summaryrefslogtreecommitdiffstats
path: root/lib
Commit message (Collapse)AuthorAgeFilesLines
* lib: Add AUTH_MSG_DECRYPTSamuel Mendoza-Jonas2019-03-064-0/+29
| | | | | | | | | Extend the auth_message struct to support the AUTH_MSG_DECRYPT operation, allowing the existing authentications methods to be used for passing a disk password from the UI to pb-discover. In addition add DEVICE_TYPE_LUKS to identify encrypted disk devices. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/process: Add option to pipe to process stdinSamuel Mendoza-Jonas2019-03-062-0/+34
| | | | | | | | If pipe_stdin exists, create a second pipe to write to the child process's STDIN. This allows Petitboot to pipe information to a process, for example piping a LUKS password to cryptsetup. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/system: Add cryptsetup utilitySamuel Mendoza-Jonas2019-03-062-0/+2
| | | | Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/url: Include port in pb_url_to_string()v1.10.1Samuel Mendoza-Jonas2019-02-011-4/+11
| | | | | | | | And include a pxe-parser test which uses a port in the path prefix to exercise this. This could cause PXE discovery failures if parameters such as pathprefix included a port in the URL. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* ui/ncurses: Add option to clear IPMI boot mailboxSamuel Mendoza-Jonas2018-12-132-0/+7
| | | | | | | | If there is an IPMI boot mailbox configuration present display a message in the System Configuration screen and provide the option to clear the mailbox. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/platform-powerpc: read bootdev config from IPMI boot mailboxSamuel Mendoza-Jonas2018-12-131-0/+1
| | | | | | | | | | | | The IPMI Get System Boot Options commands includes parameter 7, the "boot initiator mailbox". This can be used to hold arbitrary data to influence the boot order. Use this to provide an alternate bootdev configuration to Petitboot that will override the one saved to NVRAM. This provides more fine grained override options than the existing device-type based overrides. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* ui/ncurses: Keep track of the default boot optionSamuel Mendoza-Jonas2018-12-032-0/+7
| | | | | | | | | Keep track of the default boot option, and prefix its display name with a '(*)' to point it out to the user. This avoids having to authenticate with pb-discover even if only booting the default option. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/platform-powerpc: Read and write password hash from NVRAMSamuel Mendoza-Jonas2018-12-031-0/+1
| | | | | | | | | If petitboot,password exists set it as the root password. This will be the password used to authenticate clients. This is the *hash* of a password as it would appear in /etc/shadow, not the password itself. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/pb-protocol: Add PB_PROTOCOL_ACTION_AUTHENTICATESamuel Mendoza-Jonas2018-12-032-0/+114
| | | | | | | | Add a new "authenticate" action. Depending on the 'op' field this is either a) an authentication request, b) a response indicating the result, or c) a request to change the password. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/crypt: Add helpers for operating on /etc/shadowSamuel Mendoza-Jonas2018-12-033-0/+275
| | | | | | | | Provides helper functions for reading, writing, and checking against /etc/shadow. The main use case if for authenticating clients against the "system" password, which is set as the root password. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover: Nicely format IPMI response buffersv1.9.2Samuel Mendoza-Jonas2018-11-162-0/+18
| | | | | | | | | | | | | | | A few places where we print out the response buffer from an IPMI command weren't updated when log timestamps were added, resulting in very hard to read output. Add a little helper to format buffers and use it to print these with only one timestamp. Example: [04:59:01] ipmi_get_bmc_versions: BMC version resp [0][16]: 0x00 0x20 0x01 0x02 0x13 0x02 0xbf 0x00 0x00 0x00 0xbb 0xaa 0x58 0x98 0x01 0x00 Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* ui/ncurses: Reset console options on bootSamuel Mendoza-Jonas2018-11-162-1/+9
| | | | | | | | | | | | | | | The ncurses UI sets a few console options at startup that are needed for ncurses to work properly. These aren't reset however and can lead to quirks like the cursor being invisible after kexecing to the next kernel. The UI process doesn't have time to reset these when it is killed by kexec, so instead add a 'boot_active' field to status updates. This is set by boot.c's update handler so the UI can assume it is about to boot if it receives a status update with this field, and resets the console options. If the boot is cancelled for any reason the status update will reflect that and the console options are restored. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/flash: Check if the partition is signedSamuel Mendoza-Jonas2018-11-141-0/+16
