Commit message | Author | Age | Files | Lines

* discover: Update to reflect generic signed boot API | Brett Grandbois | 2018-05-30 | 2 files | -8/+7

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/security: add in openssl support | Brett Grandbois | 2018-05-30 | 7 files | -291/+849

  Refactor to export a generic API rather than specific gpg_ prefixes by changing
  gpg.h to security.h and renaming some of the exports. Break out the common and
  specific functionality into common.c and none.c/gpg.c/openssl.c for
  no/gpgme/openssl modes respectively.

  gpgme should work as before.

  OpenSSL support works like this:

  The pb-lockdown file is a PKCS12 file or X509 certificate or PEM-encoded raw
  public key. To follow the current conventions the presence of a PKCS12 file as
  a lockdown signals decrypt mode because of the presence of the private key;
  anything else signals signature verification mode.

  The keyring path is currently ignored but in the future could be used to point
  to an X509 certificate chain for validity checking. Because of this,
  self-signed certificates are currently supported and really just used as a
  public key container.

  Signature verification mode supports:

  * Cryptographic Message Syntax (CMS) as detached S/MIME. This is really more
    for consistency with the encryption mode (see below). This mode requires the
    lockdown file to be an X509 certificate. A sample creation command would be:

      openssl cms -sign -in (infile) -out (outfile) -binary -nocerts \
          -inkey (private key) -signer (recipient certificate)

  * Raw signature digest as output from the openssl dgst -sign command. This
    mode can have the lockdown file be an X509 certificate or a PEM raw public
    key, but the digest algorithm must be pre-defined by the VERIFY_DIGEST
    configure argument. The default is SHA256. A sample creation command would be:

      openssl dgst -sign (private key) -out (outfile) -(digest mode) \
          (infile)

  Decryption mode supports:

  * CMS signed-envelope as attached S/MIME. This is for consistency with the
    current expectation of no external file for decryption. Some future
    enhancement could be to come up with some proprietary external file format
    containing the cipher used, the encrypted cipher key, and the IV (if
    necessary). A sample creation command would be:

      openssl cms -sign -in (infile) -signer (recipient certificate) \
          -binary -nocerts -nodetach -inkey (private key) | \
      openssl cms -encrypt -(cipher mode) -out (outfile) \
          (recipient certificate)

  The PKCS12 file is expecting the private key to have a password of NULL or ""
  as there is currently no mechanism to supply a custom one.

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* configure: Add signed-boot openssl configuration support | Brett Grandbois | 2018-05-30 | 2 files | -49/+170

  Change the with-signed-boot option to take the following values:

    no      - disable signed boot (as before)
    gpgme   - configure for gpgme, fail if not found
    openssl - configure for openssl, fail if not found
    yes     - look first for gpgme then openssl, using the first found;
              fail on none. This should behave as before if gpgme has
              been installed.

  Fail on any other invalid options.

  Add in the ax_check_openssl.m4 macro to facilitate openssl probing.

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* po: Regenerate and update bug contact (tag: v1.8.0) | Samuel Mendoza-Jonas | 2018-05-30 | 11 files | -22/+55

  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* docker/build-pb: Add --interactive flag | Geoff Levand | 2018-05-23 | 2 files | -15/+31

  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* docker: Add DOCKER_FROM arg | Geoff Levand | 2018-05-23 | 4 files | -27/+40

  The dockerfile for each architecture is the same except for the 'FROM'
  image. Add a new Dockerfile argument DOCKER_FROM that allows for a common
  dockerfile. If the docker version is older than 17.05, generate a docker
  file from the common one.

  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/boot: abort kexec on any error from validation | Brett Grandbois | 2018-05-23 | 1 file | -2/+2

  gpg_validate_boot_files() can return error codes for a variety of reasons
  but kexec_load only aborts for signature or decryption failure. In any
  other failure case, like being unable to open LOCKDOWN_FILE or do the
  secure copy, the validation is bypassed by an early return but kexec_load
  does not abort.

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* configure: only test for msgfmt if NLS enabled | Brett Grandbois | 2018-05-14 | 1 file | -1/+1

  In environments where --disable-nls is specified msgfmt is unnecessary
  and therefore may not be available.

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* lib/file: remove mkstemp umask in copy_file_secure_dest | Brett Grandbois | 2018-05-04 | 1 file | -3/+0

  mkstemp will generate the temp file with permissions 0600, so the
  umask(0644) is causing the file to have permissions of 0000, making
  signature files unreadable.

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/grub: Add cmdline signature support for BLS entries | Brett Grandbois | 2018-05-04 | 1 file | -0/+6

  Follow along the way the linux builtin does it.

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* docker: Add build container files | Geoff Levand | 2018-05-04 | 6 files | -0/+328

  Add dockerfiles and helper scripts that create a docker image with the
  tools needed to build petitboot. See the docker/README.md file for more
  info.

