1 files changed, 257 insertions, 24 deletions
diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index 8bb42bf5..3b289deb 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -15,6 +15,135 @@
  * -Os -Wall -Wextra -Werror -pedantic -std=c90
  */
 
+/*
+ * Major TODO: split this into multiple files.
+ * This program has become quite large now, mostly
+ * due to all the extra sanity checks / portability.
+ * Make most of nvmutil a *library* for re-use
+ *
+ * TODO: gettimeofday not posible - use portable functions.
+ * TODO: uint32_t fallback: modify the program instead
+ * to run on 16-bit systems: smaller buffers, and do
+ * operations byte-based instead of word-based.
+ *
+ * TODO: _XOPEN_SOURCE 500 probably not needed anymore.
+ * the portable fallbacks alone are likely enough.
+ * e.g. i don't need stdint, and i don't use pwrite/pread
+ * anymore.
+ *
+ * TODO: version detection of various BSDs to detect
+ * arc4random, use that if available. but also work on
+ * older versions of those BSDs (also MacOS) that lack it.
+ *
+ * TODO: portability/testing on non-Unix systems:
+ * old DOS. all windows versions (probably irrelevant
+ * because you can use cygwin/wsl, whatever), classic MacOS,
+ * also test really old unix e.g. sunos and irix. Be/Haiku too!
+ *
+ * TODO: reliance on global variables for status. make
+ * functions use structs passed as args instead, make
+ * functions re-useable (including libraries), etc.
+ *
+ * TODO: bound checks for files per-command, e.g. only
+ * first 6 bytes for CMD_SETMAC
+ *
+ * TODO: clean up the do_rw function: make PSCHREIB and
+ * so on clearer, probably just define them inline and
+ * validate them inline (no define).
+ * TODO: in command sanitizer: verify that each given
+ * entry corresponds to the correct function, in the
+ * pointer (this check is currently missing)
+ *
+ * TODO: general modularisierung of the entire codebase.
+ * TODO: better explain copy/swap read inversion trick
+ *       by improving existing comments
+ * TODO: lots of overwritten comments in code. tidy it up.
+ *
+ * TODO: use getopt for nvmutil args, so that multiple
+ *      operations can be performed, and also on many
+ *	files at once (noting limitations with cat)
+ *	BONUS: implement own getopt(), for portability
+ *
+ * TODO: document fuzzing / static analysis methods
+ * 	for the code, and:
+ * TODO: implement rigorous unit tests (separate util)
+ *	NOTE: this would *include* known good test files
+ *	in various configurations, also invalid files.
+ *	the tests would likely be portable posix shell
+ *	scripts rather than a new C program, but a modularisiert
+ *	codebase would allow me to write a separate C
+ *	program to test some finer intricacies
+ * TODO: the unit tests would basically test regressions
+ * TODO: after writing back a gbe to file, close() and
+ *	open() it again, read it again, and check that
+ *	the contents were written correctly, providing
+ *	a warning if they were. do this in the main
+ *	program.
+ * TODO: the unit tests would include an aggressive set
+ *	of fuzz tests, under controlled conditions
+ *
+ * TODO: also document the layout of Intel GbE files, so
+ *       that wily individuals can easily expand the
+ *	featureset of nvmutil.
+ * TODO: remove some clever code, e.g.:
+ *	rw_type == PLESEN << 2
+ *	make stuff like that clearer.
+ *	ditto the invert copy/swap trick
+ * TODO: write a manpage
+ * TODO: simplify the command sanitization, implement more
+ *	of it as build time checks, e.g. static asserts.
+ *	generally remove cleverness from the code, instead
+ *	prefyerring readibility
+ * TODO: also document nvmutil's coding style, which is
+ *	its own style at this point!
+ * TODO: when all the above (and possibly more) is done,
+ *	submit this tool to coreboot with a further change
+ *	to their build system that lets users modify
+ *	GbE images, especially set MAC addresses, when
+ *	including GbE files in coreboot configs.
+ */
+/*
+ BONUS TODO:
+ CI/CD. woodpecker is good enough, sourcehut also has one.
+	tie this in with other things mentioned here, 
+	e.g. fuzzer / unit tests
+*/
+
+/* Major TODO: reproducible builds
+Test with and without these:
+
+CFLAGS += -fno-record-gcc-switches
+CFLAGS += -ffile-prefix-map=$(PWD)=.
+CFLAGS += -fdebug-prefix-map=$(PWD)=.
+
+I already avoid unique timestamps per-build,
+by not using them, e.g. not reporting build
+time in the program.
+
+When splitting the nvmutil.c file later, do e.g.:
+
+SRC = main.c io.c nvm.c cmd.c
+OBJ = $(SRC:.c=.o)
+
+^ explicitly declare the order in which to build
+*/
+
+/*
+TODO:
+further note when fuzzing is implemented:
+use deterministic randomisation, with a
+guaranteed seed - so e.g. don't use /dev/urandom
+in test builds. e.g. just use normal rand()
+but with a static seed e.g. 1234
+*/
+/*
+TODO: stricter build flags, e.g.
+CFLAGS += -fstack-protector-strong
+CFLAGS += -fno-common
+CFLAGS += -D_FORTIFY_SOURCE=2
+CFLAGS += -fPIE
+*/
+
 #ifndef _XOPEN_SOURCE
 #define _XOPEN_SOURCE 500
 #endif
@@ -27,6 +156,7 @@
 #include <sys/param.h>
 #endif
 #include <sys/types.h>
+#include <sys/time.h>
 #include <sys/stat.h>
 
