| Age | Commit message (Collapse) | Author |
|---|
|
rnd.c uses nanotime to get access to some bits that change quickly
between events that it can mix into the entropy pool. it doesn't
use nanotime to get a monotonically increasing set or ordered and
accurate timestamps, it just wants something with bits that change.
there's been discussions for years about letting rnd use a clock
that's super fast to read, but not necessarily accurate, but it
wasn't until recently that i figured out it wasn't interested in
time at all, so things like keeping a fast clock coherent between
cpu cores or correct according to ntp is unecessary. this means we
can just let rnd read the cycle counters on cpus and things will
be fine. cpus with cycle counters that vary in their speed and
arent kept consistent between cores may even be desirable in this
context.
so this is the first step in converting rnd.c to reading cycle
counter. it copies the nanotime backend to each arch, and they can
replace it with something MD as a second step later on.
djm@ suggested rnd_messybytes, but we landed on cpu_rnd_messybits.
thanks to visa for his eyes.
ok deraadt@ visa@
deraadt@ says he will help handle any MD fallout that occurs.
|
|
conversion steps). it only contains kernel prototypes for 4 interfaces,
all of which legitimately belong in sys/systm.h, which are already included
by all enqueue_randomness() users.
|
|
Nothing uses the header anymore.
OK deraadt@ mpi@
|
|
(fchmod +T by bootcode, chmod 600 by /etc/rc). If the seed is reused, and
HWRNG isn't available, the kernel won't get RB_GOODSEED indication...
|
|
relax the fstat() check because the system will have left the file
in the right mode.
ok visa kettenis
|
|
|
|
|
|
miod@ agrees this can go
|
|
|
|
These were removed from files.alpha 1.105 in 2017 and the rcons bits
they reference were removed in 2006.
removal suggested by miod@
|
|
This shrinks the ramdisks a tiny bit.
|
|
ok deraadt@, mpi@, visa@
ok cheloha@ as well (would have preferred in new file for this code)
|
|
amd64/arm64/armv7/hppa/i386/landisk/macppc/mips64/sparc64 and move it to
the end of machdep.c. Wrap the existing clockfns hooks into something
that can be used as a todr_handle.
ok deraadt@
|
|
|
|
custom installboot to deal with ffs2. While there, fix the partition
read code to deal with offsets > 2G; ok deraadt@
|
|
messages do have the newline already.
OK anton@ kettenis@
|
|
ok visa@, kettenis@, deraadt@
|
|
i was lazy and just put them at the end of the existing set. fyi,
i think major 51 is free on all archs if anyone is looking for
another one.
ok claudio@
|
|
While FIDO/U2F keys were already supported by the generic uhid(4)
driver, this driver adds the first step to tighten the security of
FIDO/U2F access. Specifically, users don't need read/write access to
all USB/HID devices anymore and the driver also improves integration
with pledge(2) and unveil(2): It is pledge-friendly because it doesn't
require any ioctls to discover the device and unveil-friendly because
it uses a single /dev/fido/* directory for its device nodes.
It also allows to support FIDO/U2F in firefox without further
weakening the "sandbox" of the browser. Firefox does not have a
proper privsep design and many operations, such as U2F access, are
handled directly by the main process. This means that the browser's
"fat" main process needs direct read/write access to all USB HID
devices, at least on other operating systems. With fido(4) we can
support security keys in Firefox under OpenBSD without such a
compromise.
With this change, libfido2 stops using the ioctl to query the device
vendor/product and just assumes "OpenBSD" "fido(4)" instead. The
ioctl is still supported but there was no benefit in obtaining the
vendor product or name; it also allows to use libfido2 under pledge.
With feedback from deraadt@ and many others
OK kettenis@ djm@ and jmc@ for the manpage bits
|
|
OK deraadt@
|
|
retguard and similar when profiling. However, that missed all the .S files,
as ${PROF} wasn't added when ${NORMAL_S} was converted from direct invocation
of ${AS} to instead use ${CC}. Similarly, mcount.o still had retguards
as it cannot be built with -pg. So: pass ${PROF} when compiling .S files,
and compile "no profiling" files with -fno-ret-protector on archs with
retguard.
feedback and ok mpi@ mortimer@
|
|
|
|
ok jasper@, deraadt@
|
|
section, which has grown a fair bit with the introduction of retguard.
