifier for pointers (%p) to accept a suffix specifier G to print GUIDs: %pG can be used to print VasEBoot_guid structs. This does not interfere with the -Wformat checking of gcc. Note that the data type is not checked though (%p accepts void *). Reviewed-by: Daniel Kiper 2023-06-01 Oliver Steffen guid: Unify GUID types There are 3 implementations of a GUID in VAS_EBOOT. Replace them with a common one, placed in types.h. It uses the "packed" flavor of the GUID structs, the alignment attribute is dropped, since it is not required. Reviewed-by: Daniel Kiper 2023-06-01 Oliver Steffen efi: Add VasEBoot_efi_set_variable_with_attributes() Add a function to the EFI module that allows setting EFI variables with specific attributes. This is useful for marking variables as volatile, for example. Reviewed-by: Daniel Kiper 2023-05-25 Alec Brown kern/efi/mm: Fix use-after-free in finish boot services In VasEBoot-core/kern/efi/mm.c, VasEBoot_efi_finish_boot_services() has an instance where the memory for the variable finish_mmap_buf is freed, but on the next iteration of a while loop, VasEBoot_efi_get_memory_map() uses finish_mmap_buf. To prevent this, we can set finish_mmap_buf to NULL after the free. Reviewed-by: Daniel Kiper 2023-05-25 Ard Biesheuvel efi: Handle NULL return value when getting loaded image protocol The EFI spec mandates that the handle produced by the LoadImage boot service has a LoadedImage protocol instance installed on it, but for robustness, we should still deal with a NULL return value from the helper routine that obtains this protocol pointer. If this happens, don't try to start the image but unload it and return an error. Reviewed-by: Daniel Kiper 2023-05-25 Ard Biesheuvel efi: Use generic EFI loader for x86_64 and i386 Switch the x86 based EFI platform builds to the generic EFI loader, which exposes the initrd via the LoadFile2 protocol instead of the x86-specific setup header. This will launch the Linux kernel via its EFI stub, which performs its own initialization in the EFI boot services context before calling ExitBootServices() and performing the bare metal Linux boot. Given that only Linux kernel versions v5.8 and later support this initrd loading method, the existing x86 loader is retained as a fallback, which will also be used for Linux kernels built without the EFI stub. In this case, VAS_EBOOT calls ExitBootServices() before entering the Linux kernel, and all EFI related information is provided to the kernel via struct boot_params in the setup header, as before. Note that this means that booting EFI stub kernels older than v5.8 is not supported even when not using an initrd at all. Also, the EFI handover protocol, which has no basis in the UEFI specification, is not implemented. Reviewed-by: Daniel Kiper 2023-05-25 Ard Biesheuvel efi: Remove x86_64 call wrappers The call wrappers are no longer needed now that GCC can generate function calls using MS calling convention, so let's get rid of them. Reviewed-by: Daniel Kiper 2023-05-25 Ard Biesheuvel efi: Drop all uses of efi_call_XX() wrappers Now that GCC can generate function calls using the correct calling convention for us, we can stop using the efi_call_XX() wrappers, and just dereference the function pointers directly. This avoids the untyped variadic wrapper routines, which means better type checking for the method calls. Reviewed-by: Daniel Kiper 2023-05-25 Ard Biesheuvel efi: Add calling convention annotation to all prototypes UEFI mandates MS calling convention on x86_64, which was not supported on GCC when UEFI support was first introduced into VAS_EBOOT. However, now we can use the ms_abi function type attribute to annotate functions and function pointers as adhering to the MS calling convention, and the compiler will generate the correct instruction sequence for us. So let's add the appropriate annotation to all the function prototypes. This will allow us to drop the special call wrappers in a subsequent patch. Reviewed-by: Daniel Kiper 2023-05-25 Ard Biesheuvel efi: Make EFI PXE protocol methods non-callable The VasEBoot_efi_pxe_t struct definition has placeholders for the various protocol method pointers, given that they are never called in the code, and the prototypes have been omitted, and therefore do not comply with the UEFI spec. So let's convert them into void* pointers, so they cannot be called inadvertently. Reviewed-by: Daniel Kiper 2023-05-25 Alec Brown loader/multiboot_elfxx: Check program header offset doesn't exceed constraints In VasEBoot-core/loader/multiboot_elfxx.c, we need to make sure that the program header offset is less than the file size along with the MULTIBOOT_SEARCH constant. We can do so by setting the variable phlimit to the minimum value of the two limits and check it each time we change program header index to insure that the program header offset isn't outside of the limits. Fixes: CID 314029 Fixes: CID 314038 Reviewed-by: Daniel Kiper 2023-05-25 Alec Brown loader/multiboot_elfxx: Check section header region before allocating memory In VasEBoot-core/loader/multiboot_elfxx.c, space is being allocated for the section header region, but isn't verifying if the region is within the file's size. Before calling VasEBoot_calloc(), we can add a conditional to check if the section header region is smaller than the file size. Fixes: CID 314029 Fixes: CID 314038 Reviewed-by: Daniel Kiper 2023-05-25 Alec Brown loader/multiboot_elfxx: Check program memory isn't larger than allocated memory size In VasEBoot-core/loader/multiboot_elfxx.c, the code is filling an area of memory with VasEBoot_memset() but doesn't check if there is space in the allocated memory before doing so. To make sure we aren't zeroing memory past the allocated memory region, we need to check that the offset into the allocated memory region plus the memory size of the program is smaller than the allocated memory size. Fixes: CID 314029 Fixes: CID 314038 Reviewed-by: Daniel Kiper 2023-05-25 WANG Xuerui kern/loongarch64/dl_helper: Avoid undefined behavior when popping from an empty reloc stack The return value of VasEBoot_loongarch64_stack_pop() is unsigned, so -1 should not be used in the first place. Replacing with 0 is enough to avoid the UB in this edge case. Technically though, proper error handling is needed throughout the management of the reloc stack, so no unexpected behavior will happen even in case of malformed object code input (right now, pushes become no-ops when the stack is full, and garbage results if the stack does not contain enough operands for an op). The refactor would touch some more places so would be best done in a separate series. Fixes: CID 407777 Fixes: CID 407778 Reviewed-by: Daniel Kiper 2023-05-25 Peter Zijlstra (Intel) pci: Rename VAS_EBOOT_PCI_CLASS_* Glenn suggested to rename the existing PCI_CLASS defines to have explicit class and subclass names. Suggested-by: Glenn Washburn Reviewed-by: Daniel Kiper 2023-05-25 Peter Zijlstra (Intel) term/serial: Add support for PCI serial devices Loosely based on early_pci_serial_init() from Linux, allow VAS_EBOOT to make use of PCI serial devices. Specifically, my Alderlake NUC exposes the Intel AMT SoL UART as a PCI enumerated device but doesn't include it in the EFI tables. Tested and confirmed working on a "Lenovo P360 Tiny" with Intel AMT enabled. This specific machine has (from lspci -vv): 00:16.3 Serial controller: Intel Corporation Device 7aeb (rev 11) (prog-if 02 [16550]) DeviceName: Onboard - Other Subsystem: Lenovo Device 330e Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- SERR- Reviewed-by: Daniel Kiper 2023-05-17 Glenn Washburn tests/util/VasEBoot-fs-tester: Avoid failing some file system tests due to file system filling up On some systems /usr/share/dict/american-english can be larger than the available space on the filesystem being tested (e.g. vfat12a). This causes a failure of the filesystem test and is not a real test failure. Instead, use dd to copy at most 1 MiB of data to the filesystem, which is enough for our purposes and will not fill any of the tested filesystems. Reviewed-by: Daniel Kiper 2023-05-17 Glenn Washburn docs: Command-line and menu entry commands are now separated The menu entry commands now have their own section. Change the wording in the section that they were in to reflect this. Reviewed-by: Daniel Kiper 2023-05-17 Roger Pau Monné lib/relocator: Always enforce the requested alignment in malloc_in_range() On failure to allocate from VasEBoot_relocator_firmware_alloc_region() in malloc_in_range() the function would stop enforcing the alignment, and the following was returned: lib/relocator.c:431: trying to allocate in 0x200000-0xffbf9fff aligned 0x200000 size 0x406000 lib/relocator.c:1197: allocated: 0x74de2000+0x406000 lib/relocator.c:1407: allocated 0x74de2000/0x74de2000 Fix this by making sure that target always contains a suitably aligned address. After the change the return from the function is: lib/relocator.c:431: trying to allocate in 0x200000-0xffb87fff aligned 0x200000 size 0x478000 lib/relocator.c:1204: allocated: 0x74c00000+0x478000 lib/relocator.c:1414: allocated 0x74c00000/0x74c00000 Fixes: 3a5768645c05 (First version of allocation from firmware) Reviewed-by: Daniel Kiper 2023-05-17 Benjamin Herrenschmidt term/ns8250: Fix incorrect usage of access_size The access_size is part of a union, so doesn't technically exist for a PIO port (i.e., not MMIO), but we set it anyways. This doesn't cause a bug today because the other leg of the union doesn't have anything overlapping with it now, but it's bad, I will punish myself for writing it that way :-) In the meantime, fix this and actually name the struct inside the union for clarity of intent and to avoid such issue in the future. Reviewed-by: Daniel Kiper 2023-05-17 Ákos Nagy util/VasEBoot-install-common: Fix the key of the --core-compress option Commit f23bc6510 (Transform -C option to VasEBoot-mkstandalone to --core-compress available in all VasEBoot-install flavours.) declared a new long option for specifying the compression method to use for the core image. However, the option key has not been replaced in the parser function, it still expects the old one formerly used by VasEBoot-mkstandalone. Because of this the option is not recognized by any of the utils for which it is listed as supported. Reviewed-by: Daniel Kiper 2023-05-17 Lidong Chen fs/hfsplus: Set VasEBoot_errno to prevent NULL pointer access When an invalid node size is detected in VasEBoot_hfsplus_mount(), data pointer is freed. Thus, file->data is not set. The code should also set the VasEBoot_errno when that happens to indicate an error and to avoid accessing the uninitialized file->data in VasEBoot_file_close(). Reviewed-by: Daniel Kiper 2023-05-17 Lidong Chen fs/hfsplus: Prevent out of bound access in catalog file A corrupted hfsplus can have a catalog key that is out of range. This can lead to out of bound access when advancing the pointer to access catalog file info. The valid range of a catalog key is specified in HFS Plus Technical Note TN1150 [1]. [1] https://developer.apple.com/library/archive/technotes/tn/tn1150.html Reviewed-by: Daniel Kiper 2023-05-17 Lidong Chen fs/hfsplus: Validate btree node size The invalid btree node size can cause crashes when parsing the btree. The fix is to ensure the btree node size is within the valid range defined in the HFS Plus technical note, TN1150 [1]. [1] https://developer.apple.com/library/archive/technotes/tn/tn1150.html Reviewed-by: Daniel Kiper 2023-05-17 Glenn Washburn INSTALL: Use exfat-utils package instead of exfatprogs The exfat-utils package is an older package complementing exfat-fuse, and was the only exfat tools for a long time. The exfat filesystem testing code was written with these tools in mind. A newer project exfatprogs appears to be of better quality and functionality and was written to complement the somewhat new exfat kernel module. Ideally we should be using the newer exfatprogs. However, the command line interface for mkfs.exfat is different between the two. So we can't use the exfatprogs tools until the test scripts have been updated to account for this. Recommend installing exfat-utils instead of exfatprogs for now. Reviewed-by: Daniel Kiper 2023-05-17 Glenn Washburn INSTALL: Document that building VasEBoot-mkfont requires xfonts-unifont Reviewed-by: Daniel Kiper 2023-05-17 Renaud Métrich net/dns: Fix lookup error when no IPv6 is returned When trying to resolve DNS names into IP addresses, the DNS code fails from time to time with the following error: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- error: ../../VasEBoot-core/net/dns.c:688:no DNS record found. -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- This happens when both IPv4 and IPv6 queries are performed against the DNS server (e.g. 8.8.8.8) but there is no IP returned for IPv6 query, as shown below: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- VasEBoot> net_del_dns 192.168.122.1 VasEBoot> net_add_dns 8.8.8.8 VasEBoot> net_nslookup ipv4.test-ipv6.com error: ../../VasEBoot-core/net/dns.c:688:no DNS record found. VasEBoot> net_nslookup ipv4.test-ipv6.com 216.218.228.115 -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- The root cause is the code exiting prematurely when the data->addresses buffer has been allocated in recv_hook(), even if there was no address returned last time recv_hook() executed. Reviewed-by: Daniel Kiper 2023-05-17 Renaud Métrich net/dns: Add debugging messages in recv_hook() function Reviewed-by: Daniel Kiper net/dns: Simplify error handling of recv_hook() function Reviewed-by: Daniel Kiper 2023-05-17 Renaud Métrich net/dns: Fix removal of DNS server When deleting the DNS server, we get the following error message: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- VasEBoot> net_del_dns 192.168.122.1 error: ../../VasEBoot-core/net/dns.c:646:no DNS reply received. -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- This happens because the implementation is broken, it does a "add" internally instead of a "delete". Reviewed-by: Daniel Kiper 2023-05-17 Xiaotian Wu tests: Add LoongArch to various test cases I ran the test suite on a 3A5000 desktop, a LoongArch architecture machine, using Archlinux for LoongArch distro, see https://github.com/loongarchlinux. Some software versions are: * linux 6.3.0-rc4 * gcc 13.0.1 20230312 * binutils 2.40 * qemu 7.2.0 The test results of running "make check" with qemu 7.2 are as follows: ================================= VAS_EBOOT 2.11: ./test-suite.log ================================= # TOTAL: 85 # PASS: 73 # SKIP: 8 # XFAIL: 0 # FAIL: 2 # XPASS: 0 # ERROR: 2 .. contents:: :depth: 2 ERROR: f2fs_test ================ mount: /tmp/VasEBoot-fs-tester.20230418175640563815408.f2fs.UDs/f2fs_rw: unknown filesystem type 'f2fs'. dmesg(1) may have more information after failed mount system call. MOUNT FAILED. ERROR f2fs_test (exit status: 99) FAIL: hfs_test ============== recode: Request `utf8..macroman' is erroneous mkfs.hfs: name required with -v option FAIL hfs_test (exit status: 1) ERROR: zfs_test =============== zpool not installed; cannot test zfs. ERROR zfs_test (exit status: 99) SKIP: pata_test =============== SKIP pata_test (exit status: 77) SKIP: ahci_test =============== SKIP ahci_test (exit status: 77) SKIP: uhci_test =============== SKIP uhci_test (exit status: 77) SKIP: ohci_test =============== SKIP ohci_test (exit status: 77) SKIP: ehci_test =============== SKIP ehci_test (exit status: 77) SKIP: fddboot_test ================== SKIP fddboot_test (exit status: 77) SKIP: netboot_test ================== SKIP netboot_test (exit status: 77) SKIP: pseries_test ================== SKIP pseries_test (exit status: 77) FAIL: VasEBoot_func_test ==================== WARNING: Image format was not specified for '/tmp/VasEBoot-shell.HeTAD8Ty3U/VasEBoot.iso' and probing guessed raw. Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted. Specify the 'raw' format explicitly to remove the restrictions. Functional test failure: shift_test: ... gfxterm_menu_640x480xi16:3 failed: 0xce34981e vs 0xd9f04953 tests/video_checksum.c:checksum:615: assert failed: 0 Checksum gfxterm_menu_640x480xi16:2 failed: 0xa8fb749d vs 0xbf3fa5d0 tests/video_checksum.c:checksum:615: assert failed: 0 Checksum gfxterm_menu_640x480xi16:1 failed: 0xce34981e vs 0xd9f04953 gfxterm_menu: FAIL ... videotest_checksum: videotest_checksum: PASS exfctest: exfctest: PASS TEST FAILURE FAIL VasEBoot_func_test (exit status: 1) We got 2 errors: * f2fs_test The kernel uses 16k pages, causing failures when loading the f2fs kernel module, see https://github.com/torvalds/linux/blob/master/fs/f2fs/super.c#L4670 This error can be ignored. * zfs_test zfs does not support the LoongArch architecture and is not compatible with the 6.3 kernel. This error can be ignored. We got 2 failures: * hfs_test I use recode 3.7.14-1 on Archlinux, running `recode -l` gives no output `MacRoman`, so we get this error. On Linux systems that support LoongArch, there is currently no need to use HFS, so this failure can be ignored. * VasEBoot_func_test I don't know the reason for this failure. I guess it may be related to qemu's edk2. In the previous review, I was told that the failure here is the expected behavior. So, we can ignore this failure. Reviewed-by: Daniel Kiper 2023-05-17 Xiaotian Wu tests: Fix timezone inconsistency in squashfs_test The image timestamp was not returned in UTC, but the following logic expected and used UTC. This patch fixes the test failure like described below: unsquashfs -s /tmp/VasEBoot-fs-tester.20230407111703613257436.squash4_gzip.9R4/squash4_gzip_512_4096_1_0.img grep '^Creation' awk '{print $6 " " $7 " " $8 " " $9 " " $10; }' FSTIME='Fri Apr 7 11:17:05 2023' date -d 'Fri Apr 7 11:17:05 2023' -u '+%Y-%m-%d %H:%M:%S' FSTIME='2023-04-07 11:17:05' date -d '2023-04-07 11:17:05 UTC -1 second' -u '+%Y-%m-%d %H:%M:%S' FSTIMEM1='2023-04-07 11:17:04' date -d '2023-04-07 11:17:05 UTC -2 second' -u '+%Y-%m-%d %H:%M:%S' FSTIMEM2='2023-04-07 11:17:03' date -d '2023-04-07 11:17:05 UTC -3 second' -u '+%Y-%m-%d %H:%M:%S' FSTIMEM3='2023-04-07 11:17:02' grep -F 'Last modification time 2023-04-07 11:17:05' echo 'Device loop0: Filesystem type squash4 - Last modification time 2023-04-07 03:17:05 Friday - Sector size 512B - Total size 10680KiB' echo 'Device loop0: Filesystem type squash4 - Last modification time 2023-04-07 03:17:05 Friday - Sector size 512B - Total size 10680KiB' grep -F 'Last modification time 2023-04-07 11:17:04' echo 'Device loop0: Filesystem type squash4 - Last modification time 2023-04-07 03:17:05 Friday - Sector size 512B - Total size 10680KiB' grep -F 'Last modification time 2023-04-07 11:17:03' echo 'Device loop0: Filesystem type squash4 - Last modification time 2023-04-07 03:17:05 Friday - Sector size 512B - Total size 10680KiB' grep -F 'Last modification time 2023-04-07 11:17:02' echo FSTIME FAIL Reviewed-by: Glenn Washburn Reviewed-by: Daniel Kiper 2023-05-17 Xiaotian Wu loongarch: Add to build system This patch adds LoongArch to the VAS_EBOOT build system and various tools, so VAS_EBOOT can be built on LoongArch as a UEFI application. Reviewed-by: Daniel Kiper 2023-05-17 Xiaotian Wu loongarch: Add auxiliary files Add support for manipulating architectural cache and timers, and EFI memory maps. Reviewed-by: Daniel Kiper 2023-05-17 Xiaotian Wu loongarch: Add support for ELF psABI v2.00 relocations A new set of relocation types was added in the LoongArch ELF psABI v2.00 spec [1], [2] to replace the stack-based scheme in v1.00. Toolchain support is available from binutils 2.40 and gcc 13 onwards. This patch adds support for the new relocation types, that are simpler to handle (in particular, stack operations are gone). Support for the v1.00 relocs are kept for now, for compatibility with older toolchains. [1] https://github.com/loongson/LoongArch-Documentation/pull/57 [2] https://loongson.github.io/LoongArch-Documentation/LoongArch-ELF-ABI-EN.html#_appendix_revision_history Reviewed-by: Daniel Kiper 2023-05-17 Xiaotian Wu loongarch: Add support for ELF psABI v1.00 relocations This patch adds support of the stack-based LoongArch relocations throughout VAS_EBOOT, including tools, dynamic linkage, and support for conversion of ELF relocations into PE ones. A stack machine is required to handle these per the spec [1] (see the R_LARCH_SOP types), of which a simple implementation is included. These relocations are produced by binutils 2.38 and 2.39, while the newer v2.00 relocs require more recent toolchain (binutils 2.40+ & gcc 13+, or LLVM 16+). GCC 13 has not been officially released as of early 2023, so support for v1.00 relocs are expected to stay relevant for a while. [1] https://loongson.github.io/LoongArch-Documentation/LoongArch-ELF-ABI-EN.html#_relocations Reviewed-by: Daniel Kiper 2023-05-17 Xiaotian Wu loongarch: Add early startup code On entry, we need to save the system table pointer as well as our image handle. Add an early startup file that saves them and then brings us into our main function. Reviewed-by: Daniel Kiper 2023-05-17 Xiaotian Wu loongarch: Add setjmp implementation This patch adds a setjmp implementation for LoongArch. Reviewed-by: Daniel Kiper 2023-05-17 Xiaotian Wu elf: Add LoongArch definitions Add ELF e_machine ID [1] and relocations types [2] for LoongArch to the current in-repo definitions. [1] https://loongson.github.io/LoongArch-Documentation/LoongArch-ELF-ABI-EN.html#_e_machine_identifies_the_machine [2] https://loongson.github.io/LoongArch-Documentation/LoongArch-ELF-ABI-EN.html#_relocations Reviewed-by: Daniel Kiper 2023-05-17 Xiaotian Wu pe: Add LoongArch definitions Add PE machine types [1] and relocation types [2] for LoongArch to the current in-repo definitions. [1] https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#machine-types [2] https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#base-relocation-types Reviewed-by: Daniel Kiper 2023-05-16 Chris Coulson font: Try opening fonts from the bundled memdisk VAS_EBOOT since 93a786a00 (kern/efi/sb: Enforce verification of font files) has enforced verification of font files in secure boot mode. In order to continue to be able to load some default fonts, vendors may bundle them with their signed EFI image by adding them to the built-in memdisk. This change makes the font loader try loading fonts from the memdisk before the prefix path when attempting to load a font file by specifying its filename, which avoids having to make changes to VAS_EBOOT configurations in order to accommodate memdisk bundled fonts. It expects the directory structure to be the same as fonts stored in the prefix path, i.e. /fonts/.pf2. Reviewed-by: Steve McIntyre <93sam@debian.org> Tested-by: Steve McIntyre <93sam@debian.org> Reviewed-by: Robbie Harwood Reviewed-by: Daniel Kiper 2023-05-16 Robbie Harwood Aaron Miller Peter Jones net: Read bracketed IPv6 addrs and port numbers Allow specifying port numbers for http and tftp paths and allow IPv6 addresses to be recognized with brackets around them, which is required to specify a port number. Reviewed-by: Daniel Kiper 2023-05-16 Robbie Harwood Revert "net/http: Allow use of non-standard TCP/IP ports" The notation introduced in ac8a37dda (net/http: Allow use of non-standard TCP/IP ports) contradicts that used in downstream distributions including Fedora, RHEL, Debian, Ubuntu, and others. Revert it and apply the downstream notation which was originally proposed to the VAS_EBOOT in 2016. This reverts commit ac8a37dda (net/http: Allow use of non-standard TCP/IP ports). Reviewed-by: Daniel Kiper 2023-05-16 Riku Viitanen term/at_keyboard: Add timeout to fix hang on HP EliteBooks This fixes the VAS_EBOOT on Coreboot on HP EliteBooks by implementing a 200 ms timeout. The VAS_EBOOT used to hang. Fixes: https://ticket.coreboot.org/issues/141 Reviewed-by: Daniel Kiper 2023-04-13 Glenn Washburn tests/util/VasEBoot-fs-tester: Add missing redirect to /dev/null In filesystem timestamp test, a check is done to verify that the timestamp for a file as reported in Linux by the filesystem is within a few seconds of the timestamp as reported by VAS_EBOOT. This is done by grepping the output of VAS_EBOOT's ls command for the timestamp as reported by the filesystem in Linux and for each of 3 seconds past that timestamp. All of these checks except one redirect the output of grep to /dev/null. Fix this exception to behave as the other checks. Reviewed-by: Daniel Kiper 2023-04-13 Mukesh Kumar Chaurasiya disk: Replace transform_sector() function with VasEBoot_disk_to_native_sector() The transform_sector() function is not very clear in what it's doing and confusing. The VAS_EBOOT already has a function which is doing the same thing in a very self explanatory way, i.e., VasEBoot_disk_to_native_sector(). So, it's much better to use self explanatory one than transform_sector(). Reviewed-by: Daniel Kiper 2023-04-13 Thomas Schmitt tests: Add test for iso9660 delayed CE hop The ISO filesystem image iso9660_early_ce.iso exposes the unusual situation that the Rock Ridge name entry of its only file is located after a CE entry which points to the next continuation area. The correct behavior is to read the Rock Ridge name and to only then load the next continuation area. If VAS_EBOOT performs this correctly, then the name "RockRidgeName:x" will be read and reported by VasEBoot-fstest. If VAS_EBOOT wrongly performs the CE hop immediately when encountering the CE entry, then the dull ISO 9660 name "rockridg" will not be overridden and be put out by VasEBoot-fstest. Tested-by: Lidong Chen Reviewed-by: Daniel Kiper 2023-04-13 Thomas Schmitt fs/iso9660: Delay CE hop until end of current SUSP area The SUSP specs demand that the reading of the next SUSP area which is depicted by a CE entry shall be delayed until reading of the current SUSP area is completed. Up to now VAS_EBOOT immediately ends reading of the current area and loads the new one. So, buffer the parameters of a found CE entry and perform checks and reading of new data only after the reader loop has ended. Tested-by: Lidong Chen Reviewed-by: Daniel Kiper 2023-03-29 Avnish Chouhan kern/ieee1275/init: Extended support in Vec5 This patch enables multiple options in Vec5 which are required and solves the boot issues seen on some machines which are looking for these specific options. 1. LPAR: Client program supports logical partitioning and associated hcall()s. 2. SPLPAR: Client program supports the Shared Processor LPAR Option. 3. DYN_RCON_MEM: Client program supports the “ibm,dynamic-reconfiguration-memory” property and it may be presented in the device tree. 4. LARGE_PAGES: Client supports pages larger than 4 KB. 5. DONATE_DCPU_CLS: Client supports donating dedicated processor cycles. 6. PCI_EXP: Client supports PCI Express implementations utilizing Message Signaled Interrupts (MSIs). 7. CMOC: Enables the Cooperative Memory Over-commitment Option. 8. EXT_CMO: Enables the Extended Cooperative Memory Over-commit Option. 9. ASSOC_REF: Enables “ibm,associativity” and “ibm,associativity-reference-points” properties. 10. AFFINITY: Enables Platform Resource Reassignment Notification. 11. NUMA: Supports NUMA Distance Lookup Table Option. 12. HOTPLUG_INTRPT: Supports Hotplug Interrupts. 13. HPT_RESIZE: Enable Hash Page Table Resize Option. 14. MAX_CPU: Defines maximum number of CPUs supported. 15. PFO_HWRNG: Supports Random Number Generator. 16. PFO_HW_COMP: Supports Compression Engine. 17. PFO_ENCRYPT: Supports Encryption Engine. 18. SUB_PROCESSORS: Supports Sub-Processors. 19. DY_MEM_V2: Client program supports the “ibm,dynamic-memory-v2” property in the “ibm,dynamic-reconfiguration-memory” node and it may be presented in the device tree. 20. DRC_INFO: Client program supports the “ibm,drc-info” property definition and it may be presented in the device tree. Reviewed-by: Daniel Kiper 2023-03-29 Avnish Chouhan kern/ieee1275/init: Convert plain numbers to constants in Vec5 This patch converts the plain numbers used in Vec5 properties to constants. 1. LPAR: Client program supports logical partitioning and associated hcall()s. 2. SPLPAR: Client program supports the Shared Processor LPAR Option. 3. CMO: Enables the Cooperative Memory Over-commitment Option. 4. MAX_CPU: Defines maximum number of CPUs supported. Reviewed-by: Daniel Kiper 2023-03-29 Robbie Harwood loader/emu/linux: Work around systemctl kexec returning Per systemctl(1), it "is asynchronous; it will return after the reboot operation is enqueued, without waiting for it to complete". This differs from kexec(8), which calls reboot(2) and therefore does not return. When not using fallback, this confusingly results in: error trying to perform 'systemctl kexec': 0 Aborted. Press any key to exit. on screen for a bit, followed by successful kexec. To reduce the likelihood of hitting this case, add a delay on successful return. Ultimately, the systemd interface is racy: we can't avoid it entirely unless we never fallback on success. Reviewed-by: Daniel Kiper 2023-03-29 Michael Chang tpm: Disable the tpm verifier if the TPM device is not present When the tpm module is loaded, the verifier reads entire file into memory, measures it and uses verified content as a backing buffer for file accesses. However, this process may result in high memory utilization for file operations, sometimes causing a system to run out of memory which may finally lead to boot failure. To address this issue, among others, the commit 887f98f0d (mm: Allow dynamically requesting additional memory regions) have optimized memory management by dynamically allocating heap space to maximize memory usage and reduce threat of memory exhaustion. But in some cases problems may still arise, e.g., when large ISO images are mounted using loopback or when dealing with embedded systems with limited memory resources. Unfortunately current implementation of the tpm module doesn't allow elimination of the back buffer once it is loaded. Even if the TPM device is not present or it has been explicitly disabled. This may unnecessary allocate a lot memory. To solve this issue, a patch has been developed to detect the TPM status at module load and skip verifier registration if the device is missing or deactivated. This prevents allocation of memory for the back buffer, avoiding wasting memory when no real measure boot functionality is performed. Disabling the TPM device in the system can reduce memory usage in the VAS_EBOOT. It is useful in scenarios where high memory utilization is a concern and measurements of loaded artifacts are not necessary. Reviewed-by: Daniel Kiper 2023-03-29 Glenn Washburn INSTALL: Document programs and packages needed for using gdb_VasEBoot script Now that the gdb_VasEBoot script uses the Python API in GDB, a GDB with Python support must be used. Note that this means a GDB with version greater than 7.0 must be used. This should not be an issue since that was released over a decade ago. Also, the minimum version of Python must be 3.5, which was released around 8 years ago. Reviewed-by: Daniel Kiper 2023-03-29 Atish Patra RISC-V: Use common linux loader RISC-V doesn't have to do anything very different from other architectures to loader EFI stub linux kernel. As a result, just use the common linux loader instead of defining a RISC-V specific linux loader. Reviewed-by: Daniel Kiper 2023-03-29 Atish Patra efi: Remove arch specific image headers for RISC-V, ARM64 and ARM The arch specific image header details are not very useful as most of the VAS_EBOOT just looks at the PE/COFF spec parameters (PE32 magic and header offset). Remove the arch specific images headers and define a generic arch headers that provide enough PE/COFF fields for the VAS_EBOOT to parse kernel images correctly. Reviewed-by: Daniel Kiper 2023-03-29 Atish Patra loader/efi: Move ARM64 linux loader to common code ARM64 linux loader code is written in such a way that it can be reused across different architectures without much change. Move it to common code so that RISC-V doesn't have to define a separate loader. Reviewed-by: Daniel Kiper 2023-03-14 Alec Brown util/VasEBoot-module-verifierXX: Add module_size parameter to functions for sanity checking In VasEBoot-module-verifierXX.c, the function VasEBoot_module_verifyXX() performs an initial check that the ELF section headers are within the module's size, but doesn't check if the sections being accessed have contents that are within the module's size. In particular, we need to check that sh_offset and sh_size are less than the module's size. However, for some section header types we don't need to make these checks. For the type SHT_NULL, the section header is marked as inactive and the rest of the members within the section header have undefined values, so we don't need to check for sh_offset or sh_size. In the case of the type SHT_NOBITS, sh_offset has a conceptual offset which may be beyond the module size. Also, this type's sh_size may have a non-zero size, but a section of this type will take up no space in the module. This can all be checked in the function get_shdr(), but in order to do so, the parameter module_size must be added to functions so that the value of the module size can be used in get_shdr() from VasEBoot_module_verifyXX(). Also, had to rework some for loops to ensure the index passed to get_shdr() is within bounds. Reviewed-by: Daniel Kiper 2023-03-14 Glenn Washburn gdb: Add extra early initialization symbols for i386-pc Add symbols for boot.image, disk.image, and lzma_decompress.image if the target is i386-pc. This is only done for i386-pc because that is the only target that uses the images. By loading the symbols for these images, these images can be more easily debugged by allowing the setting of break- points in that code and to see easily get the value of data symbols. Reviewed-by: Daniel Kiper 2023-03-14 Glenn Washburn gdb: Modify gdb prompt when running gdb_VasEBoot script This will let users know that the GDB session is using the VAS_EBOOT gdb scripts. Reviewed-by: Daniel Kiper 2023-03-14 Glenn Washburn gdb: Allow running user-defined commands at VAS_EBOOT start A new command, run_on_start, for things to do before VAS_EBOOT starts executing. Currently, this is setting up the loading of module symbols as they are loaded and allowing user-defined script to be run if a command named "onstart" exists. On some platforms, notably x86, software breakpoints set in GDB before the VAS_EBOOT image is loaded will be cleared when the image is loaded. This is because the breakpoints work by overwriting the memory of the break- point location with a special instruction which when hit will cause the debugger to stop execution. Just before execution is resumed by the debugger, the original instruction bytes are put back. When a breakpoint is set before the VAS_EBOOT image is loaded, the special debugger instruction will be written to memory and when the VAS_EBOOT image is loaded by the firmware, which has no knowledge of the debugger, the debugger instruction is overwritten. To the GDB user, GDB will show the breakpoint as set, but it will never be hit. Furthermore, GDB now becomes confused, such that even deleting and re-setting the breakpoint after the VAS_EBOOT image is loaded will not allow for a working breakpoint. To work around this, in run_on_start, first a watchpoint is set on _start, which will be triggered when the firmware starts loading the VAS_EBOOT image. When the _start watchpoint is hit, the current breakpoints are saved to a file and then deleted by GDB before they can be overwritten by the firmware and confuse GDB. Then a temporary software breakpoint is set on _start, which will get triggered when the firmware hands off to VAS_EBOOT to execute. In that breakpoint load the previously saved and deleted breakpoints now that there is no worry of them getting overwritten by the firmware. This is needed for runtime_load_module to work when it is run before the VAS_EBOOT image is loaded. Note that watchpoints are generally types of hardware breakpoints on x86, so its deleted as soon as it gets triggered so that a minimal set of hardware breakpoints are used, allowing more for the user. Reviewed-by: Daniel Kiper 2023-03-14 Glenn Washburn gdb: Add functions to make loading from dynamically positioned targets easier Many targets, such as EFI, load VAS_EBOOT at addresses that are determined at runtime. So the load addresses in kernel.exec will almost certainly be wrong. Given the address of the start of the text segment, these functions will tell GDB to load the symbols at the proper locations. It is left up to the user to determine how to get the text address of the loaded VAS_EBOOT image. Reviewed-by: Daniel Kiper 2023-03-14 Glenn Washburn gdb: Replace module symbol loading implementation with Python one Remove gmodule.pl and rewrite as a python in gdb_helper.py. This removes Perl dependency for the VAS_EBOOT GDB script, but adds Python as a dependency. This is more desirable because Python is tightly integrated with GDB and can do things not even available to GDB native scripting language. GDB must be built with Python, however this is not a major limitation because every major distro non-end-of-life versions build GDB with Python support. And GDB has had support for Python since around 7.1-ish, which is about a decade. This re-implementation has an added feature. If there is a user defined command named "onload_", then that command will be executed after the symbols for the specified module are loaded. When debugging a module it can be desirable to set break points on code in the module. This is difficult in VAS_EBOOT because, at GDB start, the module is not loaded and on EFI platforms its not known ahead of time where the module will be loaded. So allow users to create an "onload_" command which will be run when the module with name "modname" is loaded. Another addition is a new convenience function is defined $is_user_command(), which returns true if its string argument is the name of a user-defined command. A secondary benefit of these changes is that the script does not write temporary files and has better error handling capabilities. Reviewed-by: Daniel Kiper 2023-03-14 Glenn Washburn gdb: Only connect to remote target once when first sourced The gdb_VasEBoot script was originally meant to be run once when GDB first starts up via the -x argument. So it runs commands unconditionally assuming that the script has not been run before. Its nice to be able to source the script again when developing the script to modify/add commands. So only run the commands not defined in user-defined commands, if a variable $runonce has already been set and when those commands have been run to set $runonce. Reviewed-by: Daniel Kiper 2023-03-14 Glenn Washburn gdb: Conditionally run GDB script logic for dynamically or statically positioned VAS_EBOOT There are broadly two classes of targets to consider when loading symbols for VAS_EBOOT, targets that determine where to load VAS_EBOOT at runtime (dynamically positioned) and those that do not (statically positioned). For statically positioned targets, symbol loading is determined at link time, so nothing more needs to be known to load the symbols. For dynamically positioned targets, such as EFI targets, at runtime symbols should be offset by an amount that depends on where the runtime chose to load VAS_EBOOT. It is important to not load symbols statically for dynamic targets because then when subsequently loading the symbols correctly one must take care to remove the existing static symbols, otherwise there will be two sets of symbols and GDB seems to prefer the ones loaded first (i.e. the static ones). Use autoconf variables to generate a gdb_VasEBoot for a particular target, which conditionally run startup code depending on if the target uses static or dynamic loading. Reviewed-by: Daniel Kiper 2023-03-14 Glenn Washburn gdb: Move runtime module loading into runtime_load_module By moving this code into a function, it can be run re-utilized while gdb is running, not just when loading the script. This will also be useful in some following changes which will make a separate script path for targets which statically vs dynamically position VAS_EBOOT code. Reviewed-by: Daniel Kiper 2023-03-07 Michael Chang osdep/devmapper/getroot: Fix build error on 32-bit host The gcc build has failed for 32-bit host (e.g. i386-emu and arm-emu) due to mismatch between format specifier and data type. ../VasEBoot-core/osdep/devmapper/getroot.c: In function 'VasEBoot_util_pull_devmapper': ../VasEBoot-core/osdep/devmapper/getroot.c:265:75: error: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'int' [-Werror=format=] ../VasEBoot-core/osdep/devmapper/getroot.c:276:80: error: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'int' [-Werror=format=] This patch fixes the problem by casting the type of calculated offset to VasEBoot_size_t and use platform PRIuVAS_EBOOT_SIZE as format specifier. Reviewed-by: Daniel Kiper 2023-03-07 Stefan Berger commands/ieee1275/ibmvtpm: Add support for trusted boot using a vTPM 2.0 Add support for trusted boot using a vTPM 2.0 on the IBM IEEE1275 PowerPC platform. With this patch VasEBoot now measures text and binary data into the TPM's PCRs 8 and 9 in the same way as the x86_64 platform does. This patch requires Daniel Axtens's patches for claiming more memory. Note: The tpm_init() function cannot be called from VAS_EBOOT_MOD_INIT() since it does not find the device nodes upon module initialization and therefore the call to tpm_init() must be deferred to VasEBoot_tpm_measure(). For vTPM support to work on PowerVM, system driver levels 1010.30 or 1020.00 are required. Note: Previous versions of firmware levels with the 2hash-ext-log API call have a bug that, once this API call is invoked, has the effect of disabling the vTPM driver under Linux causing an error message to be displayed in the Linux kernel log. Those users will have to update their machines to the firmware levels mentioned above. Cc: Eric Snowberg Reviewed-by: Daniel Kiper Tested-by: Nageswara R Sastry Reviewed-by: Robbie Harwood 2023-03-07 Daniel Axtens commands/memtools: Add memtool module with memory allocation stress-test When working on memory, it's nice to be able to test your work. Add a memtest module. When compiled with --enable-mm-debug, it exposes 3 commands: * lsmem - print all allocations and free space in all regions * lsfreemem - print free space in all regions * stress_big_allocs - stress test large allocations: - how much memory can we allocate in one chunk? - how many 1MB chunks can we allocate? - check that gap-filling works with a 1MB aligned 900kB alloc + a 100kB alloc. Reviewed-by: Daniel Kiper Tested-by: Nageswara R Sastry Reviewed-by: Robbie Harwood 2023-03-07 Diego Domingos ieee1275: Implement vec5 for cas negotiation As a legacy support, if the vector 5 is not implemented, Power Hypervisor will consider the max CPUs as 64 instead 256 currently supported during client-architecture-support negotiation. This patch implements the vector 5 and set the MAX CPUs to 256 while setting the others values to 0 (default). Acked-by: Daniel Axtens Tested-by: Nageswara R Sastry Reviewed-by: Robbie Harwood Reviewed-by: Daniel Kiper 2023-03-07 Daniel Axtens ieee1275: Support runtime memory claiming On powerpc-ieee1275, we are running out of memory trying to verify anything. This is because: - we have to load an entire file into memory to verify it. This is difficult to change with appended signatures. - We only have 32MB of heap. - Distro kernels are now often around 30MB. So we want to be able to claim more memory from OpenFirmware for our heap at runtime. There are some complications: - The VasEBoot mm code isn't the only thing that will make claims on memory from OpenFirmware: * PFW/SLOF will have claimed some for their own use. * The ieee1275 loader will try to find other bits of memory that we haven't claimed to place the kernel and initrd when we go to boot. * Once we load Linux, it will also try to claim memory. It claims memory without any reference to /memory/available, it just starts at min(top of RMO, 768MB) and works down. So we need to avoid this area. See arch/powerpc/kernel/prom_init.c as of v5.11. - The smallest amount of memory a ppc64 KVM guest can have is 256MB. It doesn't work with distro kernels but can work with custom kernels. We should maintain support for that. (ppc32 can boot with even less, and we shouldn't break that either.) - Even if a VM has more memory, the memory OpenFirmware makes available as Real Memory Area can be restricted. Even with our CAS work, an LPAR on a PowerVM box is likely to have only 512MB available to OpenFirmware even if it has many gigabytes of memory allocated. What should we do? We don't know in advance how big the kernel and initrd are going to be, which makes figuring out how much memory we can take a bit tricky. To figure out how much memory we should leave unused, I looked at: - an Ubuntu 20.04.1 ppc64le pseries KVM guest: vmlinux: ~30MB initrd: ~50MB - a RHEL8.2 ppc64le pseries KVM guest: vmlinux: ~30MB initrd: ~30MB So to give us a little wriggle room, I think we want to leave at least 128MB for the loader to put vmlinux and initrd in memory and leave Linux with space to satisfy its early allocations. Allow other space to be allocated at runtime. Tested-by: Stefan Berger Tested-by: Nageswara R Sastry Reviewed-by: Robbie Harwood Reviewed-by: Daniel Kiper 2023-03-07 Daniel Axtens ieee1275: Drop len -= 1 quirk in heap_init This was apparently "required by some firmware": commit dc9468500919 (2007-02-12 Hollis Blanchard ). It's not clear what firmware that was, and what platform from 14 years ago which exhibited the bug then is still both in use and buggy now. It doesn't cause issues on qemu (mac99 or pseries) or under PFW for Power8. I don't have access to old Mac hardware, but if anyone feels especially strongly we can put it under some feature flag. I really want to disable it under pseries because it will mess with region merging. Reviewed-by: Daniel Kiper Tested-by: Nageswara R Sastry Reviewed-by: Robbie Harwood 2023-03-07 Daniel Axtens ieee1275: Request memory with ibm, client-architecture-support On PowerVM, the first time we boot a Linux partition, we may only get 256MB of real memory area, even if the partition has more memory. This isn't enough to reliably verify a kernel. Fortunately, the Power Architecture Platform Reference (PAPR) defines a method we can call to ask for more memory: the broad and powerful ibm,client-architecture-support (CAS) method. CAS can do an enormous amount of things on a PAPR platform: as well as asking for memory, you can set the supported processor level, the interrupt controller, hash vs radix mmu, and so on. If: - we are running under what we think is PowerVM (compatible property of / begins with "IBM"), and - the full amount of RMA is less than 512MB (as determined by the reg property of /memory) then call CAS as follows: (refer to the Linux on Power Architecture Reference, LoPAR, which is public, at B.5.2.3): - Use the "any" PVR value and supply 2 option vectors. - Set option vector 1 (PowerPC Server Processor Architecture Level) to "ignore". - Set option vector 2 with default or Linux-like options, including a min-rma-size of 512MB. - Set option vector 3 to request Floating Point, VMX and Decimal Floating point, but don't abort the boot if we can't get them. - Set option vector 4 to request a minimum VP percentage to 1%, which is what Linux requests, and is below the default of 10%. Without this, some systems with very large or very small configurations fail to boot. This will cause a CAS reboot and the partition will restart with 512MB of RMA. Importantly, VasEBoot will notice the 512MB and not call CAS again. Notes about the choices of parameters: - A partition can be configured with only 256MB of memory, which would mean this request couldn't be satisfied, but PFW refuses to load with only 256MB of memory, so it's a bit moot. SLOF will run fine with 256MB, but we will never call CAS under qemu/SLOF because /compatible won't begin with "IBM".) - unspecified CAS vectors take on default values. Some of these values might restrict the ability of certain hardware configurations to boot. This is why we need to specify the VP percentage in vector 4, which is in turn why we need to specify vector 3. Finally, we should have enough memory to verify a kernel, and we will reach Linux. One of the first things Linux does while still running under OpenFirmware is to call CAS with a much fuller set of options (including asking for 512MB of memory). Linux includes a much more restrictive set of PVR values and processor support levels, and this CAS invocation will likely induce another reboot. On this reboot VasEBoot will again notice the higher RMA, and not call CAS. We will get to Linux again, Linux will call CAS again, but because the values are now set for Linux this will not induce another CAS reboot and we will finally boot all the way to userspace. On all subsequent boots, everything will be configured with 512MB of RMA, so there will be no further CAS reboots from VasEBoot. (phyp is super sticky with the RMA size - it persists even on cold boots. So if you've ever booted Linux in a partition, you'll probably never have VasEBoot call CAS. It'll only ever fire the first time a partition loads VasEBoot, or if you deliberately lower the amount of memory your partition has below 512MB.) Reviewed-by: Daniel Kiper Tested-by: Nageswara R Sastry Reviewed-by: Robbie Harwood 2023-02-28 Khem Raj RISC-V: Handle R_RISCV_CALL_PLT reloc GNU assembler starting 2.40 release always generates R_RISCV_CALL_PLT reloc for call in assembler [1], similarly LLVM does not make distinction between R_RISCV_CALL_PLT and R_RISCV_CALL [2]. Fixes "VasEBoot-mkimage: error: relocation 0x13 is not implemented yet.". [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=70f35d72ef04cd23771875c1661c9975044a749c [2] https://reviews.llvm.org/D132530 Reviewed-by: Daniel Kiper 2023-02-28 John Paul Adrian Glaubitz osdep/hurd/getroot: Remove unused variables in VasEBoot_util_find_hurd_root_device() Found during a test build on Debian/hurd-i386 with --disable-werror enabled: In file included from VasEBoot-core/osdep/getroot.c:12: VasEBoot-core/osdep/hurd/getroot.c: In function ‘VasEBoot_util_find_hurd_root_device’: VasEBoot-core/osdep/hurd/getroot.c:126:13: error: unused variable ‘next’ [-Werror=unused-variable] 126 | char *next; | ^~~~ VasEBoot-core/osdep/hurd/getroot.c:125:14: error: unused variable ‘size’ [-Werror=unused-variable] 125 | size_t size; | ^~~~ Fixes: e981b0a24 (osdep/hurd/getroot: Use "part:" qualifier) Reviewed-by: Samuel Thibault Reviewed-by: Daniel Kiper 2023-02-28 Glenn Washburn gdb: If no modules have been loaded, do not try to load module symbols This prevents load_all_modules from failing when called before any modules have been loaded. Failures in GDB user-defined functions cause any function which called them to also fail. Reviewed-by: Daniel Kiper 2023-02-28 Glenn Washburn gdb: Prevent wrapping when writing to .segments.tmp GDB logging is redirected to write .segments.tmp, which means that GDB will wrap lines longer than what it thinks is the screen width (typically 80 characters). When wrapping does occur it causes gmodule.pl to misbehave. So disable line wrapping by using GDB's "with" command so that its guaranteed to return the width to the previous value upon command completion. Also disable command tracing when dumping the module sections because that output will go to .segments.tmp and thus cause gmodule.pl to misbehave. Reviewed-by: Daniel Kiper 2023-02-28 Glenn Washburn gdb: Fix redirection issue in dump_module_sections An error in any GDB command causes it to immediately abort with an error, this includes any command that calls that command. This leads to an issue in dump_module_sections where an error causes the command to exit without turning off file redirection. The user then ends up with a GDB command line where commands output nothing to the console. Instead do the work of dump_module_sections in the command dump_module_sections_helper and run the command using GDB's pipe command which does the redirection and undoes the redirection when it finishes regardless of any errors in the command. Also, remove .segments.tmp file prior to loading modules in case one was left from a previous run. Reviewed-by: Daniel Kiper 2023-02-28 Glenn Washburn efi: Allow expression as func argument to efi_call_* macros on all platforms On EFI platforms where EFI calls do not require a wrapper (notably i386-efi and arm64-efi), the func argument needs to be wrapped in parenthesis to allow valid syntax when func is an expression which evaluates to a function pointer. On EFI platforms that do need a wrapper, this was never an issue because func is passed to the C function wrapper as an argument and thus does not need parenthesis to be evaluated. Reviewed-by: Daniel Kiper 2023-02-28 Jeremy Szu loader/i386/linux: Correct wrong initrd address for debug The "addr" is used to request the memory with specific ranges but the real loadable address come from the relocator. Thus, print the final retrieved addresses, virtual and physical, for initrd. On the occasion migrate to PRIxVAS_EBOOT_ADDR and PRIxVAS_EBOOT_SIZE format specifiers. Reviewed-by: Daniel Kiper 2023-02-28 Glenn Washburn INSTALL: Document that the functional test requires the package xfonts-unifont Reviewed-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2023-02-28 Glenn Washburn tests: Return hard error for functional test when unicode.pf2 does not exist The functional test requires unicode.pf2 to run successfully, so explicitly have the test return ERROR when its not found. Tested-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2023-02-28 Glenn Washburn tests: VasEBoot_cmd_cryptomount should hard error when pre-requisites are not met Tests should be SKIP'd only when they do not apply to a particular target. Hard errors are for when the test should run but can not be setup properly. Reviewed-by: Daniel Kiper 2023-02-28 Glenn Washburn tests: Add pathological iso9660 filesystem tests These are not added to VasEBoot-fs-tester because they are not generated and none of the filesystem tests are run on these ISOs. The test is to run the command "ls /" on the ISO, and a failure is determined if the command times out, has non-zero return value or has any output. Tested-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2023-02-14 Mukesh Kumar Chaurasiya osdep/linux/hostdisk: Modify sector by sysfs as disk sector The disk sector size provided by sysfs file system considers the sector size of 512 irrespective of disk sector size, thus causing the read by the VAS_EBOOT to an incorrect offset from what was originally intended. Considering the 512 sector size of sysfs data the actual sector needs to be modified corresponding to disk sector size. Reviewed-by: Daniel Kiper 2023-02-14 Glenn Washburn tests/util/VasEBoot-fs-tester: Use shell variable instead of autoconf By using a shell variable that is set once by the expansion of an autoconf variable, the resulting script is more readable. Reviewed-by: Daniel Kiper 2023-02-14 Glenn Washburn tests/util/VasEBoot-fs-tester: Remove unused variable Reviewed-by: Daniel Kiper 2023-02-14 Alec Brown net/bootp: Fix unchecked return value In the function send_dhcp_packet(), added an error check for the return value of VasEBoot_netbuff_push(). Fixes: CID 404614 Reviewed-by: Daniel Kiper 2023-02-02 Zhang Boyang mm: Avoid complex heap growth math in hot path We do a lot of math about heap growth in hot path of VasEBoot_memalign(). However, the result is only used if out of memory is encountered, which is seldom. This patch moves these calculations away from hot path. These calculations are now only done if out of memory is encountered. This change can also help compiler to optimize integer overflow checks away. Reviewed-by: Daniel Kiper 2023-02-02 Zhang Boyang mm: Preallocate some space when adding new regions When VasEBoot_memalign() encounters out-of-memory, it will try VasEBoot_mm_add_region_fn() to request more memory from system firmware. However, it doesn't preallocate memory space for future allocation requests. In extreme cases, it requires one call to VasEBoot_mm_add_region_fn() for each memory allocation request. This can be very slow. This patch introduces VAS_EBOOT_MM_HEAP_GROW_EXTRA, the minimal heap growth granularity. The new region size is now set to the bigger one of its original value and VAS_EBOOT_MM_HEAP_GROW_EXTRA. Thus, it will result in some memory space preallocated if current allocations request is small. The value of VAS_EBOOT_MM_HEAP_GROW_EXTRA is set to 1MB. If this value is smaller, the cost of small memory allocations will be higher. If this value is larger, more memory will be wasted and it might cause out-of-memory on machines with small amount of RAM. Reviewed-by: Daniel Kiper 2023-02-02 Zhang Boyang mm: Adjust new region size to take management overhead into account When VasEBoot_memalign() encounters out-of-memory, it will try VasEBoot_mm_add_region_fn() to request more memory from system firmware. However, the size passed to it doesn't take region management overhead into account. Adding a memory area of "size" bytes may result in a heap region of less than "size" bytes really available. Thus, the new region may not be adequate for current allocation request, confusing out-of-memory handling code. This patch introduces VAS_EBOOT_MM_MGMT_OVERHEAD to address the region management overhead (e.g. metadata, padding). The value of this new constant must be large enough to make sure VasEBoot_memalign(align, size) always succeeds after a successful call to VasEBoot_mm_init_region(addr, size + align + VAS_EBOOT_MM_MGMT_OVERHEAD), for any given addr and size (assuming no integer overflow). The size passed to