my style of C programming is this: always return errno
upon exit from the program, or from a thread.
handle errno in the calling/forking function.
returning errno at the end of main has this intention:
if an unhandled error occured, the program exits with
non-zero status.
a correctly written program should *never* return non-zero
at the end of main, and if it does, this indicates a bug
in the code (per my code style / philosophy).
so, warn the user with a message if this occurs. the
intention is that this message should never be printed.
do not use assert() for this. i don't believe in that.
such a test should always be present, for everyone.
Signed-off-by: Leah Rowe <leah@libreboot.org>
This version of spkmodem uses err() to indicate an error,
and the value of errno is used as exit status at all times,
even when it is zero.
When calling err(), it is intended that errno always be
non-zero, so modify the code accordingly.
Signed-off-by: Leah Rowe <leah@libreboot.org>
when calling fread(), errno may be set to EOVEFLOW if
the range being read will cause an integer overflow
if end-of-file is reached, errno may not be set. when
calling this function, you must check errno or check
feof() - ferror() should also be checked, so this check
is added immediately afterwards in the code
ferror() does not set errno, so ERR() is used to set
errno to ECANCELED as program exit status
further separate reading of frames into a new function
Signed-off-by: Leah Rowe <leah@libreboot.org>
The mentality behind pledge and unveil is that you should
think ahead, so that large parts of code can run under
extremely tight restrictions.
The pledge calls have been adjusted accordingly, also.
Disallow all unveil calls after the gbe file and the
file /dev/urandom have been unveiled.
Signed-off-by: Leah Rowe <leah@libreboot.org>
This replaces a check in the function for O_RDONLY, and
fixes the bug where the "dump" command triggers such error.
Signed-off-by: Leah Rowe <leah@libreboot.org>
*Open* files at the start, then unveil. The same overall
behaviour is observed. In the case that invalid arguments
are given, simply opening a file does not cause much
performance impact (if any).
Restrict operations as early as possible in code.
Bonus:
writeGbeFile also hardened; if flags is O_RDONLY, it aborts.
Signed-off-by: Leah Rowe <leah@libreboot.org>
i screwed up in an earlier commit
this change fixes a bug where on rhex(), each
call would re-open /dev/urandom, resetting rfd
Signed-off-by: Leah Rowe <leah@libreboot.org>
in practise, the file was never written unless the checksum
was valid, but in the same of sloccount reduction i made it
do the swap/copy before checking. while functionally ok, it
never sat right with me. this is one example of where sloc
count doesn't mean everything. code correctness is critical
Signed-off-by: Leah Rowe <leah@libreboot.org>
the style was already quite similar, but extended lines in
bsd are indented by 4 spaces instead of a tab. this style
has grown on me, so i'm adopting it here
Signed-off-by: Leah Rowe <leah@libreboot.org>
They don't precisely *pertain* to nvmutil, but they are
useful helper functions for calling pledge/unveil in
OpenBSD. Ideally, the main file should only contain core
logic pertaining to the execution of *nvmutil*.
Put xpledge() and xunveil() in nvmutil.h.
Signed-off-by: Leah Rowe <leah@libreboot.org>
When err() is called, it is intended that nvmutil will
always exit with non-zero status, but with errno as the
return value. Ensure that errno is *not* zero.
Signed-off-by: Leah Rowe <leah@libreboot.org>
Make word() a macro, simplify err_if().
Could also make setWord() a macro if I forego certain
optimisations, but I'll leave it as-is.
Signed-off-by: Leah Rowe <leah@libreboot.org>
After /dev/urandom (for MAC address randomisation) and
the GbE file have been handled, unveil them. Unveil is
a system call provided by OpenBSD that, when called,
restricts access only to the files and/or directories
specified, each given specific permissions.
You can learn more about unveil here:
https://man.openbsd.org/unveil.2
An ifdef rule makes nvmutil only use unveil on OpenBSD,
because it's not available anywhere else. This is the same
as with the pledge() system call.
Where invalid arguments are given, and no action performed,
pledge promises are also reduced to just stdio, preventing
any writes to files, or reads from files.
Signed-off-by: Leah Rowe <leah@libreboot.org>
After reading a file, remove rpath.
When removing rpath, also remove wpath if flags
are not to O_RDONLY (read-only disk operation).
When wpath is permitted, and a file was successfully
written, remove wpath.
In order to permit /dev/urandom access in rhex(),
I call it as a void just before re-calling pledge.
The rhex() function has been written in such a way
that /dev/urandom only needs to be read *once*.
Signed-off-by: Leah Rowe <leah@libreboot.org>
I assumed wpath was all that's needed, but this simply
allows writes.
rpath must be specified alongside wpath, for reads.
Signed-off-by: Leah Rowe <leah@libreboot.org>
The utils that are pledged checked HAVE_PLEDGE which was
bogus. OpenBSD defines __OpenBSD__, which you can check
for in ifdef.