| | | | | | | | In more recent firmware images built by op-build the VERSION partition is signed, and includes a 'secure header'. Check for this and skip it if found so we parse the version strings properly. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/efi: Move magic to implementationGeoff Levand2018-08-142-6/+5
| | | | | | | | efi_check_mount now does a magic number check by default, so move the magic number related code from efivar.h to efivar.c. Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/efi: Add new struct efi_mountGeoff Levand2018-08-142-33/+85
| | | | | | | | | | | | | | To make it easier to manage EFI variables add a new struct efi_mount that holds the path to the EFI file system mount and the EFI variable name GUID. Update the lib/efi routines to use struct efi_mount. Add a new routine efi_check_mount based on the checks done in platform-arm64. This change to using struct efi_mount removes the static variable efivarfs_path making the lib/efi routines stateless. Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/efi: Log operations to debug logGeoff Levand2018-08-141-0/+3
| | | | | Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/efi: Add EFI_DEFALT_ATTRIBUTES macroGeoff Levand2018-08-141-0/+6
| | | | | | | | For convenience, add a new efi data attributes macro EFI_DEFALT_ATTRIBUTES. Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/efi: Add check for ioctl_iflags supportGeoff Levand2018-08-141-2/+17
| | | | | | | | | The efi tests may use a filesystem which does not support ioctl_iflags. Add a check and skip the ioctl_iflags operations if not supported. Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/talloc: Fix TALLOC_ABORTGeoff Levand2018-08-141-14/+9
| | | | | | | | | | | | | | The current TALLOC_ABORT macro had a number of problems. Failures were not going to the pb log, but only to stderr. If the object passed in was not a talloc object the printing of an object name would be printing random data. The use of a macro obscured the code. To clean this up, remove all reference to TALLOC_ABORT and put the logging and abort calls directly into talloc_chunk_from_ptr. Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* pb_log: Break out timestampGeoff Levand2018-08-141-2/+9
| | | | | | | Fixes double timestamp on pb_log_fn, pb_debug_fn. Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/system: Add dmidecode as system appGeoff Levand2018-08-072-0/+2
| | | | | | | For use by the arm64 get_sysinfo. Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/powerpc: Switch to new param_listGeoff Levand2018-08-071-0/+1
| | | | | | Signed-off-by: Geoff Levand <geoff@infradead.org> [Name string fixup] Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/param_list: Add new parameter list routinesGeoff Levand2018-08-073-1/+169
| | | | | | | | Based on the powerpc param routines adds new generic routines to manage a name + value parameter list. Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/efi: Cleanup read/write routinesGeoff Levand2018-08-072-104/+112
| | | | | | | | | | Make a new stucture struct efi_data to hold the info that describes an efi variable. Make a common routine efi_open that opens the efi variable file. Switch the efi get/set/del routines over to use efi_open. Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/efi: Add new routines to access efi variablesGe Song2018-08-073-1/+240
| | | | | | | | | | Provide methods to load/store petitboot's configuration on efi-based platforms. A test case is also provided. Signed-off-by: Ge Song <ge.song@hxt-semitech.com> [Cleanup file comments, make efivarfs_path static.] Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/process: Add process_get_stdoutGeoff Levand2018-08-072-18/+62
| | | | | | | | | | | | Add a new structure 'struct process_stdout' and optional parameter 'stdout' to the process_run_simple functions to allow the caller to get a buffer filled with the stdout from the child process. Rename the process_run_simple functions to process_get_stdout and add wrappers for the old process_run_simple function names. Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/process: Cleanup stdout callbackGeoff Levand2018-08-072-25/+9
| | | | | | | | | | | General cleanup of async stdout processing. The process_stdout_cb and process_stdout_custom routines were doing the same thing, so rename process_stdout_custom to process_process_stdout and make process_stdout_cb a wrapper that calls process_process_stdout. Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover: Add --debug to kexecGeoff Levand2018-08-072-0/+6
