| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add a few mappings to specify temporary autoboot settings:
F10: Only autoboot from disk
F11: Only autoboot from USB devices
F12: Only autoboot from network
These use the new code to prevent cancelling autoboot.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
| |
Allow some keys to not cancel the default-boot process.
For the moment, this is just the screen refresh (ctrl+L).
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
| |
Handle incoming requests for temporary autoboot settings.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
[indenting fixup]
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
| |
A future change will want to match autoboot option settings, so abstract
this into its own function.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
| |
Add a new message format for a temporarily-applied autoboot setting.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we boot a machine before external (network) dependencies are properly
configured, it will have tried once to download configuration, and
possibly failed due to that configuration not being present.
This change introduces a periodic requery of network resources. After a
timeout, petitboot will either re-acquire its DHCP lease (causing any
downloads to be re-processed, possibly with different parameters from
the new lease), or re-download a statically defined URL.
This timeout defaults to five minutes (similar to pxelinux), and is
configurable by DHCP option 211, "reboot time".
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
[added test stub]
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
| |
We have a few cases where the english translations have matched against
strings with/without colon suffixes.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
| |
Check for some required parameters in the 'dhcp' handler, and in the
'add' handler return an error if parse_user_event() fails rather than
charging ahead into a segfault.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
| |
Drop the requirement for the ID_NET_NAME_PATH property since it prevents
Petitboot from recognising virtio network devices, and is not otherwise
used.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The fields from a BootLoaderSpec file can contain environment variables,
in GRUB 2 these are show verbatim and are evaluated later when an entry
is selected. But on Petitboot these have to be expanded before creating
the GRUB 2 resources and show in the UI the values after the evaluation.
The current blscfg handler had a very limited support for variables, it
only had support for the options field and also didn't take into account
that variables could be mixed with literal values.
So for example the following fields were not expanded correctly:
linux $bootprefix/vmlinuz
options $kernelopts foo=bar
options foo=bar $kernelopts
options $kernelopts $debugopts
Also change some of the tests to cover mixing variables and literals.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currenlty the BLS fragments are only searched in the /loader/entries
directory, but this assumes that there is a boot partition mounted
in /boot. This may not always be the case, /boot may not be a mount
point and just a directory inside the root partition.
To cover this case, Petitboot tries to find a GRUB 2 config file in
different paths. So let's do the same for the BLS files directory.
Also change some of the unit tests to use /boot/loader/entries as a
BLS directory instead of /loader/entries.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Both the test files and directories added into the test harness are stored
into the same file list. So the parser_scandir() stub compares the absolute
file path of the files and the directory to scan, to know if a file belongs
to the directory.
Files whose absolute file path length isn't bigger than the directory to
scan should just be ignored, since it means they can't be from that dir.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
In signed-boot environments consistent handling of kernel commandline
options is essential as they must be pre-signed. In the syslinux parser
ensure that in the absence of a global APPEND they are processed
exactly as found and not with the leading space that the current APPEND
processing has as a shortcut.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently if signed-boot is enabled in configure the presence of the
LOCKDOWN_FILE is used as a runtime determination to perform the actual
verification. In some environments this may be acceptable or even the
intended operation but in other environments could be a security hole
since the removal of the file will then cause boot task verification.
Add a 'hard_lockdown' enable flag to generate a HARD_LOCKDOWN
preprocessor definition to force the system to always do a signed boot
verification for each boot task, which in the case of a missing file the
boot will fail.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GCC 8 produces the following warning for network.c:
In function ‘network_handle_nlmsg’,
inlined from ‘network_netlink_process’ at ../discover/network.c:726:3:
../discover/network.c:568:3: warning: ‘strncpy’ output may be truncated copying 15 bytes from a string of length 16 [-Wstringop-truncation]
strncpy(interface->name, ifname, sizeof(interface->name) - 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../discover/network.c:586:3: warning: ‘strncpy’ output may be truncated copying 15 bytes from a string of length 16 [-Wstringop-truncation]
strncpy(interface->name, ifname, sizeof(interface->name) - 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The code is safe since interface is allocated with talloc_zero() and we
could use -Wno-stringop-truncation to hide this but since this is the
only offender instead just copy the whole IFNAMSIZ bytes and explicitly
terminate the ifname buffer to be safe.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
| |
Explicitly rescan SCSI devices on reinit rather than just remounting
them in case a device did not init properly on boot.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
I was seeing list corruption and segfaults in pb-discover on my Talos
II when using both yaboot and kboot config files on the same device.
