Commit Graph

636 Commits (db63fcffb5ba30f7a0ed74ba9b437957592e6cb9)

Author SHA1 Message Date
Leah Rowe db63fcffb5 util/nvmutil: hardening: reduce pledges earlier
also remove wpath if using the dump command

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-03 19:44:14 +01:00
Leah Rowe dbd6defe9a util/nvmutil: fix faulty arg check
in practise, no other condition would be met and the
program still worked. this is a pre-emptive fix.
2023-06-03 15:08:29 +01:00
Leah Rowe 270693fc92 util/nvmutil: cleanup: move logic out of main()
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-03 13:44:04 +01:00
Leah Rowe 46a9eea0f6 util/nvmutil: major cleanup. simpler arg handling.
Also hardened the pledges.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-03 13:36:10 +01:00
Leah Rowe c9fdfce34e util/nvmutil: simplify writeGbeFile()
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-02 11:52:49 +01:00
Leah Rowe bdccd7cb0c util/nvmutil: don't call writeGbeFile if O_RDONLY
This replaces a check in the function for O_RDONLY, and
fixes the bug where the "dump" command triggers such error.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 14:07:20 +01:00
Leah Rowe 99258a38ae util/nvmutil: code cleanup (pledge/unveil calls)
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 14:04:44 +01:00
Leah Rowe 69fa333e25 util/nvmutil: harden pledge/unveil calls (OpenBSD)
*Open* files at the start, then unveil. The same overall
behaviour is observed. In the case that invalid arguments
are given, simply opening a file does not cause much
performance impact (if any).

Restrict operations as early as possible in code.

Bonus:

writeGbeFile also hardened; if flags is O_RDONLY, it aborts.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 13:35:34 +01:00
Leah Rowe adf3aece6f util/nvmutil: fix faulty fd check
i screwed up in an earlier commit

this change fixes a bug where on rhex(), each
call would re-open /dev/urandom, resetting rfd

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 12:58:33 +01:00
Leah Rowe b49da12dad util/nvmutil: only swap/copy if checksum is valid
in practise, the file was never written unless the checksum
was valid, but in the same of sloccount reduction i made it
do the swap/copy before checking. while functionally ok, it
never sat right with me. this is one example of where sloc
count doesn't mean everything. code correctness is critical

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 12:21:55 +01:00
Leah Rowe 9aa34f1e20 util/nvmutil: use bsd-style indentation
the style was already quite similar, but extended lines in
bsd are indented by 4 spaces instead of a tab. this style
has grown on me, so i'm adopting it here

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 12:18:48 +01:00
Leah Rowe 18f39ab6fa util/nvmutil: clean up rhex()
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 12:02:16 +01:00
Leah Rowe 4d91bcc2d7 util/nvmutil: check correct return value on close()
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 11:14:49 +01:00
Leah Rowe c2c31677a3 util/nvmutil: massive code cleanup
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 11:11:15 +01:00
Leah Rowe f0846134b7 util/nvmutil: move includes to nvmutil.h
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 08:48:39 +01:00
Leah Rowe 2dabafe691 util/nvmutil: move xpledge/xunveil to nvmutil.h
They don't precisely *pertain* to nvmutil, but they are
useful helper functions for calling pledge/unveil in
OpenBSD. Ideally, the main file should only contain core
logic pertaining to the execution of *nvmutil*.

Put xpledge() and xunveil() in nvmutil.h.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 08:40:01 +01:00
Leah Rowe 9a3e651656 util/nvmutil: use SPDX license headers
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 08:31:08 +01:00
Leah Rowe 5d6af06a73 util/nvmutil: move non-functions to nvmutil.h
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 08:25:55 +01:00
Leah Rowe a2136933af util/nvmutil: use even more macros (code cleanup)
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 08:21:25 +01:00
Leah Rowe 5a9fac2a63 util/nvmutil: remove unnecessary parentheses 2023-06-01 07:40:40 +01:00
Leah Rowe 6885200c8b util/nvmutil: simplify setWord() with word() macro
There is nothing cooler than a macro.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 07:31:52 +01:00
Leah Rowe 7ab209d545 util/nvmutil: do xor swap in a macro
eventually, everything will be a macro!

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 07:23:38 +01:00
Leah Rowe 293ca0fcbb util/nvmutil pledge,unveil: use correct err string 2023-06-01 07:05:48 +01:00
Leah Rowe a1df8fd154 util/nvmutil: ensure that errno is set on err()
When err() is called, it is intended that nvmutil will
always exit with non-zero status, but with errno as the
return value. Ensure that errno is *not* zero.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 07:04:23 +01:00
Leah Rowe 1f54860401 util/nvmutil: minor code cleanup
Make word() a macro, simplify err_if().

