path: root/lib
Commit message (Collapse)AuthorAgeFilesLines
* lib/security: add in openssl supportBrett Grandbois2018-05-307-291/+849
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Refactor to export a generic API rather than specific gpg_ prefixes by changing gpg.h to security.h and renaming some of the exports. Break out the common and specific functionality into common.c and none.c/gpg.c/openssl.c for no/gpgme/openssl modes respectively. gpgme should work as before OpenSSL support works like this: The pb-lockdown file is a PKCS12 file or X509 certificate or PEM-encoded raw public key. To follow the current conventions the presence of a PKCS12 file as a lockdown signals decrypt mode because of the presence of the private key, anything else signals signature verification mode. The keyring path is currently ignored but in the future could be used to point to an X509 certificate chain for validity checking. Because of this self-signed certificates are currently supported and really just used as a public key container. Signature verification mode supports: * Cryptographic Message Syntax (CMS) as detached S/MIME, this is really more for consistency for the encryption mode (see below). This mode requires the lockdown file to be an X509 certificate. A sample creation command would be: openssl cms -sign -in (infile) -out (outfile) -binary -nocerts \ -inkey (private key) -signer (recipient certificate) * Raw signature digest as output from openssl dgst -sign command. This mode can have the lockdown file be an X509 certificate or a PEM raw public key but the digest algorithm must be pre-defined by the VERIFY_DIGEST configure argument. The default is SHA256. A sample creation command would be: openssl dgst -sign (private key) -out (outfile) -(digest mode) \ (infile) Decryption mode supports: * CMS signed-envelope as attached S/MIME. This is for consistency with the current expectation of no external file for decryption. Some future enhancement could be to come up with some proprietary external file format containing the cipher used, the encrypted cipher key, and the IV (if necessary). A sample creation command would be: openssl cms -sign -in (infile) -signer (recipient certificate) \ -binary -nocerts -nodetach -inkey (private key) | \ openssl cms -encrypt -(cipher mode) -out (outfile) \ (recipient certificate) The PKCS12 file is expecting the private key to have password of NULL or "" as there is currently no mechanism to supply a custom one. Signed-off-by: Brett Grandbois <> Signed-off-by: Samuel Mendoza-Jonas <>
* lib/file: remove mkstemp umask in copy_file_secure_destBrett Grandbois2018-05-041-3/+0
| | | | | | | | | mkstemp will generate the temp file with permissions 0600 so the umask(0644) is causing the file to have permissions of 0000, making signature files unreadable Signed-off-by: Brett Grandbois <> Signed-off-by: Samuel Mendoza-Jonas <>
* lib/security: Fix broken if statements in gpg_validate_boot_files()Samuel Mendoza-Jonas2018-03-231-2/+4
| | | | | | | | | | | | | | The patch ccb478ac "Add encrypted file support" removes two result = KEXEC_LOAD_SIGNATURE_FAILURE; statements from after the `if (verify_file_signature)` lines for the kernel and cmdline signatures. This appears to have been a mistake that snuck through testing, and would allow incorrect signatures to pass validation. Also fix up some confusing indenting in the decryption section. Reported-by: Brett Grandbois <> Signed-off-by: Samuel Mendoza-Jonas <>
* lib/file: Avoid off-by-one error in arraySamuel Mendoza-Jonas2018-03-231-1/+1
| | | | | | Fixes Coverity defect CIDs 143606, 143610 Signed-off-by: Samuel Mendoza-Jonas <>
* Minor fixes for make distcheckSamuel Mendoza-Jonas2018-03-231-0/+1
| | | | | | | | Include the CCAN endian.h header in build sources and change the --with-twin-foo options to default off - most users are not building with libtwin so avoid having configure fail for them. Signed-off-by: Samuel Mendoza-Jonas <>
* lib: Fix gpg.h pathSamuel Mendoza-Jonas2018-03-071-1/+1
| | | | Signed-off-by: Samuel Mendoza-Jonas <>
* ui/ncurses: Spawn shell in exit handlerSamuel Mendoza-Jonas2017-10-042-0/+2
