Date: Mon, 9 Mar 2020 10:06:18 +0100 From: "O. Hartmann" <ohartmann@walstatt.org> Cc: "Simon J. Gerraty" <sjg@FreeBSD.org>, svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org Subject: Re: svn commit: r358744 - in head: lib/libsecureboot lib/libsecureboot/h lib/libsecureboot/tests share/mk stand stand/common stand/efi/loader stand/efi/loader/arch/i386 stand/ficl stand/i386/libi386 st... Message-ID: <20200309100614.560b808e@freyja> In-Reply-To: <20200309070540.7b3c9ce6@freyja> References: <202003081742.028HghCd086246@repo.freebsd.org> <20200309070540.7b3c9ce6@freyja>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 9 Mar 2020 07:05:46 +0100 "O. Hartmann" <ohartmann@walstatt.org> wrote: > On Sun, 8 Mar 2020 17:42:43 +0000 (UTC) > "Simon J. Gerraty" <sjg@FreeBSD.org> wrote: > > > Author: sjg > > Date: Sun Mar 8 17:42:42 2020 > > New Revision: 358744 > > URL: https://svnweb.freebsd.org/changeset/base/358744 > > > > Log: > > veloader use vectx API for kernel and modules > > > > The vectx API, computes the hash for verifying a file as it is read. > > This avoids the overhead of reading files twice - once to verify, th= en > > again to load. > > > > For doing an install via loader, avoiding the need to rewind > > large files is critical. > > > > This API is only used for modules, kernel and mdimage as these are t= he > > biggest files read by the loader. > > The reduction in boot time depends on how expensive the I/O is > > on any given platform. On a fast VM we see 6% improvement. > > > > For install via loader the first file to be verified is likely to be= the > > kernel, so some of the prep work (finding manifest etc) done by > > verify_file() needs to be factored so it can be reused for > > vectx_open(). > > > > For missing or unrecognized fingerprint entries, we fail > > in vectx_open() unless verifying is disabled. > > > > Otherwise fingerprint check happens in vectx_close() and > > since this API is only used for files which must be verified > > (VE_MUST) we panic if we get an incorrect hash. > > > > Reviewed by: imp,tsoome > > MFC after: 1 week > > Sponsored by: Juniper Networks > > Differential Revision: https://reviews.freebsd.org//D23827 > > > > Modified: > > head/lib/libsecureboot/h/libsecureboot.h > > head/lib/libsecureboot/h/verify_file.h > > head/lib/libsecureboot/tests/tvo.c > > head/lib/libsecureboot/vectx.c > > head/lib/libsecureboot/verify_file.c > > head/share/mk/src.opts.mk > > head/stand/common/bootstrap.h > > head/stand/common/interp_forth.c > > head/stand/common/interp_simple.c > > head/stand/common/load_elf.c > > head/stand/common/load_elf_obj.c > > head/stand/common/misc.c > > head/stand/common/module.c > > head/stand/efi/loader/arch/i386/i386_copy.c > > head/stand/efi/loader/copy.c > > head/stand/efi/loader/loader_efi.h > > head/stand/efi/loader/main.c > > head/stand/ficl/loader.c > > head/stand/i386/libi386/i386_copy.c > > head/stand/i386/libi386/libi386.h > > head/stand/i386/loader/chain.c > > head/stand/libofw/libofw.h > > head/stand/libofw/ofw_copy.c > > head/stand/loader.mk > > head/stand/mips/beri/loader/arch.c > > head/stand/powerpc/kboot/main.c > > head/stand/uboot/lib/copy.c > > head/stand/uboot/lib/libuboot.h > > head/stand/userboot/userboot/copy.c > > head/stand/userboot/userboot/libuserboot.h > > > > To unsubscribe, send any mail to "svn-src-head-unsubscribe@freebsd.org= " > [... deleted ...] > > > buildworld seems to be broken on this commit: > > [...] > --- all_subdir_stand --- > --- lstd.o --- > /usr/src/stand/liblua/lstd.c:86:44: error: too few arguments to function= call, > expected 5, have 4 if (verify_file(fd, filename, 0, VE_GUESS) < 0) { > ~~~~~~~~~~~ ^ > /usr/src/lib/libsecureboot/h/verify_file.h:50:1: note: 'verify_file' dec= lared > here int verify_file(int, const char *, off_t, int, const char *); > ^ > 1 error generated. > [...] > > Building host is CURRENT, FreeBSD 13.0-CURRENT #118 r358695: Fri Mar 6 > 12:48:00 CET 2020 amd64: > > kind regards, > > oh > _______________________________________________ > svn-src-head@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/svn-src-head > To unsubscribe, send any mail to "svn-src-head-unsubscribe@freebsd.org" The problem reported seems to occur when WITH_BEARSSL=3DYES is enabled in /etc/src.conf.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200309100614.560b808e>