Could also make setWord() a macro if I forego certain
optimisations, but I'll leave it as-is.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-06-01 06:58:30 +01:00
Leah Rowe 8f1e6d792f util/nvmutil: simplified error handling in main
This change also reduces code indentation.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-31 09:30:13 +01:00
Leah Rowe 78fc89352b util/nvmutil: Use unveil, and harden pledges
After /dev/urandom (for MAC address randomisation) and
the GbE file have been handled, unveil them. Unveil is
a system call provided by OpenBSD that, when called,
restricts access only to the files and/or directories
specified, each given specific permissions.

You can learn more about unveil here:

https://man.openbsd.org/unveil.2

An ifdef rule makes nvmutil only use unveil on OpenBSD,
because it's not available anywhere else. This is the same
as with the pledge() system call.

Where invalid arguments are given, and no action performed,
pledge promises are also reduced to just stdio, preventing
any writes to files, or reads from files.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-31 08:53:08 +01:00
Leah Rowe c2cd191676 util/nvmutil: Harden pledge promises
After reading a file, remove rpath.

When removing rpath, also remove wpath if flags
are not to O_RDONLY (read-only disk operation).

When wpath is permitted, and a file was successfully
written, remove wpath.

In order to permit /dev/urandom access in rhex(),
I call it as a void just before re-calling pledge.

The rhex() function has been written in such a way
that /dev/urandom only needs to be read *once*.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-31 08:02:46 +01:00
Leah Rowe c759a7a095 util/nvmutil: Simplify use of pledge (on OpenBSD)
Define xpledge which calls pledge and handles errors.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-31 06:32:43 +01:00
Leah Rowe f37bd75925 util/nvmutil: Use correct pledge promise (OpenBSD)
I assumed wpath was all that's needed, but this simply
allows writes.

rpath must be specified alongside wpath, for reads.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-30 16:16:24 +01:00
Leah Rowe 83ecf26833 util/*: Properly detect OpenBSD for pledge() call
The utils that are pledged checked HAVE_PLEDGE which was
bogus. OpenBSD defines __OpenBSD__, which you can check
for in ifdef.

This change makes nvmutil and spkmodem-recv *actually*
use pledge, when the utils are compiled on OpenBSD.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-30 16:02:25 +01:00
Leah Rowe 8df2f8095e util/e6400-flash-unlock: clean up commented code
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-29 22:01:41 +01:00
Leah Rowe 06c92d4a4a blobutil: merge with main script
make blobutil a symlink. Example of command changes:

./blobutil download x220_8mb
is now:
./update blobs download x220_8mb

The old command still works, for compatibility.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-27 12:00:04 +01:00
Leah Rowe ff954c5b73 unify download/build scripts
move resources/scripts/download/ to:
resources/scripts/update/module/

This: ./download coreboot
Is now: ./update module coreboot

However, running "./download coreboot"
still works, via backwards compatibility.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-27 11:44:54 +01:00
Leah Rowe 092600d163 unify these scripts: build, modify and update
unify them, by turning them into symlinks pointing
to a generic script named lbmk

the script named lbmk is a fork of the script
named "build", which just checks argument 0 and adapts
accordingly

all of these core scripts had the exact same overall
logic, and they are thus compatible

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-27 10:54:50 +01:00
Leah Rowe 6344b19600 build/payload/seabios: reduced indentation
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-27 09:43:05 +01:00
Leah Rowe a4ea286731 Remove most of Ferass's lbmk contributions
The primary purpose of my intense auditing has
been to improve lbmk's coding style and fix bugs
but there is a secondary purpose: know precisely
who owns what, because I want to re-license as
much as possible of lbmk under *MIT*, instead of
the current GNU licensing. MIT is vastly superior,
because it grants *actual* freedom to the user,
permits *sublicensing* and it is vastly more
compatible with other GPL combinations; for
example, MIT license is compatible with GPL2-only
whereas lbmk's current mix of GPLv3-or-later and
GPLv3-only is legally incompatible with GPLv2-only.

Re-licensing under MIT will most likely result in
more contributions to Libreboot's build system in
the future, especially as it will attract a lot
more commercial interest. Contrary to the popular
arguments, copyleft is a liability to the free
software movement and results in less code being
written; in practise, permissively licensed code
gets more public contributions, including from
commercial entities, even if companies can
theoretically make something proprietary out of
it (in practise, anyone inclined can just use the
upstream and proprietary forks almost always die).

Copyleft propaganda is fundamentally flawed. See:
<https://unixsheikh.com/articles/the-problems-with-the-gpl.html>

Anyway, I've been doing a combination of:

* Seeking permission from other copyright holders,
  for re-licensing
* Deleting, or moving, other contributions; for
  example, splitting certain contributions into
  separate files so that originally modified files
  become unencumbered. This latter solution is a
  result of *code cleanup* arising from the audit.