| | | | | | | | | In cui_on_exit()_ instead of exiting the program spawn a sh instance. This allows the user to drop to the shell and return without losing any custom boot options, for example. SIGINT still calls cui_abort() to properly exit Petitboot. Signed-off-by: Samuel Mendoza-Jonas <>
* lib/flash: Update type of size fieldSamuel Mendoza-Jonas2017-08-231-2/+2
| | | | | | | | Skiboot commit c043065 "flash: Make size 64 bit safe" updated the prototype of blocklevel_get_info() to use a uint64_t for the size parameter. Update our usage to reflect this. Signed-off-by: Samuel Mendoza-Jonas <>
* discover: Handle plugin install requestSamuel Mendoza-Jonas2017-08-151-0/+1
| | | | | | | | | Handle "_PLUGIN_INSTALL" requests from clients. Calling the pb-plugin script from pb-discover ensures different clients don't trip over each other. Successfully installed plugins are automatically communicated back to clients once pb-plugin sends a 'plugin' user event. Signed-off-by: Samuel Mendoza-Jonas <>
* Add pb-plugin and pb-exec to pb_system_appsSamuel Mendoza-Jonas2017-08-152-0/+4
| | | | Signed-off-by: Samuel Mendoza-Jonas <>
* lib/process: Add raw stdout modeSamuel Mendoza-Jonas2017-08-152-2/+6
| | | | | | | Allow process users to set 'raw_stdout', which if set skips redirecting and saving output from processes. Signed-off-by: Samuel Mendoza-Jonas <>
* discover/pxe-parser: Recognise plugin sourcesSamuel Mendoza-Jonas2017-08-152-1/+17
| | | | | | | | | | | | | Extend the pxe-parser to recognise 'PLUGIN' as well as the usual 'LABEL' when parsing a config file. 'PLUGIN' will be used to specify an option that provides the location of an installable pb-plugin file, named by the 'TARBALL' label. Since plugin options are discovered via the same mechanism as boot options treat them the same as boot options and at the 'type' field to the boot_option struct to differentiate between them. Signed-off-by: Samuel Mendoza-Jonas <>
* lib: Add plugin_option type and protocolSamuel Mendoza-Jonas2017-08-153-0/+127
| | | | | | | | | | Add a new struct 'plugin_option' to represent pb-plugins that are installed on the system. This consists of plugin metadata and an array of installed executables. This also adds two new pb-protocol actions to advertise the addition of a new plugin_option, and to remove known plugin_options. Signed-off-by: Samuel Mendoza-Jonas <>
* lib/system: Add vgscan, vgchange utilitiesSamuel Mendoza-Jonas2017-07-112-0/+4
| | | | Signed-off-by: Samuel Mendoza-Jonas <>
* discover: Track both configured and current autoboot settingsSamuel Mendoza-Jonas2017-03-152-0/+14
| | | | | | | | | | | | | | | If autoboot is enabled but later disabled or cancelled by, for example, an IPMI override then the nc-config screen will set the autoboot widget as disabled. If the user then makes and saves a change in nc-config, autoboot will also be saved as disabled. This accidental change is particularly awkward if the user is attempting to remove an IPMI override. Instead only ever change the autoboot setting if the user explicitly changes it. Use a new helper function 'config_autoboot_active()' to determine the current autoboot status where needed. Signed-off-by: Samuel Mendoza-Jonas <>
* process: Cancel all asynchronous jobs on reinitv1.4.1Samuel Mendoza-Jonas2017-01-312-0/+23
| | | | | | | | | | | If an asynchronous job is running over a reinit, the process can return and run its callback function after the reinit. This becomes a problem if the callback function accesses pointers that were only valid before the reinit (eg. device structs). If a reinit is requested explicitly stop all active asynchronous jobs and clear their callback functions before the reinit. Signed-off-by: Samuel Mendoza-Jonas <>
* discover: Record IP address of network interfacesSamuel Mendoza-Jonas2016-12-202-1/+8
| | | | | | | | If an interface has a valid IP address (either via DHCP or static config) store it in the interface_info struct so it can be referenced later. Signed-off-by: Samuel Mendoza-Jonas <>
* discover: Maintain a backlog of status updatesSamuel Mendoza-Jonas2016-12-202-1/+15
| | | | | | | | | Add status updates to a persistent list in the discover_server struct, and send each client the backlog on connect. This avoids clients missing useful messages from early init. Clients will only show this in the backlog screen to avoid flooding the client's status line. Signed-off-by: Samuel Mendoza-Jonas <>