Mortimer discovered the repeated 512-byte sequence as retguard keys, and
this resolves the issue. (Chacha does not fit on the media, so 1.5K early
drop RC4 is hopefully sufficient in our KARL link universe)
Version crank the bootblocks. sysupgrade -s will install new bootblocks.
ok djm mortimer
|
|
userret() must be called on trap() exit to deliver it, rather than
repeating the same cause infinitely. discovered by George Koehler
ok kettenis bluhm visa
|
|
|
|
so the file cannot be re-executed upon the next boot. This provides a
stronger one-shot-upgrade model than the upgrade script's rm /bsd.upgrade.
Now various forms of upgrade failure will reboot into /bsd, which is probably
more recoverable. Performing fchmod -x depends on (1) use of MI boot.c
(not alpha/macppc/sparc64/sgi/octeon) and (2) "can write blocks" functionality
in the IO layer. Most architectures have this support now.
Two diagnostics "fchmod a-x %s: failed" and "/bsd.upgrade is not u+x" will
remain in the tree while refinements happen for some of the laggard
architectures.
based upon a discussion florian
tested in snapshots for more than a week without any complaints
|
|
then ran into the messaging being poor. Then I fixed the messages. But
there are two sub-cases of sp-not-MAP_STACK -- one at syscall time, and
another at regular userland trap (on some architectures), and I bungled
that messaging. Correct that now, while I look for yet another better way...
discovered by millert, who ran an pre-MAP_STACK binary.
|
|
Use install -F to instead of cp, for fsync(2). Coupled with the new
sync(8) in the reorder_kernel script, the window for a incomplete /bsd
file on-disk due to a crash has now shrunk substantially.
Discussion with kettenis, millert and tedu
|
|
Lookup the address that a syscall instruction is executed from, and kill
the process if that page is writeable. This brings an aspect of W^X
behaviour to W|X mappings (in JITs not yet adapted to W^X). The goal is
to remove simple attack methods and force use of ret2libc or other more
complicated means.
ok kettenis stefan visa
|
|
From miod@
|
|
ok deraadt@
|
|
tightly-built ramdisk kernels, set the option in per-arch Makefile.inc
based upon SMALL_KERNEL
|
|
details from the ELF header instead of faking it.
Proposal from mlarkin, tested on most architectures already
|
|
ok deraadt
|
|
Reminded by deraadt@
|
|
As of usr.bin/xinstall/install.c revision 1.68, -S is a no-op and
install(1) will always create files safely, thus clean the option usage
from the tree.
Diff from Lauri Tirkkonen <lotheac at iki dot fi>, thanks.
|
|
including cpu.h machine/intr.h etc without first including param.h when
MULTIPROCESSOR is defined.
ok visa@
|
|
4MB which is far too low especially when the platform is able to run MP.
New limits are, amd64 = 256M; arm64, mips64, sparc64 = 64M; alpha, arm,
hppa, i386, powerpc = 32M; m88k, sh = 8M
Still rather conservative numbers but much better than before. At least
some hangs of arm64 build boxes was caused by this.
OK kettenis@, visa@
|
|
|
|
Based on a submisison from Jan Klemkow.
|
|
OK deraadt@ mpi@
|
|
instead of passing sendsig() the code+type+val, pass a siginfo_t*
to copy from. Eliminate the indirection through struct emul for
sendsig(); we no longer have a SunOS4-compat version of sendsig()
ok deraadt@
|
|
ok kettenis@
|
|
ok guenther, jmc, tom, millert, deraadt
|
|
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_attr_setstack() are modified
to create a MAP_STACK sub-region which satisfies alignment requirements.
Observe that MAP_STACK can only be set/cleared by mmap(), which zeroes the
contents of the region -- there is no mprotect() equivalent operation, so
there is no MAP_STACK-adding gadget.
This opportunistic software-emulation of a stack protection bit makes
stack-pivot operations during ROPchain fragile (kind of like removing a
tool from the toolbox).
original discussion with tedu, uvm work by stefan, testing by mortimer
ok kettenis
|
|
It would be better if this was filled in at trap time.
ok guenther
|
|
Extend the logic already present for panic() to any DDB-related
operation such that if ddb(4) is entered because of a fault or
other trap it is still possible to call 'boot reboot'.
While here stop printing splassert() messages as well, to not fill
the buffer.
ok visa@, deraadt@
|
|
needs (looking at you sgi, but others required this before). This is for
the circumstances we need pagesize known at compile time, not getpagesize()
runtime. Use it for malloc storage sizes, for shm, and to set pthread stack
default sizes. The stack sizes were a mess, and pushing them towards
page-aligned is healthy move (which will also be needed by the coming
stack register checker)
ok guenther kettenis, discussion with stefan
|
|
The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer mess with a per-process field.
No objection from millert@, ok tedu@, bluhm@
|