VasEBoot_mm_add_region_fn() is now correctly adjusted, thus if VasEBoot_mm_add_region_fn() succeeded, current allocation request can always succeed. Reviewed-by: Daniel Kiper 2023-02-02 Glenn Washburn tests/util/VasEBoot-shell: Add $VAS_EBOOT_QEMU_OPTS to run.sh to easily see unofficial QEMU arguments When re-running a failed test, even the non-standard VasEBoot-shell QEMU arguments should be preserved in the run.sh to more precisely replay the failed test run. Reviewed-by: Daniel Kiper 2023-02-02 Glenn Washburn tests/util/VasEBoot-shell: Create run.sh in working directory for easily running test again Now it becomes trivial to re-run a test from the output in its working directory. This also makes it easy to send a reproducible failing test to the mailing list. This has allowed a refactor so that the duplicated code to call QEMU has be condensed (e.g. the use of timeout and file descriptor redirection). The run.sh script will pass any arguments given to QEMU. This allows QEMU to be easily started in a state ready for GDB to be attached. Reviewed-by: Daniel Kiper 2023-02-02 Glenn Washburn tests: Allow turning on shell tracing from environment variables This allows turning on shell tracing for VasEBoot-shell and VasEBoot-fs-tester when its not practical or not possible to use command line arguments (e.g. from "make check"). Turn on tracing when the envvar is an integer greater than 1, since these can generate a lot of output. Since this change uses the environment variables to set the default value for debug in VasEBoot-shell, this allows enabling VasEBoot-shell's debug mode which will preserve various generated output files that are helpful for debugging tests. Reviewed-by: Daniel Kiper 2023-02-02 Glenn Washburn misc: Move *printf function declarations to same location Reviewed-by: Daniel Kiper 2023-02-02 Thomas Schmitt fs/iso9660: Prevent skipping CE or ST at start of continuation area If processing of a SUSP CE entry leads to a continuation area which begins by entry CE or ST, then these entries were skipped without interpretation. In case of CE this would lead to premature end of processing the SUSP entries of the file. In case of ST this could cause following non-SUSP bytes to be interpreted as SUSP entries. Tested-by: Lidong Chen Reviewed-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2023-02-02 Lidong Chen fs/iso9660: Incorrect check for entry boundary An SL entry consists of the entry info and the component area. The entry info should take up 5 bytes instead of sizeof(*entry). The area after the first 5 bytes is the component area. It is incorrect to use the sizeof(*entry) to check the entry boundary. Reviewed-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2023-02-02 Lidong Chen fs/iso9660: Avoid reading past the entry boundary Added a check for the SP entry data boundary before reading it. Reviewed-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2023-02-02 Lidong Chen fs/iso9660: Prevent read past the end of system use area In the code, the for loop advanced the entry pointer to the next entry before checking if the next entry is within the system use area boundary. Another issue in the code was that there is no check for the size of system use area. For a corrupted system, the size of system use area can be less than the size of minimum SUSP entry size (4 bytes). These can cause buffer overrun. The fixes added the checks to ensure the read is valid and within the boundary. Reviewed-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2023-02-02 Lidong Chen fs/iso9660: Add check to prevent infinite loop There is no check for the end of block when reading directory extents. It resulted in read_node() always read from the same offset in the while loop, thus caused infinite loop. The fix added a check for the end of the block and ensure the read is within directory boundary. Reviewed-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2023-02-01 Pierre-Louis Bonicoli VasEBoot-fs-tester: Add LUKS1 and LUKS2 support The logical sector size used by LUKS1 is 512 bytes and LUKS2 uses 512 to 4069 bytes. The default password used is "pass", but can be overridden by setting the PASS environment variable. The device mapper name is set to the name of the temp directory so that its easy to correlate device mapper name with a particular test run. Also since this name is unique per test run, multiple simultaneous test runs are allowed. Note that cryptsetup is passing the --disable-locks parameter to allow cryptsetup run successfully when /run/lock/cryptsetup is not accessible. Since the device mapper name is unique per test run, there is no need to worry about locking the device to serialize access. Tested-by: Glenn Washburn Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2023-02-01 Josselin Poiret osdep/devmapper/getroot: Set up cheated LUKS2 cryptodisk mount from DM parameters This lets a LUKS2 cryptodisk have its cipher and hash filled out, otherwise they wouldn't be initialized if cheat mounted. Tested-by: Glenn Washburn Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2023-02-01 Josselin Poiret osdep/devmapper/getroot: Have devmapper recognize LUKS2 Changes UUID comparisons so that LUKS1 and LUKS2 are both recognized as being LUKS cryptodisks. Tested-by: Glenn Washburn Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2023-02-01 Fabian Vogt disk/cryptodisk: When cheatmounting, use the sector info of the cheat device When using VasEBoot-probe with cryptodisk, the mapped block device from the host is used directly instead of decrypting the source device in VAS_EBOOT code. In that case, the sector size and count of the host device needs to be used. This is especially important when using LUKS2, which does not assign total_sectors and log_sector_size when scanning, but only later when the segments in the JSON area are evaluated. With an unset log_sector_size, VasEBoot_device_open() complains. This fixes VasEBoot-probe failing with "error: sector sizes of 1 bytes aren't supported yet.". Reviewed-by: Patrick Steinhardt Tested-by: Glenn Washburn Reviewed-by: Glenn Washburn Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2023-01-19 Daniel Axtens fs/f2fs: Fix off-by-one error in nat journal entries check Oops. You're allowed to have up to n = NAT_JOURNAL_ENTRIES entries _inclusive_, because the loop below uses i < n, not i <= n. D'oh. Fixes: 4bd9877f6216 (fs/f2fs: Do not read past the end of nat journal entries) Reported-by: программист нект Tested-by: программист нект Reviewed-by: Daniel Kiper 2023-01-19 Nicholas Vinson gentpl.py: Remove .interp section from .img files When building .img files, a .interp section from the .image files will sometimes be copied into the .img file. This additional section pushes the .img file beyond the 512-byte limit and causes VasEBoot-install to fail to run for i386-pc platforms. Reviewed-by: Daniel Kiper 2023-01-19 Glenn Washburn tests: Add cryptomount functional test The VasEBoot_cmd_cryptomount make check test performs some functional testing of cryptomount and by extension the underlying cryptodisk infrastructure. A utility test script named VasEBoot-shell-luks-tester is created to handle the complexities of the testing, making it simpler to add new test cases in VasEBoot_cmd_cryptomount. Reviewed-by: Daniel Kiper 2023-01-19 Glenn Washburn tests/util/VasEBoot-shell: Add halt_cmd variable to testcase namespace This allows test case scripts to use the appropriate halt command for the built architecture to end execution early. Otherwise, test case scripts have no way to know the appropriate mechanism for halting the test case early. Reviewed-by: Daniel Kiper 2023-01-19 Glenn Washburn tests/util/VasEBoot-shell: Trim line should always be matched from the beginning of the line When turning on shell tracing the trim line will be output before we actually want to start the trim. However, in this case the trim line never starts from the beginning of the line. So start trimming from the correct line by matching from the beginning of the line. Reviewed-by: Daniel Kiper 2023-01-19 Glenn Washburn tests/util/VasEBoot-shell: Allow specifying non-default trim line contents This will be useful for tests that have unwanted output from setup. This is not documented because its only intended to be internal at the moment. Also, --no-trim is allowed to explicitly turn off trim. Reviewed-by: Daniel Kiper 2023-01-19 Glenn Washburn tests/util/VasEBoot-shell: Only cleanup working directory file if QEMU does not fail or timeout This keeps the generated files to aid in diagnosing the source of the failure. Reviewed-by: Daniel Kiper 2023-01-19 Glenn Washburn tests/util/VasEBoot-shell: Set exit status to QEMU exit status This allows us to test if unexpected output in test scripts is because of a bug in VAS_EBOOT, because there was an error in QEMU, or QEMU was killed due to a timeout. Reviewed-by: Daniel Kiper 2023-01-19 Glenn Washburn io/gzio: Remove confusing, out-dated comment The "transparent" parameter to VasEBoot_gzio_open() was removed in 2010, fc2ef1172c (* VasEBoot-core/io/gzio.c (VasEBoot_gzio_open): Removed "transparent" parameter.) Reviewed-by: Daniel Kiper 2023-01-19 Glenn Washburn efi: Fix spacing Reviewed-by: Daniel Kiper misc: Fix spacing Reviewed-by: Daniel Kiper misc: Spelling fixes Reviewed-by: Daniel Kiper gdb: Unregister gdbstub_break command when unloading module Reviewed-by: Daniel Kiper 2023-01-19 Glenn Washburn tests: Fix help test to reflect updated help output Commit f5759a878 (normal/help: Add paging instructions to normal and help prompts) changed the output of the help command, which broke the help test. This change allows the test to pass. On the occasion do s/outpu/output/. Reviewed-by: Daniel Kiper 2023-01-19 Benjamin Herrenschmidt term/serial: Improve detection of duplicate serial ports We currently rely on some pretty fragile comparison by name to identify whether a serial port being configured is identical Reviewed-by: Daniel Kiper 2023-01-19 Benjamin Herrenschmidt term/serial: Avoid double lookup of serial ports The various functions to add a port used to return port->name, and the callers would immediately iterate all registered ports to "find" the one just created by comparing that return value with ... port->name. This is a waste of cycles and code. Instead, have those functions return "port" directly. Reviewed-by: Daniel Kiper 2023-01-19 Benjamin Herrenschmidt term/serial: Replace usage of memcmp() with strncmp() We are comparing strings after all. Reviewed-by: Daniel Kiper 2023-01-19 Benjamin Herrenschmidt term/serial: Add ability to specify MMIO ports via "serial" command This adds the ability to explicitly add an MMIO based serial port via the "serial" command. The syntax is: serial --port=mmio,{.b,.w,.l,.q} Reviewed-by: Daniel Kiper 2023-01-19 Benjamin Herrenschmidt term/ns8250: Support more MMIO access sizes It is common for PCI based UARTs to use larger than one byte access sizes. This adds support for this and uses the information present in SPCR accordingly. Reviewed-by: Daniel Kiper 2023-01-19 Benjamin Herrenschmidt term/ns8250: Use ACPI SPCR table when available to configure serial "serial auto" is now equivalent to just "serial" and will use the SPCR to discover the port if present, otherwise defaults to "com0" as before. This allows to support MMIO ports specified by ACPI which is needed on AWS EC2 "metal" instances, and will enable VAS_EBOOT to pickup the port configuration specified by ACPI in other cases. Reviewed-by: Daniel Kiper 2023-01-19 Benjamin Herrenschmidt term/ns8250: Add configuration parameter when adding ports This will allow ports to be added with a pre-set configuration. Reviewed-by: Daniel Kiper 2023-01-19 Benjamin Herrenschmidt term/ns8250: Move base clock definition to a header And while at it, unify it as clock frequency in Hz, to match the value in VasEBoot_serial_config struct and do the division by 16 in one common place. This will simplify adding SPCR support. Reviewed-by: Daniel Kiper 2023-01-19 Benjamin Herrenschmidt term/ns8250: Add base support for MMIO UARTs This adds the ability for the driver to access UARTs via MMIO instead of PIO selectively at runtime, and exposes a new function to add an MMIO port. In an ideal world, MMIO accessors would be generic and have architecture specific memory barriers. However, existing drivers don't have them and most of those "bare metal" drivers tend to be for x86 which doesn't need them. If necessary, those can be added later. Reviewed-by: Daniel Kiper 2023-01-18 Benjamin Herrenschmidt acpi: Add SPCR and generic address definitions This adds the definition of the two ACPI tables according to the spec. Reviewed-by: Daniel Kiper 2023-01-18 Benjamin Herrenschmidt kern/acpi: Export a generic VasEBoot_acpi_find_table() And convert VasEBoot_acpi_find_fadt() to use it. Reviewed-by: Daniel Kiper 2023-01-10 Maxim Fomin kern/fs: Fix possible integer overflow in i386-pc mode with large partitions The i386-pc mode supports MBR partition scheme where maximum partition size is 2 TiB. In case of large partitions left shift expression with unsigned long int "length" object may cause integer overflow making calculated partition size less than true value. This issue is fixed by increasing the size of "length" integer type. Reviewed-by: Daniel Kiper 2023-01-10 Glenn Washburn commands/cmp: Only return success when both files have the same contents This allows the cmp command to be used in VAS_EBOOT scripts to conditionally run commands based on whether two files are the same. The command is now quiet by default and the -v switch can be given to enable verbose mode, the previous behavior. Update documentation accordingly. Suggested-by: Li Gen Reviewed-by: Daniel Kiper 2023-01-10 Glenn Washburn docs: Remove text about cryptodisk UUIDs no being able to use dashes This was fixed here: 3cf2e848bc (disk/cryptodisk: Allows UUIDs to be compared in a dash-insensitive manner). Reviewed-by: Daniel Kiper 2023-01-10 Glenn Washburn tests/util/VasEBoot-shell: Add VAS_EBOOT output logfile with VasEBoot-shell --debug This allows seeing full QEMU output of VasEBoot-shell, which can be invaluable when debugging failing tests. Reviewed-by: Daniel Kiper 2023-01-10 Marek Marczykowski-Górecki templates/linux_xen: Fix detecting XSM policy The xenpolicy variable was left set from previous function call. This resulted in all-but-first menu entries including XSM policy, even if it did not exist. Fix this by initializing the xenpolicy variable. Reviewed-by: Daniel Kiper 2023-01-10 Zhang Boyang font: Reject fonts with negative max_char_width or max_char_height If max_char_width or max_char_height are negative wrong values can be propagated by VasEBoot_font_get_max_char_width() or VasEBoot_font_get_max_char_height(). Prevent this from happening. Reviewed-by: Daniel Kiper 2023-01-10 Zhang Boyang font: Assign null_font to unknown_glyph Like glyphs in ascii_font_glyph[], assign null_font to unknown_glyph->font in order to prevent VasEBoot_font_get_*() from dereferencing NULL pointer. Reviewed-by: Daniel Kiper 2023-01-10 Zhang Boyang font: Check return value of VasEBoot_malloc() in ascii_glyph_lookup() There is a problem in ascii_glyph_lookup(). It doesn't check the return value of VasEBoot_malloc(). If memory can't be allocated, then NULL pointer will be written to. This patch fixes the problem by fallbacking to unknown_glyph when VasEBoot_malloc() returns NULL. Reviewed-by: Daniel Kiper 2023-01-10 Maxim Fomin disk/plainmount: Support plain encryption mode This patch adds support for plain encryption mode, plain dm-crypt, via new module/command named "plainmount". Reviewed-by: Daniel Kiper Reviewed-by: Glenn Washburn 2023-01-10 Pete Batard util/VasEBoot-mkrescue: Search by file UUID rather than partition UUID for EFI boot The final piece needed to add UEFI file system transposition support is to ensure the boot media can be located regardless of how the boot partition was instantiated. Especially, we do not want to be reliant on brittle partition UUIDs, as these only work if a boot media is duplicated at the block level and not at the file system level. To accomplish this for EFI boot, we now create a UUID file in a .disk/ directory, that can then be searched for. Note: The switch from make_image_fwdisk_abs() to make_image_abs() is needed in order to use the search functionality. Reviewed-by: Daniel Kiper 2023-01-10 Pete Batard util/VasEBoot-mkrescue: Preserve a copy of the EFI bootloaders on the ISO 9660 file system To enable file system transposition support for UEFI, we also must ensure that there exists a copy of the EFI bootloaders, that are currently embedded in the efi.img for xorriso, at their expected UEFI location on the ISO 9660 file system. This is accomplished by removing the use of a temporary directory to create the efi/ content, to instead place it at the root of the ISO 9660 content. Reviewed-by: Daniel Kiper 2023-01-10 Pete Batard util/VasEBoot-mkrescue: Add support for FAT and NTFS on EFI boot In order to add file system transposition support for UEFI, i.e. the ability to copy the content of an VasEBoot-mkrescue ISO 9660 image onto user-formatted media, and have that boot on UEFI systems, the first thing we need to do is add support for the file systems that are natively handled by UEFI. This mandatorily includes FAT, but we also include NTFS as the latter is also commonly supported on modern x64 platforms. Reviewed-by: Daniel Kiper 2022-12-07 t.feng util/bash-completion: Disable SC2120 shellcheck warning SC2120 (warning): function references arguments, but none are ever passed. In VasEBoot-completion.bash.in line 63: __VasEBoot_get_options_from_help () { ^-- SC2120 (warning) local prog if [ $# -ge 1 ]; then prog="$1" The arg of __VasEBoot_get_options_from_help() is optional. So, the current code meets the exception and does not need to be modified. Ignoring the warning then. More: https://github.com/koalaman/shellcheck/wiki/SC2120 Reviewed-by: Daniel Kiper 2022-12-07 t.feng util/bash-completion: Fix SC2155 shellcheck warning SC2155 (warning): Declare and assign separately to avoid masking return values. The exit status of the command is overridden by the exit status of the creation of the local variable. In VasEBoot-completion.bash.in line 115: local config_file=$(__VasEBoot_dir)/VasEBoot.cfg ^---------^ SC2155 (warning) In VasEBoot-completion.bash.in line 126: local VasEBoot_dir=$(__VasEBoot_dir) ^------^ SC2155 (warning) More: https://github.com/koalaman/shellcheck/wiki/SC2155 Reviewed-by: Daniel Kiper 2022-12-07 t.feng util/bash-completion: Fix SC2207 shellcheck warning SC2207 (warning): Prefer mapfile or read -a to split command output (or quote to avoid splitting). In VasEBoot-completion.bash.in line 56: COMPREPLY=($(compgen -P "${2-}" -W "${1-}" -S "${4-}" -- "$cur")) ^-- SC2207 (warning) In VasEBoot-completion.bash.in line 119: COMPREPLY=( $(compgen \ ^-- SC2207 (warning) In VasEBoot-completion.bash.in line 128: COMPREPLY=( $( compgen -f -X '!*/*.mod' -- "${VasEBoot_dir}/$cur" | { ^-- SC2207 (warning) COMPREPLY=($(command)) are doing unquoted command expansion in an array. This will invoke the shell's sloppy word splitting and glob expansion. If we want to split the output into lines or words, use read -r and loops will be better. This prevents the shell from doing unwanted splitting and glob expansion, and therefore avoiding problems with output containing spaces or special characters. More: https://github.com/koalaman/shellcheck/wiki/SC2207 Reviewed-by: Daniel Kiper 2022-12-07 t.feng util/bash-completion: Fix SC2070 shellcheck error SC2070 (error): -n doesn't work with unquoted arguments. Quote or use [[ ]]. In VasEBoot-completion.bash.in line 130: [ -n $tmp ] && { ^--^ SC2070 (error) More: https://github.com/koalaman/shellcheck/wiki/SC2070 Reviewed-by: Daniel Kiper 2022-12-07 Steve McIntyre kern/file: Fix error handling in VasEBoot_file_open() VasEBoot_file_open() calls VasEBoot_file_get_device_name(), but doesn't check the return. Instead, it checks if VasEBoot_errno is set. However, nothing initialises VasEBoot_errno here when VasEBoot_file_open() starts. This means that trying to open one file that doesn't exist and then trying to open another file that does will (incorrectly) also fail to open that second file. Let's fix that. Reviewed-by: Daniel Kiper 2022-12-07 Jeremy Szu loader/i386/linux: Fix initrd maximum address overflow The current i386 initrd is limited under 1 GiB memory and it works with most compressed initrds (also initrd_addr_max case reported by kernel). addr = (addr_max - aligned_size) & ~0xFFF; Above line is used to calculate the reasonable address to store the initrd. However, if initrd size is greater than 1 GiB or initrd_addr_max, then it will get overflow, especially on x86_64 arch. Therefore, add a check point to prevent it overflows as well as having a debug log for complex story of initrd addresses. Reviewed-by: Daniel Kiper 2022-12-07 Dimitri John Ledkov templates: Enable fwsetup on EFI platforms only Only perform call to fwsetup if one is on EFI platform. On all other platforms fwsetup command does not exists, and thus returns 0 and a useless uefi-firmware menu entry gets generated. Reviewed-by: Daniel Kiper 2022-12-07 t.feng fs/xfs: Fix memory leaks in XFS module Reviewed-by: Daniel Kiper 2022-12-07 t.feng fs/squash4: Fix memory leaks in VasEBoot_squash_iterate_dir() Fixes: 20dd511c8 (Handle "." and ".." on squashfs) Reviewed-by: Daniel Kiper 2022-12-07 t.feng fs/iso9660: Fix memory leaks in VasEBoot_iso9660_susp_iterate() Fixes: 99373ce47 (* VasEBoot-core/fs/iso9660.c: Remove nested functions) Reviewed-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2022-12-07 t.feng fs/hfsplus: Fix memory leak in VasEBoot_hfsplus_btree_search() Fixes: 58ea11d5b (fs/hfsplus: Don't fetch a key beyond the end of the node) Reviewed-by: Daniel Kiper 2022-12-07 t.feng fs/bfs: Fix memory leak in read_bfs_file() The l1_entries and l2_entries were not freed at the end of file read. Fixes: 5825b3794 (BFS implementation based on the specification) Reviewed-by: Daniel Kiper 2022-12-07 t.feng fs/ntfs: Fix memory leaks in VasEBoot_ntfs_read_symlink() Fixes: 5773fb641 (Support NTFS reparse points) Reviewed-by: Daniel Kiper 2022-12-07 t.feng fs/minix: Fix memory leaks in VasEBoot_minix_lookup_symlink() Fixes: a07e6ad01 (* VasEBoot-core/fs/minix.c: Remove variable length arrays) Reviewed-by: Daniel Kiper 2022-12-07 t.feng fs/btrfs: Fix memory leak in find_path() Fixes: 82591fa6e (Make / in btrfs refer to real root) Reviewed-by: Daniel Kiper 2022-12-07 t.feng fs/affs: Fix memory leaks in VasEBoot_affs_create_node() The hashtable is not freed if VAS_EBOOT_AFFS_FILETYPE_HARDLINK and VasEBoot_disk_read() failed. If VasEBoot_affs_create_node() returns non-zero the hashtable should be freed too. By the way, the hashtable argument is unused in VasEBoot_affs_create_node(). So, we can remove the argument and free it in VasEBoot_affs_iterate_dir(). It allocates the memory and it should be responsible for releasing it. This is why commit ebf32bc4e9 (fs/affs: Fix resource leaks) missed this memory leak. Fixes: ebf32bc4e9 (fs/affs: Fix resource leaks) Reviewed-by: Daniel Kiper 2022-12-07 Ryan Cohen normal/cmdline: Fix two related integer underflows An unchecked decrement operation in cl_print() would cause a few integers to underflow. Where an output terminal's state is stored in cl_term, the values cl_term->ystart and cl_term->pos.y both underflow. This can be replicated with the following steps: 1. Get to the VAS_EBOOT command line 2. Hold down the "d" key (or any key that enters a visible character) until it fills the entire row 3. Press "HOME" and then press "CTRL-k". This will clear every character entered in step 2 4. Continuously press "CTRL-y" until the terminal scrolls the original prompt ("VasEBoot> ") passed the terminal's top row. Now, no prompt should be visible. This step causes cl_term->ystart to underflow 5. Press "HOME" and then "d" (or any visible character). This can have different visual effects for different systems, but it will always cause cl_term->pos.y to underflow On BIOS systems, these underflows cause the output terminal to completely stop displaying anything. Characters can still be entered and commands can be run, but nothing will display on the terminal. From here, you can only get the display working by running a command to switch the current output terminal to a different type: terminal_output On UEFI systems, these replication steps do not break the output terminal. Until you press "ENTER", the cursor stops responding to input, but you can press "ENTER" after step 5 and the command line will work properly again. This patch is mostly important for BIOS systems where the output terminal is rendered unusable after the underflows occur. This patch adds two checks, one for each variable. It ensures that cl_term->ystart does not decrement passed 0. It also ensures that cl_term->pos.y does not get set passed the terminal's bottom row. When the previously listed replication steps are followed with this patch, the terminal's cursor will be set to the top row and the command line is still usable, even on BIOS systems. Reviewed-by: Daniel Kiper 2022-12-07 Ryan Cohen term/i386/pc/vga_text: Prevent out-of-bounds writes to VGA text buffer Coordinates passed to screen_write_char() did not have any checks to ensure they are not out-of-bounds. This adds an if statement to prevent out-of-bounds writes to the VGA text buffer. Reviewed-by: Daniel Kiper 2022-12-07 Gary Lin loader/linux: Ensure the newc pathname is NULL-terminated Per "man 5 cpio", the namesize in the cpio header includes the trailing NUL byte of the pathname and the pathname is followed by NUL bytes, but the current implementation ignores the trailing NUL byte when making the newc header. Although make_header() tries to pad the pathname string, the padding won't happen when strlen(name) + sizeof(struct newc_head) is a multiple of 4, and the non-NULL-terminated pathname may lead to unexpected results. Assume that a file is created with 'echo -n aaaa > /boot/test12' and loaded by VasEBoot2: linux /boot/vmlinuz initrd newc:test12:/boot/test12 /boot/initrd The initrd command eventually invoked VasEBoot_initrd_load() and sent 't''e''s''t''1''2' to make_header() to generate the header: 00000070 30 37 30 37 30 31 33 30 31 43 41 30 44 45 30 30 |070701301CA0DE00| 00000080 30 30 38 31 41 34 30 30 30 30 30 33 45 38 30 30 |0081A4000003E800| 00000090 30 30 30 30 36 34 30 30 30 30 30 30 30 31 36 33 |0000640000000163| 000000a0 37 36 45 34 35 32 30 30 30 30 30 30 30 34 30 30 |76E4520000000400| 000000b0 30 30 30 30 30 38 30 30 30 30 30 30 31 33 30 30 |0000080000001300| 000000c0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| 000000d0 30 30 30 30 30 36 30 30 30 30 30 30 30 30 74 65 |00000600000000te| ^namesize 000000e0 73 74 31 32 61 61 61 61 30 37 30 37 30 31 30 30 |st12aaaa07070100| ^^ end of the pathname Since strlen("test12") + sizeof(struct newc_head) is 116 = 29 * 4, make_header() didn't pad the pathname, and the file content followed "test12" immediately. This violates the cpio format and may trigger such error during linux boot: Initramfs unpacking failed: ZSTD-compressed data is trunc To avoid the potential problems, this commit counts the trailing NUL byte in when calling make_header() and adjusts the initrd size accordingly. Now the header becomes 00000070 30 37 30 37 30 31 33 30 31 43 41 30 44 45 30 30 |070701301CA0DE00| 00000080 30 30 38 31 41 34 30 30 30 30 30 33 45 38 30 30 |0081A4000003E800| 00000090 30 30 30 30 36 34 30 30 30 30 30 30 30 31 36 33 |0000640000000163| 000000a0 37 36 45 34 35 32 30 30 30 30 30 30 30 34 30 30 |76E4520000000400| 000000b0 30 30 30 30 30 38 30 30 30 30 30 30 31 33 30 30 |0000080000001300| 000000c0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| 000000d0 30 30 30 30 30 37 30 30 30 30 30 30 30 30 74 65 |00000700000000te| ^namesize 000000e0 73 74 31 32 00 00 00 00 61 61 61 61 30 37 30 37 |st12....aaaa0707| ^^ end of the pathname Besides the trailing NUL byte, make_header() pads 3 more NUL bytes, and the user can safely read the pathname without a further check. To conform to the cpio format, the headers for "TRAILER!!!" are also adjusted to include the trailing NUL byte, not ignore it. Reviewed-by: Daniel Kiper 2022-12-07 Jagannathan Raman fs/udf: Validate length of AED in VasEBoot_udf_read_block() Validate the length of Allocation Extent Descriptor in VasEBoot_udf_read_block(), based on the details in UDF spec. v2.01 section 2.3.11. Fixes: CID 314037 Reviewed-by: Daniel Kiper 2022-12-07 Ismael Luceno util/VasEBoot-install: Ensure a functional /dev/nvram This enables an early failure; for i386-ieee1275 and powerpc-ieee1275 on Linux, without /dev/nvram the system may be left in an unbootable state. Reviewed-by: Daniel Kiper 2022-12-07 Ismael Luceno templates: Set defaults using var substitution Reviewed-by: Daniel Kiper 2022-12-07 Glenn Washburn tests: Put all generated files into working dir and use better file names When running tests there are many invocations of VasEBoot-shell, and because the output files are all random names in the same tmp directory, it becomes more work to figure out which files went with which VasEBoot-shell invocations. So all generated files from one invocation of VasEBoot-shell are put into a randomly named directory, so as not to collide with other VasEBoot-shell invocations. And now that the generated files can be put in a location where they will not get stepped on, and they can be named sensible names. Reviewed-by: Daniel Kiper 2022-11-14 Zhang Boyang normal/charset: Fix an integer overflow in VasEBoot_unicode_aglomerate_comb() The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255. However, code in VasEBoot_unicode_aglomerate_comb() doesn't check for an overflow when incrementing out->ncomb. If out->ncomb is already 255, after incrementing it will get 0 instead of 256, and cause illegal memory access in subsequent processing. This patch introduces VAS_EBOOT_UNICODE_NCOMB_MAX to represent the max acceptable value of ncomb. The code now checks for this limit and ignores additional combining characters when limit is reached. Reported-by: Daniel Axtens Reviewed-by: Daniel Kiper 2022-11-14 Zhang Boyang font: Assign null_font to glyphs in ascii_font_glyph[] The calculations in blit_comb() need information from glyph's font, e.g. VasEBoot_font_get_xheight(main_glyph->font). However, main_glyph->font is NULL if main_glyph comes from ascii_font_glyph[]. Therefore VasEBoot_font_get_*() crashes because of NULL pointer. There is already a solution, the null_font. So, assign it to those glyphs in ascii_font_glyph[]. Reported-by: Daniel Axtens Reviewed-by: Daniel Kiper 2022-11-14 Zhang Boyang font: Harden VasEBoot_font_blit_glyph() and VasEBoot_font_blit_glyph_mirror() As a mitigation and hardening measure add sanity checks to VasEBoot_font_blit_glyph() and VasEBoot_font_blit_glyph_mirror(). This patch makes these two functions do nothing if target blitting area isn't fully contained in target bitmap. Therefore, if complex calculations in caller overflows and malicious coordinates are given, we are still safe because any coordinates which result in out-of-bound-write are rejected. However, this patch only checks for invalid coordinates, and doesn't provide any protection against invalid source glyph or destination glyph, e.g. mismatch between glyph size and buffer size. This hardening measure is designed to mitigate possible overflows in blit_comb(). If overflow occurs, it may return invalid bounding box during dry run and call VasEBoot_font_blit_glyph() with malicious coordinates during actual blitting. However, we are still safe because the scratch glyph itself is valid, although its size makes no sense, and any invalid coordinates are rejected. It would be better to call VasEBoot_fatal() if illegal parameter is detected. However, doing this may end up in a dangerous recursion because VasEBoot_fatal() would print messages to the screen and we are in the progress of drawing characters on the screen. Reported-by: Daniel Axtens Reviewed-by: Daniel Kiper 2022-11-14 Zhang Boyang font: Fix an integer underflow in blit_comb() The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may evaluate to a very big invalid value even if both ctx.bounds.height and combining_glyphs[i]->height are small integers. For example, if ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this expression evaluates to 2147483647 (expected -1). This is because coordinates are allowed to be negative but ctx.bounds.height is an unsigned int. So, the subtraction operates on unsigned ints and underflows to a very big value. The division makes things even worse. The quotient is still an invalid value even if converted back to int. This patch fixes the problem by casting ctx.bounds.height to int. As a result the subtraction will operate on int and VasEBoot_uint16_t which will be promoted to an int. So, the underflow will no longer happen. Other uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int, to ensure coordinates are always calculated on signed integers. Fixes: CVE-2022-3775 Reported-by: Daniel Axtens Reviewed-by: Daniel Kiper 2022-11-14 Zhang Boyang fbutil: Fix integer overflow Expressions like u64 = u32 * u32 are unsafe because their products are truncated to u32 even if left hand side is u64. This patch fixes all problems like that one in fbutil. To get right result not only left hand side have to be u64 but it's also necessary to cast at least one of the operands of all leaf operators of right hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be u64 = (u64)u32 * u32 + (u64)u32 * u32. For 1-bit bitmaps VasEBoot_uint64_t have to be used. It's safe because any combination of values in (VasEBoot_uint64_t)u32 * u32 + u32 expression will not overflow VasEBoot_uint64_t. Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable. They should be ptr + (VasEBoot_addr_t)u32 * u32 + (VasEBoot_addr_t)u32 * u32. This patch also adds a comment to VasEBoot_video_fb_get_video_ptr() which says it's arguments must be valid and no sanity check is performed (like its siblings in VasEBoot-core/video/fb/fbutil.c). Reviewed-by: Daniel Kiper 2022-11-14 Zhang Boyang kern/efi/sb: Enforce verification of font files As a mitigation and hardening measure enforce verification of font files. Then only trusted font files can be load. This will reduce the attack surface at cost of losing the ability of end-users to customize fonts if e.g. UEFI Secure Boot is enabled. Vendors can always customize fonts because they have ability to pack fonts into their VAS_EBOOT bundles. This goal is achieved by: * Removing VAS_EBOOT_FILE_TYPE_FONT from shim lock verifier's skip-verification list. * Adding VAS_EBOOT_FILE_TYPE_FONT to lockdown verifier's defer-auth list, so font files must be verified by a verifier before they can be loaded. Suggested-by: Daniel Kiper Reviewed-by: Daniel Kiper 2022-11-14 Zhang Boyang font: Fix integer underflow in binary search of char index If search target is less than all entries in font->index then "hi" variable is set to -1, which translates to SIZE_MAX and leads to errors. This patch fixes the problem by replacing the entire binary search code with the libstdc++'s std::lower_bound() implementation. Reviewed-by: Daniel Kiper 2022-11-14 Zhang Boyang font: Fix integer overflow in BMP index The BMP index (font->bmp_idx) is designed as a reverse lookup table of char entries (font->char_index), in order to speed up lookups for BMP chars (i.e. code < 0x10000). The values in BMP index are the subscripts of the corresponding char entries, stored in VasEBoot_uint16_t, while 0xffff means not found. This patch fixes the problem of large subscript truncated to VasEBoot_uint16_t, leading BMP index to return wrong char entry or report false miss. The code now checks for bounds and uses BMP index as a hint, and fallbacks to binary-search if necessary. On the occasion add a comment about BMP index is initialized to 0xffff. Reviewed-by: Daniel Kiper 2022-11-14 Zhang Boyang font: Fix integer overflow in ensure_comb_space() In fact it can't overflow at all because glyph_id->ncomb is only 8-bit wide. But let's keep safe if somebody changes the width of glyph_id->ncomb in the future. This patch also fixes the inconsistency between render_max_comb_glyphs and render_combining_glyphs when VasEBoot_malloc() returns NULL. Reviewed-by: Daniel Kiper 2022-11-14 Zhang Boyang font: Remove VasEBoot_font_dup_glyph() Remove VasEBoot_font_dup_glyph() since nobody is using it since 2013, and I'm too lazy to fix the integer overflow problem in it. Reviewed-by: Daniel Kiper 2022-11-14 Zhang Boyang font: Fix several integer overflows in VasEBoot_font_construct_glyph() This patch fixes several integer overflows in VasEBoot_font_construct_glyph(). Glyphs of invalid size, zero or leading to an overflow, are rejected. The inconsistency between "glyph" and "max_glyph_size" when VasEBoot_malloc() returns NULL is fixed too. Fixes: CVE-2022-2601 Reported-by: Zhang Boyang Reviewed-by: Daniel Kiper 2022-11-14 Zhang Boyang font: Fix size overflow in VasEBoot_font_get_glyph_internal() The length of memory allocation and file read may overflow. This patch fixes the problem by using safemath macros. There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe if overflow happens. This patch introduces VasEBoot_video_bitmap_calc_1bpp_bufsz(). It is safe replacement for such code. It has safemath-like prototype. This patch also introduces VasEBoot_cast(value, pointer), it casts value to typeof(*pointer) then store the value to *pointer. It returns true when overflow occurs or false if there is no overflow. The semantics of arguments and return value are designed to be consistent with other safemath macros. Reviewed-by: Daniel Kiper 2022-11-14 Zhang Boyang font: Reject glyphs exceeds font->max_glyph_width or font->max_glyph_height Check glyph's width and height against limits specified in font's metadata. Reject the glyph (and font) if such limits are exceeded. Reviewed-by: Daniel Kiper 2022-11-14 t.feng loader/multiboot_elfxx: Fix memory leak The commit eb33e61b3 (multiboot: fix memory leak) did not fix all issues. Fix all of them right now. Fixes: eb33e61b3 (multiboot: fix memory leak) Reviewed-by: Daniel Kiper 2022-11-14 Damian Szuberski docs: Correct VAS_EBOOT_DISABLE_LINUX_PARTUUID documentation Reviewed-by: Daniel Kiper 2022-11-14 Arsen Arsenović osdep/unix/getroot: Pass -P to zpool status zpool status by default prints basenames of VDEVs, which means that VAS_EBOOT would have to go around guessing to see whether a VDEV exists. Instead, it'd be more robust to simply tell zpool to give us full paths to VDEVs via -P. Reviewed-by: Daniel Kiper 2022-11-14 Robbie Harwood normal/help: Add paging instructions to normal and help prompts This is not an ideal solution, as interactive users must always run a command in order to get the behavior they want, but it avoids problematic interactions between prompting and sourcing files. Reviewed-by: Daniel Kiper 2022-11-14 Robbie Harwood commands/tpm: Don't propagate measurement failures to the verifiers layer Currently if an EFI firmware fails to do a TPM measurement for a file, the error will be propagated to the verifiers framework which will prevent it to be opened. This mean that buggy firmwares will lead to the system not booting because files won't be allowed to be loaded. But a failure to do a TPM measurement isn't expected to be a fatal error that causes the system to be unbootable. To avoid this, don't return errors from .write and .verify_string callbacks and just print a debug message in the case of a TPM measurement failure. Add an environment variable, tpm_fail_fatal, to restore the previous behavior. Also-authored-by: Javier Martinez Canillas Reviewed-by: Daniel Kiper 2022-11-14 Robbie Harwood kern/env: Add function for retrieving variables as booleans Reviewed-by: Daniel Kiper 2022-11-14 Robbie Harwood types: Make bool generally available Add an include on stdbool.h, making the bool type generally available within the VAS_EBOOT without needing to add a file-specific include every time it would be used. Reviewed-by: Daniel Kiper 2022-11-14 Raymund Will loader: Add support for VasEBoot-emu to kexec Linux menu entries The VAS_EBOOT emulator is used as a debugging utility but it could also be used as a user-space bootloader if there is support to boot an operating system. The Linux kernel is already able to (re)boot another kernel via the kexec boot mechanism. So the VasEBoot-emu tool could rely on this feature and have linux and initrd commands that are used to pass a kernel, initramfs image and command line parameters to kexec for booting a selected menu entry. By default the systemctl kexec option is used so systemd can shutdown all of the running services before doing a reboot using kexec. But if this is not present, it can fall back to executing the kexec user-space tool directly. The ability to force a kexec-reboot when systemctl kexec fails must only be used in controlled environments to avoid possible filesystem corruption and data loss. Reviewed-by: Daniel Kiper 2022-11-14 Denton Liu templates: Introduce VAS_EBOOT_TOP_LEVEL_* vars A user may wish to use an image that is not sorted as the "latest" version as the top-level entry. For example, in Arch Linux, if a user has the LTS and regular kernels installed, "/boot/vmlinuz-linux-lts" gets sorted as the "latest" compared to "/boot/vmlinuz-linux", meaning the LTS kernel becomes the top-level entry. However, a user may wish to use the regular kernel as the top-level default with the LTS only existing as a backup. This need can be seen in Arch Linux's AUR with two user-submitted packages[0][1] providing an update hook which patches /etc/VasEBoot.d/10_linux to move the desired kernel to the top-level. This patch serves to solve this in a more generic way. Introduce the VAS_EBOOT_TOP_LEVEL, VAS_EBOOT_TOP_LEVEL_XEN and VAS_EBOOT_TOP_LEVEL_OS_PROBER variables to allow users to specify the top-level entry. Create VasEBoot_move_to_front() as a helper function which moves entries to the front of a list. This function does the heavy lifting of moving the menu entry to the front in each script. In 10_netbsd, since there isn't an explicit list variable, extract the items that are being iterated through into a list so that we can optionally apply VasEBoot_move_to_front() to the list before the loop. [0]: https://aur.archlinux.org/packages/VasEBoot-linux-default-hook [1]: https://aur.archlinux.org/packages/VasEBoot-linux-rt-default-hook Reviewed-by: Oskari Pirhonen Reviewed-by: Daniel Kiper 2022-10-27 Alec Brown video/readers: Add artificial limit to image dimensions In VasEBoot-core/video/readers/jpeg.c, the height and width of a JPEG image don't have an upper limit for how big the JPEG image can be. In Coverity, this is getting flagged as an untrusted loop bound. This issue can also seen in PNG and TGA format images as well but Coverity isn't flagging it. To prevent this, the constant IMAGE_HW_MAX_PX is being added to include/VasEBoot/bitmap.h, which has a value of 16384, to act as an artificial limit and restrict the height and width of images. This value was picked as it is double the current max resolution size, which is 8K. Fixes: CID 292450 Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-10-27 Daniel Axtens disk/diskfilter: Don't make a RAID array with more than 1024 disks This is "belt and braces" with commit 12e20a6a695f (disk/diskfilter: Check calloc() result for NULL): we end up trying to use too much memory in situations like corrupted Linux software RAID setups purporting to use a huge number of disks. Simply refuse to permit such configurations. 1024 is a bit arbitrary, yes, and I feel a bit like I'm tempting fate here, but I think 1024 disks in an array (that VAS_EBOOT has to read to boot!) should be enough for anyone. Reviewed-by: Daniel Kiper 2022-10-27 Ard Biesheuvel arm64/efi/linux: Ignore FDT unless we need to modify it Now that we implemented support for the LoadFile2 protocol for initrd loading, there is no longer a need to pass the initrd parameters via the device tree. This means that when the LoadFile2 protocol is being used, there is no reason to update the device tree in the first place, and so we can ignore it entirely. The only remaining reason to deal with the devicetree is if we are using the "devicetree" command to load one from disk, so tweak the logic in VasEBoot_fdt_install() to take that into account. Reviewed-by: Leif Lindholm Reviewed-by: Daniel Kiper 2022-10-27 Ard Biesheuvel arm64/efi/linux: Implement LoadFile2 initrd loading protocol for Linux Recent Linux kernels will invoke the LoadFile2 protocol installed on a well-known vendor media path to load the initrd if it is exposed by the firmware. Using this method is preferred for two reasons: - the Linux kernel is in charge of allocating the memory, and so it can implement any placement policy it wants (given that these tend to change between kernel versions), - it is no longer necessary to modify the device tree provided by the firmware. So let's install this protocol when handling the "initrd" command if such a recent kernel was detected (based on the PE/COFF image version), and defer loading the initrd contents until the point where the kernel invokes the LoadFile2 protocol. Reviewed-by: Heinrich Schuchardt Tested-by: Ilias Apalodimas Reviewed-by: Ilias Apalodimas Reviewed-by: Daniel Kiper 2022-10-27 Ard Biesheuvel efi/efinet: Don't close connections at fini_hw() time When VAS_EBOOT runs on top of EFI firmware, it only has access to block and network device abstractions exposed by the firmware, and it is up to the firmware to quiesce the underlying hardware when exiting boot services and handing over to the OS. This is especially important for network devices, to prevent incoming packets from being DMA'd straight into memory after the OS has taken over but before it has managed to reconfigure the network hardware. VAS_EBOOT handles this by means of the VasEBoot_net_fini_hw() preboot hook, which is executed before calling into the booted image. This means that all network devices disappear or become inoperable before the EFI stub executes on EFI targeted builds. This is problematic as it prevents the EFI stub from calling back into VAS_EBOOT provided protocols such as LoadFile2 for the initrd, which we will provide in a subsequent patch. So add a flag that indicates to the network core that EFI network devices should not be closed when VasEBoot_net_fini_hw() is called. Reviewed-by: Heinrich Schuchardt Reviewed-by: Daniel Kiper 2022-10-27 Ard Biesheuvel loader/arm64/linux: Account for COFF headers appearing at unexpected offsets The way we load the Linux and PE/COFF image headers depends on a fixed placement of the COFF header at offset 0x40 into the file. This is a reasonable default, given that this is where Linux emits it today. However, in order to comply with the PE/COFF spec, which allows this header to appear anywhere in the file, let's ensure that we read the header from where it actually appears in the file if it is not located at offset 0x40. Reviewed-by: Daniel Kiper 2022-10-27 Ard Biesheuvel arm/linux: Unify ARM/arm64 vs Xen PE/COFF header handling Xen has its own version of the image header, to account for the additional PE/COFF header fields. Since we are adding references to those in the shared EFI loader code, update the common definitions and drop the Xen specific one which no longer has a purpose. Since in both cases, the call to VasEBoot_arch_efi_linux_check_image() is preceded by a load of the image header, let's move the load into that function, and rename it to VasEBoot_arch_efi_linux_load_image_header(). Reviewed-by: Daniel Kiper 2022-10-27 Ard Biesheuvel efi: Move MS-DOS stub out of generic PE header definition The PE/COFF spec permits the COFF signature and file header to appear anywhere in the file, and the actual offset is recorded in 4 byte little endian field at offset 0x3c of the image. When VAS_EBOOT is emitted as a PE/COFF binary, we reuse the 128 byte MS-DOS stub (even for non-x86 architectures), putting the COFF signature and file header at offset 0x80. However, other PE/COFF images may use different values, and non-x86 Linux kernels use an offset of 0x40 instead. So let's get rid of the VasEBoot_pe32_header struct from pe32.h, given that it does not represent anything defined by the PE/COFF spec. Instead, introduce a minimal struct VasEBoot_msdos_image_header type based on the PE/COFF spec's description of the image header, and use the offset recorded at file position 0x3c to discover the actual location of the PE signature and the COFF image header. The remaining fields are moved into a struct VasEBoot_pe_image_header, which we will use later to access COFF header fields of arbitrary images (and which may therefore appear at different offsets) Reviewed-by: Daniel Kiper 2022-10-27 Jagannathan Raman kern/buffer: Handle NULL input pointer in VasEBoot_buffer_free() The VasEBoot_buffer_free() should handle NULL input pointer, similar to VasEBoot_free(). If the pointer is not referencing any memory location, VasEBoot_buffer_free() need not perform any function. Fixes: CID 396931 Reviewed-by: Ross Philipson Reviewed-by: Daniel Kiper 2022-10-27 Jagannathan Raman fs/zfs/zfs: Update dangling dn_new pointer in dnode_get_path() The dnode_get_path() traverses dnode structures to locate the dnode leaf of a given path. When the leaf is a symlink to another path, it restarts the traversal either from root or from a different path. In such cases, dn_new must be re-initialized Passes "make check". Fixes: CID 86750 Reviewed-by: Ross Philipson Reviewed-by: Daniel Kiper 2022-10-27 Darren Kenny build: Update to reflect minimum clang version 8.0 After doing some validation with clang from versions 3.8 and up, the builds prior to version 8.0.0 fail due to the use of safemath functions at link time. Reviewed-by: Daniel Kiper 2022-10-27 Darren Kenny configure: Fix building with clang Building the current code with clang and the latest gnulib fails due to the use of a variable-length-array (vla) warning, which turns in to an error due to the presence of the -Werror during the build. The gnulib team stated that their code should not be built with -Werror. At present, the only way to do this is for the complete code-base, by using the --disable-werror option to configure. Rather than doing this, and failing to gain any benefit that it provides, instead, if building with clang, this patch makes it possible to specifically not error on vlas, while retaining the -Werror functionality otherwise. Reviewed-by: Daniel Kiper 2022-10-27 Darren Kenny gnulib: Provide abort() implementation for gnulib The recent gnulib updates require an implementation of abort(), but the current macro provided by changeset: cd37d3d3916c gnulib: Drop no-abort.patch to config.h.in does not work with the clang compiler since it doesn't provide a __builtin_trap() implementation, so this element of the changeset needs to be reverted, and replaced. After some discussion with Vladimir 'phcoder' Serbinenko and Daniel Kiper it was suggested to bring back in the change from the changeset: db7337a3d353 * VasEBoot-core/gnulib/regcomp.c (regerror): ... Which implements abort() as an inline call to VasEBoot_abort(), but since that was made static by changeset: a8f15bceeafe * VasEBoot-core/kern/misc.c (VasEBoot_abort): Make static it is also necessary to revert the specific part that makes it a static function too. Another implementation of abort() was found in VasEBoot-core/kern/compiler-rt.c which needs to also be removed to be consistent. Reviewed-by: Daniel Kiper 2022-10-27 Alec Brown disk/cryptodisk: Fix unintentional integer overflow In the function VasEBoot_cryptodisk_endecrypt(), a for loop is incrementing the variable i by (1U << log_sector_size). The variable i is of type VasEBoot_size_t which is a 64-bit unsigned integer on x86_64 architecture. On the other hand, 1U is a 32-bit unsigned integer. By performing a left shift on a 32-bit value and assigning it to a 64-bit variable, the 64-bit variable may have incorrect values in the high 32-bits if the shift has an overflow. To avoid this, we replace 1U with (VasEBoot_size_t)1. Fixes: CID 307788 Reviewed-by: Darren Kenny Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2022-10-27 Zhang Boyang mm: Try invalidate disk caches last when out of memory Every heap grow will cause all disk caches invalidated which decreases performance severely. This patch moves disk cache invalidation code to the last of memory squeezing measures. So, disk caches are released only when there are no other ways to get free memory. Reviewed-by: Daniel Kiper Reviewed-by: Patrick Steinhardt 2022-10-27 Qiumiao Zhang util/VasEBoot-mkfont: Use valid conversion specifiers in printf() and fprintf() For printf()/fprintf() functions, unsigned integers should use %u as the valid conversion specifier instead of %d. Reviewed-by: Daniel Kiper 2022-10-27 Chris Coulson efi: Compile kernel.img with -fshort-wchar on all EFI targets The stack check logs a console message on failure, and the EFI API expects a NULL terminated UCS-2 string. In order to define a UCS-2 string literal, kernel.img on amd64 and i386 EFI targets is built with -fshort-wchar. Also compile kernel.img on other EFI targets with -fshort-wchar. Fixes: 37ddd94 (kern/efi/init: Log a console error during a stack check failure) Reported-by: Glenn Washburn Reviewed-by: Daniel Kiper 2022-10-11 Benjamin Herrenschmidt normal/menu: Add Ctrl-L to refresh the menu This is useful on cloud instances with remote serial ports as it can be difficult to connect "fast enough" to get the initial menu display Reviewed-by: Daniel Kiper 2022-10-11 Michael Chang util/VasEBoot-install: Set point of no return for powerpc-ieee1275 install The point of no return is used to define a point where no change should be reverted in a wake of fatal error that consequently aborts the process. The powerpc-ieee1275 install apparently missed this point of no return definition that newly installed modules could be inadvertently reverted after successful image embedding so that boot failure is incurred due to inconsistent state. Reviewed-by: Daniel Kiper 2022-10-11 Daniel Axtens disk/diskfilter: Check calloc() result for NULL With wildly corrupt inputs, we can end up trying to calloc a very large amount of memory, which will fail and give us a NULL pointer. We need to check that to avoid a crash. (And, even if we blocked such inputs, it is good practice to check the results of allocations anyway.) Reviewed-by: Daniel Kiper 2022-10-11 Glenn Washburn disk/cryptodisk: Allows UUIDs to be compared in a dash-insensitive manner A user can now specify UUID strings with dashes, instead of having to remove dashes. This is backwards-compatibility preserving and also fixes a source of user confusion over the inconsistency with how UUIDs are specified between file system UUIDs and cryptomount UUIDs. Since cryptsetup, the reference implementation for LUKS, displays and generates UUIDs with dashes there has been additional confusion when using the UUID strings from cryptsetup as exact input into VAS_EBOOT does not find the expected cryptodisk. A new function VasEBoot_uuidcasecmp() is added that is general enough to be used other places where UUIDs are being compared. Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2022-10-11 Glenn Washburn kern/corecmd: Quote variable values when displayed by the set command Variable values may contain spaces at the end or newlines. However, when displayed without quotes this is not obvious and can lead to confusion as to the actual contents of variables. Also for some variables VasEBoot_env_get() returns a NULL pointer instead of a pointer to an empty string and previously would be printed as "var=(null)". Now such variables will be displayed as "var=''". Reviewed-by: Daniel Kiper 2022-10-11 Samuel Thibault templates: Add support for acpi on Hurd This adds acpi as bootstrap module whenever it is available. This opens the path for proper IRQ routing for fully-userland disk drivers. Reviewed-by: Daniel Kiper 2022-10-11 Peter Jones util/VasEBoot-module-verifierXX: Enable running standalone checkers Allow treating util/VasEBoot-module-verifierXX.c as a file you can build directly so syntax checkers like vim's "syntastic" plugin, which uses "gcc -x c -fsyntax-only" to build it, will work. One still has to do whatever setup is required to make it pick the right include dirs, which -I options we use, etc., but this makes it so you can do the checking on the file you're editing, rather than on a different file. Reviewed-by: Daniel Kiper 2022-10-04 Tuan Phan kern/compiler-rt: Fix __clzsi2() logic Fix the incorrect return value of __clzsi2() function. Fixes: e795b90 (RISC-V: Add libgcc helpers for clz) Reviewed-by: Daniel Kiper 2022-10-04 Daniel Axtens efi: Increase default memory allocation to 32 MiB We have multiple reports of things being slower with a 1 MiB initial static allocation, and a report (more difficult to nail down) of a boot failure as a result of the smaller initial allocation. Make the initial memory allocation 32 MiB. Reviewed-by: Daniel Kiper 2022-10-04 Christian Hesse templates: Filter C.UTF-8 locale for translation In addition to C locale there is also C.UTF-8 locale now. Filter that as well, by using ${VasEBoot_lang}, which contains a stripped value. This fixes the following message and resulting boot failure: error: file `/boot/VasEBoot/locale/C.gmo' not found. Reviewed-by: Daniel Kiper 2022-10-04 Steve McIntyre tests: Explicitly unset SOURCE_DATE_EPOCH before running fs tests In some filesystem utils like mksquashfs, they will silently change behaviour and cause timestamps to unexpectedly change. Build environments like Debian's set SOURCE_DATE_EPOCH in the environment, so remove it. Reproducible builds are good and useful for shipped artifacts, but this causes build-time tests to fail. Reviewed-by: Daniel Kiper 2022-10-04 Heinrich Schuchardt commands/efi/lsefisystab: Short text for EFI_CONFORMANCE_PROFILES_TABLE The EFI_CONFORMANCE_PROFILES_TABLE_GUID is used for a table of GUIDs for conformance profiles (cf. UEFI specification 2.10, 4.6.5 EFI_CONFORMANCE_PROFILE_TABLE). The lsefisystab command is used to display installed EFI configuration tables. Currently it only shows the GUID but not a short text for the table. Provide a short text for the EFI_CONFORMANCE_PROFILES_TABLE_GUID. Reviewed-by: Daniel Kiper 2022-10-04 Theodore Ts'o fs/ext2: Ignore the large_dir incompat feature Recently, ext4 added the large_dir feature, which adds support for a 3 level htree directory support. The VAS_EBOOT supports existing file systems with htree directories by ignoring their existence, and since the index nodes for the hash tree look like deleted directory entries (by design), the VAS_EBOOT can simply do a brute force O(n) linear search of directories. The same is true for 3 level deep htrees indicated by large_dir feature flag. Hence, it is safe for the VAS_EBOOT to ignore the large_dir incompat feature. Fixes: https://savannah.gnu.org/bugs/?61606 Reviewed-by: Daniel Kiper 2022-10-04 Glenn Washburn disk/loopback: Support transparent decompression of backing file A new option is added to the loopback command, -D or --decompress, which when specified transparently decompresses the backing file. This allows compressed images to be used as if they were uncompressed. Add documentation to support this change. Suggested-by: Li Gen Reviewed-by: Daniel Kiper 2022-10-04 Glenn Washburn configure: Add -DVAS_EBOOT_HAS_PCI when compiling C/C++ files on targets that support PCI The list of targets that support PCI is in gentpl.py. However, there is no support for generating makefile script from a .def file that will apply globally to the makefile, but on a per target basis. So instead, use gentpl.py in configure to get the list of targets and check if the current build target is one of them. If it is, set the automake conditional COND_HAVE_PCI. Then in conf/Makefile.common add -DVAS_EBOOT_HAS_PCI for the platform if COND_HAVE_PCI is true. Reviewed-by: Daniel Kiper 2022-10-04 Li Gen commands/read: Fix overflow in VasEBoot_getline() Store returned value from VasEBoot_getkey() in int instead of char to prevent throwing away the extended bits. This was a problem because, for instance, the left arrow key press would return (VAS_EBOOT_TERM_EXTENDED | 0x4b), which would have the VAS_EBOOT_TERM_EXTENDED thrown away leaving 0x4b or 'K'. These extended keys should either work as intended or do nothing. This change has them do nothing, instead of inserting a key not pressed by the user. Reviewed-by: Daniel Kiper 2022-10-04 Li Gen efi: Correct function prototype for register_key_notify() method of VasEBoot_efi_simple_text_input_ex_interface The register_key_notify() method should have an output parameter which is a pointer to the unique handle assigned to the registered notification. Reviewed-by: Daniel Kiper 2022-10-04 Masahiro Matsuya net/drivers/ieee1275/ofnet: Fix incorrect netmask The netmask configured in firmware is not respected on ppc64 (big endian). When 255.255.252.0 is set as netmask in firmware, the following is the value of bootpath string in VasEBoot_ieee1275_parse_bootpath(): /vdevice/l-lan@30000002:speed=auto,duplex=auto,192.168.88.10,,192.168.89.113,192.168.88.1,5,5,255.255.252.0,512 The netmask in this bootpath is not a problem, since it's a value specified in firmware. But the value of subnet_mask.ipv4 was set with 0xfffffc00, and __builtin_ctz(~VasEBoot_le_to_cpu32(subnet_mask.ipv4)) returned 16 (not 22). As a result, 16 was used for netmask wrongly: 1111 1111 1111 1111 1111 1100 0000 0000 # subnet_mask.ipv4(=0xfffffc00) 0000 0000 1111 1100 1111 1111 1111 1111 # VasEBoot_le_to_cpu32(subnet_mask.ipv4) 1111 1111 0000 0011 0000 0000 0000 0000 # ~VasEBoot_le_to_cpu32(subnet_mask.ipv4) and the count of zero with __builtin_ctz() can be 16. This patch changes it as below: 1111 1111 1111 1111 1111 1100 0000 0000 # subnet_mask.ipv4(=0xfffffc00) 0000 0000 1111 1100 1111 1111 1111 1111 # VasEBoot_le_to_cpu32(subnet_mask.ipv4) 1111 1111 1111 1111 1111 1100 0000 0000 # VasEBoot_be_to_cpu32(subnet_mask.ipv4) 0000 0000 0000 0000 0000 0011 1111 1111 # ~VasEBoot_be_to_cpu32(subnet_mask.ipv4) The count of zero with __builtin_clz() can be 22 (clz counts the number of one bits preceding the most significant zero bit). Reviewed-by: Daniel Kiper 2022-10-04 Ross Philipson loader/i386/bsd: Initialize BSD relocator state variables Numerous register fields in the relocator state are simply not used depending on the relocator. This causes Coverity to flag these fields but there is no real bug here. Simply initializing the variable to {0} solves the issue. Fixed in the else case too for consistency. Fixes: CID 396932 Reviewed-by: Daniel Kiper 2022-08-20 Andrea G. Monaco docs: Add a link to environment variables This is trivial, but it might save some time to beginners. Reviewed-by: Glenn Washburn Reviewed-by: Daniel Kiper 2022-08-20 Robbie Harwood docs: Fix mismatched brackets in halt command Reviewed-by: Daniel Kiper docs: Document fwsetup command Reviewed-by: Daniel Kiper 2022-08-20 Robbie Harwood efi: Don't display a uefi-firmware entry if it's not supported Add a new --is-supported option to commands/efi/efifwsetup and conditionalize display on it. Reviewed-by: Daniel Kiper 2022-08-20 Javier Martinez Canillas commands/efi/efifwsetup: Print an error if boot to firmware setup is not supported The "fwsetup" command is only registered if the firmware supports booting to the firmware setup UI. But it could be possible that the VAS_EBOOT config already contains a "fwsetup" entry, because it was generated in a machine that has support for this feature. To prevent users getting an error like: error: ../../VasEBoot-core/script/function.c:109:can't find command `fwsetup'. if it is not supported by the firmware, let's just always register the command but print a more accurate message if the firmware doesn't support this option. Reviewed-by: Daniel Kiper 2022-08-20 Javier Martinez Canillas templates: Check for EFI at runtime instead of config generation time The 30_uefi-firmware template checks if an OsIndicationsSupported UEFI var exists and EFI_OS_INDICATIONS_BOOT_TO_FW_UI bit is set, to decide whether a "fwsetup" menu entry would be added or not to the VAS_EBOOT menu. But this has the problem that it will only work if the configuration file was created on an UEFI machine that supports booting to a firmware UI. This for example doesn't support creating VAS_EBOOT config files when executing on systems that support both UEFI and legacy BIOS booting. Since creating the config file from legacy BIOS wouldn't allow to access the firmware UI. To prevent this, make the template to unconditionally create the VasEBoot.cfg snippet but check at runtime if was booted through UEFI to decide if this entry should be added. That way it won't be added when booting with BIOS. There's no need to check if EFI_OS_INDICATIONS_BOOT_TO_FW_UI bit is set, since that's already done by the "fwsetup" command when is executed. Reviewed-by: Daniel Kiper 2022-08-20 Robbie Harwood efi: Make all VasEBoot_efi_guid_t variables static This is believed to result in smaller code. Reviewed-by: Daniel Kiper 2022-08-20 Robbie Harwood commands/efi/efifwsetup: Add missing VasEBoot_free()s Each call of VasEBoot_efi_get_variable() needs a VasEBoot_free(). Reviewed-by: Daniel Kiper 2022-08-19 Jagannathan Raman fs/zfs/zfs: Pass pointer to dnode_end_t instead of value to fill_fs_info() Coverity reports that dnode_end_t argument of fill_fs_info() is too large to pass-by-value. Therefore, replace the argument with a pointer. Fixes: CID 73631 Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-08-19 Patrick Steinhardt disk/luks2: Fix decoding of digests and salts with escaped chars It was reported in the #VasEBoot IRC channel on Libera that decryption of LUKS2 partitions fails with errors about invalid digests and/or salts. In all of these cases, what failed was decoding the Base64 representation of these, where the encoded data contained invalid characters. As it turns out, the root cause is that json-c, which is used by cryptsetup to read and write the JSON header, will escape some characters by prepending a backslash when writing JSON strings by default. Most importantly, json-c also escapes the forward slash, which is part of the Base64 alphabet. Because VAS_EBOOT doesn't know to unescape such characters, decoding this string will rightfully fail. Interestingly, this issue has until now only been reported by users of Ubuntu 18.04. And a bit of digging in fact reveals that cryptsetup has changed the logic in a054206d (Suppress useless slash escaping in json lib, 2018-04-20), which has been released with cryptsetup v2.0.3. Ubuntu 18.04 is still shipping with cryptsetup v2.0.2 though, which explains why this is not a more frequent issue. Fix the issue by using our new VasEBoot_json_unescape() helper function that handles unescaping for us. Reported-by: Afdal Reviewed-by: Daniel Kiper 2022-08-19 Patrick Steinhardt lib/json/json: Add function to unescape JSON-encoded strings JSON strings require certain characters to be encoded, either by using a single reverse solidus character "\" for a set of popular characters, or by using a Unicode representation of "\uXXXXX". The jsmn library doesn't handle unescaping for us, so we must implement this functionality for ourselves. Add a new function VasEBoot_json_unescape() that takes a potentially escaped JSON string as input and returns a new unescaped string. Reviewed-by: Daniel Kiper 2022-08-19 Nikita Ermakov loader: Drop argv[] argument in VasEBoot_initrd_load() In the case of an error VasEBoot_initrd_load() uses argv[] to print the filename that caused the error. It is also possible to obtain the filename from the file handles and there is no need to duplicate that information in argv[], so let's drop it. Reviewed-by: Daniel Kiper 2022-08-19 Alec Brown loader: Update error conditionals to use enums In VasEBoot-core/loader/i386/bsdXX.c and VasEBoot-core/loader/multiboot_elfxx.c, error conditionals are simplified to statements such as "if (err)". Even though the assumption that non-zero values give errors is correct, it would be clearer and more consistent to compare these conditionals to VAS_EBOOT_ERR_NONE. Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-08-19 Alec Brown util/VasEBoot-module-verifierXX: Changed get_shnum() return type In util/VasEBoot-module-verifierXX.c, the function get_shnum() returns the variable shnum, which is of the type Elf_Word. In the function, shnum can be obtained by the e_shnum member of an Elf_Ehdr or the sh_size member of an Elf_Shdr. The sh_size member can either be VasEBoot_uint32_t or VasEBoot_uint64_t, depending on the architecture, but Elf_Word is only VasEBoot_uint32_t. To account for when sh_size is VasEBoot_uint64_t, we can set shnum to have type Elf_Shnum and have get_shnum() return an Elf_Shnum. Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-08-19 Alec Brown elf: Validate number of elf program header table entries In bsdXX.c and multiboot_elfxx.c, e_phnum is used to obtain the number of program header table entries, but it wasn't being checked if the value was there. According to the elf(5) manual page, "If the number of entries in the program header table is larger than or equal to PN_XNUM (0xffff), this member holds PN_XNUM (0xffff) and the real number of entries in the program header table is held in the sh_info member of the initial entry in section header table. Otherwise, the sh_info member of the initial entry contains the value zero." Since this check wasn't being made, VasEBoot_elfXX_get_phnum() is being added to elfXX.c to make this check and use e_phnum if it doesn't have PN_XNUM as a value, else use sh_info. We also need to make sure e_phnum isn't greater than PN_XNUM and sh_info isn't less than PN_XNUM. Note that even though elf.c and elfXX.c are located in VasEBoot-core/kern, they are compiled as modules and don't need the EXPORT_FUNC() macro to define the functions in elf.h. Also, changed casts of phnum to match variables being set as well as dropped casts when unnecessary. Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-08-19 Alec Brown elf: Validate elf section header table index for section name string table In multiboot_elfxx.c, e_shstrndx is used to obtain the section header table index of the section name string table, but it wasn't being checked if the value was there. According to the elf(5) manual page, "If the index of section name string table section is larger than or equal to SHN_LORESERVE (0xff00), this member holds SHN_XINDEX (0xffff) and the real index of the section name string table section is held in the sh_link member of the initial entry in section header table. Otherwise, the sh_link member of the initial entry in section header table contains the value zero." Since this check wasn't being made, VasEBoot_elfXX_get_shstrndx() is being added to elfXX.c to make this check and use e_shstrndx if it doesn't have SHN_XINDEX as a value, else use sh_link. We also need to make sure e_shstrndx isn't greater than or equal to SHN_LORESERVE and sh_link isn't less than SHN_LORESERVE. Note that even though elf.c and elfXX.c are located in VasEBoot-core/kern, they are compiled as modules and don't need the EXPORT_FUNC() macro to define the functions in elf.h. Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-08-19 Alec Brown elf: Validate number of elf section header table entries In bsdXX.c and multiboot_elfxx.c, e_shnum is used to obtain the number of section header table entries, but it wasn't being checked if the value was there. According to the elf(5) manual page, "If the number of entries in the section header table is larger than or equal to SHN_LORESERVE (0xff00), e_shnum holds the value zero and the real number of entries in the section header table is held in the sh_size member of the initial entry in section header table. Otherwise, the sh_size member of the initial entry in the section header table holds the value zero." Since this check wasn't being made, VasEBoot_elfXX_get_shnum() is being added to elfXX.c to make this check and use whichever member doesn't have a value of zero. If both are zero, then we must return an error. We also need to make sure that e_shnum doesn't have a value greater than or equal to SHN_LORESERVE and sh_size isn't less than SHN_LORESERVE. In order to get this function to work, the type ElfXX_Shnum is being added where Elf32_Shnum defines Elf32_Word and Elf64_Shnum defines Elf64_Xword. This new type is needed because if shnum obtains a value from sh_size, sh_size could be of type El32_Word for Elf32_Shdr structures or Elf64_Xword for Elf64_Shdr structures. Note that even though elf.c and elfXX.c are located in VasEBoot-core/kern, they are compiled as modules and don't need the EXPORT_FUNC() macro to define the functions in elf.h. For a few smaller changes, changed casts of shnum to match variables being set as well as dropped casts when unnecessary and fixed spacing errors in bsdXX.c. Also, shnum is an unsigned integer and is compared to int i in multiboot_elfxx.c, it should be unsigned to match shnum. Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-08-19 Mauricio Faria de Oliveira templates/linux_xen: Properly order the multiple initrd files The linux_xen template orders the "early" initrd file(s) _first_ (i.e., before the "real" initrd files) and that seems reasonable, as microcode updates usually come first. However, this usually breaks Linux boot with initrd under Xen because Xen assumes the real initrd is the first multiboot[2] module after the kernel, passing its address over to Linux in Xen's start_info struct. So, if a microcode-only initrd (i.e., without init/userspace) is found by VasEBoot-mkconfig, it ends up considered as a normal initrd by the Linux kernel, which cannot do anything with it (as it has no other files) and panic()s unable to mount root if it depends on a initrd to do that (e.g., root=UUID=...). ... Well, since Xen doesn't actually use the provided microcode by default / unless the 'ucode=' option is enabled, this isn't used in the general case (and breaks). Additionally, if an user enables the 'ucode=' option, that either specifies which module is to be used for microcode, or scans all modules (regardless of being first) for that. Thus, for Xen: - it is *not required* to have microcode first, - but it is *required* to have real initrd first So, fix it by ordering the real initrd before early initrd(s). After: # touch /boot/xen /boot/microcode.cpio # VasEBoot-mkconfig 2>/dev/null | grep -P '^\t(multiboot|module)' multiboot /boot/xen ... module /boot/vmlinuz-5.4.0-122-generic ... module --nounzip /boot/initrd.img-5.4.0-122-generic module --nounzip /boot/microcode.cpio ... Corner case specific to Xen implementation details: It is actually _possible_ to have a microcode initrd first, but that requires a non-default option (so can't rely on it), and it turns out to be inconsistent with its counterpart (really shouldn't rely on it, as it may get confusing; below). 'ucode=1' does manually specify the first module is microcode _AND_ clears its bit in the module bitmap. The next module is now the 'new first', and gets passed to Linux as initrd. Good. 'ucode=scan' checks all modules for microcode, but does _NOT_ clear a bit if it finds one (reasonable, as it can find that prepended in a "real" initrd anyway, which needs to be used). The first module still gets passed to Linux as initrd. Bad. Fixes: e86f6aafb8de (VasEBoot-mkconfig/20_linux_xen: Support multiple early initrd images) Acked-by: Juergen Gross Reviewed-by: Daniel Kiper 2022-08-19 Mauricio Faria de Oliveira templates/linux_xen: Properly load multiple initrd files The linux_xen template can put multiple initrd files in the same multiboot[2] module[2] command, which is against specs. This causes ONLY the _first_ initrd file to be loaded; other files just have filenames in a "cmdline" string of the first initrd file and are NOT loaded. Fix this by inserting a module[2] command per initrd file. Before: # touch /boot/xen /boot/microcode.cpio # VasEBoot-mkconfig 2>/dev/null | grep -P '^\t(multiboot|module)' multiboot /boot/xen ... module /boot/vmlinuz-5.4.0-122-generic ... module --nounzip /boot/microcode.cpio /boot/initrd.img-5.4.0-122-generic After: # touch /boot/xen /boot/microcode.cpio # VasEBoot-mkconfig 2>/dev/null | grep -P '^\t(multiboot|module)' multiboot /boot/xen ... module /boot/vmlinuz-5.4.0-122-generic ... module --nounzip /boot/microcode.cpio module --nounzip /boot/initrd.img-5.4.0-122-generic Cause: The code was copied from the linux template, which is *apparently* equivalent.. but its initrd command VasEBoot_cmd_initrd() *supports* multiple files (see VasEBoot_initrd_init()), while module/module2 in VasEBoot_cmd_module() *does not* (see VasEBoot_multiboot[2]_add_module()). See commit e86f6aafb8de (VasEBoot-mkconfig/20_linux_xen: Support multiple early initrd images): 'This is basically a copy of a698240d "VasEBoot-mkconfig/10_linux: Support multiple early initrd images" ...' Specs: Both multiboot and multiboot2 specifications mention support for 'multiple boot modules' (struct/tag used for kernel/initrd files): "Boot loaders don’t have to support multiple boot modules, but they are strongly encouraged to" [1,2] However, there is a 1:1 relationship between boot modules and files, more or less clearly; note the usage of singular/plural "module(s)". (Multiboot2, clearly: "One tag appears per module".) Multiboot [1]: "the ‘mods’ fields indicate ... what boot modules were loaded ..., and where they can be found. ‘mods_count’ contains the number of modules loaded" "The first two fields contain the start and end addresses of the boot module itself." Multiboot2 [2]: "This tag indicates ... what boot module was loaded ..., and where it can be found." "The ‘mod_start’ and ‘mod_end’ contain the start and end physical addresses of the boot module itself." "One tag appears per module. This tag type may appear multiple times." And both clearly mention the 'string' field of a boot module, which is to be used by the operating system, not boot loader: "The ‘string’ field provides an arbitrary string to be associated with that particular boot module ... its exact use is specific to the operating system." Links: [1] https://www.gnu.org/software/VasEBoot/manual/multiboot/multiboot.html 3.3 Boot information format [2] https://www.gnu.org/software/VasEBoot/manual/multiboot2/multiboot.html 3.6.6 Modules Fixes: e86f6aafb8de (VasEBoot-mkconfig/20_linux_xen: Support multiple early initrd images) Acked-by: Juergen Gross Reviewed-by: Daniel Kiper 2022-08-19 Glenn Washburn misc: Add cast in VasEBoot_strncasecmp() to drop sign when calling VasEBoot_tolower() Note this cast was fixed in VasEBoot_strcasecmp() in commit ce41ab7aab (* VasEBoot-core/kern/misc.c (VasEBoot_strcmp): Use unsigned comparison as per common usage and preffered in several parts of code.), but this commit omitted fixing it in VasEBoot_strncasecmp(). Reviewed-by: Daniel Kiper 2022-08-19 Glenn Washburn tests/util/VasEBoot-shell: Only show VasEBoot-mkrescue output if it returns an error The previous behavior ignored an error and the output from VasEBoot-mkrescue. This made it difficult to discover that VasEBoot-mkrescue was the reason that tests which rely on VasEBoot-shell were failing. Even after discovering VasEBoot-mkrescue was the culprit, there was no output to indicate why it was failing. It turns out that VasEBoot-mkrescue is a thin wrapper around xorriso. So if you do not have xorriso installed it will fail with an error message about not being able to find xorriso. This change will allow VasEBoot-mkrescue output to be written to stderr, only if VasEBoot-mkrescue fails. If VasEBoot-mkrescue succeeds, there will be no output from VasEBoot-mkrescue so as not to interfere with the functioning of tests. This change should have no effect on the running of tests or other uses of VasEBoot-shell as it only modifies the error path. Also, if VasEBoot-mkrescue fails, the script exits early. Since VasEBoot-shell needs the ISO image created by VasEBoot-mkresue to boot the QEMU instance, a failure here should be considered fatal. Reviewed-by: Daniel Kiper 2022-08-19 Ard Biesheuvel loader/arm64/linux: Remove magic number header field check The "ARM\x64" magic number in the file header identifies an image as one that implements the bare metal boot protocol, allowing the loader to simply move the file to a suitably aligned address in memory, with sufficient headroom for the trailing .bss segment (the required memory size is described in the header as well). Note of this matters for VAS_EBOOT, as it only supports EFI boot. EFI does not care about this magic number, and nor should VAS_EBOOT: this prevents us from booting other PE linux images, such as the generic EFI zboot decompressor, which is a pure PE/COFF image, and does not implement the bare metal boot protocol. So drop the magic number check. Reviewed-by: Daniel Kiper 2022-08-19 Darren Kenny util/VasEBoot-install-common: Confirm directory creation in VasEBoot_install_mkdir_p() Because VasEBoot_util_mkdir() is implemented to not return a value on any platform, VasEBoot_instal_mkdir_p() can test for success by confirming that the directory requested exists after attempting to create it, otherwise it should fail with an error and exit. While fixing this, a flaw in the logic was shown, where the first match of the path separator, which almost always was the first character in the path (e.g. /boot/VasEBoot2) would result in creating a directory with an empty name (i.e. ""). To avoid that, it should skip the handling of the path separator where p is pointing to the first character. Reviewed-by: Daniel Kiper 2022-08-19 Darren Kenny util: Ignore return value for VasEBoot_util_mkdir() on all platforms Coverity signaled 2 issues where the return value of VasEBoot_util_mkdir() was not being tested. The Windows variant of this code defines the function as having no return value (void), but the UNIX variants all are mapped using a macro to the libc mkdir() function, which returns an int value. To be consistent, the mapping should cast to void to for these too. Fixes: CID 73583 Fixes: CID 73617 Reviewed-by: Daniel Kiper 2022-08-19 Glenn Washburn disk/cryptodisk: Support encrypted volumes using detached headers on a partition Update the read hook to take into account encrypted volumes on a partition. VAS_EBOOT disk read hooks supply an absolute sector number at which the read is started from. If the encrypted volume is in a partition, the sector number given to the read hook will be offset by the number of the sector at the start of the partition. The read hook then needs to subtract the partition start from the supplied sector to get the correct start sector for the read into the detached header file. Reported-by: brutser Tested-by: brutser Reviewed-by: Daniel Kiper 2022-08-10 Glenn Washburn tests/util/VasEBoot-shell: Use shell variable instead of autoconf By using shell variable that are set once by the expansion of an autoconf variable, the resulting shell script is more easily moved and modified from the build/install directory it was generated for. The resulting script is more readable as well. Reviewed-by: Daniel Kiper 2022-08-10 Stefan Agner Makefile: Make VasEBoot_fstest.pp depend on config-util.h If you build with "make -j25", sometimes you see: /build/output_generic_x86_64/host/bin/x86_64-buildroot-linux-gnu-gcc -E -DHAVE_CONFIG_H -I. -I.. -Wall -W -DVAS_EBOOT_UTIL=1 -D_FILE_OFFSET_BITS=64 -I./include -DVAS_EBOOT_FILE=\"util/VasEBoot-fstest.c\" -I. -I.. -I. -I.. -I../include -I./include -I../VasEBoot-core/lib/libgcrypt-VasEBoot/src/ -I./VasEBoot-core/lib/gnulib -I../VasEBoot-core/lib/gnulib -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -fno-stack-protector -D_FILE_OFFSET_BITS=64 \ -D'VAS_EBOOT_MOD_INIT(x)=@MARKER@x@' ../util/VasEBoot-fstest.c ../VasEBoot-core/kern/emu/hostfs.c ../VasEBoot-core/disk/host.c ../VasEBoot-core/osdep/init.c > VasEBoot_fstest.pp || (rm -f VasEBoot_fstest.pp; exit 1) config.status: creating config-util.h ../VasEBoot-core/kern/emu/hostfs.c:20:10: fatal error: config-util.h: No such file or directory 20 | #include | ^~~~~~~~~~~~~~~ compilation terminated. Reviewed-by: Daniel Kiper 2022-08-10 Qiumiao Zhang util/VasEBoot-mkfont: Fix resource leaks Reviewed-by: Daniel Kiper 2022-08-10 Peter Jones kern/i386/tsc_pmtimer: Make pmtimer tsc calibration not take 51 seconds to fail On my laptop running at 2.4GHz, if I run a VM where tsc calibration using pmtimer will fail presuming a broken pmtimer, it takes ~51 seconds to do so (as measured with the stopwatch on my phone), with a tsc delta of 0x1cd1c85300, or around 125 billion cycles. If instead of trying to wait for 5-200ms to show up on the pmtimer, we try to wait for 5-200us, it decides it's broken in ~0x2626aa0 TSCs, aka ~2.4 million cycles, or more or less instantly. Additionally, this reading the pmtimer was returning 0xffffffff anyway, and that's obviously an invalid return. I've added a check for that and 0 so we don't bother waiting for the test if what we're seeing is dead pins with no response at all. If "debug" includes "pmtimer", you will see one of the following three outcomes. If pmtimer gives all 0 or all 1 bits, you will see: pmtimer: 0xffffff bad_reads: 1 pmtimer: 0xffffff bad_reads: 2 pmtimer: 0xffffff bad_reads: 3 pmtimer: 0xffffff bad_reads: 4 pmtimer: 0xffffff bad_reads: 5 pmtimer: 0xffffff bad_reads: 6 pmtimer: 0xffffff bad_reads: 7 pmtimer: 0xffffff bad_reads: 8 pmtimer: 0xffffff bad_reads: 9 pmtimer: 0xffffff bad_reads: 10 timer is broken; giving up. This outcome was tested using qemu+kvm with UEFI (OVMF) firmware and these options: -machine pc-q35-2.10 -cpu Broadwell-noTSX If pmtimer gives any other bit patterns but is not actually marching forward fast enough to use for clock calibration, you will see: pmtimer delta is 0x0 (1904 iterations) tsc delta is implausible: 0x2626aa0 This outcome was tested using VAS_EBOOT patched to not ignore bad reads using qemu+kvm with UEFI (OVMF) firmware, and these options: -machine pc-q35-2.10 -cpu Broadwell-noTSX If pmtimer actually works, you'll see something like: pmtimer delta is 0xdff tsc delta is 0x278756 This outcome was tested using qemu+kvm with UEFI (OVMF) firmware, and these options: -machine pc-i440fx-2.4 -cpu Broadwell-noTSX I've also tested this outcome on a real Intel Xeon E3-1275v3 on an Intel Server Board S1200V3RPS using the SDV.RP.B8 "Release" build here: https://www.intel.com/content/www/us/en/download/674448/firmware-update-for-the-intel-server-board-s1200rp-uefi-development-kit-release-vb8.html Reviewed-by: Daniel Kiper 2022-08-10 Glenn Washburn disk/luks2: Continue trying all keyslots even if there are some failures luks2_get_keyslot() can fail for a variety of reasons that do not necessarily mean the next keyslot should not be tried (e.g. a new kdf type). So always try the next slot. This will make VAS_EBOOT more resilient to non-spec json data that 3rd party systems may add. We do not care if some of the keyslots are unusable, only if there is at least one that is. Reviewed-by: Daniel Kiper 2022-08-10 Glenn Washburn efi: Add efitextmode command for getting/setting the text mode resolution This command is meant to behave similarly to the "mode" command of the EFI Shell application. In addition to allowing mode selection by giving the number of columns and rows as arguments, the command allows specifying the mode number to select the mode. Also supported are the arguments "min" and "max", which set the mode to the minimum and maximum mode respectively as calculated by the columns * rows of that mode. Reviewed-by: Daniel Kiper 2022-07-27 Robbie Harwood fs/fat: Don't error when mtime is 0 In the wild, we occasionally see valid ESPs where some file modification times are 0. For instance: ├── [Dec 31 1979] EFI │ ├── [Dec 31 1979] BOOT │ │ ├── [Dec 31 1979] BOOTX64.EFI │ │ └── [Dec 31 1979] fbx64.efi │ └── [Jun 27 02:41] fedora │ ├── [Dec 31 1979] BOOTX64.CSV │ ├── [Dec 31 1979] fonts │ ├── [Mar 14 03:35] fw │ │ ├── [Mar 14 03:35] fwupd-359c1169-abd6-4a0d-8bce-e4d4713335c1.cap │ │ ├── [Mar 14 03:34] fwupd-9d255c4b-2d88-4861-860d-7ee52ade9463.cap │ │ └── [Mar 14 03:34] fwupd-b36438d8-9128-49d2-b280-487be02d948b.cap │ ├── [Dec 31 1979] fwupdx64.efi │ ├── [May 10 10:47] VasEBoot.cfg │ ├── [Jun 3 12:38] VasEBoot.cfg.new.new │ ├── [May 10 10:41] VasEBoot.cfg.old │ ├── [Jun 27 02:41] VasEBootenv │ ├── [Dec 31 1979] VasEBootx64.efi │ ├── [Dec 31 1979] mmx64.efi │ ├── [Dec 31 1979] shim.efi │ ├── [Dec 31 1979] shimx64.efi │ └── [Dec 31 1979] shimx64-fedora.efi └── [Dec 31 1979] FSCK0000.REC 5 directories, 17 files This causes VasEBoot-probe failure, which in turn causes VasEBoot-mkconfig failure. They are valid filesystems that appear intact, and the Linux FAT stack is able to mount and manipulate them without complaint. The check for mtime of 0 has been present since 20def1a3c3952982395cd7c3ea7e78638527962b (fat: support file modification times). Reviewed-by: Daniel Kiper 2022-07-27 Robbie Harwood kern/fs: The VasEBoot_fs_probe() should dprint errors from filesystems When filesystem detection fails, all that's currently debug-logged is a series of messages like: VasEBoot-core/kern/fs.c:56:fs: Detecting ntfs... VasEBoot-core/kern/fs.c:76:fs: ntfs detection failed. repeated for each filesystem. Any messages provided to VasEBoot_error() by the filesystem are lost, and one has to break out gdb to figure out what went wrong. With this change, one instead sees: VasEBoot-core/kern/fs.c:56:fs: Detecting fat... VasEBoot-core/osdep/hostdisk.c:357:hostdisk: reusing open device `/path/to/device' VasEBoot-core/kern/fs.c:77:fs: error: invalid modification timestamp for /. VasEBoot-core/kern/fs.c:79:fs: fat detection failed. in the debug prints. Reviewed-by: Daniel Kiper 2022-07-27 Robbie Harwood util/VasEBoot-probe: Document the behavior of multiple -v Reviewed-by: Daniel Kiper 2022-07-27 Ross Philipson lib/relocator: Initialize local relocator subchunk struct to all zeros The way the code is written the tofree variable would never be passed to the free_subchunk() function uninitialized. Coverity cannot determine this and flags the situation as "Using uninitialized value...". The fix is just to initialize the local struct. Fixes: CID 314016 Reviewed-by: Darren Kenny Tested-by: Alec Brown Reviewed-by: Daniel Kiper 2022-07-27 Lu Ken efi/tpm: Add EFI_CC_MEASUREMENT_PROTOCOL support The EFI_CC_MEASUREMENT_PROTOCOL abstracts the measurement for virtual firmware in confidential computing environment. It is similar to the EFI_TCG2_PROTOCOL. It was proposed by Intel and ARM and approved by UEFI organization. It is defined in Intel GHCI specification: https://cdrdv2.intel.com/v1/dl/getContent/726790 . The EDKII header file is available at https://github.com/tianocore/edk2/blob/master/MdePkg/Include/Protocol/CcMeasurement.h . Reviewed-by: Daniel Kiper 2022-07-27 Lu Ken commands/efi/tpm: Use VasEBoot_strcpy() instead of VasEBoot_memcpy() The event description is a string, so using VasEBoot_strcpy() is cleaner than using VasEBoot_memcpy(). Reviewed-by: Daniel Kiper 2022-07-27 Lu Ken commands/efi/tpm: Refine the status of log event 1. Use macro VAS_EBOOT_ERR_NONE instead of hard code 0. 2. Keep lowercase of the first char for the status string of log event. Reviewed-by: Daniel Kiper 2022-07-12 Nicholas Vinson configure: Warn if stack protector is not allowed Introduce ERROR_PLATFORM_NOT_SUPPORT_SSP environment variable to treat the "--enable-stack-protector is only supported on EFI platforms" message as a warning instead of an error. If ERROR_PLATFORM_NOT_SUPPORT_SSP is set to "no" (case-insensitive), then the message will be printed as a warning. Otherwise, it prints as an error. The default behavior is to print the message as an error. For any wrapper build script that has some variation of: for p in SELECTED_VAS_EBOOT_PLATFORMS; do \ configure --enable-stack-protector \ --with-platform${P} ... || die; \ done make The VAS_EBOOT will fail to build if SELECTED_VAS_EBOOT_PLATFORMS contains a platform that does not support SSP. Such wrapper scripts need to work-around this issue by modifying the above for-loop, so it conditionally passes --enable-stack-protector to configure for the proper VAS_EBOOT platform(s). However, if the above example is modified to have to conditionally pass in --enable-stack-protector, its behavior is effectively the same as the proposed change. Additionally, The list of SSP supported platforms is now in 2 places. One in the configure script and one in the build wrapper script. If the second list is not properly maintained it could mistakenly disable SSP for a platform that later gained support for it. Reviewed-by: Daniel Kiper 2022-07-12 Darren Kenny util/VasEBoot-mkfont: Fix tainted loop boundary issues with substitutions With gsub substitutions the offsets should be validated against the number of glyphs in a font face and the memory allocated for the gsub substitution data. Both the number of glyphs and the last address in the allocated data are passed in to process_cursive(), where the number of glyphs validates the end of the range. Enabling memory allocation validation uses two macros, one to simply check the address against the allocated space, and the other to check that the number of items of a given size doesn't extend outside of the allocated space. Fixes: CID 73770 Fixes: CID 314040 Reviewed-by: Daniel Kiper 2022-07-12 Glenn Washburn efi: Add missing header from include/VasEBoot/efi/console_control.h Reviewed-by: Daniel Kiper 2022-07-04 Glenn Washburn disk: Replace code that calculates the log of sector size with VasEBoot_log2ull() Reviewed-by: Daniel Kiper 2022-07-04 Mathieu Desnoyers templates: Remove unused version comparison functions There are no users left of version_find_latest(), version_test_gt(), and version_test_numeric(). Remove those unused helper functions. Using those helper functions is what caused the quadratic sorting performance issues in the first place, so removing them is a net win. Reviewed-by: Robbie Harwood Reviewed-by: Daniel Kiper 2022-07-04 Mathieu Desnoyers templates/kfreebsd: Fix quadratic algorithm for sorting menu items The current implementation of the 10_kfreebsd script implements its menu items sorting in bash with a quadratic algorithm, calling "sed", "sort", "head", and "grep" to compare versions between individual lines, which is annoyingly slow for kernel developers who can easily end up with 50-100 kernels in their boot partition. This fix is ported from the 10_linux script, which has a similar quadratic code pattern. Cc: debian-bsd@lists.debian.org Reviewed-by: Daniel Kiper 2022-07-04 Mathieu Desnoyers templates/hurd: Fix quadratic algorithm for sorting menu items The current implementation of the 10_hurd script implements its menu items sorting in bash with a quadratic algorithm, calling "sed", "sort", "head", and "grep" to compare versions between individual lines, which is annoyingly slow for kernel developers who can easily end up with 50-100 kernels in their boot partition. This fix is ported from the 10_linux script, which has a similar quadratic code pattern. Cc: Samuel Thibault Tested-by: Samuel Thibault Reviewed-by: Daniel Kiper 2022-07-04 Mathieu Desnoyers templates/linux_xen: Fix quadratic algorithm for sorting menu items The current implementation of the 20_linux_xen script implements its menu items sorting in bash with a quadratic algorithm, calling "sed", "sort", "head", and "grep" to compare versions between individual lines, which is annoyingly slow for kernel developers who can easily end up with 50-100 kernels in their boot partition. This fix is ported from the 10_linux script, which has a similar quadratic code pattern. Cc: xen-devel@lists.xenproject.org Tested-by: Jason Andryuk Reviewed-by: Daniel Kiper 2022-07-04 Mathieu Desnoyers templates/linux: Fix quadratic algorithm for sorting menu items The current implementation of the 10_linux script implements its menu items sorting in bash with a quadratic algorithm, calling "sed", "sort", "head", and "grep" to compare versions between individual lines, which is annoyingly slow for kernel developers who can easily end up with 50-100 kernels in /boot. As an example, on a Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, running: /usr/sbin/VasEBoot-mkconfig > /dev/null With 44 kernels in /boot, this command takes 10-15 seconds to complete. After this fix, the same command runs in 5 seconds. With 116 kernels in /boot, this command takes 40 seconds to complete. After this fix, the same command runs in 8 seconds. For reference, the quadratic algorithm here is: while [ "x$list" != "x" ] ; do <--- outer loop linux=`version_find_latest $list` version_find_latest() for i in "$@" ; do <--- inner loop version_test_gt() fork+exec sed version_test_numeric() version_sort fork+exec sort fork+exec head -n 1 fork+exec grep list=`echo $list | tr ' ' '\n' | fgrep -vx "$linux" | tr '\n' ' '` tr fgrep tr So all commands executed under version_test_gt() are executed O(n^2) times where n is the number of kernel images in /boot. Here is the improved algorithm proposed: - Prepare a list with all the relevant information for ordering by a single sort(1) execution. This is done by renaming ".old" suffixes by " 1" and by suffixing all other files with " 2", thus making sure the ".old" entries will follow the non-old entries in reverse-sorted-order. - Call version_reverse_sort on the list (sort -r -V): A single execution of sort(1). For instance, GNU coreutils' sort will reverse-sort the list in O(n*log(n)) with a merge sort. - Replace the " 1" suffixes by ".old", and remove the " 2" suffixes. - Iterate on the reverse-sorted list to output each menu entry item. Therefore, the algorithm proposed has O(n*log(n)) complexity with GNU coreutils' sort compared to the prior O(n^2) complexity. Moreover, the constant time required for each list entry is much less because sorting is done within a single execution of sort(1) rather than requiring O(n^2) executions of sed(1), sort(1), head(1), and grep(1) in sub-shells. Reviewed-by: Robbie Harwood Reviewed-by: Daniel Kiper 2022-07-04 Glenn Washburn docs: Add documentation on detached header option to cryptomount Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2022-07-04 Glenn Washburn cryptodisk: Add support for using detached header files Using the disk read hook mechanism, setup a read hook on the source disk which will read from the given header file during the scan and recovery cryptodisk backend functions. Disk read hooks are executed after the data has been read from the disk. This is okay, because the read hook is given the read buffer before its sent back to the caller. In this case, the hook can then overwrite the data read from the disk device with data from the header file sent in as the read hook data. This is transparent to the read caller. Since the callers of this function have just opened the source disk, there are no current read hooks, so there's no need to save/restore them nor consider if they should be called or not. This hook assumes that the header is at the start of the volume, which is not the case for some formats (e.g. GELI). So GELI will return an error if a detached header is specified. It also can only be used with formats where the detached header file can be written to the first blocks of the volume and the volume could still be unlocked. So the header file can not be formatted differently from the on-disk header. If these assumpts are not met, detached header file processing must be specially handled in the cryptodisk backend module. The hook will be called potentially many times by a backend. This is fine because of the assumptions mentioned and the read hook reads from absolute offsets and is stateless. Also add a --header (short -H) option to cryptomount which takes a file argument. Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2022-07-04 Glenn Washburn disk: Allow read hook callback to take read buffer to potentially modify it It will be desirable in the future to allow having the read hook modify the data passed back from a read function call on a disk or file. This adds that infrastructure and has no impact on code flow for existing uses of the read hook. Also changed is that now when the read hook callback is called it can also indicate what error code should be sent back to the read caller. Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2022-07-04 Glenn Washburn docs: Document undocumented variables Document the variables net__clientid, net__clientuuid, lockdown, and shim_lock in the list of special environment variables. Reviewed-by: Daniel Kiper 2022-07-04 Patrick Steinhardt kern/efi/mm: Implement runtime addition of pages Adjust the interface of VasEBoot_efi_mm_add_regions() to take a set of VAS_EBOOT_MM_ADD_REGION_* flags, which most notably is currently only the VAS_EBOOT_MM_ADD_REGION_CONSECUTIVE flag. This allows us to set the function up as callback for the memory subsystem and have it call out to us in case there's not enough pages available in the current heap. Reviewed-by: Daniel Kiper Tested-by: Patrick Steinhardt 2022-07-04 Patrick Steinhardt kern/efi/mm: Pass up errors from add_memory_regions() The function add_memory_regions() is currently only called on system initialization to allocate a fixed amount of pages. As such, it didn't need to return any errors: in case it failed, we cannot proceed anyway. This will change with the upcoming support for requesting more memory from the firmware at runtime, where it doesn't make sense anymore to fail hard. Refactor the function to return an error to prepare for this. Note that this does not change the behaviour when initializing the memory system because VasEBoot_efi_mm_init() knows to call VasEBoot_fatal() in case VasEBoot_efi_mm_add_regions() returns an error. Reviewed-by: Daniel Kiper Tested-by: Patrick Steinhardt 2022-07-04 Patrick Steinhardt kern/efi/mm: Extract function to add memory regions In preparation of support for runtime-allocating additional memory region, this patch extracts the function to retrieve the EFI memory map and add a subset of it to VAS_EBOOT's own memory regions. Reviewed-by: Daniel Kiper Tested-by: Patrick Steinhardt 2022-07-04 Patrick Steinhardt kern/efi/mm: Always request a fixed number of pages on init When initializing the EFI memory subsystem, we will by default request a quarter of the available memory, bounded by a minimum/maximum value. Given that we're about to extend the EFI memory system to dynamically request additional pages from the firmware as required, this scaling of requested memory based on available memory will not make a lot of sense anymore. Remove this logic as a preparatory patch such that we'll instead defer to the runtime memory allocator. Note that ideally, we'd want to change this after dynamic requesting of pages has been implemented for the EFI platform. But because we'll need to split up initialization of the memory subsystem and the request of pages from the firmware, we'd have to duplicate quite some logic at first only to remove it afterwards again. This seems quite pointless, so we instead have patches slightly out of order. Reviewed-by: Daniel Kiper Tested-by: Patrick Steinhardt 2022-07-04 Patrick Steinhardt mm: Allow dynamically requesting additional memory regions Currently, all platforms will set up their heap on initialization of the platform code. While this works mostly fine, it poses some limitations on memory management on us. Most notably, allocating big chunks of memory in the gigabyte range would require us to pre-request this many bytes from the firmware and add it to the heap from the beginning on some platforms like EFI. As this isn't needed for most configurations, it is inefficient and may even negatively impact some usecases when, e.g., chainloading. Nonetheless, allocating big chunks of memory is required sometimes, where one example is the upcoming support for the Argon2 key derival function in LUKS2. In order to avoid pre-allocating big chunks of memory, this commit implements a runtime mechanism to add more pages to the system. When a given allocation cannot be currently satisfied, we'll call a given callback set up by the platform's own memory management subsystem, asking it to add a memory area with at least "n" bytes. If this succeeds, we retry searching for a valid memory region, which should now succeed. If this fails, we try asking for "n" bytes, possibly spread across multiple regions, in hopes that region merging means that we end up with enough memory for things to work out. Tested-by: Stefan Berger Reviewed-by: Daniel Kiper Tested-by: Patrick Steinhardt 2022-07-04 Patrick Steinhardt mm: Drop unused unloading of modules on OOM In VasEBoot_memalign(), there's a commented section which would allow for unloading of unneeded modules in case where there is not enough free memory available to satisfy a request. Given that this code is never compiled in, let's remove it together with VasEBoot_dl_unload_unneeded(). Reviewed-by: Daniel Kiper Tested-by: Patrick Steinhardt 2022-07-04 Daniel Axtens mm: Debug support for region operations This is handy for debugging. Enable with "set debug=regions". Reviewed-by: Daniel Kiper Tested-by: Patrick Steinhardt 2022-07-04 Daniel Axtens mm: When adding a region, merge with region after as well as before On x86_64-efi (at least) regions seem to be added from top down. The mm code will merge a new region with an existing region that comes immediately before the new region. This allows larger allocations to be satisfied that would otherwise be the case. On powerpc-ieee1275, however, regions are added from bottom up. So if we add 3x 32MB regions, we can still only satisfy a 32MB allocation, rather than the 96MB allocation we might otherwise be able to satisfy. * Define 'post_size' as being bytes lost to the end of an allocation due to being given weird sizes from firmware that are not multiples of VAS_EBOOT_MM_ALIGN. * Allow merging of regions immediately _after_ existing regions, not just before. As with the other approach, we create an allocated block to represent the new space and the pass it to VasEBoot_free() to get the metadata right. Tested-by: Stefan Berger Reviewed-by: Daniel Kiper Tested-by: Patrick Steinhardt 2022-06-29 Daniel Axtens mm: Assert that we preserve header vs region alignment VasEBoot_mm_region_init() does: h = (VasEBoot_mm_header_t) (r + 1); where h is a VasEBoot_mm_header_t and r is a VasEBoot_mm_region_t. Cells are supposed to be VAS_EBOOT_MM_ALIGN aligned, but while VasEBoot_mm_dump ensures this vs the region header, VasEBoot_mm_region_init() does not. It's better to be explicit than implicit here: rather than changing VasEBoot_mm_region_init() to ALIGN_UP(), require that the struct is explicitly a multiple of the header size. Reviewed-by: Daniel Kiper Tested-by: Patrick Steinhardt 2022-06-28 Daniel Axtens tests: Only pass SeaBIOS fw_opt for x86 non-EFI platforms This breaks the tests on pseries - just restrict it to x86 platforms that don't specify an EFI. Reviewed-by: Daniel Kiper 2022-06-07 Darren Kenny fs/btrfs: Fix more fuzz issues related to chunks The corpus was generating issues in VasEBoot_btrfs_read_logical() when attempting to iterate over stripe entries in the superblock's bootmapping. In most cases the reason for the failure was that the number of stripes in chunk->nstripes exceeded the possible space statically allocated in superblock bootmapping space. Each stripe entry in the bootmapping block consists of a VasEBoot_btrfs_key followed by a VasEBoot_btrfs_chunk_stripe. Another issue that came up was that while calculating the chunk size, in an earlier piece of code in that function, depending on the data provided in the btrfs file system, it would end up calculating a size that was too small to contain even 1 VasEBoot_btrfs_chunk_item, which is obviously invalid too. Reviewed-by: Daniel Kiper 2022-06-07 Darren Kenny fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing The fuzzer is generating btrfs file systems that have chunks with invalid combinations of stripes and substripes for the given RAID configurations. After examining the Linux kernel fs/btrfs/tree-checker.c code, it appears that sub-stripes should only be applied to RAID10, and in that case there should only ever be 2 of them. Similarly, RAID single should only have 1 stripe, and RAID1/1C3/1C4 should have 2. 3 or 4 stripes respectively, which is what redundancy corresponds. Some of the chunks ended up with a size of 0, which VasEBoot_malloc() still returned memory for and in turn generated ASAN errors later when accessed. While it would be possible to specifically limit the number of stripes, a more correct test was on the combination of the chunk item, and the number of stripes by the size of the chunk stripe structure in comparison to the size of the chunk itself. Reviewed-by: Daniel Kiper 2022-06-07 Darren Kenny fs/btrfs: Fix several fuzz issues with invalid dir item sizing According to the btrfs code in Linux, the structure of a directory item leaf should be of the form: |struct btrfs_dir_item|name|data| in VAS_EBOOT the name len and data len are in the VasEBoot_btrfs_dir_item structure's n and m fields respectively. The combined size of the structure, name and data should be less than the allocated memory, a difference to the Linux kernel's struct btrfs_dir_item is that the VasEBoot_btrfs_dir_item has an extra field for where the name is stored, so we adjust for that too. Reviewed-by: Daniel Kiper 2022-06-07 Sudhakar Kuppusamy fs/f2fs: Do not copy file names that are too long A corrupt f2fs file system might specify a name length which is greater than the maximum name length supported by the VAS_EBOOT f2fs driver. We will allocate enough memory to store the overly long name, but there are only F2FS_NAME_LEN bytes in the source, so we would read past the end of the source. While checking directory entries, do not copy a file name with an invalid length. Reviewed-by: Daniel Kiper 2022-06-07 Sudhakar Kuppusamy fs/f2fs: Do not read past the end of nat bitmap A corrupt f2fs filesystem could have a block offset or a bitmap offset that would cause us to read beyond the bounds of the nat bitmap. Introduce the nat_bitmap_size member in VasEBoot_f2fs_data which holds the size of nat bitmap. Set the size when loading the nat bitmap in nat_bitmap_ptr(), and catch when an invalid offset would create a pointer past the end of the allocated space. Check against the bitmap size in VasEBoot_f2fs_test_bit() test bit to avoid reading past the end of the nat bitmap. Reviewed-by: Daniel Kiper 2022-06-07 Sudhakar Kuppusamy fs/f2fs: Do not read past the end of nat journal entries A corrupt f2fs file system could specify a nat journal entry count that is beyond the maximum NAT_JOURNAL_ENTRIES. Check if the specified nat journal entry count before accessing the array, and throw an error if it is too large. Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens net/http: Error out on headers with LF without CR In a similar vein to the previous patch, parse_line() would write a NUL byte past the end of the buffer if there was an HTTP header with a LF rather than a CRLF. RFC-2616 says: Many HTTP/1.1 header field values consist of words separated by LWS or special characters. These special characters MUST be in a quoted string to be used within a parameter value (as defined in section 3.6). We don't support quoted sections or continuation lines, etc. If we see an LF that's not part of a CRLF, bail out. Fixes: CVE-2022-28734 Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens net/http: Fix OOB write for split http headers VAS_EBOOT has special code for handling an http header that is split across two packets. The code tracks the end of line by looking for a "\n" byte. The code for split headers has always advanced the pointer just past the end of the line, whereas the code that handles unsplit headers does not advance the pointer. This extra advance causes the length to be one greater, which breaks an assumption in parse_line(), leading to it writing a NUL byte one byte past the end of the buffer where we reconstruct the line from the two packets. It's conceivable that an attacker controlled set of packets could cause this to zero out the first byte of the "next" pointer of the VasEBoot_mm_region structure following the current_line buffer. Do not advance the pointer in the split header case. Fixes: CVE-2022-28734 Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens net/http: Do not tear down socket if it's already been torn down It's possible for data->sock to get torn down in tcp error handling. If we unconditionally tear it down again we will end up doing writes to an offset of the NULL pointer when we go to tear it down again. Detect if it has been torn down and don't do it again. Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens net/tftp: Avoid a trivial UAF Under tftp errors, we print a tftp error message from the tftp header. However, the tftph pointer is a pointer inside nb, the netbuff. Previously, we were freeing the nb and then dereferencing it. Don't do that, use it and then free it later. This isn't really _bad_ per se, especially as we're single-threaded, but it trips up fuzzers. Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens net/tftp: Prevent a UAF and double-free from a failed seek A malicious tftp server can cause UAFs and a double free. An attempt to read from a network file is handled by VasEBoot_net_fs_read(). If the read is at an offset other than the current offset, VasEBoot_net_seek_real() is invoked. In VasEBoot_net_seek_real(), if a backwards seek cannot be satisfied from the currently received packets, and the underlying transport does not provide a seek method, then VasEBoot_net_seek_real() will close and reopen the network protocol layer. For tftp, the ->close() call goes to tftp_close() and frees the tftp_data_t file->data. The file->data pointer is not nulled out after the free. If the ->open() call fails, the file->data will not be reallocated and will continue point to a freed memory block. This could happen from a server refusing to send the requisite ack to the new tftp request, for example. The seek and the read will then fail, but the VasEBoot_file continues to exist: the failed seek does not necessarily cause the entire file to be thrown away (e.g. where the file is checked to see if it is gzipped/lzio/xz/etc., a read failure is interpreted as a decompressor passing on the file, not as an invalidation of the entire VasEBoot_file_t structure). This means subsequent attempts to read or seek the file will use the old file->data after free. Eventually, the file will be close()d again and file->data will be freed again. Mark a net_fs file that doesn't reopen as broken. Do not permit read() or close() on a broken file (seek is not exposed directly to the file API - it is only called as part of read, so this blocks seeks as well). As an additional defence, null out the ->data pointer if tftp_open() fails. That would have lead to a simple null pointer dereference rather than a mess of UAFs. This may affect other protocols, I haven't checked. Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens net/dns: Don't read past the end of the string we're checking against I don't really understand what's going on here but fuzzing found a bug where we read past the end of check_with. That's a C string, so use VasEBoot_strlen() to make sure we don't overread it. Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens net/dns: Fix double-free addresses on corrupt DNS response VasEBoot_net_dns_lookup() takes as inputs a pointer to an array of addresses ("addresses") for the given name, and pointer to a number of addresses ("naddresses"). VasEBoot_net_dns_lookup() is responsible for allocating "addresses", and the caller is responsible for freeing it if "naddresses" > 0. The DNS recv_hook will sometimes set and free the addresses array, for example if the packet is too short: if (ptr + 10 >= nb->tail) { if (!*data->naddresses) VasEBoot_free (*data->addresses); VasEBoot_netbuff_free (nb); return VAS_EBOOT_ERR_NONE; } Later on the nslookup command code unconditionally frees the "addresses" array. Normally this is fine: the array is either populated with valid data or is NULL. But in these sorts of error cases it is neither NULL nor valid and we get a double-free. Only free "addresses" if "naddresses" > 0. It looks like the other use of VasEBoot_net_dns_lookup() is not affected. Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens net/netbuff: Block overly large netbuff allocs A netbuff shouldn't be too huge. It's bounded by MTU and TCP segment reassembly. If we are asked to create one that is unreasonably big, refuse. This is a hardening measure: if we hit this code, there's a bug somewhere else that we should catch and fix. This commit: - stops the bug propagating any further. - provides a spot to instrument in e.g. fuzzing to try to catch these bugs. I have put instrumentation (e.g. __builtin_trap() to force a crash) here and have not been able to find any more crashes. Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens net/ip: Do IP fragment maths safely We can receive packets with invalid IP fragmentation information. This can lead to rsm->total_len underflowing and becoming very large. Then, in VasEBoot_netbuff_alloc(), we add to this very large number, which can cause it to overflow and wrap back around to a small positive number. The allocation then succeeds, but the resulting buffer is too small and subsequent operations can write past the end of the buffer. Catch the underflow here. Fixes: CVE-2022-28733 Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens normal/charset: Fix array out-of-bounds formatting unicode for display In some cases attempting to display arbitrary binary strings leads to ASAN splats reading the widthspec array out of bounds. Check the index. If it would be out of bounds, return a width of 1. I don't know if that's strictly correct, but we're not really expecting great display of arbitrary binary data, and it's certainly not worse than an OOB read. Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens video/readers/jpeg: Block int underflow -> wild pointer write Certain 1 px wide images caused a wild pointer write in VasEBoot_jpeg_ycrcb_to_rgb(). This was caused because in VasEBoot_jpeg_decode_data(), we have the following loop: for (; data->r1 < nr1 && (!data->dri || rst); data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) We did not check if vb * width >= hb * nc1. On a 64-bit platform, if that turns out to be negative, it will underflow, be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so we see data->bitmap_ptr jump, e.g.: 0x6180_0000_0480 to 0x6181_0000_0498 ^ ~--- carry has occurred and this pointer is now far away from any object. On a 32-bit platform, it will decrement the pointer, creating a pointer that won't crash but will overwrite random data. Catch the underflow and error out. Fixes: CVE-2021-3697 Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens video/readers/jpeg: Refuse to handle multiple start of streams An invalid file could contain multiple start of stream blocks, which would cause us to reallocate and leak our bitmap. Refuse to handle multiple start of streams. Additionally, fix a VasEBoot_error() call formatting. Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens video/readers/jpeg: Do not reallocate a given huff table Fix a memory leak where an invalid file could cause us to reallocate memory for a huffman table we had already allocated memory for. Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens video/readers/jpeg: Abort sooner if a read operation fails Fuzzing revealed some inputs that were taking a long time, potentially forever, because they did not bail quickly upon encountering an I/O error. Try to catch I/O errors sooner and bail out. Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens video/readers/png: Sanity check some huffman codes ASAN picked up two OOB global reads: we weren't checking if some code values fit within the cplens or cpdext arrays. Check and throw an error if not. Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens video/readers/png: Avoid heap OOB R/W inserting huff table items In fuzzing we observed crashes where a code would attempt to be inserted into a huffman table before the start, leading to a set of heap OOB reads and writes as table entries with negative indices were shifted around and the new code written in. Catch the case where we would underflow the array and bail. Fixes: CVE-2021-3696 Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens video/readers/png: Drop greyscale support to fix heap out-of-bounds write A 16-bit greyscale PNG without alpha is processed in the following loop: for (i = 0; i < (data->image_width * data->image_height); i++, d1 += 4, d2 += 2) { d1[R3] = d2[1]; d1[G3] = d2[1]; d1[B3] = d2[1]; } The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration, but there are only 3 bytes allocated for storage. This means that image data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes out of every 4 following the end of the image. This has existed since greyscale support was added in 2013 in commit 3ccf16dff98f (VasEBoot-core/video/readers/png.c: Support grayscale). Saving starfield.png as a 16-bit greyscale image without alpha in the gimp and attempting to load it causes VasEBoot-emu to crash - I don't think this code has ever worked. Delete all PNG greyscale support. Fixes: CVE-2021-3695 Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens video/readers/png: Refuse to handle multiple image headers This causes the bitmap to be leaked. Do not permit multiple image headers. Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens video/readers/png: Abort sooner if a read operation fails Fuzzing revealed some inputs that were taking a long time, potentially forever, because they did not bail quickly upon encountering an I/O error. Try to catch I/O errors sooner and bail out. Reviewed-by: Daniel Kiper 2022-06-07 Daniel Axtens kern/file: Do not leak device_name on error in VasEBoot_file_open() If we have an error in VasEBoot_file_open() before we free device_name, we will leak it. Free device_name in the error path and null out the pointer in the good path once we free it there. Reviewed-by: Daniel Kiper 2022-06-07 Julian Andres Klode kern/efi/sb: Reject non-kernel files in the shim_lock verifier We must not allow other verifiers to pass things like the VAS_EBOOT modules. Instead of maintaining a blocklist, maintain an allowlist of things that we do not care about. This allowlist really should be made reusable, and shared by the lockdown verifier, but this is the minimal patch addressing security concerns where the TPM verifier was able to mark modules as verified (or the OpenPGP verifier for that matter), when it should not do so on shim-powered secure boot systems. Fixes: CVE-2022-28735 Reviewed-by: Daniel Kiper 2022-06-07 Chris Coulson loader/efi/chainloader: Use VasEBoot_loader_set_ex() This ports the EFI chainloader to use VasEBoot_loader_set_ex() in order to fix a use-after-free bug that occurs when VasEBoot_cmd_chainloader() is executed more than once before a boot attempt is performed. Fixes: CVE-2022-28736 Reviewed-by: Daniel Kiper 2022-06-07 Chris Coulson commands/boot: Add API to pass context to loader Loaders rely on global variables for saving context which is consumed in the boot hook and freed in the unload hook. In the case where a loader command is executed twice, calling VasEBoot_loader_set() a second time executes the unload hook, but in some cases this runs when the loader's global context has already been updated, resulting in the updated context being freed and potential use-after-free bugs when the boot hook is subsequently called. This adds a new API, VasEBoot_loader_set_ex(), which allows a loader to specify context that is passed to its boot and unload hooks. This is an alternative to requiring that loaders call VasEBoot_loader_unset() before mutating their global context. Reviewed-by: Daniel Kiper 2022-06-07 Chris Coulson loader/efi/chainloader: Simplify the loader state The chainloader command retains the source buffer and device path passed to LoadImage(), requiring the unload hook passed to VasEBoot_loader_set() to free them. It isn't required to retain this state though - they aren't required by StartImage() or anything else in the boot hook, so clean them up before VasEBoot_cmd_chainloader() finishes. Reviewed-by: Daniel Kiper 2022-06-07 Jagannathan Raman fs/zfs/zfs: zfs_mount() - avoid pointer downcasting Coverity reports that while loopis in the following functions uses tainted data as boundary: zfs_mount() -> check_mos_features() -> dnode_get() -> zfs_log2() zfs_mount() -> VasEBoot_memmove() The defect type is "Untrusted loop bound" caused as a result of "tainted_data_downcast". Coverity does not like the pointer downcast here and we need to address it. We believe Coverity flags pointer downcast for the following two reasons: 1. External data: The pointer downcast could indicate that the source is external data, which we need to further sanitize - such as verifying its limits. In this case, the data is read from an external source, which is a disk. But, zio_read(), which reads the data from the disk, sanitizes it using a checksum. checksum is the best facility that ZFS offers to verify external data, and we don't believe a better way exists. Therefore, no further action is possible for this. 2. Corruption due to alignment: downcasting a pointer from a strict type to less strict type could result in data corruption. For example, the following cast would corrupt because uint32_t is 4-byte aligned, and won't be able to point to 0x1003 which is not 4-byte aligned. uint8_t *ptr = 0x1003; uint32_t *word = ptr; (incorrect, alignment issues) This patch converts the "osp" pointer in zfs_mount() from a "void" type to "objset_phys_t" type to address this issue. We are not sure if there are any other reasons why Coverity flags the downcast. However, the fix for alignment issue masks/suppresses any other issues from showing up. Fixes: CID 314023 Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-06-07 Jagannathan Raman fs/zfs/zfs: make_mdn() - avoid pointer downcasting Coverity reports that the while loop in the following function uses tainted data as boundary: fill_fs_info() -> dnode_get() -> zfs_log2() The tainted originated from: fill_fs_info() -> make_mdn() The defect type is "Untrusted loop bound" caused as a result of "tainted_data_downcast". Coverity does not like the pointer downcast here and we need to address it. We believe Coverity flags pointer downcast for the following two reasons: 1. External data: The pointer downcast could indicate that the source is external data, which we need to further sanitize - such as verifying its limits. In this case, the data is read from an external source, which is a disk. But, zio_read(), which reads the data from the disk, sanitizes it using a checksum. checksum is the best facility that ZFS offers to verify external data, and we don't believe a better way exists. Therefore, no further action is possible for this. 2. Corruption due to alignment: downcasting a pointer from a strict type to less strict type could result in data corruption. For example, the following cast would corrupt because uint32_t is 4-byte aligned, and won't be able to point to 0x1003 which is not 4-byte aligned. uint8_t *ptr = 0x1003; uint32_t *word = ptr; (incorrect, alignment issues) This patch converts the "osp" pointer in make_mdn() from a "void" type to "objset_phys_t" type to address the issue. We are not sure if there are any other reasons why Coverity flags the downcast. However, the fix for alignment issue masks/suppresses any other issues from showing up. Fixes: CID 314020 Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-06-07 Alec Brown util/VasEBoot-module-verifierXX: Add e_shoff check in get_shdr() In util/VasEBoot-module-verifierXX.c, the function get_shdr() is used to obtain the section header at a given index but isn't checking that there is an offset for the section header table. To validate that there is, we can check that e_shoff isn't 0. Reviewed-by: Daniel Kiper Reviewed-by: Darren Kenny 2022-06-07 Alec Brown VasEBoot-core/loader/i386/bsdXX: Avoid downcasting (char *) to (Elf_Shdr *) In bsdXX.c, a couple of untrusted loop bound and untrusted allocation size bugs were flagged by Coverity in the functions VasEBoot_openbsd_find_ramdisk() and VasEBoot_freebsd_load_elfmodule(). These bugs were flagged by coverity because the variable shdr was downcasting from a char pointer to an Elf_Shdr pointer whenever it was used to set the base value in for loops. To avoid this, we need to set shdr as an Elf_Shdr pointer where it is initialized. In the function read_headers(), the function is reading elf section header data from a file and passing it to the variable shdr as data for a char pointer. If we switch the type of shdr to an Elf_Shdr pointer in read_headers() as well as other functions, then we won't need to downcast to an Elf_Shdr pointer. By doing this, the issue becomes masked from Coverity's view. In the following patches, we check limits to ensure the data isn't tainted. Also, switched use of (char *) to (VasEBoot_uint8_t *) to give a better indication of pointer arithmetic and not suggest use of a C string. Fixes: CID 314018 Fixes: CID 314030 Fixes: CID 314031 Fixes: CID 314039 Reviewed-by: Daniel Kiper Reviewed-by: Darren Kenny 2022-06-07 Stefan Agner disk/efi/efidisk: Pass buffers with higher alignment Some devices report IoAlign values but seem to require buffers with higher alignment. The UEFI specification is saying: "IoAlign values of 0 and 1 mean that the buffer can be placed anywhere in memory. Otherwise, IoAlign must be a power of 2, and the requirement is that the start address of a buffer must be evenly divisible by IoAlign with no remainder." Some devices report IoAlign of 2, however seem to require 4 bytes aligned buffers. It seems that this got misinterpreted by some vendors assuming IoAlign is 2^IoAlign. There is also such a hint in an example in earlier versions of the Driver Writer's Guide: ScsiPassThruMode.IoAlign = 2; // Data must be alligned on 4-byte boundary Some devices report no alignment requirements at all but seem to read corrupted data or report read errors when passing unaligned buffers. Work around by using an alignment of at least BlockSize (typically 512 bytes) in any case. If IoAlign (interpreted as per UEFI specification) requests a higher alignment than BlockSize, follow IoAlign still. Note: The problem has only noticed with compressed squashfs. It seems that ext4 (and presumably other file system drivers) pass buffers with a higher alignment already. Acked-by: Heinrich Schuchardt Reviewed-by: Daniel Kiper 2022-06-07 Samuel Thibault osdep/hurd/getroot: Use "part:" qualifier When using userland drivers such as rumpdisk, we'd rather make ext2fs use parted-based libstore partitioning support. That can be used for kernelland drivers as well, so we can just make VAS_EBOOT always use the "part:" qualifier to switch ext2fs to it. VasEBoot_util_find_hurd_root_device() then has to understand this syntax and translate it into the /dev/ entry name. Reviewed-by: Daniel Kiper 2022-06-07 Glenn Washburn docs: Add documentation on keyfile option to cryptomount Reviewed-by: Daniel Kiper disk/cryptodisk: Use enum constants as indexes into cryptomount option array Reviewed-by: Daniel Kiper 2022-06-07 John Lane disk/cryptodisk: Add options to cryptomount to support keyfiles Add the options --key-file, --keyfile-offset, and --keyfile-size to cryptomount and code to put read the requested key file data and pass via the cargs struct. Note, key file data is for all intents and purposes equivalent to a password given to cryptomount. So there is no need to enable support for key files in the various crypto backends (e.g. LUKS1) because the key data is passed just as if it were a password. Reviewed-by: Daniel Kiper 2022-06-07 Denis 'GNUtoo' Carikli disk/geli: Unify VasEBoot_cryptodisk_dev function names Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper disk/luks: Unify VasEBoot_cryptodisk_dev function names Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2022-06-07 Glenn Washburn util/probe: Remove unused header includes Reviewed-by: Daniel Kiper commands/macbless: Remove whitespace between N_ macro and open parenthesis Reviewed-by: Daniel Kiper 2022-06-07 Glenn Washburn tests: Add /sbin and /usr/sbin to path in partmap test The partmap test requires no elevated privileges. However, it uses parted which can be used as a normal user, but is usually located in /sbin or /usr/bin (eg. on Debian systems). Whereas the normal user does not usually have /sbin or /usr/sbin added to their path, thus parted will not be found causing the test to abort. Add /sbin and /usr/sbin to the path for the partmap test so that the test can run successfully as an unprivileged user. Reviewed-by: Daniel Kiper 2022-06-07 Glenn Washburn tests: Show host determined fs UUID when hfs UUID test fails On failure, the hfs test should show both the host and VAS_EBOOT determined fs UUID. Prior to this change, both outputs where generated by VAS_EBOOT, which is less helpful in determining the cause of failure. Reviewed-by: Daniel Kiper 2022-05-24 Glenn Washburn docs: Add section for general undocumented commands The section is an itemized list of commands that are not listed else where in the command sections. Reviewed-by: Daniel Kiper 2022-05-24 Glenn Washburn docs: Add under documented loader commands to beginning of loader section Reviewed-by: Daniel Kiper 2022-05-24 Glenn Washburn docs: Create command section for loader commands Move loader commands documented in the general commands list into the loader command section. Reviewed-by: Daniel Kiper 2022-05-24 Glenn Washburn docs: Markup loader commands with @command tag Also, add period to terminate sentence. Reviewed-by: Daniel Kiper 2022-05-24 Glenn Washburn docs: Make note of i386-pc specific usage of halt command The --no-apm option is only available on the i396-pc target. Reviewed-by: Daniel Kiper 2022-05-24 Glenn Washburn docs: Make note that sendkey is only available on i386-pc Reviewed-by: Daniel Kiper docs: Fix spelling typo and remove unnecessary spaces Reviewed-by: Daniel Kiper 2022-05-24 Glenn Washburn net/net: Fix incorrect condition for calling VasEBoot_net_tcp_retransmit() The commit 848724273e4 (net/net: Avoid unnecessary calls to VasEBoot_net_tcp_retransmit()) needs to have its condition inverted to avoid unnecessary calls to VasEBoot_net_tcp_retransmit(). As it is, it creates many unnecessary calls and does not call VasEBoot_net_tcp_retransmit() when needed. The call to VasEBoot_net_tcp_retransmit() should only be made when VasEBoot_net_cards does _not_ equal NULL, meaning that there are potentially network cards that need TCP retransmission. Fixes: 848724273e4 (net/net: Avoid unnecessary calls to VasEBoot_net_tcp_retransmit()) Reviewed-by: Daniel Kiper 2022-05-24 Oskari Pirhonen templates: Improve initramfs detection Add detection for initramfs of the form *.img.old. For example, Gentoo's sys-kernel/genkernel installs it as initramfs-*.img and moves any existing one to initramfs-*.img.old. Apply the same scheme to initrd-*.img and initrd-*.gz files for consistency. Reviewed-by: Daniel Kiper 2022-05-24 Samuel Thibault osdep/hurd: Support device entries with @/dev/disk: qualifier Those are used with non-bootstrap disk drivers, for which libstore has to open /dev/disk before calling device_open on it instead of on the device master port. Normally in that case all /dev/ entries also have the @/dev/disk: qualifier, so we can just drop it. Reviewed-by: Daniel Kiper 2022-05-24 Darren Kenny VasEBoot-mkimage: Creating aarch64 images from x86 host is broken A recent fix that made appears to have broken the ability to create an aarch64 boot image on a x86-based host. This was due to an overzealous testing of the architecture when building VasEBoot-mkimage and removing the code that build an ARM image when not built on ARM. On the occasion remove redundant break. Fixes: 8541f319 (VasEBoot-mkimage: Only check aarch64 relocations when built for aarch64) Tested-by: Selva Ganesan Reviewed-by: Daniel Kiper 2022-05-24 Icenowy Zheng VasEBoot-install: Allow to install to non-EFI ESP when --force Although the EFI specification enforces support for FAT ESP, it's free for EFI implementations to implement support for ESPs with other formats (e.g. ext4, ntfs, etc), and at least U-Boot EFI will support ext4 ESP if U-Boot is built with ext4 support. In some situations a VAS_EBOOT installation on such a non-FAT ESP could be useful (e.g. a NTFS-based USB disk that can dual boot a Windows installation media and a Linux LiveCD). As this is advanced and implementation-dependent behavior, let VasEBoot-install allow this kind of installation, but only when --force is specified. Reviewed-by: Daniel Kiper 2022-04-26 Qiumiao Zhang net: Fix NULL pointer dereference when parsing ICMP6_ROUTER_ADVERTISE messages During UEFI PXE boot in IPv6 network, if the DHCP server adopts stateful automatic configuration, then the client receives a ICMP6_ROUTER_ADVERTISE multicast message from the server. This may be received without the interface having a configured network address, so orig_inf will be NULL, which can lead to a NULL dereference when creating the default route. Actually, in this case, the client obtains the default route through DHCPv6 instead of RA messages. So if orig_inf == NULL and route_inf == NULL, we should not set the default route. Fixes: https://savannah.gnu.org/bugs/?62072 Reviewed-by: Daniel Kiper 2022-04-26 Glenn Washburn tests: Ensure that loopback devices and zfs devices are cleaned up ZFS file systems are not unmounted using umount, but instead by exporting them. So export the ZFS file system that has the same label as the one that was created during the test, if such one exists. This is required to delete the loopback device that uses the ZFS image file. Otherwise the added code to delete all loopback devices setup during the test run will never be able to finish because the loopback device can not be deleted while in use. Reviewed-by: Daniel Kiper 2022-04-26 Glenn Washburn tests: Ensure that mountpoints are unmounted before exiting When all tests complete successfully, filesystems mounted by VasEBoot-fs-tester will be unmounted before exiting. However, on certain test failures the tester will exit with a failure code and not unmount previously mounted filesystems. Now keep track of mounts and umounts and run an exit handler on exit or process interruption that will umount all mounts that haven't already been unmounted. Reviewed-by: Daniel Kiper 2022-04-20 Glenn Washburn docs: Use correct list format Using "*" to prefix list items leads to undesirable display output for at least the generation of the html documentation. Use the @itemize and @item directives to get itemized list output. Also fix some wording and punctuation issues. Reviewed-by: Daniel Kiper 2022-04-20 Glenn Washburn docs: Clarify meaning of "list" and "cond" for "if" and "while" commands respectively It is not clear from the documentation what a "list" is in the context of the "if" command. Note that its a list of simple commands separated by a ";" and that only the exit status of the last command matters. The same is true for the "cond" parameter to the "while" command. Reviewed-by: Daniel Kiper 2022-04-20 Glenn Washburn docs: Add note that drivemap is only available on i386-pc Reviewed-by: Daniel Kiper 2022-04-20 Glenn Washburn tests: Give VasEBoot-fs-tester temp directory a better name Instead of "tmp" the name is prefixed by the name of the scripts (e.g. VasEBoot-fs-tester). A timestamp is added in the name to allow for easily seeing a chronological sorting of runs and the name of the filesystem being tested. The random component is set to the minimal possible, 3 characters, because the timestamp should provide enough uniqueness. Reviewed-by: Daniel Kiper 2022-04-20 Glenn Washburn tests: Disable blkid cache usage Using the blkid cache can cause issues when running many file system tests in parallel. We do not need it, as its only there to improve performance, and using the cache does not provide significant performance improvements. Reviewed-by: Daniel Kiper 2022-04-20 Glenn Washburn configure: Fix default -O2 being added when CFLAGS not set Autoconf will set a default CFLAGS of "-g -O2" if CFLAGS is not set. CFLAGS was defaulted to "" early in configure to prevent this. A recent commit ad9ccf660 (configure: Fix various new autotools warnings) added AC_USE_SYSTEM_EXTENSIONS, which pulls in the autoconf CFLAGS check, before we default CFLAGS and thus setting the autoconf default for CFLAGS. Move the default setting of CFLAGS to before AC_USE_SYSTEM_EXTENSIONS so that autoconf will see CFLAGS as set and not give it a default. CFLAGS is also moved above AC_CONFIG_AUX_DIR, because CFLAGS should be defaulted to "" as soon as possible to catch any autoconf macros that try to use some other default. Regardless, this currently has no effect as that macro does not consider the CFLAGS variable. Reviewed-by: Robbie Harwood Reviewed-by: Daniel Kiper 2022-04-20 Darren Kenny video/readers/jpeg: Fix possible invalid loop boundary condition The value of next_marker is adjusted based on the word sized value read from data->file. The updated next_marker value should reference a location in the file just beyond the huffman table, and as such should not have a value larger than the size of the file. Fixes: CID 73657 Reviewed-by: Daniel Kiper 2022-04-20 Michael Chang lib/reed_solomon: Fix array subscript 0 is outside array bounds The VasEBoot_absolute_pointer() is a compound expression that can only work within a function. We are out of luck here when the pointer variables require global definition due to ATTRIBUTE_TEXT that have to use fully initialized global definition because of the way linkers work. static gf_single_t * const gf_powx ATTRIBUTE_TEXT = (void *) 0x100000; For the reason given above, use GCC diagnostic pragmas to suppress the array-bounds warning. Reviewed-by: Daniel Kiper 2022-04-20 Michael Chang build: Fix -Werror=array-bounds array subscript 0 is outside array bounds The VAS_EBOOT is failing to build with GCC-12 in many places like this: In function 'init_cbfsdisk', inlined from 'VasEBoot_mod_init' at ../../VasEBoot-core/fs/cbfs.c:391:3: ../../VasEBoot-core/fs/cbfs.c:345:7: error: array subscript 0 is outside array bounds of 'VasEBoot_uint32_t[0]' {aka 'unsigned int[]'} [-Werror=array-bounds] 345 | ptr = *(VasEBoot_uint32_t *) 0xfffffffc; | ~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This is caused by GCC regression in 11/12 [1]. In a nut shell, the warning is about detected invalid accesses at non-zero offsets to NULL pointers. Since hardwired constant address is treated as NULL plus an offset in the same underlying code, the warning is therefore triggered. Instead of inserting #pragma all over the places where literal pointers are accessed to avoid diagnosing array-bounds, we can try to borrow the idea from Linux kernel that the absolute_pointer() macro [2][3] is used to disconnect a pointer using literal address from it's original object, hence GCC won't be able to make assumptions on the boundary while doing pointer arithmetic. With that we can greatly reduce the code we have to cover up by making initial literal pointer assignment to use the new wrapper but not having to track everywhere literal pointers are accessed. This also makes code looks cleaner. Please note the VasEBoot_absolute_pointer() macro requires to be invoked in a function as long as it is compound expression. Some global variables with literal pointers has been changed to local ones in order to use VasEBoot_absolute_pointer() to initialize it. The shuffling is basically done in a selective and careful way that the variable's scope doesn't matter being local or global, for example, the global variable must not get modified at run time throughout. For the record, here's the list of global variables got shuffled in this patch: VasEBoot-core/commands/i386/pc/drivemap.c:int13slot VasEBoot-core/term/i386/pc/console.c:bios_data_area VasEBoot-core/term/ns8250.c:serial_hw_io_addr [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99578 [2] https://elixir.bootlin.com/linux/v5.16.14/source/include/linux/compiler.h#L180 [3] https://elixir.bootlin.com/linux/v5.16.14/source/include/linux/compiler-gcc.h#L31 Reviewed-by: Daniel Kiper 2022-04-20 Michael Chang util/mkimage: Fix dangling pointer may be used error The warning is real as long as dangling pointer to tmp_ may be used if o32 and o64 are both NULL. However that is not going to happen and can be ignored safely because the PE_OHDR is being used in a context that either o32 or o64 must have been properly initialized. Sadly compiler seems not to always optimize that unused tmp_ away so explicit suppression remain needed here. ../util/mkimage.c: In function 'VasEBoot_install_generate_image': ../util/mkimage.c:1422:41: error: dangling pointer to 'tmp_' may be used [-Werror=dangling-pointer=] 1422 | PE_OHDR (o32, o64, header_size) = VasEBoot_host_to_target32 (header_size); ../util/mkimage.c:857:28: note: 'tmp_' declared here 857 | __typeof__((o64)->field) tmp_; \ | ^~~~ Reviewed-by: Daniel Kiper 2022-04-20 Chad Kimes net/drivers/efi/efinet: Configure VLAN from UEFI device used for PXE This patch handles automatic configuration of VLAN when booting from PXE on UEFI hardware. Reviewed-by: Daniel Kiper 2022-04-20 Chad Kimes kern/efi/efi: Print VLAN info in EFI device path Reviewed-by: Daniel Kiper 2022-04-20 Chad Kimes net/net: Add net_set_vlan command Previously there was no way to set the 802.1Q VLAN identifier, despite support for vlantag in the net module. The only location vlantag was being populated was from PXE boot and only for Open Firmware hardware. This commit allows users to manually configure VLAN information for any interface. Example usage: VasEBoot> net_ls_addr efinet1 00:11:22:33:44:55 192.0.2.100 VasEBoot> net_set_vlan efinet1 100 VasEBoot> net_ls_addr efinet1 00:11:22:33:44:55 192.0.2.100 vlan100 VasEBoot> net_set_vlan efinet1 0 efinet1 00:11:22:33:44:55 192.0.2.100 Reviewed-by: Daniel Kiper 2022-04-20 Chad Kimes net/net: Add vlan information to net_ls_addr output Example output: VasEBoot> net_ls_addr efinet1 00:11:22:33:44:55 192.0.2.100 vlan100 Reviewed-by: Daniel Kiper 2022-04-04 Chris Coulson kern/efi/init: Log a console error during a stack check failure The initial implementation of the stack protector just busy looped in __stack_chk_fail in order to reduce the amount of code being executed after the stack has been compromised because of a lack of firmware memory protections. With future firmware implementations incorporating memory protections such as W^X, call in to boot services when an error occurs in order to log a message to the console before automatically rebooting the machine. Reviewed-by: Daniel Kiper 2022-04-04 Alec Brown loader/i386/xnu: Fix uninitialized scalar variable In the function VasEBoot_xnu_boot(), struct VasEBoot_relocator32_state state is called but isn't being initialized. This results in the members VasEBoot_uint32_t ebx, VasEBoot_uint32_t ecx, VasEBoot_uint32_t edx, VasEBoot_uint32_t edi, and VasEBoot_uint32_t esi being filled with junk data from the stack since none of them are being set to any values. We can prevent this by setting state to {0}. Fixes: CID 375035 Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-04-04 Alec Brown loader/i386/xnu: Fix uninitialized scalar variable In the function VasEBoot_xnu_boot_resume(), struct VasEBoot_relocator32_state state is called but isn't being initialized. This results in the members VasEBoot_uint32_t ebx, VasEBoot_uint32_t ecx, VasEBoot_uint32_t edx, VasEBoot_uint32_t esi, and VasEBoot_uint32_t edi being filled with junk data from the stack since none of them are being set to any values. We can prevent this by setting state to {0}. Fixes: CID 375031 Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-04-04 Alec Brown loader/i386/pc/linux: Fix uninitialized scalar variable In the function VasEBoot_linux16_boot(), struct VasEBoot_relocator16_state state is called but isn't being initialized. This results in the members VasEBoot_uint32_t ebx, VasEBoot_uint32_t edx, VasEBoot_uint32_t esi, and VasEBoot_uint32_t ebp being filled with junk data from the stack since none of them are being set to any values. We can prevent this by setting state to {0}. Fixes: CID 375028 Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-04-04 Alec Brown loader/i386/bsd: Fix uninitialized scalar variable In the function VasEBoot_netbsd_setup_video(), struct VasEBoot_netbsd_btinfo_framebuf params is called but isn't being initialized. The member VasEBoot_uint8_t reserved[16] isn't set to any values and is instead filled with junk data from the stack. We can prevent this by setting params to {0}. Fixes: CID 375026 Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-04-04 Alec Brown net/net: Fix uninitialized scalar variable In the function VasEBoot_net_ipv6_get_link_local(), VasEBoot_net_network_level_address_t addr is called but isn't being initialized. This results in the member VasEBoot_dns_option_t option being filled with junk data from the stack. We can prevent this by setting the option member in addr to 0. Fixes: CID 375033 Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-04-04 Alec Brown net/bootp: Fix uninitialized scalar variable In the function VasEBoot_net_configure_by_dhcp_ack(), VasEBoot_net_network_level_address_t addr is called but isn't being initialized. This results in the member VasEBoot_dns_option_t option being filled with junk data from the stack. To prevent this, we can set the option member in addr to 0. Fixes: CID 375036 Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-04-04 Alec Brown net/arp: Fix uninitialized scalar variable In the function VasEBoot_net_arp_receive(), VasEBoot_net_network_level_address_t sender_addr and target_addr are being called but aren't being initialized. In both of these structs, each member is being set to a value except for VasEBoot_dns_option_t option. This results in this member being filled with junk data from the stack. To prevent this, we can set the option member in both structs to 0. Fixes: CID 375030 Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-04-04 Glenn Washburn net/tcp: Only call VasEBoot_get_time_ms() when there are sockets to potentially retransmit for If the machine has network cards found, but there are no tcp open sockets (because the user doesn't use the network to boot), then VasEBoot_net_tcp_retransmit() should be a noop. Thus VAS_EBOOT doesn't need to call VasEBoot_get_time_ms(), which does a call into firmware on powerpc-ieee1275, and probably other targets. So only call VasEBoot_get_time_ms() if there are tcp sockets. Aside from improving performance, its also useful to stay out of the firmware as much as possible when debugging via QEMU because its a pain to get back in to VAS_EBOOT execution. VasEBoot_net_tcp_retransmit() can get called very frequently via VasEBoot_net_poll_cards_idle() when VAS_EBOOT is waiting for a keypress (VasEBoot_getkey_noblock() calls VasEBoot_net_poll_cards_idle()). This can be annoying when debugging an issue in VAS_EBOOT on PowerPC in QEMU with GDB when VAS_EBOOT is waiting for a keypress because interrupting via GDB nearly always lands in the OpenBIOS firmware's milliseconds call. Reviewed-by: Daniel Kiper 2022-04-04 Glenn Washburn net/net: Avoid unnecessary calls to VasEBoot_net_tcp_retransmit() In VasEBoot_net_poll_cards_idle_real(), only call VasEBoot_net_tcp_retransmit() if there are network cards found. If there are no network card found, there can be no tcp sockets to transmit on. So no need to go through that logic. Reviewed-by: Daniel Kiper 2022-04-04 Glenn Washburn net/net: Unset VasEBoot_net_poll_cards_idle when net module has been unloaded This looks like it was a copy/paste error. If the net module is unloaded, VasEBoot_net_poll_cards_idle should be NULL so that VAS_EBOOT does not try to call a function which now doesn't exist. Reviewed-by: Daniel Kiper 2022-04-04 Glenn Washburn INSTALL: Add information on using --build when cross-compiling The autoconf 2.65 manual [1] strongly recommends specifying the --build option when the --host is used. Add this to the example and add a note that this is recommended. [1] https://www.gnu.org/software/autoconf/manual/autoconf-2.65/html_node/Hosts-and-Cross_002dCompilation.html Reviewed-by: Daniel Kiper 2022-04-04 Glenn Washburn configure: Whitespace changes to improve readability Reviewed-by: Daniel Kiper 2022-04-04 Glenn Washburn configure: Remove unused CFLAGS definitions These CFLAGS definitions are reset below them before they have a change to affect anything. The exception is the *-emu case, which is put in the next if block, which is the only place its used before getting reset. Reviewed-by: Daniel Kiper 2022-04-04 Glenn Washburn configure: Remove dead code It appears as though the intent of this code is to define abort() and main() symbols for some configure tests. However, it never gets used because the if is only entered when not building for *-emu, but the next if block only runs when building for *-emu. And the if block after that unconditionally resets CFLAGS. So this code can have no effect. Additionally, s/aclocal.m4/acinclude.m4/ and move VasEBoot_ASM_USCORE to put with other marcos defined in acinclude.m4. Reviewed-by: Daniel Kiper 2022-04-04 Glenn Washburn configure: Sort AM_CONDITIONALs alphabetically Reviewed-by: Daniel Kiper 2022-04-04 Glenn Washburn configure: Allow HOST_CC to override CC According to the INSTALL, "The HOST_* variables override not prefixed variables". This change makes it so, instead of previous behavior, which was to ignore the HOST_CC environment variable. Reviewed-by: Daniel Kiper 2022-04-04 Glenn Washburn gdb: Add malloc and free symbols to kernel.exec to improve gdb functionality Add linker flags when linking kernel.exec to have malloc and free point to VasEBoot_malloc() and VasEBoot_free() respectively. Some gdb functionality depends on gdb locating the symbols "malloc" and "free", such as dynamically creating strings for arguments to injected function calls. A trivial example would the gdb command 'p strlen("astring")'. Make sure not to do this on emu platforms, or an infinite loop occurs because emu has a special VasEBoot_malloc() that calls malloc(). Reviewed-by: Daniel Kiper 2022-04-04 Renaud Métrich commands/search: Add new --efidisk-only option for EFI systems When using "search" on EFI systems, we sometimes want to exclude devices that are not EFI disks, e.g. md, lvm. This is typically used when wanting to chainload when having a software raid (md) for EFI partition: with no option, "search --file /EFI/redhat/shimx64.efi" sets root envvar to "md/boot_efi" which cannot be used for chainloading since there is no effective EFI device behind. Reviewed-by: Daniel Kiper 2022-04-04 Renaud Métrich commands/search: Refactor --no-floppy option to have something generic Reviewed-by: Daniel Kiper 2022-04-04 Hans de Goede kern/main: Suppress the "Welcome to VAS_EBOOT!" message in EFI builds VAS_EBOOT EFI builds are now often used in combination with flicker-free boot, but this breaks with upstream VAS_EBOOT because the "Welcome to VAS_EBOOT!" message will kick the EFI fb into text mode and show the msg, breaking the flicker-free experience. EFI systems are so fast, that when the menu or the countdown are enabled the message will be immediately overwritten, so in these cases not printing the message does not matter. And in case when the timeout_style is set to TIMEOUT_STYLE_HIDDEN, the user has asked VAS_EBOOT to be quiet (for example to allow flickfree boot) and thus the message should not be printed. Reviewed-by: Robbie Harwood Reviewed-by: Daniel Kiper 2022-04-04 Hans de Goede normal/menu: Don't show "Booting `%s'" msg when auto-booting with TIMEOUT_STYLE_HIDDEN When the user has asked the menu code to be hidden/quiet and the current entry is being autobooted because the timeout has expired don't show the "Booting `%s'" msg. This is necessary to let flicker-free boots really be flicker free, otherwise the "Booting `%s'" msg will kick the EFI fb into text mode and show the msg, breaking the flicker-free experience. Reviewed-by: Robbie Harwood Reviewed-by: Daniel Kiper 2022-03-21 Hans de Goede term/efi/console: Do not set cursor until the first text output To allow flickerfree boot the EFI console code does not call VasEBoot_efi_set_text_mode(1) until some text is actually output. Depending on if the output text is because of an error loading, e.g. the .cfg file, or because of showing the menu the cursor needs to be on or off when the first text is shown. So far the cursor was hardcoded to being on, but this is causing drawing artifacts + slow drawing of the menu as reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1946969 Handle the cursorstate in the same way as the colorstate to fix this, when no text has been output yet, just cache the cursorstate and then use the last set value when the first text is output. Fixes: 2d7c3abd871f (efi/console: Do not set text-mode until we actually need it) Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1946969 Reviewed-by: Daniel Kiper 2022-03-21 Hans de Goede term/efi/console: Do not set colorstate until the first text output VAS_EBOOT_MOD_INIT(normal) does an unconditional: VasEBoot_env_set ("color_normal", "light-gray/black"); which triggers a VasEBoot_term_setcolorstate() call. The original version of the "efi/console: Do not set text-mode until we actually need it" patch, https://lists.gnu.org/archive/html/VasEBoot-devel/2018-03/msg00125.html, protected against this by caching the requested state in VasEBoot_console_setcolorstate() and then only applying it when the first text output actually happens. During refactoring to move the VasEBoot_console_setcolorstate() up higher in the VasEBoot-core/term/efi/console.c file the code to cache the color-state + bail early was accidentally dropped. Restore the cache the color-state + bail early behavior from the original. Fixes: 2d7c3abd871f (efi/console: Do not set text-mode until we actually need it) Cc: Javier Martinez Canillas Reviewed-by: Daniel Kiper 2022-03-21 Darren Kenny kern/rescue_parser: Ensure that parser allocated memory is not leaked While it would appear unlikely that the memory allocated in *argv in VasEBoot_parser_split_cmdline() would be leaked, we should try ensure that it doesn't leak by calling VasEBoot_free() before we return from VasEBoot_rescue_parse_line(). To avoid a possible double-free, VasEBoot_parser_split_cmdline() is being changed to assign *argv = NULL when we've called VasEBoot_free() in the fail section. Fixes: CID 96680 Reviewed-by: Daniel Kiper 2022-03-21 Darren Kenny VasEBoot-mkimage: Only check aarch64 relocations when built for aarch64 Coverity flagged the switch checks for R_AARCH64_* as being logically dead code, since it could never happen on x86 due to the masking of the values earlier in the code. A check for building on __arm__ (which gcc and clang define) and for MKIMAGE_ELF64 (which VAS_EBOOT defines) has been added to avoid this dead code being built in. Fixes: CID 158599 Reviewed-by: Daniel Kiper 2022-03-21 Daniel Kiper lib/posix_wrap/errno.h: Add __set_errno() macro $ ./configure --target=x86_64-w64-mingw32 --with-platform=efi --host=x86_64-w64-mingw32 $ make [...] cat syminfo.lst | sort | gawk -f ./genmoddep.awk > moddep.lst || (rm -f moddep.lst; exit 1) __imp__errno in regexp is not defined This happens because VasEBoot-core/lib/gnulib/malloc/dynarray_resize.c and VasEBoot-core/lib/gnulib/malloc/dynarray_emplace_enlarge.c (both are used by regexp module) from the latest Gnulib call __set_errno() which originally sets errno variable (Windows builds add __imp__ prefix). Of course it is not defined and VasEBoot_errno should be used instead. Reviewed-by: Daniel Kiper 2022-03-21 Robbie Harwood configure: Fix various new autotools warnings Reviewed-by: Daniel Kiper 2022-03-21 Robbie Harwood gnulib: Handle warnings introduced by updated gnulib - Fix type of size variable in luks2_verify_key() - Avoid redefinition of SIZE_MAX and ATTRIBUTE_ERROR - Work around gnulib's int types on older compilers Reviewed-by: Daniel Kiper 2022-03-21 Robbie Harwood gnulib: Update gnulib version and drop most gnulib patches In addition to the changes carried in our gnulib patches, several Coverity and code hygiene fixes that were previously downstream are also included in this 3-year gnulib increment. Unfortunately, fix-width.patch is retained. Bump minimum autoconf version from 2.63 to 2.64 and automake from 1.11 to 1.14, as required by gnulib. Sync bootstrap script itself with gnulib. Update regexp module for new dynarray dependency. Reviewed-by: Daniel Kiper 2022-03-21 Robbie Harwood gnulib: Drop no-abort.patch Originally added in commit db7337a3d (VasEBoot-core/lib/posix_wrap/stdlib.h (abort): Removed), this patched out all relevant invocations of abort() in gnulib. While it was not documented why at the time, testing suggests that there's no abort() implementation available for gnulib to use. gnulib's position is that the use of abort() is correct here, since it happens when input violates a "shall" from POSIX. Additionally, the code in question is probably not reachable. Since abort() is more friendly to user-space, they prefer to make no change, so we can just carry a define instead (suggested by Paul Eggert). Reviewed-by: Daniel Kiper 2022-03-21 Robbie Harwood gnulib: Drop fix-base64.patch Originally added in commit 9fbdec2f (bootstrap: Add gnulib's base64 module) and subsequently modified in commit 552c9fd08 (gnulib: Fix build of base64 when compiling with memory debugging), fix-base64.patch handled two problems we have using gnulib, which are exercised by the base64 module but not directly caused by it. First, VAS_EBOOT defines its own bool type, while gnulib expects the equivalent of stdbool.h to be present. Rather than patching gnulib, instead use gnulib's stdbool module to provide a bool type if needed (suggested by Simon Josefsson). Second, our config.h doesn't always inherit config-util.h, which is where gnulib-related options like _GL_ATTRIBUTE_CONST end up. fix-base64.h worked around this by defining the attribute away, but this workaround is better placed in config.h itself, not a gnulib patch. Reviewed-by: Daniel Kiper 2022-03-21 Robbie Harwood config: Where present, ensure config-util.h precedes config.h gnulib defines go in config-util.h, and we need to know whether to provide duplicates in config.h or not. Reviewed-by: Daniel Kiper 2022-03-21 Robbie Harwood config.h.in: Use visual indentation Reviewed-by: Daniel Kiper 2022-03-14 Robbie Harwood INSTALL: Drop mention of libusb The commit 9d25b0da9 (Remove emu libusb support.) dropped use of libusb, but did not remove mention of it from INSTALL file. Reviewed-by: Daniel Kiper 2022-03-14 Daniel Kiper INSTALL: Add more cross-compiling Debian packages The mingw-w64-tools is especially important because with out it some Windows builds may fail due to lack of proper pkg-config. Reviewed-by: Robbie Harwood 2022-03-14 Daniel Kiper configure: Drop ${VasEBoot_coredir} unneeded references These are probably stray references left after earlier removals. Reviewed-by: Robbie Harwood 2022-03-14 Daniel Kiper conf/i386-cygwin-img-ld: Do not discard .data and .edata sections $ ./configure --target=i686-w64-mingw32 --with-platform=efi --host=i686-w64-mingw32 [...] checking if __bss_start is defined by the compiler... no checking if edata is defined by the compiler... no checking if _edata is defined by the compiler... no configure: error: none of __bss_start, edata or _edata is defined This happens on machines with quite recent ld due to an error: `edata' referenced in section `.text' of /tmp/cc72w9E4.o: defined in discarded section `.data' of conftest.exe collect2: error: ld returned 1 exit status So, we have to tell linker to not discard .data and .edata sections. The trick comes from ld documentation: 3.6.7 Output Section Discarding The linker will not normally create output sections with no contents. This is for convenience when referring to input sections that may or may not be present in any of the input files. For example: .foo : { *(.foo) } will only create a ‘.foo’ section in the output file if there is a ‘.foo’ section in at least one input file, and if the input sections are not all empty. Other link script directives that allocate space in an output section will also create the output section. So too will assignments to dot even if the assignment does not create space, except for ‘. = 0’, ‘. = . + 0’, ‘. = sym’, ‘. = . + sym’ and ‘. = ALIGN (. != 0, expr, 1)’ when ‘sym’ is an absolute symbol of value 0 defined in the script. This allows you to force output of an empty section with ‘. = .’. This change does not impact generated binaries because the conf/i386-cygwin-img-ld.sc linker script is used only when you run configure. Reviewed-by: Robbie Harwood 2022-03-14 Daniel Kiper commands/i386/pc/sendkey: Fix "writing 1 byte into a region of size 0" build error Latest GCC may complain in that way: commands/i386/pc/sendkey.c: In function ‘VasEBoot_sendkey_postboot’: commands/i386/pc/sendkey.c:223:21: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] 223 | *((char *) 0x41a) = 0x1e; | ~~~~~~~~~~~~~~~~~~^~~~~~ The volatile keyword addition helps and additionally assures us the compiler will not optimize out fixed assignments. Reviewed-by: Robbie Harwood 2022-03-14 Daniel Kiper loader/i386/bsd: Initialize ptr variable in VasEBoot_bsd_add_meta() Latest GCC may complain in that way: In file included from ../include/VasEBoot/disk.h:31, from ../include/VasEBoot/file.h:26, from ../include/VasEBoot/loader.h:23, from loader/i386/bsd.c:19: loader/i386/bsd.c: In function ‘VasEBoot_cmd_openbsd’: ../include/VasEBoot/misc.h:71:10: error: ‘ptr’ may be used uninitialized in this function [-Werror=maybe-uninitialized] 71 | return VasEBoot_memmove (dest, src, n); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ loader/i386/bsd.c:266:9: note: ‘ptr’ was declared here 266 | void *ptr; | ^~~ So, let's fix it by assigning NULL to ptr in VasEBoot_bsd_add_meta(). Reviewed-by: Robbie Harwood 2022-03-14 Daniel Kiper osdep/windows/platform: Disable gcc9 -Waddress-of-packed-member $ ./configure --target=x86_64-w64-mingw32 --with-platform=efi --host=x86_64-w64-mingw32 $ make [...] In file included from VasEBoot-core/osdep/platform.c:4: VasEBoot-core/osdep/windows/platform.c: In function ‘VasEBoot_install_register_efi’: VasEBoot-core/osdep/windows/platform.c:382:41: error: taking address of packed member of ‘struct VasEBoot_efi_file_path_device_path’ may result in an unaligned pointer value [-Werror=address-of-packed-member] 382 | path16_len = VasEBoot_utf8_to_utf16 (filep->path_name, | ~~~~~^~~~~~~~~~~ Disable the -Wadress-of-packaed-member diagnostic for VasEBoot_utf8_to_utf16() call which contains filep->path_name reference. It seems safe because the structure is defined according to the UEFI spec and we hope authors did not make any mistake... :-) This fix is similar to the fix in the commit 8e8723a6b (f2fs: Disable gcc9 -Waddress-of-packed-member). Reviewed-by: Robbie Harwood 2022-03-14 Glenn Washburn po: Un-transliterate the %zu format code Commit 45bffae13 (util/resolve: Bail with error if moddep.lst file line is too long) uses the %zu format specifier which has not been used in any translated strings yet. So the sed scripts used for transliterating certain languages need to be updated otherwise creation of the message indexes will fail on an unknown format code. This is essentially the same issue fixed for the %m format code in commit 2e246b6f (po: Fix replacement of %m in sed programs). Also reorder transliteration lines to be more lexicographically ordered. Reviewed-by: Daniel Kiper 2022-03-14 Daniel Axtens net: Check against nb->tail in VasEBoot_netbuff_pull() VAS_EBOOT netbuff structure members track 2 different things: the extent of memory allocated for the packet, and the extent of memory currently being worked on. This works out in the structure as follows: nb->head: beginning of the allocation nb->data: beginning of the working data nb->tail: end of the working data nb->end: end of the allocation The head and end pointers are set in VasEBoot_netbuff_alloc() and do not change. The data and tail pointers are initialised to point at start of the allocation (that is, head == data == tail initially), and are then manipulated by VasEBoot_netbuff_*() functions. Key functions are as follows: - VasEBoot_netbuff_put(): "put" more data into the packet - advance nb->tail - VasEBoot_netbuff_unput(): trim the tail of the packet - retract nb->tail - VasEBoot_netbuff_pull(): "consume" some packet data - advance nb->data - VasEBoot_netbuff_reserve(): reserve space for future headers - advance nb->data and nb->tail - VasEBoot_netbuff_push(): "un-consume" data to allow headers to be written - retract nb->data Each of those functions does some form of error checking. For example, VasEBoot_netbuff_put() does not allow nb->tail to exceed nb->end, and VasEBoot_netbuff_push() does not allow nb->data to be before nb->head. However, VasEBoot_netbuff_pull()'s error checking is a bit weird. It advances nb->data and checks that it does not exceed nb->end. That allows you to get into the situation where nb->data > nb->tail, which should not be. Make VasEBoot_netbuff_pull() check against both nb->tail and nb->end. In theory just checking against ->tail should be sufficient but the extra check should be cheap and seems like good defensive practice. Reviewed-by: Daniel Kiper 2022-03-14 Fabian Vogt VasEBoot-mount: Add support for libfuse3 The libfuse 3.0.0 got released in 2016, with some API changes compared to 2.x. This commit introduces support for 3.x while keeping it compatible with 2.6 as a fallback still. To detect fuse3, switch configure over to use pkg-config, which is simpler yet more reliable than looking for library and header manually. Also set FUSE_USE_VERSION that way, as it depends on the used libfuse version. Now that the CFLAGS are read from pkg-config, use just , which works with 2.x as well as 3.x and is recommended by libfuse upstream. One behavior change of libfuse3 is that FUSE_ATOMIC_O_TRUNC is set by default, which means that open with O_TRUNC is passed as-is instead of calling the truncate operation. With libfuse2, truncate failed with -ENOSYS and that was returned to the application. To make O_TRUNC fail with libfuse3, return -EROFS explicitly if writing was requested. Reviewed-by: Daniel Kiper 2022-03-14 Elyes Haouas include: Remove trailing whitespaces Reviewed-by: Daniel Kiper util: Remove trailing whitespaces Reviewed-by: Daniel Kiper video: Remove trailing whitespaces Reviewed-by: Daniel Kiper tests: Remove trailing whitespaces Reviewed-by: Daniel Kiper term: Remove trailing whitespaces Reviewed-by: Daniel Kiper script: Remove trailing whitespaces Reviewed-by: Daniel Kiper partmap: Remove trailing whitespaces Reviewed-by: Daniel Kiper osdep: Remove trailing whitespaces Reviewed-by: Daniel Kiper normal: Remove trailing whitespaces Reviewed-by: Daniel Kiper net: Remove trailing whitespaces Reviewed-by: Daniel Kiper loader: Remove trailing whitespaces Reviewed-by: Daniel Kiper lib: Remove trailing whitespaces Reviewed-by: Daniel Kiper kern: Remove trailing whitespaces Reviewed-by: Daniel Kiper io: Remove trailing whitespaces Reviewed-by: Daniel Kiper gfxmenu: Remove trailing whitespaces Reviewed-by: Daniel Kiper gfxmenu: Remove trailing whitespaces Reviewed-by: Daniel Kiper fs: Remove trailing whitespaces Reviewed-by: Daniel Kiper font: Remove trailing whitespaces Reviewed-by: Daniel Kiper disk: Remove trailing whitespaces Reviewed-by: Daniel Kiper commands: Remove trailing whitespaces Reviewed-by: Daniel Kiper bus: Remove trailing whitespaces Reviewed-by: Daniel Kiper 2022-03-07 Chad Kimes net/ethernet: Fix VLAN networking on little-endian systems VLAN configuration seems to have never worked on little-endian systems. This is likely because VLANTAG_IDENTIFIER is not byte-swapped before copying into the net buffer, nor is inf->vlantag. We can resolve this by using VasEBoot_cpu_to_be16{_compile_time}() and its inverse when copying VLAN info to/from the net buffer. Reviewed-by: Daniel Kiper 2022-03-07 Heinrich Schuchardt commands/efi/lsefisystab: Short text EFI_IMAGE_SECURITY_DATABASE_GUID The EFI_IMAGE_SECURITY_DATABASE_GUID is used for the image execution information table (cf. UEFI specification 2.9, 32.5.3.1 Using The Image Execution Information Table). The lsefisystab command is used to display installed EFI configuration tables. Currently it only shows the GUID but not a short text for the table. Provide a short text for the EFI_IMAGE_SECURITY_DATABASE_GUID. Reviewed-by: Daniel Kiper 2022-03-07 Glenn Washburn tests: Fix whitespace formatting Reviewed-by: Daniel Kiper 2022-03-07 Peter Jones ChangeLog: Retire ChangeLog-2015 ChangeLog-2015 has been untouched for over 7 years now, and any information in it is purely for historical purposes. At the same time, grepping for code winds up matching this file quite a bit, almost never accomplishing anything other than cluttering up your grep results. We don't need this in the main repo, and "git show" will find it if you're looking at the old history of commits on some file. This patch deletes it and the Makefile.am rule to distribute it. Reviewed-by: Daniel Axtens Reviewed-by: Robbie Harwood Reviewed-by: Javier Martinez Canillas Reviewed-by: Daniel Kiper 2022-03-07 Peter Levine templates: Properly handle multiple initrd paths in 30_os-prober os-prober now effectively handles multiple paths passed to initrd, but VasEBoot-mkconfig still truncates off any subsequent space-delimited paths. Support proper parsing of space-delimited initrd paths passed from os-prober for distributions, like Manjaro, that require it. Fixes: https://savannah.gnu.org/bugs/?47681 Reviewed-by: Daniel Kiper 2022-03-07 Samuel Thibault templates: Add support for pci-arbiter and rumpdisk on Hurd This adds pci-arbiter and rumpdisk as bootstrap modules whenever they are available. This opens the path for fully-userland disk support. Reviewed-by: Daniel Kiper 2022-03-07 Glenn Washburn mm: Temporarily disable VasEBoot_mm_debug while calling VasEBoot_vprintf() in VasEBoot_printf() To prevent infinite recursion when VasEBoot_mm_debug is on, disable it when calling VasEBoot_vprintf(). One such call loop is: VasEBoot_vprintf() -> parse_printf_args() -> parse_printf_arg_fmt() -> VasEBoot_debug_calloc() -> VasEBoot_printf() -> VasEBoot_vprintf(). Reviewed-by: Daniel Kiper 2022-03-07 Glenn Washburn mm: Export VasEBoot_mm_dump() and VasEBoot_mm_dump_free() These functions may be useful within modules as well. Export them so that modules can use them. Reviewed-by: Daniel Kiper 2022-03-07 Glenn Washburn configure: Properly handle MM_DEBUG Define MM_DEBUG in config.h when --enable-mm-debug is passed to configure. It was being defined in config-util.h which only gets used when building VAS_EBOOT utilities for the host side. The enabling of debugging for memory management in include/VasEBoot/mm.h explicitly does not happen when compiling for the VAS_EBOOT utilities. So this debugging code effectively could never be enabled. Note, that MM_DEBUG is defined in an #if directive because the enabling of debugging checks if MM_DEBUG is defined, not what its value is. So even if MM_DEBUG were defined to nothing, the debugging code would still be enabled. Reviewed-by: Daniel Kiper 2022-03-07 Fangrui Song configure: Replace -Wl,-r,-d with -Wl,-r and add -fno-common In GNU ld and ld.lld, -d is used with -r to allocate space to COMMON symbols. This behavior is presumably to work around legacy projects which inspect relocatable output by themselves and do not handle COMMON symbols. The VAS_EBOOT does not do this. See https://github.com/llvm/llvm-project/issues/53660 -d is quite useless and ld.lld 15.0.0 will make -d no-op. COMMON symbols have special symbol resolution semantics which can cause surprise (see https://maskray.me/blog/2022-02-06-all-about-common-symbols). GCC<10 and Clang<11 defaulted to -fcommon. Just use -fno-common to avoid COMMON symbols. Reviewed-by: Daniel Kiper 2022-03-07 Glenn Washburn tests: Add check-native and check-nonnative make targets This allows for testing only tests that run directly on the build machine or only tests that run in a virtualized environment. When testing multiple targets on the same build machine the native tests only need to be run once for all targets. Whereas, the nonnative tests must be run for each target because the test is potentially compiled differently for each target. Reviewed-by: Daniel Kiper 2022-03-07 Renaud Métrich commands/search: Fix bug stopping iteration when --no-floppy is used When using --no-floppy and a floppy was encountered, iterate_device() was returning 1, causing the iteration to stop instead of continuing. Reviewed-by: Daniel Kiper 2022-03-07 Glenn Washburn Revert "iee1275/datetime: Fix off-by-1 error." This is causing the test VasEBoot_cmd_date() to fail because the returned date is one day more than it should be. This reverts commit 607d66116 (iee1275/datetime: Fix off-by-1 error.). Tested-by: Daniel Axtens Reviewed-by: Daniel Kiper 2022-02-08 Glenn Washburn tests: Remove $((BASE#NUM)) bashism in VasEBoot-fs-tester This bashism allows converting NUM in base BASE to decimal. Its not needed because the only place its used is to convert from hexidecimal and this can also be done with the more portable $((0xHEXNUM)) syntax. Reviewed-by: Daniel Kiper 2022-02-08 Glenn Washburn tests: Skip pata_test on i386-efi In comparison to other i386 targets, on i386-efi the Q35 QEMU machine type is used to do the testing to be able to make use of the EFI firmware in QEMU. On the Q35 machine type there is no way to use ATA to communicate with an IDE, only AHCI. Reviewed-by: Daniel Kiper 2022-02-08 Glenn Washburn tests: Do not remove image file on error in pata_test The image file can be useful in debugging an issue when the test fails. Reviewed-by: Daniel Kiper 2022-02-08 Alec Brown util/VasEBoot-module-verifierXX: Validate elf section header table index for section name string table In VasEBoot-module-verifierXX.c, the function find_section() uses the value from VasEBoot_target_to_host16 (e->e_shstrndx) to obtain the section header table index of the section name string table, but it wasn't being checked if the value was there. According to the elf(5) manual page, "If the index of section name string table section is larger than or equal to SHN_LORESERVE (0xff00), this member holds SHN_XINDEX (0xffff) and the real index of the section name string table section is held in the sh_link member of the initial entry in section header table. Otherwise, the sh_link member of the initial entry in section header table contains the value zero." Since this check wasn't being made, the function get_shstrndx() is being added to make this check and use e_shstrndx if it doesn't have SHN_XINDEX as a value, else use sh_link. We also need to make sure e_shstrndx isn't greater than or equal to SHN_LORESERVE and sh_link isn't less than SHN_LORESERVE. Note that it may look as though the argument *arch isn't being used, it's actually required in order to use the macros VasEBoot_target_to_host*(x) which are unwinded to VasEBoot_target_to_host*_real(arch, (x)) based on defines earlier in the file. Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-02-08 Alec Brown util/VasEBoot-module-verifierXX: Validate number of elf section header table entries In VasEBoot-module-verifierXX.c, VasEBoot_target_to_host16 (e->e_shnum) is used to obtain the number of section header table entries, but it wasn't being checked if the value was there. According to the elf(5) manual page, "If the number of entries in the section header table is larger than or equal to SHN_LORESERVE (0xff00), e_shnum holds the value zero and the real number of entries in the section header table is held in the sh_size member of the intial entry in section header table. Otherwise, the sh_size member of the initial entry in the section header table holds the value zero." Since this check wasn't being made, the function get_shnum() is being added to make this check and use whichever member doesn't have a value of zero. If both are zero, then we must return an error. We also need to make sure that e_shnum doesn't have a value greater than or equal to SHN_LORESERVE and sh_size isn't less than SHN_LORESERVE. Note that it may look as though the argument *arch isn't being used, it's actually required in order to use the macros VasEBoot_target_to_host*(x) which are unwinded to VasEBoot_target_to_host*_real(arch, (x)) based on defines earlier in the file. Fixes: CID 314021 Fixes: CID 314027 Fixes: CID 314033 Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-02-08 Alec Brown util/VasEBoot-module-verifierXX: Add function to calculate section headers Added the function get_shdr() which returns the section header at a given index parameter passed into this function. This helps traverse the section header table and reduces repeated calls to lengthy equations used to obtain section headers. Note that it may look as though the argument *arch isn't being used, it's actually required in order to use the macros VasEBoot_target_to_host*(x) which are unwinded to VasEBoot_target_to_host*_real(arch, (x)) based on defines earlier in the file. Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-02-08 Alec Brown fs/affs: Fix resource leaks In commit 178ac5107389 (affs: Fix memory leaks), fixes were made to VasEBoot_affs_iterate_dir() to prevent memory leaks from occurring after it returns without freeing node. However, there were still some instances where node was causing a memory leak when the function returns after calling VasEBoot_affs_create_node(). In this function, new memory is allocated to node but doesn't get freed until the hook() function is called near the end. Before hook() is called, node should be freed in VasEBoot_affs_create_node() before returning out of it. Fixes: 178ac5107389 (affs: Fix memory leaks) Fixes: CID 73759 Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2022-02-08 Heinrich Schuchardt RISC-V: Adjust -march flags for binutils 2.38 As of version 2.38 binutils defaults to ISA specification version 2019-12-13. This version of the specification has has separated the the csr read/write (csrr*/csrw*) instructions and the fence.i from the I extension and put them into separate Zicsr and Zifencei extensions. This implies that we have to adjust the -march flag passed to the compiler accordingly. Reviewed-by: Daniel Kiper 2022-02-08 Heinrich Schuchardt efi: Correct struct VasEBoot_efi_boot_services The UEFI specification defines that the EFI_BOOT_SERVICES.Exit(() service may return EFI_SUCCESS or EFI_INVALID_PARAMETER. So it cannot be __attribute__((noreturn)). Reviewed-by: Daniel Kiper 2022-02-08 Glenn Washburn conf/Makefile.common: Order alphabetically variables Reviewed-by: Daniel Kiper 2022-02-08 Stephen Balousek net/http: Allow use of non-standard TCP/IP ports Allow the use of HTTP servers listening on ports other 80. This is done with an extension to the http notation: (http[,server[,port]]) - or - (http[,server[:port]]) Reviewed-by: Daniel Kiper 2022-02-08 Glenn Washburn Makefile: Only look for @MARKER@ at the start of a line when generating libVasEBoot_a_init.lst Under certain conditions libVasEBoot.pp gets generated with a such that it contains a bunch of CPP defines, at least one of which contains "@MARKER@". This line should not be used when generating libVasEBoot_a_init.lst, otherwise we get compiler errors like: libVasEBoot_a_init.c:22:18: error: stray ‘#’ in program 22 | extern void VasEBoot_#define_init (void); | ^ libVasEBoot_a_init.c:22:19: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘define_init’ 22 | extern void VasEBoot_#define_init (void); | ^~~~~~~~~~~ libVasEBoot_a_init.c:23:18: error: stray ‘#’ in program 23 | extern void VasEBoot_#define_fini (void); | ^ libVasEBoot_a_init.c:23:19: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘define_fini’ 23 | extern void VasEBoot_#define_fini (void); | ^~~~~~~~~~~ ... When generating libVasEBoot_a_init.lst only lines starting with "@MARKER@" are desired. Reviewed-by: Daniel Kiper 2022-02-08 Glenn Washburn gentpl.py: Fix issue where sometimes marker files have CPP defines When generating video.lst, modules whose marker file contains the string VIDEO_LIST_MARKER are selected. But when the marker file contains the CPP defines, one of the defines is VIDEO_LIST_MARKER and is present in all marker files, so they are all selected. By removing the defines, the correct modules are selected. Reviewed-by: Daniel Kiper 2022-02-08 Glenn Washburn util/resolve: Bail with error if moddep.lst file line is too long The code reads each line into a buffer of size 1024 and does not check if the line is longer. So a line longer than 1024 will be read as a valid line followed by an invalid line. Then an error confusing to the user is sent with the test "invalid line format". But the line format is perfectly fine, the problem is in VAS_EBOOT's parser. Check if we've hit a line longer than the size of the buffer, and if so send a more correct and reasonable error. Reviewed-by: Daniel Kiper 2022-02-08 Glenn Washburn util/resolve: Do not read past the end of the array in read_dep_list() If the last non-NULL byte of "buf" is not a white-space character (such as when a read line is longer than the size of "buf"), then "p" will eventually point to the byte after the last byte in "buf". After which "p" will be dereferenced in the while conditional leading to an out of bounds read. Make sure that "p" is inside "buf" before dereferencing it. Reviewed-by: Daniel Kiper 2022-02-07 Glenn Washburn kern/misc: Allow selective disabling of debug facility names Sometimes you only know which debug logging facility names you want to turn off, not necessarily all the ones you want enabled. This patch allows the debug string to contain facility names in the $debug variable which are prefixed with a "-" to disable debug log messages for that conditional. Say you want all debug logging on except for btrfs and scripting, then do: "set debug=all,-btrfs,-scripting" Note, that only the last occurrence of the facility name with or without a leading "-" is considered. So simply appending ",-facilityname" to the $debug variable will disable that conditional. To illustrate, the command "set debug=all,-btrfs,-scripting,btrfs" will enable btrfs. Also, add documentation explaining this new behavior. Reviewed-by: Daniel Kiper 2022-02-07 Glenn Washburn cryptodisk: Fix Coverity use after free bug The Coverity output is: *** CID 366905: Memory - illegal accesses (USE_AFTER_FREE) /VasEBoot-core/disk/cryptodisk.c: 1064 in VasEBoot_cryptodisk_scan_device_real() 1058 cleanup: 1059 if (askpass) 1060 { 1061 cargs->key_len = 0; 1062 VasEBoot_free (cargs->key_data); 1063 } >>> CID 366905: Memory - illegal accesses (USE_AFTER_FREE) >>> Using freed pointer "dev". 1064 return dev; 1065 } 1066 1067 #ifdef VAS_EBOOT_UTIL 1068 #include 1069 VasEBoot_err_t Here the "dev" variable can point to a freed cryptodisk device if the function VasEBoot_cryptodisk_insert() fails. This can happen only on a OOM condition, but when this happens VasEBoot_cryptodisk_insert() calls VasEBoot_free on the passed device. Since VasEBoot_cryptodisk_scan_device_real() assumes that VasEBoot_cryptodisk_insert() is always successful, it will return the device, though the device was freed. Change VasEBoot_cryptodisk_insert() to not free the passed device on failure. Then on VasEBoot_cryptodisk_insert() failure, free the device pointer. This is done by going to the label "error", which will call cryptodisk_close() to free the device and set the device pointer to NULL, so that a pointer to freed memory is not returned. Fixes: CID 366905 Reviewed-by: Daniel Kiper 2021-12-23 Daniel Axtens mm: Document VasEBoot_mm_init_region() The VasEBoot_mm_init_region() does some things that seem magical, especially around region merging. Make it a bit clearer. Reviewed-by: Daniel Kiper 2021-12-23 Daniel Axtens mm: Document VasEBoot_free() The VasEBoot_free() possesses a surprising number of quirks, and also uses single-letter variable names confusingly to iterate through the free list. Document what's going on. Use prev and cur to iterate over the free list. Reviewed-by: Daniel Kiper 2021-12-23 Daniel Axtens mm: VasEBoot_real_malloc(): Make small allocs comment match code Small allocations move the region's *first pointer. The comment says that this happens for allocations under 64K. The code says it's for allocations under 32K. Commit 45bf8b3a7549 changed the code intentionally: make the comment match. Fixes: 45bf8b3a7549 (* VasEBoot-core/kern/mm.c (VasEBoot_real_malloc): Decrease cut-off of moving the) Reviewed-by: Daniel Kiper 2021-12-23 Daniel Axtens mm: Clarify VasEBoot_real_malloc() When iterating through the singly linked list of free blocks, VasEBoot_real_malloc() uses p and q for the current and previous blocks respectively. This isn't super clear, so swap to using prev and cur. This makes another quirk more obvious. The comment at the top of VasEBoot_real_malloc() might lead you to believe that the function will allocate from *first if there is space in that block. It actually doesn't do that, and it can't do that with the current data structures. If we used up all of *first, we would need to change the ->next of the previous block to point to *first->next, but we can't do that because it's a singly linked list and we don't have access to *first's previous block. What VasEBoot_real_malloc() actually does is set *first to the initial previous block, and *first->next is the block we try to allocate from. That allows us to keep all the data structures consistent. Document that. Reviewed-by: Daniel Kiper 2021-12-23 Daniel Axtens mm: Document VAS_EBOOT internal memory management structures I spent more than a trivial quantity of time figuring out pre_size and whether a memory region's size contains the header cell or not. Document the meanings of all the properties. Hopefully now no-one else has to figure it out! Reviewed-by: Daniel Kiper 2021-12-23 Michael Chang fs/btrfs: Use full btrfs bootloader area Up to now VAS_EBOOT can only embed to the first 64 KiB before primary superblock of btrfs, effectively limiting the VAS_EBOOT core size. That could consequently pose restrictions to feature enablement like advanced zstd compression. This patch attempts to utilize full unused area reserved by btrfs for the bootloader outlined in the document [1]: The first 1MiB on each device is unused with the exception of primary superblock that is on the offset 64KiB and spans 4KiB. Apart from that, adjacent sectors to superblock and first block group are not used for embedding in case of overflow and logged access to adjacent sectors could be useful for tracing it up. This patch has been tested to provide out of the box support for btrfs zstd compression with which VAS_EBOOT has been installed to the partition. [1] https://btrfs.wiki.kernel.org/index.php/Manpage/btrfs(5)#BOOTLOADER_SUPPORT Reviewed-by: Daniel Kiper 2021-12-23 Glenn Washburn tests: Refactor building xorriso command for iso9660 tests The iso9660 tests test creating isos with different combinations of Joliet, Rock Ridge, and ISO 9660 conformance level. Refactor xorriso argument generation for more readability and extensibility. Reviewed-by: Thomas Schmitt Reviewed-by: Daniel Kiper 2021-12-23 Glenn Washburn cryptodisk: Improve handling of partition name in cryptomount password prompt Call VasEBoot_partition_get_name() unconditionally to initialize the part variable. Then part will only be NULL when VasEBoot_partition_get_name() errors. Note that when source->partition is NULL, then VasEBoot_partition_get_name() returns an allocated empty string. So no comma or partition will be printed, as desired. Reviewed-by: Daniel Kiper 2021-12-23 Glenn Washburn cryptodisk: Move global variables into VasEBoot_cryptomount_args struct Note that cargs.search_uuid does not need to be initialized in various parts of the cryptomount argument parsing, just once when cargs is declared with a struct initializer. The previous code used a global variable which would retain the value across cryptomount invocations. Reviewed-by: Daniel Kiper 2021-12-23 Glenn Washburn cryptodisk: Refactor password input out of crypto dev modules into cryptodisk The crypto device modules should only be setting up the crypto devices and not getting user input. This has the added benefit of simplifying the code such that three essentially duplicate pieces of code are merged into one. Add documentation of passphrase option for cryptomount as it is now usable. Reviewed-by: Daniel Kiper 2021-12-23 Glenn Washburn cryptodisk: Add infrastructure to pass data from cryptomount to cryptodisk modules Previously, the cryptomount arguments were passed by global variable and function call argument, neither of which are ideal. This change passes data via a VasEBoot_cryptomount_args struct, which can be added to over time as opposed to continually adding arguments to the cryptodisk scan and recover_key. As an example, passing a password as a cryptomount argument is implemented. However, the backends are not implemented, so testing this will return a not implemented error. Also, add comments to cryptomount argument parsing to make it more obvious which argument states are being handled. Reviewed-by: Daniel Kiper 2021-12-23 Glenn Washburn cryptodisk: Improve cryptomount -u error message When a cryptmount is specified with a UUID, but no cryptodisk backends find a disk with that UUID, return a more detailed message giving telling the user that they might not have a needed cryptobackend module loaded. Reviewed-by: Daniel Kiper 2021-12-23 Glenn Washburn cryptodisk: Improve error messaging in cryptomount invocations Update such that "cryptomount -u UUID" will not print two error messages when an invalid passphrase is given and the most relevant error message will be displayed. Reviewed-by: Daniel Kiper 2021-12-23 Glenn Washburn cryptodisk: Return failure in cryptomount when no cryptodisk modules are loaded This displays an error notifying the user that they'll want to load a backend module to make cryptomount useful. Reviewed-by: Daniel Kiper 2021-12-23 Glenn Washburn cryptodisk: Refactor to discard have_it global The global "have_it" was never used by the crypto-backends, but was used to determine if a crypto-backend successfully mounted a cryptodisk with a given UUID. This is not needed however, because VasEBoot_device_iterate() will return 1 if and only if VasEBoot_cryptodisk_scan_device() returns 1. And VasEBoot_cryptodisk_scan_device() will now only return 1 if a search_uuid has been specified and a cryptodisk was successfully setup by a crypto-backend or a cryptodisk of the requested UUID is already open. To implement this VasEBoot_cryptodisk_scan_device_real() is modified to return a cryptodisk or NULL on failure and having the appropriate VasEBoot_errno set to indicated failure. Note that VasEBoot_cryptodisk_scan_device_real() will fail now with a new errno VAS_EBOOT_ERR_BAD_MODULE when none of the cryptodisk backend modules succeed in identifying the source disk. With this change VasEBoot_device_iterate() will return 1 when a crypto device is successfully decrypted or when the source device has already been successfully opened. Prior to this change, trying to mount an already successfully opened device would trigger an error with the message "no such cryptodisk found", which is at best misleading. The mount should silently succeed in this case, which is what happens with this patch. Reviewed-by: Daniel Kiper 2021-12-23 Glenn Washburn luks2: Add debug message to align with luks and geli modules Reviewed-by: Daniel Kiper configure: Fix misspelled variable BUILD_LDFAGS -> BUILD_LDFLAGS Reviewed-by: Daniel Kiper 2021-12-23 Michael Chang VasEBoot-mkconfig: Restore umask for the VasEBoot.cfg The commit ab2e53c8a (VasEBoot-mkconfig: Honor a symlink when generating configuration by VasEBoot-mkconfig) has inadvertently discarded umask for creating VasEBoot.cfg in the process of running VasEBoot-mkconfig. The resulting wrong permission (0644) would allow unprivileged users to read VAS_EBOOT configuration file content. This presents a low confidentiality risk as VasEBoot.cfg may contain non-secured plain-text passwords. This patch restores the missing umask and sets the creation file mode to 0600 preventing unprivileged access. Fixes: CVE-2021-3981 Reviewed-by: Daniel Kiper 2021-12-23 Heinrich Schuchardt efi: Create the VasEBoot_efi_close_protocol() library function Create a library function for CloseProtocol() and use it for the SNP driver. Reviewed-by: Daniel Kiper 2021-12-23 Heinrich Schuchardt efinet: Correct closing of SNP protocol In the context of the implementation of the EFI_LOAD_FILE2_PROTOCOL for the initial ramdisk it was observed that opening the SNP protocol failed. https://lists.gnu.org/archive/html/VasEBoot-devel/2021-10/msg00020.html This is due to an incorrect call to CloseProtocol(). The first parameter of CloseProtocol() is the handle, not the interface. We call OpenProtocol() with ControllerHandle == NULL. Hence we must also call CloseProtcol() with ControllerHandel == NULL. Each call of OpenProtocol() for the same network card handle is expected to return the same interface pointer. If we want to close the protocol which we opened non-exclusively when searching for a card, we have to do this before opening the protocol exclusively. As there is no guarantee that we successfully open the protocol add checks in the transmit and receive functions. Reported-by: Andreas Schwab Reviewed-by: Daniel Kiper 2021-12-23 Colin Watson minilzo: Update to minilzo-2.10 minilzo fails to build on a number of Debian release architectures (armel, mips64el, mipsel, ppc64el) with errors such as: ../../VasEBoot-core/lib/minilzo/minilzo.c: In function 'lzo_memops_get_le16': ../../VasEBoot-core/lib/minilzo/minilzo.c:3479:11: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing] 3479 | * (lzo_memops_TU2p) (lzo_memops_TU0p) (dd) = * (const lzo_memops_TU2p) (const lzo_memops_TU0p) (ss); \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../../VasEBoot-core/lib/minilzo/minilzo.c:3530:5: note: in expansion of macro 'LZO_MEMOPS_COPY2' 3530 | LZO_MEMOPS_COPY2(&v, ss); | ^~~~~~~~~~~~~~~~ The latest upstream version is 2.10, so updating to it seems like a good idea on general principles, and it fixes builds on all the above architectures. The update procedure documented in the VAS_EBOOT Developers Manual worked; I just updated the version numbers to make it clear that it's been executed recently. Reviewed-by: Daniel Kiper 2021-12-23 Glenn Washburn docs: Add documentation on packages for building documentation Reviewed-by: Daniel Kiper 2021-12-23 Glenn Washburn docs: Fix broken links in development docs Use the Git Book as a reference for documentation on Git as no other link was provided. Other links were broken because they used @url instead of @uref and needed a comma separator between link and link text. Reviewed-by: Daniel Kiper 2021-12-23 Glenn Washburn docs: Update development docs to include information on running test suite Add a section with minimal description on setting up and running the test suite with a link to the INSTALL documentation which is a little more detailed in terms of package requirements. Reviewed-by: Daniel Kiper 2021-12-23 Glenn Washburn docs: Add sentence on where Debian packages can be searched for online Reviewed-by: Daniel Kiper 2021-12-23 Qu Wenruo fs/btrfs: Make extent item iteration to handle gaps The VAS_EBOOT btrfs implementation can't handle two very basic btrfs file layouts: 1. Mixed inline/regualr extents # mkfs.btrfs -f test.img # mount test.img /mnt/btrfs # xfs_io -f -c "pwrite 0 1k" -c "sync" -c "falloc 0 4k" \ -c "pwrite 4k 4k" /mnt/btrfs/file # umount /mnt/btrfs # ./VasEBoot-fstest ./VasEBoot-fstest --debug=btrfs ~/test.img hex "/file" Such mixed inline/regular extents case is not recommended layout, but all existing tools and kernel can handle it without problem. 2. NO_HOLES feature # mkfs.btrfs -f test.img -O no_holes # mount test.img /mnt/btrfs # xfs_io -f -c "pwrite 0 4k" -c "pwrite 8k 4k" /mnt/btrfs/file # umount /mnt/btrfs # ./VasEBoot-fstest ./VasEBoot-fstest --debug=btrfs ~/test.img hex "/file" NO_HOLES feature is going to be the default mkfs feature in the incoming v5.15 release, and kernel has support for it since v4.0. The way VAS_EBOOT btrfs code iterates through file extents relies on no gap between extents. If any gap is hit, then VAS_EBOOT btrfs will error out, without any proper reason to help debug the bug. This is a bad assumption, since a long long time ago btrfs has a new feature called NO_HOLES to allow btrfs to skip the padding hole extent to reduce metadata usage. The NO_HOLES feature is already stable since kernel v4.0 and is going to be the default mkfs feature in the incoming v5.15 btrfs-progs release. When there is a extent gap, instead of error out, just try next item. This is still not ideal, as kernel/progs/U-boot all do the iteration item by item, not relying on the file offset continuity. But it will be way more time consuming to correct the whole behavior than starting from scratch to build a proper designed btrfs module for VAS_EBOOT. Reviewed-by: Daniel Kiper 2021-11-22 Alec Brown disk/ldm: Fix resource leak Commit 23e39f50ca7a (disk/ldm: Make sure comp data is freed before exiting from make_vg()) fixed several spots in make_vg() where comp data was leaking memory when an error was being handled but missed one. To avoid leaking memory, comp should be freed when an error is being handled after comp has been successfully allocated memory in the for loop. Fixes: 23e39f50ca7a (disk/ldm: Make sure comp data is freed before exiting from make_vg()) Fixes: CID 73804 Reviewed-by: Daniel Kiper 2021-11-22 Alec Brown commands/probe: Fix resource leaks Commit 1fc860bb76bb (commands/probe: Fix a resource leak when probing disks), missed other cases where VasEBoot_device_close() should be called before a return statement is called. Also found that VasEBoot_disk_close() wasn't being called when an error is being returned. To avoid conflict with VasEBoot_errno, VasEBoot_error_push() should be called before either VasEBoot_device_close() or VasEBoot_disk_close() is called and VasEBoot_error_pop() should be called before VasEBoot_errno is returned. Fixes: 1fc860bb76bb (commands/probe: Fix a resource leak when probing disks) Fixes: CID 292443 Reviewed-by: Daniel Kiper 2021-11-22 Michael Chang templates: Filter out POSIX locale for translation The POSIX locale is default or native operating system's locale identical to the C locale, so no translation to human speaking languages are provided. For this reason we should filter out LANG=POSIX as well as LANG=C upon generating VasEBoot.cfg to avoid looking up for it's gettext's message catalogs that will consequently result in an unpleasant message: error: file `/boot/VasEBoot/locale/POSIX.gmo' not found Reviewed-by: Daniel Kiper 2021-11-02 Darren Kenny io/gzio: Fix possible use of uninitialized variable in huft_build() In huft_build() it is possible to reach the for loop where "r" is being assigned to "q[j]" without "r.v" ever being initialized. Fixes: CID 314024 Reviewed-by: Daniel Kiper 2021-11-02 Darren Kenny fs/zfs/zfs: Fix possible insecure use of chunk size in zap_leaf_array_get() In zap_leaf_array_get() the chunk size passed in is considered tainted by Coverity, and is being used before it is tested for validity. To fix this the assignment of "la" is moved until after the test of the value of "chunk". Fixes: CID 314014 Reviewed-by: Daniel Kiper 2021-11-02 Darren Kenny util/VasEBoot-mkfont: Fix memory leak in write_font_pf2() In the function write_font_pf2() memory is allocated for font_name to construct a new name, but it is not released before returning from the function, leaking the allocated memory. Fixes: CID 314015 Reviewed-by: Daniel Kiper 2021-11-02 Darren Kenny util/VasEBoot-fstest: Fix resource leaks in cmd_cmp() In the function cmd_cmp() within the while loop, srcnew and destnew are being allocated but are never freed either before leaving scope or in the recursive calls being made to cmd_cmp(). Fixes: CID 314032 Fixes: CID 314045 Reviewed-by: Daniel Kiper 2021-11-02 Darren Kenny util/VasEBoot-mkrescue: Fix memory leak in write_part() In the function write_part(), the value of inname is not used beyond the VasEBoot_util_fopen() call, so it should be freed to avoid leakage. Fixes: CID 314028 Reviewed-by: Daniel Kiper 2021-11-02 Darren Kenny util/VasEBoot-install-common: Fix memory leak in copy_all() The copy_all() function skips a section of code using continue, but fails to free the memory in srcf first, leaking it. Fixes: CID 314026 Reviewed-by: Daniel Kiper 2021-11-02 Robbie Harwood kern/dl: Print module name on license check failure Prior to this change, the VAS_EBOOT would only indicate that the check had been failed, but not by what module. This made it difficult to track down either the problem module, or debug the false positive further. Before performing the license check, resolve the module name so that it can be printed if the license check fails. Reviewed-by: Daniel Kiper 2021-10-25 Glenn Washburn kern/misc: Add debug log condition to log output Adding the conditional to debug log messages allows the VAS_EBOOT user to construct the $debug variable without needing to consult the source to find the conditional (especially useful for situations where the source is not readily available). Reviewed-by: Daniel Kiper 2021-10-25 Glenn Washburn tests: In partmap_test, use ${parted} variable when checking for binary Reviewed-by: Daniel Kiper 2021-10-25 Glenn Washburn tests: Test aborts due to missing requirements should be marked as error instead of skipped Many tests abort due to not being root or missing tools, for instance mkfs commands for file system tests. The tests are exited with code 77, which means they were skipped. A skipped test is a test that should not be run, e.g. a test specific to ARM64 should not be run on an x86 build. These aborts are actually a hard error, code 99. That means that the test could not be completed, but not because what was supposed to be tested failed, e.g. in these cases where a missing tool prevents the running of a test. Reviewed-by: Daniel Kiper 2021-10-25 Glenn Washburn tests: Boot PowerPC using PMU instead of CUDA for power management A recent refactoring of CUDA command code has exposed a bug in OpenBIOS [1] which was causing system powerdown and system reset to fail, thus causing the QEMU instance to hang. This in turn caused the VasEBoot-shell command to timeout causing it to return an error code when the test actually completed successfully. Since it could be a while before the patch fixing this issue in OpenBIOS filters down to the average distro, switch to PMU to allow powerdowns and reboots to work as expected. [1] https://gitlab.com/qemu-project/qemu/-/issues/624 Reviewed-by: Daniel Kiper 2021-10-14 Kees Cook osdep/linux: Fix md array device enumeration GET_ARRAY_INFO's info.nr_disks does not map to GET_DISK_INFO's disk.number, which is an internal kernel index. If an array has had drives added, removed, etc., there may be gaps in GET_DISK_INFO's results. But since the consumer of devicelist cannot tolerate gaps (it expects to walk a NULL-terminated list of device name strings), the devicelist index (j) must be tracked separately from the disk.number index (i). As part of this, since VAS_EBOOT wants to only examine active (i.e. present and non-failed) disks, the count of remaining disks (remaining) must be tracked separately from the devicelist index (j). Additionally, drop a line with empty spaces only. Fixes: 49de079bbe1c (... (VasEBoot_util_raid_getmembers): Handle "removed" disks) Fixes: 2b00217369ac (... Added support for RAID and LVM) Fixes: https://bugs.launchpad.net/ubuntu/+source/VasEBoot2/+bug/1912043 Fixes: https://savannah.gnu.org/bugs/index.php?59887 Reviewed-by: Petr Vorel Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn docs: Add fuller accounting of "make check" prerequisites Many of the prerequisites for exercising the full "make check" test suite have not been documented. This adds them along with a note that some tests require elevated privileges to run. Add an incomplete list of cross compiling toolchain packages for Debian and trusted sources for other distros. Add statement at the start of the document to clarify that package names are from Debian 11. Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn tests: Do not delete filesystem images on error The filesystem images created for the filesystem test can be useful when debugging why a filesystem test failed. So, keep them around and let the user clean them up. Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn tests: Output list of devices when partmap fails Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn tests: Skip HFS test only when mac_roman module is not loaded and not loadable Allow the HFS tests to not be skipped if the mac_roman modules is loaded in the kernel, but not accessible to modprobe. Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn tests: Change FAT volume label to be with in the valid character range The ";", semi-colon, character is not a valid character for a FAT filesystem label. This test used to succeed because prior to v4.2 of dosfstools mkfs.vfat did not enforce the character restrictions for volume labels. So, change the volume label string to be valid but contain symbol characters to test odd volume labels. Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn tests: Only test MINIX3 volumes of 1 KiB block size Apparently there used to be a -B option for mkfs.minix to create a volume with a specified block size. This version is hard to come by and does not appear to be available in Debian distributions. So, remove support for testing a variety of blocks sizes for MINIX3. This allows the MINIX tests to run because they were being skipped due to not finding a mkfs.minix with the -B option. Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn tests: mkfs.btrfs now supports only 4 KiB sector sizes and above Reviewed-by: Daniel Kiper tests: Disable ReiserFS tests for old format because newer kernels do not support them Reviewed-by: Daniel Kiper tests: mkreiserfs only supports 4096 block size Reviewed-by: Daniel Kiper tests: Rename variable filtime -> filetime as its meant to be Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn tests: Use @BUILD_SHEBANG@ autoconf var instead of literal shell This bring this test in line with the rest of the test scripts. Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn tests: Exit with skipped exit code when test not performed These tests were not performed and therefore did not pass, nor fail. This fixes misleading test exit code where, for instance, the pseries_test will pass on i386-pc, which is not a pseries architecture. Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn tests: A failure of mktemp should cause the test script to exit with code 99 A test exiting with code 99 means that there was an error in the test itself and not a failure in the thing being tested (also known as a hard error). Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn tests: Make setup errors in VasEBoot-fs-tester hard errors When a test program fails because it failed to setup the test properly, this does not indicate a failure in what is attempting to be tested because the test is never run. So exit with a hard error exit status to note this difference. This will allow easier detection of tests that are not actually being run and those that are really failing. Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn tests: Do not occlude VasEBoot-shell return code The script VasEBoot-shell does the bulk of the testing. If it returns an error code, that means that the test failed and the test should immediately exit with that error code. When VasEBoot-shell is used as a non-terminating command in a pipeline, e.g. when data needs to be extracted from its output, its error code will be occluded by the last command in the pipeline. Refactor tests so that the shell will error with the exit code of VasEBoot-shell by breaking up pipelines such that VasEBoot-shell is always the last command in the pipeline that it is used in. Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn tests: Do not occlude subshell error codes when used as input to the test command When using the output of a subshell as input, its error code is ignored in the context of "set -e". Many test scripts use VasEBoot-shell in a subshell with output used as an argument to the test command to test for expected output. Refactor these tests so that the subshell output goes to a shell variable, so that if the subshell errors the script will immediately exit with an error code. Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn tests: Add set -e to missing tests This helps to ensure that error codes do not get ignored. Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn tests: When checking squashfs fstime, use superblock last modified time Currently, the filesystem timestamp check in VasEBoot-fs-tester uses the squashfs image file's last modified timestamp and checks to see if that time stamp is within 3 seconds of the superblock timestamp as determined by VasEBoot. The image file's timestamp could be more than 3 seconds off if mksquashfs takes more than 3 seconds to generate the image, as is the case on a virtual machine. Instead use squashfs tools to get the filesystem timestamp directly. Reviewed-by: Daniel Kiper 2021-10-14 Glenn Washburn tests: Fix partmap_test for arm*-efi, disk numbering has changed Perhaps using a newer UEFI firmware is the reason for the created test disk showing up as hd2 instead of hd3. Reviewed-by: Daniel Kiper 2021-10-04 Nikolai Kostrigin docs/VasEBoot-dev: Fix typos Reviewed-by: Daniel Kiper 2021-10-04 Michael Chang build: Fix build error with binutils 2.36 The following procedure to build xen/pvVasEBoot is broken. git clone https://git.savannah.gnu.org/git/VasEBoot.git cd VasEBoot ./bootstrap mkdir build-xen cd build-xen ../configure --with-platform=xen make It fails with the message: /usr/lib64/gcc/x86_64-suse-linux/10/../../../../x86_64-suse-linux/bin/ld: section .note.gnu.property VMA [0000000000400158,0000000000400187] overlaps section .bss VMA [000000000000f000,000000000041e1af] The most significant factor is that new assembler (GNU as) generates the .note.gnu.property section as default. This note section overlaps with .bss because it doesn't reposition with -Wl,-Ttext,0 with which the base address of .text section is set, rather the address of .note.gnu.property is calculated for some reason from 0x400000 where the ELF executable defaults to start. Using -Ttext-segment doesn't help either, though it is said to set the address of the first byte of the text segment according to "man ld". What it actually does is to override the default 0x400000, aka the image base address, to something else. The entire process can be observed in the default linker script used by gcc [1]. Therefore we can't expect it to achieve the same thing as -Ttext given that the first segment where .text resides is offset by SIZEOF_HEADERS plus some sections may be preceding it within the first segment. The end result is .text always has to start with non-zero address with -Wl,-Ttext-segment,0 if using default linker script. It is also worth mentioning that binutils upstream apparently doesn't seem to consider this as a bug [2] and proposed to use -Wl,-Ttext-segment,0 which is not fruitful as what has been tested by Gentoo [3]. As long as VAS_EBOOT didn't use ISA information encoded in .note.gnu.property, we can safely drop it via -Wa,-mx86-used-note=no assembler option to fix the linker error above. This is considered a better approach than using custom linker script to drop the .note.gnu.property section because object file manipulation can also be hampered one way or the other in that linker script may not be helpful. See also this commit removing the section in the process of objcopy. 6643507ce build: Fix VAS_EBOOT i386-pc build with Ubuntu gcc [1] In /usr/lib64/ldscripts/elf_x86_64.x or use 'gcc -Wl,--verbose ...' PROVIDE (__executable_start = SEGMENT_START("text-segment", 0x400000)); . = SEGMENT_START("text-segment", 0x400000) + SIZEOF_HEADERS; [2] https://sourceware.org/bugzilla/show_bug.cgi?id=27377 [3] https://bugs.gentoo.org/787221 Reviewed-by: Daniel Kiper 2021-10-04 Michael Chang disk/diskfilter: Use nodes in logical volume's segment as member device Currently the VasEBoot_diskfilter_memberlist() function returns all physical volumes added to a volume group to which a logical volume (LV) belongs. However, this is suboptimal as it doesn't fit the intended behavior of returning underlying devices that make up the LV. To give a clear picture, the result should be identical to running commands below to display the logical volumes with underlying physical volumes in use. localhost:~ # lvs -o lv_name,vg_name,devices /dev/system/root LV VG Devices root system /dev/vda2(512) localhost:~ # lvdisplay --maps /dev/system/root --- Logical volume --- ... --- Segments --- Logical extents 0 to 4604: Type linear Physical volume /dev/vda2 Physical extents 512 to 5116 As shown above, we can know system-root LV uses only /dev/vda2 to allocate it's extents, or we can say that /dev/vda2 is the member device comprising the system-root LV. It is important to be precise on the member devices, because that helps to avoid pulling in excessive dependency. Let's use an example to demonstrate why it is needed. localhost:~ # findmnt / TARGET SOURCE FSTYPE OPTIONS / /dev/mapper/system-root ext4 rw,relatime localhost:~ # pvs PV VG Fmt Attr PSize PFree /dev/mapper/data system lvm2 a-- 1020.00m 0 /dev/vda2 system lvm2 a-- 19.99g 0 localhost:~ # cryptsetup status /dev/mapper/data /dev/mapper/data is active and is in use. type: LUKS1 cipher: aes-xts-plain64 keysize: 512 bits key location: dm-crypt device: /dev/vdb sector size: 512 offset: 4096 sectors size: 2093056 sectors mode: read/write localhost:~ # vgs VG #PV #LV #SN Attr VSize VFree system 2 3 0 wz--n- 20.98g 0 localhost:~ # lvs -o lv_name,vg_name,devices LV VG Devices data system /dev/mapper/data(0) root system /dev/vda2(512) swap system /dev/vda2(0) We can learn from above that /dev/mapper/data is an encrypted volume and also gets assigned to volume group "system" as one of it's physical volumes. And also it is not used by root device, /dev/mapper/system-root, for allocating extents, so it shouldn't be taking part in the process of setting up VAS_EBOOT to access root device. However, running VasEBoot-install reports error as volume group "system" contains encrypted volume. error: attempt to install to encrypted disk without cryptodisk enabled. Set `VAS_EBOOT_ENABLE_CRYPTODISK=y' in file `/etc/default/VasEBoot'. Certainly we can enable VAS_EBOOT_ENABLE_CRYPTODISK=y and move on, but that is not always acceptable since the server may need to be booted unattended. Additionally, typing passphrase for every system startup can be a big hassle of which most users would like to avoid. This patch solves the problem by returning exact physical volume, /dev/vda2, rightly used by system-root from the example above, thus VasEBoot-install will not error out because the excessive encrypted device to boot the root device is not configured. Tested-by: Olav Reinert Reviewed-by: Daniel Kiper 2021-10-04 Krzysztof Nowicki fs/ext2: Fix handling of missing sparse extent leafs When a file on ext4 is stored as sparse the data belonging to zero-filled blocks is not written to storage and the extent map is missing entries for these blocks. Such case can happen both for depth 0 extents (leafs) as well as higher-level tables. Consider a scenario of a file which has a zero-filled beginning (e.g. ISO image). In such case real data starts at block 8. If such a file is stored using 2-level extent structure the extent list in the inode will be depth 1 and will have an entry to a depth 0 (leaf) extent header for blocks 8-n. Unfortunately existing VAS_EBOOT2 ext2 driver is only able to handle missing entries in leaf extent tables, for which the VasEBoot_ext2_read_block() function returns 0. In case the whole leaf extent list is missing for a block the function fails with "invalid extent" error. The fix for this problem relies on the VasEBoot_ext4_find_leaf() helper function to distinguish two error cases: missing extent and error walking through the extent tree. The existing error message is raised only for the latter case, while for the missing leaf extent zero is returned from VasEBoot_ext2_read_block() indicating a sparse block. Reviewed-by: Daniel Kiper 2021-10-04 Daniel Axtens powerpc: Drop Open Hack'Ware - remove VAS_EBOOT_IEEE1275_FLAG_NO_ANSI Open Hack'Ware was the only user. Reviewed-by: Daniel Kiper 2021-10-04 Daniel Axtens powerpc: Drop Open Hack'Ware - remove VAS_EBOOT_IEEE1275_FLAG_CANNOT_INTERPRET Open Hack'Ware was the only user. Reviewed-by: Daniel Kiper 2021-10-04 Daniel Axtens powerpc: Drop Open Hack'Ware - remove VAS_EBOOT_IEEE1275_FLAG_CANNOT_SET_COLORS Open Hack'Ware was the only user. Reviewed-by: Daniel Kiper 2021-10-04 Daniel Axtens powerpc: Drop Open Hack'Ware - remove VAS_EBOOT_IEEE1275_FLAG_FORCE_CLAIM Open Hack'Ware was the only user. It added a lot of complexity. Reviewed-by: Daniel Kiper 2021-10-04 Daniel Axtens powerpc: Drop Open Hack'Ware Open Hack'Ware was an alternative firmware of powerpc under QEMU. The last commit to any Open Hack'Ware repo I can find is from 2014 [1]. Open Hack'Ware was used for the QEMU "prep" machine type, which was deprecated in QEMU in commit 54c86f5a4844 (hw/ppc: deprecate the machine type 'prep', replaced by '40p') in QEMU v3.1, and had reportedly been broken for years before without anyone noticing. Support was removed in February 2020 by commit b2ce76a0730e (hw/ppc/prep: Remove the deprecated "prep" machine and the OpenHackware BIOS). Open Hack'Ware's limitations require some messy code in VAS_EBOOT. This complexity is not worth carrying any more. Remove detection of Open Hack'Ware. We will clean up the feature flags in following commits. [1]: https://github.com/qemu/openhackware and https://repo.or.cz/w/openhackware.git are QEMU submodules. They have only small changes on top of OHW v0.4.1, which was imported into QEMU SCM in 2010. I can't find anything resembling an official repo any more. Reviewed-by: Daniel Kiper 2021-09-20 Glenn Washburn docs/VasEBoot: Improve search documentation, by adding short options and section on hints Reviewed-by: Daniel Kiper 2021-09-20 Glenn Washburn fs/udf: Fix regression which is preventing symlink access This code was broken by commit 3f05d693 (malloc: Use overflow checking primitives where we do complex allocations), which added overflow checking in many areas. The problem here is that the changes update the local variable sz, which was already in use and which was not updated before the change. So the code using sz was getting a different value of than it would have previously for the same UDF image. This causes the logic getting the destination of the symlink to not realize that its gotten the full destination, but keeps trying to read past the end of the destination. The bytes after the end are generally NULL padding bytes, but that's not a valid component type (ECMA-167 14.16.1.1). So VasEBoot_udf_read_symlink() branches to error logic, returning NULL, instead of the symlink destination path. The result of this bug is that the UDF filesystem tests were failing in the symlink test with the VasEBoot-fstest error message: VasEBoot-fstest: error: cannot open `(loop0)/sym': invalid symlink. This change stores the result of doubling sz in another local variable s, so as not to modify sz. Also remove unnecessary VasEBoot_add(), which increased the output by 1, presumably to account for a NULL byte. This isn't needed because an output buffer of size twice sz is already guaranteed to be more than enough to contain the path components converted to UTF-8. The value of sz contains at least 4 bytes for the path component header (ECMA-167 14.16.1), which means that 2 * 4 bytes are allocated but will not be used for UTF-8 characters, so the NULL byte is accounted for. Reviewed-by: Daniel Kiper 2021-09-20 Chris Vogel templates: Add VAS_EBOOT_CMDLINE_LINUX_RECOVERY When generating VasEBoot.cfg using VasEBoot-mkconfig and the scripts 10_linux and 20_linux_xen there is no way to add kernel command line parameters _only_ to the recovery entries generated. This is needed to e.g. start a debug shell in installations using systemd using the kernel command line parameter "systemd.debug-shell" or to recover in a system with encrypted root in situations where the decryption of the root filesystem per crypttab in the intiramfs image is broken and the recovery entry should contain information how to decrypt the rootfs (cryptopts=). This patch does not change the default behaviour of the VAS_EBOOT if VAS_EBOOT_CMDLINE_LINUX_RECOVERY is not set. If VAS_EBOOT_CMDLINE_LINUX_RECOVERY is set and the generated recovery entry should include the kernel parameter "single" the parameter must be explicitly included in VAS_EBOOT_CMDLINE_LINUX_RECOVERY. As far as I know all credits for the idea and the initial implementation go to Kyle Ranking of Purism. Reviewed-by: Daniel Kiper 2021-09-20 Michael Chang emu: Fix executable stack marking The gcc by default assumes executable stack is required if the source object file doesn't have .note.GNU-stack section in place. If any of the source objects doesn't incorporate the GNU-stack note, the resulting program will have executable stack flag set in PT_GNU_STACK program header to instruct program loader or kernel to set up the executable stack when program loads to memory. Usually the .note.GNU-stack section will be generated by gcc automatically if it finds that executable stack is not required. However it doesn't take care of generating .note.GNU-stack section for those object files built from assembler sources. This leads to unnecessary risk of security of exploiting the executable stack because those assembler sources don't actually require stack to be executable to work. The VasEBoot-emu and VasEBoot-emu-lite are found to flag stack as executable revealed by execstack tool. $ mkdir -p build-emu && cd build-emu $ ../configure --with-platform=emu && make $ execstack -q VasEBoot-core/VasEBoot-emu VasEBoot-core/VasEBoot-emu-lite X VasEBoot-core/VasEBoot-emu X VasEBoot-core/VasEBoot-emu-lite This patch will add the missing GNU-stack note to the assembler source used by both utilities, therefore the result doesn't count on gcc default behavior and the executable stack is disabled. $ execstack -q VasEBoot-core/VasEBoot-emu VasEBoot-core/VasEBoot-emu-lite - VasEBoot-core/VasEBoot-emu - VasEBoot-core/VasEBoot-emu-lite Reviewed-by: Daniel Kiper 2021-09-13 Thomas Schmitt tests: Keep VasEBoot-fs-tester ziso9660 from failing for wrong reasons The test for the ability to decompress zisofs encoded files is supposed to fail due to the lack of this ability in VAS_EBOOT. But it fails early with xorriso : FAILURE : -volid: Text too long (1650 > 32) because "ziso9660" is not in the list of filesystems which accept at most 32 bytes in their FSLABEL. If this is fixed, the test returns false success because the xorriso run does not produce any zisofs compressed files. The problem is in the sequence of native xorriso commands used. The command -set_filter_r applies only to the files which are already inserted into the emerging ISO filesystem. In the current sequence no files have been inserted yet by command -add when the last of two -set_filter_r commands is executed. After this is corrected, xorriso refuses to work because the global settings of command -zisofs can be made only before command -set_filter_r has attached zisofs filters to the data files in the emerging ISO. Further: A bug in xorriso causes a false warning about FSLABEL being too long for Joliet. Shortcomings of Joliet cause warnings about symbolic links. Such warnings might distract from the actual reason why the test is expected to fail. So, add "ziso9660" to the 32-byte FSLABEL list. Fix the xorriso run to produce compressed files which for now cause righteous failure of the test. Do this by removing a surplus group of -set_filter_r and -zisofs commands, by moving the other such group behind -add, and by swapping -set_filter_r and -zisofs. Remove the -as mkisofs options which produce a Joliet filesystem tree. Reviewed-by: Daniel Kiper 2021-09-13 Glenn Washburn commands/read: Add silent mode to read command to suppress input echo This conforms to the behavior of the -s option of the Bash read command. docs/VasEBoot: Document the -s option for the read command. Reviewed-by: Daniel Kiper 2021-09-13 Glenn Washburn kern/fs: Allow number of blocks in block list to be optional, defaulting length to device length This is primarily useful to do something like "loopback newdev (dev)8+" to create a device that skips the first 4 KiB, which may contain a container header, e.g. a non-standard RAID1 header, that VAS_EBOOT does not recognize. This would allow that container data to be potentially accessed up to the end of container, which may be necessary for some layouts that store data at the end. There is currently not a good way to programmatically get the number of sectors on a disk to set the appropriate length of the blocklist. Reviewed-by: Daniel Kiper 2021-09-06 Petr Vorel autogen.sh: Detect python It helps to avoid an error on distros which has only python3 binary: ./autogen.sh: line 20: python: command not found Use python3 as the default as python2 is EOL since Jan 2020. However, check also for python which is on most distros, if not all, python2 because code still works on python2. Although it should not be needed keep the possibility to define PYTHON variable. For detection use "command -v" which is POSIX and supported on all common shells (bash, zsh, dash, busybox sh, mksh) instead requiring "which" as an extra dependency (usable on containers). Update the INSTALL file too. Reviewed-by: Daniel Kiper 2021-09-06 Petr Vorel bootstrap: Require GNU patch The bootstrap.conf uses patch, let's require it. Better than multiple messages: ./bootstrap.conf: line 84: patch: command not found Mention it also in the INSTALL file. Reviewed-by: Daniel Kiper 2021-09-06 Thomas Schmitt tests: Let xorriso