For Ferass's contributions, I opted to seek
*permission*, and permission was denied. In full compliance
with this legal imperative, I'm acting accordingly; this
commit removes all of Ferass's changes that converted lbmk
to posix shell scripts, thus removing his copyright on the
affected files, bypassing his authority entirely. Therefore,
lbmk is largely now bash-dependent. In practise, nobody is
going to use anything other than a GNU system to build
Libreboot, because many projects that Libreboot makes use
of rely heavily on GNU; for example, coreboot's build
system makes heavy use of GNU-specific extensions in *GNU
Make*, and likely contains many bashisms. Of course,
Libreboot also compiles GNU GRUB.

I would much rather have MIT-licensed Bash scripts
than GPL-licensed posix SCL scripts.

This reverts the changes from Ferass El Hafidi,
for the following commits, with some exceptions:

* 7f5dfebf7d
* f787044642

Exception:

download/mrc not reverted, because that was
already a fork of an existing script under
coreboot's build system, and their script was
GPLv2. i cannot/will not re-license this file
(ergo,
7f5dfebf7d
change remains intact, on this file)

resources/scripts/build/boot/roms_helper, these changes
have been kept:
* 7e6691e9 - Add ARMv7 and AArch64 support
* dec2d720 - add myself in the build/roms_helper script
	(added 2021 copyright for the change below)
* b7405656 - Workaround for grub's slow boot
^ these changes will be re-factored, splitting them
  out of the file into a new file. This will be done in
  a future lbmk revision. (in some cases, it makes sense
  to keep a change but split it, allowing the main file to
  be re-licensed without the change in it)

This is part of a much larger series of
licensing audits. It's likely that lbmk will
be posix-compliant (in its shell scripts)
again some day, because I'm planning to rewrite
most of these scripts (the ones modified in this
patch), and many of them (e.g. individual download
scripts) are subject to future deletion in a planned
overhaul of the download logic for third party
projects.

In addition: these changes are being kept (no attempt
to re-license them will be made):

* cff081c6 - Fix grub's slow boot (1 year, 5 months ago) <Vitali64>
* 4c851889 - Add macbook*1 16mb configs (1 year, 6 months ago) <Vitali64>

Ferass's work that remains will be split into dedicated
files containing them, where feasible.

In the case of grub.cfg (for GNU GRUB), I don't care
because it's a script for an engine (GRUB shell) that's
under GPL anyway, so who really cares about MIT license.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-27 08:10:50 +01:00
Leah Rowe 2be1a8ea76 download/coreboot: fix error handling in subshell
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-24 07:45:07 +01:00
Leah Rowe d0171eeff3 download/coreboot: don't needlessly re-download 2023-05-24 07:16:51 +01:00
Leah Rowe c616930b71 download/coreboot: remove unnecessary bloat
it is not necessary to have help output

similarly, listing all boards in this script is
pointless. why not just run ls -1 on the directory?
2023-05-21 03:24:29 +01:00
Leah Rowe d1935c0590 build/clean/u-boot: remove unnecesssary check
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-20 21:48:12 +01:00
Leah Rowe 676efbb0df build/clean/u-boot: improved coding style
tabs for indentation

simplify some checks
2023-05-20 21:47:10 +01:00
Leah Rowe 06a92f61a8 build/clean/ich9utils: don't use subshell
this also fixes error handling

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-20 21:38:54 +01:00
Leah Rowe 43e2dfe2bf build/u-boot: top-down, split-function code style
main() on top

top-down order of logic

logic split into separate functions

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-20 21:33:37 +01:00
Leah Rowe a8f0721a6f build/payload/u-boot: 79 chars or less per line
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-20 20:48:19 +01:00
Leah Rowe 89ac1ea5a9 build/payload/u-boot: fix wrong attributions
only alper and ferass have ownership of this file,
but ferass only submitted to it in 2022, not 2021

fix this

i've removed myself from the file, for now

i never touched this file before, so it's
not right that my name be here

put alper's name at the top, because alper
was the person who created this file first

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-20 20:32:40 +01:00
Leah Rowe c973b95909 build/payload/grub: rename functions for clarity
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-20 20:16:10 +01:00
Leah Rowe 51e0e40123 build/payload/grub: remove unnecessary check
sed does the same job as cp, in this situation

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-20 20:08:40 +01:00
Leah Rowe 8e206be7c8 build/payload/grub: split logic into functions
main() on top

top-down logic

Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-20 20:07:22 +01:00
Leah Rowe db7e81612a build/payload/grub: 79 chars or less per line
Signed-off-by: Leah Rowe <leah@libreboot.org>
2023-05-20 19:55:40 +01:00