* lib/process: Allow process output to be retrieved on each eventSamuel Mendoza-Jonas2016-12-202-5/+43
| | | | | | | | | | | | | | | | Allow a custom callback function to be set when registering the IO waiter for asynchronous processes. To allow output from processes to be parsed as it is received, add process_stdout_custom() which passes a new "line" parameter to process_read_stdout_once() in order to consume output as it appears. Users of a custom IO callback will only have access to the process_info struct which is internal to lib/process; the function procinfo_get_process() is added to allow these callers to access process information. Signed-off-by: Samuel Mendoza-Jonas <>
* types: Remove detail and progress from struct statusJeremy Kerr2016-12-202-21/+1
| | | | | | | Nothing used these, and the serialisation was buggy anyway. Signed-off-by: Jeremy Kerr <> Signed-off-by: Samuel Mendoza-Jonas <>
* types: shorten boot_status definitionsJeremy Kerr2016-12-203-12/+12
| | | | | | | | | | | struct boot_status is a bit misnamed; we report status on things that aren't just the boot status (eg, discovery). This change refactors struct boot_status into just struct status. We give the type enum a name, and shorten the enum values to suit. Signed-off-by: Jeremy Kerr <> Signed-off-by: Samuel Mendoza-Jonas <>
* Support HTTP(S) proxies when downloading resourcesSamuel Mendoza-Jonas2016-11-243-0/+19
| | | | | | | | Allow the user to specify a HTTP and HTTPS proxy server. The discover server will set the http_proxy and https_proxy environment variables, enabling the proxy servers for any further HTTP(S) requests. Signed-off-by: Samuel Mendoza-Jonas <>
* lib/file: Fix errors found by Coverity scanSamuel Mendoza-Jonas2016-10-111-34/+51
| | | | | | | | | | | | | | Fix several errors in copy_file_secure_dest() found by Coverity and some minor formatting issues: 143603: Correctly handle mkstemp() return value 143605: Avoid accessing dest_filename[-1] on readlink() error 143606, 143610: Avoid accessing dest_filename[sizeof(dest_filename)] 143607: Fix incorrectly passing sizeof(pointer) to fread() 143608, 143611: Cleanup resources on early exit 143609: Explicitly set umask before calling mkstemp() Signed-off-by: Samuel Mendoza-Jonas <>
* Consolidate petitboot,tty and petitboot,consoleSamuel Mendoza-Jonas2016-09-083-0/+9
| | | | | | | | | | | | | | | | | | | | Commit ce54f86 "Add petitboot,tty and track available consoles" added the petitboot,tty parameter, but the petitboot,console parameter is also recognised by Petitboot. These are ultimately handled by the 30-add-offb and 80-set-stdout hooks respectively, but exist for mostly the same purpose. We consolidate these down to just the original petitboot,console parameter. If the contents of petitboot,console have been configured by Petitboot (ie. it is of the form /dev/dev# [ Description ]) we behave as normal, otherwise we assume that petitboot,console contains a full OF path to the intended console device and do not allow it to be modified. This follows petitboot,console's original intent to be a debug aid, and takes precedence over any other use. The 80-set-stdout hook is removed as 30-add-offb now accounts for both use cases. Signed-off-by: Samuel Mendoza-Jonas <>
* Use 'consoles' instead of 'tty' to refer to interfacesSamuel Mendoza-Jonas2016-09-083-30/+30
| | | | | | | 'Console' is more readily understandable and technically more correct than 'tty' for referring to the interfaces that Petitboot starts a UI on. Signed-off-by: Samuel Mendoza-Jonas <>
* discover: Avoid writing network overrides to NVRAMSamuel Mendoza-Jonas2016-09-083-0/+11
| | | | | | | | Explicitly keep track of whether the current interface config was set by an IPMI network override, and avoid overwriting any saved config unless the override was marked persistent. Signed-off-by: Samuel Mendoza-Jonas <>
* Add encrypted file supporttpearson@raptorengineering.com2016-08-262-28/+275
| | | | | | | | | | | | In certain cases, such as network booting over an untrusted connection, it may be useful to fully encrypt and sign the kernel files. Enable fully encrypted boot using builtin keyring via the addition of the string "ENCRYPTED" to the first line of the /etc/pb-lockdown file. This disables detached (plaintext) signature verification. Signed-off-by: Timothy Pearson <> Signed-off-by: Samuel Mendoza-Jonas <>