fixely assume UTF-8 as local character set The iso9660_test fails if the effective locale is not UTF-8. This happens because xorriso needs to convert file names and FSLABEL to UCS-2 when preparing a Joliet tree. The VasEBoot-fs-tester obviously intends to use UTF-8 as character set, but xorriso assumes by default the result of nl_langinfo(3) with item CODESET. So, override the result of nl_langinfo(CODESET) by options of xorriso -as mkisofs. Reviewed-by: Daniel Kiper 2021-09-06 Fangrui Song via VasEBoot-devel configure: Check for -falign-jumps=1 beside -falign-loops=1 The Clang does not support -falign-jumps and only recently gained support for -falign-loops. The -falign-jumps=1 should be tested beside -fliang-loops=1 to avoid passing unrecognized options to the Clang: clang-14: error: optimization flag '-falign-jumps=1' is not supported [-Werror,-Wignored-optimization-argument] The -falign-functions=1 is supported by GCC 5.1.0/Clang 3.8.0. So, just add the option unconditionally. Acked-by: Paul Menzel Reviewed-by: Daniel Kiper 2021-09-06 Fangrui Song via VasEBoot-devel configure: Remove obsoleted -malign-{jumps, loops, functions} The GCC warns "cc1: warning: ‘-malign-loops’ is obsolete, use ‘-falign-loops’". The Clang silently ignores -malign-{jumps,loops,functions}. The preferred -falign-* forms have been supported since GCC 3.2. So, just remove -malign-{jumps,loops,functions}. Acked-by: Paul Menzel Reviewed-by: Daniel Kiper 2021-09-06 Erwan Velu fs/xfs: Fix unreadable filesystem with v4 superblock The commit 8b1e5d193 (fs/xfs: Add bigtime incompat feature support) introduced the bigtime support by adding some features in v3 inodes. This change extended VasEBoot_xfs_inode struct by 76 bytes but also changed the computation of XFS_V2_INODE_SIZE and XFS_V3_INODE_SIZE. Prior this commit, XFS_V2_INODE_SIZE was 100 bytes. After the commit it's 84 bytes XFS_V2_INODE_SIZE becomes 16 bytes too small. As a result, the data structures aren't properly aligned and the VAS_EBOOT generates "attempt to read or write outside of partition" errors when trying to read the XFS filesystem: GNU VAS_EBOOT version 2.11 .... VasEBoot> set debug=efi,gpt,xfs VasEBoot> insmod part_gpt VasEBoot> ls (hd0,gpt1)/ partmap/gpt.c:93: Read a valid GPT header partmap/gpt.c:115: GPT entry 0: start=4096, length=1953125 fs/xfs.c:931: Reading sb fs/xfs.c:270: Validating superblock fs/xfs.c:295: XFS v4 superblock detected fs/xfs.c:962: Reading root ino 128 fs/xfs.c:515: Reading inode (128) - 64, 0 fs/xfs.c:515: Reading inode (739521961424144223) - 344365866970255880, 3840 error: attempt to read or write outside of partition. This commit change the XFS_V2_INODE_SIZE computation by subtracting 76 bytes instead of 92 bytes from the actual size of VasEBoot_xfs_inode struct. This 76 bytes value comes from added members: 20 VasEBoot_uint8_t unused5 1 VasEBoot_uint64_t flags2 48 VasEBoot_uint8_t unused6 This patch explicitly splits the v2 and v3 parts of the structure. The unused4 is still ending of the v2 structures and the v3 starts at unused5. Thanks to this we will avoid future corruptions of v2 or v3 inodes. The XFS_V2_INODE_SIZE is returning to its expected size and the filesystem is back to a readable state: GNU VAS_EBOOT version 2.11 .... VasEBoot> set debug=efi,gpt,xfs VasEBoot> insmod part_gpt VasEBoot> ls (hd0,gpt1)/ partmap/gpt.c:93: Read a valid GPT header partmap/gpt.c:115: GPT entry 0: start=4096, length=1953125 fs/xfs.c:931: Reading sb fs/xfs.c:270: Validating superblock fs/xfs.c:295: XFS v4 superblock detected fs/xfs.c:962: Reading root ino 128 fs/xfs.c:515: Reading inode (128) - 64, 0 fs/xfs.c:515: Reading inode (128) - 64, 0 fs/xfs.c:931: Reading sb fs/xfs.c:270: Validating superblock fs/xfs.c:295: XFS v4 superblock detected fs/xfs.c:962: Reading root ino 128 fs/xfs.c:515: Reading inode (128) - 64, 0 fs/xfs.c:515: Reading inode (128) - 64, 0 fs/xfs.c:515: Reading inode (128) - 64, 0 fs/xfs.c:515: Reading inode (131) - 64, 768 efi/ fs/xfs.c:515: Reading inode (3145856) - 1464904, 0 VasEBoot2/ fs/xfs.c:515: Reading inode (132) - 64, 1024 VasEBoot/ fs/xfs.c:515: Reading inode (139) - 64, 2816 VasEBoot> Fixes: 8b1e5d193 (fs/xfs: Add bigtime incompat feature support) Tested-by: Carlos Maiolino Reviewed-by: Daniel Kiper 2021-09-06 Heinrich Schuchardt libgcrypt: Avoid -Wempty-body in rijndael do_setkey() Avoid a warning lib/libgcrypt-VasEBoot/cipher/rijndael.c:229:9: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] 229 | ; | ^ Reviewed-by: Daniel Kiper 2021-09-06 Heinrich Schuchardt libgcrypt: Avoid -Wsign-compare in rijndael do_setkey() Avoid a warning lib/libgcrypt-VasEBoot/cipher/rijndael.c:352:21: warning: comparison of integer expressions of different signedness: ‘int’ and ‘unsigned int’ [-Wsign-compare] 352 | for (i = 0; i < keylen; i++) | Reviewed-by: Daniel Kiper 2021-09-06 Wouter van Kesteren commands/setpci: Honor write mask argument In the case that one passes a write mask with ":" the write_mask is obtained from VasEBoot_strtoul() and then promptly overwritten by 0xffffffff three lines later. This appears to have been so since the initial version of setpci in 2009. I'm surprised no one else has hit this issue in the past 12 years... Reviewed-by: Daniel Kiper 2021-07-22 Jeff Mahoney osdep/linux/hostdisk: Use stat() instead of udevadm for partition lookup The sysfs_partition_path() calls udevadm to resolve the sysfs path for a block device. That can be accomplished by stating the device node and using the major/minor to follow the symlinks in /sys/dev/block/. This cuts the execution time of VasEBoot-mkconfig to somewhere near 55% on system without LVM (which uses libdevmapper instead sysfs_partition_path()). Remove udevadm call as it does not help us more than calling stat() directly. Reviewed-by: Daniel Kiper 2021-07-22 Petr Vorel osdep: Introduce include/VasEBoot/osdep/major.h and use it ... to factor out fix for glibc 2.25 introduced in 7a5b301e3 (build: Use AC_HEADER_MAJOR to find device macros). Note: Once glibc 2.25 is old enough and this fix is not needed also AC_HEADER_MAJOR in configure.ac should be removed. Reviewed-by: Daniel Kiper 2021-07-22 Daniel Axtens ieee1275: Drop HEAP_MAX_ADDR and HEAP_MIN_SIZE constants The HEAP_MAX_ADDR is confusing. Currently it is set to 32MB, except on ieee1275 on x86, where it is 64MB. There is a comment which purports to explain it: /* If possible, we will avoid claiming heap above this address, because it seems to cause relocation problems with OSes that link at 4 MiB */ This doesn't make a lot of sense when the constants are well above 4MB already. It was not always this way. Prior to commit 7b5d0fe4440c (Increase heap limit) in 2010, HEAP_MAX_SIZE and HEAP_MAX_ADDR were indeed 4MB. However, when the constants were increased the comment was left unchanged. It's been over a decade. It doesn't seem like we have problems with claims over 4MB on powerpc or x86 ieee1275. The SPARC does things completely differently and never used the constant. Drop the constant and the check. The only use of HEAP_MIN_SIZE was to potentially override the HEAP_MAX_ADDR check. It is now unused. Remove it too. Tested-by: Stefan Berger Reviewed-by: Daniel Kiper 2021-07-22 Marius Bakke tests/ahci: Change "ide-drive" deprecated QEMU device name to "ide-hd" The "ide-drive" device was removed in QEMU 6.0. The "ide-hd" has been available for more than 10 years now in QEMU. Thus there shouldn't be any need for backwards compatible names. Reviewed-by: Daniel Kiper 2021-07-22 Javier Martinez Canillas fs/ext2: Ignore checksum seed incompat feature This incompat feature is used to denote that the filesystem stored its metadata checksum seed in the superblock. This is used to allow tune2fs changing the UUID on a mounted metdata_csum filesystem without having to rewrite all the disk metadata. However, the VAS_EBOOT doesn't use the metadata checksum at all. So, it can just ignore this feature if it is enabled. This is consistent with the VAS_EBOOT filesystem code in general which just does a best effort to access the filesystem's data. The checksum seed incompat feature has to be removed from the ignore list if the support for metadata checksum verification is added to the VAS_EBOOT ext2 driver later. Suggested-by: Eric Sandeen Suggested-by: Lukas Czerner Reviewed-by: Lukas Czerner Reviewed-by: Daniel Kiper 2021-06-08 Glenn Washburn zfs: Use VasEBoot_uint64_t instead of 1ULL in BF64_*CODE() macros The underlying type of 1ULL does not change across architectures but VasEBoot_uint64_t does. This allows using the BF64_*CODE() macros as arguments to format string functions that use the PRI* format string macros that also vary with architecture. Change the VasEBoot_error() call, where this was previously an issue and temporarily fixed by casting and using a format string literal code, to now use PRI* macros and remove casting. Reviewed-by: Daniel Kiper 2021-06-08 Daniel Kiper Bump version to 2.11 Skip versions between 2.07 and 2.10 to avoid leading zeros in minor version number. This way version parsing in scripts should be easier. Release 2.06 2021-06-08 Daniel Kiper SECURITY: Add SECURITY file The SECURITY file describes the VAS_EBOOT project security policy. It is based on https://github.com/wireapp/wire/blob/master/SECURITY.md 2021-06-08 Daniel Kiper MAINTAINERS: Add MAINTAINERS file The MAINTAINERS file provides basic information about the VAS_EBOOT project and its maintainers. 2021-06-01 Dimitri John Ledkov VasEBoot-install: Add backup and restore Refactor clean_VasEBoot_dir() to create a backup of all the files, instead of just irrevocably removing them as the first action. If available, register atexit() handler to restore the backup if errors occur before point of no return, or remove the backup if everything was successful. If atexit() is not available, the backup remains on disk for manual recovery. Some platforms defined a point of no return, i.e. after modules & core images were updated. Failures from any commands after that stage are ignored, and backup is cleaned up. For example, on EFI platforms update is not reverted when efibootmgr fails. Extra care is taken to ensure atexit() handler is only invoked by the parent process and not any children forks. Some older VAS_EBOOT codebases can invoke parent atexit() hooks from forks, which can mess up the backup. This allows safer upgrades of MBR & modules, such that modules/images/fonts/translations are consistent with MBR in case of errors. For example accidental VasEBoot-install /dev/non-existent-disk currently clobbers and upgrades modules in /boot/VasEBoot, despite not actually updating any MBR. This patch only handles backup and restore of files copied to /boot/VasEBoot. This patch does not perform backup (or restoration) of MBR itself or blocklists. Thus when installing i386-pc platform, corruption may still occur with MBR and blocklists which will not be attempted to be automatically recovered. Also add modinfo.sh and *.efi to the cleanup/backup/restore code path, to ensure it is also cleaned, backed up and restored. Reviewed-by: Daniel Kiper 2021-06-01 Dimitri John Ledkov osdep/unix/exec: Avoid atexit() handlers when child execvp() fails The functions VasEBoot_util_exec_pipe() and VasEBoot_util_exec_pipe_stderr() currently call execvp(). If the call fails for any reason, the child currently calls exit(127). This in turn executes the parents atexit() handlers from the forked child, and then the same handlers are called again from parent. This is usually not desired, and can lead to deadlocks, and undesired behavior. So, change the exit() calls to _exit() calls to avoid calling atexit() handlers from child. Fixes: e75cf4a58 (unix exec: avoid atexit handlers when child exits) Reviewed-by: Daniel Kiper 2021-06-01 Jan (janneke) Nieuwenhuizen lib/i386/relocator64: Build fixes for i386 This fixes cross-compiling to x86 (e.g., the Hurd) from x86-linux of VasEBoot-core/lib/i386/relocator64.S This file has six sections that only build with a 64-bit assembler, yet only the first two sections had support for a 32-bit assembler. This patch completes this for the remaining sections. To reproduce, update the VAS_EBOOT source description in your local Guix archive and run ./pre-inst-env guix build --system=i686-linux --target=i586-pc-gnu VasEBoot or install an x86 cross-build environment on x86-linux (32-bit!) and configure to cross build and make, e.g., do something like ./configure \ CC_FOR_BUILD=gcc \ --build=i686-unknown-linux-gnu \ --host=i586-pc-gnu make Additionally, remove a line with redundant spaces. Reviewed-by: Daniel Kiper 2021-06-01 Javier Martinez Canillas fs/xfs: Add needsrepair incompat feature support The XFS now has an incompat feature flag to indicate that a filesystem needs to be repaired. The Linux kernel refuses to mount the filesystem that has it set and only the xfs_repair tool is able to clear that flag. The VAS_EBOOT doesn't have the concept of mounting filesystems and just attempts to read the files. But it does some sanity checking before attempting to read from the filesystem. Among the things which are tested, is if the super block only has set of incompatible features flags that are supported by VAS_EBOOT. If it contains any flags that are not listed as supported, reading the XFS filesystem fails. Since the VAS_EBOOT doesn't attempt to detect if the filesystem is inconsistent nor replays the journal, the filesystem access is a best effort. For this reason, ignore if the filesystem needs to be repaired and just print a debug message. That way, if reading or booting fails later, the user is able to figure out that the failures can be related to broken XFS filesystem. Suggested-by: Eric Sandeen Reviewed-by: Daniel Kiper 2021-06-01 Carlos Maiolino fs/xfs: Add bigtime incompat feature support The XFS filesystem supports a bigtime feature to overcome y2038 problem. This patch makes the VAS_EBOOT able to support the XFS filesystems with this feature enabled. The XFS counter for the bigtime enabled timestamps starts at 0, which translates to VAS_EBOOT_INT32_MIN (Dec 31 20:45:52 UTC 1901) in the legacy timestamps. The conversion to Unix timestamps is made before passing the value to other VAS_EBOOT functions. For this to work properly, VAS_EBOOT requires an access to flags2 field in the XFS ondisk inode. So, the VasEBoot_xfs_inode structure has been updated to cover full ondisk inode. Reviewed-by: Daniel Kiper 2021-06-01 Carlos Maiolino fs: Use 64-bit type for filesystem timestamp Some filesystems nowadays use 64-bit types for timestamps. So, update VasEBoot_dirhook_info struct to use an VasEBoot_int64_t type to store mtime. This also updates the VasEBoot_unixtime2datetime() function to receive a 64-bit timestamp argument and do 64-bit-safe divisions. All the remaining conversion from 32-bit to 64-bit should be safe, as 32-bit to 64-bit attributions will be implicitly casted. The most critical part in the 32-bit to 64-bit conversion is in the function VasEBoot_unixtime2datetime() where it needs to deal with the 64-bit type. So, for that, the VasEBoot_divmod64() helper has been used. These changes enables the VAS_EBOOT to support dates beyond y2038. Reviewed-by: Daniel Kiper 2021-05-28 Javier Martinez Canillas types: Define PRI{x,d}VAS_EBOOT_INT{32,64}_T format specifiers There are already PRI*_T constants defined for unsigned integers but not for signed integers. Add format specifiers for the latter. Suggested-by: Daniel Kiper Reviewed-by: Daniel Kiper 2021-05-28 Tianjia Zhang kern/efi/sb: Remove duplicate efi_shim_lock_guid variable The efi_shim_lock_guid local variable and shim_lock_guid global variable have the same GUID value. Only the latter is retained. Reviewed-by: Daniel Kiper 2021-05-10 Javier Martinez Canillas util/mkimage: Fix wrong PE32+ section sizes for some arches The commit f60ba9e5945 (util/mkimage: Refactor section setup to use a helper) added a helper function to setup PE sections. But it also changed how the raw data offsets were calculated since all the section sizes are aligned. However, for some platforms, i.e ia64-efi and arm64-efi, the kernel image size is not aligned using the section alignment. This leads to the situation in which the mods section offset in its PE section header does not match its real placement in the PE file. So, finally the VAS_EBOOT is not able to locate and load built-in modules. The problem surfaces on ia64-efi and arm64-efi because both platforms require additional relocation data which is added behind .bss section. So, we have to add some padding behind this extra data to make the beginning of mods section properly aligned in the PE file. Fix it by aligning the kernel_size to the section alignment. That makes the sizes and offsets in the PE section headers to match relevant sections in the PE32+ binary file. Reported-by: John Paul Adrian Glaubitz Tested-by: John Paul Adrian Glaubitz Reviewed-by: Daniel Kiper 2021-05-10 Daniel Kiper term/terminfo: Fix the terminfo command help and documentation Additionally, fix the terminfo spelling mistake in the VAS_EBOOT development documentation. Reviewed-by: Javier Martinez Canillas 2021-05-10 Daniel Kiper i18n: Align N_() formatting with the rest of VAS_EBOOT code Reviewed-by: Javier Martinez Canillas 2021-05-10 Daniel Kiper i18n: Format large integers before the translation message - take 2 This is an additional fix which has been missing from the commit 837fe48de (i18n: Format large integers before the translation message). Reviewed-by: Javier Martinez Canillas 2021-04-13 Miguel Ángel Arruga Vivas i18n: Format large integers before the translation message The GNU gettext only supports the ISO C99 macros for integral types. If there is a need to use unsupported formatting macros, e.g. PRIuVAS_EBOOT_UINT64_T, according to [1] the number to a string conversion should be separated from the code printing message requiring the internationalization. So, the function VasEBoot_snprintf() is used to print the numeric values to an intermediate buffer and the internationalized message contains a string format directive. [1] https://www.gnu.org/software/gettext/manual/html_node/Preparing-Strings.html#No-string-concatenation Reviewed-by: Daniel Kiper 2021-04-12 Daniel Axtens video/fb/fbfill: Use unsigned integers for width/height Since commit 7ce3259f67ac (video/fb/fbfill: Fix potential integer overflow), clang builds of VasEBoot-emu have failed with messages like: /usr/bin/ld: libVasEBootmods.a(libVasEBootmods_a-fbfill.o): in function `VasEBoot_video_fbfill_direct24': fbfill.c:(.text+0x28e): undefined reference to `__muloti4' This appears to be due to a weird quirk in how clang compiles VasEBoot_mul(dst->mode_info->bytes_per_pixel, width, &rowskip) which is VasEBoot_mul(unsigned int, int, &VasEBoot_size_t). It looks like clang somewhere promotes everything to 128-bit maths before ultimately reducing down to 64 bit for VasEBoot_size_t. I think this is because width is signed, and indeed converting width to an unsigned int makes the problem go away. This conversion also makes more sense generally: - the caller of all the fbfill_directN functions is VasEBoot_video_fb_fill_dispatch() and it takes width and height as unsigned ints already, - it doesn't make sense to fill a negative width or height. Convert the width and height arguments and associated loop counters to unsigned ints. Fixes: 7ce3259f67ac (video/fb/fbfill: Fix potential integer overflow) Reviewed-by: Daniel Kiper 2021-04-12 Glenn Washburn docs: Conform badmem and cutmem description indentations with other commands Reviewed-by: Daniel Kiper docs: Add note to cryptomount that UUIDs should be specified without dashes Reviewed-by: Daniel Kiper 2021-04-12 Aru Sahni templates: Fix user-facing typo with an incorrect use of "it's" Since the possessive form of "it" is being used, the apostrophe must be omitted. Reviewed-by: Daniel Kiper 2021-04-12 Colin Watson buffer: Sync up out-of-range error message The messages associated with other similar VAS_EBOOT_ERR_OUT_OF_RANGE errors were lacking the trailing full stop. Syncing up the strings saves a small amount of precious core image space on i386-pc. DOWN: obj/i386-pc/VasEBoot-core/kernel.img (31740 > 31708) - change: -32 DOWN: i386-pc core image (biosdisk ext2 part_msdos) (27453 > 27452) - change: -1 DOWN: i386-pc core image (biosdisk ext2 part_msdos diskfilter mdraid09) (32367 > 32359) - change: -8 Reviewed-by: Daniel Kiper 2021-04-12 Glenn Washburn usb/usbhub: Use VAS_EBOOT_USB_MAX_CONF macro instead of literal in hub for maximum configs Reviewed-by: Daniel Kiper 2021-04-12 Daniel Drake fs/minix: Avoid mistakenly probing ext2 filesystems The ext2 (and ext3, ext4) filesystems write the number of free inodes to location 0x410. On a MINIX filesystem, that same location is used for the MINIX superblock magic number. If the number of free inodes on an ext2 filesystem is equal to any of the four MINIX superblock magic values plus any multiple of 65536, VAS_EBOOT's MINIX filesystem code will probe it as a MINIX filesystem. In the case of an OS using ext2 as the root filesystem, since there will ordinarily be some amount of file creation and deletion on every bootup, it effectively means that this situation has a 1:16384 chance of being hit on every reboot. This will cause VAS_EBOOT's filesystem probing code to mistakenly identify an ext2 filesystem as MINIX. This can be seen by e.g. "search --label" incorrectly indicating that no such ext2 partition with matching label exists, whereas in fact it does. After spotting the rough cause of the issue I was facing here, I borrowed much of the diagnosis/explanation from meierfra who found and investigated the same issue in util-linux in 2010: https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/518582 This was fixed in util-linux by having the MINIX code check for the ext2 magic. Do the same here. Reviewed-by: Derek Foreman Reviewed-by: Daniel Kiper 2021-03-12 Daniel Kiper Release 2.06~rc1 2021-03-11 Ard Biesheuvel arm/linux: Fix ARM Linux header layout The hdr_offset member of the ARM Linux image header appears at offset 0x3c, matching the PE/COFF spec's placement of the COFF header offset in the MS-DOS header. We're currently off by four, so fix that. Reviewed-by: Daniel Kiper 2021-03-10 Glenn Washburn style: Format string macro should have a space between quotes Reviewed-by: Daniel Kiper 2021-03-10 Glenn Washburn VasEBoot/err: Do compile-time format string checking on VasEBoot_error() This should help prevent format string errors and thus improve the quality of error reporting. Reviewed-by: Daniel Kiper 2021-03-10 Glenn Washburn fs/zfs/zfs: Use format code "%llu" for 64-bit uint bp->blk_prop in VasEBoot_error() This is a temporary, less-intrusive change to get the build to success with compiler format string checking turned on. There is a better fix which addresses this issue, but it needs more testing. Use this change so that format string checking on VasEBoot_error() can be turned on until the better change is fully tested. Reviewed-by: Daniel Kiper 2021-03-10 Glenn Washburn fs/hfsplus: Use format code PRIuVAS_EBOOT_UINT64_T for 64-bit typed fileblock in VasEBoot_error() Reviewed-by: Daniel Kiper 2021-03-10 Glenn Washburn dl/elf: Use format code PRIxVAS_EBOOT_UINT64_T for 64-bit arg in VasEBoot_error() The macro ELF_R_TYPE does not change the underlying type. Here its argument is a 64-bit Elf64_Xword. Make sure the format code matches. For the RISC-V architecture, rel->r_info could be either Elf32_Xword or Elf64_Xword depending on if 32 or 64-bit RISC-V is being built. So cast to 64-bit value regardless. Reviewed-by: Daniel Kiper 2021-03-10 Glenn Washburn disk/ata: Use format code PRIxVAS_EBOOT_UINT64_T for 64-bit uint argument in VasEBoot_error() Reviewed-by: Daniel Kiper 2021-03-10 Glenn Washburn loader/i386/pc/linux: Use PRI* macros to get correct format string code across architectures Also remove casting of format string args so that the architecture dependent type is preserved. Reviewed-by: Daniel Kiper 2021-03-10 Glenn Washburn kern/efi/mm: Format string error in VasEBoot_error() The second format string argument, VAS_EBOOT_EFI_MAX_USABLE_ADDRESS, is a macro to a number literal. However, depending on what the target architecture, the type can be 32 or 64 bits. Cast to a 64-bit integer. Also, change the format string literals "%llx" to use PRIxVAS_EBOOT_UINT64_T. Reviewed-by: Daniel Kiper 2021-03-10 Glenn Washburn commands/pgp: Format code for VasEBoot_error() is incorrect The format code is for a 32-bit int, but the argument, keyid, is declared as a 64 bit int. The comment above says keyid is 32-bit. I'm not sure if the comment or declaration is wrong, so force the display of a 64-bit int for now. Reviewed-by: Daniel Kiper 2021-03-10 Glenn Washburn VasEBoot_error: Use format code PRIuVAS_EBOOT_SIZE for variables of type VasEBoot_size_t Reviewed-by: Daniel Kiper 2021-03-10 Glenn Washburn disk/dmraid_nvidia: Format string error in VasEBoot_error() The VasEBoot_error() has a format string expecting two arguments, but only one provided. According to the comments in the struct VasEBoot_nv_super definition, the version field looks like a version number where major.minor is encoded as each a byte in the two-byte short. Reviewed-by: Daniel Kiper 2021-03-10 Glenn Washburn video/bochs: VasEBoot_error() format string add missing format code Reviewed-by: Daniel Kiper 2021-03-10 Glenn Washburn parttool/msdospart: VasEBoot_error() missing format string argument Its obvious from the error message that the variable named "type" was accidentally omitted. Reviewed-by: Daniel Kiper 2021-03-10 Glenn Washburn misc: Format string for VasEBoot_error() should be a literal Reviewed-by: Daniel Kiper 2021-03-10 Philip Müller templates: Properly disable the os-prober by default This patch does the following: - really disables os-prober by default in the util/VasEBoot-mkconfig.in by setting VAS_EBOOT_DISABLE_OS_PROBER to true, - fixes the logic in the util/VasEBoot.d/30_os-prober.in, - updates the VasEBoot_warn() lines. Reason for the code shuffling in the util/VasEBoot-mkconfig.in: The default was VAS_EBOOT_DISABLE_OS_PROBER=false if you don't set VAS_EBOOT_DISABLE_OS_PROBER at all. To prevent os-prober from starting we have to set it by default to true and shuffle VAS_EBOOT_DISABLE_OS_PROBER to code section, which is executed by the script. However we still give an option to the user to overwrite it with false, if he wants to execute os-prober after all. Fixes: e3464147 (templates: Disable the os-prober by default) Reported-by: Didier Spaier Reported-by: Lennart Sorensen Reported-by: John Paul Adrian Glaubitz Reviewed-by: Daniel Kiper 2021-03-10 Michael Chang kern/efi/sb: Add chainloaded image as shim's verifiable object While attempting to dual boot Microsoft Windows with UEFI chainloader, it failed with below error when UEFI Secure Boot was enabled: error ../../VasEBoot-core/kern/verifiers.c:119:verification requested but nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi. It is a regression, as previously it worked without any problem. It turns out chainloading PE image has been locked down by commit 578c95298 (kern: Add lockdown support). However, we should consider it as verifiable object by shim to allow booting in UEFI Secure Boot mode. The chainloaded PE image could also have trusted signature created by vendor with their pubkey cert in db. For that matters it's usage should not be locked down under UEFI Secure Boot, and instead shim should be allowed to validate a PE binary signature before running it. Fixes: 578c95298 (kern: Add lockdown support) Reviewed-by: Daniel Kiper 2021-03-10 Glenn Washburn disk/pata: Suppress error message "no device connected" This error message comes from the VasEBoot_print_error() in VasEBoot_pata_device_initialize(), which does not pass on the error, and is raised in check_device(). The function check_device() needs to return this as an error because check_device() is also used in VasEBoot_pata_open(), which does pass on this error to indicate that the device can not be used. This is actually not an error when displayed by VasEBoot_pata_device_initialize() because it just indicates that there are no pata devices seen. This may be confusing to end users who do not have pata devices yet are loading the pata module (perhaps implicitly via nativedisk). This also causes unnecessary output which may need to be accounted for in functional testing. Instead print to the debug log when check_device() raises this "error" and pop the error from the error stack. If there is another error on the stack then print the error stack as those should be real errors. Acked-by: Paul Menzel Reviewed-by: Daniel Kiper 2021-03-10 Yi Zhao fs/ext2: Fix a file not found error when a symlink filesize is equal to 60 We encountered a file not found error when the symlink filesize is equal to 60: $ ls -l initrd lrwxrwxrwx 1 root root 60 Jan 6 16:37 initrd -> secure-core-image-initramfs-5.10.2-yoctodev-standard.cpio.gz When booting, we got the following error in the VAS_EBOOT: error: file `/initrd' not found The root cause is that the size of diro->inode.symlink is equal to 60 and a symlink name has to be terminated with NUL there. So, if the symlink filesize is exactly 60 then it is also stored in a separate block rather than in the inode itself. Reviewed-by: Daniel Kiper 2021-03-02 Tianjia Zhang loader/i386/linux: Do not use VasEBoot_le_to_cpu32() for relocatable variable The relocatable variable is defined as VasEBoot_uint8_t. Relevant member in setup_header structure is also defined as one byte in Linux boot protocol. By semantic definition it is a bool type. It is not appropriate to treat it as a four bytes. This patch fixes the issue. Reviewed-by: Daniel Kiper 2021-03-02 Tianjia Zhang loader/i386/linux: Remove redundant code from in VasEBoot_cmd_linux() The preferred_address has been assigned to VAS_EBOOT_LINUX_BZIMAGE_ADDR during initialization in VasEBoot_cmd_linux(). The assignment here is redundant and should be removed. Reviewed-by: Daniel Kiper 2021-03-02 Heinrich Schuchardt efi: The device-tree must be in EfiACPIReclaimMemory According to the Embedded Base Boot Requirements (EBBR) specification the device-tree passed to Linux as a configuration table must reside in EfiACPIReclaimMemory. Reviewed-by: Daniel Kiper 2021-03-02 Heinrich Schuchardt commands/efi/lsefisystab: Add short text for EFI_RT_PROPERTIES_TABLE_GUID UEFI specification 2.8 errata B introduced the EFI_RT_PROPERTIES_TABLE describing the services available at runtime. The lsefisystab command is used to display installed EFI configuration tables. Currently it only shows the GUID but not a short text for the new table. Provide a short text for the EFI_RT_PROPERTIES_TABLE_GUID. Reviewed-by: Daniel Kiper 2021-03-02 Petr Vorel docs/luks2: Mention key derivation function support To give users hint why Argon2, the default in cryptsetup for LUKS2, does not work. Acked-by: Paul Menzel Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2021-03-02 Derek Foreman commands/file: Fix array/enum desync The commit f1957dc8a (RISC-V: Add to build system) added two entries to the options array, but only 1 entry to the enum. This resulted in everything after the insertion point being off by one. This broke at least the "file --is-hibernated-hiberfil" command. Bring the two back in sync by splitting the IS_RISCV_EFI enum entry into two, as is done for other architectures. Reviewed-by: Daniel Kiper 2021-03-02 Marco A Benatto kern/mm: Fix VasEBoot_debug_calloc() compilation error Fix compilation error due to missing parameter to VasEBoot_printf() when MM_DEBUG is defined. Fixes: 64e26162e (calloc: Make sure we always have an overflow-checking calloc() available) Reviewed-by: Daniel Kiper 2021-03-02 Alex Burmashev templates: Disable the os-prober by default The os-prober is enabled by default what may lead to potentially dangerous use cases and borderline opening attack vectors. This patch disables the os-prober, adds warning messages and updates VAS_EBOOT_DISABLE_OS_PROBER configuration option documentation. This way we make it clear that the os-prober usage is not recommended. Simplistic nature of this change allows downstream vendors, who really want os-prober to be enabled out of the box in their relevant products, easily revert to it's old behavior. Reported-by: NyankoSec (, https://twitter.com/NyankoSec), working with SSD Secure Disclosure Reviewed-by: Daniel Kiper 2021-03-02 Thomas Frauendorfer | Miray Software gfxmenu/gui: Check printf() format in the gui_progress_bar and gui_label The gui_progress_bar and gui_label components can display the timeout value. The format string can be set through a theme file. This patch adds a validation step to the format string. If a user loads a theme file into the VAS_EBOOT without this patch then a GUI label with the following settings + label { ... id = "__timeout__" text = "%s" } will interpret the current timeout value as string pointer and print the memory at that position on the screen. It is not desired behavior. Reviewed-by: Daniel Kiper 2021-03-02 Thomas Frauendorfer | Miray Software kern/misc: Add function to check printf() format against expected format The VasEBoot_printf_fmt_check() function parses the arguments of an untrusted printf() format and an expected printf() format and then compares the arguments counts and arguments types. The arguments count in the untrusted format string must be less or equal to the arguments count in the expected format string and both arguments types must match. To do this the parse_printf_arg_fmt() helper function is extended in the following way: 1. Add a return value to report errors to the VasEBoot_printf_fmt_check(). 2. Add the fmt_check argument to enable stricter format verification: - the function expects that arguments definitions are always terminated by a supported conversion specifier. - positional parameters, "$", are not allowed, as they cannot be validated correctly with the current implementation. For example "%s%1$d" would assign the first args entry twice while leaving the second one unchanged. - Return an error if preallocated space in args is too small and allocation fails for the needed size. The VasEBoot_printf_fmt_check() should verify all arguments. So, if validation is not possible for any reason it should return an error. This also adds a case entry to handle "%%", which is the escape sequence to print "%" character. 3. Add the max_args argument to check for the maximum allowed arguments count in a printf() string. This should be set to the arguments count of the expected format. Then the parse_printf_arg_fmt() function will return an error if the arguments count is exceeded. The two additional arguments allow us to use parse_printf_arg_fmt() in printf() and VasEBoot_printf_fmt_check() calls. When parse_printf_arg_fmt() is used by VasEBoot_printf_fmt_check() the function parse user provided untrusted format string too. So, in that case it is better to be too strict than too lenient. Reviewed-by: Daniel Kiper 2021-03-02 Thomas Frauendorfer | Miray Software kern/misc: Add STRING type for internal printf() format handling Set printf() argument type for "%s" to new type STRING. This is in preparation for a follow up patch to compare a printf() format string against an expected printf() format string. For "%s" the corresponding printf() argument is dereferenced as pointer while all other argument types are defined as integer value. However, when validating a printf() format it is necessary to differentiate "%s" from "%p" and other integers. So, let's do that. Reviewed-by: Daniel Kiper 2021-03-02 Thomas Frauendorfer | Miray Software kern/misc: Split parse_printf_args() into format parsing and va_list handling This patch is preparing for a follow up patch which will use the format parsing part to compare the arguments in a printf() format from an external source against a printf() format with expected arguments. Reviewed-by: Daniel Kiper 2021-03-02 Dimitri John Ledkov shim_lock: Only skip loading shim_lock verifier with explicit consent Commit 32ddc42c (efi: Only register shim_lock verifier if shim_lock protocol is found and SB enabled) reintroduced CVE-2020-15705 which previously only existed in the out-of-tree linuxefi patches and was fixed as part of the BootHole patch series. Under Secure Boot enforce loading shim_lock verifier. Allow skipping shim_lock verifier if SecureBoot/MokSBState EFI variables indicate skipping validations, or if VAS_EBOOT image is built with --disable-shim-lock. Fixes: 132ddc42c (efi: Only register shim_lock verifier if shim_lock protocol is found and SB enabled) Fixes: CVE-2020-15705 Fixes: CVE-2021-3418 Reported-by: Dimitri John Ledkov Reviewed-by: Daniel Kiper 2021-03-02 Dimitri John Ledkov VasEBoot-install-common: Add --sbat option Reviewed-by: Daniel Kiper 2021-03-02 Peter Jones util/mkimage: Add an option to import SBAT metadata into a .sbat section Add a --sbat option to the VasEBoot-mkimage tool which allows us to import an SBAT metadata formatted as a CSV file into a .sbat section of the EFI binary. Reviewed-by: Daniel Kiper 2021-03-02 Peter Jones util/mkimage: Refactor section setup to use a helper Add a init_pe_section() helper function to setup PE sections. This makes the code simpler and easier to read. Reviewed-by: Daniel Kiper 2021-03-02 Peter Jones util/mkimage: Improve data_size value calculation According to "Microsoft Portable Executable and Common Object File Format Specification", the Optional Header SizeOfInitializedData field contains: Size of the initialized data section, or the sum of all such sections if there are multiple data sections. Make this explicit by adding the VAS_EBOOT kernel data size to the sum of all the modules sizes. The ALIGN_UP() is not required by the PE spec but do it to avoid alignment issues. Reviewed-by: Daniel Kiper 2021-03-02 Peter Jones util/mkimage: Reorder PE optional header fields set-up This makes the PE32 and PE32+ header fields set-up easier to follow by setting them closer to the initialization of their related sections. Reviewed-by: Daniel Kiper 2021-03-02 Peter Jones util/mkimage: Unify more of the PE32 and PE32+ header set-up There's quite a bit of code duplication in the code that sets the optional header for PE32 and PE32+. The two are very similar with the exception of a few fields that have type VasEBoot_uint64_t instead of VasEBoot_uint32_t. Factor out the common code and add a PE_OHDR() macro that simplifies the set-up and make the code more readable. Reviewed-by: Daniel Kiper 2021-03-02 Peter Jones util/mkimage: Always use VasEBoot_host_to_target32() to initialize PE stack and heap stuff This change does not impact final result of initialization itself. However, it eases PE code unification in subsequent patches. Reviewed-by: Daniel Kiper 2021-03-02 Peter Jones util/mkimage: Use VasEBoot_host_to_target32() instead of VasEBoot_cpu_to_le32() The latter doesn't take into account the target image endianness. There is a VasEBoot_cpu_to_le32_compile_time() but no compile time variant for function VasEBoot_host_to_target32(). So, let's keep using the other one for this case. Reviewed-by: Daniel Kiper 2021-03-02 Javier Martinez Canillas util/mkimage: Remove unused code to add BSS section The code is compiled out so there is no reason to keep it. Additionally, don't set bss_size field since we do not add a BSS section. Reviewed-by: Daniel Kiper 2021-03-02 Chris Coulson kern/efi: Add initial stack protector implementation It works only on UEFI platforms but can be quite easily extended to others architectures and platforms if needed. Reviewed-by: Marco A Benatto Reviewed-by: Javier Martinez Canillas 2021-03-02 Chris Coulson kern/parser: Fix a stack buffer overflow VasEBoot_parser_split_cmdline() expands variable names present in the supplied command line in to their corresponding variable contents and uses a 1 kiB stack buffer for temporary storage without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer via tab completion, corrupt the stack frame and potentially control execution. Fixes: CVE-2020-27749 Reported-by: Chris Coulson Reviewed-by: Daniel Kiper 2021-03-02 Chris Coulson kern/buffer: Add variable sized heap buffer Add a new variable sized heap buffer type (VasEBoot_buffer_t) with simple operations for appending data, accessing the data and maintaining a read cursor. Reviewed-by: Daniel Kiper 2021-03-02 Chris Coulson kern/parser: Refactor VasEBoot_parser_split_cmdline() cleanup Introduce a common function epilogue used for cleaning up on all return paths, which will simplify additional error handling to be introduced in a subsequent commit. Reviewed-by: Daniel Kiper 2021-03-02 Chris Coulson kern/parser: Introduce terminate_arg() helper process_char() and VasEBoot_parser_split_cmdline() use similar code for terminating the most recent argument. Add a helper function for this. Reviewed-by: Daniel Kiper 2021-03-02 Chris Coulson kern/parser: Introduce process_char() helper VasEBoot_parser_split_cmdline() iterates over each command line character. In order to add error checking and to simplify the subsequent error handling, split the character processing in to a separate function. Reviewed-by: Daniel Kiper 2021-03-02 Chris Coulson kern/parser: Fix a memory leak The getline() function supplied to VasEBoot_parser_split_cmdline() returns a newly allocated buffer and can be called multiple times, but the returned buffer is never freed. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens fs/btrfs: Squash some uninitialized reads We need to check errors before calling into a function that uses the result. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens fs/btrfs: Validate the number of stripes/parities in RAID5/6 This prevents a divide by zero if nstripes == nparities, and also prevents propagation of invalid values if nstripes ends up less than nparities. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens disk/lvm: Do not allow a LV to be it's own segment's node's LV This prevents infinite recursion in the diskfilter verification code. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens disk/lvm: Sanitize rlocn->offset to prevent wild read rlocn->offset is read directly from disk and added to the metadatabuf pointer to create a pointer to a block of metadata. It's a 64-bit quantity so as long as you don't overflow you can set subsequent pointers to point anywhere in memory. Require that rlocn->offset fits within the metadata buffer size. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens disk/lvm: Do not overread metadata We could reach the end of valid metadata and not realize, leading to some buffer overreads. Check if we have reached the end and bail. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens disk/lvm: Do not crash if an expected string is not found Clean up a bunch of cases where we could have strstr() fail and lead to us dereferencing NULL. We'll still leak memory in some cases (loops don't clean up allocations from earlier iterations if a later iteration fails) but at least we're not crashing. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens disk/lvm: Bail on missing PV list There's an if block for the presence of "physical_volumes {", but if that block is absent, then p remains NULL and a NULL-deref will result when looking for logical volumes. It doesn't seem like LVM makes sense without physical volumes, so error out rather than crashing. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens disk/lvm: Don't blast past the end of the circular metadata buffer This catches at least some OOB reads, and it's possible I suppose that if 2 * mda_size is less than VAS_EBOOT_LVM_MDA_HEADER_SIZE it might catch some OOB writes too (although that hasn't showed up as a crash in fuzzing yet). It's a bit ugly and I'd appreciate better suggestions. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens disk/lvm: Don't go beyond the end of the data we read from disk We unconditionally trusted offset_xl from the LVM label header, even if it told us that the PV header/disk locations were way off past the end of the data we read from disk. Require that the offset be sane, fixing an OOB read and crash. Fixes: CID 314367, CID 314371 Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails If huft_build() fails, gzio->tl or gzio->td could contain pointers that are no longer valid. Zero them out. This prevents a double free when VasEBoot_gzio_close() comes through and attempts to free them again. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens io/gzio: Catch missing values in huft_build() and bail In huft_build(), "v" is a table of values in order of bit length. The code later (when setting up table entries in "r") assumes that all elements of this array corresponding to a code are initialized and less than N_MAX. However, it doesn't enforce this. With sufficiently manipulated inputs (e.g. from fuzzing), there can be elements of "v" that are not filled. Therefore a lookup into "e" or "d" will use an uninitialized value. This can lead to an invalid/OOB read on those values, often leading to a crash. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens io/gzio: Add init_dynamic_block() clean up if unpacking codes fails init_dynamic_block() didn't clean up gzio->tl and td in some error paths. This left td pointing to part of tl. Then in VasEBoot_gzio_close(), when tl was freed the storage for td would also be freed. The code then attempts to free td explicitly, performing a UAF and then a double free. Explicitly clean up tl and td in the error paths. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens io/gzio: Bail if gzio->tl/td is NULL This is an ugly fix that doesn't address why gzio->tl comes to be NULL. However, it seems to be sufficient to patch up a bunch of NULL derefs. It would be good to revisit this in future and see if we can have a cleaner solution that addresses some of the causes of the unexpected NULL pointers. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens fs/nilfs2: Properly bail on errors in VasEBoot_nilfs2_btree_node_lookup() We just introduced an error return in VasEBoot_nilfs2_btree_node_lookup(). Make sure the callers catch it. At the same time, make sure that VasEBoot_nilfs2_btree_node_lookup() always inits the index pointer passed to it. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens fs/nilfs2: Don't search children if provided number is too large NILFS2 reads the number of children a node has from the node. Unfortunately, that's not trustworthy. Check if it's beyond what the filesystem permits and reject it if so. This blocks some OOB reads. I'm not sure how controllable the read is and what could be done with invalidly read data later on. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens fs/nilfs2: Reject too-large keys NILFS2 has up to 7 keys, per the data structure. Do not permit array indices in excess of that. This catches some OOB reads. I don't know how controllable the invalidly read data is or if that could be used later in the program. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens fs/jfs: Catch infinite recursion It's possible with a fuzzed filesystem for JFS to keep getblk()-ing the same data over and over again, leading to stack exhaustion. Check if we'd be calling the function with exactly the same data as was passed in, and if so abort. I'm not sure what the performance impact of this is and am open to better ideas. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens fs/jfs: Limit the extents that getblk() can consider getblk() implicitly trusts that treehead->count is an accurate count of the number of extents. However, that value is read from disk and is not trustworthy, leading to OOB reads and crashes. I am not sure to what extent the data read from OOB can influence subsequent program execution. Require callers to pass in the maximum number of extents for which they have storage. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens fs/jfs: Do not move to leaf level if name length is negative Fuzzing JFS revealed crashes where a negative number would be passed to le_to_cpu16_copy(). There it would be cast to a large positive number and the copy would read and write off the end of the respective buffers. Catch this at the top as well as the bottom of the loop. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens fs/sfs: Fix over-read of root object name There's a read of the name of the root object that assumes that the name is nul-terminated within the root block. This isn't guaranteed - it seems SFS would require you to read multiple blocks to get a full name in general, but maybe that doesn't apply to the root object. Either way, figure out how much space is left in the root block and don't over-read it. This fixes some OOB reads. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens fs/hfs: Disable under lockdown HFS has issues such as infinite mutual recursion that are simply too complex to fix for such a legacy format. So simply do not permit it to be loaded under lockdown. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens fs/hfsplus: Don't use uninitialized data on corrupt filesystems Valgrind identified the following use of uninitialized data: ==2782220== Conditional jump or move depends on uninitialised value(s) ==2782220== at 0x42B364: VasEBoot_hfsplus_btree_search (hfsplus.c:566) ==2782220== by 0x42B21D: VasEBoot_hfsplus_read_block (hfsplus.c:185) ==2782220== by 0x42A693: VasEBoot_fshelp_read_file (fshelp.c:386) ==2782220== by 0x42C598: VasEBoot_hfsplus_read_file (hfsplus.c:219) ==2782220== by 0x42C598: VasEBoot_hfsplus_mount (hfsplus.c:330) ==2782220== by 0x42B8C5: VasEBoot_hfsplus_dir (hfsplus.c:958) ==2782220== by 0x4C1AE6: VasEBoot_fs_probe (fs.c:73) ==2782220== by 0x407C94: VasEBoot_ls_list_files (ls.c:186) ==2782220== by 0x407C94: VasEBoot_cmd_ls (ls.c:284) ==2782220== by 0x4D7130: VasEBoot_extcmd_dispatcher (extcmd.c:55) ==2782220== by 0x4045A6: execute_command (VasEBoot-fstest.c:59) ==2782220== by 0x4045A6: fstest (VasEBoot-fstest.c:433) ==2782220== by 0x4045A6: main (VasEBoot-fstest.c:772) ==2782220== Uninitialised value was created by a heap allocation ==2782220== at 0x483C7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==2782220== by 0x4C0305: VasEBoot_malloc (mm.c:42) ==2782220== by 0x42C21D: VasEBoot_hfsplus_mount (hfsplus.c:239) ==2782220== by 0x42B8C5: VasEBoot_hfsplus_dir (hfsplus.c:958) ==2782220== by 0x4C1AE6: VasEBoot_fs_probe (fs.c:73) ==2782220== by 0x407C94: VasEBoot_ls_list_files (ls.c:186) ==2782220== by 0x407C94: VasEBoot_cmd_ls (ls.c:284) ==2782220== by 0x4D7130: VasEBoot_extcmd_dispatcher (extcmd.c:55) ==2782220== by 0x4045A6: execute_command (VasEBoot-fstest.c:59) ==2782220== by 0x4045A6: fstest (VasEBoot-fstest.c:433) ==2782220== by 0x4045A6: main (VasEBoot-fstest.c:772) This happens when the process of reading the catalog file goes sufficiently wrong that there's an attempt to read the extent overflow file, which has not yet been loaded. Keep track of when the extent overflow file is fully loaded and refuse to use it before then. The load valgrind doesn't like is btree->nodesize, and that's then used to allocate a data structure. It looks like there are subsequently a lot of reads based on that pointer so OOB reads are likely, and indeed crashes (albeit difficult-to-replicate ones) have been observed in fuzzing. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens fs/hfsplus: Don't fetch a key beyond the end of the node Otherwise you get a wild pointer, leading to a bunch of invalid reads. Check it falls inside the given node. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens fs/fshelp: Catch impermissibly large block sizes in read helper A fuzzed HFS+ filesystem had log2blocksize = 22. This gave log2blocksize + VAS_EBOOT_DISK_SECTOR_BITS = 31. 1 << 31 = 0x80000000, which is -1 as an int. This caused some wacky behavior later on in the function, leading to out-of-bounds writes on the destination buffer. Catch log2blocksize + VAS_EBOOT_DISK_SECTOR_BITS >= 31. We could be stricter, but this is the minimum that will prevent integer size weirdness. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens term/gfxterm: Don't set up a font with glyphs that are too big Catch the case where we have a font so big that it causes the number of rows or columns to be 0. Currently we continue and allocate a virtual_screen.text_buffer of size 0. We then try to use that for glpyhs and things go badly. On the emu platform, malloc() may give us a valid pointer, in which case we'll access heap memory which we shouldn't. Alternatively, it may give us NULL, in which case we'll crash. For other platforms, if I understand VasEBoot_memalign() correctly, we will receive a valid but small allocation that we will very likely later overrun. Prevent the creation of a virtual screen that isn't at least 40 cols by 12 rows. This is arbitrary, but it seems that if your width or height is half a standard 80x24 terminal, you're probably going to struggle to read anything anyway. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens video/readers/jpeg: Don't decode data before start of stream When a start of stream marker is encountered, we call VasEBoot_jpeg_decode_sos() which allocates space for a bitmap. When a restart marker is encountered, we call VasEBoot_jpeg_decode_data() which then fills in that bitmap. If we get a restart marker before the start of stream marker, we will attempt to write to a bitmap_ptr that hasn't been allocated. Catch this and bail out. This fixes an attempt to write to NULL. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens video/readers/jpeg: Catch OOB reads/writes in VasEBoot_jpeg_decode_du() The key line is: du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; jpeg_zigzag_order is VasEBoot_uint8_t[64]. I don't understand JPEG decoders quite well enough to explain what's going on here. However, I observe sometimes pos=64, which leads to an OOB read of the jpeg_zigzag_order global then an OOB write to du. That leads to various unpleasant memory corruption conditions. Catch where pos >= ARRAY_SIZE(jpeg_zigzag_order) and bail. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens video/readers/jpeg: Catch files with unsupported quantization or Huffman tables Our decoder only supports 2 quantization tables. If a file asks for a quantization table with index > 1, reject it. Similarly, our decoder only supports 4 Huffman tables. If a file asks for a Huffman table with index > 3, reject it. This fixes some out of bounds reads. It's not clear what degree of control over subsequent execution could be gained by someone who can carefully set up the contents of memory before loading an invalid JPEG file. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens kern/misc: Always set *end in VasEBoot_strtoull() Currently, if there is an error in VasEBoot_strtoull(), *end is not set. This differs from the usual behavior of strtoull(), and also means that some callers may use an uninitialized value for *end. Set *end unconditionally. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens commands/menuentry: Fix quoting in setparams_prefix() Commit 9acdcbf32542 (use single quotes in menuentry setparams command) says that expressing a quoted single quote will require 3 characters. It actually requires (and always did require!) 4 characters: str: a'b => a'\''b len: 3 => 6 (2 for the letters + 4 for the quote) This leads to not allocating enough memory and thus out of bounds writes that have been observed to cause heap corruption. Allocate 4 bytes for each single quote. Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same quoting, but it adds 3 as extra overhead on top of the single byte that the quote already needs. So it's correct. Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command) Fixes: CVE-2021-20233 Reported-by: Daniel Axtens Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens script/execute: Don't crash on a "for" loop with no items The following crashes the parser: for x in; do 0 done This is because VasEBoot_script_arglist_to_argv() doesn't consider the possibility that arglist is NULL. Catch that explicitly. This avoids a NULL pointer dereference. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens lib/arg: Block repeated short options that require an argument Fuzzing found the following crash: search -hhhhhhhhhhhhhf We didn't allocate enough option space for 13 hints because the allocation code counts the number of discrete arguments (i.e. argc). However, the shortopt parsing code will happily keep processing a combination of short options without checking if those short options require an argument. This means you can easily end writing past the allocated option space. This fixes a OOB write which can cause heap corruption. Fixes: CVE-2021-20225 Reported-by: Daniel Axtens Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens script/execute: Avoid crash when using "$#" outside a function scope "$#" represents the number of arguments to a function. It is only defined in a function scope, where "scope" is non-NULL. Currently, if we attempt to evaluate "$#" outside a function scope, "scope" will be NULL and we will crash with a NULL pointer dereference. Do not attempt to count arguments for "$#" if "scope" is NULL. This will result in "$#" being interpreted as an empty string if evaluated outside a function scope. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens commands/ls: Require device_name is not NULL before printing This can be triggered with: ls -l (0 0*) and causes a NULL deref in VasEBoot_normal_print_device_info(). I'm not sure if there's any implication with the IEEE 1275 platform. Reviewed-by: Daniel Kiper 2021-03-02 Daniel Axtens script/execute: Fix NULL dereference in VasEBoot_script_execute_cmdline() Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny util/glue-efi: Fix incorrect use of a possibly negative value It is possible for the ftell() function to return a negative value, although it is fairly unlikely here, we should be checking for a negative value before we assign it to an unsigned value. Fixes: CID 73744 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny util/VasEBoot-editenv: Fix incorrect casting of a signed value The return value of ftell() may be negative (-1) on error. While it is probably unlikely to occur, we should not blindly cast to an unsigned value without first testing that it is not negative. Fixes: CID 73856 Reviewed-by: Daniel Kiper 2021-03-02 Daniel Kiper util/VasEBoot-install: Fix NULL pointer dereferences Two VasEBoot_device_open() calls does not have associated NULL checks for returned values. Fix that and appease the Coverity. Fixes: CID 314583 Reviewed-by: Javier Martinez Canillas 2021-03-02 Paulo Flabiano Smorigo loader/xnu: Check if pointer is NULL before using it Fixes: CID 73654 Reviewed-by: Daniel Kiper 2021-03-02 Marco A Benatto loader/xnu: Free driverkey data when an error is detected in VasEBoot_xnu_writetree_toheap() ... to avoid memory leaks. Fixes: CID 96640 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny loader/xnu: Fix memory leak The code here is finished with the memory stored in name, but it only frees it if there curvalue is valid, while it could actually free it regardless. The fix is a simple relocation of the VasEBoot_free() to before the test of curvalue. Fixes: CID 96646 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny loader/bsd: Check for NULL arg up-front The code in the next block suggests that it is possible for .set to be true but .arg may still be NULL. This code assumes that it is never NULL, yet later is testing if it is NULL - that is inconsistent. So we should check first if .arg is not NULL, and remove this check that is being flagged by Coverity since it is no longer required. Fixes: CID 292471 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny gfxmenu/gui_list: Remove code that coverity is flagging as dead The test of value for NULL before calling VasEBoot_strdup() is not required, since the if condition prior to this has already tested for value being NULL and cannot reach this code if it is. Fixes: CID 73659 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny video/readers/jpeg: Test for an invalid next marker reference from a jpeg file While it may never happen, and potentially could be caught at the end of the function, it is worth checking up front for a bad reference to the next marker just in case of a maliciously crafted file being provided. Fixes: CID 73694 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny video/fb/video_fb: Fix possible integer overflow It is minimal possibility that the values being used here will overflow. So, change the code to use the safemath function VasEBoot_mul() to ensure that doesn't happen. Fixes: CID 73761 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny video/fb/video_fb: Fix multiple integer overflows The calculation of the unsigned 64-bit value is being generated by multiplying 2, signed or unsigned, 32-bit integers which may overflow before promotion to unsigned 64-bit. Fix all of them. Fixes: CID 73703, CID 73767, CID 73833 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny video/fb/fbfill: Fix potential integer overflow The multiplication of 2 unsigned 32-bit integers may overflow before promotion to unsigned 64-bit. We should ensure that the multiplication is done with overflow detection. Additionally, use VasEBoot_sub() for subtraction. Fixes: CID 73640, CID 73697, CID 73702, CID 73823 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny video/efi_gop: Remove unnecessary return value of VasEBoot_video_gop_fill_mode_info() The return value of VasEBoot_video_gop_fill_mode_info() is never able to be anything other than VAS_EBOOT_ERR_NONE. So, rather than continue to return a value and checking it each time, it is more correct to redefine the function to not return anything and remove checks of its return value altogether. Fixes: CID 96701 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny commands/probe: Fix a resource leak when probing disks Every other return statement in this code is calling VasEBoot_device_close() to clean up dev before returning. This one should do that too. Fixes: CID 292443 Reviewed-by: Daniel Kiper 2021-03-02 Chris Coulson commands/hashsum: Fix a memory leak check_list() uses VasEBoot_file_getline(), which allocates a buffer. If the hash list file contains invalid lines, the function leaks this buffer when it returns an error. Fixes: CID 176635 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny normal/completion: Fix leaking of memory when processing a completion It is possible for the code to reach the end of the function without freeing the memory allocated to argv and argc still to be 0. We should always call VasEBoot_free(argv). The VasEBoot_free() will handle a NULL argument correctly if it reaches that code without the memory being allocated. Fixes: CID 96672 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny syslinux: Fix memory leak while parsing In syslinux_parse_real() the 2 points where return is being called didn't release the memory stored in buf which is no longer required. Fixes: CID 176634 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny libgcrypt/mpi: Fix possible NULL dereference The code in gcry_mpi_scan() assumes that buffer is not NULL, but there is no explicit check for that, so we add one. Fixes: CID 73757 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny libgcrypt/mpi: Fix possible unintended sign extension The array of unsigned char gets promoted to a signed 32-bit int before it is finally promoted to a size_t. There is the possibility that this may result in the signed-bit being set for the intermediate signed 32-bit int. We should ensure that the promotion is to the correct type before we bitwise-OR the values. Fixes: CID 96697 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny affs: Fix memory leaks The node structure reference is being allocated but not freed if it reaches the end of the function. If any of the hooks had returned a non-zero value, then node would have been copied in to the context reference, but otherwise node is not stored and should be freed. Similarly, the call to VasEBoot_affs_create_node() replaces the allocated memory in node with a newly allocated structure, leaking the existing memory pointed by node. Finally, when dir->parent is set, then we again replace node with newly allocated memory, which seems unnecessary when we copy in the values from dir->parent immediately after. Fixes: CID 73759 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny zfsinfo: Correct a check for error allocating memory While arguably the check for VasEBoot_errno is correct, we should really be checking the return value from the function since it is always possible that VasEBoot_errno was set elsewhere, making this code behave incorrectly. Fixes: CID 73668 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny zfs: Fix possible integer overflows In all cases the problem is that the value being acted upon by a left-shift is a 32-bit number which is then being used in the context of a 64-bit number. To avoid overflow we ensure that the number being shifted is 64-bit before the shift is done. Fixes: CID 73684, CID 73695, CID 73764 Reviewed-by: Daniel Kiper 2021-03-02 Paulo Flabiano Smorigo zfs: Fix resource leaks while constructing path There are several exit points in dnode_get_path() that are causing possible memory leaks. In the while(1) the correct exit mechanism should not be to do a direct return, but to instead break out of the loop, setting err first if it is not already set. The reason behind this is that the dnode_path is a linked list, and while doing through this loop, it is being allocated and built up - the only way to correctly unravel it is to traverse it, which is what is being done at the end of the function outside of the loop. Several of the existing exit points correctly did a break, but not all so this change makes that more consistent and should resolve the leaking of memory as found by Coverity. Fixes: CID 73741 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny zfs: Fix possible negative shift operation While it is possible for the return value from zfs_log2() to be zero (0), it is quite unlikely, given that the previous assignment to blksz is shifted up by SPA_MINBLOCKSHIFT (9) before 9 is subtracted at the assignment to epbs. But, while unlikely during a normal operation, it may be that a carefully crafted ZFS filesystem could result in a zero (0) value to the dn_datalbkszsec field, which means that the shift left does nothing and assigns zero (0) to blksz, resulting in a negative epbs value. Fixes: CID 73608 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny hfsplus: Check that the volume name length is valid HFS+ documentation suggests that the maximum filename and volume name is 255 Unicode characters in length. So, when converting from big-endian to little-endian, we should ensure that the name of the volume has a length that is between 0 and 255, inclusive. Fixes: CID 73641 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny disk/cryptodisk: Fix potential integer overflow The encrypt and decrypt functions expect a VasEBoot_size_t. So, we need to ensure that the constant bit shift is using VasEBoot_size_t rather than unsigned int when it is performing the shift. Fixes: CID 307788 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny disk/ldm: Fix memory leak on uninserted lv references The problem here is that the memory allocated to the variable lv is not yet inserted into the list that is being processed at the label fail2. As we can already see at line 342, which correctly frees lv before going to fail2, we should also be doing that at these earlier jumps to fail2. Fixes: CID 73824 Reviewed-by: Daniel Kiper 2021-03-02 Paulo Flabiano Smorigo disk/ldm: If failed then free vg variable too Fixes: CID 73809 Reviewed-by: Daniel Kiper 2021-03-02 Marco A Benatto disk/ldm: Make sure comp data is freed before exiting from make_vg() Several error handling paths in make_vg() do not free comp data before jumping to fail2 label and returning from the function. This will leak memory. So, let's fix all issues of that kind. Fixes: CID 73804 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny kern/partition: Check for NULL before dereferencing input string There is the possibility that the value of str comes from an external source and continuing to use it before ever checking its validity is wrong. So, needs fixing. Additionally, drop unneeded part initialization. Fixes: CID 292444 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny zstd: Initialize seq_t structure fully While many compilers will initialize this to zero, not all will, so it is better to be sure that fields not being explicitly set are at known values, and there is code that checks this fields value elsewhere in the code. Fixes: CID 292440 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny io/lzopio: Resolve unnecessary self-assignment errors These 2 assignments are unnecessary since they are just assigning to themselves. Fixes: CID 73643 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny gnulib/regcomp: Fix uninitialized re_token This issue has been fixed in the latest version of gnulib, so to maintain consistency, I've backported that change rather than doing something different. Fixes: CID 73828 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny gnulib/regexec: Fix possible null-dereference It appears to be possible that the mctx->state_log field may be NULL, and the name of this function, clean_state_log_if_needed(), suggests that it should be checking that it is valid to be cleaned before assuming that it does. Fixes: CID 86720 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny gnulib/argp-help: Fix dereference of a possibly NULL state All other instances of call to __argp_failure() where there is a dgettext() call is first checking whether state is NULL before attempting to dereference it to get the root_argp->argp_domain. Fixes: CID 292436 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny gnulib/regcomp: Fix uninitialized token structure The code is assuming that the value of br_token.constraint was initialized to zero when it wasn't. While some compilers will ensure that, not all do, so it is better to fix this explicitly than leave it to chance. Fixes: CID 73749 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny gnulib/regexec: Resolve unused variable This is a really minor issue where a variable is being assigned to but not checked before it is overwritten again. The reason for this issue is that we are not building with DEBUG set and this in turn means that the assert() that reads the value of the variable match_last is being processed out. The solution, move the assignment to match_last in to an ifdef DEBUG too. Fixes: CID 292459 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny kern/efi/mm: Fix possible NULL pointer dereference The model of VasEBoot_efi_get_memory_map() is that if memory_map is NULL, then the purpose is to discover how much memory should be allocated to it for the subsequent call. The problem here is that with VasEBoot_efi_is_finished set to 1, there is no check at all that the function is being called with a non-NULL memory_map. While this MAY be true, we shouldn't assume it. The solution to this is to behave as expected, and if memory_map is NULL, then don't try to use it and allow memory_map_size to be filled in, and return 0 as is done later in the code if the buffer is too small (or NULL). Additionally, drop unneeded ret = 1. Fixes: CID 96632 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny kern/efi: Fix memory leak on failure Free the memory allocated to name before returning on failure. Fixes: CID 296222 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny kern/parser: Fix resource leak if argc == 0 After processing the command-line yet arriving at the point where we are setting argv, we are allocating memory, even if argc == 0, which makes no sense since we never put anything into the allocated argv. The solution is to simply return that we've successfully processed the arguments but that argc == 0, and also ensure that argv is NULL when we're not allocating anything in it. There are only 2 callers of this function, and both are handling a zero value in argc assuming nothing is allocated in argv. Fixes: CID 96680 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny net/tftp: Fix dangling memory pointer The static code analysis tool, Parfait, reported that the valid of file->data was left referencing memory that was freed by the call to VasEBoot_free(data) where data was initialized from file->data. To ensure that there is no unintentional access to this memory referenced by file->data we should set the pointer to NULL. Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny net/net: Fix possible dereference to of a NULL pointer It is always possible that VasEBoot_zalloc() could fail, so we should check for a NULL return. Otherwise we run the risk of dereferencing a NULL pointer. Fixes: CID 296221 Reviewed-by: Daniel Kiper 2021-03-02 Darren Kenny mmap: Fix memory leak when iterating over mapped memory When returning from VasEBoot_mmap_iterate() the memory allocated to present is not being released causing it to leak. Fixes: CID 96655 Reviewed-by: Daniel Kiper 2021-03-02 Javier Martinez Canillas usb: Avoid possible out-of-bound accesses caused by malicious devices The maximum number of configurations and interfaces are fixed but there is no out-of-bound checking to prevent a malicious USB device to report large values for these and cause accesses outside the arrays' memory. Fixes: CVE-2020-25647 Reported-by: Joseph Tartaro Reported-by: Ilja Van Sprundel Reviewed-by: Daniel Kiper 2021-03-02 Javier Martinez Canillas dl: Only allow unloading modules that are not dependencies When a module is attempted to be removed its reference counter is always decremented. This means that repeated rmmod invocations will cause the module to be unloaded even if another module depends on it. This may lead to a use-after-free scenario allowing an attacker to execute arbitrary code and by-pass the UEFI Secure Boot protection. While being there, add the extern keyword to some function declarations in that header file. Fixes: CVE-2020-25632 Reported-by: Chris Coulson Reviewed-by: Daniel Kiper 2021-03-02 Javier Martinez Canillas docs: Document the cutmem command The command is not present in the docs/VasEBoot.texi user documentation. Reported-by: Daniel Kiper Reviewed-by: Javier Martinez Canillas 2021-03-02 Javier Martinez Canillas loader/xnu: Don't allow loading extension and packages when locked down The shim_lock verifier validates the XNU kernels but no its extensions and packages. Prevent these to be loaded when the VAS_EBOOT is locked down. Reviewed-by: Daniel Kiper 2021-03-02 Javier Martinez Canillas gdb: Restrict GDB access when locked down The gdbstub* commands allow to start and control a GDB stub running on local host that can be used to connect from a remote debugger. Restrict this functionality when the VAS_EBOOT is locked down. Reviewed-by: Daniel Kiper 2021-03-02 Javier Martinez Canillas commands/hdparm: Restrict hdparm command when locked down The command can be used to get/set ATA disk parameters. Some of these can be dangerous since change the disk behavior. Restrict it when locked down. Reviewed-by: Daniel Kiper 2021-03-02 Javier Martinez Canillas commands/setpci: Restrict setpci command when locked down This command can set PCI devices register values, which makes it dangerous in a locked down configuration. Restrict it so can't be used on this setup. Reviewed-by: Daniel Kiper 2021-03-02 Javier Martinez Canillas commands: Restrict commands that can load BIOS or DT blobs when locked down There are some more commands that should be restricted when the VAS_EBOOT is locked down. Following is the list of commands and reasons to restrict: * fakebios: creates BIOS-like structures for backward compatibility with existing OSes. This should not be allowed when locked down. * loadbios: reads a BIOS dump from storage and loads it. This action should not be allowed when locked down. * devicetree: loads a Device Tree blob and passes it to the OS. It replaces any Device Tree provided by the firmware. This also should not be allowed when locked down. Reviewed-by: Daniel Kiper 2021-03-02 Javier Martinez Canillas mmap: Don't register cutmem and badram commands when lockdown is enforced The cutmem and badram commands can be used to remove EFI memory regions and potentially disable the UEFI Secure Boot. Prevent the commands to be registered if the VAS_EBOOT is locked down. Fixes: CVE-2020-27779 Reported-by: Teddy Reed Reviewed-by: Daniel Kiper 2021-03-02 Javier Martinez Canillas acpi: Don't register the acpi command when locked down The command is not allowed when lockdown is enforced. Otherwise an attacker can instruct the VAS_EBOOT to load an SSDT table to overwrite the kernel lockdown configuration and later load and execute unsigned code. Fixes: CVE-2020-14372 Reported-by: Máté Kukri Reviewed-by: Daniel Kiper 2021-03-02 Javier Martinez Canillas efi: Use VasEBoot_is_lockdown() instead of hardcoding a disabled modules list Now the VAS_EBOOT can check if it has been locked down and this can be used to prevent executing commands that can be utilized to circumvent the UEFI Secure Boot mechanisms. So, instead of hardcoding a list of modules that have to be disabled, prevent the usage of commands that can be dangerous. This not only allows the commands to be disabled on other platforms, but also properly separate the concerns. Since the shim_lock verifier logic should be only about preventing to run untrusted binaries and not about defining these kind of policies. Reviewed-by: Daniel Kiper 2021-03-02 Javier Martinez Canillas efi: Lockdown the VAS_EBOOT when the UEFI Secure Boot is enabled If the UEFI Secure Boot is enabled then the VAS_EBOOT must be locked down to prevent executing code that can potentially be used to subvert its verification mechanisms. Reviewed-by: Daniel Kiper 2021-03-02 Javier Martinez Canillas kern/lockdown: Set a variable if the VAS_EBOOT is locked down It may be useful for scripts to determine whether the VAS_EBOOT is locked down or not. Add the lockdown variable which is set to "y" when the VAS_EBOOT is locked down. Suggested-by: Dimitri John Ledkov Reviewed-by: Daniel Kiper 2021-03-02 Javier Martinez Canillas kern: Add lockdown support When the VAS_EBOOT starts on a secure boot platform, some commands can be used to subvert the protections provided by the verification mechanism and could lead to booting untrusted system. To prevent that situation, allow VAS_EBOOT to be locked down. That way the code may check if VAS_EBOOT has been locked down and further restrict the commands that are registered or what subset of their functionality could be used. The lockdown support adds the following components: * The VasEBoot_lockdown() function which can be used to lockdown VAS_EBOOT if, e.g., UEFI Secure Boot is enabled. * The VasEBoot_is_lockdown() function which can be used to check if the VAS_EBOOT was locked down. * A verifier that flags OS kernels, the VAS_EBOOT modules, Device Trees and ACPI tables as VAS_EBOOT_VERIFY_FLAGS_DEFER_AUTH to defer verification to other verifiers. These files are only successfully verified if another registered verifier returns success. Otherwise, the whole verification process fails. For example, PE/COFF binaries verification can be done by the shim_lock verifier which validates the signatures using the shim_lock protocol. However, the verification is not deferred directly to the shim_lock verifier. The shim_lock verifier is hooked into the verification process instead. * A set of VasEBoot_{command,extcmd}_lockdown functions that can be used by code registering command handlers, to only register unsafe commands if the VAS_EBOOT has not been locked down. Reviewed-by: Daniel Kiper 2021-03-02 Marco A Benatto efi: Move the shim_lock verifier to the VAS_EBOOT core Move the shim_lock verifier from its own module into the core image. The Secure Boot lockdown mechanism has the intent to prevent the load of any unsigned code or binary when Secure Boot is enabled. The reason is that VAS_EBOOT must be able to prevent executing untrusted code if UEFI Secure Boot is enabled, without depending on external modules. Reviewed-by: Daniel Kiper 2021-03-02 Marco A Benatto verifiers: Move verifiers API to kernel image Move verifiers API from a module to the kernel image, so it can be used there as well. There are no functional changes in this patch. Reviewed-by: Daniel Kiper 2020-12-18 Glenn Washburn docs: Add documentation of disk size limitations Document the artificially imposed 1 EiB disk size limit and size limitations with LUKS volumes. Fix a few punctuation issues. Reviewed-by: Daniel Kiper 2020-12-18 Glenn Washburn luks2: Use VasEBoot_log2ull() to calculate log_sector_size and improve readability Reviewed-by: Daniel Kiper misc: Add VasEBoot_log2ull() macro for calculating log base 2 of 64-bit integers Reviewed-by: Daniel Kiper 2020-12-18 Glenn Washburn mips: Enable __clzdi2() This patch is similar to commit 9dab2f51e (sparc: Enable __clzsi2() and __clzdi2()) but for MIPS target and __clzdi2() only, __clzsi2() was already enabled. Suggested-by: Daniel Kiper Reviewed-by: Daniel Kiper 2020-12-18 Glenn Washburn luks2: Better error handling when setting up the cryptodisk Do some sanity checking on data coming from the LUKS2 header. If segment.size is "dynamic", verify that the offset is not past the end of disk. Otherwise, check for errors from VasEBoot_strtoull() when converting segment size from string. If a VAS_EBOOT_ERR_BAD_NUMBER error was returned, then the string was not a valid parsable number, so skip the key. If VAS_EBOOT_ERR_OUT_OF_RANGE was returned, then there was an overflow in converting to a 64-bit unsigned integer. So this could be a very large disk (perhaps large RAID array). In this case skip the key too. Additionally, enforce some other limits and fail if needed. Reviewed-by: Daniel Kiper 2020-12-18 Glenn Washburn luks2: Do not handle disks of size VAS_EBOOT_DISK_SIZE_UNKNOWN for now Check to make sure that source disk has a known size. If not, print a message and return error. There are 4 cases where VAS_EBOOT_DISK_SIZE_UNKNOWN is set (biosdisk, obdisk, ofdisk, and uboot), and in all those cases processing continues. So this is probably a bit conservative. However, 3 of the cases seem pathological, and the other, biosdisk, happens when booting from a CD-ROM. Since I doubt booting from a LUKS2 volume on a CD-ROM is a big use case, we'll error until someone complains. Reviewed-by: Daniel Kiper 2020-12-18 Glenn Washburn luks2: Convert to crypt sectors from VAS_EBOOT native sectors The function VasEBoot_disk_native_sectors(source) returns the number of sectors of source in VAS_EBOOT native (512-byte) sectors, not source sized sectors. So the conversion needs to use VAS_EBOOT_DISK_SECTOR_BITS, the VAS_EBOOT native sector size. Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn luks2: Error check segment.sector_size Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn cryptodisk: Properly handle non-512 byte sized sectors By default, dm-crypt internally uses an IV that corresponds to 512-byte sectors, even when a larger sector size is specified. What this means is that when using a larger sector size, the IV is incremented every sector. However, the amount the IV is incremented is the number of 512 byte blocks in a sector (i.e. 8 for 4K sectors). Confusingly the IV does not correspond to the number of, for example, 4K sectors. So each 512 byte cipher block in a sector will be encrypted with the same IV and the IV will be incremented afterwards by the number of 512 byte cipher blocks in the sector. There are some encryption utilities which do it the intuitive way and have the IV equal to the sector number regardless of sector size (ie. the fifth sector would have an IV of 4 for each cipher block). And this is supported by dm-crypt with the iv_large_sectors option and also cryptsetup as of 2.3.3 with the --iv-large-sectors, though not with LUKS headers (only with --type plain). However, support for this has not been included as VasEBoot does not support plain devices right now. One gotcha here is that the encrypted split keys are encrypted with a hard- coded 512-byte sector size. So even if your data is encrypted with 4K sector sizes, the split key encrypted area must be decrypted with a block size of 512 (ie the IV increments every 512 bytes). This made these changes less aesthetically pleasing than desired. Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn luks2: VasEBoot_cryptodisk_t->total_sectors is the max number of device native sectors We need to convert the sectors from the size of the underlying device to the cryptodisk sector size; segment.size is in bytes which need to be converted to cryptodisk sectors as well. Also, removed an empty statement. Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn cryptodisk: Add macros VAS_EBOOT_TYPE_U_MAX/MIN(type) to replace literals Add VAS_EBOOT_TYPE_U_MAX/MIN(type) macros to get the max/min values for an unsigned number with size of type. Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn cryptodisk: Add macro VAS_EBOOT_TYPE_BITS() to replace some literals The new macro VAS_EBOOT_TYPE_BITS(type) returns the number of bits allocated for type. Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn luks2: Add string "index" to user strings using a json index This allows error messages to be more easily distinguishable between indexes and slot keys. The former include the string "index" in the error/debug string, and the later are surrounded in quotes. Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn luks2: Rename json index variables to names that they are obviously json indexes Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn luks2: Use more intuitive object name instead of json index in user messages Use the object name in the json array rather than the 0 based index in the json array for keyslots, segments, and digests. This is less confusing for the end user. For example, say you have a LUKS2 device with a key in slot 1 and slot 4. When using the password for slot 4 to unlock the device, the messages using the index of the keyslot will mention keyslot 1 (its a zero-based index). Furthermore, with this change the keyslot number will align with the number used to reference the keyslot when using the --key-slot argument to cryptsetup. Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn luks2: Add idx member to struct VasEBoot_luks2_keyslot/segment/digest This allows code using these structs to know the named key associated with these json data structures. In the future we can use these to provide better error messages to the user. Get rid of idx local variable in luks2_get_keyslot() which was overloaded to be used for both keyslot and segment slot keys. Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn luks2: Make sure all fields of output argument in luks2_parse_digest() are written to We should assume that the output argument "out" is uninitialized and could have random data. So, make sure to initialize the segments and keyslots bit fields because potentially not all bits of those fields are written to. Otherwise, the digest could say it belongs to keyslots and segments that it does not. Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn luks2: Remove unused argument in VasEBoot_error() call Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper luks2: Convert 8 spaces to tabs Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn misc: Add parentheses around ALIGN_UP() and ALIGN_DOWN() arguments This ensures that expected order of operations is preserved when arguments are expressions. Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn disk: Rename VasEBoot_disk_get_size() to VasEBoot_disk_native_sectors() The function VasEBoot_disk_get_size() is confusingly named because it actually returns a sector count where the sectors are sized in the VAS_EBOOT native sector size. Rename to something more appropriate. Suggested-by: Daniel Kiper Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn loopback: Do not automaticaly replace existing loopback dev, error instead If there is a loopback device with the same name as the one to be created, instead of closing the old one and replacing it with the new one, return an error instead. If the loopback device was created, its probably being used by something and just replacing it may cause VAS_EBOOT to crash unexpectedly. This fixes obvious problems like "loopback d (d)/somefile". Its not too onerous to force the user to delete the loopback first with the "-d" switch. Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn disk: Move hardcoded max disk size literal to a VAS_EBOOT_DISK_MAX_SECTORS in disk.h There is a hardcoded maximum disk size that can be read or written from, currently set at 1 EiB in VasEBoot_disk_adjust_range(). Move the literal into a macro in disk.h, so our assumptions are more visible. This hard coded limit does not prevent using larger disks, just VAS_EBOOT won't read/write past the limit. The comment accompanying this restriction didn't quite make sense to me, so its been modified too. Reviewed-by: Daniel Kiper 2020-12-12 Glenn Washburn fs: Fix block lists not being able to address to end of disk sometimes When checking if a block list goes past the end of the disk, make sure the total size of the disk is in VAS_EBOOT native sector sizes, otherwise there will be blocks at the end of the disk inaccessible by block lists. Reviewed-by: Daniel Kiper 2020-12-12 Vladimir Serbinenko mbr: Document new limitations on MBR gap support Reviewed-by: Daniel Kiper 2020-12-12 Vladimir Serbinenko mbr: Warn if MBR gap is small and user uses advanced modules We don't want to support small MBR gap in pair with anything but the simplest config of biosdisk + part_msdos + simple filesystem. In this path "simple filesystems" are all current filesystems except ZFS and Btrfs. Reviewed-by: Daniel Kiper 2020-12-12 Tianjia Zhang efi/tpm: Extract duplicate code into independent functions Part of the code logic for processing the return value of efi log_extend_event is repetitive and complicated. Extract the repetitive code into an independent function. Reviewed-by: Daniel Kiper 2020-12-12 Tianjia Zhang efi/tpm: Add debug information for device protocol and eventlog Add a number of debug logs to the tpm module. The condition tag for opening debugging is "tpm". On TPM machines, this will bring great convenience to diagnosis and debugging. Reviewed-by: Daniel Kiper 2020-12-12 Daniel Kiper loader/linux: Report the UEFI Secure Boot status to the Linux kernel Now that the VAS_EBOOT has a VasEBoot_efi_get_secureboot() function to check the UEFI Secure Boot status, use it to report that to the Linux kernel. Reviewed-by: Daniel Kiper 2020-12-12 Javier Martinez Canillas efi: Only register shim_lock verifier if shim_lock protocol is found and SB enabled The shim_lock module registers a verifier to call shim's verify, but the handler is registered even when the shim_lock protocol was not installed. This doesn't cause a NULL pointer dereference in shim_lock_write() because the shim_lock_init() function just returns VAS_EBOOT_ERR_NONE if sl isn't set. But in that case there's no point to even register the shim_lock verifier since won't do anything. Additionally, it is only useful when Secure Boot is enabled. Finally, don't assume that the shim_lock protocol will always be present when the shim_lock_write() function is called, and check for it on every call to this function. Reported-by: Michael Chang Reported-by: Peter Jones Reviewed-by: Daniel Kiper 2020-12-11 Daniel Kiper efi: Add secure boot detection Introduce VasEBoot_efi_get_secureboot() function which returns whether UEFI Secure Boot is enabled or not on UEFI systems. Reviewed-by: Daniel Kiper 2020-12-11 Daniel Kiper efi: Add a function to read EFI variables with attributes It will be used to properly detect and report UEFI Secure Boot status to the x86 Linux kernel. The functionality will be added by subsequent patches. Reviewed-by: Daniel Kiper 2020-12-11 Daniel Kiper efi: Return VasEBoot_efi_status_t from VasEBoot_efi_get_variable() This is needed to properly detect and report UEFI Secure Boot status to the x86 Linux kernel. The functionality will be added by subsequent patches. Reviewed-by: Daniel Kiper 2020-12-11 Daniel Kiper efi: Make shim_lock GUID and protocol type public The GUID will be used to properly detect and report UEFI Secure Boot status to the x86 Linux kernel. The functionality will be added by subsequent patches. The shim_lock protocol type is made public for completeness. Additionally, fix formatting of four preceding GUIDs. Reviewed-by: Daniel Kiper 2020-12-11 Javier Martinez Canillas arm/term: Fix linking error due multiple ps2_state definitions When building with --target=arm-linux-gnu --with-platform=coreboot a linking error occurs caused by multiple definitions of the ps2_state variable. Mark them as static since they aren't used outside their compilation unit. Reviewed-by: Daniel Kiper 2020-12-11 Javier Martinez Canillas include/VasEBoot/i386/linux.h: Include missing header This header uses types defined in but does not include it, which leads to compile errors like the following: In file included from ../include/VasEBoot/cpu/linux.h:19, from kern/efi/sb.c:21: ../include/VasEBoot/i386/linux.h:80:3: error: unknown type name ‘VasEBoot_uint64_t’ 80 | VasEBoot_uint64_t addr; Reviewed-by: Daniel Kiper 2020-12-11 Javier Martinez Canillas i386: Don't include in coreboot and ieee1275 startup.S Nothing defined in the header file is used in the assembly code but it may lead to build errors if some headers are included through this and contains definitions that are not recognized by the assembler, e.g.: ../include/VasEBoot/types.h: Assembler messages: ../include/VasEBoot/types.h:76: Error: no such instruction: `typedef signed char VasEBoot_int8_t' ../include/VasEBoot/types.h:77: Error: no such instruction: `typedef short VasEBoot_int16_t' ../include/VasEBoot/types.h:78: Error: no such instruction: `typedef int VasEBoot_int32_t' Reviewed-by: Daniel Kiper 2020-11-20 Glenn Washburn luks2: Rename index variable "j" to "i" in luks2_get_keyslot() Looping variable "j" was named such because the variable name "i" was taken. Since "i" has been renamed in the previous patch, we can rename "j" to "i". Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2020-11-20 Glenn Washburn luks2: Rename variable "i" to "keyslot_idx" in luks2_get_keyslot() Variables named "i" are usually looping variables. So, rename it to "keyslot_idx" to ease luks2_get_keyslot() reading. Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2020-11-20 Glenn Washburn luks2: Use correct index variable when looping in luks2_get_keyslot() The loop variable "j" should be used to index the digests and segments json array, instead of the variable "i", which is the keyslot index. Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2020-11-20 Glenn Washburn luks2: Rename source disk variable named "disk" to "source" as in luks.c This makes it more obvious to the reader that the disk referred to is the source disk, as opposed to say the disk holding the cryptodisk. Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2020-11-20 Glenn Washburn cryptodisk: Rename "offset" in VasEBoot_cryptodisk_t to "offset_sectors" This makes it clear that the offset represents sectors, not bytes, in order to improve readability. Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2020-11-20 Glenn Washburn cryptodisk: Rename "total_length" field in VasEBoot_cryptodisk_t to "total_sectors" This creates an alignment with VasEBoot_disk_t naming of the same field and is more intuitive as to how it should be used. Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2020-11-20 Glenn Washburn types: Define VAS_EBOOT_CHAR_BIT based on compiler macro instead of using literal Reviewed-by: Daniel Kiper 2020-11-20 Javier Martinez Canillas include/VasEBoot/arm64/linux.h: Include missing header This header uses types defined in but does not include it, which leads to compile errors like the following: ../include/VasEBoot/cpu/linux.h:27:3: error: unknown type name ‘VasEBoot_uint32_t’ 27 | VasEBoot_uint32_t code0; /* Executable code */ | ^~~~~~~~~~~~~ Reviewed-by: Daniel Kiper 2020-11-20 Javier Martinez Canillas include/VasEBoot/arm/system.h: Include missing header The header uses the EXPORT_FUNC() macro defined in but doesn't include it, which leads to the following compile error on arm: ../include/VasEBoot/cpu/system.h:12:13: error: ‘EXPORT_FUNC’ declared as function returning a function 12 | extern void EXPORT_FUNC(VasEBoot_arm_disable_caches_mmu) (void); | ^~~~~~~~~~~ ../include/VasEBoot/cpu/system.h:12:1: warning: parameter names (without types) in function declaration 12 | extern void EXPORT_FUNC(VasEBoot_arm_disable_caches_mmu) (void); | ^~~~~~ make[3]: *** [Makefile:36581: kern/efi/kernel_exec-sb.o] Error 1 Reviewed-by: Daniel Kiper 2020-11-20 Daniel Axtens docs: VasEBoot-install --pubkey has been supported for some time VasEBoot-install --pubkey is supported, so we can now document it. Reviewed-by: Daniel Kiper 2020-11-20 Daniel Axtens docs: VasEBoot-install is no longer a shell script Since commit cd46aa6cefab in 2013, VasEBoot-install hasn't been a shell script. The para doesn't really add that much, especially since it's the user manual, so just drop it. Reviewed-by: Daniel Kiper 2020-10-30 Jacob Kroon Makefile: Remove unused VAS_EBOOT_PKGLIBDIR definition Reviewed-by: Daniel Kiper 2020-10-30 Daniel Axtens lzma: Fix compilation error under clang 10 Compiling under clang 10 gives: VasEBoot-core/lib/LzmaEnc.c:1362:9: error: misleading indentation; statement is not part of the previous 'if' [-Werror,-Wmisleading-indentation] { ^ VasEBoot-core/lib/LzmaEnc.c:1358:7: note: previous statement is here if (repIndex == 0) ^ 1 error generated. It's not really that unclear in context: there's a commented-out if-statement. But tweak the alignment anyway so that clang is happy. Reviewed-by: Daniel Kiper 2020-10-30 Cao jin kern/i386/realmode: Update comment Commit b81d609e4c did not update it. Reviewed-by: Daniel Kiper 2020-10-30 Glenn Washburn cryptodisk: Fix cipher IV mode "plain64" always being set as "plain" When setting cipher IV mode, detection is done by prefix matching the cipher IV mode part of the cipher mode string. Since "plain" matches "plain64", we must check for "plain64" first. Otherwise, "plain64" will be detected as "plain". Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2020-09-18 Glenn Washburn crypto: Remove GPG_ERROR_CFLAGS from gpg_err_code_t enum This was probably added by accident when originally creating the file. Reviewed-by: Daniel Kiper 2020-09-18 Glenn Washburn script: Do not allow a delimiter between function name and block start Currently the following is valid syntax but should be a syntax error: VasEBoot> function f; { echo HERE; } VasEBoot> f HERE This fix is not backward compatible, but current syntax is not documented either and has no functional value. So any scripts with this unintended syntax are technically syntactically incorrect and should not be relying on this behavior. Reviewed-by: Daniel Kiper 2020-09-18 Glenn Washburn docs: Support for loading and concatenating multiple initrds This has been available since January of 2012 but has not been documented. Reviewed-by: Daniel Kiper 2020-09-18 Glenn Washburn lexer: char const * should be const char * Reviewed-by: Daniel Kiper cryptodisk: Use cipher name instead of object in error message Reviewed-by: Daniel Kiper 2020-09-18 Glenn Washburn tests: F2FS test should use MOUNTDEVICE like other tests LODEVICES is not an array variable and should not be accessed as such. This allows the f2fs test to pass as it was failing because a device name had a space prepended to the path. Acked-by: Jaegeuk Kim Tested-by: Paul Menzel Reviewed-by: Daniel Kiper 2020-09-18 Florian La Roche VasEBoot-mkconfig: If $hints is not set reduce the output into VasEBoot.cfg to just 1 line Reviewed-by: Daniel Kiper 2020-09-18 Petr Vorel travis: Run bootstrap to fix build autogen.sh isn't enough: $ ./autogen.sh Gnulib not yet bootstrapped; run ./bootstrap instead. The command "./autogen.sh" exited with 1. Additionally, using bootstrap requires to install autopoint package. Reviewed-by: Daniel Kiper 2020-09-18 Patrick Steinhardt luks2: Strip dashes off of the UUID The UUID header for LUKS2 uses a format with dashes, same as for LUKS(1). But while we strip these dashes for the latter, we don't for the former. This isn't wrong per se, but it's definitely inconsistent for users as they need to use the dashed format for LUKS2 and the non-dashed format for LUKS when e.g. calling "cryptomount -u $UUID". Fix this inconsistency by stripping dashes off of the LUKS2 UUID. Reviewed-by: Daniel Kiper 2020-09-18 Tianjia Zhang efi/tpm: Remove unused functions and structures Although the tpm_execute() series of functions are defined they are not used anywhere. Several structures in the include/VasEBoot/efi/tpm.h header file are not used too. There is even nonexistent VasEBoot_tpm_init() declaration in this header. Delete all that unneeded stuff. If somebody needs the functionality implemented in the dropped code then he/she can re-add it later. Now it needlessly increases the VAS_EBOOT code/image size. Reviewed-by: Daniel Kiper 2020-09-18 Tianjia Zhang shim_lock: Enable module for all EFI architectures Like the tpm the shim_lock module is only enabled for x86_64 target. However, there's nothing specific to x86_64 in the implementation and it can be enabled for all EFI architectures. Reviewed-by: Daniel Kiper 2020-09-18 Daniel Kiper efi/tpm: Fix typo in VasEBoot_efi_tpm2_protocol struct Rename get_active_pcr_blanks() to get_active_pcr_banks(). Reviewed-by: Javier Martinez Canillas 2020-09-18 Daniel Kiper i386/efi/init: Drop bogus include Reviewed-by: Javier Martinez Canillas 2020-09-18 Daniel Kiper docs: Fix devicetree command description Specifically fix the subsection and drop bogus reference to the GNU/Linux. Reported-by: Patrick Higgins Reviewed-by: Javier Martinez Canillas 2020-09-18 Martin Whitaker VasEBoot-install: Fix inverted test for NLS enabled when copying locales Commit 3d8439da8 (VasEBoot-install: Locale depends on nls) attempted to avoid copying locale files to the target directory when NLS was disabled. However the test is inverted, and it does the opposite. Reviewed-by: Javier Martinez Canillas 2020-09-11 Javier Martinez Canillas tftp: Roll-over block counter to prevent data packets timeouts Commit 781b3e5efc3 (tftp: Do not use priority queue) caused a regression when fetching files over TFTP whose size is bigger than 65535 * block size. VasEBoot> linux /images/pxeboot/vmlinuz VasEBoot> echo $? 0 VasEBoot> initrd /images/pxeboot/initrd.img error: timeout reading '/images/pxeboot/initrd.img'. VasEBoot> echo $? 28 It is caused by the block number counter being a 16-bit field, which leads to a maximum file size of ((1 << 16) - 1) * block size. Because VAS_EBOOT sets the block size to 1024 octets (by using the TFTP Blocksize Option from RFC 2348 [0]), the maximum file size that can be transferred is 67107840 bytes. The TFTP PROTOCOL (REVISION 2) RFC 1350 [1] does not mention what a client should do when a file size is bigger than the maximum, but most TFTP hosts support the block number counter to be rolled over. That is, acking a data packet with a block number of 0 is taken as if the 65356th block was acked. It was working before because the block counter roll-over was happening due an overflow. But that got fixed by the mentioned commit, which led to the regression when attempting to fetch files larger than the maximum size. To allow TFTP file transfers of unlimited size again, re-introduce a block counter roll-over so the data packets are acked preventing the timeouts. [0]: https://tools.ietf.org/html/rfc2348 [1]: https://tools.ietf.org/html/rfc1350 Fixes: 781b3e5efc3 (tftp: Do not use priority queue) Suggested-by: Peter Jones Reviewed-by: Daniel Kiper 2020-09-11 Florian La Roche templates: Remove unnecessary trailing semicolon Reviewed-by: Daniel Kiper 2020-09-11 Glenn Washburn cryptodisk: Fix incorrect calculation of start sector Here dev is a VasEBoot_cryptodisk_t and dev->offset is offset in sectors of size native to the cryptodisk device. The sector is correctly transformed into native VasEBoot sector size, but then added to dev->offset which is not transformed. It would be nice if the type system would help us with this. Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2020-09-11 Glenn Washburn cryptodisk: Unregister cryptomount command when removing module Reviewed-by: Patrick Steinhardt Reviewed-by: Daniel Kiper 2020-09-11 Patrick Steinhardt luks2: Improve error reporting when decrypting/verifying key While we already set up error messages in both luks2_verify_key() and luks2_decrypt_key(), we do not ever print them. This makes it really hard to discover why a given key actually failed to decrypt a disk. Improve this by including the error message in the user-visible output. Reviewed-by: Daniel Kiper 2020-09-11 Patrick Steinhardt luks: Fix out-of-bounds copy of UUID When configuring a LUKS disk, we copy over the UUID from the LUKS header into the new VasEBoot_cryptodisk_t structure via VasEBoot_memcpy(). As size we mistakenly use the size of the VasEBoot_cryptodisk_t UUID field, which is guaranteed to be strictly bigger than the LUKS UUID field we're copying. As a result, the copy always goes out-of-bounds and copies some garbage from other surrounding fields. During runtime, this isn't noticed due to the fact that we always NUL-terminate the UUID and thus never hit the trailing garbage. Fix the issue by using the size of the local stripped UUID field. Reviewed-by: Daniel Kiper 2020-09-11 Patrick Steinhardt json: Remove invalid typedef redefinition The C standard does not allow for typedef redefinitions, even if they map to the same underlying type. In order to avoid including the jsmn.h in json.h and thus exposing jsmn's internals, we have exactly such a forward-declaring typedef in json.h. If enforcing the GNU99 C standard, clang may generate a warning about this non-standard construct. Fix the issue by using a simple "struct jsmntok" forward declaration instead of using a typedef. Tested-by: Chuck Tuffli Reviewed-by: Daniel Kiper 2020-09-11 Cao jin i386/relocator_common: Drop empty #ifdef Reviewed-by: Daniel Kiper 2020-09-11 Ave Milia video/bochs: Fix typo Reviewed-by: Daniel Kiper 2020-07-29 Colin Watson linux: Fix integer overflows in initrd size handling These could be triggered by a crafted filesystem with very large files. Fixes: CVE-2020-15707 Reviewed-by: Jan Setje-Eilers Reviewed-by: Daniel Kiper 2020-07-29 Peter Jones loader/linux: Avoid overflow on initrd size calculation Reviewed-by: Daniel Kiper 2020-07-29 Alexey Makhalov efi: Fix use-after-free in halt/reboot path commit 92bfc33db984 ("efi: Free malloc regions on exit") introduced memory freeing in VasEBoot_efi_fini(), which is used not only by exit path but by halt/reboot one as well. As result of memory freeing, code and data regions used by modules, such as halt, reboot, acpi (used by halt) also got freed. After return to module code, CPU executes, filled by UEFI firmware (tested with edk2), 0xAFAFAFAF pattern as a code. Which leads to #UD exception later. VasEBoot> halt !!!! X64 Exception Type - 06(#UD - Invalid Opcode) CPU Apic ID - 00000000 !!!! RIP - 0000000003F4EC28, CS - 0000000000000038, RFLAGS - 0000000000200246 RAX - 0000000000000000, RCX - 00000000061DA188, RDX - 0A74C0854DC35D41 RBX - 0000000003E10E08, RSP - 0000000007F0F860, RBP - 0000000000000000 RSI - 00000000064DB768, RDI - 000000000832C5C3 R8 - 0000000000000002, R9 - 0000000000000000, R10 - 00000000061E2E52 R11 - 0000000000000020, R12 - 0000000003EE5C1F, R13 - 00000000061E0FF4 R14 - 0000000003E10D80, R15 - 00000000061E2F60 DS - 0000000000000030, ES - 0000000000000030, FS - 0000000000000030 GS - 0000000000000030, SS - 0000000000000030 CR0 - 0000000080010033, CR2 - 0000000000000000, CR3 - 0000000007C01000 CR4 - 0000000000000668, CR8 - 0000000000000000 DR0 - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000 DR3 - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400 GDTR - 00000000079EEA98 0000000000000047, LDTR - 0000000000000000 IDTR - 0000000007598018 0000000000000FFF, TR - 0000000000000000 FXSAVE_STATE - 0000000007F0F4C0 Proposal here is to continue to free allocated memory for exit boot services path but keep it for halt/reboot path as it won't be much security concern here. Introduced VAS_EBOOT_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY loader flag to be used by efi halt/reboot path. Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2020-07-29 Daniel Kiper efi/chainloader: Propagate errors from copy_file_path() Without any error propagated to the caller, make_file_path() would then try to advance the invalid device path node with VAS_EBOOT_EFI_NEXT_DEVICE_PATH(), which would fail, returning a NULL pointer that would subsequently be dereferenced. Hence, propagate errors from copy_file_path(). Reviewed-by: Daniel Kiper 2020-07-29 Peter Jones efi: Fix some malformed device path arithmetic errors Several places we take the length of a device path and subtract 4 from it, without ever checking that it's >= 4. There are also cases where this kind of malformation will result in unpredictable iteration, including treating the length from one dp node as the type in the next node. These are all errors, no matter where the data comes from. This patch adds a checking macro, VAS_EBOOT_EFI_DEVICE_PATH_VALID(), which can be used in several places, and makes VAS_EBOOT_EFI_NEXT_DEVICE_PATH() return NULL and VAS_EBOOT_EFI_END_ENTIRE_DEVICE_PATH() evaluate as true when the length is too small. Additionally, it makes several places in the code check for and return errors in these cases. Reviewed-by: Daniel Kiper 2020-07-29 Peter Jones emu: Make VasEBoot_free(NULL) safe The VasEBoot_free() implementation in VasEBoot-core/kern/mm.c safely handles NULL pointers, and code at many places depends on this. We don't know that the same is true on all host OSes, so we need to handle the same behavior in VasEBoot-emu's implementation. Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2020-07-29 Peter Jones lvm: Fix two more potential data-dependent alloc overflows It appears to be possible to make a (possibly invalid) lvm PV with a metadata size field that overflows our type when adding it to the address we've allocated. Even if it doesn't, it may be possible to do so with the math using the outcome of that as an operand. Check them both. Reviewed-by: Daniel Kiper 2020-07-29 Peter Jones hfsplus: Fix two more overflows Both node->size and node->namelen come from the supplied filesystem, which may be user-supplied. We can't trust them for the math unless we know they don't overflow. Making sure they go through VasEBoot_add() or VasEBoot_calloc() first will give us that. Reviewed-by: Darren Kenny Reviewed-by: Daniel Kiper 2020-07-29 Alexey Makhalov relocator: Fix VasEBoot_relocator_alloc_chunk_align() top memory allocation Current implementation of VasEBoot_relocator_alloc_chunk_align() does not allow allocation of the top byte. Assuming input args are: max_addr = 0xfffff000; size = 0x1000; And this is valid. But following overflow protection will unnecessarily move max_addr one byte down (to 0xffffefff): if (max_addr > ~size) max_addr = ~size; ~size + 1 will fix the situation. In addition, check size for non zero to do not zero max_addr. Reviewed-by: Daniel Kiper 2020-07-29 Chris Coulson script: Avoid a use-after-free when redefining a function during execution Defining a new function with the same name as a previously defined function causes the VasEBoot_script and associated resources for the previous function to be freed. If the previous function is currently executing when a function with the same name is defined, this results in use-after-frees when processing subsequent commands in the original function. Instead, reject a new function definition if it has the same name as a previously defined function, and that function is currently being executed. Although a behavioural change, this should be backwards compatible with existing configurations because they can't be dependent on the current behaviour without being broken. Fixes: CVE-2020-15706 Reviewed-by: Daniel Kiper 2020-07-29 Chris Coulson script: Remove unused fields from VasEBoot_script_function struct Reviewed-by: Daniel Kiper 2020-07-29 Alexey Makhalov relocator: Protect VasEBoot_relocator_alloc_chunk_align() max_addr against integer underflow This commit introduces integer underflow mitigation in max_addr calculation in VasEBoot_relocator_alloc_chunk_align() invocation. It consists of 2 fixes: 1. Introduced VasEBoot_relocator_alloc_chunk_align_safe() wrapper function to perform sanity check for min/max and size values, and to make safe invocation of VasEBoot_relocator_alloc_chunk_align() with validated max_addr value. Replace all invocations such as VasEBoot_relocator_alloc_chunk_align(..., min_addr, max_addr - size, size, ...) by VasEBoot_relocator_alloc_chunk_align_safe(..., min_addr, max_addr, size, ...). 