 #include <errno.h>
@@ -51,6 +181,7 @@ typedef unsigned int   uint32_t;
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <time.h>
 #include <unistd.h>
 
 typedef char static_assert_char_is_8_bits[(CHAR_BIT == 8) ? 1 : -1];
@@ -161,6 +292,8 @@ static void set_mac_nib(size_t mac_str_pos,
     size_t mac_byte_pos, size_t mac_nib_pos);
 static uint16_t hextonum(char ch_s);
 static uint16_t rhex(void);
+static uint16_t fallback_rand(void);
+static unsigned long entropy_jitter(void);
 static void write_mac_part(size_t partnum);
 
 /*
@@ -211,6 +344,8 @@ static off_t gbe_x_offset(size_t part, const char *f_op,
     const char *d_type, off_t nsize, off_t ncmp);
 static ssize_t rw_file_exact(int fd, uint8_t *mem, size_t len,
     off_t off, int rw_type);
+static ssize_t rw_file_once(int fd, uint8_t *mem, size_t len,
+    off_t off, int rw_type, size_t rc);
 static ssize_t do_rw(int fd,
     uint8_t *mem, size_t len, off_t off, int rw_type);
 static ssize_t prw(int fd, void *mem, size_t nrw,
@@ -260,7 +395,6 @@ static void usage(uint8_t usage_exit);
 #define items(x) (sizeof((x)) / sizeof((x)[0]))
 
 static const char newrandom[] = "/dev/urandom";
-static const char oldrandom[] = "/dev/random"; /* fallback on OLD unix */
 static const char *rname = NULL;
 
 /*
@@ -434,6 +568,8 @@ static size_t cmd_index = CMD_NULL;
 typedef char assert_argc3[(ARGC_3==3)?1:-1];
 typedef char assert_argc4[(ARGC_4==4)?1:-1];
 
+static int use_prng = 0;
+
 int
 main(int argc, char *argv[])
 {
@@ -447,8 +583,8 @@ main(int argc, char *argv[])
 #ifdef NVMUTIL_UNVEIL
 	if (pledge("stdio rpath wpath unveil", NULL) == -1)
 		err(errno, "pledge");
-	if (unveil("/dev/null", "r") == -1)
-		err(errno, "unveil '/dev/null'");
+	if (unveil("/dev/urandom", "r") == -1)
+		err(errno, "unveil /dev/urandom");
 #else
 	if (pledge("stdio rpath wpath", NULL) == -1)
 		err(errno, "pledge");
@@ -718,8 +854,9 @@ open_dev_urandom(void)
 	if (urandom_fd != -1)
 		return;
 
-	rname = oldrandom;
-	urandom_fd = open(rname, O_RDONLY);
+	/* fallback on VERY VERY VERY old unix */
+	use_prng = 1;
+	srand((unsigned)(time(NULL) ^ getpid()));
 }
 
 static void
@@ -996,8 +1133,8 @@ rhex(void)
 	static size_t n = 0;
 	static uint8_t rnum[12];
 
-	if (urandom_fd < 0)
-		err(ECANCELED, "Your operating system has no /dev/[u]random");
+	if (use_prng)
+		return fallback_rand();
 
 	if (!n) {
 		n = sizeof(rnum);
@@ -1008,6 +1145,52 @@ rhex(void)
 	return (uint16_t)(rnum[--n] & 0xf);
 }
 
