| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently if signed-boot is enabled in configure the presence of the
LOCKDOWN_FILE is used as a runtime determination to perform the actual
verification. In some environments this may be acceptable or even the
intended operation but in other environments could be a security hole
since the removal of the file will then cause boot task verification.
Add a 'hard_lockdown' enable flag to generate a HARD_LOCKDOWN
preprocessor definition to force the system to always do a signed boot
verification for each boot task, which in the case of a missing file the
boot will fail.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
| |
Explicitly rescan SCSI devices on reinit rather than just remounting
them in case a device did not init properly on boot.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Refactor to export a generic API rather than specific gpg_ prefixes by
changing gpg.h to security.h and renaming some of the exports.
Break out the common and specific functionality into common.c and
none.c/gpg.c/openssl.c for no/gpgme/openssl modes respectively.
gpgme should work as before
OpenSSL support works like this:
The pb-lockdown file is a PKCS12 file or X509 certificate or PEM-encoded
raw public key. To follow the current conventions the presence of a
PKCS12 file as a lockdown signals decrypt mode because of the presence
of the private key, anything else signals signature verification mode.
The keyring path is currently ignored but in the future could be used to
point to an X509 certificate chain for validity checking. Because of
this self-signed certificates are currently supported and really just
used as a public key container.
Signature verification mode supports:
* Cryptographic Message Syntax (CMS) as detached S/MIME, this is really
more for consistency for the encryption mode (see below). This mode
requires the lockdown file to be an X509 certificate.
A sample creation command would be:
openssl cms -sign -in (infile) -out (outfile) -binary -nocerts \
-inkey (private key) -signer (recipient certificate)
* Raw signature digest as output from openssl dgst -sign command. This
mode can have the lockdown file be an X509 certificate or a PEM raw
public key but the digest algorithm must be pre-defined by the
VERIFY_DIGEST configure argument. The default is SHA256.
A sample creation command would be:
openssl dgst -sign (private key) -out (outfile) -(digest mode) \
(infile)
Decryption mode supports:
* CMS signed-envelope as attached S/MIME. This is for consistency with
the current expectation of no external file for decryption. Some
future enhancement could be to come up with some proprietary external
file format containing the cipher used, the encrypted cipher key, and
the IV (if necessary).
A sample creation command would be:
openssl cms -sign -in (infile) -signer (recipient certificate) \
-binary -nocerts -nodetach -inkey (private key) | \
openssl cms -encrypt -(cipher mode) -out (outfile) \
(recipient certificate)
The PKCS12 file is expecting the private key to have password of NULL or
"" as there is currently no mechanism to supply a custom one.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
| |
mkstemp will generate the temp file with permissions 0600 so the
umask(0644) is causing the file to have permissions of 0000, making
signature files unreadable
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The patch ccb478ac "Add encrypted file support" removes two
result = KEXEC_LOAD_SIGNATURE_FAILURE;
statements from after the `if (verify_file_signature)` lines for the
kernel and cmdline signatures. This appears to have been a mistake that
snuck through testing, and would allow incorrect signatures to pass
validation.
Also fix up some confusing indenting in the decryption section.
Reported-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
| |
Fixes Coverity defect CIDs 143606, 143610
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
| |
Include the CCAN endian.h header in build sources and change the
--with-twin-foo options to default off - most users are not building
with libtwin so avoid having configure fail for them.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
| |
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
| |
In cui_on_exit()_ instead of exiting the program spawn a sh instance.
This allows the user to drop to the shell and return without losing any
custom boot options, for example.
SIGINT still calls cui_abort() to properly exit Petitboot.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
| |
Skiboot commit c043065 "flash: Make size 64 bit safe" updated the
prototype of blocklevel_get_info() to use a uint64_t for the size
parameter. Update our usage to reflect this.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
| |
Handle "_PLUGIN_INSTALL" requests from clients. Calling the pb-plugin
script from pb-discover ensures different clients don't trip over each
other. Successfully installed plugins are automatically communicated
back to clients once pb-plugin sends a 'plugin' user event.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
| |
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
| |
Allow process users to set 'raw_stdout', which if set skips redirecting
and saving output from processes.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Extend the pxe-parser to recognise 'PLUGIN' as well as the usual 'LABEL'
when parsing a config file. 'PLUGIN' will be used to specify an option
that provides the location of an installable pb-plugin file, named by
the 'TARBALL' label.
Since plugin options are discovered via the same mechanism as boot
options treat them the same as boot options and at the 'type' field to
the boot_option struct to differentiate between them.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
| |
Add a new struct 'plugin_option' to represent pb-plugins that are
installed on the system. This consists of plugin metadata and an array
of installed executables.