| | | | | | | | | If verbose logging is enabled then add '--debug' to the kexec command line. Adds a new routine pb_log_get_debug() that can be used to query the log debug state. Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/log: Switch to pb_log_fnGeoff Levand2018-08-078-41/+41
| | | | | | | | The only functional change should be an additional '/n' to a few log messagees that seemed to be missing it. Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/log: Add verbose logging routinesGeoff Levand2018-08-072-0/+41
| | | | | | | | | | Add three new logging routines pb_log_fn and pb_debug_fn, which print the calling function's name to the log, and pb_debug_fl which prints the calling function's name and the file line number to the log. Signed-off-by: Geoff Levand <geoff@infradead.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/log: Include timestamp prefixSamuel Mendoza-Jonas2018-07-301-0/+11
| | | | | | | | The relative time between logged events is very useful during debugging, particularly when debugging autoboot failures. Prepend a short HH:MM:SS timestamp to each line logged. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/system: Add udhcpc6Samuel Mendoza-Jonas2018-07-102-0/+2
| | | | Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib: Add support and helpers for IPv6 host addressesSamuel Mendoza-Jonas2018-07-104-6/+48
| | | | | | | | Recognise IPv6 addresses and URLs, and allow an interface_info struct to have both an IPv4 and IPv6 address. The addr_scheme() helper returns the address family of a given address. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* protocol: Add definition and serialisation for temporary autobootJeremy Kerr2018-07-102-0/+76
| | | | | | | Add a new message format for a temporarily-applied autoboot setting. Signed-off-by: Jeremy Kerr <jk@ozlabs.org> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/security: hard_lockdown flag to stop runtime disable of signed bootBrett Grandbois2018-06-122-1/+5
| | | | | | | | | | | | | | | Currently if signed-boot is enabled in configure the presence of the LOCKDOWN_FILE is used as a runtime determination to perform the actual verification. In some environments this may be acceptable or even the intended operation but in other environments could be a security hole since the removal of the file will then cause boot task verification. Add a 'hard_lockdown' enable flag to generate a HARD_LOCKDOWN preprocessor definition to force the system to always do a signed boot verification for each boot task, which in the case of a missing file the boot will fail. Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover: Rescan SCSI devices on reinitSamuel Mendoza-Jonas2018-06-122-0/+2
| | | | | | | Explicitly rescan SCSI devices on reinit rather than just remounting them in case a device did not init properly on boot. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/security: add in openssl supportBrett Grandbois2018-05-307-291/+849
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Refactor to export a generic API rather than specific gpg_ prefixes by changing gpg.h to security.h and renaming some of the exports. Break out the common and specific functionality into common.c and none.c/gpg.c/openssl.c for no/gpgme/openssl modes respectively. gpgme should work as before OpenSSL support works like this: The pb-lockdown file is a PKCS12 file or X509 certificate or PEM-encoded raw public key. To follow the current conventions the presence of a PKCS12 file as a lockdown signals decrypt mode because of the presence of the private key, anything else signals signature verification mode. The keyring path is currently ignored but in the future could be used to point to an X509 certificate chain for validity checking. Because of this self-signed certificates are currently supported and really just used as a public key container. Signature verification mode supports: * Cryptographic Message Syntax (CMS) as detached S/MIME, this is really more for consistency for the encryption mode (see below). This mode requires the lockdown file to be an X509 certificate. A sample creation command would be: openssl cms -sign -in (infile) -out (outfile) -binary -nocerts \ -inkey (private key) -signer (recipient certificate) * Raw signature digest as output from openssl dgst -sign command. This mode can have the lockdown file be an X509 certificate or a PEM raw public key but the digest algorithm must be pre-defined by the VERIFY_DIGEST configure argument. The default is SHA256. A sample creation command would be: openssl dgst -sign (private key) -out (outfile) -(digest mode) \ (infile) Decryption mode supports: * CMS signed-envelope as attached S/MIME. This is for consistency with the current expectation of no external file for decryption. Some future enhancement could be to come up with some proprietary external file format containing the cipher used, the encrypted cipher key, and the IV (if necessary). A sample creation command would be: openssl cms -sign -in (infile) -signer (recipient certificate) \ -binary -nocerts -nodetach -inkey (private key) | \ openssl cms -encrypt -(cipher mode) -out (outfile) \ (recipient certificate) The PKCS12 file is expecting the private key to have password of NULL or "" as there is currently no mechanism to supply a custom one. Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/file: remove mkstemp umask in copy_file_secure_destBrett Grandbois2018-05-041-3/+0
