diff options
Diffstat (limited to 'util/nvmutil')
| -rw-r--r-- | util/nvmutil/.gitignore | 3 | ||||
| -rw-r--r-- | util/nvmutil/AUTHORS | 1 | ||||
| -rw-r--r-- | util/nvmutil/COPYING | 3 | ||||
| -rw-r--r-- | util/nvmutil/ChangeLog.md | 8 | ||||
| -rw-r--r-- | util/nvmutil/Makefile | 43 | ||||
| -rw-r--r-- | util/nvmutil/README.md | 4 | ||||
| -rw-r--r-- | util/nvmutil/nvmutil.c | 3020 | ||||
| -rw-r--r-- | util/nvmutil/nvmutil.h | 465 | ||||
| -rw-r--r-- | util/nvmutil/todo.c | 134 |
9 files changed, 3464 insertions, 217 deletions
diff --git a/util/nvmutil/.gitignore b/util/nvmutil/.gitignore new file mode 100644 index 00000000..802202a4 --- /dev/null +++ b/util/nvmutil/.gitignore @@ -0,0 +1,3 @@ +/nvm +/nvmutil +*.bin diff --git a/util/nvmutil/AUTHORS b/util/nvmutil/AUTHORS index f3c00385..f38ea210 100644 --- a/util/nvmutil/AUTHORS +++ b/util/nvmutil/AUTHORS @@ -1 +1,2 @@ Leah Rowe +Riku Viitanen diff --git a/util/nvmutil/COPYING b/util/nvmutil/COPYING index 784581dd..47c35a86 100644 --- a/util/nvmutil/COPYING +++ b/util/nvmutil/COPYING @@ -1,4 +1,5 @@ -Copyright (C) 2022, 2023 Leah Rowe <leah@libreboot.org> +Copyright (C) 2022-2026 Leah Rowe <leah@libreboot.org> +Copyright (c) 2023 Riku Viitanen <riku.viitanen@protonmail.com> Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the diff --git a/util/nvmutil/ChangeLog.md b/util/nvmutil/ChangeLog.md deleted file mode 100644 index e1ed5754..00000000 --- a/util/nvmutil/ChangeLog.md +++ /dev/null @@ -1,8 +0,0 @@ -This change log has moved. Please refer here for historical pre-osboot-merge -changes: - -<https://libreboot.org/docs/install/nvmutilimport.html> - -Osboot merged with Libreboot on November 17th, 2022. For nvmutil changes after -this date, please check regular Libreboot release announcements which shall -now specify any such changes. diff --git a/util/nvmutil/Makefile b/util/nvmutil/Makefile index f25f6dd5..025e87e1 100644 --- a/util/nvmutil/Makefile +++ b/util/nvmutil/Makefile @@ -1,16 +1,39 @@ # SPDX-License-Identifier: MIT -# SPDX-FileCopyrightText: 2022 Leah Rowe <leah@libreboot.org> -# SPDX-FileCopyrightText: 2023 Riku Viitanen <riku.viitanen@protonmail.com> +# Copyright (c) 2022,2026 Leah Rowe <leah@libreboot.org> +# Copyright (c) 2023 Riku Viitanen <riku.viitanen@protonmail.com> -CC=cc -CFLAGS=-Os -Wall -Wextra -Werror -pedantic -PREFIX?=/usr/bin +CC?=cc +CSTD?=-std=c90 +WERROR?=-Werror +CWARN?=-Wall -Wextra -pedantic +COPT?=-Os +CFLAGS?=$(CWARN) $(CSTD) +LDFLAGS?= +DESTDIR?= +PREFIX?=/usr/local +INSTALL?=install +LDIR?=-I. -nvm: nvmutil.c - $(CC) $(CFLAGS) nvmutil.c -o nvm +OPTS=$(LDIR) $(COPT) $(WERROR) $(CFLAGS) $(LDFLAGS) -install: nvm - install nvm $(PREFIX)/nvm +PROG=nvmutil + +all: $(PROG) + +$(PROG): nvmutil.c + $(CC) $(OPTS) nvmutil.c -o $(PROG) + +install: $(PROG) + $(INSTALL) -d $(DESTDIR)$(PREFIX)/bin + $(INSTALL) $(PROG) $(DESTDIR)$(PREFIX)/bin/$(PROG) + chmod 755 $(DESTDIR)$(PREFIX)/bin/$(PROG) + +uninstall: + rm -f $(DESTDIR)$(PREFIX)/bin/$(PROG) clean: - rm -f nvm + rm -f $(PROG) + +distclean: clean + +.PHONY: all install uninstall clean distclean diff --git a/util/nvmutil/README.md b/util/nvmutil/README.md deleted file mode 100644 index 03a25bc4..00000000 --- a/util/nvmutil/README.md +++ /dev/null @@ -1,4 +0,0 @@ - -This documentation has become part of lbwww. See: - -<https://libreboot.org/docs/install/nvmutil.html> diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c index 35abbfae..e536e273 100644 --- a/util/nvmutil/nvmutil.c +++ b/util/nvmutil/nvmutil.c @@ -1,281 +1,2913 @@ -/* SPDX-License-Identifier: MIT */ -/* SPDX-FileCopyrightText: 2022, 2023 Leah Rowe <leah@libreboot.org> */ -/* SPDX-FileCopyrightText: 2023 Riku Viitanen <riku.viitanen@protonmail.com> */ +/* SPDX-License-Identifier: MIT + * + * Copyright (c) 2022-2026 Leah Rowe <leah@libreboot.org> + * Copyright (c) 2023 Riku Viitanen <riku.viitanen@protonmail.com> + * + * This tool lets you modify Intel GbE NVM (Gigabit Ethernet + * Non-Volatile Memory) images, e.g. change the MAC address. + * These images configure your Intel Gigabit Ethernet adapter. + * + * This code is designed to be portable, running on as many + * Unix and Unix-like systems as possible (mainly BSD/Linux). + * + * Recommended CFLAGS for Clang/GCC: + * + * -Os -Wall -Wextra -Werror -pedantic -std=c90 + */ +#ifdef __OpenBSD__ +#include <sys/param.h> +#endif +#include <sys/types.h> #include <sys/stat.h> -#include <dirent.h> -#include <err.h> #include <errno.h> #include <fcntl.h> -#include <stdint.h> +#include <limits.h> +#include <stdarg.h> +#include <stddef.h> #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <time.h> #include <unistd.h> -void cmd_setchecksum(void), cmd_brick(void), cmd_copy(void), writeGbeFile(void), - cmd_dump(void), cmd_setmac(void), readGbeFile(void), showmac(int partnum), - hexdump(int partnum), handle_endianness(int partnum), openFiles(const char *path); -int macAddress(const char *strMac, uint16_t *mac), validChecksum(int partnum); -uint8_t hextonum(char chs), rhex(void); - -#define COMMAND argv[2] -#define MAC_ADDRESS argv[3] -#define PARTNUM argv[3] -#define SIZE_4KB 0x1000 - -uint16_t buf16[SIZE_4KB], mac[3] = {0, 0, 0}; -uint8_t *buf = (uint8_t *) &buf16; -size_t nf = 128, gbe[2]; -uint8_t nvmPartModified[2] = {0, 0}, skipread[2] = {0, 0}; -int e = 1, flags = O_RDWR, rfd, fd, part, gbeFileModified = 0; - -const char *strMac = NULL, *strRMac = "??:??:??:??:??:??", *filename = NULL; - -typedef struct op { - char *str; - void (*cmd)(void); - int args; -} op_t; -op_t op[] = { -{ .str = "dump", .cmd = cmd_dump, .args = 3}, -{ .str = "setmac", .cmd = cmd_setmac, .args = 3}, -{ .str = "swap", .cmd = writeGbeFile, .args = 3}, -{ .str = "copy", .cmd = cmd_copy, .args = 4}, -{ .str = "brick", .cmd = cmd_brick, .args = 4}, -{ .str = "setchecksum", .cmd = cmd_setchecksum, .args = 4}, -}; -void (*cmd)(void) = NULL; - -#define ERR() errno = errno ? errno : ECANCELED -#define err_if(x) if (x) err(ERR(), "%s", filename) - -#define xopen(f,l,p) if (opendir(l) != NULL) err(errno = EISDIR, "%s", l); \ - if ((f = open(l, p)) == -1) err(ERR(), "%s", l); \ - if (fstat(f, &st) == -1) err(ERR(), "%s", l) - -#define word(pos16, partnum) buf16[pos16 + (partnum << 11)] -#define setWord(pos16, p, val16) if ((gbeFileModified = 1) && \ - word(pos16, p) != val16) nvmPartModified[p] = 1 | (word(pos16, p) = val16) +#include "nvmutil.h" + +/* + * Program state/command table + * Default config stored here, + * and copied to a newly allocated + * buffer in memory, then the pointer + * is passed. The rest of the program + * will manipulate this data. + */ +struct xstate * +new_xstate(void) +{ + static struct xstate us = { + /* .cmd (update cmd[] in the struct if adding to it) + DO NOT FORGET. or C will init zeroes/NULLs */ + + /* cmd[] members */ + /* DO NOT MESS THIS UP */ + /* items must be set *exactly* */ + { + { + CMD_DUMP, "dump", cmd_helper_dump, ARGC_3, + ARG_NOPART, + SKIP_CHECKSUM_READ, SKIP_CHECKSUM_WRITE, + NVM_SIZE, O_RDONLY + }, { + CMD_SETMAC, "setmac", cmd_helper_setmac, ARGC_3, + ARG_NOPART, + CHECKSUM_READ, CHECKSUM_WRITE, + NVM_SIZE, O_RDWR + }, { + CMD_SWAP, "swap", cmd_helper_swap, ARGC_3, + ARG_NOPART, + CHECKSUM_READ, SKIP_CHECKSUM_WRITE, + GBE_PART_SIZE, O_RDWR + }, { + CMD_COPY, "copy", cmd_helper_copy, ARGC_4, + ARG_PART, + CHECKSUM_READ, SKIP_CHECKSUM_WRITE, + GBE_PART_SIZE, O_RDWR + }, { + CMD_CAT, "cat", cmd_helper_cat, ARGC_3, + ARG_NOPART, + CHECKSUM_READ, SKIP_CHECKSUM_WRITE, + GBE_PART_SIZE, O_RDONLY + }, { + CMD_CAT16, "cat16", cmd_helper_cat, ARGC_3, + ARG_NOPART, + CHECKSUM_READ, SKIP_CHECKSUM_WRITE, + GBE_PART_SIZE, O_RDONLY + }, { + CMD_CAT128, "cat128", cmd_helper_cat, ARGC_3, + ARG_NOPART, + CHECKSUM_READ, SKIP_CHECKSUM_WRITE, + GBE_PART_SIZE, O_RDONLY + } + }, + + /* ->mac */ + {NULL, "xx:xx:xx:xx:xx:xx", {0, 0, 0}}, /* .str, .rmac, .mac_buf */ + + /* .buf */ + {0}, + + /* .argv0 (for our getprogname implementation) */ + NULL, + + /* ->i (index to cmd[]) */ + 0, + + /* .no_cmd (set 0 when a command is found) */ + 1, + + /* .xsize (size of the stuct will be stored here later) */ + 0 + + }; + + struct xstate *xs_new; + + us.xsize = sizeof(us); + + xs_new = malloc(us.xsize); + if (xs_new == NULL) + err(ECANCELED, "Could not initialise new state"); + + memcpy(xs_new, &us, us.xsize); + + /* + * Some pointers should be set + * in the copy, not the template, + * if they point to other items + * in the struct, because if they + * were set before copy, then copied, + * the copied pointer would be invalid, + * referring to the reference struct + * + * e.g. ->f.buf (gbe tmp file work memory): + */ + + xs_new->f.buf = xs_new->f.real_buf; + + xs_new->f.gbe_fd = -1; + xs_new->f.tmp_fd = -1; + + xs_new->f.tname = NULL; + xs_new->f.fname = NULL; + + return xs_new; +} + +static struct xstate *nv = NULL; int main(int argc, char *argv[]) { - if (argc < 3) { - fprintf(stderr, "USAGE:\n"); - fprintf(stderr, " %s FILE dump\n", argv[0]); - fprintf(stderr, " %s FILE setmac [MAC]\n", argv[0]); - fprintf(stderr, " %s FILE swap\n", argv[0]); - fprintf(stderr, " %s FILE copy 0|1\n", argv[0]); - fprintf(stderr, " %s FILE brick 0|1\n", argv[0]); - fprintf(stderr, " %s FILE setchecksum 0|1\n", argv[0]); - err(errno = ECANCELED, "Too few arguments"); - } - flags = (strcmp(COMMAND, "dump") == 0) ? O_RDONLY : flags; - filename = argv[1]; -#ifdef __OpenBSD__ - err_if(unveil("/dev/urandom", "r") == -1); - err_if(unveil(filename, flags == O_RDONLY ? "r" : "rw") == -1); - err_if(pledge(flags == O_RDONLY ? "stdio rpath" : "stdio rpath wpath", - NULL) == -1); + struct commands *cmd; + struct xfile *f; + + unsigned long *i; + + nv = new_xstate(); + if (nv == NULL) + err(errno, NULL); + + nv->argv0 = argv[0]; + if (argc < 3) + usage(); + + if (CHAR_BIT != 8) + err(EINVAL, "Unsupported char size"); + + f = &nv->f; + + f->fname = argv[1]; + +#ifdef NVMUTIL_UNVEIL + /* + * if global tmp is a different filesystem, + * unveil would trap on final file rename + * and we can't know the path in advance + */ + f->tname = new_tmpfile(&f->tmp_fd, 1, NULL); +#else + f->tname = new_tmpfile(&f->tmp_fd, 0, NULL); +#endif + + if (f->tname == NULL) + err(errno, "Can't create tmpfile"); + +#ifdef NVMUTIL_PLEDGE +#ifdef NVMUTIL_UNVEIL + if (pledge("stdio flock rpath wpath cpath unveil", NULL) == -1) + err(errno, "pledge, unveil"); + if (unveil("/dev/urandom", "r") == -1) + err(errno, "unveil: /dev/urandom"); + if (unveil("/dev/random", "r") == -1) + err(errno, "unveil: /dev/random"); +#else + if (pledge("stdio flock rpath wpath cpath", NULL) == -1) + err(errno, "pledge"); #endif - openFiles(filename); -#ifdef __OpenBSD__ - err_if(pledge("stdio", NULL) == -1); #endif - for (int i = 0; i < 6; i++) - if (strcmp(COMMAND, op[i].str) == 0) - if ((cmd = argc >= op[i].args ? op[i].cmd : NULL)) - break; - if (cmd == cmd_setmac) - strMac = (argc > 3) ? MAC_ADDRESS : strRMac; - else if ((cmd != NULL) && (argc > 3)) - err_if((errno = (!