This also adds two new pb-protocol actions to advertise the addition of
a new plugin_option, and to remove known plugin_options.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
| |
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If autoboot is enabled but later disabled or cancelled by, for example,
an IPMI override then the nc-config screen will set the autoboot widget
as disabled. If the user then makes and saves a change in nc-config,
autoboot will also be saved as disabled. This accidental change is
particularly awkward if the user is attempting to remove an IPMI
override.
Instead only ever change the autoboot setting if the user explicitly
changes it. Use a new helper function 'config_autoboot_active()' to
determine the current autoboot status where needed.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
| |
If an asynchronous job is running over a reinit, the process can return
and run its callback function after the reinit. This becomes a problem
if the callback function accesses pointers that were only valid before
the reinit (eg. device structs).
If a reinit is requested explicitly stop all active asynchronous jobs
and clear their callback functions before the reinit.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
| |
If an interface has a valid IP address (either via DHCP or static
config) store it in the interface_info struct so it can be referenced
later.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
| |
Add status updates to a persistent list in the discover_server struct,
and send each client the backlog on connect. This avoids clients missing
useful messages from early init. Clients will only show this in the
backlog screen to avoid flooding the client's status line.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow a custom callback function to be set when registering the IO
waiter for asynchronous processes.
To allow output from processes to be parsed as it is received, add
process_stdout_custom() which passes a new "line" parameter to
process_read_stdout_once() in order to consume output as it appears.
Users of a custom IO callback will only have access to the process_info
struct which is internal to lib/process; the function
procinfo_get_process() is added to allow these callers to access process
information.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
| |
Nothing used these, and the serialisation was buggy anyway.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
| |
struct boot_status is a bit misnamed; we report status on things that
aren't just the boot status (eg, discovery).
This change refactors struct boot_status into just struct status. We
give the type enum a name, and shorten the enum values to suit.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
| |
Allow the user to specify a HTTP and HTTPS proxy server. The discover
server will set the http_proxy and https_proxy environment variables,
enabling the proxy servers for any further HTTP(S) requests.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix several errors in copy_file_secure_dest() found by Coverity and some
minor formatting issues:
143603: Correctly handle mkstemp() return value
143605: Avoid accessing dest_filename[-1] on readlink() error
143606, 143610: Avoid accessing dest_filename[sizeof(dest_filename)]
143607: Fix incorrectly passing sizeof(pointer) to fread()
143608, 143611: Cleanup resources on early exit
143609: Explicitly set umask before calling mkstemp()
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit ce54f86 "Add petitboot,tty and track available consoles" added
the petitboot,tty parameter, but the petitboot,console parameter is also
recognised by Petitboot. These are ultimately handled by the 30-add-offb
and 80-set-stdout hooks respectively, but exist for mostly the same
purpose.
We consolidate these down to just the original petitboot,console
parameter. If the contents of petitboot,console have been configured by
Petitboot (ie. it is of the form /dev/dev# [ Description ]) we behave as
normal, otherwise we assume that petitboot,console contains a full
OF path to the intended console device and do not allow it to be
modified. This follows petitboot,console's original intent to be a debug
aid, and takes precedence over any other use.
The 80-set-stdout hook is removed as 30-add-offb now accounts for both
use cases.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
| |
'Console' is more readily understandable and technically more correct
than 'tty' for referring to the interfaces that Petitboot starts a UI on.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
| |
Explicitly keep track of whether the current interface config was set by
an IPMI network override, and avoid overwriting any saved config unless
the override was marked persistent.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In certain cases, such as network booting over an untrusted connection,
it may be useful to fully encrypt and sign the kernel files.
Enable fully encrypted boot using builtin keyring via the addition of
the string "ENCRYPTED" to the first line of the /etc/pb-lockdown file.
This disables detached (plaintext) signature verification.
Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
kernels and related blobs
This can be used to implement a form of organization-controlled secure boot,
whereby kernels may be loaded from a variety of sources but they will only
boot if a valid signature file is found for each component, and only if the
signature is listed in the /etc/pb-lockdown file.
Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
(Minor build fixes and gpgme.m4, comment on secure boot in gpg.c)
|
|
|
|
|
|
|
|
|
|
| |
Add tty_list and boot_tty to the config struct to keep track of
available console interfaces and the default console to set as primary
respectively.
Also add a tty field to the boot_command struct so that the current
console can be sent to the discover server during a manual boot command.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the configuration of the DHCP server and the network, tftp
requests made by the pxe parser can timeout. The pxe parser makes these
requests synchronously so several timeouts can block the server
completely for several minutes, leaving the server unresponsive to UI
requests.