+static uint16_t
+fallback_rand(void)
+{
+	struct timeval tv;
+	unsigned long mix;
+	static unsigned long counter = 0;
+
+	gettimeofday(&tv, NULL);
+
+	mix = (unsigned long)tv.tv_sec
+	    ^ (unsigned long)tv.tv_usec
+	    ^ (unsigned long)getpid()
+	    ^ (unsigned long)&mix
+	    ^ counter++
+	    ^ entropy_jitter();
+
+	/*
+	 * Stack addresses can vary between
+	 * calls, thus increasing entropy.
+	 */
+	mix ^= (unsigned long)&mix;
+	mix ^= (unsigned long)&tv;
+	mix ^= (unsigned long)&counter;
+
+	return (uint16_t)(mix & 0xf);
+}
+
+static unsigned long
+entropy_jitter(void)
+{
+	struct timeval a, b;
+	unsigned long mix = 0;
+	int i;
+
+	for (i = 0; i < 8; i++) {
+		gettimeofday(&a, NULL);
+		getpid();
+		gettimeofday(&b, NULL);
+
+		mix ^= (unsigned long)(b.tv_usec - a.tv_usec);
+		mix ^= (unsigned long)&mix;
+	}
+
+	return mix;
+}
+
 static void
 write_mac_part(size_t partnum)
 {
@@ -1362,41 +1545,91 @@ gbe_x_offset(size_t p, const char *f_op, const char *d_type,
  * be used on sockets or pipes, because 0-byte
  * reads are treated like fatal errors. This
  * means that EOF is also considered fatal.
+ *
+ * WARNING: Do not use O_APPEND on open() when
+ * using this function. If you do, POSIX allows
+ * write() to ignore the current file offset and
+ * write at EOF, which means that our use of
+ * lseek in prw() does not guarantee writing at
+ * a specified offset. So if using PSCHREIB or
+ * PLESEN, make sure not to pass a file descriptor
+ * with the O_APPEND flag. Alternatively, modify
+ * do_rw() to directly use pwrite() and pread()
+ * instead of prw().
  */
 static ssize_t
 rw_file_exact(int fd, uint8_t *mem, size_t len,
     off_t off, int rw_type)
 {
-	ssize_t rval = 0;
-	size_t rc = 0;
+	ssize_t rv;
+	size_t rc;
 
 	if (fd < 0 || !len || len > (size_t)SSIZE_MAX) {
 		errno = EIO;
 		return -1;
 	}
 
-	while (rc < len) {
-		rval = do_rw(fd, mem + rc, len - rc, off + rc, rw_type);
-
-		if (rval < 0 && errno == EINTR) {
-			continue;
-		} else if (rval < 0) {
-			errno = EIO;
-			return -1;
-		}
-		if ((size_t)rval > (len - rc) /* Prevent overflow */
-		    || rval == 0) { /* Prevent infinite 0-byte loop */
-			errno = EIO;
+	for (rc = 0, rv = 0; rc < len; rc += (size_t)rv) {
+		if ((rv = rw_file_once(fd, mem, len, off, rw_type, rc)) == -1)
 			return -1;
-		}
-
-		rc += (size_t)rval;
 	}
 
 	return rc;
 }
 
 static ssize_t
+rw_file_once(int fd, uint8_t *mem, size_t len,
+    off_t off, int rw_type, size_t rc)
+{
+	ssize_t rv;
+	size_t retries_on_zero = 0;
+	size_t max_retries = 10;
+read_again:
+	rv = do_rw(fd, mem + rc, len - rc, off + rc, rw_type);
+
+	if (rv < 0 && errno == EINTR) {
+		goto read_again;
+	} else if (rv < 0) {
+		errno = EIO;
+		return -1;
+	}
+
+	/*
+	 * Theoretical bug: if a buggy libc returned
+	 * a size larger than SSIZE_MAX, the cast may
+	 * cause an overflow. Specifications guarantee
+	 * this won't happen, but spec != implementation
+	 */
+	if ((size_t)rv > SSIZE_MAX) {
+		errno = EIO;
+		return -1;
+		/* we do not tolerate buggy libc */
+	}
+
+	if (!((size_t)rv > (len - rc) /* don't overflow */
+	    || rv == 0)) 
+		return rv;
+
+	/* Prevent infinite 0-byte loop */
+	if (rv != 0) {
+		errno = EIO;
+		return -1;
+	}
+	/*
+	 * Fault tolerance against infinite
+	 * zero-byte loop: re-try a finite
+	 * number of times. This mitigates
+	 * otherwise OK but slow filesystems
+	 * e.g. NFS or slow media.
+	 */
+	if (retries_on_zero++ < max_retries)
+		goto read_again;
+
+	errno = EIO;
+	return -1;
+}
+
+static ssize_t
 do_rw(int fd, uint8_t *mem,
     size_t len, off_t off, int rw_type)
 {