| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Refactor to export a generic API rather than specific gpg_ prefixes by
changing gpg.h to security.h and renaming some of the exports.
Break out the common and specific functionality into common.c and
none.c/gpg.c/openssl.c for no/gpgme/openssl modes respectively.
gpgme should work as before
OpenSSL support works like this:
The pb-lockdown file is a PKCS12 file or X509 certificate or PEM-encoded
raw public key. To follow the current conventions the presence of a
PKCS12 file as a lockdown signals decrypt mode because of the presence
of the private key, anything else signals signature verification mode.
The keyring path is currently ignored but in the future could be used to
point to an X509 certificate chain for validity checking. Because of
this self-signed certificates are currently supported and really just
used as a public key container.
Signature verification mode supports:
* Cryptographic Message Syntax (CMS) as detached S/MIME, this is really
more for consistency for the encryption mode (see below). This mode
requires the lockdown file to be an X509 certificate.
A sample creation command would be:
openssl cms -sign -in (infile) -out (outfile) -binary -nocerts \
-inkey (private key) -signer (recipient certificate)
* Raw signature digest as output from openssl dgst -sign command. This
mode can have the lockdown file be an X509 certificate or a PEM raw
public key but the digest algorithm must be pre-defined by the
VERIFY_DIGEST configure argument. The default is SHA256.
A sample creation command would be:
openssl dgst -sign (private key) -out (outfile) -(digest mode) \
(infile)
Decryption mode supports:
* CMS signed-envelope as attached S/MIME. This is for consistency with
the current expectation of no external file for decryption. Some
future enhancement could be to come up with some proprietary external
file format containing the cipher used, the encrypted cipher key, and
the IV (if necessary).
A sample creation command would be:
openssl cms -sign -in (infile) -signer (recipient certificate) \
-binary -nocerts -nodetach -inkey (private key) | \
openssl cms -encrypt -(cipher mode) -out (outfile) \
(recipient certificate)
The PKCS12 file is expecting the private key to have password of NULL or
"" as there is currently no mechanism to supply a custom one.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change the with-signed-boot option to take the following values:
no - disable signed boot (as before)
gpgme - configure for gpgme, fail if not found
openssl - configure for openssl, fail if not found
yes - look first for gpgme then openssl using first found, fail on none
this should behave as before if gpgme has been installed
fail on any other invalid options
add in the ax_check_openssl.m4 macro to facilitate openssl probing
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
| |
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
| |
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
| |
The dockerfile for each architecture is the same except for the 'FROM' image.
Add a new Dockerfile argument DOCKER_FROM that allows for a commom dockerfile.
If the docker version is older than 17.05 generate a docker file from
the common one.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
| |
gpg_validate_boot_files() can return error codes for a variety of
reasons but kexec_load only aborts for signature or decryption failure.
In any other failure case like unable to open LOCKDOWN_FILE or do the
secure copy the validation is bypassed by an early return but kexec_load
does not abort.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
| |
in environments where --disable-nls is specified msgfmt is unnecessary
and therefore may not be available
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
| |
mkstemp will generate the temp file with permissions 0600 so the
umask(0644) is causing the file to have permissions of 0000, making
signature files unreadable
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
| |
Follow along the way the linux builtin does it.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
| |
Add dockerfiles and helper scripts that create a docker image
with the tools needed to build petitboot. See the docker/README.md
file for more info.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
| |
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
| |
Travis now supports building on ppc64le. Given that Power machines are
currently the largest use case of petitboot, it seems appropriate that we
enable this.
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
| |
in case insensitive filesystems like vfat the duplicate conf file list
will create duplicate boot options. to filter that out strore the
struct stat of each parsed conf file and compare inodes
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
| |
in finalize loop or we can get duplicate boot entries as well as the
memory leak
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the BLS support was added, the conclusion was that default indexes
didn't apply for BLS snippets. But for GRUB 2 the indexes refers to the
boot menu entries in memory, regardless of how these were generated.