* Add support for GPG signature enforcement on bootedtpearson@raptorengineering.com2016-08-267-1/+513
| | | | | | | | | | | | | kernels and related blobs This can be used to implement a form of organization-controlled secure boot, whereby kernels may be loaded from a variety of sources but they will only boot if a valid signature file is found for each component, and only if the signature is listed in the /etc/pb-lockdown file. Signed-off-by: Timothy Pearson <> Signed-off-by: Samuel Mendoza-Jonas <> (Minor build fixes and gpgme.m4, comment on secure boot in gpg.c)
* lib: Add support for tracking boot consolesSamuel Mendoza-Jonas2016-06-283-2/+49
| | | | | | | | | | Add tty_list and boot_tty to the config struct to keep track of available console interfaces and the default console to set as primary respectively. Also add a tty field to the boot_command struct so that the current console can be sent to the discover server during a manual boot command. Signed-off-by: Samuel Mendoza-Jonas <>
* discover/pxe-parser: Retrieve configs asynchronouslySamuel Mendoza-Jonas2016-06-284-2/+4
| | | | | | | | | | | | | | | | | | Depending on the configuration of the DHCP server and the network, tftp requests made by the pxe parser can timeout. The pxe parser makes these requests synchronously so several timeouts can block the server completely for several minutes, leaving the server unresponsive to UI requests. Rework the pxe parser such that it handles the result of each tftp request in a callback, which can complete after iterate_parsers() has returned. Each callback is allocated its own conf_context which takes a talloc reference on the discover_context so that each callback can commit new boot options after the initial iterate loop has completed. This also means talloc_unlink must be used instead by the original parent of the discover_context. Signed-off-by: Samuel Mendoza-Jonas <>
* lib/pb-config: Properly initialise interface_configSamuel Mendoza-Jonas2016-06-271-1/+4
| | | | | | | | | | | The addition of the "url" field is not reflected in config_copy_interface() which leaves the pointer uninitialised, causing a potential segfault later on. Copy the field from the source config, and use talloc_zero() for the interface_config struct to prevent this more generally. Signed-off-by: Samuel Mendoza-Jonas <>
* lib/flash: fix resource leak in flash_setup_buffer() error pathsAndrew Donnellan2016-05-061-5/+8
| | | | | | | | | | | Some error paths in flash_setup_buffer() fail to free the flash_info struct or close the open ffs before they return. Change them to goto the cleanup code at the end. Separate the cleanup code into separate labels depending on whether we need to call ffs_close(), arch_flash_close() and talloc_free(). Signed-off-by: Andrew Donnellan <> Signed-off-by: Samuel Mendoza-Jonas <>
* Add checks for libflash and libdevmapperSamuel Mendoza-Jonas2016-04-051-1/+1
| | | | | | | | | libdevmapper is a hard dependency since snapshots were introduced, so add an unconditional configure-time check for it. Also add a check for libflash library and headers if --enable-mtd is set. Signed-off-by: Samuel Mendoza-Jonas <>
* lib/fold: Catch error case from mbrtowc()Sam Mendoza-Jonas2016-03-151-3/+4
| | | | | | | | | | | | | The assert() statement in fold_text() only evaluates in a debug build. If mbrtowc() encounters an error return the portion of the string that has been parsed and stop. This avoids an issue with glibc 2.22 where previous calls to setlocale() failed and set an unsuitable locale. Since the error was not caught this resulted in an infinite loop when trying to access the Language screen. Signed-off-by: Sam Mendoza-Jonas <>
* lib/flash: Fix version side being interpreted backwardsSam Mendoza-Jonas2016-03-051-1/+1
| | | | Signed-off-by: Sam Mendoza-Jonas <>
* Use 'Primary' instead of 'Current' for flash sidesSam Mendoza-Jonas2016-02-262-12/+12
| | | | | | | | | | | | When queried libflash will return the 'first' flash side (ie. the one with the lowest TOC address), however we label this the 'Current' side which is incorrect if the machine has booted from the alternate side. A future fix will inlcude additional platform logic to determine which flash side is current; in the interim label the first flash side as 'Primary' instead of 'Current'. Signed-off-by: Sam Mendoza-Jonas <>
