A few places where we print out the response buffer from an IPMI command
weren't updated when log timestamps were added, resulting in very hard
to read output. Add a little helper to format buffers and use it to
print these with only one timestamp.
The ncurses UI sets a few console options at startup that are needed for
ncurses to work properly. These aren't reset however and can lead to
quirks like the cursor being invisible after kexecing to the next
kernel.
The UI process doesn't have time to reset these when it is killed by
kexec, so instead add a 'boot_active' field to status updates. This is
set by boot.c's update handler so the UI can assume it is about to boot
if it receives a status update with this field, and resets the console
options. If the boot is cancelled for any reason the status update will
reflect that and the console options are restored.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
discover: Reimplement native-parser as a Bison parser
Occasionally you look at some code and realise that a) this never gets
built, and b) even if it did it would never compile. Today's example is
native-parser.c which we must have just assumed worked for quite a
while.
The native parser has bitrotted entirely and needs to be brought up to
date. While we're here, let's take the chance to implement a proper
grammar for it. This helps us reason more effectively about the parser,
lets us extend it easily in the future, and... I wanted to write a Bison
parser too.
This implements most of the old functionality, but drops off some
smaller details like settings icons, which need some separate attention
to bring up to date.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
In more recent firmware images built by op-build the VERSION partition
is signed, and includes a 'secure header'. Check for this and skip it if
found so we parse the version strings properly.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
To avoid sending all the files in the top most project
directory tree down to the docker daemon, change into
the docker directory when running 'docker build'.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
docker: Allow CC and make command to be customised
Allow CC to be passed through to change the default compiler, and also
allow the invocation of 'make' to be customised. An example use case of
this is to set CC=/usr/bin/clang and use
--make-command 'scan-build make' to build Petitboot with the clang
static analyzer.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
The kboot parser doesn't set a default option. Change it so that if we
see the 'default' parameter we match against this value when deciding if
an option should be set as default.
discover/device-handler: Restore autoboot setting on requery
When a device requery is triggered we cancel any default boot option on
the device. This also disables autoboot which we don't want; any boot
options found after the requery will not be able to autoboot.
To avoid this restore the existing autoboot setting after checking for
default options.
This prevents a particular corner case where a default boot option has
been selected for boot but one of its boot files has stalled or is
taking more time to download than the requery timeout and the requery
accidentally cancels autoboot preventing Petitboot from trying to boot
again.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Brett Grandbois [Sun, 26 Aug 2018 22:17:20 +0000 (08:17 +1000)]
ui/ncurses: in lockdown ensure system reboot in ncurses menu exit
In a lockdown situation in the ncurses menu there is a switch to replace
the 'Exit to shell' option with 'Reboot', so the intent seems to be to
not allow the user the option to exit to shell in a lockdown situation.
However the associated forced reboot logic is in the process atexit so
is only triggered when completely exiting the menu system. The default
menu item logic to exit to shell is still in place though so the menu
exit never occurs and shell access is still available.
Add a switch to a different menu exit callback to force a menu abort
using the same mechanism as a signal in lockdown situations so the shell
can never be entered. This also affects the 'x' or esc shortcut keys.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
If a 'name' parameter is used for a boot user event, search existing
boot options for one that matches that name on the given device.
This allows a pb-event user to boot based on name rather than having to
specify the exact boot arguments.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Geoff Levand [Fri, 17 Aug 2018 17:59:33 +0000 (10:59 -0700)]
travis: Update to job matrix
o Set language to bash (same as generic), so just the
script steps run.
o Move build-builder to 'before_script'.
o Switch to a job matrix of 'os' entries with names.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Geoff Levand [Fri, 10 Aug 2018 17:29:14 +0000 (17:29 +0000)]
lib/efi: Add new struct efi_mount
To make it easier to manage EFI variables add a new struct efi_mount
that holds the path to the EFI file system mount and the EFI variable
name GUID. Update the lib/efi routines to use struct efi_mount. Add
a new routine efi_check_mount based on the checks done in
platform-arm64.
This change to using struct efi_mount removes the static variable
efivarfs_path making the lib/efi routines stateless.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Geoff Levand [Wed, 8 Aug 2018 20:24:50 +0000 (13:24 -0700)]
lib/talloc: Fix TALLOC_ABORT
The current TALLOC_ABORT macro had a number of problems.
Failures were not going to the pb log, but only to stderr.
If the object passed in was not a talloc object the printing
of an object name would be printing random data.
The use of a macro obscured the code.
To clean this up, remove all reference to TALLOC_ABORT and
put the logging and abort calls directly into talloc_chunk_from_ptr.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Ge Song [Thu, 2 Aug 2018 17:29:41 +0000 (17:29 +0000)]
discover: Add platform-arm64
Signed-off-by: Ge Song <ge.song@hxt-semitech.com>
[Split from a larger patch and cleaned up]
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Geoff Levand [Thu, 2 Aug 2018 17:29:40 +0000 (17:29 +0000)]
discover: Add platform-dummy
With the new configure enable-platform parameters it is possible to
configure no platform support. Add a new minimal 'dummy' platform
so that the __start_platforms and __stop_platforms variables needed
by platform_init are created.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Ge Song [Thu, 2 Aug 2018 17:29:39 +0000 (17:29 +0000)]
discover: Move generic params routines to platform
Move the generic params routines from platform-powerpc to platform.
Also, for clarity, add a params prefix to the names.
Signed-off-by: Ge Song <ge.song@hxt-semitech.com>
[Split from a larger patch and cleaned up]
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Ge Song [Thu, 2 Aug 2018 17:29:39 +0000 (17:29 +0000)]
discover: Move generic config routines to platform
Move the generic config routines from platform-powerpc to platform.
Also, for clarity, add a config_ prefix to the names.
Signed-off-by: Ge Song <ge.song@hxt-semitech.com>
[Split from a larger patch and cleaned up]
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Ge Song [Thu, 2 Aug 2018 17:29:38 +0000 (17:29 +0000)]
discover/powerpc: Rearrange save_config
Rearrange update_config and save_config so that update_config
only operates on the platform params list.
Signed-off-by: Ge Song <ge.song@hxt-semitech.com>
[Split from a larger patch and cleaned up]
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Ge Song [Thu, 2 Aug 2018 17:29:37 +0000 (17:29 +0000)]
discover: Move generic ipmi routines to ipmi
Signed-off-by: Ge Song <ge.song@hxt-semitech.com>
[Split from a larger patch]
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Geoff Levand [Thu, 2 Aug 2018 17:29:36 +0000 (17:29 +0000)]
lib/efi: Cleanup read/write routines
Make a new structure struct efi_data to hold the info that describes
an efi variable. Make a common routine efi_open that opens the efi
variable file. Switch the efi get/set/del routines over to use
efi_open.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Ge Song [Thu, 2 Aug 2018 17:29:36 +0000 (17:29 +0000)]
lib/efi: Add new routines to access efi variables
Provide methods to load/store petitboot's configuration on efi-based
platforms. A test case is also provided.
Signed-off-by: Ge Song <ge.song@hxt-semitech.com>
[Cleanup file comments, make efivarfs_path static.]
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Geoff Levand [Thu, 2 Aug 2018 17:29:35 +0000 (17:29 +0000)]
lib/process: Add process_get_stdout
Add a new structure 'struct process_stdout' and optional parameter
'stdout' to the process_run_simple functions to allow the caller
to get a buffer filled with the stdout from the child process.
Rename the process_run_simple functions to process_get_stdout
and add wrappers for the old process_run_simple function names.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Geoff Levand [Thu, 2 Aug 2018 17:29:35 +0000 (17:29 +0000)]
lib/process: Cleanup stdout callback
General cleanup of async stdout processing.
The process_stdout_cb and process_stdout_custom routines were doing the
same thing, so rename process_stdout_custom to process_process_stdout
and make process_stdout_cb a wrapper that calls process_process_stdout.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Geoff Levand [Thu, 2 Aug 2018 17:29:34 +0000 (17:29 +0000)]
discover: Add --debug to kexec
If verbose logging is enabled then add '--debug' to the kexec command line.
Adds a new routine pb_log_get_debug() that can be used to query the log
debug state.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Geoff Levand [Thu, 2 Aug 2018 17:29:33 +0000 (17:29 +0000)]
lib/log: Add verbose logging routines
Add three new logging routines pb_log_fn and pb_debug_fn, which
print the calling function's name to the log, and pb_debug_fl
which prints the calling function's name and the file line
number to the log.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
The relative time between logged events is very useful during debugging,
particularly when debugging autoboot failures. Prepend a short HH:MM:SS
timestamp to each line logged.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Geoff Levand [Thu, 24 May 2018 00:25:57 +0000 (17:25 -0700)]
jenkins: Add build jobs
Adds two Jenkins pipeline jobs pb-upstream-trigger and pb-build-matrix.
pb-upstream-trigger checks for upstream updates and runs
pb-build-matrix. pb-build-matrix builds a pb-builder image and runs the
build-pb script.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
discover: Determine connectivity with getaddrinfo()
Use getaddrinfo() to determine if a remote URL is reachable instead of
only checking if we have an address configured. This avoids, for
example, trying to load an IPv4 URL when only an IPv6 address is
available.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
lib: Add support and helpers for IPv6 host addresses
Recognise IPv6 addresses and URLs, and allow an interface_info struct to
have both an IPv4 and IPv6 address.
The addr_scheme() helper returns the address family of a given address.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Jeremy Kerr [Tue, 3 Jul 2018 06:24:58 +0000 (16:24 +1000)]
discover: implement a periodic requery for network devices
If we boot a machine before external (network) dependencies are properly
configured, it will have tried once to download configuration, and
possibly failed due to that configuration not being present.
This change introduces a periodic requery of network resources. After a
timeout, petitboot will either re-acquire its DHCP lease (causing any
downloads to be re-processed, possibly with different parameters from
the new lease), or re-download a statically defined URL.
This timeout defaults to five minutes (similar to pxelinux), and is
configurable by DHCP option 211, "reboot time".
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
[added test stub] Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
discover/user-event: Check for required parameters
Check for some required parameters in the 'dhcp' handler, and in the
'add' handler return an error if parse_user_event() fails rather than
charging ahead into a segfault.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
The fields from a BootLoaderSpec file can contain environment variables;
in GRUB 2 these are shown verbatim and are evaluated later when an entry
is selected. But on Petitboot these have to be expanded before creating
the GRUB 2 resources, and the values shown in the UI are those after the
evaluation.
The current blscfg handler had very limited support for variables: it
only supported the options field and also didn't take into account
that variables could be mixed with literal values.
So for example the following fields were not expanded correctly:
linux $bootprefix/vmlinuz
options $kernelopts foo=bar
options foo=bar $kernelopts
options $kernelopts $debugopts
Also change some of the tests to cover mixing variables and literals.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
discover/grub: Use different paths to search for the BLS directory
Currently the BLS fragments are only searched in the /loader/entries
directory, but this assumes that there is a boot partition mounted
in /boot. This may not always be the case, /boot may not be a mount
point and just a directory inside the root partition.
To cover this case, Petitboot tries to find a GRUB 2 config file in
different paths. So let's do the same for the BLS files directory.
Also change some of the unit tests to use /boot/loader/entries as a
BLS directory instead of /loader/entries.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
test/parser: Make parser_scandir() ignore files with path len less than dir
Both the test files and directories added into the test harness are stored
into the same file list. So the parser_scandir() stub compares the absolute
file path of the files and the directory to scan, to know if a file belongs
to the directory.
Files whose absolute file path length isn't bigger than the directory to
scan should just be ignored, since it means they can't be from that dir.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
In signed-boot environments consistent handling of kernel commandline
options is essential as they must be pre-signed. In the syslinux parser
ensure that in the absence of a global APPEND they are processed
exactly as found and not with the leading space that the current APPEND
processing has as a shortcut.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Brett Grandbois [Sun, 10 Jun 2018 21:36:58 +0000 (07:36 +1000)]
lib/security: hard_lockdown flag to stop runtime disable of signed boot
Currently if signed-boot is enabled in configure the presence of the
LOCKDOWN_FILE is used as a runtime determination to perform the actual
verification. In some environments this may be acceptable or even the
intended operation but in other environments could be a security hole
since the removal of the file will then cause boot task verification.
Add a 'hard_lockdown' enable flag to generate a HARD_LOCKDOWN
preprocessor definition to force the system to always do a signed boot
verification for each boot task, which in the case of a missing file the
boot will fail.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
GCC 8 produces the following warning for network.c:
In function ‘network_handle_nlmsg’,
inlined from ‘network_netlink_process’ at ../discover/network.c:726:3:
../discover/network.c:568:3: warning: ‘strncpy’ output may be truncated copying 15 bytes from a string of length 16 [-Wstringop-truncation]
strncpy(interface->name, ifname, sizeof(interface->name) - 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../discover/network.c:586:3: warning: ‘strncpy’ output may be truncated copying 15 bytes from a string of length 16 [-Wstringop-truncation]
strncpy(interface->name, ifname, sizeof(interface->name) - 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The code is safe since interface is allocated with talloc_zero() and we
could use -Wno-stringop-truncation to hide this but since this is the
only offender instead just copy the whole IFNAMSIZ bytes and explicitly
terminate the ifname buffer to be safe.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Brett Grandbois [Tue, 15 May 2018 00:55:49 +0000 (10:55 +1000)]
lib/security: add in openssl support
Refactor to export a generic API rather than specific gpg_ prefixes by
changing gpg.h to security.h and renaming some of the exports.
Break out the common and specific functionality into common.c and
none.c/gpg.c/openssl.c for no/gpgme/openssl modes respectively.
gpgme should work as before.
OpenSSL support works like this:
The pb-lockdown file is a PKCS12 file or X509 certificate or PEM-encoded
raw public key. To follow the current conventions the presence of a
PKCS12 file as a lockdown signals decrypt mode because of the presence
of the private key, anything else signals signature verification mode.
The keyring path is currently ignored but in the future could be used to
point to an X509 certificate chain for validity checking. Because of
this self-signed certificates are currently supported and really just
used as a public key container.
Signature verification mode supports:
* Cryptographic Message Syntax (CMS) as detached S/MIME, this is really
more for consistency for the encryption mode (see below). This mode
requires the lockdown file to be an X509 certificate.
* Raw signature digest as output from openssl dgst -sign command. This
mode can have the lockdown file be an X509 certificate or a PEM raw
public key but the digest algorithm must be pre-defined by the
VERIFY_DIGEST configure argument. The default is SHA256.
A sample creation command would be:
openssl dgst -sign (private key) -out (outfile) -(digest mode) \
(infile)
Decryption mode supports:
* CMS signed-envelope as attached S/MIME. This is for consistency with
the current expectation of no external file for decryption. Some
future enhancement could be to come up with some proprietary external
file format containing the cipher used, the encrypted cipher key, and
the IV (if necessary).
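As an added example, not part of this commit or of Petitboot's lib/security code: the raw-signature mode described above, exercised end to end with the openssl CLI. It assumes openssl is on PATH, uses a constructed signer key, a constructed PEM public key as the lockdown file and a constructed boot file, and fixes the digest to SHA256 as the VERIFY_DIGEST default does.

```shell
#!/bin/sh
# Added example (not Petitboot code). Sign a constructed boot file with
# `openssl dgst -sign`, as the sample creation command above does, then
# perform the check a verifier in signature-verification mode must do:
# `openssl dgst -verify` against the PEM raw public key acting as the
# lockdown file. A tampered copy of the file must be rejected.
# Assumptions: openssl on PATH; digest fixed to sha256 (VERIFY_DIGEST).
set -e

# Scratch directory so no real lockdown file or keyring is touched.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed signer private key and the derived PEM public key that
# plays the role of the pb-lockdown file (selects verification mode).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/signer.key" 2>/dev/null
openssl pkey -in "$WORK/signer.key" -pubout -out "$WORK/pb-lockdown"

# Constructed boot artefact standing in for a kernel image.
printf 'constructed boot file contents\n' > "$WORK/vmlinuz"

# Sign: the sample command with its placeholders filled in, producing a
# detached raw signature next to the file.
sign_boot_file() {
    openssl dgst -sign "$WORK/signer.key" -out "$1.sig" -sha256 "$1"
}

# Verify: exit status 0 only when the detached signature matches the
# file under the lockdown public key; any other outcome is non-zero.
verify_boot_file() {
    openssl dgst -verify "$WORK/pb-lockdown" -signature "$1.sig" \
        -sha256 "$1" >/dev/null 2>&1
}

sign_boot_file "$WORK/vmlinuz"

# The untouched file verifies.
if verify_boot_file "$WORK/vmlinuz"; then INTACT=ok; else INTACT=bad; fi

# A modified file carrying the original signature must not verify.
printf 'tampered boot file contents\n' > "$WORK/vmlinuz.tampered"
cp "$WORK/vmlinuz.sig" "$WORK/vmlinuz.tampered.sig"
if verify_boot_file "$WORK/vmlinuz.tampered"; then
    TAMPERED=accepted
else
    TAMPERED=rejected
fi

echo "intact: $INTACT, tampered: $TAMPERED"
```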
Brett Grandbois [Tue, 15 May 2018 00:55:48 +0000 (10:55 +1000)]
configure: Add signed-boot openssl configuration support
Change the with-signed-boot option to take the following values:
no - disable signed boot (as before)
gpgme - configure for gpgme, fail if not found
openssl - configure for openssl, fail if not found
yes - look first for gpgme then openssl using first found, fail on none
this should behave as before if gpgme has been installed
fail on any other invalid options
add in the ax_check_openssl.m4 macro to facilitate openssl probing
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>