path: root/lib
Commit message (author, date; files changed, lines -removed/+added)
* ui/ncurses: Add preboot check option in the config screen (Maxiwell S. Garcia, 2020-01-25; 3 files, -0/+12)
  Petitboot might run some checks to validate the kernel images before calling the kexec load. This patch adds both a 'preboot check' option in the config UI screen and a NVRAM variable 'petitboot,preboot-check' to make the user's choice persistent. The 'preboot check' is enabled by default. The 'petitboot,preboot-check' is created on NVRAM only when 'preboot check' is disabled by the user.
  NVRAM property changed to preboot-check, small label changes and help text added by Jeremy Kerr <jk@ozlabs.org>.
  Signed-off-by: Maxiwell S. Garcia <maxiwell@linux.ibm.com>
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* protocol,types: Add secure & trusted boot state to system info (Jeremy Kerr, 2020-01-23; 2 files, -0/+21)
  Add state of secure & trusted boot to struct system_info:
  - fw_measurement: whether the firmware has been measured
  - fw_enforcing: whether the firmware has been authenticated
  - os_enforcing: whether the boot payload will be authenticated
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* lib/types: consolidate struct system_info layout with serialised version (Jeremy Kerr, 2020-01-23; 1 file, -1/+1)
  We currently serialise the BMC MAC at the end of a system info message, so update struct system_info to suit.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* lib/pb-protocol: fix ordering of system info length calculation (Jeremy Kerr, 2020-01-23; 1 file, -3/+3)
  ... to match the definition of struct system_info.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
* Various fixups and checks to make scan-build happy (Samuel Mendoza-Jonas, 2019-05-30; 2 files, -25/+26)
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib: Add AUTH_MSG_DECRYPT (Samuel Mendoza-Jonas, 2019-03-06; 4 files, -0/+29)
  Extend the auth_message struct to support the AUTH_MSG_DECRYPT operation, allowing the existing authentication methods to be used for passing a disk password from the UI to pb-discover.
  In addition add DEVICE_TYPE_LUKS to identify encrypted disk devices.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/process: Add option to pipe to process stdin (Samuel Mendoza-Jonas, 2019-03-06; 2 files, -0/+34)
  If pipe_stdin exists, create a second pipe to write to the child process's STDIN. This allows Petitboot to pipe information to a process, for example piping a LUKS password to cryptsetup.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/system: Add cryptsetup utility (Samuel Mendoza-Jonas, 2019-03-06; 2 files, -0/+2)
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/url: Include port in pb_url_to_string() [tag v1.10.1] (Samuel Mendoza-Jonas, 2019-02-01; 1 file, -4/+11)
  And include a pxe-parser test which uses a port in the path prefix to exercise this.
  This could cause PXE discovery failures if parameters such as pathprefix included a port in the URL.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* ui/ncurses: Add option to clear IPMI boot mailbox (Samuel Mendoza-Jonas, 2018-12-13; 2 files, -0/+7)
  If there is an IPMI boot mailbox configuration present display a message in the System Configuration screen and provide the option to clear the mailbox.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/platform-powerpc: read bootdev config from IPMI boot mailbox (Samuel Mendoza-Jonas, 2018-12-13; 1 file, -0/+1)
  The IPMI Get System Boot Options command includes parameter 7, the "boot initiator mailbox". This can be used to hold arbitrary data to influence the boot order.
  Use this to provide an alternate bootdev configuration to Petitboot that will override the one saved to NVRAM. This provides more fine-grained override options than the existing device-type based overrides.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* ui/ncurses: Keep track of the default boot option (Samuel Mendoza-Jonas, 2018-12-03; 2 files, -0/+7)
  Keep track of the default boot option, and prefix its display name with a '(*)' to point it out to the user. This avoids having to authenticate with pb-discover even if only booting the default option.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/platform-powerpc: Read and write password hash from NVRAM (Samuel Mendoza-Jonas, 2018-12-03; 1 file, -0/+1)
  If petitboot,password exists, set it as the root password. This will be the password used to authenticate clients.
