path: root/discover/boot.c
Commit message | Author | Age | Files | Lines
* discover/boot: Fix stale boot cancellation code [v1.7.1] | Samuel Mendoza-Jonas | 2018-03-07 | 1 | -9/+5
  In dc85de97 "Allow load_async_url() to call callback for local paths" several load_url_result fields of the boot_task struct were deprecated but were accidentally left in the struct. This caused the now out of date code in cleanup_cancellations() to go unnoticed since it can return safely if these fields are NULL. However freeing the boot task can free the memory associated with each load before it is complete, resulting in a confusing segfault.
  This brings cleanup_cancellations() up to date and along the way implicitly includes the signature resources in cleanup which were missed originally.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover: Allow load_async_url() to call callback for local paths | Samuel Mendoza-Jonas | 2018-02-27 | 1 | -90/+66
  Several pxe-parser tests fail because the test harness's version of load_async_url() will call the callback directly, but in pxe-parser the caller checks if the path was local and calls the callback immediately. Being called twice, a use-after-free occurs in the callback.
  For consistency change the load_async_url() semantics such that it is possible for load_async_url() to call the callback before it returns in the case of local paths. Callers need to know this is possible, but now won't need to check to call it manually.
  This requires a slight reorganisation of the boot_process() code, since it checks the result of several asynchronous load operations in the same callback, and with this change not all of those results will necessarily be initialised at callback time. Add a list of 'boot_resources' which carry the required information for the resource and allow the boot handler to treat different resources generically.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/pxe-parser: Fine grained proxy control | Cyril Bur | 2017-11-21 | 1 | -0/+5
  Petitboot provides a method for a user to manually specify a configuration file that should be retrieved. Petitboot also has a global proxy configuration. This patch aims to marry the two so that a custom configuration file can specify that a specific proxy should be used to access one (or all) of the options within it.
  This makes custom configuration files more powerful as they can point to files behind proxies without the user needing to also specify the global proxy for that specific custom configuration file to work.
  This adds parsing for a `proxy` option which will apply to all boot items found after.
  Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover: Maintain a backlog of status updates | Samuel Mendoza-Jonas | 2016-12-20 | 1 | -0/+1
  Add status updates to a persistent list in the discover_server struct, and send each client the backlog on connect. This avoids clients missing useful messages from early init. Clients will only show this in the backlog screen to avoid flooding the client's status line.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/paths: Add stdout callback parameter for load_url_async() | Samuel Mendoza-Jonas | 2016-12-20 | 1 | -1/+2
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/boot: Improve kexec error reporting | Samuel Mendoza-Jonas | 2016-12-20 | 1 | -29/+48
  Update kexec_load() to preserve output from the call to `kexec -l`. On error retrieve the resulting error message and update the status line with it to provide a more informative error message.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/status: Add status messages for payload download results | Jeremy Kerr | 2016-12-20 | 1 | -2/+9
  ... using the URL which is now present in the load_result.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/status: make boot status calls more consistent | Jeremy Kerr | 2016-12-20 | 1 | -14/+15
  Capitals where suitable, remove underscore from kexec_load, use translated strings for payload names.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* types: Remove detail and progress from struct status | Jeremy Kerr | 2016-12-20 | 1 | -2/+0
  Nothing used these, and the serialisation was buggy anyway.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* types: shorten boot_status definitions | Jeremy Kerr | 2016-12-20 | 1 | -18/+15
  struct boot_status is a bit misnamed; we report status on things that aren't just the boot status (eg, discovery).
  This change refactors struct boot_status into just struct status. We give the type enum a name, and shorten the enum values to suit.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* Consolidate petitboot,tty and petitboot,console | Samuel Mendoza-Jonas | 2016-09-08 | 1 | -5/+3
  Commit ce54f86 "Add petitboot,tty and track available consoles" added the petitboot,tty parameter, but the petitboot,console parameter is also recognised by Petitboot. These are ultimately handled by the 30-add-offb and 80-set-stdout hooks respectively, but exist for mostly the same purpose.
  We consolidate these down to just the original petitboot,console parameter. If the contents of petitboot,console have been configured by Petitboot (ie. it is of the form /dev/dev# [ Description ]) we behave as normal, otherwise we assume that petitboot,console contains a full OF path to the intended console device and do not allow it to be modified. This follows petitboot,console's original intent to be a debug aid, and takes precedence over any other use.
  The 80-set-stdout hook is removed as 30-add-offb now accounts for both use cases.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* Use 'consoles' instead of 'tty' to refer to interfaces | Samuel Mendoza-Jonas | 2016-09-08 | 1 | -6/+6
  'Console' is more readily understandable and technically more correct than 'tty' for referring to the interfaces that Petitboot starts a UI on.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* Add encrypted file support | tpearson@raptorengineering.com | 2016-08-26 | 1 | -5/+37
  In certain cases, such as network booting over an untrusted connection, it may be useful to fully encrypt and sign the kernel files. Enable fully encrypted boot using builtin keyring via the addition of the string "ENCRYPTED" to the first line of the /etc/pb-lockdown file. This disables detached (plaintext) signature verification.
  Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* Add support for GPG signature enforcement on booted | tpearson@raptorengineering.com | 2016-08-26 | 1 | -22/+122
  kernels and related blobs
  This can be used to implement a form of organization-controlled secure boot, whereby kernels may be loaded from a variety of sources but they will only boot if a valid signature file is found for each component, and only if the signature is listed in the /etc/pb-lockdown file.
  Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
  (Minor build fixes and gpgme.m4, comment on secure boot in gpg.c)
* discover/boot: Always pass --append to kexec | Samuel Mendoza-Jonas | 2016-08-19 | 1 | -6/+4
  If we don't specify command line arguments for the next kernel, kexec will add the contents of /chosen/bootargs if present. This is unintended and not obvious to the user, so explicitly add append="" to the kexec arguments if we have none to add instead.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/boot: Set boot_tty variable before kexec | Samuel Mendoza-Jonas | 2016-06-29 | 1 | -0/+13
  If boot_tty is set or a boot command is sent manually from a certain console, set the boot_tty environment variable to be used by a boot hook before kexec.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/boot: Safely cleanup after failed load | Sam Mendoza-Jonas | 2016-03-23 | 1 | -2/+3
  If a call to load_url_async() fails immediately, boot() will free the boot task and return. If other jobs started by load_url_async() are still running they will attempt to free their task struct in load_url_process_exit(), however the original boot task is the parent context of this process task, resulting in a double-free.
  Instead call cleanup_cancellations if an error immediately occurs to cancel any pending load operations safely before freeing the boot task.
  Signed-off-by: Sam Mendoza-Jonas <sam@mendozajonas.com>
* discover: Initialise strtok_r saveptr to NULL | Samuel Mendoza-Jonas | 2015-04-14 | 1 | -1/+1
  Signed-off-by: Samuel Mendoza-Jonas <sam.mj@au1.ibm.com>
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover: Use translated strings for boot status messages | Jeremy Kerr | 2014-07-28 | 1 | -11/+12
  Since we're operating in the correct locale now, we can send translated strings in the boot status messages.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover: don't free cancelled load tasks | Jeremy Kerr | 2014-05-22 | 1 | -0/+5
  Currently, we have a bug when a boot task with more than one load task is cancelled:
    1) boot_cancel calls cleanup_cancellations, which performs a load_url_async_cancel on all load tasks. This sets the load tasks' states to LOAD_CANCELLED, and signals associated processes.
    2) The first load task process completes, we get a load_url_process_exit callback. This then invokes cleanup_cancellations.
    3) cleanup_cancellations then (incorrectly) frees the boot task (and hence freeing all pending load tasks) as no load tasks are in LOAD_ASYNC state (we set them all to LOAD_CANCELLED in step 1)
    4) The actual completion for the second load task attempts to reference the now-freed task structure.
  This change fixes the issue by handling the LOAD_CANCELLED state properly - if we find a load task in this state, we consider the boot task still pending, and delay the free until all loads are complete.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* configure: Use AC_GNU_SOURCE | Jeremy Kerr | 2013-12-18 | 1 | -1/+3
  Rather than #defining _GNU_SOURCE in our .c files, we can define this from config.h instead.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover/boot: Copy local paths before running boot hooks | Jeremy Kerr | 2013-12-05 | 1 | -13/+22
  We're seeing a crash when boot hooks are specifying new resources, as boot_hook_update_param will write to a NULL struct load_url_result.
  Instead of writing the updated values to the struct, copy the local parts of the result to a separate string, which the boot hooks are free to update.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover/boot: Fix condition for updating boot params | Jeremy Kerr | 2013-12-05 | 1 | -5/+3
  In commit 823958fb, we changed to use struct process, but left in the check for rc == BOOT_HOOK_EXIT_UPDATE. We actually want to check process->exit_status here, not rc.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* lib: consolidate util macros in util/util.h | Jeremy Kerr | 2013-11-13 | 1 | -1/+1
  This change groups the offsetof, container_of and ARRAY_SIZE macros in a single header file util/util.h.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover: Allow an in-progress boot to be cancelled | Jeremy Kerr | 2013-10-15 | 1 | -10/+63
  Currently, once the boot() function is called, the boot process will ignore any cancellations.
  This change allows boot() to be cancelled, via boot_cancel().
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover/boot: Log boot status updates | Jeremy Kerr | 2013-09-26 | 1 | -0/+2
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover/boot: Download resources in parallel | Jeremy Kerr | 2013-09-26 | 1 | -104/+64
  Now that we can download asynchronously, we can download boot resources in parallel. This also means we don't need a state machine; we're either not done (loads are still pending) or done.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover: Add struct load_url_result and load_task | Jeremy Kerr | 2013-09-26 | 1 | -59/+62
  Currently, load_url and load_url_async return a filename parameter and a tempfile flag (indicating whether the file needs to be cleaned after use).
  Instead, encapsulate this data in a struct load_url_result, which the caller (and async callbacks) can read the status, filename and clean parameters.