This change makes nvmutil and spkmodem-recv *actually*
use pledge, when the utils are compiled on OpenBSD.
Signed-off-by: Leah Rowe <leah@libreboot.org>
make blobutil a symlink. Example of command changes:
./blobutil download x220_8mb
is now:
./update blobs download x220_8mb
The old command still works, for compatibility.
Signed-off-by: Leah Rowe <leah@libreboot.org>
move resources/scripts/download/ to:
resources/scripts/update/module/
This: ./download coreboot
Is now: ./update module coreboot
However, running "./download coreboot"
still works, via backwards compatibility.
Signed-off-by: Leah Rowe <leah@libreboot.org>
unify them, by turning them into symlinks pointing
to a generic script named lbmk
the script named lbmk is a fork of the script
named "build", which just checks argument 0 and adapts
accordingly
all of these core scripts had the exact same overall
logic, and they are thus compatible
Signed-off-by: Leah Rowe <leah@libreboot.org>
The primary purpose of my intense auditing has
been to improve lbmk's coding style and fix bugs
but there is a secondary purpose: know precisely
who owns what, because I want to re-license as
much as possible of lbmk under *MIT*, instead of
the current GNU licensing. MIT is vastly superior,
because it grants *actual* freedom to the user,
permits *sublicensing* and it is vastly more
compatible with other GPL combinations; for
example, MIT license is compatible with GPL2-only
whereas lbmk's current mix of GPLv3-or-later and
GPLv3-only is legally incompatible with GPLv2-only.
Re-licensing under MIT will most likely result in
more contributions to Libreboot's build system in
the future, especially as it will attract a lot
more commercial interest. Contrary to the popular
arguments, copyleft is a liability to the free
software movement and results in less code being
written; in practise, permissively licensed code
gets more public contributions, including from
commercial entities, even if companies can
theoretically make something proprietary out of
it (in practise, anyone inclined can just use the
upstream and proprietary forks almost always die).
Copyleft propaganda is fundamentally flawed. See:
<https://unixsheikh.com/articles/the-problems-with-the-gpl.html>
Anyway, I've been doing a combination of:
* Seeking permission from other copyright holders,
for re-licensing
* Deleting, or moving, other contributions; for
example, splitting certain contributions into
separate files so that originally modified files
become unencumbered. This latter solution is a
result of *code cleanup* arising from the audit.
For Ferass's contributions, I opted to seek
*permission*, and permission was denied. In full compliance
with this legal imperative, I'm acting accordingly; this
commit removes all of Ferass's changes that converted lbmk
to posix shell scripts, thus removing his copyright on the
affected files, bypassing his authority entirely. Therefore,
lbmk is largely now bash-dependent. In practise, nobody is
going to use anything other than a GNU system to build
Libreboot, because many projects that Libreboot makes use
of rely heavily on GNU; for example, coreboot's build
system makes heavy use of GNU-specific extensions in *GNU
Make*, and likely contains many bashisms. Of course,
Libreboot also compiles GNU GRUB.
I would much rather have MIT-licensed Bash scripts
than GPL-licensed posix SCL scripts.
This reverts the changes from Ferass El Hafidi,
for the following commits, with some exceptions:
* 7f5dfebf7d
* f787044642
Exception:
download/mrc not reverted, because that was
already a fork of an existing script under
coreboot's build system, and their script was
GPLv2. i cannot/will not re-license this file
(ergo,
7f5dfebf7d
change remains intact, on this file)
resources/scripts/build/boot/roms_helper, these changes
have been kept:
* 7e6691e9 - Add ARMv7 and AArch64 support
* dec2d720 - add myself in the build/roms_helper script
(added 2021 copyright for the change below)
* b7405656 - Workaround for grub's slow boot
^ these changes will be re-factored, splitting them
out of the file into a new file. This will be done in
a future lbmk revision. (in some cases, it makes sense
to keep a change but split it, allowing the main file to
be re-licensed without the change in it)
This is part of a much larger series of
licensing audits. It's likely that lbmk will
be posix-compliant (in its shell scripts)
again some day, because I'm planning to rewrite
most of these scripts (the ones modified in this
patch), and many of them (e.g. individual download
scripts) are subject to future deletion in a planned
overhaul of the download logic for third party
projects.
In addition: these changes are being kept (no attempt
to re-license them will be made):
* cff081c6 - Fix grub's slow boot (1 year, 5 months ago) <Vitali64>
* 4c851889 - Add macbook*1 16mb configs (1 year, 6 months ago) <Vitali64>
Ferass's work that remains will be split into dedicated
files containing them, where feasible.
In the case of grub.cfg (for GNU GRUB), I don't care
because it's a script for an engine (GRUB shell) that's
under GPL anyway, so who really cares about MIT license.
Signed-off-by: Leah Rowe <leah@libreboot.org>