  This is the *hash* of a password as it would appear in /etc/shadow, not the password itself.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/pb-protocol: Add PB_PROTOCOL_ACTION_AUTHENTICATE (Samuel Mendoza-Jonas, 2018-12-03; 2 files, -0/+114)
  Add a new "authenticate" action. Depending on the 'op' field this is either a) an authentication request, b) a response indicating the result, or c) a request to change the password.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/crypt: Add helpers for operating on /etc/shadow (Samuel Mendoza-Jonas, 2018-12-03; 3 files, -0/+275)
  Provides helper functions for reading, writing, and checking against /etc/shadow. The main use case is for authenticating clients against the "system" password, which is set as the root password.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover: Nicely format IPMI response buffers [tag v1.9.2] (Samuel Mendoza-Jonas, 2018-11-16; 2 files, -0/+18)
  A few places where we print out the response buffer from an IPMI command weren't updated when log timestamps were added, resulting in very hard to read output. Add a little helper to format buffers and use it to print these with only one timestamp.
  Example:
      [04:59:01] ipmi_get_bmc_versions: BMC version resp [0][16]:
      0x00 0x20 0x01 0x02 0x13 0x02 0xbf 0x00 0x00 0x00 0xbb 0xaa 0x58 0x98 0x01 0x00
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* ui/ncurses: Reset console options on boot (Samuel Mendoza-Jonas, 2018-11-16; 2 files, -1/+9)
  The ncurses UI sets a few console options at startup that are needed for ncurses to work properly. These aren't reset however and can lead to quirks like the cursor being invisible after kexecing to the next kernel.
  The UI process doesn't have time to reset these when it is killed by kexec, so instead add a 'boot_active' field to status updates. This is set by boot.c's update handler so the UI can assume it is about to boot if it receives a status update with this field, and resets the console options. If the boot is cancelled for any reason the status update will reflect that and the console options are restored.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/flash: Check if the partition is signed (Samuel Mendoza-Jonas, 2018-11-14; 1 file, -0/+16)
  In more recent firmware images built by op-build the VERSION partition is signed, and includes a 'secure header'. Check for this and skip it if found so we parse the version strings properly.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/efi: Move magic to implementation (Geoff Levand, 2018-08-14; 2 files, -6/+5)
  efi_check_mount now does a magic number check by default, so move the magic number related code from efivar.h to efivar.c.
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/efi: Add new struct efi_mount (Geoff Levand, 2018-08-14; 2 files, -33/+85)
  To make it easier to manage EFI variables add a new struct efi_mount that holds the path to the EFI file system mount and the EFI variable name GUID. Update the lib/efi routines to use struct efi_mount. Add a new routine efi_check_mount based on the checks done in platform-arm64.
  This change to using struct efi_mount removes the static variable efivarfs_path making the lib/efi routines stateless.
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/efi: Log operations to debug log (Geoff Levand, 2018-08-14; 1 file, -0/+3)
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/efi: Add EFI_DEFALT_ATTRIBUTES macro (Geoff Levand, 2018-08-14; 1 file, -0/+6)
  For convenience, add a new efi data attributes macro EFI_DEFALT_ATTRIBUTES.
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/efi: Add check for ioctl_iflags support (Geoff Levand, 2018-08-14; 1 file, -2/+17)
  The efi tests may use a filesystem which does not support ioctl_iflags. Add a check and skip the ioctl_iflags operations if not supported.
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/talloc: Fix TALLOC_ABORT (Geoff Levand, 2018-08-14; 1 file, -14/+9)
  The current TALLOC_ABORT macro had a number of problems. Failures were not going to the pb log, but only to stderr. If the object passed in was not a talloc object the printing of an object name would be printing random data. The use of a macro obscured the code.
  To clean this up, remove all reference to TALLOC_ABORT and put the logging and abort calls directly into talloc_chunk_from_ptr.
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* pb_log: Break out timestamp (Geoff Levand, 2018-08-14; 1 file, -2/+9)
  Fixes double timestamp on pb_log_fn, pb_debug_fn.
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/system: Add dmidecode as system app (Geoff Levand, 2018-08-07; 2 files, -0/+2)
  For use by the arm64 get_sysinfo.
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover/powerpc: Switch to new param_list (Geoff Levand, 2018-08-07; 1 file, -0/+1)
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  [Name string fixup]
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/param_list: Add new parameter list routines (Geoff Levand, 2018-08-07; 3 files, -1/+169)
  Based on the powerpc param routines, add new generic routines to manage a name + value parameter list.