((part = PARTNUM[0] - '0') == 0 || part == 1)) - || PARTNUM[1] ? EINVAL : errno)); - err_if((errno = (cmd == NULL) ? EINVAL : errno)); + sanitize_command_list(); + + set_cmd(argc, argv); + set_cmd_args(argc, argv); + + i = &nv->i; + cmd = &nv->cmd[*i]; + +#ifdef NVMUTIL_UNVEIL + if (cmd->flags == O_RDONLY) { + if (unveil(fname, "r") == -1) + err(errno, "%s: unveil r", fname); + } else { + if (unveil(fname, "rwc") == -1) + err(errno, "%s: unveil rw", fname); + } + + if (unveil(tname, "rwc") == -1) + err(errno, "%s: unveil rwc", tname); + + if (unveil(NULL, NULL) == -1) + err(errno, "unveil block (rw)"); + + if (pledge("stdio flock rpath wpath cpath", NULL) == -1) + err(errno, "pledge (kill unveil)"); +#endif + + srand((unsigned int)(time(NULL) ^ getpid())); + + open_gbe_file(); + + memset(f->buf, 0, GBE_BUF_SIZE); + memset(f->bufcmp, 0, GBE_BUF_SIZE); + + copy_gbe(); + + read_checksums(); + + run_cmd(); + + if (cmd->flags == O_RDWR) + write_to_gbe_bin(); + + if (exit_cleanup() == -1) + err(EIO, "%s: close", f->fname); - readGbeFile(); - (*cmd)(); + if (f->io_err_gbe_bin) + err(EIO, "%s: error writing final file"); - if ((gbeFileModified) && (flags != O_RDONLY) && (cmd != writeGbeFile)) - writeGbeFile(); - err_if((errno != 0) && (cmd != cmd_dump)); - return errno; + if (f->tname != NULL) + free(f->tname); + + return EXIT_SUCCESS; } +/* + * Guard against regressions by maintainers (command table) + */ void -openFiles(const char *path) +sanitize_command_list(void) { - struct stat st; - xopen(fd, path, flags); - if ((st.st_size != (SIZE_4KB << 1))) - err(errno = ECANCELED, "File `%s` not 8KiB", path); - xopen(rfd, "/dev/urandom", O_RDONLY); - errno = errno != ENOTDIR ? errno : 0; + unsigned long c; + unsigned long num_commands = items(nv->cmd); + + for (c = 0; c < num_commands; c++) + sanitize_command_index(c); } +/* + * TODO: specific config checks per command + */ void -readGbeFile(void) +sanitize_command_index(unsigned long c) { - nf = ((cmd == writeGbeFile) || (cmd == cmd_copy)) ? SIZE_4KB : nf; - skipread[part ^ 1] = (cmd == cmd_copy) | (cmd == cmd_setchecksum) - | (cmd == cmd_brick); - gbe[1] = (gbe[0] = (size_t) buf) + SIZE_4KB; - for (int p = 0; p < 2; p++) { - if (skipread[p]) - continue; - err_if(pread(fd, (uint8_t *) gbe[p], nf, p << 12) == -1); - handle_endianness(p); + unsigned long gbe_rw_size; + + struct commands *cmd = &nv->cmd[c]; + + check_command_num(c); + + if (cmd->argc < 3) + err(EINVAL, "cmd index %lu: argc below 3, %d", + (unsigned long)c, cmd->argc); + + if (cmd->str == NULL) + err(EINVAL, "cmd index %lu: NULL str", + (unsigned long)c); + + if (*cmd->str == '\0') + err(EINVAL, "cmd index %lu: empty str", + (unsigned long)c); + + if (xstrxlen(cmd->str, MAX_CMD_LEN + 1) > + MAX_CMD_LEN) { + err(EINVAL, "cmd index %lu: str too long: %s", + (unsigned long)c, cmd->str); } + + if (cmd->run == NULL) + err(EINVAL, "cmd index %lu: cmd ptr null", + (unsigned long)c); + + check_bin(cmd->arg_part, "cmd.arg_part"); + check_bin(cmd->chksum_read, "cmd.chksum_read"); + check_bin(cmd->chksum_write, "cmd.chksum_write"); + + gbe_rw_size = cmd->rw_size; + + switch (gbe_rw_size) { + case GBE_PART_SIZE: + case NVM_SIZE: + break; + default: + err(EINVAL, "Unsupported rw_size: %lu", + (unsigned long)gbe_rw_size); + } + + if (gbe_rw_size > GBE_PART_SIZE) + err(EINVAL, "rw_size larger than GbE part: %lu", + (unsigned long)gbe_rw_size); + + if (cmd->flags != O_RDONLY && + cmd->flags != O_RDWR) + err(EINVAL, "invalid cmd.flags setting"); } void -cmd_setmac(void) +set_cmd(int argc, char *argv[]) { - if (macAddress(strMac, mac)) - err(errno = ECANCELED, "Bad MAC address"); - for (int partnum = 0; partnum < 2; partnum++) { - if (!validChecksum(part = partnum)) + const char *cmd; + + unsigned long i = 0; + + for (i = 0; i < items(nv->cmd); i++) { + + cmd = nv->cmd[i].str; + + /* not the right command */ + if (xstrxcmp(argv[2], cmd, MAX_CMD_LEN) != 0) continue; - for (int w = 0; w < 3; w++) - setWord(w, partnum, mac[w]); - cmd_setchecksum(); + + /* valid command found */ + if (argc >= nv->cmd[i].argc) { + nv->no_cmd = 0; + nv->i = i; /* set command */ + + return; + } + + err(EINVAL, + "Too few args on command '%s'", cmd); } + + nv->no_cmd = 1; } +void +set_cmd_args(int argc, char *argv[]) +{ + unsigned char arg_part; + unsigned long i; + + struct xfile *f; + struct commands *cmd; + + if (!valid_command(nv->i) || argc < 3) + usage(); + + if (nv->no_cmd) + usage(); + + i = nv->i; + f = &nv->f; + + cmd = &nv->cmd[i]; + + arg_part = cmd->arg_part; + + /* Maintainer bugs */ + if (arg_part && argc < 4) + err(EINVAL, + "arg_part set for command that needs argc4"); + + if (arg_part && i == CMD_SETMAC) + err(EINVAL, + "arg_part set on CMD_SETMAC"); + + if (i == CMD_SETMAC) { + + if (argc >= 4) + nv->mac.str = argv[3]; + else + nv->mac.str = nv->mac.rmac; + + } else if (arg_part) { + + f->part = conv_argv_part_num(argv[3]); + } +} + +unsigned long +conv_argv_part_num(const char *part_str) +{ + unsigned char ch; + + if (part_str[0] == '\0' || part_str[1] != '\0') + err(EINVAL, "Partnum string '%s' wrong length", part_str); + + /* char signedness is implementation-defined */ + ch = (unsigned char)part_str[0]; + if (ch < '0' || ch > '1') + err(EINVAL, "Bad part number (%c)", ch); + + return (unsigned long)(ch - '0'); +} + +/* + * Portable strcmp() but blocks NULL/empty/unterminated + * strings. Even stricter than strncmp(). + */ int -macAddress(const char *strMac, uint16_t *mac) -{ - uint64_t total = 0; - if (strnlen(strMac, 20) == 17) { - for (uint8_t h, i = 0; i < 16; i += 3) { - if (i != 15) - if (strMac[i + 2] != ':') - return 1; - int byte = i / 3; - for (int nib = 0; nib < 2; nib++, total += h) { - if ((h = hextonum(strMac[i + nib])) > 15) - return 1; - if ((byte == 0) && (nib == 1)) - if (strMac[i + nib] == '?') - h = (h & 0xE) | 2; /* local, unicast */ - mac[byte >> 1] |= ((uint16_t ) h) - << ((8 * (byte % 2)) + (4 * (nib ^ 1))); +xstrxcmp(const char *a, const char *b, unsigned long maxlen) +{ + unsigned long i; + + if (a == NULL || b == NULL) + err(EINVAL, "NULL input to xstrxcmp"); + + if (*a == '\0' || *b == '\0') + err(EINVAL, "Empty string in xstrxcmp"); + + for (i = 0; i < maxlen; i++) { + unsigned char ac = (unsigned char)a[i]; + unsigned char bc = (unsigned char)b[i]; + + if (ac == '\0' || bc == '\0') { + if (ac == bc) + return 0; + return ac - bc; } - }} - return ((total == 0) | (mac[0] & 1)); /* multicast/all-zero banned */ + + if (ac != bc) + return ac - bc; + } + + /* + * We reached maxlen, so assume unterminated string. + */ + err(EINVAL, "Unterminated string in xstrxcmp"); + + /* + * Should never reach here. This keeps compilers happy. + */ + errno = EINVAL; + return -1; +} + +void +open_gbe_file(void) +{ + struct stat _st; + int _flags; + + unsigned long *i = &nv->i; + + struct commands *cmd = &nv->cmd[*i]; + + struct xfile *f = &nv->f; + + xopen(&f->gbe_fd, f->fname, + cmd->flags | O_BINARY | + O_NOFOLLOW | O_CLOEXEC, &_st); + + /* inode will be checked later on write */ + f->gbe_dev = _st.st_dev; + f->gbe_ino = _st.st_ino; + + if (_st.st_nlink > 1) + err(EINVAL, + "%s: warning: file has multiple (%lu) hard links\n", + f->fname, (unsigned long)_st.st_nlink); + + if (_st.st_nlink == 0) + err(EIO, "%s: file unlinked while open", f->fname); + + _flags = fcntl(f->gbe_fd, F_GETFL); + if (_flags == -1) + err(errno, "%s: fcntl(F_GETFL)", f->fname); + + /* + * O_APPEND must not be used, because this + * allows POSIX write() to ignore the + * current write offset and write at EOF, + * which would therefore break pread/pwrite + */ + if (_flags & O_APPEND) + err(EIO, "%s: O_APPEND flag", f->fname); + + f->gbe_file_size = _st.st_size; + + switch (f->gbe_file_size) { + case SIZE_8KB: + case SIZE_16KB: + case SIZE_128KB: + break; + default: + err(EINVAL, "File size must be 8KB, 16KB or 128KB"); + } + + if (lock_file(f->gbe_fd) == -1) + err(errno, "%s: can't lock", f->fname); +} + +int +lock_file(int fd) +{ + struct flock fl; + struct commands *cmd = &nv->cmd[nv->i]; + + memset(&fl, 0, sizeof(fl)); + + if (cmd->flags == O_RDONLY) + fl.l_type = F_RDLCK; + else + fl.l_type = F_WRLCK; + + fl.l_whence = SEEK_SET; + + if (fcntl(fd, F_SETLK, &fl) == -1) + return -1; + + return 0; +} + +void +xopen(int *fd_ptr, const char *path, int flags, struct stat *st) +{ + if ((*fd_ptr = open(path, flags)) == -1) + err(errno, "%s", path); + + if (fstat(*fd_ptr, st) == -1) + err(errno, "%s: stat", path); + + if (!S_ISREG(st->st_mode)) + err(errno, "%s: not a regular file", path); + + if (lseek(*fd_ptr, 0, SEEK_CUR) == (off_t)-1) + err(errno, "%s: file not seekable", path); +} + +/* + * We copy the entire gbe file + * to the tmpfile, and then we + * work on that. We copy back + * afterward. this is the copy. + * + * we copy to tmpfile even on + * read-only commands, for the + * double-read verification, + * which also benefits cmd_cat. + */ +void +copy_gbe(void) +{ + struct xfile *f = &nv->f; + + read_file(); + + /* + regular operations post-read operate only on the first + 8KB, because each GbE part is the first 4KB of each + half of the file. + + we no longer care about anything past 8KB, until we get + to writing, at which point we will flush the buffer + again + */ + + if (f->gbe_file_size == SIZE_8KB) + return; + + x_v_memcpy(f->buf + (unsigned long)GBE_PART_SIZE, + f->buf + (unsigned long)(f->gbe_file_size >> 1), + (unsigned long)GBE_PART_SIZE); +} + +void +read_file(void) +{ + long _r; + struct stat _st; + + struct xfile *f = &nv->f; + + /* read main file */ + _r = rw_file_exact(f->gbe_fd, f->buf, f->gbe_file_size, + 0, IO_PREAD, NO_LOOP_EAGAIN, LOOP_EINTR, + MAX_ZERO_RW_RETRY, OFF_ERR); + + if (_r < 0) + err(errno, "%s: read failed", f->fname); + + /* copy to tmpfile */ + + _r = rw_file_exact(f->tmp_fd, f->buf, f->gbe_file_size, + 0, IO_PWRITE, NO_LOOP_EAGAIN, LOOP_EINTR, + MAX_ZERO_RW_RETRY, OFF_ERR); + + if (_r < 0) + err(errno, "%s: %s: copy failed", + f->fname, f->tname); + + /* + * file size comparison + */ + + if (fstat(f->tmp_fd, &_st) == -1) + err(errno, "%s: stat", f->tname); + + f->gbe_tmp_size = _st.st_size; + + if (f->gbe_tmp_size != f->gbe_file_size) + err(EIO, "%s: %s: not the same size", + f->fname, f->tname); + + /* + * fsync tmp gbe file, because we will compare + * its contents to what was read (for safety) + */ + if (x_i_fsync(f->tmp_fd) == -1) + err(errno, "%s: fsync (tmpfile copy)", f->tname); + + _r = rw_file_exact(f->tmp_fd, f->bufcmp, f->gbe_file_size, + 0, IO_PREAD, NO_LOOP_EAGAIN, LOOP_EINTR, + MAX_ZERO_RW_RETRY, OFF_ERR); + + if (_r < 0) + err(errno, "%s: read failed (cmp)", f->tname); + + if (x_i_memcmp(f->buf, f->bufcmp, f->gbe_file_size) != 0) + err(errno, "%s: %s: read contents differ (pre-test)", + f->fname, f->tname); +} + +void +read_checksums(void) +{ + unsigned long _p; + unsigned long _skip_part; + unsigned char _num_invalid; + unsigned char _max_invalid; + + struct xfile *f = &nv->f; + struct commands *cmd = &nv->cmd[nv->i]; + + f->part_valid[0] = 0; + f->part_valid[1] = 0; + + if (!cmd->chksum_read) + return; + + _num_invalid = 0; + _max_invalid = 2; + + if (cmd->arg_part) + _max_invalid = 1; + + /* + * Skip verification on this part, + * but only when arg_part is set. + */ + _skip_part = f->part ^ 1; + + for (_p = 0; _p < 2; _p++) { + /* + * Only verify a part if it was *read* + */ + if (cmd->arg_part && (_p == _skip_part)) + continue; + + f->part_valid[_p] = good_checksum(_p); + if (!f->part_valid[_p]) + ++_num_invalid; + } + + if (_num_invalid >= _max_invalid) { + if (_max_invalid == 1) + err(ECANCELED, "%s: part %lu has a bad checksum", + f->fname, (unsigned long)f->part); + err(ECANCELED, "%s: No valid checksum found in file", + f->fname); + } +} + +int +good_checksum(unsigned long partnum) +{ + unsigned short expected_checksum = + calculated_checksum(partnum); + + unsigned short current_checksum = + nvm_word(NVM_CHECKSUM_WORD, partnum); + + return current_checksum == expected_checksum; +} + +void +run_cmd(void) +{ + unsigned long cmd_num; + struct commands *cmd; + + cmd_num = nv->i; + cmd = &nv->cmd[cmd_num]; + + check_command_num(cmd_num); + + if (cmd->run == NULL) + err(EINVAL, "Command %lu: null ptr", cmd_num); + + cmd->run(); +} + +void +check_command_num(unsigned long c) +{ + if (!valid_command(c)) + err(EINVAL, "Invalid run_cmd arg: %lu", + (unsigned long)c); +} + +unsigned char +valid_command(unsigned long c) +{ + struct commands *cmd; + + if (c >= items(nv->cmd)) + return 0; + + cmd = &nv->cmd[c]; + + if (c != cmd->chk) + err(EINVAL, + "Invalid cmd chk value (%lu) vs arg: %lu", + cmd->chk, c); + + return 1; } -uint8_t -hextonum(char ch) +void +cmd_helper_setmac(void) +{ + unsigned long partnum; + struct macaddr *mac = &nv->mac; + + printf("MAC address to be written: %s\n", mac->str); + parse_mac_string(); + + for (partnum = 0; partnum < 2; partnum++) + write_mac_part(partnum); +} + +void +parse_mac_string(void) { - if ((ch >= '0') && (ch <= '9')) + unsigned long mac_byte; + + struct macaddr *mac = &nv->mac; + + if (xstrxlen(nv->mac.str, 18) != 17) + err(EINVAL, "MAC address is the wrong length"); + + memset(mac->mac_buf, 0, sizeof(mac->mac_buf)); + + for (mac_byte = 0; mac_byte < 6; mac_byte++) + set_mac_byte(mac_byte); + + if ((mac->mac_buf[0] | mac->mac_buf[1] | mac->mac_buf[2]) == 0) + err(EINVAL, "Must not specify all-zeroes MAC address"); + + if (mac->mac_buf[0] & 1) + err(EINVAL, "Must not specify multicast MAC address"); +} + +/* + * strnlen() but aborts on NULL input, and empty strings. + * Our version also prohibits unterminated strings. + * strnlen() was standardized in POSIX.1-2008 and is not + * available on some older systems, so we provide our own. + */ +unsigned long +xstrxlen(const char *scmp, unsigned long maxlen) +{ + unsigned long xstr_index; + + if (scmp == NULL) + err(EINVAL, "NULL input to xstrxlen"); + + if (*scmp == '\0') + err(EINVAL, "Empty string in xstrxlen"); + + for (xstr_index = 0; + xstr_index < maxlen && scmp[xstr_index] != '\0'; + xstr_index++); + + if (xstr_index == maxlen) + err(EINVAL, "Unterminated string in xstrxlen"); + + return xstr_index; +} + +void +set_mac_byte(unsigned long mac_byte_pos) +{ + unsigned long mac_str_pos = mac_byte_pos * 3; + unsigned long mac_nib_pos; + char separator; + + struct macaddr *mac = &nv->mac; + + if (mac_str_pos < 15) { + if ((separator = mac->str[mac_str_pos + 2]) != ':') + err(EINVAL, "Invalid MAC address separator '%c'", + separator); + } + + for (mac_nib_pos = 0; mac_nib_pos < 2; mac_nib_pos++) + set_mac_nib(mac_str_pos, mac_byte_pos, mac_nib_pos); +} + +void +set_mac_nib(unsigned long mac_str_pos, + unsigned long mac_byte_pos, unsigned long mac_nib_pos) +{ + char mac_ch; + unsigned short hex_num; + + struct macaddr *mac = &nv->mac; + + mac_ch = mac->str[mac_str_pos + mac_nib_pos]; + + if ((hex_num = hextonum(mac_ch)) > 15) + err(EINVAL, "Invalid character '%c'", + mac->str[mac_str_pos + mac_nib_pos]); + + /* + * If random, ensure that local/unicast bits are set. + */ + if ((mac_byte_pos == 0) && (mac_nib_pos == 1) && + ((mac_ch | 0x20) == 'x' || + (mac_ch == '?'))) + hex_num = (hex_num & 0xE) | 2; /* local, unicast */ + + /* + * MAC words stored big endian in-file, little-endian + * logically, so we reverse the order. + */ + mac->mac_buf[mac_byte_pos >> 1] |= hex_num << + (((mac_byte_pos & 1) << 3) /* left or right byte? */ + | ((mac_nib_pos ^ 1) << 2)); /* left or right nib? */ +} + +unsigned short +hextonum(char ch_s) +{ + unsigned char ch = (unsigned char)ch_s; + + if ((unsigned int)(ch - '0') <= 9) return ch - '0'; - else if ((ch >= 'A') && (ch <= 'F')) - return ch - 'A' + 10; - else if ((ch >= 'a') && (ch <= 'f')) + + ch |= 0x20; + + if ((unsigned int)(ch - 'a') <= 5) return ch - 'a' + 10; - return (ch == '?') ? rhex() : 16; + + if (ch == '?' || ch == 'x') + return (unsigned short)rlong() & 0xf; + + return 16; /* invalid character */ +} + +unsigned long +rlong(void) +{ + struct x_st_timeval tv; + static unsigned long mix = 0; + static unsigned long counter = 0; + + static int fd = -1; + unsigned long rval = 0; + long nr = -1; + + x_i_gettimeofday(&tv, NULL); + + mix ^= (unsigned long)tv.tv_sec + ^ (unsigned long)tv.tv_usec + ^ (unsigned long)getpid() + ^ (unsigned long)&mix + ^ counter++ + ^ entropy_jitter(); + + /* + * Stack addresses can vary between + * calls, thus increasing entropy. + */ + mix ^= (unsigned long)&mix; + mix ^= (unsigned long)&tv; + mix ^= (unsigned long)&counter; + + /* + * Now, we won't use this mix + * immediately. We'll try to + * read urandom first, which is + * likely safer, and pass that, + * falling back to the mixture + * if urandom fails. + * + * Since urandom is likely + * reliable, the number of + * times it will fail is + * likely extremely random, + * thus, building more than + * sufficient entropy by the + * time we do eventually use + * the fallback code + */ + + if (fd < 0) + fd = open("/dev/urandom", O_RDONLY | O_BINARY | O_NONBLOCK); + +#if !(defined(__OpenBSD__) && defined(OpenBSD)) || \ + (defined(__OpenBSD__) && defined(OpenBSD) && \ + OpenBSD < 604) + if (fd < 0) /* old openbsd */ + fd = open("/dev/arandom", O_RDONLY | O_BINARY | O_NONBLOCK); +#endif + + if (fd < 0) + fd = open("/dev/random", O_RDONLY | O_BINARY | O_NONBLOCK); + + nr = rw_file_exact(fd, (unsigned char *)&rval, + sizeof(unsigned long), 0, IO_READ, LOOP_EAGAIN, + LOOP_EINTR, MAX_ZERO_RW_RETRY, OFF_ERR); + + if (nr == sizeof(unsigned long)) + return rval; + + return mix; } -uint8_t -rhex(void) +unsigned long +entropy_jitter(void) { - static uint8_t n = 0, rnum[16]; - if (!n) - err_if(pread(rfd, (uint8_t *) &rnum, (n = 15) + 1, 0) == -1); - return rnum[n--] & 0xf; + struct x_st_timeval a, b; + unsigned long mix = 0; + long mix_diff; + int i; + + x_i_gettimeofday(&a, NULL); + + for (i = 0; i < 32; i++) { + getpid(); + x_i_gettimeofday(&b, NULL); + + /* + * prevent negative numbers to prevent overflow, + * which would bias rand to large numbers + */ + mix_diff = (long)(b.tv_usec - a.tv_usec); + if (mix_diff < 0) + mix_diff = -mix_diff; + + mix ^= (unsigned long)(mix_diff); + mix ^= (unsigned long)&mix; + } + + return mix; +} + + + +int +x_i_gettimeofday(struct x_st_timeval *tv, void *tz) +{ + time_t t; + + (void)tz; + + t = time(NULL); + + tv->tv_sec = t; + tv->tv_usec = (long)((unsigned long)clock() % 1000000UL); + + return 0; } void -cmd_dump(void) +write_mac_part(unsigned long partnum) { - for (int partnum = 0, numInvalid = 0; partnum < 2; partnum++) { - if (!validChecksum(partnum)) - ++numInvalid; - printf("MAC (part %d): ", partnum); - showmac(partnum), hexdump(partnum); - errno = ((numInvalid < 2) && (partnum)) ? 