Since in GRUB 2 is valid to set a default index even for menu entries
generated from BLS fragments, allow this to also be done in Petitboot.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
| |
Instead of adding a boot option explicitly, just add it to the grub script
boot option list and increment the number of options. That way BLS entries
will be known by the grub script handler and can check if is a valid index.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The BLS entries were sorted so that the latest entry was at the top in the
Petitboot UI, since it matches how menu entries are sorted in GRUB2 config
and the GRUB2 UI.
But in the Petitboot's UI, the latest entry is expected to be at the bottom
and the older one at the top. Sort the BLS entries to match what's expected.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
| |
The default path to search for BootLoaderSpec configuration files is
/loader/entries but in some setups a different directory may be used.
So allow this to be chosen by using a blsdir GRUB environment variable.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
| |
for musl libc
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
| |
for musl libc
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
| |
for musl libc
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The BootLoaderSpec (BLS) defines a file format for boot configurations,
so bootloaders can parse these files and create their boot menu entries
by using the information provided by them [0].
This allow to configure the boot items as drop-in files in a directory
instead of having to parse and modify a bootloader configuration file.
The GRUB 2 bootloader provides a blscfg command that parses these files
and creates menu entries using this information. Add support for it.
[0]: https://www.freedesktop.org/wiki/Specifications/BootLoaderSpec/
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The patch ccb478ac "Add encrypted file support" removes two
result = KEXEC_LOAD_SIGNATURE_FAILURE;
statements from after the `if (verify_file_signature)` lines for the
kernel and cmdline signatures. This appears to have been a mistake that
snuck through testing, and would allow incorrect signatures to pass
validation.
Also fix up some confusing indenting in the decryption section.
Reported-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
| |
Fixes Coverity defect CIDs 143606, 143610
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
| |
Fixes Coverity defect CID 149918
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
| |
Include the CCAN endian.h header in build sources and change the
--with-twin-foo options to default off - most users are not building
with libtwin so avoid having configure fail for them.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In dc85de97 "Allow load_async_url() to call callback for local paths"
several load_url_result fields of the boot_task struct were deprecated
but were accidentally left in the struct. This caused the now out of
date code in cleanup_cancellations() to go unnoticed since it can return
safely if these fields are NULL. However freeing the boot task can free
the memory associated with each load before it is complete, resulting in
a confusing segfault.
This brings cleanup_cancellations() up to date and along the way
implicitly includes the signature resources in cleanup which were missed
originally.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When result is null, we may end up in the error handling path where we
try to dereference null to call cleanup_local. This adds a check for
result.
Found with scan-build.
Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
[Fixed up commit message typo]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clang has a problem with list_for_each_entry:
test/parser/utils.c:290:36: error: variable 'file' is used uninitialized whenever 'for' loop exits because its condition is false [-Werror,-Wsometimes-uninitialized]
list_for_each_entry(&test->files, f, list) {
^
./lib/list/list.h:30:3: note: expanded from macro 'list_for_each_entry'
_pos; _pos = list_next_entry(_list, _pos, _member))
^~~~
test/parser/utils.c:300:7: note: uninitialized use occurs here
if (!file) {
^~~~
test/parser/utils.c:290:36: note: remove the condition if it is always true
list_for_each_entry(&test->files, f, list) {
^
./lib/list/list.h:30:3: note: expanded from macro 'list_for_each_entry'
_pos; _pos = list_next_entry(_list, _pos, _member))
^
test/parser/utils.c:288:28: note: initialize the variable 'file' to silence this warning
struct test_file *f, *file;
^
= NULL
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
clang errors out about an unused have_busybox function:
discover/paths.c:44:13: error: unused function 'have_busybox' [-Werror,-Wunused-function]
static bool have_busybox(void)
^
Move have_busybox() to inside the #ifndef PETITBOOT_TEST scope to
eliminate the warning and avoid having #ifdefs in load_url_async().