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/efi: Cleanup read/write routines (Geoff Levand, 2018-08-07; 2 files, -104/+112)
  Make a new structure struct efi_data to hold the info that describes an efi variable. Make a common routine efi_open that opens the efi variable file. Switch the efi get/set/del routines over to use efi_open.
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/efi: Add new routines to access efi variables (Ge Song, 2018-08-07; 3 files, -1/+240)
  Provide methods to load/store petitboot's configuration on efi-based platforms. A test case is also provided.
  Signed-off-by: Ge Song <ge.song@hxt-semitech.com>
  [Cleanup file comments, make efivarfs_path static.]
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/process: Add process_get_stdout (Geoff Levand, 2018-08-07; 2 files, -18/+62)
  Add a new structure 'struct process_stdout' and optional parameter 'stdout' to the process_run_simple functions to allow the caller to get a buffer filled with the stdout from the child process.
  Rename the process_run_simple functions to process_get_stdout and add wrappers for the old process_run_simple function names.
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/process: Cleanup stdout callback (Geoff Levand, 2018-08-07; 2 files, -25/+9)
  General cleanup of async stdout processing. The process_stdout_cb and process_stdout_custom routines were doing the same thing, so rename process_stdout_custom to process_process_stdout and make process_stdout_cb a wrapper that calls process_process_stdout.
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover: Add --debug to kexec (Geoff Levand, 2018-08-07; 2 files, -0/+6)
  If verbose logging is enabled then add '--debug' to the kexec command line.
  Adds a new routine pb_log_get_debug() that can be used to query the log debug state.
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/log: Switch to pb_log_fn (Geoff Levand, 2018-08-07; 8 files, -41/+41)
  The only functional change should be an additional '\n' to a few log messages that seemed to be missing it.
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/log: Add verbose logging routines (Geoff Levand, 2018-08-07; 2 files, -0/+41)
  Add three new logging routines: pb_log_fn and pb_debug_fn, which print the calling function's name to the log, and pb_debug_fl, which prints the calling function's name and the file line number to the log.
  Signed-off-by: Geoff Levand <geoff@infradead.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/log: Include timestamp prefix (Samuel Mendoza-Jonas, 2018-07-30; 1 file, -0/+11)
  The relative time between logged events is very useful during debugging, particularly when debugging autoboot failures. Prepend a short HH:MM:SS timestamp to each line logged.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/system: Add udhcpc6 (Samuel Mendoza-Jonas, 2018-07-10; 2 files, -0/+2)
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib: Add support and helpers for IPv6 host addresses (Samuel Mendoza-Jonas, 2018-07-10; 4 files, -6/+48)
  Recognise IPv6 addresses and URLs, and allow an interface_info struct to have both an IPv4 and IPv6 address. The addr_scheme() helper returns the address family of a given address.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* protocol: Add definition and serialisation for temporary autoboot (Jeremy Kerr, 2018-07-10; 2 files, -0/+76)
  Add a new message format for a temporarily-applied autoboot setting.
  Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/security: hard_lockdown flag to stop runtime disable of signed boot (Brett Grandbois, 2018-06-12; 2 files, -1/+5)
  Currently if signed-boot is enabled in configure the presence of the LOCKDOWN_FILE is used as a runtime determination to perform the actual verification. In some environments this may be acceptable or even the intended operation but in other environments could be a security hole since the removal of the file will then cause boot task verification.
  Add a 'hard_lockdown' enable flag to generate a HARD_LOCKDOWN preprocessor definition to force the system to always do a signed boot verification for each boot task, in which case a missing file will cause the boot to fail.
  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover: Rescan SCSI devices on reinit (Samuel Mendoza-Jonas, 2018-06-12; 2 files, -0/+2)
  Explicitly rescan SCSI devices on reinit rather than just remounting them in case a device did not init properly on boot.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/security: add in openssl support (Brett Grandbois, 2018-05-30; 7 files, -291/+849)
  Refactor to export a generic API rather than specific gpg_ prefixes by changing gpg.h to security.h and renaming some of the exports. Break out the common and specific functionality into common.c and none.c/gpg.c/openssl.c for no/gpgme/openssl modes respectively.
  gpgme should work as before. OpenSSL support works like this:
  The pb-lockdown file is a PKCS12 file or X509 certificate or PEM-encoded raw public key. To follow the current conventions the presence of a PKCS12 file as a lockdown signals decrypt mode because of the presence of the private key; anything else signals signature verification mode. The keyring path is currently ignored but in the future could be used to point to an X509 certificate chain for validity checking. Because of this self-signed certificates are currently supported and really just used as a public key container.