  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* configure: Add test for msgfmt | Geoff Levand | 2018-05-01 | 1 file | -0/+3

  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* travis: Enable ppc64le Travis builds | Andrew Donnellan | 2018-05-01 | 1 file | -0/+3

  Travis now supports building on ppc64le. Given that Power machines are
  currently the largest use case of petitboot, it seems appropriate that we
  enable this.

  Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/syslinux-parser: filter out duplicate conf files | Brett Grandbois | 2018-04-19 | 1 file | -0/+37

  In case-insensitive filesystems like vfat the duplicate conf file list
  will create duplicate boot options. To filter that out, store the struct
  stat of each parsed conf file and compare inodes.

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* discover/syslinux-parser: clean up boot option list entries | Brett Grandbois | 2018-04-19 | 1 file | -1/+6

  In the finalize loop, or we can get duplicate boot entries as well as the
  memory leak.

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/grub: Allow to set a default index for BLS entries | Javier Martinez Canillas | 2018-04-18 | 3 files | -4/+59

  When the BLS support was added, the conclusion was that default indexes
  didn't apply for BLS snippets. But for GRUB 2 the indexes refer to the
  boot menu entries in memory, regardless of how these were generated.

  Since in GRUB 2 it is valid to set a default index even for menu entries
  generated from BLS fragments, allow this to also be done in Petitboot.

  Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* discover/grub: Don't add discover context boot options in blscfg handler | Javier Martinez Canillas | 2018-04-18 | 1 file | -1/+2

  Instead of adding a boot option explicitly, just add it to the grub script
  boot option list and increment the number of options. That way BLS entries
  will be known by the grub script handler and it can check if it is a valid
  index.

  Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* discover/grub: Reverse BLS entries sorting to match Petitboot's boot order | Javier Martinez Canillas | 2018-04-18 | 1 file | -1/+1

  The BLS entries were sorted so that the latest entry was at the top in the
  Petitboot UI, since it matches how menu entries are sorted in GRUB2 config
  and the GRUB2 UI.

  But in Petitboot's UI, the latest entry is expected to be at the bottom and
  the older one at the top. Sort the BLS entries to match what's expected.

  Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/grub: Allow to choose a different BLS directory | Javier Martinez Canillas | 2018-03-29 | 1 file | -2/+7

  The default path to search for BootLoaderSpec configuration files is
  /loader/entries but in some setups a different directory may be used. So
  allow this to be chosen by using a blsdir GRUB environment variable.

  Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* discover/platform-powerpc: change sys/fcntl.h to fcntl.h | Brett Grandbois | 2018-03-23 | 1 file | -1/+1

  For musl libc.

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* ui/common/discover-client: explicit #include <string.h> | Brett Grandbois | 2018-03-23 | 1 file | -0/+1

  For musl libc.

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* discover/discover-server: explicit #include <string.h> | Brett Grandbois | 2018-03-23 | 1 file | -0/+1

  For musl libc.

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/grub: Add blscfg command support to parse BootLoaderSpec files | Javier Martinez Canillas | 2018-03-23 | 13 files | -2/+511

  The BootLoaderSpec (BLS) defines a file format for boot configurations, so
  bootloaders can parse these files and create their boot menu entries by
  using the information provided by them [0]. This allows configuring the
  boot items as drop-in files in a directory instead of having to parse and
  modify a bootloader configuration file.

  The GRUB 2 bootloader provides a blscfg command that parses these files
  and creates menu entries using this information. Add support for it.

  [0]: https://www.freedesktop.org/wiki/Specifications/BootLoaderSpec/

  Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/security: Fix broken if statements in gpg_validate_boot_files() | Samuel Mendoza-Jonas | 2018-03-23 | 1 file | -2/+4

  The patch ccb478ac "Add encrypted file support" removes two

    result = KEXEC_LOAD_SIGNATURE_FAILURE;

  statements from after the `if (verify_file_signature)` lines for the
  kernel and cmdline signatures. This appears to have been a mistake that
  snuck through testing, and would allow incorrect signatures to pass
  validation.

  Also fix up some confusing indenting in the decryption section.

  Reported-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* lib/file: Avoid off-by-one error in array | Samuel Mendoza-Jonas | 2018-03-23 | 1 file | -1/+1

  Fixes Coverity defect CIDs 143606, 143610

  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* discover/pxe-parser: Avoid potential null dereference | Samuel Mendoza-Jonas | 2018-03-23 | 1 file | -2/+4

  Fixes Coverity defect CID 149918

  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* Minor fixes for make distcheck | Samuel Mendoza-Jonas | 2018-03-23 | 2 files | -2/+3

  Include the CCAN endian.h header in build sources and change the
  --with-twin-foo options to default off - most users are not building with
  libtwin so avoid having configure fail for them.