| | | | | | | | | mkstemp will generate the temp file with permissions 0600 so the umask(0644) is causing the file to have permissions of 0000, making signature files unreadable Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/security: Fix broken if statements in gpg_validate_boot_files()Samuel Mendoza-Jonas2018-03-231-2/+4
| | | | | | | | | | | | | | The patch ccb478ac "Add encrypted file support" removes two result = KEXEC_LOAD_SIGNATURE_FAILURE; statements from after the `if (verify_file_signature)` lines for the kernel and cmdline signatures. This appears to have been a mistake that snuck through testing, and would allow incorrect signatures to pass validation. Also fix up some confusing indenting in the decryption section. Reported-by: Brett Grandbois <brett.grandbois@opengear.com> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/file: Avoid off-by-one error in arraySamuel Mendoza-Jonas2018-03-231-1/+1
| | | | | | Fixes Coverity defect CIDs 143606, 143610 Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* Minor fixes for make distcheckSamuel Mendoza-Jonas2018-03-231-0/+1
| | | | | | | | Include the CCAN endian.h header in build sources and change the --with-twin-foo options to default off - most users are not building with libtwin so avoid having configure fail for them. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib: Fix gpg.h pathSamuel Mendoza-Jonas2018-03-071-1/+1
| | | | Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* ui/ncurses: Spawn shell in exit handlerSamuel Mendoza-Jonas2017-10-042-0/+2
| | | | | | | | | In cui_on_exit()_ instead of exiting the program spawn a sh instance. This allows the user to drop to the shell and return without losing any custom boot options, for example. SIGINT still calls cui_abort() to properly exit Petitboot. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/flash: Update type of size fieldSamuel Mendoza-Jonas2017-08-231-2/+2
| | | | | | | | Skiboot commit c043065 "flash: Make size 64 bit safe" updated the prototype of blocklevel_get_info() to use a uint64_t for the size parameter. Update our usage to reflect this. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover: Handle plugin install requestSamuel Mendoza-Jonas2017-08-151-0/+1
| | | | | | | | | Handle "_PLUGIN_INSTALL" requests from clients. Calling the pb-plugin script from pb-discover ensures different clients don't trip over each other. Successfully installed plugins are automatically communicated back to clients once pb-plugin sends a 'plugin' user event. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* Add pb-plugin and pb-exec to pb_system_appsSamuel Mendoza-Jonas2017-08-152-0/+4
| | | | Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/process: Add raw stdout modeSamuel Mendoza-Jonas2017-08-152-2/+6
| | | | | | | Allow process users to set 'raw_stdout', which if set skips redirecting and saving output from processes. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/pxe-parser: Recognise plugin sourcesSamuel Mendoza-Jonas2017-08-152-1/+17
| | | | | | | | | | | | | Extend the pxe-parser to recognise 'PLUGIN' as well as the usual 'LABEL' when parsing a config file. 'PLUGIN' will be used to specify an option that provides the location of an installable pb-plugin file, named by the 'TARBALL' label. Since plugin options are discovered via the same mechanism as boot options treat them the same as boot options and at the 'type' field to the boot_option struct to differentiate between them. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib: Add plugin_option type and protocolSamuel Mendoza-Jonas2017-08-153-0/+127
| | | | | | | | | | Add a new struct 'plugin_option' to represent pb-plugins that are installed on the system. This consists of plugin metadata and an array of installed executables. This also adds two new pb-protocol actions to advertise the addition of a new plugin_option, and to remove known plugin_options. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/system: Add vgscan, vgchange utilitiesSamuel Mendoza-Jonas2017-07-112-0/+4
| | | | Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
OpenPOWER on IntegriCloud