Date: Mon, 9 Mar 2020 07:05:46 +0100 From: "O. Hartmann" <ohartmann@walstatt.org> To: "Simon J. Gerraty" <sjg@FreeBSD.org> Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r358744 - in head: lib/libsecureboot lib/libsecureboot/h lib/libsecureboot/tests share/mk stand stand/common stand/efi/loader stand/efi/loader/arch/i386 stand/ficl stand/i386/libi386 st... Message-ID: <20200309070540.7b3c9ce6@freyja> In-Reply-To: <202003081742.028HghCd086246@repo.freebsd.org> References: <202003081742.028HghCd086246@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 8 Mar 2020 17:42:43 +0000 (UTC) "Simon J. Gerraty" <sjg@FreeBSD.org> wrote: > Author: sjg > Date: Sun Mar 8 17:42:42 2020 > New Revision: 358744 > URL: https://svnweb.freebsd.org/changeset/base/358744 > > Log: > veloader use vectx API for kernel and modules > > The vectx API, computes the hash for verifying a file as it is read. > This avoids the overhead of reading files twice - once to verify, then > again to load. > > For doing an install via loader, avoiding the need to rewind > large files is critical. > > This API is only used for modules, kernel and mdimage as these are the > biggest files read by the loader. > The reduction in boot time depends on how expensive the I/O is > on any given platform. On a fast VM we see 6% improvement. > > For install via loader the first file to be verified is likely to be t= he > kernel, so some of the prep work (finding manifest etc) done by > verify_file() needs to be factored so it can be reused for > vectx_open(). > > For missing or unrecognized fingerprint entries, we fail > in vectx_open() unless verifying is disabled. > > Otherwise fingerprint check happens in vectx_close() and > since this API is only used for files which must be verified > (VE_MUST) we panic if we get an incorrect hash. > > Reviewed by: imp,tsoome > MFC after: 1 week > Sponsored by: Juniper Networks > Differential Revision: https://reviews.freebsd.org//D23827 > > Modified: > head/lib/libsecureboot/h/libsecureboot.h > head/lib/libsecureboot/h/verify_file.h > head/lib/libsecureboot/tests/tvo.c > head/lib/libsecureboot/vectx.c > head/lib/libsecureboot/verify_file.c > head/share/mk/src.opts.mk > head/stand/common/bootstrap.h > head/stand/common/interp_forth.c > head/stand/common/interp_simple.c > head/stand/common/load_elf.c > head/stand/common/load_elf_obj.c > head/stand/common/misc.c > head/stand/common/module.c > head/stand/efi/loader/arch/i386/i386_copy.c > head/stand/efi/loader/copy.c > head/stand/efi/loader/loader_efi.h > head/stand/efi/loader/main.c > head/stand/ficl/loader.c > head/stand/i386/libi386/i386_copy.c > head/stand/i386/libi386/libi386.h > head/stand/i386/loader/chain.c > head/stand/libofw/libofw.h > head/stand/libofw/ofw_copy.c > head/stand/loader.mk > head/stand/mips/beri/loader/arch.c > head/stand/powerpc/kboot/main.c > head/stand/uboot/lib/copy.c > head/stand/uboot/lib/libuboot.h > head/stand/userboot/userboot/copy.c > head/stand/userboot/userboot/libuserboot.h > > To unsubscribe, send any mail to "svn-src-head-unsubscribe@freebsd.org" [... deleted ...] buildworld seems to be broken on this commit: [...] =2D-- all_subdir_stand --- =2D-- lstd.o --- /usr/src/stand/liblua/lstd.c:86:44: error: too few arguments to function c= all, expected 5, have 4 if (verify_file(fd, filename, 0, VE_GUESS) < 0) { ~~~~~~~~~~~ ^ /usr/src/lib/libsecureboot/h/verify_file.h:50:1: note: 'verify_file' decla= red here int verify_file(int, const char *, off_t, int, const char *); ^ 1 error generated. [...] Building host is CURRENT, FreeBSD 13.0-CURRENT #118 r358695: Fri Mar 6 12:48:00 CET 2020 amd64: kind regards, oh
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200309070540.7b3c9ce6>