  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/boot: Fix stale boot cancellation code (tag: v1.7.1) | Samuel Mendoza-Jonas | 2018-03-07 | 2 files | -16/+5

  In dc85de97 "Allow load_async_url() to call callback for local paths"
  several load_url_result fields of the boot_task struct were deprecated but
  were accidentally left in the struct. This caused the now out of date code
  in cleanup_cancellations() to go unnoticed since it can return safely if
  these fields are NULL. However freeing the boot task can free the memory
  associated with each load before it is complete, resulting in a confusing
  segfault.

  This brings cleanup_cancellations() up to date and along the way
  implicitly includes the signature resources in cleanup which were missed
  originally.

  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* discover: pxe: Avoid dereferencing null pointer | Joel Stanley | 2018-03-07 | 1 file | -1/+1

  When result is null, we may end up in the error handling path where we
  try to dereference null to call cleanup_local.

  This adds a check for result.

  Found with scan-build.

  Signed-off-by: Joel Stanley <joel@jms.id.au>
  Reviewed-by: Cyril Bur <cyrilbur@gmail.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
  [Fixed up commit message typo]
* test/parser: Fixed uninitialized variable warning | Joel Stanley | 2018-03-07 | 1 file | -1/+1

  Clang has a problem with list_for_each_entry:

    test/parser/utils.c:290:36: error: variable 'file' is used uninitialized whenever 'for' loop exits because its condition is false [-Werror,-Wsometimes-uninitialized]
            list_for_each_entry(&test->files, f, list) {
                                              ^
    ./lib/list/list.h:30:3: note: expanded from macro 'list_for_each_entry'
                    _pos; _pos = list_next_entry(_list, _pos, _member))
                    ^~~~
    test/parser/utils.c:300:7: note: uninitialized use occurs here
            if (!file) {
                 ^~~~
    test/parser/utils.c:290:36: note: remove the condition if it is always true
            list_for_each_entry(&test->files, f, list) {
                                              ^
    ./lib/list/list.h:30:3: note: expanded from macro 'list_for_each_entry'
                    _pos; _pos = list_next_entry(_list, _pos, _member))
                    ^
    test/parser/utils.c:288:28: note: initialize the variable 'file' to silence this warning
            struct test_file *f, *file;
                                      ^
                                       = NULL

  Signed-off-by: Joel Stanley <joel@jms.id.au>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* discover: Fix unused function warning | Joel Stanley | 2018-03-07 | 1 file | -9/+6

  clang errors out about an unused have_busybox function:

    discover/paths.c:44:13: error: unused function 'have_busybox' [-Werror,-Wunused-function]
    static bool have_busybox(void)
                ^

  Move have_busybox() to inside the #ifndef PETITBOOT_TEST scope to
  eliminate the warning and avoid having #ifdefs in load_url_async().

  Signed-off-by: Joel Stanley <joel@jms.id.au>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
  [Moved definition into #ifndef PETITBOOT_TEST instead of using #ifdef at
  the call site]
* ncurses: Fix bad strncmp | Joel Stanley | 2018-03-07 | 1 file | -2/+2

    ui/ncurses/nc-cui.c:967:58: warning: size argument in 'strncmp' call is a comparison [-Wmemsize-comparison]
            if (strncmp(cod->opt->id, "dummy", strlen("dummy") == 0 &&
                                               ~~~~~~~~~~~~~~~~~~~~~^~
    ui/ncurses/nc-cui.c:967:6: note: did you mean to compare the result of 'strncmp' instead?
            if (strncmp(cod->opt->id, "dummy", strlen("dummy") == 0 &&
                ^

  There appear to be two bonus conditions inside the length field. I chose
  to drop the pointless strncmp(foo, bar, strlen(bar)), as this is
  equivalent to strcmp(foo, bar).

  Signed-off-by: Joel Stanley <joel@jms.id.au>
  Reviewed-by: Cyril Bur <cyrilbur@gmail.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
  [Fixed up commit message typo]

* discover: Fix bad check of version string | Joel Stanley | 2018-03-07 | 1 file | -2/+1

  Clang says this:

    discover/device-handler.c:1564:27: warning: size argument in 'strncmp' call is a comparison [-Wmemsize-comparison]
                                    strlen(opt->version) == 0)) {
                                    ~~~~~~~~~~~~~~~~~~~~~^~~~
    discover/device-handler.c:1563:5: note: did you mean to compare the result of 'strncmp' instead?
                            strncmp(opt->version, tmp->version,
                            ^

  It looks like it's correct. However, we can go one better and drop the
  pointless strncmp(foo, bar, strlen(bar)), as this is equivalent to
  strcmp(foo, bar).

