<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/lib/libsecureboot, branch release/13.1.0</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=release%2F13.1.0</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=release%2F13.1.0'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2021-09-03T20:45:16Z</updated>
<entry>
<title>libsecureboot: define SOPEN_MAX</title>
<updated>2021-09-03T20:45:16Z</updated>
<author>
<name>Toomas Soome</name>
<email>tsoome@FreeBSD.org</email>
</author>
<published>2021-08-10T19:46:40Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=343da8f5e98ffac6a7c02fc5f8dd74290e267be0'/>
<id>urn:sha1:343da8f5e98ffac6a7c02fc5f8dd74290e267be0</id>
<content type='text'>
With commit 97cbd5e722389a575e820c4e03f38053308f08ea, the SOPEN_MAX
was removed from stand.h.

We would need a better mechanism there.

(cherry picked from commit ee6dc333e1a1af08afa3d14b83e963e4cf90b77b)

PR:	258211
</content>
</entry>
<entry>
<title>veloader: insist on verifying .4th .lua etc</title>
<updated>2020-08-21T00:27:06Z</updated>
<author>
<name>Simon J. Gerraty</name>
<email>sjg@FreeBSD.org</email>
</author>
<published>2020-08-21T00:27:06Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=0929924b610c8365202e04e3482ecda88e895a1a'/>
<id>urn:sha1:0929924b610c8365202e04e3482ecda88e895a1a</id>
<content type='text'>
When files are read from .rc or .4th, verify_file is asked to
guess the severity (VE_TRY,VE_WANT,VE_MUST)

Reviewed by:	stevek
MFC after:	1 week
Sponsored by:	Juniper Networks
</content>
</entry>
<entry>
<title>Revert that!</title>
<updated>2020-07-19T23:56:19Z</updated>
<author>
<name>Simon J. Gerraty</name>
<email>sjg@FreeBSD.org</email>
</author>
<published>2020-07-19T23:56:19Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=f2be828f97b28345280dec700f02034086dda979'/>
<id>urn:sha1:f2be828f97b28345280dec700f02034086dda979</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Oops missed Makefile.config</title>
<updated>2020-07-19T23:54:00Z</updated>
<author>
<name>Simon J. Gerraty</name>
<email>sjg@FreeBSD.org</email>
</author>
<published>2020-07-19T23:54:00Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=e17f5b1d307b7b8910d67883e57a9604305906d5'/>
<id>urn:sha1:e17f5b1d307b7b8910d67883e57a9604305906d5</id>
<content type='text'>
</content>
</entry>
<entry>
<title>verify_pcr_export: bump kenv_mvallen if needed</title>
<updated>2020-06-12T21:55:30Z</updated>
<author>
<name>Simon J. Gerraty</name>
<email>sjg@FreeBSD.org</email>
</author>
<published>2020-06-12T21:55:30Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=3e6e3de0aa0a25d4e2ddc43e19ed4686353ceb44'/>
<id>urn:sha1:3e6e3de0aa0a25d4e2ddc43e19ed4686353ceb44</id>
<content type='text'>
The loader.ve.hashed list can easily exceed KENV_MVALLEN.
If so, bump kenv_mvallen to a multiple of KENV_MVALLEN to
accommodate the value.

Reviewed by:	stevek
MFC after:	1 week
</content>
</entry>
<entry>
<title>Improve interaction of vectx and tftp</title>
<updated>2020-04-07T16:56:34Z</updated>
<author>
<name>Simon J. Gerraty</name>
<email>sjg@FreeBSD.org</email>
</author>
<published>2020-04-07T16:56:34Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=723f9041769c9b7310bd16d4a9a2d8e8eeca350f'/>
<id>urn:sha1:723f9041769c9b7310bd16d4a9a2d8e8eeca350f</id>
<content type='text'>
On slow platforms, it helps to spread the hashing load
over time so that tftp does not time out.

Also, some .4th files are too big to fit in cache of pkgfs,
so increase cache size and ensure fully populated.

