*Open* files at the start, then unveil. The same overall
behaviour is observed. In the case that invalid arguments
are given, simply opening a file does not cause much
performance impact (if any).
Restrict operations as early as possible in code.
Bonus:
writeGbeFile also hardened; if flags is O_RDONLY, it aborts.
Signed-off-by: Leah Rowe <leah@libreboot.org>
i screwed up in an earlier commit
this change fixes a bug where on rhex(), each
call would re-open /dev/urandom, resetting rfd
Signed-off-by: Leah Rowe <leah@libreboot.org>
in practise, the file was never written unless the checksum
was valid, but in the same of sloccount reduction i made it
do the swap/copy before checking. while functionally ok, it
never sat right with me. this is one example of where sloc
count doesn't mean everything. code correctness is critical
Signed-off-by: Leah Rowe <leah@libreboot.org>
the style was already quite similar, but extended lines in
bsd are indented by 4 spaces instead of a tab. this style
has grown on me, so i'm adopting it here
Signed-off-by: Leah Rowe <leah@libreboot.org>
They don't precisely *pertain* to nvmutil, but they are
useful helper functions for calling pledge/unveil in
OpenBSD. Ideally, the main file should only contain core
logic pertaining to the execution of *nvmutil*.
Put xpledge() and xunveil() in nvmutil.h.
Signed-off-by: Leah Rowe <leah@libreboot.org>
When err() is called, it is intended that nvmutil will
always exit with non-zero status, but with errno as the
return value. Ensure that errno is *not* zero.
Signed-off-by: Leah Rowe <leah@libreboot.org>
Make word() a macro, simplify err_if().
Could also make setWord() a macro if I forego certain
optimisations, but I'll leave it as-is.
Signed-off-by: Leah Rowe <leah@libreboot.org>
After /dev/urandom (for MAC address randomisation) and
the GbE file have been handled, unveil them. Unveil is
a system call provided by OpenBSD that, when called,
restricts access only to the files and/or directories
specified, each given specific permissions.
You can learn more about unveil here:
https://man.openbsd.org/unveil.2
An ifdef rule makes nvmutil only use unveil on OpenBSD,
because it's not available anywhere else. This is the same
as with the pledge() system call.
Where invalid arguments are given, and no action performed,
pledge promises are also reduced to just stdio, preventing
any writes to files, or reads from files.
Signed-off-by: Leah Rowe <leah@libreboot.org>
After reading a file, remove rpath.
When removing rpath, also remove wpath if flags
are not to O_RDONLY (read-only disk operation).
When wpath is permitted, and a file was successfully
written, remove wpath.
In order to permit /dev/urandom access in rhex(),
I call it as a void just before re-calling pledge.
The rhex() function has been written in such a way
that /dev/urandom only needs to be read *once*.
Signed-off-by: Leah Rowe <leah@libreboot.org>
I assumed wpath was all that's needed, but this simply
allows writes.
rpath must be specified alongside wpath, for reads.
Signed-off-by: Leah Rowe <leah@libreboot.org>
The utils that are pledged checked HAVE_PLEDGE which was
bogus. OpenBSD defines __OpenBSD__, which you can check
for in ifdef.
This change makes nvmutil and spkmodem-recv *actually*
use pledge, when the utils are compiled on OpenBSD.
Signed-off-by: Leah Rowe <leah@libreboot.org>
small nitpick, but i try to use openbsd style
since i like that style. upon further reading
of their style guidelines today, it was revealed
to me that for includes, they:
* sort sys/ includes alphabetically, at the top
* after sys/ includes, have an empty line
* includes for networking-related headers below that
* empty space below networking headers if there
* after that, have the rest of the includes, sorted
alphabetically
at least, that is my understanding. i have to admit,
it does look cleaner
not really that critical but why not do it?
word/setWord no longer mitigates endianness. instead,
all bytes are swapped after reading and before writing the
file, and only if the host is big endian
this improves performance on little endian hosts, which is
most machines, and the code is much simpler, so it's more
robust and less likely to break
mac address endianness made more clear in code, including
with a comment that explains it
(the nvm section contains little endian words, *except* the
mac address whose words are stored big endian)
reduce the number of calls to read() by using
bit shifts. when rnum is zero, read again. in
most cases, a nibble will not be zero, so this
will usually result in about 13-15 of of 16
nibbles being used. this is in comparison to
8 nibbles being used before, which means that
the number of calls to read() are roughly
halved. at the same time, the extra amount of
logic is minimal (and probably less) when
compiled, outside of calls to read(), because
shifting is better optimised (on 64-bit machines,
the uint64_t will be shifted with just a single
instruction, if the compiler is decent), whereas
the alternative would be to always precisely use
exactly 16 nibbles by counting up to 16, which
would involve the use of an and mask and still
need a shift, plus...
you get the point. this is probably the most
efficient code ever written, for generating
random numbers between the value of 0 and 15
the way nvmutil is designed, setWord() is only ever called
under non-error conditions. however, if one part is valid but
the other one isn't, and a command is run that touches both parts,
errno is non-zero write writeGbeFile is called
in situations where one part is valid, but the other isn't, AND the
writes to gbe (in memory) results in a non-change, writeGbeFile is
not called; in this situation, errno is not being reset, despite
non-error condition
this patch fixed the bug, resulting in zero status upon exit under
such conditions