  Signed-off-by: Joel Stanley <joel@jms.id.au>
  Reviewed-by: Cyril Bur <cyrilbur@gmail.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* utils/hooks: Set stdout-path property | Samuel Mendoza-Jonas | 2018-03-07 | 1 file | -8/+7

  The linux,stdout-path property was deprecated in favour of stdout-path in
  the v3.14 kernel. 'stdout-path' takes priority in newer kernels but older
  kernels won't be aware of it, so set both at boot time.

  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* lib: Fix gpg.h path | Samuel Mendoza-Jonas | 2018-03-07 | 1 file | -1/+1

  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* ui/ncurses: Validate URL field (tag: v1.7.0) | Samuel Mendoza-Jonas | 2018-02-27 | 3 files | -0/+18

  Make sure the URL field is a valid URL before allowing the user to
  proceed.

  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/platform-powerpc: Avoid confusing gateway and URL | Samuel Mendoza-Jonas | 2018-02-27 | 1 file | -10/+19

  If we have a static network config with a URL set but not a gateway we
  can confuse the URL as the gateway due to how we write the network string
  in NVRAM. To avoid changing the parameter format, if we only have one of
  the two tokens check whether or not it's actually a URL; the gateway and
  the URL will have distinct formats.

  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* ui/ncurses: Fix boot editor segfault on update | Samuel Mendoza-Jonas | 2018-02-27 | 1 file | -37/+71

  The boot option editor screen segfaults on a system info update since it
  loses track of which fields actually exist. The boot editor screen's
  setup and drawing logic is a bit different from other screens, so to fix
  this bug and preserve the maintainer's sanity, bring the screen setup and
  redraw into line with other screens. This includes a full teardown of the
  widgets on update, so save the content of any textboxes on update so the
  user's changes are not lost.

  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* discover: Allow load_async_url() to call callback for local paths | Samuel Mendoza-Jonas | 2018-02-27 | 4 files | -98/+83

  Several pxe-parser tests fail because the test harness's version of
  load_async_url() will call the callback directly, but in pxe-parser the
  caller checks if the path was local and calls the callback immediately.
  Being called twice, a use-after-free occurs in the callback.

  For consistency change the load_async_url() semantics such that it is
  possible for load_async_url() to call the callback before it returns in
  the case of local paths. Callers need to know this is possible, but now
  won't need to check to call it manually.

  This requires a slight reorganisation of the boot_process() code, since it
  checks the result of several asynchronous load operations in the same
  callback, and with this change not all of those results will necessarily
  be initialised at callback time. Add a list of 'boot_resources' which
  carry the required information for the resource and allow the boot
  handler to treat different resources generically.

  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/syslinux-parser: Fix missing comma in ignored names. | Samuel Mendoza-Jonas | 2018-02-22 | 1 file | -1/+1

  Fixes Coverity defect CID 182828.

  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* discover/device-handler: Treat empty boot order as 'boot any' | Samuel Mendoza-Jonas | 2018-02-12 | 2 files | -3/+6

  It is possible to have autoboot enabled with an empty boot order.
  Currently this acts as if autoboot is disabled, but it likely makes more
  sense to the user for this to behave as "autoboot any device".

  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* ui/ncurses: Clear remaining space when drawing help line | Samuel Mendoza-Jonas | 2018-02-12 | 1 file | -1/+5

  When drawing the screen's help line clear each character after the new
  help line to avoid stale parts of the previous screen's help line
  remaining on the screen.

  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* syslinux: add syslinux parser support | Brett Grandbois | 2018-02-09 | 10 files | -3/+702

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* test/parser: test no whitespace on grub menuentry | Brett Grandbois | 2018-02-08 | 2 files | -0/+39

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* grub2/grub2: add Yocto paths to default grub2 conf search paths | Brett Grandbois | 2018-02-08 | 1 file | -0/+2

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* grub2/grub2-parser: accept no whitespace in grub menuentry | Brett Grandbois | 2018-02-08 | 1 file | -1/+1

  The Yocto wic grub support will generate a grub.cfg with no whitespace
  between the ending quote of the menuentry label and the opening bracket.
  There doesn't seem to be anything in the specification that this is
  illegal so accept it here.

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* ncurses/nc-cui: fix unreferenced assertion variable | Brett Grandbois | 2018-02-08 | 1 file | -1/+2

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* ncurses/nc-cui: musl libc fixes | Brett Grandbois | 2018-02-08 | 1 file | -1/+2

  Add missing #include <locale.h>.

  musl libc can segfault with a NULL format string so need to add a
  redundant "%s", "" to keep it happy.

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

* discover/pb-discover: #include <locale.h> for musl libc | Brett Grandbois | 2018-02-08 | 1 file | -0/+1

  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* printf: Fix format type warnings | Geoff Levand | 2018-01-10 | 3 files | -5/+7

  Fixes build warnings like these when building 32 bit programs:

    warning: format '%lu' expects argument of type 'long unsigned int', but argument has type 'uint64_t'

  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>