Age | Commit message | Author |
|
While FIDO/U2F keys were already supported by the generic uhid(4)
driver, this driver adds the first step to tighten the security of
FIDO/U2F access. Specifically, users don't need read/write access to
all USB/HID devices anymore and the driver also improves integration
with pledge(2) and unveil(2): It is pledge-friendly because it doesn't
require any ioctls to discover the device and unveil-friendly because
it uses a single /dev/fido/* directory for its device nodes.
It also allows supporting FIDO/U2F in Firefox without further
weakening the "sandbox" of the browser. Firefox does not have a
proper privsep design and many operations, such as U2F access, are
handled directly by the main process. This means that the browser's
"fat" main process needs direct read/write access to all USB HID
devices, at least on other operating systems. With fido(4) we can
support security keys in Firefox under OpenBSD without such a
compromise.
With this change, libfido2 stops using the ioctl to query the device
vendor/product and just assumes "OpenBSD" "fido(4)" instead. The
ioctl is still supported but there was no benefit in obtaining the
vendor product or name; it also allows using libfido2 under pledge.
With feedback from deraadt@ and many others
OK kettenis@ djm@ and jmc@ for the manpage bits
|
|
Some numbers may be wrong but it's a start and further fixes can
happen in tree. Especially the LPDDRx case is untested.
OK deraadt@
|
|
From Joe Gidi.
|
|
especially KERNCZ (AMD FCH SMBus). Additionally this also implements
multi-bus support for SB800, Hudson-2 and KERNCZ.
Tested by many. Input & OK kettenis@
|
|
OK deraadt@ kettenis@
|
|
ok deraadt@
|
|
Spotted by Hrvoje Popovski using witness(4)
OK dlg@
|
|
* Enable gen2 link training when the dtb is configured with
max-link-speed = <2>;
* Workaround a rockchip bug where Target Link Speed is not set when
PCIE_CLIENT_PCIE_GEN_SEL_2 is configured
* Wait for LTSSM L0 state after initial link training to ensure gen2
link training does not start too early
okay kettenis@
|
|
OK tedu@
|
|
OK tedu@
|
|
OK tedu@
|
|
OK tedu@
|
|
OK tedu@
|
|
ACPI lock and when we call our own ws_[gs]et_param functions we cannot
take the lock again, because it's non-recursive. Thus we need to find
another way, like not taking the lock if we already have it. But the
solutions need to be discussed first, so back it out in the meantime.
|
|
|
|
calling the ACPI methods. On some machines, like my X395,
those ACPI methods don't allow changing the brightness, so
this allows acpivout(4) to e.g. use amdgpu(4)'s code.
ok kettenis@
|
|
Attaches pvclock with lower priority (500) in case of unstable tsc
(PVCLOCK_FLAG_TSC_STABLE) instead of not attaching at all. In this state, we do
make sure to return a monotonically increasing number.
This mostly helps OpenBSD guests on OpenBSD vmm(4) where a pvclock with unstable
tsc is still better than i8254.
ok mlarkin@
|
|
This diff ensures we reload the VMCS before we dump its content in a few
debug code paths, and ensures we flush the VMCS in a few error paths
in the writeregs VMX function.
|
|
xen_intr_unmask_release was not decrementing the reference counter
on the interrupt source structure when bailing out early which led
to the refcnt overflow.
From niklas, ok mlarkin
|
|
Missing piece of tickless timeout revert.
|
|
structures"
Backed out during revert of "timeout(9): switch to tickless backend".
Original commit message:
- CIRCQ_APPEND -> CIRCQ_CONCAT
- Flip argument order of CIRCQ_INSERT to match e.g. TAILQ_INSERT_TAIL
- CIRCQ_INSERT -> CIRCQ_INSERT_TAIL
- Add CIRCQ_FOREACH, use it in ddb(4) when printing buckets
- While here, use tabs for indentation like we do with other macros
ok visa@ mpi@
|
|
timehands.th_adjustment"
Reverted with backout of tickless timeouts.
Original commit message:
We currently mix timecounter.tc_freq_adj and timehands.th_adjtimedelta
in ntp_update_second() to produce timehands.th_adjustment, our net skew.
But if you set a low enough adjfreq(2) adjustment you can freeze time.