Reviewed by:	stevek
MFC after:	1 week
Differential Revision: https://reviews.freebsd.org/D24287
</content>
</entry>
<entry>
<title>Fix pkgfs stat so it satisfies libsecureboot</title>
<updated>2020-03-25T19:12:19Z</updated>
<author>
<name>Simon J. Gerraty</name>
<email>sjg@FreeBSD.org</email>
</author>
<published>2020-03-25T19:12:19Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=53f151f90603580d0c0a8fa1840ba1262958a7c1'/>
<id>urn:sha1:53f151f90603580d0c0a8fa1840ba1262958a7c1</id>
<content type='text'>
We need a valid st_dev, st_ino and st_mtime
to correctly track which files have been verified
and to update our notion of time.

ve_utc_set(): ignore utc if it would jump our current time
by more than VE_UTC_MAX_JUMP (20 years).

Allow testing of install command via userboot.
Need to fix its stat implementation too.

bhyveload also needs stat fixed - due to change to userboot.h

Call ve_error_get() from vectx_close() when hash is wrong.

Track the names of files we have hashed into pcr

For the purposes of measured boot, it is important
to be able to reproduce the hash reflected in
loader.ve.pcr
so loader.ve.hashed provides a list of names in the order they
were added.

Reviewed by:	imp
MFC after:	1 week
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org//D24027
</content>
</entry>
<entry>
<title>veloader use vectx API for kernel and modules</title>
<updated>2020-03-08T17:42:42Z</updated>
<author>
<name>Simon J. Gerraty</name>
<email>sjg@FreeBSD.org</email>
</author>
<published>2020-03-08T17:42:42Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=afc571b1a6fb341b0e3f603d4f3a2538093e91f5'/>
<id>urn:sha1:afc571b1a6fb341b0e3f603d4f3a2538093e91f5</id>
<content type='text'>
The vectx API computes the hash for verifying a file as it is read.
This avoids the overhead of reading files twice - once to verify, then
again to load.

For doing an install via loader, avoiding the need to rewind
large files is critical.

This API is only used for modules, kernel and mdimage as these are the
biggest files read by the loader.
The reduction in boot time depends on how expensive the I/O is
on any given platform.  On a fast VM we see 6% improvement.

For install via loader the first file to be verified is likely to be the
kernel, so some of the prep work (finding manifest etc) done by
verify_file() needs to be factored so it can be reused for
vectx_open().

For missing or unrecognized fingerprint entries, we fail
in vectx_open() unless verifying is disabled.

Otherwise fingerprint check happens in vectx_close() and
since this API is only used for files which must be verified
(VE_MUST) we panic if we get an incorrect hash.

Reviewed by:	imp,tsoome
MFC after:	1 week
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org//D23827
</content>
</entry>
<entry>
<title>Avoid unused vars when VE_ECDSA_HASH_AGAIN undefined</title>
<updated>2019-12-20T21:56:28Z</updated>
<author>
<name>Simon J. Gerraty</name>
<email>sjg@FreeBSD.org</email>
</author>
<published>2019-12-20T21:56:28Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=0e47020f7f20c9ecf5d796497064f1ff124fbfa6'/>
<id>urn:sha1:0e47020f7f20c9ecf5d796497064f1ff124fbfa6</id>
<content type='text'>
Reviewed by:	emaste
MFC after:	1 week
</content>
</entry>
<entry>
<title>Update Makefile.depend files</title>
<updated>2019-12-11T17:37:53Z</updated>
<author>
<name>Simon J. Gerraty</name>
<email>sjg@FreeBSD.org</email>
</author>
<published>2019-12-11T17:37:53Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=2c9a9dfc187d171de6b92654d71b977f067ed641'/>
<id>urn:sha1:2c9a9dfc187d171de6b92654d71b977f067ed641</id>
<content type='text'>
Update a bunch of Makefile.depend files as
a result of adding Makefile.depend.options files

Reviewed by:	 bdrewery
MFC after:	1 week
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22494
</content>
</entry>
</feed>