My assumption is that discover_context_add_boot_option() was being
called on the same pointer more than once.
So, null the pointer right after the call. The ownership was transferred
anyway so the parsers should not keep it around.
Signed-off-by: Brandon Bergren <git@bdragon.rtk0.net>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
| |
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
| |
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
| |
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Refactor to export a generic API rather than specific gpg_ prefixes by
changing gpg.h to security.h and renaming some of the exports.
Break out the common and specific functionality into common.c and
none.c/gpg.c/openssl.c for no/gpgme/openssl modes respectively.
gpgme should work as before
OpenSSL support works like this:
The pb-lockdown file is a PKCS12 file or X509 certificate or PEM-encoded
raw public key. To follow the current conventions the presence of a
PKCS12 file as a lockdown signals decrypt mode because of the presence
of the private key, anything else signals signature verification mode.
The keyring path is currently ignored but in the future could be used to
point to an X509 certificate chain for validity checking. Because of
this self-signed certificates are currently supported and really just
used as a public key container.
Signature verification mode supports:
* Cryptographic Message Syntax (CMS) as detached S/MIME, this is really
more for consistency for the encryption mode (see below). This mode
requires the lockdown file to be an X509 certificate.
A sample creation command would be:
openssl cms -sign -in (infile) -out (outfile) -binary -nocerts \
-inkey (private key) -signer (recipient certificate)
* Raw signature digest as output from openssl dgst -sign command. This
mode can have the lockdown file be an X509 certificate or a PEM raw
public key but the digest algorithm must be pre-defined by the
VERIFY_DIGEST configure argument. The default is SHA256.
A sample creation command would be:
openssl dgst -sign (private key) -out (outfile) -(digest mode) \
(infile)
Decryption mode supports:
* CMS signed-envelope as attached S/MIME. This is for consistency with
the current expectation of no external file for decryption. Some
future enhancement could be to come up with some proprietary external
file format containing the cipher used, the encrypted cipher key, and
the IV (if necessary).
A sample creation command would be:
openssl cms -sign -in (infile) -signer (recipient certificate) \
-binary -nocerts -nodetach -inkey (private key) | \
openssl cms -encrypt -(cipher mode) -out (outfile) \
(recipient certificate)
The PKCS12 file is expecting the private key to have password of NULL or
"" as there is currently no mechanism to supply a custom one.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change the with-signed-boot option to take the following values:
no - disable signed boot (as before)
gpgme - configure for gpgme, fail if not found
openssl - configure for openssl, fail if not found
yes - look first for gpgme then openssl using first found, fail on none
this should behave as before if gpgme has been installed
fail on any other invalid options
add in the ax_check_openssl.m4 macro to facilitate openssl probing
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
| |
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
| |
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
| |
The dockerfile for each architecture is the same except for the 'FROM' image.
Add a new Dockerfile argument DOCKER_FROM that allows for a commom dockerfile.
If the docker version is older than 17.05 generate a docker file from
the common one.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
gpg_validate_boot_files() can return error codes for a variety of
reasons but kexec_load only aborts for signature or decryption failure.
In any other failure case like unable to open LOCKDOWN_FILE or do the
secure copy the validation is bypassed by an early return but kexec_load
does not abort.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
| |
in environments where --disable-nls is specified msgfmt is unnecessary
and therefore may not be available
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
| |
mkstemp will generate the temp file with permissions 0600 so the
umask(0644) is causing the file to have permissions of 0000, making
signature files unreadable
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
| |
Follow along the way the linux builtin does it.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
| |
Add dockerfiles and helper scripts that create a docker image
with the tools needed to build petitboot. See the docker/README.md
file for more info.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
| |
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
| |
Travis now supports building on ppc64le. Given that Power machines are
currently the largest use case of petitboot, it seems appropriate that we
enable this.
