svn commit: r358744 - in head: lib/libsecureboot lib/libsecureboot/h lib/libsecureboot/tests share/mk stand stand/common stand/efi/loader stand/efi/loader/arch/i386 stand/ficl stand/i386/libi386 st...
O. Hartmann
ohartmann at walstatt.org
Mon Mar 9 09:06:27 UTC 2020
On Mon, 9 Mar 2020 07:05:46 +0100
"O. Hartmann" <ohartmann at walstatt.org> wrote:
> On Sun, 8 Mar 2020 17:42:43 +0000 (UTC)
> "Simon J. Gerraty" <sjg at FreeBSD.org> wrote:
>
> > Author: sjg
> > Date: Sun Mar 8 17:42:42 2020
> > New Revision: 358744
> > URL: https://svnweb.freebsd.org/changeset/base/358744
> >
> > Log:
> > veloader use vectx API for kernel and modules
> >
> > The vectx API, computes the hash for verifying a file as it is read.
> > This avoids the overhead of reading files twice - once to verify, then
> > again to load.
> >
> > For doing an install via loader, avoiding the need to rewind
> > large files is critical.
> >
> > This API is only used for modules, kernel and mdimage as these are the
> > biggest files read by the loader.
> > The reduction in boot time depends on how expensive the I/O is
> > on any given platform. On a fast VM we see 6% improvement.
> >
> > For install via loader the first file to be verified is likely to be the
> > kernel, so some of the prep work (finding manifest etc) done by
> > verify_file() needs to be factored so it can be reused for
> > vectx_open().
> >
> > For missing or unrecognized fingerprint entries, we fail
> > in vectx_open() unless verifying is disabled.
> >
> > Otherwise fingerprint check happens in vectx_close() and
> > since this API is only used for files which must be verified
> > (VE_MUST) we panic if we get an incorrect hash.
> >
> > Reviewed by: imp,tsoome
> > MFC after: 1 week
> > Sponsored by: Juniper Networks
> > Differential Revision: https://reviews.freebsd.org//D23827
> >
> > Modified:
> > head/lib/libsecureboot/h/libsecureboot.h
> > head/lib/libsecureboot/h/verify_file.h
> > head/lib/libsecureboot/tests/tvo.c
> > head/lib/libsecureboot/vectx.c
> > head/lib/libsecureboot/verify_file.c
> > head/share/mk/src.opts.mk
> > head/stand/common/bootstrap.h
> > head/stand/common/interp_forth.c
> > head/stand/common/interp_simple.c
> > head/stand/common/load_elf.c
> > head/stand/common/load_elf_obj.c
> > head/stand/common/misc.c
> > head/stand/common/module.c
> > head/stand/efi/loader/arch/i386/i386_copy.c
> > head/stand/efi/loader/copy.c
> > head/stand/efi/loader/loader_efi.h
> > head/stand/efi/loader/main.c
> > head/stand/ficl/loader.c
> > head/stand/i386/libi386/i386_copy.c
> > head/stand/i386/libi386/libi386.h
> > head/stand/i386/loader/chain.c
> > head/stand/libofw/libofw.h
> > head/stand/libofw/ofw_copy.c
> > head/stand/loader.mk
> > head/stand/mips/beri/loader/arch.c
> > head/stand/powerpc/kboot/main.c
> > head/stand/uboot/lib/copy.c
> > head/stand/uboot/lib/libuboot.h
> > head/stand/userboot/userboot/copy.c
> > head/stand/userboot/userboot/libuserboot.h
> >
> > To unsubscribe, send any mail to "svn-src-head-unsubscribe at freebsd.org"
> [... deleted ...]
>
>
> buildworld seems to be broken on this commit:
>
> [...]
> --- all_subdir_stand ---
> --- lstd.o ---
> /usr/src/stand/liblua/lstd.c:86:44: error: too few arguments to function call,
> expected 5, have 4 if (verify_file(fd, filename, 0, VE_GUESS) < 0) {
> ~~~~~~~~~~~ ^
> /usr/src/lib/libsecureboot/h/verify_file.h:50:1: note: 'verify_file' declared
> here int verify_file(int, const char *, off_t, int, const char *);
> ^
> 1 error generated.
> [...]
>
> Building host is CURRENT, FreeBSD 13.0-CURRENT #118 r358695: Fri Mar 6
> 12:48:00 CET 2020 amd64:
>
> kind regards,
>
> oh
> _______________________________________________
> svn-src-head at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/svn-src-head
> To unsubscribe, send any mail to "svn-src-head-unsubscribe at freebsd.org"
The problem reported seems to occur when WITH_BEARSSL=YES is enabled in
/etc/src.conf.
More information about the svn-src-head
mailing list