* Retrieve BMC version info via IPMISam Mendoza-Jonas2016-02-102-1/+43
| | | | | | | | On BMC machines the "Get Device ID" and "Get BMC Golden Side Version" IPMI commands are available. If possible retrieve some interesting version numbers and display them in the System Information screen. Signed-off-by: Sam Mendoza-Jonas <>
* Display VERSION partition info on BMC machinesSamuel Mendoza-Jonas2016-02-092-0/+43
| | | | | | | | | | On supported platforms read the VERSION partition on startup and display the available versions strings in the System Information screen. This adds a skeleton hostboot.c to support possible additional BMC platform support. Signed-off-by: Sam Mendoza-Jonas <>
* lib/flash: Add support for platform versionsSamuel Mendoza-Jonas2016-02-094-1/+273
| | | | | | | | | | | | | Add basic libflash support to read the VERSION partition on BMC machines. This adds a dependency on the libflash shared library from Skiboot. The MTD partition is accessed through the libflash helper functions. Once read into a buffer, the VERSION partition is a simple list of newline-terminated version strings. Some BMC platforms may have two 'sides' to flash - these are interpreted as the "current" and "other" sides depending on which one the current Petitboot is running from. Signed-off-by: Sam Mendoza-Jonas <>
* lib: Add CCAN headers for endian helpersSamuel Mendoza-Jonas2016-02-096-0/+550
| | | | Signed-off-by: Sam Mendoza-Jonas <>
* lib/talloc: Avoid early exit before va_end()Samuel Mendoza-Jonas2016-02-091-1/+3
| | | | | | Fixes Coverity defect #30486 Signed-off-by: Sam Mendoza-Jonas <>
* lib/pb-protocol: Fix NULL dereference on non-powerpcSamuel Mendoza-Jonas2015-12-211-1/+4
| | | | | | | | If not running on a powerpc platform the bmc_mac pointer remains NULL. If this is the case set an address of zero when serialising rather than dereferencing the pointer. Signed-off-by: Samuel Mendoza-Jonas <>
* ui: add URL for static configurations to load a specified fileNishanth Aravamudan2015-12-182-0/+7
| | | | | | | | | | | | In certain configurations, e.g. automation, we want to use static networking but load a particular file, automatically and parse it as a pxelinux config file. Currently, we support something like this for DHCP based booting, but not static. Add a URL field to the UI for static configurations and reuse the logic from device_handler_process_url() to load the specified file. Signed-off-by: Nishanth Aravamudan <> Signed-off-by: Samuel Mendoza-Jonas <>
* lib/talloc: Add missing va_end() callsSamuel Mendoza-Jonas2015-12-181-0/+2
| | | | | | Fixes Coverity defects #30485 and #30486 Signed-off-by: Samuel Mendoza-Jonas <>
* Add BMC interface MAC to system info outputJack Miller2015-12-152-1/+18
| | | | | | Useful for identifying the initial BMC traffic on the network. Signed-off-by: Jack Miller <>
* Consolidate display string for optical devicesSamuel Mendoza-Jonas2015-08-311-1/+1
| | | | | | | Instead of using 'Optical' in some places and 'CD/DVD' in others, simply use 'CD/DVD' for all cases. Signed-off-by: Samuel Mendoza-Jonas <>
* Recognise storage devices on USB busSamuel Mendoza-Jonas2015-08-312-0/+7
| | | | | | | | Users may want to prioritise USB-attached storage devices differently to other devices. Detect if a device is USB-attached and add a new device type to identify it. Signed-off-by: Samuel Mendoza-Jonas <>
* lib/i18n: Move strncols to i18n.cSamuel Mendoza-Jonas2015-08-313-0/+53
| | | | | | Make the strncols() helper available generally to i18n-concerned code. Signed-off-by: Samuel Mendoza-Jonas <>
* lib/fold: Handle extra mbrtowc return caseSamuel Mendoza-Jonas2015-08-251-2/+3
| | | | | | | | Commit 9781a370 ("Handle mblen return code when n is zero.") in glibc changes the return value for when the number of bytes ('n') is zero. Add an extra condition to detect if we've reached the end of the buffer. Signed-off-by: Samuel Mendoza-Jonas <>
* discover: Add disable param for dm-snapshotsSamuel Mendoza-Jonas2015-08-181-0/+1
| | | | | | | Add a debug-style nvram parameter to disallow the use of device-mapper snapshots. Signed-off-by: Samuel Mendoza-Jonas <>
OpenPOWER on IntegriCloud