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
| |
in case insensitive filesystems like vfat the duplicate conf file list
will create duplicate boot options. to filter that out strore the
struct stat of each parsed conf file and compare inodes
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
| |
in finalize loop or we can get duplicate boot entries as well as the
memory leak
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When the BLS support was added, the conclusion was that default indexes
didn't apply for BLS snippets. But for GRUB 2 the indexes refers to the
boot menu entries in memory, regardless of how these were generated.
Since in GRUB 2 is valid to set a default index even for menu entries
generated from BLS fragments, allow this to also be done in Petitboot.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
| |
Instead of adding a boot option explicitly, just add it to the grub script
boot option list and increment the number of options. That way BLS entries
will be known by the grub script handler and can check if is a valid index.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The BLS entries were sorted so that the latest entry was at the top in the
Petitboot UI, since it matches how menu entries are sorted in GRUB2 config
and the GRUB2 UI.
But in the Petitboot's UI, the latest entry is expected to be at the bottom
and the older one at the top. Sort the BLS entries to match what's expected.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
| |
The default path to search for BootLoaderSpec configuration files is
/loader/entries but in some setups a different directory may be used.
So allow this to be chosen by using a blsdir GRUB environment variable.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
| |
for musl libc
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
| |
for musl libc
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
| |
for musl libc
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The BootLoaderSpec (BLS) defines a file format for boot configurations,
so bootloaders can parse these files and create their boot menu entries
by using the information provided by them [0].
This allow to configure the boot items as drop-in files in a directory
instead of having to parse and modify a bootloader configuration file.
The GRUB 2 bootloader provides a blscfg command that parses these files
and creates menu entries using this information. Add support for it.
[0]: https://www.freedesktop.org/wiki/Specifications/BootLoaderSpec/
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The patch ccb478ac "Add encrypted file support" removes two
result = KEXEC_LOAD_SIGNATURE_FAILURE;
statements from after the `if (verify_file_signature)` lines for the
kernel and cmdline signatures. This appears to have been a mistake that
snuck through testing, and would allow incorrect signatures to pass
validation.
Also fix up some confusing indenting in the decryption section.
Reported-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
| |
Fixes Coverity defect CIDs 143606, 143610
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
| |
Fixes Coverity defect CID 149918
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
| |
Include the CCAN endian.h header in build sources and change the
--with-twin-foo options to default off - most users are not building
with libtwin so avoid having configure fail for them.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In dc85de97 "Allow load_async_url() to call callback for local paths"
several load_url_result fields of the boot_task struct were deprecated
but were accidentally left in the struct. This caused the now out of
date code in cleanup_cancellations() to go unnoticed since it can return
safely if these fields are NULL. However freeing the boot task can free
the memory associated with each load before it is complete, resulting in
a confusing segfault.
This brings cleanup_cancellations() up to date and along the way
implicitly includes the signature resources in cleanup which were missed
originally.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When result is null, we may end up in the error handling path where we
try to dereference null to call cleanup_local. This adds a check for
result.
Found with scan-build.
Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
[Fixed up commit message typo]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clang has a problem with list_for_each_entry:
test/parser/utils.c:290:36: error: variable 'file' is used uninitialized whenever 'for' loop exits because its condition is false [-Werror,-Wsometimes-uninitialized]
list_for_each_entry(&test->files, f, list) {
^
./lib/list/list.h:30:3: note: expanded from macro 'list_for_each_entry'
_pos; _pos = list_next_entry(_list, _pos, _member))
^~~~
test/parser/utils.c:300:7: note: uninitialized use occurs here
if (!file) {
^~~~
test/parser/utils.c:290:36: note: remove the condition if it is always true
list_for_each_entry(&test->files, f, list) {
^
./lib/list/list.h:30:3: note: expanded from macro 'list_for_each_entry'
_pos; _pos = list_next_entry(_list, _pos, _member))
^
test/parser/utils.c:288:28: note: initialize the variable 'file' to silence this warning
struct test_file *f, *file;
^
= NULL
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
clang errors out about an unused have_busybox function:
discover/paths.c:44:13: error: unused function 'have_busybox' [-Werror,-Wunused-function]
static bool have_busybox(void)
^
Move have_busybox() to inside the #ifndef PETITBOOT_TEST scope to
eliminate the warning and avoid having #ifdefs in load_url_async().
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
[Moved definition into #ifndef PETITBOOT_TEST instead of using
#ifdef at the call site]
|