0 : errno; + unsigned long w; + + struct xfile *f = &nv->f; + struct macaddr *mac = &nv->mac; + + check_bin(partnum, "part number"); + if (!f->part_valid[partnum]) + return; + + for (w = 0; w < 3; w++) + set_nvm_word(w, partnum, mac->mac_buf[w]); + + printf("Wrote MAC address to part %lu: ", + (unsigned long)partnum); + print_mac_from_nvm(partnum); +} + +void +cmd_helper_dump(void) +{ + unsigned long partnum; + + struct xfile *f = &nv->f; + + f->part_valid[0] = good_checksum(0); + f->part_valid[1] = good_checksum(1); + + for (partnum = 0; partnum < 2; partnum++) { + if (!f->part_valid[partnum]) + fprintf(stderr, + "BAD checksum %04x in part %lu (expected %04x)\n", + nvm_word(NVM_CHECKSUM_WORD, partnum), + (unsigned long)partnum, + calculated_checksum(partnum)); + + printf("MAC (part %lu): ", + (unsigned long)partnum); + print_mac_from_nvm(partnum); + hexdump(partnum); } } void -showmac(int partnum) +print_mac_from_nvm(unsigned long partnum) { - for (int c = 0; c < 3; c++) { - uint16_t val16 = word(c, partnum); - printf("%02x:%02x", val16 & 0xff, val16 >> 8); - printf(c == 2 ? "\n" : ":"); + unsigned long c; + unsigned short val16; + + for (c = 0; c < 3; c++) { + val16 = nvm_word(c, partnum); + printf("%02x:%02x", + (unsigned int)(val16 & 0xff), + (unsigned int)(val16 >> 8)); + if (c == 2) + printf("\n"); + else + printf(":"); } } void -hexdump(int partnum) +hexdump(unsigned long partnum) { - for (int row = 0; row < 8; row++) { - printf("%07x", row << 4); - for (int c = 0; c < 8; c++) { - uint16_t val16 = word((row << 3) + c, partnum); - printf(" %02x%02x", val16 >> 8, val16 & 0xff); - } printf("\n"); + unsigned long c; + unsigned long row; + unsigned short val16; + + for (row = 0; row < 8; row++) { + printf("%08lx ", (unsigned long)((unsigned long)row << 4)); + for (c = 0; c < 8; c++) { + val16 = nvm_word((row << 3) + c, partnum); + if (c == 4) + printf(" "); + printf(" %02x %02x", + (unsigned int)(val16 & 0xff), + (unsigned int)(val16 >> 8)); + } + printf("\n"); } } void -cmd_setchecksum(void) +cmd_helper_swap(void) { - uint16_t val16 = 0; - for (int c = 0; c < 0x3F; c++) - val16 += word(c, part); - setWord(0x3F, part, 0xBABA - val16); + struct xfile *f = &nv->f; + + x_v_memcpy( + f->buf + (unsigned long)GBE_WORK_SIZE, + f->buf, + GBE_PART_SIZE); + + x_v_memcpy( + f->buf, + f->buf + (unsigned long)GBE_PART_SIZE, + GBE_PART_SIZE); + + x_v_memcpy( + f->buf + (unsigned long)GBE_PART_SIZE, + f->buf + (unsigned long)GBE_WORK_SIZE, + GBE_PART_SIZE); + + set_part_modified(0); + set_part_modified(1); } void -cmd_brick(void) +cmd_helper_copy(void) { - if (validChecksum(part)) - setWord(0x3F, part, ((word(0x3F, part)) ^ 0xFF)); + struct xfile *f = &nv->f; + + x_v_memcpy( + f->buf + (unsigned long)((f->part ^ 1) * GBE_PART_SIZE), + f->buf + (unsigned long)(f->part * GBE_PART_SIZE), + GBE_PART_SIZE); + + set_part_modified(f->part ^ 1); } void -cmd_copy(void) +cmd_helper_cat(void) { - if ((gbeFileModified = nvmPartModified[part ^ 1] = validChecksum(part))) - gbe[part ^ 1] = gbe[part]; /* speedhack: copy ptr, not words */ + struct xfile *f = &nv->f; + + unsigned long p = 0; + unsigned long ff = 0; + unsigned long nff = 0; + + unsigned long cmd_num = nv->i; + + fflush(NULL); + + memset(f->pad, 0xff, GBE_PART_SIZE); + + switch (cmd_num) { + case CMD_CAT: + nff = 0; + break; + case CMD_CAT16: + nff = 1; + break; + case CMD_CAT128: + nff = 15; + break; + default: + err(EINVAL, "erroneous call to cat"); + } + + for (p = 0; p < 2; p++) { + cat_buf(f->bufcmp + + (unsigned long)(p * (f->gbe_file_size >> 1))); + + for (ff = 0; ff < nff; ff++) + cat_buf(f->pad); + } } -int -validChecksum(int partnum) +void +cat_buf(unsigned char *b) { - uint16_t total = 0; - for(int w = 0; w <= 0x3F; w++) - total += word(w, partnum); - if (total == 0xBABA) - return 1; - fprintf(stderr, "WARNING: BAD checksum in part %d\n", partnum); - return (errno = ECANCELED) & 0; + if (rw_file_exact(STDOUT_FILENO, b, + GBE_PART_SIZE, 0, IO_WRITE, LOOP_EAGAIN, LOOP_EINTR, + MAX_ZERO_RW_RETRY, OFF_ERR) < 0) + err(errno, "stdout: cat"); } void -writeGbeFile(void) +write_gbe_file(void) { - err_if((cmd == writeGbeFile) && !(validChecksum(0) || validChecksum(1))); - for (int p = 0, x = (cmd == writeGbeFile) ? 