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
[Moved definition into #ifndef PETITBOOT_TEST instead of using
#ifdef at the call site]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ui/ncurses/nc-cui.c:967:58: warning: size argument in 'strncmp' call is a comparison [-Wmemsize-comparison]
if (strncmp(cod->opt->id, "dummy", strlen("dummy") == 0 &&
~~~~~~~~~~~~~~~~~~~~~^~
ui/ncurses/nc-cui.c:967:6: note: did you mean to compare the result of 'strncmp' instead?
if (strncmp(cod->opt->id, "dummy", strlen("dummy") == 0 &&
^
There appears to be two bonus conditions inside the length field. I
chose to drop the pointless strncmp(foo, bar, strlen(bar)), as this is
equivalent to strcmp(foo, bar).
Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
[Fixed up commit message typo]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clang says this:
discover/device-handler.c:1564:27: warning: size argument in 'strncmp' call is a comparison [-Wmemsize-comparison]
strlen(opt->version) == 0)) {
~~~~~~~~~~~~~~~~~~~~~^~~~
discover/device-handler.c:1563:5: note: did you mean to compare the result of 'strncmp' instead?
strncmp(opt->version, tmp->version,
^
It looks like it's correct. However, we can go one better and drop the
pointless strncmp(foo, bar, strlen(bar)), as this is equivalent to
strcmp(foo, bar).
Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
| |
The linux,stdout-path property was deprecated in favour of stdout-path
in the v3.14 kernel. 'stdout-path' takes priority in newer kernels but
older kernels won't be aware of it, so set both at boot time.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
| |
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
| |
Make sure the URL field is a valid URL before allowing the user to
proceed.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we have a static network config with a URL set but not a gateway we
can confuse the URL as the gateway due to how we write the network
string in NVRAM.
To avoid changing the parameter format if we only have one of the two
tokens check whether or not it's actually a URL; the gateway and the URL
will have distinct formats.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The boot option editor screen segfaults on a system info update since it
loses track of which fields actually exist.
The boot editor screen's setup and drawing logic is a bit different from
other screens, so to fix this bug and preserve the maintainer's sanity,
bring the screen setup and redraw into line with other screens. This
includes a full teardown of the widgets on update, so save the content
of any textboxes on update so the user's changes are not lost.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Several pxe-parser tests fail because the test harness's version of
load_async_url() will call the callback directly, but in pxe-parser the
caller checks if the path was local and calls the callback immediately.
Being called twice, a use-after-free occurs in the callback.
For consistency change the load_async_url() semantics such that it is
possible for load_async_url() to call the callback before it returns in
the case of local paths. Callers need to know this is possible, but now
won't need to check to call it manually.
This requires a slight reorganisation of the boot_process() code, since
it checks the result of several asynchronous load operations in the same
callback, and with this change not all of those results will necessarily
be initialised at callback time. Add a list of 'boot_resources' which
carry the required information for the resource and allow the boot
handler to treat different resources generically.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
| |
Fixes Coverity defect CID 182828.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
| |
It is possible to have autoboot enabled with an empty boot order.
Currently this acts as if autoboot is disabled, but it likely makes more
sense to the user for this to behave as "autoboot any device".
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
| |
When drawing the screen's help line clear each character after the new
help line to avoid stale parts of the previous screen's help line
remaining on the screen.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
| |
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
| |
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
| |
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
| |
The Yocto wic grub support will generate a grub.cfg with no whitespace
between the ending quote of the menuentry label and the opening bracket.
There doesn't seem to be anything in the specification that this is
illegal so accept it here.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
| |
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
| |
add missing #inlcude <locale.h>
musl libc can segfault with a NULL format string so need to add a
redundant "%s", "" to keep it happy
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
| |
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
| |
Fixes build warnings like these when building 32 bit programs:
warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument has type ‘uint64_t’
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|