| Age | Commit message (Collapse) | Author |
|---|
|
time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.
This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).
There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.
There is no performance cost on 64-bit (__LP64__) platforms.
With input from visa@, dlg@, and tedu@.
Several bugs squashed by visa@.
ok kettenis@
|
|
Use CP0 Count as a basis. Also take noise from virtual memory activity
by including BadVAddr.
OK deraadt@ dlg@
|
|
rnd.c uses nanotime to get access to some bits that change quickly
between events that it can mix into the entropy pool. it doesn't
use nanotime to get a monotonically increasing set or ordered and
accurate timestamps, it just wants something with bits that change.
there's been discussions for years about letting rnd use a clock
that's super fast to read, but not necessarily accurate, but it
wasn't until recently that i figured out it wasn't interested in
time at all, so things like keeping a fast clock coherent between
cpu cores or correct according to ntp is unecessary. this means we
can just let rnd read the cycle counters on cpus and things will
be fine. cpus with cycle counters that vary in their speed and
arent kept consistent between cores may even be desirable in this
context.
so this is the first step in converting rnd.c to reading cycle
counter. it copies the nanotime backend to each arch, and they can
replace it with something MD as a second step later on.
djm@ suggested rnd_messybytes, but we landed on cpu_rnd_messybits.
thanks to visa for his eyes.
ok deraadt@ visa@
deraadt@ says he will help handle any MD fallout that occurs.
|
|
conversion steps). it only contains kernel prototypes for 4 interfaces,
all of which legitimately belong in sys/systm.h, which are already included
by all enqueue_randomness() users.
|
|
Nothing uses the header anymore.
OK deraadt@ mpi@
|
|
If rsize is NULL, do not update the variable. Otherwise the bootloader
will crash when it invokes libsa's fchmod().
This lets the bootloader work again after the recent loadrandom()
change. The fix should also improve the chances of sysupgrade(8) on
loongson.
Note that pmon_iostrategy() does not allow writing. fchmod() will fail
but does not prevent boot.
|
|
the Yeelong Lemote mips-based netbook. Kernel bits only for now, needs
polishing; most of this work done during h2k9 last month, although the
porting effort started earlier this year.
|
|
|
|
Tested on Yeeloong.
Looks good to miod@
|
|
Looks good to miod@
|
|
the Yeelong Lemote mips-based netbook. Kernel bits only for now, needs
polishing; most of this work done during h2k9 last month, although the
porting effort started earlier this year.
|
|
the Yeelong Lemote mips-based netbook. Kernel bits only for now, needs
polishing; most of this work done during h2k9 last month, although the
porting effort started earlier this year.
|
|
miod explained it was initially a long as it was thought drivers may
need to allocate storage but in practice they don't need more than
32 bits for an attribute.
suggested and reviewed by miod@
|
|
Suggested by John Carmack. miod agrees a rename would make sense and
explained it was initially thought drivers may need to allocate storage
but in practice they don't need more than 32 bits for an attribute.
ok mpi@
|
|
bus_space_read_region_n, bus_space_write_region_n and
bus_space_set_region_n functions were all broken.
Same fix as arm64; Thanks to patrick@ for noting that mips64 had the same
code.
ok visa@
|
|
for example, with locking assertions.
OK mpi@, anton@
|
|
|
|
|
|
adding more filter properties without cluttering the struct.
OK mpi@, anton@
|
|
Test & ok visa@. Sadly his Lemote doesn't come back from sleep, with or
without this change.
|
|
i was lazy and just put them at the end of the existing set. fyi,
i think major 51 is free on all archs if anyone is looking for
another one.
ok claudio@
|
|
The design is fairly simple: events, in the form of descriptors on a
ring, are being produced in any kernel context and being consumed by
a userland process reading /dev/dt.
Code and hooks are all guarded under '#if NDT > 0' so this commit
shouldn't introduce any change as long as dt(4) is disable in GENERIC.
ok kettenis@, visa@, jasper@, deraadt@
|
|
make the structs const so that the data are put in .rodata.
OK mpi@, deraadt@, anton@, bluhm@
|
|
OK mpi@
|
|
|
|
While FIDO/U2F keys were already supported by the generic uhid(4)
driver, this driver adds the first step to tighten the security of
FIDO/U2F access. Specifically, users don't need read/write access to
all USB/HID devices anymore and the driver also improves integration
with pledge(2) and unveil(2): It is pledge-friendly because it doesn't
require any ioctls to discover the device and unveil-friendly because
it uses a single /dev/fido/* directory for its device nodes.