  For internal use in load_url and helpers, we add a struct load_task to hold a pointer to the load_url_result and async data.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover/boot: Store clean_* in the boot task | Jeremy Kerr | 2013-09-26 | 1 | -9/+9
  ... otherwise we won't clean up local files from earlier boot stages.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover/boot: Check for failed loads in boot() | Jeremy Kerr | 2013-09-25 | 1 | -14/+33
  Use the status argument to the URL load callback to check for load failures.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover: load_url_async callback should take an int status | Jeremy Kerr | 2013-09-25 | 1 | -10/+3
  We don't need a pointer here, just the status value.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover/boot: Implement asynchronous boot() process | Neelesh Gupta | 2013-09-25 | 1 | -82/+137
  The current boot process handled by boot() function is implemented such that it blocks on the boot resources being downloaded which blocks the discover process until the download completes.
  This patch re-implements the boot() function using callback mechanism and asynchronous notifications so that boot() returns to continue the discover process while the download is in progress.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
  Signed-off-by: Neelesh Gupta <neelegup@linux.vnet.ibm.com>
* discover/boot: Add booting status message | Jeremy Kerr | 2013-09-23 | 1 | -0/+13
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover/boot: Allow printf formatting in update_status | Jeremy Kerr | 2013-09-23 | 1 | -3/+9
  It'd be nice to include arbitrary format strings here, so do a talloc_vasprintf in update_status.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover/boot: Fix log message with no newline | Jeremy Kerr | 2013-09-23 | 1 | -1/+1
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover/boot: Fix use-after-free in boot() | Jeremy Kerr | 2013-09-19 | 1 | -2/+2
  We need boot_task for kexec_reboot.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* lib/process: replace pb_run_cmd | Jeremy Kerr | 2013-08-19 | 1 | -28/+10
  This change replaces the pb_run_cmd() function with proper usage of the process API.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* lib/process: replace pb_run_cmd_pipe | Jeremy Kerr | 2013-08-19 | 1 | -14/+30
  Replace pb_run_cmd_pipe with process_create / process_run_sync.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover/boot: talloc struct boot_task | Jeremy Kerr | 2013-08-19 | 1 | -38/+34
  Rather than using the stack for struct boot_task, talloc one instead. This gives us a short-lived context (active for the boot() process only), and we don't need to use the externally-provided context directly.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover: fix segfault on failed boot image load | Jeremy Kerr | 2013-08-01 | 1 | -2/+3
  If the boot image fails to load, we end up calling talloc_free on an uninitialised area of stack (boot_task.local_initrd).
  Move the initialisers a little earlier, so we always NULL pointers before potentially freeing.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover/boot: Allow boot hooks to alter boot data | Jeremy Kerr | 2013-06-24 | 1 | -11/+86
  By exiting with status == 2, boot hooks can update boot data by printing name=value to stdout.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover/boot: Add boot hooks | Jeremy Kerr | 2013-06-24 | 1 | -0/+63
  Add a method of running pre-boot hooks. Executable files in /etc/petitboot/boot.d/ are run (in order) before we start the boot process.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover/boot: Put all boot params into a struct boot_task | Jeremy Kerr | 2013-06-24 | 1 | -38/+43
  This keeps all the boot-specific details in one place.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* Add initial dtb support | Geoff Levand | 2013-06-24 | 1 | -8/+41
  Updates & fixes by Jeremy Kerr <jk@ozlabs.org>.
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover/boot: Allow null boot command | Jeremy Kerr | 2013-06-24 | 1 | -3/+3
  If we're booting from a default option, we don't have a boot command.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover: kexec harder | Jeremy Kerr | 2013-05-06 | 1 | -0/+15
  `kexec -e` will just call shutdown, which we've already tried, so it's likely to fail. Add a further fallback to force a kexec with -e -f options.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover: Send boot status messages during boot() | Jeremy Kerr | 2013-05-06 | 1 | -4/+44
  Now that we have protocol support, send status updates during the boot process.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover: Change parsers to emit resources rather than filenames | Jeremy Kerr | 2013-04-29 | 1 | -12/+16
  This change switches the parsers over to populate the resources in discover_boot_option, rather than the string parameters in boot_option.
  To do this, we need a few things:
    * Add struct resources to discover_boot_option for the boot_image, initrd and icon data.
    * Have the parsers populate the resources, rather than the strings. Currently, parsers can all use the devpath resource type.
    * Add a resolve_resource callback to parsers; this is how the device handler will attempt to resolve resources.
    * Change load_file to load_url, as we should be only accessing (resolved) resources by URLs.
  This then allows us to remove the mount map, and associated lookup code, as well as the UUID and label links to devices.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover: Fix potentially-unused var warning | Jeremy Kerr | 2013-04-29 | 1 | -1/+1
  discover/boot.c: In function ‘boot’:
  discover/boot.c:153:13: error: ‘local_initrd’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* discover: Fix boot with initrd error | Geoff Levand | 2013-04-15 | 1 | -2/+2
  Fix typo in boot() routine.
  Signed-off-by: Geoff Levand <geoff@infradead.org>