  Signature verification mode supports:
  * Cryptographic Message Syntax (CMS) as detached S/MIME. This is really more for consistency with the encryption mode (see below). This mode requires the lockdown file to be an X509 certificate. A sample creation command would be:
        openssl cms -sign -in (infile) -out (outfile) -binary -nocerts \
            -inkey (private key) -signer (recipient certificate)
  * Raw signature digest as output from the openssl dgst -sign command. This mode can have the lockdown file be an X509 certificate or a PEM raw public key, but the digest algorithm must be pre-defined by the VERIFY_DIGEST configure argument. The default is SHA256. A sample creation command would be:
        openssl dgst -sign (private key) -out (outfile) -(digest mode) \
            (infile)
  Decryption mode supports:
  * CMS signed-envelope as attached S/MIME. This is for consistency with the current expectation of no external file for decryption. Some future enhancement could be to come up with some proprietary external file format containing the cipher used, the encrypted cipher key, and the IV (if necessary). A sample creation command would be:
        openssl cms -sign -in (infile) -signer (recipient certificate) \
            -binary -nocerts -nodetach -inkey (private key) | \
        openssl cms -encrypt -(cipher mode) -out (outfile) \
            (recipient certificate)
  The PKCS12 file is expecting the private key to have a password of NULL or "" as there is currently no mechanism to supply a custom one.
  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/file: remove mkstemp umask in copy_file_secure_dest (Brett Grandbois, 2018-05-04; 1 file, -3/+0)
  mkstemp will generate the temp file with permissions 0600 so the umask(0644) is causing the file to have permissions of 0000, making signature files unreadable.
  Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/security: Fix broken if statements in gpg_validate_boot_files() (Samuel Mendoza-Jonas, 2018-03-23; 1 file, -2/+4)
  The patch ccb478ac "Add encrypted file support" removes two
      result = KEXEC_LOAD_SIGNATURE_FAILURE;
  statements from after the `if (verify_file_signature)` lines for the kernel and cmdline signatures. This appears to have been a mistake that snuck through testing, and would allow incorrect signatures to pass validation.
  Also fix up some confusing indenting in the decryption section.
  Reported-by: Brett Grandbois <brett.grandbois@opengear.com>
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/file: Avoid off-by-one error in array (Samuel Mendoza-Jonas, 2018-03-23; 1 file, -1/+1)
  Fixes Coverity defect CIDs 143606, 143610
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* Minor fixes for make distcheck (Samuel Mendoza-Jonas, 2018-03-23; 1 file, -0/+1)
  Include the CCAN endian.h header in build sources and change the --with-twin-foo options to default off: most users are not building with libtwin so avoid having configure fail for them.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib: Fix gpg.h path (Samuel Mendoza-Jonas, 2018-03-07; 1 file, -1/+1)
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* ui/ncurses: Spawn shell in exit handler (Samuel Mendoza-Jonas, 2017-10-04; 2 files, -0/+2)
  In cui_on_exit(), instead of exiting the program, spawn a sh instance. This allows the user to drop to the shell and return without losing any custom boot options, for example. SIGINT still calls cui_abort() to properly exit Petitboot.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* lib/flash: Update type of size field (Samuel Mendoza-Jonas, 2017-08-23; 1 file, -2/+2)
  Skiboot commit c043065 "flash: Make size 64 bit safe" updated the prototype of blocklevel_get_info() to use a uint64_t for the size parameter. Update our usage to reflect this.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
* discover: Handle plugin install request (Samuel Mendoza-Jonas, 2017-08-15; 1 file, -0/+1)
  Handle "_PLUGIN_INSTALL" requests from clients. Calling the pb-plugin script from pb-discover ensures different clients don't trip over each other. Successfully installed plugins are automatically communicated back to clients once pb-plugin sends a 'plugin' user event.
  Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>