It also allows to support FIDO/U2F in firefox without further
weakening the "sandbox" of the browser. Firefox does not have a
proper privsep design and many operations, such as U2F access, are
handled directly by the main process. This means that the browser's
"fat" main process needs direct read/write access to all USB HID
devices, at least on other operating systems. With fido(4) we can
support security keys in Firefox under OpenBSD without such a
compromise.
With this change, libfido2 stops using the ioctl to query the device
vendor/product and just assumes "OpenBSD" "fido(4)" instead. The
ioctl is still supported but there was no benefit in obtaining the
vendor product or name; it also allows to use libfido2 under pledge.
With feedback from deraadt@ and many others
OK kettenis@ djm@ and jmc@ for the manpage bits
|
|
inspect the memory layout that the firmware has created. It is
especially useful for UEFI debugging.
OK deraadt@ kettenis@
|
|
and not just ".openbsd.randomdata.retguard". Accept both in the kernel
ldscripts so that they're placed together between the __retguard_{start,end}
symbols.
Similarly, match not just ".openbsd.randomdata" but also
".openbsd.randomdata.*" to pick up other random (pun intended) items.
While here, stub in those retguard bits into all the ldscripts.
ok deraadt@
|
|
retguard and similar when profiling. However, that missed all the .S files,
as ${PROF} wasn't added when ${NORMAL_S} was converted from direct invocation
of ${AS} to instead use ${CC}. Similarly, mcount.o still had retguards
as it cannot be built with -pg. So: pass ${PROF} when compiling .S files,
and compile "no profiling" files with -fno-ret-protector on archs with
retguard.
feedback and ok mpi@ mortimer@
|
|
section, which has grown a fair bit with the introduction of retguard.
Mortimer discovered the repeated 512-byte sequence as retguard keys, and
this resolves the issue. (Chacha does not fit on the media, so 1.5K early
drop RC4 is hopefully sufficient in our KARL link universe)
Version crank the bootblocks. sysupgrade -s will install new bootblocks.
ok djm mortimer
|
|
|
|
of soft interrupts are lower than priorities of hard interrupts.
This allows the delivery of hard interrupts while soft interrupts
are masked.
|
|
|
|
|
|
so the file cannot be re-executed upon the next boot. This provides a
stronger one-shot-upgrade model than the upgrade script's rm /bsd.upgrade.
Now various forms of upgrade failure will reboot into /bsd, which is probably
more recoverable. Performing fchmod -x depends on (1) use of MI boot.c
(not alpha/macppc/sparc64/sgi/octeon) and (2) "can write blocks" functionality
in the IO layer. Most architectures have this support now.
Two diagnostics "fchmod a-x %s: failed" and "/bsd.upgrade is not u+x" will
remain in the tree while refinements happen for some of the laggard
architectures.
based upon a discussion florian
tested in snapshots for more than a week without any complaints
|
|
Use install -F to instead of cp, for fsync(2). Coupled with the new
sync(8) in the reorder_kernel script, the window for a incomplete /bsd
file on-disk due to a crash has now shrunk substantially.
Discussion with kettenis, millert and tedu
|
|
ok deraadt@
|
|
memcpy() correct behaviour. This also brings the bcopy() macro into line.
|
|
tightly-built ramdisk kernels, set the option in per-arch Makefile.inc
based upon SMALL_KERNEL
|
|
linux 4.19.34.
Adds support for more Intel hardware:
Broxton/Apollo Lake (was is_preliminary in 4.4)
Amber Lake (another Kaby Lake refresh)
Gemini Lake
Coffee Lake
Whiskey Lake
Cannon Lake (though no hardware with Intel graphics ever shipped)
Ice Lake (alpha support, hardware not released)
This does not add support for new radeon hardware on the AMD side as
newer radeons have a different kernel driver (amdgpu).
Thanks to the OpenBSD Foundation for sponsoring this work, kettenis@ for
helping and a bunch of other developers for testing.
|
|
|
|
details from the ELF header instead of faking it.
Proposal from mlarkin, tested on most architectures already
|
|
|
|
|
|
ok deraadt
|
|
|
|
|
|
no words or punctation were modified.
|
|
By default, nothing changes -- shutdown is initiated. But allows turning
power button into a sleep button if desired.
(grudging) ok from a few parties
|
|
OK deraadt@
|