Rework the pxe parser such that it handles the result of each tftp
request in a callback, which can complete after iterate_parsers() has
returned. Each callback is allocated its own conf_context which takes a
talloc reference on the discover_context so that each callback can
commit new boot options after the initial iterate loop has completed.
This also means talloc_unlink must be used instead by the original
parent of the discover_context.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The addition of the "url" field is not reflected in
config_copy_interface() which leaves the pointer uninitialised, causing
a potential segfault later on.
Copy the field from the source config, and use talloc_zero() for the
interface_config struct to prevent this more generally.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Some error paths in flash_setup_buffer() fail to free the flash_info struct
or close the open ffs before they return. Change them to goto the cleanup
code at the end. Separate the cleanup code into separate labels depending
on whether we need to call ffs_close(), arch_flash_close() and
talloc_free().
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
| |
libdevmapper is a hard dependency since snapshots were introduced, so
add an unconditional configure-time check for it.
Also add a check for libflash library and headers if --enable-mtd is
set.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The assert() statement in fold_text() only evaluates in a debug build.
If mbrtowc() encounters an error return the portion of the string that
has been parsed and stop.
This avoids an issue with glibc 2.22 where previous calls to
setlocale() failed and set an unsuitable locale. Since the error was not
caught this resulted in an infinite loop when trying to access the
Language screen.
Signed-off-by: Sam Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
| |
Signed-off-by: Sam Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
When queried libflash will return the 'first' flash side (ie. the one
with the lowest TOC address), however we label this the 'Current' side
which is incorrect if the machine has booted from the alternate side.
A future fix will inlcude additional platform logic to determine which
flash side is current; in the interim label the first flash side as
'Primary' instead of 'Current'.
Signed-off-by: Sam Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
| |
On BMC machines the "Get Device ID" and "Get BMC Golden Side Version"
IPMI commands are available. If possible retrieve some interesting
version numbers and display them in the System Information screen.
Signed-off-by: Sam Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
| |
On supported platforms read the VERSION partition on startup and display
the available versions strings in the System Information screen.
This adds a skeleton hostboot.c to support possible additional BMC
platform support.
Signed-off-by: Sam Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add basic libflash support to read the VERSION partition on BMC
machines. This adds a dependency on the libflash shared library from
Skiboot.
The MTD partition is accessed through the libflash helper functions.
Once read into a buffer, the VERSION partition is a simple list of
newline-terminated version strings. Some BMC platforms may have two
'sides' to flash - these are interpreted as the "current" and "other"
sides depending on which one the current Petitboot is running from.
Signed-off-by: Sam Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
| |
Signed-off-by: Sam Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
| |
Fixes Coverity defect #30486
Signed-off-by: Sam Mendoza-Jonas <sam@mendozajonas.com>
|
|
|
|
|
|
|
|
| |
If not running on a powerpc platform the bmc_mac pointer remains NULL.
If this is the case set an address of zero when serialising rather
than dereferencing the pointer.
Signed-off-by: Samuel Mendoza-Jonas <sam.mj@au1.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In certain configurations, e.g. automation, we want to use static
networking but load a particular file, automatically and parse it as a
pxelinux config file. Currently, we support something like this for DHCP
based booting, but not static. Add a URL field to the UI for static
configurations and reuse the logic from device_handler_process_url() to
load the specified file.
Signed-off-by: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
Signed-off-by: Samuel Mendoza-Jonas <sam.mj@au1.ibm.com>
|
|
|
|
|
|
| |
Fixes Coverity defects #30485 and #30486
Signed-off-by: Samuel Mendoza-Jonas <sam.mj@au1.ibm.com>
|
|
|
|
|
|
| |
Useful for identifying the initial BMC traffic on the network.
Signed-off-by: Jack Miller <jack@codezen.org>
|
|
|
|
|
|
|
| |
Instead of using 'Optical' in some places and 'CD/DVD' in others, simply
use 'CD/DVD' for all cases.
Signed-off-by: Samuel Mendoza-Jonas <sam.mj@au1.ibm.com>
|
|
|
|
|
|
|
|
| |
Users may want to prioritise USB-attached storage devices differently to
other devices. Detect if a device is USB-attached and add a new device
type to identify it.
Signed-off-by: Samuel Mendoza-Jonas <sam.mj@au1.ibm.com>
|
|
|
|
|
|
| |
Make the strncols() helper available generally to i18n-concerned code.
Signed-off-by: Samuel Mendoza-Jonas <sam.mj@au1.ibm.com>
|