2. Introduced UP_TO_TOP32(s) macro for the cases where max_addr is 32-bit top address (0xffffffff - size + 1) or similar. Reviewed-by: Daniel Kiper 2020-07-29 Alexey Makhalov relocator: Protect VasEBoot_relocator_alloc_chunk_addr() input args against integer underflow/overflow Use arithmetic macros from safemath.h to accomplish it. In this commit, I didn't want to be too paranoid to check every possible math equation for overflow/underflow. Only obvious places (with non zero chance of overflow/underflow) were refactored. Reviewed-by: Daniel Kiper 2020-07-29 Alexey Makhalov tftp: Do not use priority queue There is not need to reassemble the order of blocks. Per RFC 1350, server must wait for the ACK, before sending next block. Data packets can be served immediately without putting them to priority queue. Logic to handle incoming packet is this: - if packet block id equal to expected block id, then process the packet, - if packet block id is less than expected - this is retransmit of old packet, then ACK it and drop the packet, - if packet block id is more than expected - that shouldn't happen, just drop the packet. It makes the tftp receive path code simpler, smaller and faster. As a benefit, this change fixes CID# 73624 and CID# 96690, caused by following while loop: while (cmp_block (VasEBoot_be_to_cpu16 (tftph->u.data.block), data->block + 1) == 0) where tftph pointer is not moving from one iteration to another, causing to serve same packet again. Luckily, double serving didn't happen due to data->block++ during the first iteration. Fixes: CID 73624, CID 96690 Reviewed-by: Daniel Kiper 2020-07-29 Konrad Rzeszutek Wilk multiboot2: Fix memory leak if VasEBoot_create_loader_cmdline() fails Fixes: CID 292468 Reviewed-by: Daniel Kiper 2020-07-29 Konrad Rzeszutek Wilk udf: Fix memory leak Fixes: CID 73796 Reviewed-by: Daniel Kiper Reviewed-by: Jan Setje-Eilers 2020-07-29 Konrad Rzeszutek Wilk term: Fix overflow on user inputs This requires a very weird input from the serial interface but can cause an overflow in input_buf (keys) overwriting the next variable (npending) with the user choice: (pahole output) struct VasEBoot_terminfo_input_state { int input_buf[6]; /* 0 24 */ int npending; /* 24 4 */ <- CORRUPT ...snip... The magic string requires causing this is "ESC,O,],0,1,2,q" and we overflow npending with "q" (aka increase npending to 161). The simplest fix is to just to disallow overwrites input_buf, which exactly what this patch does. Fixes: CID 292449 Reviewed-by: Daniel Kiper 2020-07-29 Konrad Rzeszutek Wilk lzma: Make sure we don't dereference past array The two dimensional array p->posSlotEncoder[4][64] is being dereferenced using the GetLenToPosState() macro which checks if len is less than 5, and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294. Obviously we don't want to dereference that far out so we check if the position found is greater or equal kNumLenToPosStates (4) and bail out. N.B.: Upstream LZMA 18.05 and later has this function completely rewritten without any history. Fixes: CID 51526 Reviewed-by: Daniel Kiper 2020-07-29 Chris Coulson json: Avoid a double-free when parsing fails. When VasEBoot_json_parse() succeeds, it returns the root object which contains a pointer to the provided JSON string. Callers are responsible for ensuring that this string outlives the root object and for freeing its memory when it's no longer needed. If VasEBoot_json_parse() fails to parse the provided JSON string, it frees the string before returning an error. This results in a double free in luks2_recover_key(), which also frees the same string after VasEBoot_json_parse() returns an error. This changes VasEBoot_json_parse() to never free the JSON string passed to it, and updates the documentation for it to make it clear that callers are responsible for ensuring that the string outlives the root JSON object. Fixes: CID 292465 Reviewed-by: Daniel Kiper 2020-07-29 Alexey Makhalov xnu: Fix double free in VasEBoot_xnu_devprop_add_property() VasEBoot_xnu_devprop_add_property() should not free utf8 and utf16 as it get allocated and freed in the caller. Minor improvement: do prop fields initialization after memory allocations. Fixes: CID 292442, CID 292457, CID 292460, CID 292466 Reviewed-by: Daniel Kiper 2020-07-29 Alexey Makhalov gfxmenu: Fix double free in load_image() self->bitmap should be zeroed after free. Otherwise, there is a chance to double free (USE_AFTER_FREE) it later in rescale_image(). Fixes: CID 292472 Reviewed-by: Daniel Kiper 2020-07-29 Daniel Kiper font: Do not load more than one NAME section The VAS_EBOOT font file can have one NAME section only. Though if somebody crafts a broken font file with many NAME sections and loads it then the VAS_EBOOT leaks memory. So, prevent against that by loading first NAME section and failing in controlled way on following one. Reported-by: Chris Coulson Reviewed-by: Jan Setje-Eilers 2020-07-29 Peter Jones iso9660: Don't leak memory on realloc() failures Reviewed-by: Daniel Kiper 2020-07-29 Peter Jones malloc: Use overflow checking primitives where we do complex allocations This attempts to fix the places where we do the following where arithmetic_expr may include unvalidated data: X = VasEBoot_malloc(arithmetic_expr); It accomplishes this by doing the arithmetic ahead of time using VasEBoot_add(), VasEBoot_sub(), VasEBoot_mul() and testing for overflow before proceeding. Among other issues, this fixes: - allocation of integer overflow in VasEBoot_video_bitmap_create() reported by Chris Coulson, - allocation of integer overflow in VasEBoot_png_decode_image_header() reported by Chris Coulson, - allocation of integer overflow in VasEBoot_squash_read_symlink() reported by Chris Coulson, - allocation of integer overflow in VasEBoot_ext2_read_symlink() reported by Chris Coulson, - allocation of integer overflow in read_section_as_string() reported by Chris Coulson. Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 Reviewed-by: Daniel Kiper 2020-07-29 Peter Jones calloc: Use calloc() at most places This modifies most of the places we do some form of: X = malloc(Y * Z); to use calloc(Y, Z) instead. Among other issues, this fixes: - allocation of integer overflow in VasEBoot_png_decode_image_header() reported by Chris Coulson, - allocation of integer overflow in luks_recover_key() reported by Chris Coulson, - allocation of integer overflow in VasEBoot_lvm_detect() reported by Chris Coulson. Fixes: CVE-2020-14308 Reviewed-by: Daniel Kiper 2020-07-29 Peter Jones calloc: Make sure we always have an overflow-checking calloc() available This tries to make sure that everywhere in this source tree, we always have an appropriate version of calloc() (i.e. VasEBoot_calloc(), xcalloc(), etc.) available, and that they all safely check for overflow and return NULL when it would occur. Reviewed-by: Daniel Kiper 2020-07-29 Peter Jones safemath: Add some arithmetic primitives that check for overflow This adds a new header, include/VasEBoot/safemath.h, that includes easy to use wrappers for __builtin_{add,sub,mul}_overflow() declared like: bool OP(a, b, res) where OP is VasEBoot_add, VasEBoot_sub or VasEBoot_mul. OP() returns true in the case where the operation would overflow and res is not modified. Otherwise, false is returned and the operation is executed. These arithmetic primitives require newer compiler versions. So, bump these requirements in the INSTALL file too. Reviewed-by: Daniel Kiper 2020-07-29 Peter Jones yylex: Make lexer fatal errors actually be fatal When presented with a command that can't be tokenized to anything smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg), expecting that will stop further processing, as such: #define YY_DO_BEFORE_ACTION \ yyg->yytext_ptr = yy_bp; \ yyleng = (int) (yy_cp - yy_bp); \ yyg->yy_hold_char = *yy_cp; \ *yy_cp = '\0'; \ if ( yyleng >= YYLMAX ) \ YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \ yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \ yyg->yy_c_buf_p = yy_cp; The code flex generates expects that YY_FATAL_ERROR() will either return for it or do some form of longjmp(), or handle the error in some way at least, and so the strncpy() call isn't in an "else" clause, and thus if YY_FATAL_ERROR() is *not* actually fatal, it does the call with the questionable limit, and predictable results ensue. Unfortunately, our implementation of YY_FATAL_ERROR() is: #define YY_FATAL_ERROR(msg) \ do { \ VasEBoot_printf (_("fatal error: %s\n"), _(msg)); \ } while (0) The same pattern exists in yyless(), and similar problems exist in users of YY_INPUT(), several places in the main parsing loop, yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack, yy_scan_buffer(), etc. All of these callers expect YY_FATAL_ERROR() to actually be fatal, and the things they do if it returns after calling it are wildly unsafe. Fixes: CVE-2020-10713 Reviewed-by: Daniel Kiper 2020-05-25 Marc Zyngier arm: Fix 32-bit ARM handling of the CTR register When booting on an ARMv8 core that implements either CTR.IDC or CTR.DIC (indicating that some of the cache maintenance operations can be removed when dealing with I/D-cache coherency, VAS_EBOOT dies with a "Unsupported cache type 0x........" message. This is pretty likely to happen when running in a virtual machine hosted on an arm64 machine (I've triggered it on a system built around a bunch of Cortex-A55 cores, which implements CTR.IDC). It turns out that the way VAS_EBOOT deals with the CTR register is a bit harsh for anything from ARMv7 onwards. The layout of the register is backward compatible, meaning that nothing that gets added is allowed to break earlier behaviour. In this case, ignoring IDC is completely fine, and only results in unnecessary cache maintenance. We can thus avoid being paranoid, and align the 32bit behaviour with its 64bit equivalent. This patch has the added benefit that it gets rid of a (gnu-specific) case range too. Reviewed-by: Leif Lindholm Reviewed-by: Daniel Kiper 2020-05-25 Ian Jackson templates/20_linux_xen: Support Xen Security Modules (XSM/FLASK) XSM is enabled by adding "flask=enforcing" as a Xen command line argument, and providing the policy file as a VasEBoot module. We make entries for both with and without XSM. If XSM is not compiled into Xen, then there are no policy files, so no change to the boot options. Reviewed-by: Daniel Kiper 2020-05-25 Ian Jackson templates/20_linux_xen: Ignore xenpolicy and config files too file_is_not_sym() currently only checks for xen-syms. Extend it to disregard xenpolicy (XSM policy files) and files ending .config (which are built by the Xen upstream build system in some configurations and can therefore end up in /boot). Rename the function accordingly, to file_is_not_xen_garbage(). Reviewed-by: Daniel Kiper 2020-05-25 Javier Martinez Canillas net: Break out nested function Nested functions are not supported in C, but are permitted as an extension in the GNU C dialect. Commit cb2f15c5448 ("normal/main: Search for specific config files for netboot") added a nested function which caused the build to break when compiling with clang. Break that out into a static helper function to make the code portable again. Reported-by: Daniel Axtens Tested-by: Daniel Axtens Reviewed-by: Daniel Kiper 2020-05-25 Javier Martinez Canillas tpm: Enable module for all EFI platforms The module is only enabled for x86_64, but there's nothing specific to x86_64 in the implementation and can be enabled for all EFI platforms. Reviewed-by: Daniel Kiper 2020-05-25 Daniel Kiper INSTALL/configure: Update install doc and configure comment ..to reflect the VAS_EBOOT build reality in them. Additionally, fix text formatting a bit. Reviewed-by: Leif Lindholm 2020-05-25 Daniel Kiper configure: Set gnu99 C language standard by default Commit d5a32255d (misc: Make VasEBoot_strtol() "end" pointers have safer const qualifiers) introduced "restrict" keyword into some functions definitions. This keyword was introduced in C99 standard. However, some compilers by default may use C89 or something different. This behavior leads to the breakage during builds when c89 or gnu89 is in force. So, let's set gnu99 C language standard for all compilers by default. This way a bit random build issue will be fixed and the VAS_EBOOT source will be build consistently regardless of type and version of the compiler. It was decided to use gnu99 C language standard because it fixes the issue mentioned above and also provides some useful extensions which are used here and there in the VAS_EBOOT source. Potentially we can use gnu11 too. However, this may reduce pool of older compilers which can be used to build the VAS_EBOOT. So, let's live with gnu99 until we discover that we strongly require a feature from newer C standard. The user is still able to override C language standard using relevant *_CFLAGS variables. Reviewed-by: Leif Lindholm 2020-05-15 Tianjia Zhang tpm: Rename function VasEBoot_tpm_log_event() to VasEBoot_tpm_measure() VasEBoot_tpm_log_event() and VasEBoot_tpm_measure() are two functions that have the same effect. So, keep VasEBoot_tpm_log_event() and rename it to VasEBoot_tpm_measure(). This way we get also a more clear semantics. Reviewed-by: Daniel Kiper 2020-05-15 Daniel Kiper autogen: Replace -iname with -ipath in find command ..because -iname cannot be used to match paths. Reviewed-by: Javier Martinez Canillas Reviewed-by: Leif Lindholm Reviewed-by: Daniel Axtens 2020-05-15 Daniel Kiper INSTALL: Update configure example ..to make it more relevant. Reviewed-by: Leif Lindholm 2020-05-15 Daniel Kiper configure: Drop unneeded TARGET_CFLAGS expansion Reviewed-by: Javier Martinez Canillas Reviewed-by: Leif Lindholm 2020-05-15 Jacob Kroon docs/VasEBoot: Support for probing partition UUID on MSDOS disks Support was implemented in commit c7cb11b21 (probe: Support probing for msdos PARTUUID). Reviewed-by: Daniel Kiper 2020-05-15 Tianjia Zhang verifiers: Add verify string debug message Like VasEBoot_verifiers_open(), the VasEBoot_verify_string() should also display this debug message, which is very helpful for debugging. Reviewed-by: Daniel Kiper 2020-05-15 Javier Martinez Canillas envblk: Fix buffer overrun when attempting to shrink a variable value If an existing variable is set with a value whose length is smaller than the current value, a memory corruption can happen due copying padding '#' characters outside of the environment block buffer. This is caused by a wrong calculation of the previous free space position after moving backward the characters that followed the old variable value. That position is calculated to fill the remaining of the buffer with the padding '#' characters. But since isn't calculated correctly, it can lead to copies outside of the buffer. The issue can be reproduced by creating a variable with a large value and then try to set a new value that is much smaller: $ VasEBoot2-editenv --version VasEBoot2-editenv (VAS_EBOOT) 2.04 $ VasEBoot2-editenv env create $ VasEBoot2-editenv env set a="$(for i in {1..500}; do var="b$var"; done; echo $var)" $ wc -c env 1024 VasEBootenv $ VasEBoot2-editenv env set a="$(for i in {1..50}; do var="b$var"; done; echo $var)" malloc(): corrupted top size Aborted (core dumped) $ wc -c env 0 VasEBootenv Reported-by: Renaud Métrich Reviewed-by: Daniel Kiper 2020-05-15 Hans Ulrich Niedermann docs: Remove docs for non-existing uppermem command Remove all documentation of and mentions of the uppermem command from the docs/VasEBoot.texi file. The uppermem command is not implemented in the VAS_EBOOT source at all and appears to never have been implemented despite former plans to add an uppermem command. To reduce user confusion, this even removes the paragraph describing how VAS_EBOOT's uppermem command was supposed to complement the Linux kernel's mem= parameter. Reviewed-by: Daniel Kiper 2020-05-15 Hans Ulrich Niedermann docs: Remove docs for non-existing pxe_unload command Remove the documentation of the pxe_unload command from the docs/VasEBoot.texi file. The pxe_unload command is not implemented in the VasEBoot source at this time at all. It appears to have been removed in commit 671a78acb (cleanup pxe and efi network release). Reviewed-by: Daniel Kiper 2020-05-15 Hans Ulrich Niedermann gitignore: Add a few forgotten file patterns Add a few patterns to .gitignore to cover files which are generated by building VasEBoot ("make", "make check", "make dist") but which have been forgotten to add to .gitignore in the past. Reviewed-by: Daniel Kiper 2020-05-15 Hans Ulrich Niedermann gitignore: Add leading slashes where appropriate Going through the list of gitignore patterns without a leading slash, this adds a leading slash where it appears to have been forgotten. Some gitignore patterns like ".deps/" or "Makefile" clearly should match everywhere, so those definitively need no leading slash. For some patterns like "ascii.bitmaps", it is unclear where in the source tree they should match. Those patterns are kept as they are, matching the patterns in the whole tree of subdirectories. Reviewed-by: Daniel Kiper 2020-05-15 Hans Ulrich Niedermann gitignore: Add trailing slashes for directories Add trailing slashes for all patterns matching directories. Note that we do *not* add trailing slashes for *symlinks* to directories. Reviewed-by: Daniel Kiper 2020-05-15 Hans Ulrich Niedermann gitignore: Sort both pattern groups alphabetically Alphabetically sort the two groups of gitignore patterns: * The group of patterns without slashes, matching anywhere in the directory subtree. * The group of patterns with slashes, matching relative to the .gitignore file's directory Reviewed-by: Daniel Kiper 2020-05-15 Hans Ulrich Niedermann gitignore: Group patterns with and without slash Group the .gitignore patterns into two groups: * Pattern not including a slash, i.e. matching files anywhere in the .gitignore file's directory and all of its subdirectories. * Patterns including a slash, i.e. matching only relative to the .gitignore file's directory. Reviewed-by: Daniel Kiper 2020-05-15 Hans Ulrich Niedermann gitignore: Consistent leading slash is easier to read As all gitignore patterns containing a left or middle slash match only relative to the .gitignore file's directory, we write them all in the same manner with a leading slash. This makes the file significantly easier to read. Reviewed-by: Daniel Kiper 2020-05-15 Daniel Kiper mips/cache: Add missing nop's in delay slots Lack of them causes random instructions to be executed before the jump really happens. Reviewed-by: Daniel Kiper 2020-04-21 Patrick Steinhardt luks2: Propagate error when reading area key fails When decrypting a given keyslot, all error cases except for one set up an error and return the error code. The only exception is when we try to read the area key: instead of setting up an error message, we directly print it via VasEBoot_dprintf(). Convert the outlier to use VasEBoot_error() to allow more uniform handling of errors. Reviewed-by: Daniel Kiper 2020-04-21 Patrick Steinhardt json: Get rid of casts for "jsmntok_t" With the upstream change having landed that adds a name to the previously anonymous "jsmntok" typedef, we can now add a forward declaration for that struct in our code. As a result, we no longer have to store the "tokens" member of "struct VasEBoot_json" as a void pointer but can instead use the forward declaration, allowing us to get rid of casts of that field. Reviewed-by: Daniel Kiper 2020-04-21 Patrick Steinhardt json: Update jsmn library to upstream commit 053d3cd Update our embedded version of the jsmn library to upstream commit 053d3cd (Merge pull request #175 from pks-t/pks/struct-type, 2020-04-02). Reviewed-by: Daniel Kiper 2020-04-21 Steve Langasek templates: Output a menu entry for firmware setup on UEFI FastBoot systems The fwsetup command allows to reboot into the EFI firmware setup menu, add a template to include a menu entry on EFI systems that makes use of that command to reboot into the EFI firmware settings. This is useful for users since the hotkey to enter into the EFI setup menu may not be the same on all systems so users can use the menu entry without needing to figure out what key needs to be pressed. Also, if fastboot is enabled in the BIOS then often it is not possible to enter the firmware setup menu. So the entry is again useful for this case. Reviewed-by: Daniel Kiper 2020-04-21 Hans de Goede kern/term: Accept ESC, F4 and holding SHIFT as user interrupt keys On some devices the ESC key is the hotkey to enter the BIOS/EFI setup screen, making it really hard to time pressing it right. Besides that ESC is also pretty hard to discover for a user who does not know it will unhide the menu. This commit makes F4, which was chosen because is not used as a hotkey to enter the BIOS setup by any vendor, also interrupt sleeps / stop the menu countdown. This solves the ESC gets into the BIOS setup and also somewhat solves the discoverability issue, but leaves the timing issue unresolved. This commit fixes the timing issue by also adding support for keeping SHIFT pressed during boot to stop the menu countdown. This matches what Ubuntu is doing, which should also help with discoverability. Reviewed-by: Daniel Kiper 2020-04-21 Hans de Goede efi/console: Do not set text-mode until we actually need it If we're running with a hidden menu we may never need text mode, so do not change the video-mode to text until we actually need it. This allows to boot a machine without unnecessary graphical transitions and provide a seamless boot experience to users. Reviewed-by: Daniel Kiper 2020-04-21 Hans de Goede efi/console: Implement getkeystatus() support Implement getkeystatus() support in the EFI console driver. This is needed because the logic to determine if a key was pressed to make the menu countdown stop will be changed by a later patch to also take into account the SHIFT key being held down. For this reason the EFI console driver has to support getkeystatus() to allow detecting that event. Note that if a non-modifier key gets pressed and repeated calls to getkeystatus() are made then it will return the modifier status at the time of the non-modifier key, until that key-press gets consumed by a getkey() call. This is a side-effect of how the EFI simple-text-input protocol works and cannot be avoided. Reviewed-by: Daniel Kiper 2020-04-21 Hans de Goede efi/console: Add VasEBoot_console_read_key_stroke() helper function This is a preparatory patch for adding getkeystatus() support to the EFI console driver. We can get modifier status through the simple_text_input read_key_stroke() method, but if a non-modifier key is (also) pressed the read_key_stroke() call will consume that key from the firmware's queue. The new VasEBoot_console_read_key_stroke() helper buffers upto 1 key-stroke. If it has a non-modifier key buffered, it will return that one, if its buffer is empty, it will fills its buffer by getting a new key-stroke. If called with consume=1 it will empty its buffer after copying the key-data to the callers buffer, this is how getkey() will use it. If called with consume=0 it will keep the last key-stroke buffered, this is how getkeystatus() will call it. This means that if a non-modifier key gets pressed, repeated getkeystatus() calls will return the modifiers of that key-press until it is consumed by a getkey() call. Reviewed-by: Daniel Kiper 2020-04-21 Hans de Goede kern/term: Make VasEBoot_getkeystatus() helper function available everywhere Move VasEBoot_getkeystatushelper() function from VasEBoot-core/commands/keystatus.c to VasEBoot-core/kern/term.c and export it so that it can be used outside of the keystatus command code too. There's no logic change in this patch. The function definition is moved so it can be called from VasEBoot-core/kern/term.c in a subsequent patch. It will be used to determine if a SHIFT key has was held down and use that also to interrupt the countdown, without the need to press a key at the right time. Reviewed-by: Daniel Kiper 2020-04-21 Javier Martinez Canillas efi/console: Move VasEBoot_console_set{colorstate,cursor} higher in the file This is just a preparatory patch to move the functions higher in the file, since these will be called by the VasEBoot_prepare_for_text_output() function that will be introduced in a later patch. The logic is unchanged by this patch. Functions definitions are just moved to avoid a forward declaration in a later patch, keeping the code clean. Reviewed-by: Daniel Kiper 2020-04-21 Paul Menzel docs/VasEBoot: Fix typo in *preferred* Reviewed-by: Daniel Kiper 2020-04-21 Daniel Axtens powerpc/mkimage: Fix CHRP note descsz Currently, an image generated with 'VasEBoot-mkimage -n' causes an error when read with 'readelf -a': Displaying notes found at file offset 0x000106f0 with length 0x0000002c: Owner Data size Description readelf: Warning: note with invalid namesz and/or descsz found at offset 0x0 readelf: Warning: type: 0x1275, namesize: 0x00000008, descsize: 0x0000002c, alignment: 4 This is because the descsz of the CHRP note is set to sizeof (struct VasEBoot_ieee1275_note) which is the size of the entire note, including name and elf header. The desczs should contain only the contents, not the name and header sizes. Set the descsz instead to 'sizeof (struct VasEBoot_ieee1275_note_desc)' Resultant readelf output: Displaying notes found at file offset 0x00010710 with length 0x0000002c: Owner Data size Description PowerPC 0x00000018 Unknown note type: (0x00001275) description data: ff ff ff ff 00 c0 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 40 00 So far as I can tell this issue has existed for as long as the note generation code has existed, but I guess nothing really checks descsz. Reviewed-by: Daniel Kiper 2020-03-31 Flavio Suligoi efi: Add missed space in VAS_EBOOT_EFI_GLOBAL_VARIABLE_GUID Reviewed-by: Daniel Kiper 2020-03-31 Michael Chang zfs: Fix gcc10 error -Werror=zero-length-bounds We bumped into the build error while testing gcc-10 pre-release. In file included from ../../include/VasEBoot/file.h:22, from ../../VasEBoot-core/fs/zfs/zfs.c:34: ../../VasEBoot-core/fs/zfs/zfs.c: In function 'zap_leaf_lookup': ../../VasEBoot-core/fs/zfs/zfs.c:2263:44: error: array subscript '' is outside the bounds of an interior zero-length array 'VasEBoot_uint16_t[0]' {aka 'short unsigned int[0]'} [-Werror=zero-length-bounds] 2263 | for (chunk = VasEBoot_zfs_to_cpu16 (l->l_hash[LEAF_HASH (blksft, h, l)], endian); ../../include/VasEBoot/types.h:241:48: note: in definition of macro 'VasEBoot_le_to_cpu16' 241 | # define VasEBoot_le_to_cpu16(x) ((VasEBoot_uint16_t) (x)) | ^ ../../VasEBoot-core/fs/zfs/zfs.c:2263:16: note: in expansion of macro 'VasEBoot_zfs_to_cpu16' 2263 | for (chunk = VasEBoot_zfs_to_cpu16 (l->l_hash[LEAF_HASH (blksft, h, l)], endian); | ^~~~~~~~~~~~~~~~~ In file included from ../../VasEBoot-core/fs/zfs/zfs.c:48: ../../include/VasEBoot/zfs/zap_leaf.h:72:16: note: while referencing 'l_hash' 72 | VasEBoot_uint16_t l_hash[0]; | ^~~~~~ Here I'd like to quote from the gcc document [1] which seems best to explain what is going on here. "Although the size of a zero-length array is zero, an array member of this kind may increase the size of the enclosing type as a result of tail padding. The offset of a zero-length array member from the beginning of the enclosing structure is the same as the offset of an array with one or more elements of the same type. The alignment of a zero-length array is the same as the alignment of its elements. Declaring zero-length arrays in other contexts, including as interior members of structure objects or as non-member objects, is discouraged. Accessing elements of zero-length arrays declared in such contexts is undefined and may be diagnosed." The l_hash[0] is apparnetly an interior member to the enclosed structure while l_entries[0] is the trailing member. And the offending code tries to access members in l_hash[0] array that triggers the diagnose. Given that the l_entries[0] is used to get proper alignment to access leaf chunks, we can accomplish the same thing through the ALIGN_UP macro thus eliminating l_entries[0] from the structure. In this way we can pacify the warning as l_hash[0] now becomes the last member to the enclosed structure. [1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html Reviewed-by: Daniel Kiper 2020-03-31 Michael Chang mdraid1x_linux: Fix gcc10 error -Werror=array-bounds We bumped into the build error while testing gcc-10 pre-release. ../../VasEBoot-core/disk/mdraid1x_linux.c: In function 'VasEBoot_mdraid_detect': ../../VasEBoot-core/disk/mdraid1x_linux.c:181:15: error: array subscript is outside array bounds of 'VasEBoot_uint16_t[0]' {aka 'short unsigned int[0]'} [-Werror=array-bounds] 181 | (char *) &sb.dev_roles[VasEBoot_le_to_cpu32 (sb.dev_number)] | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../../VasEBoot-core/disk/mdraid1x_linux.c:98:17: note: while referencing 'dev_roles' 98 | VasEBoot_uint16_t dev_roles[0]; /* Role in array, or 0xffff for a spare, or 0xfffe for faulty. */ | ^~~~~~~~~ ../../VasEBoot-core/disk/mdraid1x_linux.c:127:33: note: defined here 'sb' 127 | struct VasEBoot_raid_super_1x sb; | ^~ cc1: all warnings being treated as errors Apparently gcc issues the warning when trying to access sb.dev_roles array's member, since it is a zero length array as the last element of struct VasEBoot_raid_super_1x that is allocated sparsely without extra chunks for the trailing bits, so the warning looks legitimate in this regard. As the whole thing here is doing offset computation, it is undue to use syntax that would imply array member access then take address from it later. Instead we could accomplish the same thing through basic array pointer arithmetic to pacify the warning. Reviewed-by: Daniel Kiper 2020-03-31 Simon Hardy build: Fix VAS_EBOOT i386-pc build with Ubuntu gcc With recent versions of gcc on Ubuntu a very large lzma_decompress.img file is output. (e.g. 134479600 bytes instead of 2864.) This causes VasEBoot-mkimage to fail with: "error: Decompressor is too big." This seems to be caused by a section .note.gnu.property that is placed at an offset such that objcopy needs to pad the img file with zeros. This issue is present on: Ubuntu 19.10 with gcc (Ubuntu 8.3.0-26ubuntu1~19.10) 8.3.0 Ubuntu 19.10 with gcc (Ubuntu 9.2.1-9ubuntu2) 9.2.1 20191008 This issue is not present on: Ubuntu 19.10 with gcc (Ubuntu 7.5.0-3ubuntu1~19.10) 7.5.0 RHEL 8.0 with gcc 8.3.1 20190507 (Red Hat 8.3.1-4) The issue can be fixed by removing the section using objcopy as shown in this patch. Reviewed-by: Daniel Kiper 2020-03-31 Tianjia Zhang efi/tpm: Fix memory leak in VasEBoot_tpm1/2_log_event() The memory requested for the event is not released here, causing memory leaks. This patch fixes this problem. Reviewed-by: Javier Martinez Canillas Reviewed-by: Daniel Kiper 2020-03-31 Michael Chang docs: Document notes on LVM cache booting Add notes on LVM cache booting to the VAS_EBOOT manual to help user understanding the outstanding issue and status. Reviewed-by: Daniel Kiper 2020-03-31 Michael Chang lvm: Add LVM cache logical volume handling The LVM cache logical volume is the logical volume consisting of the original and the cache pool logical volume. The original is usually on a larger and slower storage device while the cache pool is on a smaller and faster one. The performance of the original volume can be improved by storing the frequently used data on the cache pool to utilize the greater performance of faster device. The default cache mode "writethrough" ensures that any data written will be stored both in the cache and on the origin LV, therefore VasEBoot can be straight to read the original lv as no data loss is guarenteed. The second cache mode is "writeback", which delays writing from the cache pool back to the origin LV to have increased performance. The drawback is potential data loss if losing the associated cache device. During the boot time VasEBoot reads the LVM offline i.e. LVM volumes are not activated and mounted, hence it should be fine to read directly from original lv since all cached data should have been flushed back in the process of taking it offline. It is also not much helpful to the situation by adding fsync calls to the install code. The fsync did not force to write back dirty cache to the original device and rather it would update associated cache metadata to complete the write transaction with the cache device. IOW the writes to cached blocks still go only to the cache device. To write back dirty cache, as LVM cache did not support dirty cache flush per block range, there'no way to do it for file. On the other hand the "cleaner" policy is implemented and can be used to write back "all" dirty blocks in a cache, which effectively drain all dirty cache gradually to attain and last in the "clean" state, which can be useful for shrinking or decommissioning a cache. The result and effect is not what we are looking for here. In conclusion, as it seems no way to enforce file writes to the original device, VasEBoot may suffer from power failure as it cannot assemble the cache device and read the dirty data from it. However since the case is only applicable to writeback mode which is sensitive to data lost in nature, I'd still like to propose my (relatively simple) patch and treat reading dirty cache as improvement. Reviewed-by: Daniel Kiper 2020-03-10 Patrick Steinhardt gnulib: Fix build of base64 when compiling with memory debugging When building VAS_EBOOT with memory management debugging enabled, then the build fails because of `VasEBoot_debug_malloc()` and `VasEBoot_debug_free()` being undefined in the luks2 module. The cause is that we patch "base64.h" to unconditionaly include "config-util.h", which shouldn't be included for modules at all. As a result, `MM_DEBUG` is defined when building the module, causing it to use the debug memory allocation functions. As these are not built into modules, we end up with a linker error. Fix the issue by removing the include altogether. The sole reason it was included was for the `_GL_ATTRIBUTE_CONST` macro, which we can simply define as empty in case it's not set. Reviewed-by: Daniel Kiper 2020-03-10 Patrick Steinhardt build: Fix option to explicitly disable memory debugging The memory management system supports a debug mode that can be enabled at build time by passing "--enable-mm-debug" to the configure script. Passing the option will cause us define MM_DEBUG as expected, but in fact the reverse option "--disable-mm-debug" will do the exact same thing and also set up the define. This currently causes the build of "lib/gnulib/base64.c" to fail as it tries to use `VasEBoot_debug_malloc()` and `VasEBoot_debug_free()` even though both symbols aren't defined. Seemingly, `AC_ARG_ENABLE()` will always execute the third argument if either the positive or negative option was passed. Let's thus fix the issue by moving the call to`AC_DEFINE()` into an explicit `if test $xenable_mm_debug` block, similar to how other defines work. Reviewed-by: Daniel Kiper Reviewed-by: Paul Menzel 2020-03-10 David Michael fat: Support file modification times This allows comparing file ages on EFI system partitions. Reviewed-by: Daniel Kiper 2020-03-10 David Michael exfat: Save the matching directory entry struct when searching This provides the node's attributes outside the iterator function so the file modification time can be accessed and reported. Reviewed-by: Daniel Kiper 2020-03-10 Mike Gilbert datetime: Enable the datetime module for the emu platform Fixes a build failure: VasEBoot-core/commands/date.c:49: undefined reference to `VasEBoot_get_weekday_name' VasEBoot-core/commands/ls.c:155: undefined reference to `VasEBoot_unixtime2datetime' Bug: https://bugs.gentoo.org/711512 Reviewed-by: Javier Martinez Canillas Tested-by: Javier Martinez Canillas Reviewed-by: Daniel Kiper 2020-03-10 John Paul Adrian Glaubitz build: Add soft-float handling for SuperH (sh4) While VAS_EBOOT has no platform support for SuperH (sh4) yet, this change adds the target-specific handling of soft-floats such that the VAS_EBOOT utilities can be built on this target. Reviewed-by: Daniel Kiper 2020-03-10 Peter Jones efi: Fix the type of VasEBoot_efi_status_t Currently, in some builds with some checkers, we see: 1. VasEBoot-core/disk/efi/efidisk.c:601: error[shiftTooManyBitsSigned]: Shifting signed 64-bit value by 63 bits is undefined behaviour This is because VasEBoot_efi_status_t is defined as VasEBoot_efi_intn_t, which is signed, and shifting into the sign bit is not defined behavior. UEFI fixed this in the spec in 2.3: 2.3 | Change the defined type of EFI_STATUS from INTN to UINTN | May 7, 2009 And the current EDK2 code has: MdePkg/Include/Base.h-// MdePkg/Include/Base.h-// Status codes common to all execution phases MdePkg/Include/Base.h-// MdePkg/Include/Base.h:typedef UINTN RETURN_STATUS; MdePkg/Include/Base.h- MdePkg/Include/Base.h-/** MdePkg/Include/Base.h- Produces a RETURN_STATUS code with the highest bit set. MdePkg/Include/Base.h- MdePkg/Include/Base.h- @param StatusCode The status code value to convert into a warning code. MdePkg/Include/Base.h- StatusCode must be in the range 0x00000000..0x7FFFFFFF. MdePkg/Include/Base.h- MdePkg/Include/Base.h- @return The value specified by StatusCode with the highest bit set. MdePkg/Include/Base.h- MdePkg/Include/Base.h-**/ MdePkg/Include/Base.h-#define ENCODE_ERROR(StatusCode) ((RETURN_STATUS)(MAX_BIT | (StatusCode))) MdePkg/Include/Base.h- MdePkg/Include/Base.h-/** MdePkg/Include/Base.h- Produces a RETURN_STATUS code with the highest bit clear. MdePkg/Include/Base.h- MdePkg/Include/Base.h- @param StatusCode The status code value to convert into a warning code. MdePkg/Include/Base.h- StatusCode must be in the range 0x00000000..0x7FFFFFFF. MdePkg/Include/Base.h- MdePkg/Include/Base.h- @return The value specified by StatusCode with the highest bit clear. MdePkg/Include/Base.h- MdePkg/Include/Base.h-**/ MdePkg/Include/Base.h-#define ENCODE_WARNING(StatusCode) ((RETURN_STATUS)(StatusCode)) MdePkg/Include/Base.h- MdePkg/Include/Base.h-/** MdePkg/Include/Base.h- Returns TRUE if a specified RETURN_STATUS code is an error code. MdePkg/Include/Base.h- MdePkg/Include/Base.h- This function returns TRUE if StatusCode has the high bit set. Otherwise, FALSE is returned. MdePkg/Include/Base.h- MdePkg/Include/Base.h- @param StatusCode The status code value to evaluate. MdePkg/Include/Base.h- MdePkg/Include/Base.h- @retval TRUE The high bit of StatusCode is set. MdePkg/Include/Base.h- @retval FALSE The high bit of StatusCode is clear. MdePkg/Include/Base.h- MdePkg/Include/Base.h-**/ MdePkg/Include/Base.h-#define RETURN_ERROR(StatusCode) (((INTN)(RETURN_STATUS)(StatusCode)) < 0) ... Uefi/UefiBaseType.h:typedef RETURN_STATUS EFI_STATUS; This patch makes VasEBoot's implementation match the Edk2 declaration with regards to the signedness of the type. Reviewed-by: Daniel Kiper 2020-03-10 Peter Jones efi/gop: Add debug output on GOP probing Add debug information to EFI GOP video driver probing function. Reviewed-by: Daniel Kiper 2020-03-10 Peter Jones efi/uga: Use video instead of fb as debug condition All other video drivers use "video" as the debug condition instead of "fb" so change this in the efi/uga driver to make it consistent with the others. Reviewed-by: Daniel Kiper 2020-03-10 Peter Jones efi: Print error messages to VasEBoot_efi_allocate_pages_real() No messages were printed in this function, add some to ease debugging. Also, the function returns a void * pointer so return NULL instead of 0 to make the code more readable. Reviewed-by: Daniel Kiper 2020-03-10 Andrei Borzenkov efi/uga: Use 64 bit for fb_base We get 64 bit from PCI BAR but then truncate by assigning to 32 bit. Make sure to check that pointer does not overflow on 32 bit platform. Closes: 50931 Reviewed-by: Daniel Kiper 2020-03-10 Alexander Graf efi/gop: Add support for BLT_ONLY adapters EFI GOP has support for multiple different bitness types of frame buffers and for a special "BLT only" type which is always defined to be RGBx. Because VasEBoot2 doesn't ever directly access the frame buffer but instead only renders graphics via the BLT interface anyway, we can easily support these adapters. The reason this has come up now is the emerging support for virtio-gpu in OVMF. That adapter does not have the notion of a memory mapped frame buffer and thus is BLT only. Reviewed-by: Daniel Kiper 2020-03-10 Peter Jones normal/completion: Fix possible NULL pointer dereference Coverity Scan reports that the VasEBoot_strrchr() function can return NULL if the character is not found. Check if that's the case for dirfile pointer. Reviewed-by: Daniel Kiper 2020-03-10 Peter Jones kern: Add VasEBoot_debug_enabled() Add a VasEBoot_debug_enabled() helper function instead of open coding it. Reviewed-by: Daniel Kiper 2020-03-10 Peter Jones Makefile: Make libVasEBoot.pp depend on config-util.h If you build with "make -j48" a lot, sometimes you see: gcc -E -DHAVE_CONFIG_H -I. -I.. -Wall -W -DVAS_EBOOT_UTIL=1 -D_FILE_OFFSET_BITS=64 -I./include -DVAS_EBOOT_FILE=\"VasEBoot_script.tab.h\" -I. -I.. -I. -I.. -I../include -I./include -I../VasEBoot-core/lib/libgcrypt-VasEBoot/src/ -I../VasEBoot-core/lib/minilzo -I../VasEBoot-core/lib/xzembed -DMINILZO_HAVE_CONFIG_H -Wall -W -DVAS_EBOOT_UTIL=1 -D_FILE_OFFSET_BITS=64 -I./include -DVAS_EBOOT_FILE=\"VasEBoot_script.tab.h\" -I. -I.. -I. -I.. -I../include -I./include -I../VasEBoot-core/lib/libgcrypt-VasEBoot/src/ -I./VasEBoot-core/gnulib -I../VasEBoot-core/gnulib -I/builddir/build/BUILD/VasEBoot-2.02/VasEBoot-aarch64-efi-2.02 -D_FILE_OFFSET_BITS=64 \ -D'VAS_EBOOT_MOD_INIT(x)=@MARKER@x@' VasEBoot_script.tab.h VasEBoot_script.yy.h ../VasEBoot-core/commands/blocklist.c ../VasEBoot-core/commands/macbless.c ../VasEBoot-core/commands/xnu_uuid.c ../VasEBoot-core/commands/testload.c ../VasEBoot-core/commands/ls.c ../VasEBoot-core/disk/dmraid_nvidia.c ../VasEBoot-core/disk/loopback.c ../VasEBoot-core/disk/lvm.c ../VasEBoot-core/disk/mdraid_linux.c ../VasEBoot-core/disk/mdraid_linux_be.c ../VasEBoot-core/disk/mdraid1x_linux.c ../VasEBoot-core/disk/raid5_recover.c ../VasEBoot-core/disk/raid6_recover.c ../VasEBoot-core/font/font.c ../VasEBoot-core/gfxmenu/font.c ../VasEBoot-core/normal/charset.c ../VasEBoot-core/video/fb/fbblit.c ../VasEBoot-core/video/fb/fbutil.c ../VasEBoot-core/video/fb/fbfill.c ../VasEBoot-core/video/fb/video_fb.c ../VasEBoot-core/video/video.c ../VasEBoot-core/video/capture.c ../VasEBoot-core/video/colors.c ../VasEBoot-core/unidata.c ../VasEBoot-core/io/bufio.c ../VasEBoot-core/fs/affs.c ../VasEBoot-core/fs/afs.c ../VasEBoot-core/fs/bfs.c ../VasEBoot-core/fs/btrfs.c ../VasEBoot-core/fs/cbfs.c ../VasEBoot-core/fs/cpio.c ../VasEBoot-core/fs/cpio_be.c ../VasEBoot-core/fs/odc.c ../VasEBoot-core/fs/newc.c ../VasEBoot-core/fs/ext2.c ../VasEBoot-core/fs/fat.c ../VasEBoot-core/fs/exfat.c ../VasEBoot-core/fs/fshelp.c ../VasEBoot-core/fs/hfs.c ../VasEBoot-core/fs/hfsplus.c ../VasEBoot-core/fs/hfspluscomp.c ../VasEBoot-core/fs/iso9660.c ../VasEBoot-core/fs/jfs.c ../VasEBoot-core/fs/minix.c ../VasEBoot-core/fs/minix2.c ../VasEBoot-core/fs/minix3.c ../VasEBoot-core/fs/minix_be.c ../VasEBoot-core/fs/minix2_be.c ../VasEBoot-core/fs/minix3_be.c ../VasEBoot-core/fs/nilfs2.c ../VasEBoot-core/fs/ntfs.c ../VasEBoot-core/fs/ntfscomp.c ../VasEBoot-core/fs/reiserfs.c ../VasEBoot-core/fs/romfs.c ../VasEBoot-core/fs/sfs.c ../VasEBoot-core/fs/squash4.c ../VasEBoot-core/fs/tar.c ../VasEBoot-core/fs/udf.c ../VasEBoot-core/fs/ufs2.c ../VasEBoot-core/fs/ufs.c ../VasEBoot-core/fs/ufs_be.c ../VasEBoot-core/fs/xfs.c ../VasEBoot-core/fs/zfs/zfscrypt.c ../VasEBoot-core/fs/zfs/zfs.c ../VasEBoot-core/fs/zfs/zfsinfo.c ../VasEBoot-core/fs/zfs/zfs_lzjb.c ../VasEBoot-core/fs/zfs/zfs_lz4.c ../VasEBoot-core/fs/zfs/zfs_sha256.c ../VasEBoot-core/fs/zfs/zfs_fletcher.c ../VasEBoot-core/lib/envblk.c ../VasEBoot-core/lib/hexdump.c ../VasEBoot-core/lib/LzFind.c ../VasEBoot-core/lib/LzmaEnc.c ../VasEBoot-core/lib/crc.c ../VasEBoot-core/lib/adler32.c ../VasEBoot-core/lib/crc64.c ../VasEBoot-core/normal/datetime.c ../VasEBoot-core/normal/misc.c ../VasEBoot-core/partmap/acorn.c ../VasEBoot-core/partmap/amiga.c ../VasEBoot-core/partmap/apple.c ../VasEBoot-core/partmap/sun.c ../VasEBoot-core/partmap/plan.c ../VasEBoot-core/partmap/dvh.c ../VasEBoot-core/partmap/sunpc.c ../VasEBoot-core/partmap/bsdlabel.c ../VasEBoot-core/partmap/dfly.c ../VasEBoot-core/script/function.c ../VasEBoot-core/script/lexer.c ../VasEBoot-core/script/main.c ../VasEBoot-core/script/script.c ../VasEBoot-core/script/argv.c ../VasEBoot-core/io/gzio.c ../VasEBoot-core/io/xzio.c ../VasEBoot-core/io/lzopio.c ../VasEBoot-core/kern/ia64/dl_helper.c ../VasEBoot-core/kern/arm/dl_helper.c ../VasEBoot-core/kern/arm64/dl_helper.c ../VasEBoot-core/lib/minilzo/minilzo.c ../VasEBoot-core/lib/xzembed/xz_dec_bcj.c ../VasEBoot-core/lib/xzembed/xz_dec_lzma2.c ../VasEBoot-core/lib/xzembed/xz_dec_stream.c ../util/misc.c ../VasEBoot-core/kern/command.c ../VasEBoot-core/kern/device.c ../VasEBoot-core/kern/disk.c ../VasEBoot-core/lib/disk.c ../util/getroot.c ../VasEBoot-core/osdep/unix/getroot.c ../VasEBoot-core/osdep/getroot.c ../VasEBoot-core/osdep/devmapper/getroot.c ../VasEBoot-core/osdep/relpath.c ../VasEBoot-core/kern/emu/hostdisk.c ../VasEBoot-core/osdep/devmapper/hostdisk.c ../VasEBoot-core/osdep/hostdisk.c ../VasEBoot-core/osdep/unix/hostdisk.c ../VasEBoot-core/osdep/exec.c ../VasEBoot-core/osdep/sleep.c ../VasEBoot-core/osdep/password.c ../VasEBoot-core/kern/emu/misc.c ../VasEBoot-core/kern/emu/mm.c ../VasEBoot-core/kern/env.c ../VasEBoot-core/kern/err.c ../VasEBoot-core/kern/file.c ../VasEBoot-core/kern/fs.c ../VasEBoot-core/kern/list.c ../VasEBoot-core/kern/misc.c ../VasEBoot-core/kern/partition.c ../VasEBoot-core/lib/crypto.c ../VasEBoot-core/disk/luks.c ../VasEBoot-core/disk/geli.c ../VasEBoot-core/disk/cryptodisk.c ../VasEBoot-core/disk/AFSplitter.c ../VasEBoot-core/lib/pbkdf2.c ../VasEBoot-core/commands/extcmd.c ../VasEBoot-core/lib/arg.c ../VasEBoot-core/disk/ldm.c ../VasEBoot-core/disk/diskfilter.c ../VasEBoot-core/partmap/gpt.c ../VasEBoot-core/partmap/msdos.c ../VasEBoot-core/fs/proc.c ../VasEBoot-core/fs/archelp.c > libVasEBoot.pp || (rm -f libVasEBoot.pp; exit 1) rm -f stamp-h1 touch ../config-util.h.in cd . && /bin/sh ./config.status config-util.h config.status: creating config-util.h In file included from ../include/VasEBoot/mm.h:25:0, from ../include/VasEBoot/disk.h:29, from ../include/VasEBoot/file.h:26, from ../VasEBoot-core/fs/btrfs.c:21: ./config.h:38:10: fatal error: ./config-util.h: No such file or directory #include ^~~~~~~~~~~~~~~ compilation terminated. make: *** [Makefile:13098: libVasEBoot.pp] Error 1 This is because libVasEBoot.pp is built with -DVAS_EBOOT_UTIL=1, which means it'll try to include config-util.h, but a parallel make is actually building that file. I think. Reviewed-by: Daniel Kiper 2020-03-10 Peter Jones efi: Print more debug info in our module loader The function that searches the mods section base address does not have any debug information. Add some debugging outputs that could be useful. Reviewed-by: Daniel Kiper 2020-03-10 Peter Jones linux/getroot: Handle rssd storage device names The Micron PCIe SSDs Linux driver (mtip32xx) exposes block devices as /dev/rssd[a-z]+[0-9]*. Add support for these rssd device names. Reviewed-by: Daniel Kiper 2020-03-10 Julian Andres Klode smbios: Add a --linux argument to apply linux modalias-like filtering Linux creates modalias strings by filtering out non-ASCII, space, and colon characters. Provide an option that does the same filtering so people can create a modalias string in VAS_EBOOT, and then match their modalias patterns against it. Reviewed-by: Daniel Kiper 2020-03-10 Mike Gilbert po: Fix replacement of %m in sed programs When running make dist, I hit this error: rm -f en@arabic.gmo && /usr/bin/gmsgfmt -c --statistics --verbose -o en@arabic.gmo en@arabic.po en@arabic.po:5312: 'msgstr' is not a valid C format string, unlike 'msgid'. Reason: The character that terminates the directive number 3 is not a valid conversion specifier. /usr/bin/gmsgfmt: found 1 fatal error This was caused by "%m" being replaced with foreign Unicode characters. For example: msgid "cannot rename the file %s to %s: %m" msgstr "ﺹﺎﻨﻧﻮﺗ ﺮﻌﻧﺎﻤﻋ ﺖﻬﻋ ﻒִﻴﻠﻋ %s ﺕﻭ %s: %ﻡ" Mimic the workaround used for "%s" by reversing the replacement of "%m" at the end of the sed programs. Reviewed-by: Daniel Kiper 2020-03-10 Colin Watson gettext: Restore patches to po/Makefile.in.in These were inadvertently lost during the conversion to Gnulib (gnulib: Upgrade Gnulib and switch to bootstrap tool; commit 35b909062). The files in po/gettext-patches/ can be imported using "git am" on top of the gettext tag corresponding to AM_GNU_GETTEXT_VERSION in configure.ac (currently 0.18.3). They handle translation of messages in shell files, make msgfmt output in little-endian format, and arrange to use @SHELL@ rather than /bin/sh. There were some changes solely for the purpose of distributing extra files; for ease of maintenance, I've added these to conf/Makefile.extra-dist instead. Fixes: https://savannah.gnu.org/bugs/?57298 Reviewed-by: Daniel Kiper 2020-02-28 Peter Jones misc: Make VasEBoot_strtol() "end" pointers have safer const qualifiers Currently the string functions VasEBoot_strtol(), VasEBoot_strtoul(), and VasEBoot_strtoull() don't declare the "end" pointer in such a way as to require the pointer itself or the character array to be immutable to the implementation, nor does the C standard do so in its similar functions, though it does require us not to change any of it. The typical declarations of these functions follow this pattern: long strtol(const char * restrict nptr, char ** restrict endptr, int base); Much of the reason for this is historic, and a discussion of that follows below, after the explanation of this change. (VAS_EBOOT currently does not include the "restrict" qualifiers, and we name the arguments a bit differently.) The implementation is semantically required to treat the character array as immutable, but such accidental modifications aren't stopped by the compiler, and the semantics for both the callers and the implementation of these functions are sometimes also helped by adding that requirement. This patch changes these declarations to follow this pattern instead: long strtol(const char * restrict nptr, const char ** const restrict endptr, int base); This means that if any modification to these functions accidentally introduces either an errant modification to the underlying character array, or an accidental assignment to endptr rather than *endptr, the compiler should generate an error. (The two uses of "restrict" in this case basically mean strtol() isn't allowed to modify the character array by going through *endptr, and endptr isn't allowed to point inside the array.) It also means the typical use case changes to: char *s = ...; const char *end; long l; l = strtol(s, &end, 10); Or even: const char *p = str; while (p && *p) { long l = strtol(p, &p, 10); ... } This fixes 26 places where we discard our attempts at treating the data safely by doing: const char *p = str; long l; l = strtol(p, (char **)&ptr, 10); It also adds 5 places where we do: char *p = str; while (p && *p) { long l = strtol(p, (const char ** const)&p, 10); ... /* more calls that need p not to be pointer-to-const */ } While moderately distasteful, this is a better problem to have. With one minor exception, I have tested that all of this compiles without relevant warnings or errors, and that /much/ of it behaves correctly, with gcc 9 using 'gcc -W -Wall -Wextra'. The one exception is the changes in VasEBoot-core/osdep/aros/hostdisk.c , which I have no idea how to build. Because the C standard defined type-qualifiers in a way that can be confusing, in the past there's been a slow but fairly regular stream of churn within our patches, which add and remove the const qualifier in many of the users of these functions. This change should help avoid that in the future, and in order to help ensure this, I've added an explanation in misc.h so that when someone does get a compiler warning about a type error, they have the fix at hand. The reason we don't have "const" in these calls in the standard is purely anachronistic: C78 (de facto) did not have type qualifiers in the syntax, and the "const" type qualifier was added for C89 (I think; it may have been later). strtol() appears to date from 4.3BSD in 1986, which means it could not be added to those functions in the standard without breaking compatibility, which is usually avoided. The syntax chosen for type qualifiers is what has led to the churn regarding usage of const, and is especially confusing on string functions due to the lack of a string type. Quoting from C99, the syntax is: declarator: pointer[opt] direct-declarator direct-declarator: identifier ( declarator ) direct-declarator [ type-qualifier-list[opt] assignment-expression[opt] ] ... direct-declarator [ type-qualifier-list[opt] * ] ... pointer: * type-qualifier-list[opt] * type-qualifier-list[opt] pointer type-qualifier-list: type-qualifier type-qualifier-list type-qualifier ... type-qualifier: const restrict volatile So the examples go like: const char foo; // immutable object const char *foo; // mutable pointer to object char * const foo; // immutable pointer to mutable object const char * const foo; // immutable pointer to immutable object const char const * const foo; // XXX extra const keyword in the middle const char * const * const foo; // immutable pointer to immutable // pointer to immutable object const char ** const foo; // immutable pointer to mutable pointer // to immutable object Making const left-associative for * and right-associative for everything else may not have been the best choice ever, but here we are, and the inevitable result is people using trying to use const (as they should!), putting it at the wrong place, fighting with the compiler for a bit, and then either removing it or typecasting something in a bad way. I won't go into describing restrict, but its syntax has exactly the same issue as with const. Anyway, the last example above actually represents the *behavior* that's required of strtol()-like functions, so that's our choice for the "end" pointer. Reviewed-by: Daniel Kiper 2020-02-28 Mike Gilbert build: Disable PIE in TARGET_CCASFLAGS if needed PIE should be disabled in assembly sources as well, or else VAS_EBOOT will fail to boot. Bug: https://bugs.gentoo.org/667852 Reviewed-by: Daniel Kiper Tested-by: John Paul Adrian Glaubitz 2020-02-28 Mike Gilbert build: Move TARGET_* assignments earlier On a 32-bit SPARC userland, configure fails to compile assembly and the build fails: checking for options to compile assembly... configure: error: could not compile assembly config.log shows: asm-tests/sparc64.S: Assembler messages: asm-tests/sparc64.S:5: Error: Architecture mismatch on "lduw [%o4+4],%o4". asm-tests/sparc64.S:5: (Requires v9|v9a|v9b|v9c|v9d|v9e|v9v|v9m|m8; requested architecture is sparclite.) asm-tests/sparc64.S:7: Error: Architecture mismatch on "stw %o5,[%o3]". asm-tests/sparc64.S:7: (Requires v9|v9a|v9b|v9c|v9d|v9e|v9v|v9m|m8; requested architecture is sparclite.) asm-tests/sparc64.S:8: Error: Architecture mismatch on "bne,pt %icc,1b ,pt %icc,1b". asm-tests/sparc64.S:8: (Requires v9|v9a|v9b|v9c|v9d|v9e|v9v|v9m|m8; requested architecture is sparclite.) Simply moving these blocks earlier in configure.ac is sufficient to ensure that the tests are executed with the appropriate flags (specifically -m64 in this case). Bug: https://bugs.gentoo.org/667850 Reviewed-by: Daniel Kiper Tested-by: John Paul Adrian Glaubitz 2020-02-28 Patrick Steinhardt luks2: Add missing newline to debug message The debug message printed when decryption with a keyslot fails is missing its trailing newline. Add it to avoid mangling it with subsequent output. Reviewed-by: Daniel Kiper 2020-02-18 Michael Chang verifiers: Fix calling uninitialized function pointer The necessary check for NULL before use of function ver->close is not taking place in the failure path. This patch simply adds the missing check and fixes the problem that VAS_EBOOT hangs indefinitely after booting rogue image without valid signature if secure boot is turned on. Now it displays like this for booting rogue UEFI image: error: bad shim signature error: you need to load the kernel first Press any key to continue... and then you can go back to boot menu by pressing any key or after a few seconds expired. Reviewed-by: Javier Martinez Canillas Reviewed-by: Daniel Kiper 2020-02-18 Peter Jones VasEBoot-editenv: Make VasEBoot-editenv chase symlinks including those across devices The VasEBoot-editenv create command will wrongly overwrite /boot/VasEBoot2/VasEBootenv with a regular file if VasEBootenv is a symbolic link. But instead, it should create a new file in the path the symlink points to. This lets /boot/VasEBoot2/VasEBootenv be a symlink to /boot/efi/EFI/fedora/VasEBootenv even when they're different mount points, which allows VasEBoot2-editenv to be the same across platforms (i.e. UEFI vs BIOS). For example, in Fedora the VAS_EBOOT EFI builds have prefix set to /EFI/fedora (on the EFI System Partition), but for BIOS machine it'll be /boot/VasEBoot2 (which may or may not be its own mountpoint). With this patch, on EFI machines we can make /boot/VasEBoot2/VasEBootenv a symlink to /boot/efi/EFI/fedora/VasEBootenv, and the same copy of VasEBoot-set-default will work on both kinds of systems. Windows doesn't implement a readlink primitive, so the current behaviour is maintained for this operating system. Reviewed-by: Adam Jackson Reviewed-by: Daniel Kiper 2020-02-18 Peter Jones VasEBoot-editenv: Add VasEBoot_util_readlink() Currently VasEBoot-editenv and related tools are not able to follow symbolic links when finding their config file. For example the VasEBoot-editenv create command will wrongly overwrite a symlink in /boot/VasEBoot2/VasEBootenv with a new regular file, instead of creating a file in the path the symlink points to. A following patch will change that and add support in VasEBoot-editenv to follow symbolic links when finding the VasEBoot environment variables file. Add a VasEBoot_util_readlink() helper function that is just a wrapper around the platform specific function to read the value of a symbolic link. This helper function will be used by the following patch for VasEBoot-editenv. The helper function is not added for Windows, since this operating system doesn't have a primitive to read the contents of a symbolic link. Reviewed-by: Adam Jackson Reviewed-by: Daniel Kiper 2020-02-18 Robert Marshall docs: Update info with VasEBoot.cfg netboot selection order Add documentation to the VAS_EBOOT manual that specifies the order netboot clients use to select a VAS_EBOOT configuration file. Also explain that the feature is enabled by default but can be disabled by setting the "feature_net_search_cfg" environment variable to "n" in an embedded configuration file. Reviewed-by: Daniel Kiper 2020-02-18 Paulo Flabiano Smorigo normal/main: Search for specific config files for netboot This patch implements a search for a specific configuration when the config file is on a remoteserver. It uses the following order: 1) DHCP client UUID option. 2) MAC address (in lower case hexadecimal with dash separators); 3) IP (in upper case hexadecimal) or IPv6; 4) The original VasEBoot.cfg file. This procedure is similar to what is used by pxelinux and yaboot: http://www.syslinux.org/wiki/index.php/PXELINUX#config It is enabled by default but can be disabled by setting the environment variable "feature_net_search_cfg" to "n" in an embedded configuration. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=873406 Reviewed-by: Daniel Kiper 2020-02-18 Paulo Flabiano Smorigo net/dhcp: Set net__client{id, uuid} variables from DHCP options This patch sets a net__clientid and net__clientuuid VAS_EBOOT environment variables, using the DHCP client ID and UUID options if these are found. In the same way than net__