This prevents ntp_update_second() from running again. So even if you
then set a sane adjfreq(2) you cannot unfreeze time without rebooting.
If we just reread timecounter.tc_freq_adj every time we recompute
timehands.th_scale we avoid this trap. visa@ notes that this is
more costly than what we currently do but that the cost itself is
negligible.
Intuitively, timecounter.tc_freq_adj is a constant skew and should be
handled separately from timehands.th_adjtimedelta, an adjustment that
we chip away at very slowly.
tedu@ notes that this problem is sort-of an argument for imposing range
limits on adjfreq(2) inputs. He's right, but I think we should still
separate the counter adjustment from the adjtime(2) adjustment, with
or without range limits.
ok visa@
|
|
Tested by anton@, sashan@
OK mpi@, anton@, sashan@
|
|
In kqueue_scan(), threads have to get an exclusive access to a knote
before processing by calling knote_acquire(). This prevents the knote
from being destroyed while it is still in use. knote_acquire() also
blocks other threads from processing the knote. Once knote processing
has finished, the thread has to call knote_release().
The kqueue subsystem is still serialized by the kernel lock. If an event
filter sleeps, the kernel lock is released and another thread might
enter kqueue_scan(). kqueue_scan() uses start and end markers to keep
track of the scan's progress and it has to be aware of other threads'
markers.
This patch is a revised version of mpi@'s work derived
from DragonFly BSD. kqueue_check() has been adapted from NetBSD.
Tested by anton@, sashan@
OK mpi@, anton@, sashan@
|
|
compilers that OpenBSD provides have builtins for vararg routines
and use the machine-independent definitions in <sys/stdarg.h>.
Input from miod@
OK millert@
|
|
the area where the boot loader copies the kernel. Its EfiLoaderCode
is write protected, so the boot loader hangs in memmove(). As we
may use this memory after calling EFI ExitBootServices(), change
the protection bit to writeable in the page table.
OK deraadt@ mlarkin@ patrick@
|
|
- reduces gratuitous differences with NetBSD,
- merges multiple '#ifdef _KERNEL' blocks,
- kills unused 'struct vm_map_intrsafe'
- turns 'union vm_map_object' into an anonymous union (following NetBSD)
- move questionable vm_map_modflags() into uvm/uvm_map.c
- remove guards around MAX_KMAPENT, it is defined&used only once
- document lock differences
- fix tab vs space
ok mlarkin@, visa@
|
|
this means we don't truncate sockaddr_in6, which in turn means we
don't end up using garbage or zeros on the underlying ports when
requesting they set up hardware filters for multicast addresses.
vlan(4) uses sockaddr_storage like this too for the same thing.
discovered by jmatthew@ because ipv6 on top of aggr wasn't working
unless tcpdump was running.
|
|
Convert those to a consolidated status when needed in wait4(), kevent(),
and sysctl()
Pass exit code and signal separately to exit1()
(This also serves as prep for adding waitid(2))
ok mpi@
|
|
resetting it in child_return() and update the comment in tcb.h to reflect
reality
ok miod@ aoyama@
|
|
We only install flows for IPcomp. When processing an incoming ESP SA,
look for a bundled IPcomp SA and use that in the policy check.
ok bluhm@
|
|
ok guenther@, "your choice" deraadt@
|
|
|
|
|
|
non-writeable / syscall checker.
|
|
|
|
its own checks.
|
|
Comment fixes.
|
|
resolutions without running out of kernel memory.
Tested with 1920x1080 uncompressed and mjpeg without performance
degradation.
ok mpi@
|
|
Comment fixes.
|
|
ok visa@, jca@
|
|
ok visa@, jca@
|
|
|
|
Its last consumer is now gone and it has certainly not been used since the
introduction of PAE back in 2015.
ok kettenis@, jsg@
|
|
where such packet is bound to. This check is enforced if and only if
IP forwarding is disabled.
Change discussed with bluhm@, claudio@, deraadt@, markus@, tobhe@
OK bluhm@, claudio@, tobhe@
|
|
by sparc pmap.
OK mpi@ guenther@ kettenis@
|
|
Comment fixes.
|
|
Comment fixes.
|
|
to make the code clearer.
OK claudio@ mpi@
|
|
Comment fixes.
|