1 : 0; p < 2; p++) { - if ((!nvmPartModified[p]) && (cmd != writeGbeFile)) + struct stat _gbe_st; + struct stat _tmp_st; + + unsigned long p; + unsigned char update_checksum; + + struct commands *cmd = &nv->cmd[nv->i]; + struct xfile *f = &nv->f; + + if (cmd->flags == O_RDONLY) + return; + + if (fstat(f->gbe_fd, &_gbe_st) == -1) + err(errno, "%s: re-check", f->fname); + if (_gbe_st.st_dev != f->gbe_dev || _gbe_st.st_ino != f->gbe_ino) + err(EIO, "%s: file replaced while open", f->fname); + if (_gbe_st.st_size != f->gbe_file_size) + err(errno, "%s: file size changed before write", f->fname); + if (!S_ISREG(_gbe_st.st_mode)) + err(errno, "%s: file type changed before write", f->fname); + + if (fstat(f->tmp_fd, &_tmp_st) == -1) + err(errno, "%s: re-check", f->tname); + if (_tmp_st.st_dev != f->tmp_dev || _tmp_st.st_ino != f->tmp_ino) + err(EIO, "%s: file replaced while open", f->tname); + if (_tmp_st.st_size != f->gbe_file_size) + err(errno, "%s: file size changed before write", f->tname); + if (!S_ISREG(_tmp_st.st_mode)) + err(errno, "%s: file type changed before write", f->tname); + + update_checksum = cmd->chksum_write; + + for (p = 0; p < 2; p++) { + if (!f->part_modified[p]) continue; - handle_endianness(p^x); - err_if(pwrite(fd, (uint8_t *) gbe[p^x], nf, p << 12) == -1); + + if (update_checksum) + set_checksum(p); + + rw_gbe_file_part(p, IO_PWRITE, "pwrite"); } - errno = 0; - err_if(close(fd) == -1); } void -handle_endianness(int partnum) +set_checksum(unsigned long p) +{ + check_bin(p, "part number"); + set_nvm_word(NVM_CHECKSUM_WORD, p, calculated_checksum(p)); +} + +unsigned short +calculated_checksum(unsigned long p) +{ + unsigned long c; + unsigned int val16 = 0; + + for (c = 0; c < NVM_CHECKSUM_WORD; c++) + val16 += (unsigned int)nvm_word(c, p); + + return (unsigned short)((NVM_CHECKSUM - val16) & 0xffff); +} + +/* + * GbE NVM files store 16-bit (2-byte) little-endian words. + * We must therefore swap the order when reading or writing. + * + * NOTE: The MAC address words are stored big-endian in the + * file, but we assume otherwise and adapt accordingly. + */ + +unsigned short +nvm_word(unsigned long pos16, unsigned long p) +{ + struct xfile *f = &nv->f; + + unsigned long pos; + + check_nvm_bound(pos16, p); + pos = (pos16 << 1) + (p * GBE_PART_SIZE); + + return (unsigned short)f->buf[pos] | + ((unsigned short)f->buf[pos + 1] << 8); +} + +void +set_nvm_word(unsigned long pos16, unsigned long p, unsigned short val16) +{ + struct xfile *f = &nv->f; + unsigned long pos; + + check_nvm_bound(pos16, p); + pos = (pos16 << 1) + (p * GBE_PART_SIZE); + + f->buf[pos] = (unsigned char)(val16 & 0xff); + f->buf[pos + 1] = (unsigned char)(val16 >> 8); + + set_part_modified(p); +} + +void +set_part_modified(unsigned long p) +{ + struct xfile *f = &nv->f; + + check_bin(p, "part number"); + f->part_modified[p] = 1; +} + +void +check_nvm_bound(unsigned long c, unsigned long p) +{ + /* + * NVM_SIZE assumed as the limit, because this + * current design assumes that we will only + * ever modified the NVM area. + */ + + check_bin(p, "part number"); + + if (c >= NVM_WORDS) + err(ECANCELED, "check_nvm_bound: out of bounds %lu", + (unsigned long)c); +} + +void +check_bin(unsigned long a, const char *a_name) +{ + if (a > 1) + err(EINVAL, "%s must be 0 or 1, but is %lu", + a_name, (unsigned long)a); +} + +void +rw_gbe_file_part(unsigned long p, int rw_type, + const char *rw_type_str) +{ + struct xfile *f = &nv->f; + struct commands *cmd = &nv->cmd[nv->i]; + + long r; + unsigned long gbe_rw_size; + + unsigned char *mem_offset; + + off_t file_offset; + + gbe_rw_size = cmd->rw_size; + + if (rw_type < IO_PREAD || rw_type > IO_PWRITE) + err(errno, "%s: %s: part %lu: invalid rw_type, %d", + f->fname, rw_type_str, (unsigned long)p, rw_type); + + mem_offset = gbe_mem_offset(p, rw_type_str); + file_offset = (off_t)gbe_file_offset(p, rw_type_str); + + r = rw_gbe_file_exact(f->tmp_fd, mem_offset, + gbe_rw_size, file_offset, rw_type); + + if (r == -1) + err(errno, "%s: %s: part %lu", + f->fname, rw_type_str, (unsigned long)p); + + if ((unsigned long)r != gbe_rw_size) + err(EIO, "%s: partial %s: part %lu", + f->fname, rw_type_str, (unsigned long)p); +} + +void +write_to_gbe_bin(void) { - uint8_t *n = (uint8_t *) gbe[partnum]; - for (size_t w = nf * ((uint8_t *) &e)[0], x = 1; w < nf; w += 2, x += 2) - n[w] ^= n[x], n[x] ^= n[w], n[w] ^= n[x]; + struct xfile *f = &nv->f; + + int saved_errno; + int mv; + + struct commands *cmd = &nv->cmd[nv->i]; + + if (cmd->flags != O_RDWR) + return; + + write_gbe_file(); + + /* + * We may otherwise read from + * cache, so we must sync. + */ + if (x_i_fsync(f->tmp_fd) == -1) + err(errno, "%s: fsync (pre-verification)", + f->tname); + + check_written_part(0); + check_written_part(1); + + report_io_err_rw(); + + if (f->io_err_gbe) + err(EIO, "%s: bad write", f->fname); + + /* + * success! + * now just rename the tmpfile + */ + + saved_errno = errno; + + if (x_i_close(f->tmp_fd) == -1) { + fprintf(stderr, "FAIL: %s: close\n", f->tname); + f->io_err_gbe_bin = 1; + } + + if (x_i_close(f->gbe_fd) == -1) { + fprintf(stderr, "FAIL: %s: close\n", f->fname); + f->io_err_gbe_bin = 1; + } + + errno = saved_errno; + + f->tmp_fd = -1; + f->gbe_fd = -1; + + if (!f->io_err_gbe_bin) { + + mv = gbe_mv(); + + if (mv < 0) { + + f->io_err_gbe_bin = 1; + + fprintf(stderr, "%s: %s\n", + f->fname, strerror(errno)); + } else { + /* + * tmpfile removed + * by the rename + */ + + if (f->tname != NULL) + free(f->tname); + + f->tname = NULL; + } + } + + /* + * finally: + * must sync to disk! + * very nearly done + */ + + if (!f->io_err_gbe_bin) + return; + + fprintf(stderr, "FAIL (rename): %s: skipping fsync\n", + f->fname); + if (errno) + fprintf(stderr, + "errno %d: %s\n", errno, strerror(errno)); } + +void +check_written_part(unsigned long p) +{ + struct commands *cmd = &nv->cmd[nv->i]; + struct xfile *f = &nv->f; + + unsigned long gbe_rw_size; + unsigned char *mem_offset; + off_t file_offset; + unsigned char *buf_restore; + struct stat st; + + long r; + + if (!f->part_modified[p]) + return; + + gbe_rw_size = cmd->rw_size; + + /* invert not needed for pwrite */ + mem_offset = gbe_mem_offset(p, "pwrite"); + file_offset = (off_t)gbe_file_offset(p, "pwrite"); + + memset(f->pad, 0xff, sizeof(f->pad)); + + if (fstat(f->gbe_fd, &st) == -1) + err(errno, "%s: fstat (post-write)", f->fname); + if (st.st_dev != f->gbe_dev || st.st_ino != f->gbe_ino) + err(EIO, "%s: file changed during write", f->fname); + + if (fstat(f->tmp_fd, &st) == -1) + err(errno, "%s: fstat (post-write)", f->tname); + if (st.st_dev != f->tmp_dev || st.st_ino != f->tmp_ino) + err(EIO, "%s: file changed during write", f->tname); + + r = rw_gbe_file_exact(f->tmp_fd, f->pad, + gbe_rw_size, file_offset, IO_PREAD); + + if (r == -1) + f->rw_check_err_read[p] = f->io_err_gbe = 1; + else if ((unsigned long)r != gbe_rw_size) + f->rw_check_partial_read[p] = f->io_err_gbe = 1; + else if (x_i_memcmp(mem_offset, f->pad, gbe_rw_size) != 0) + f->rw_check_bad_part[p] = f->io_err_gbe = 1; + + if (f->rw_check_err_read[p] || + f->rw_check_partial_read[p]) + return; + + /* + * We only load one part on-file, into memory but + * always at offset zero, for post-write checks. + * That's why we hardcode good_checksum(0). + */ + buf_restore = f->buf; + f->buf = f->pad; + f->post_rw_checksum[p] = good_checksum(0); + f->buf = buf_restore; +} + +void +report_io_err_rw(void) +{ + struct xfile *f = &nv->f; + + unsigned long p; + + if (!f->io_err_gbe) + return; + + for (p = 0; p < 2; p++) { + if (!f->part_modified[p]) + continue; + + if (f->rw_check_err_read[p]) + fprintf(stderr, + "%s: pread: p%lu (post-verification)\n", + f->fname, (unsigned long)p); + if (f->rw_check_partial_read[p]) + fprintf(stderr, + "%s: partial pread: p%lu (post-verification)\n", + f->fname, (unsigned long)p); + if (f->rw_check_bad_part[p]) + fprintf(stderr, + "%s: pwrite: corrupt write on p%lu\n", + f->fname, (unsigned long)p); + + if (f->rw_check_err_read[p] || + f->rw_check_partial_read[p]) { + fprintf(stderr, + "%s: p%lu: skipped checksum verification " + "(because read failed)\n", + f->fname, (unsigned long)p); + + continue; + } + + fprintf(stderr, "%s: ", f->fname); + + if (f->post_rw_checksum[p]) + fprintf(stderr, "GOOD"); + else + fprintf(stderr, "BAD"); + + fprintf(stderr, " checksum in p%lu on-disk.\n", + (unsigned long)p); + + if (f->post_rw_checksum[p]) { + fprintf(stderr, + " This does NOT mean it's safe. it may be\n" + " salvageable if you use the cat feature.\n"); + } + } +} + +int +gbe_mv(void) +{ + struct xfile *f = &nv->f; + + int r; + int saved_errno; + int tmp_gbe_bin_exists = 1; + + char *dest_tmp = NULL; + int dest_fd = -1; + + saved_errno = errno; + + r = rename(f->tname, f->fname); + + if (r > -1) { + /* + * same filesystem + */ + + tmp_gbe_bin_exists = 0; + + if (fsync_dir(f->fname) < 0) { + f->io_err_gbe_bin = 1; + r = -1; + } + + goto ret_gbe_mv; + } + + if (errno != EXDEV) + goto ret_gbe_mv; + + /* cross-filesystem rename */ + + if ((r = f->tmp_fd = open(f->tname, + O_RDONLY | O_BINARY)) == -1) + goto ret_gbe_mv; + + /* create replacement temp in target directory */ + dest_tmp = new_tmpfile(&dest_fd, 1, f->fname); + if (dest_tmp == NULL) + goto ret_gbe_mv; + + /* copy data */ + + r = rw_file_exact(f->tmp_fd, f->bufcmp, + f->gbe_file_size, 0, IO_PREAD, + NO_LOOP_EAGAIN, LOOP_EINTR, + MAX_ZERO_RW_RETRY, OFF_ERR); + + if (r < 0) + goto ret_gbe_mv; + + r = rw_file_exact(dest_fd, f->bufcmp, + f->gbe_file_size, 0, IO_PWRITE, + NO_LOOP_EAGAIN, LOOP_EINTR, + MAX_ZERO_RW_RETRY, OFF_ERR); + + if (r < 0) + goto ret_gbe_mv; + + if (x_i_fsync(dest_fd) == -1) + goto ret_gbe_mv; + + if (x_i_close(dest_fd) == -1) + goto ret_gbe_mv; + + if (rename(dest_tmp, f->fname) == -1) + goto ret_gbe_mv; + + if (fsync_dir(f->fname) < 0) { + f->io_err_gbe_bin = 1; + goto ret_gbe_mv; + } + + free(dest_tmp); + dest_tmp = NULL; + +ret_gbe_mv: + + if (f->gbe_fd > -1) { + if (x_i_close(f->gbe_fd) < 0) + r = -1; + if (fsync_dir(f->fname) < 0) { + f->io_err_gbe_bin = 1; + r = -1; + } + f->gbe_fd = -1; + } + + if (f->tmp_fd > -1) { + if (x_i_close(f->tmp_fd) < 0) + r = -1; + + f->tmp_fd = -1; + } + + /* + * before this function is called, + * tmp_fd may have been moved + */ + if (tmp_gbe_bin_exists) { + if (unlink(f->tname) < 0) + r = -1; + else + tmp_gbe_bin_exists = 0; + } + + if (r < 0) { + /* + * if nothing set errno, + * we assume EIO, or we + * use what was set + */ + if (errno == saved_errno) + errno = EIO; + } else { + errno = saved_errno; + } + + return r; +} + +/* + * Ensure rename() is durable by syncing the + * directory containing the target file. + */ +int +fsync_dir(const char *path) +{ +#if defined(PATH_LEN) && \ + (PATH_LEN) >= 256 + unsigned long maxlen = PATH_LEN; +#else + unsigned long maxlen = 1024; +#endif + unsigned long pathlen; +/* char dirbuf[maxlen]; */ + char *dirbuf = NULL; + char *slash; + int dfd = -1; + + struct stat st; + + int saved_errno = errno; + + pathlen = xstrxlen(path, maxlen); + + if (pathlen >= maxlen) { + fprintf(stderr, "Path too long for fsync_parent_dir\n"); + goto err_fsync_dir; + } + + if (pathlen == 0) + { + errno = EINVAL; + goto err_fsync_dir; + } + + dirbuf = malloc(pathlen + 1); + if (dirbuf == NULL) + goto err_fsync_dir; + + x_v_memcpy(dirbuf, path, pathlen + 1); + slash = x_c_strrchr(dirbuf, '/'); + + if (slash != NULL) { + *slash = '\0'; + if (*dirbuf == '\0') { + dirbuf[0] = '/'; + dirbuf[1] = '\0'; + } + } else { + dirbuf[0] = '.'; + dirbuf[1] = '\0'; + } + + dfd = open(dirbuf, O_RDONLY +#ifdef O_DIRECTORY + | O_DIRECTORY +#endif +#ifdef O_NOFOLLOW + | O_NOFOLLOW +#endif + ); + if (dfd == -1) + goto err_fsync_dir; + + if (fstat(dfd, &st) < 0) + goto err_fsync_dir; + + if (!S_ISDIR(st.st_mode)) { + fprintf(stderr, "%s: not a directory\n", dirbuf); + goto err_fsync_dir; + } + + /* sync file on disk */ + if (x_i_fsync(dfd) == -1) + goto err_fsync_dir; + + if (x_i_close(dfd) == -1) + goto err_fsync_dir; + + if (dirbuf != NULL) + free(dirbuf); + + errno = saved_errno; + return 0; + +err_fsync_dir: + if (!errno) + errno = EIO; + + if (errno != saved_errno) + fprintf(stderr, "%s: %s\n", path, strerror(errno)); + + if (dirbuf != NULL) + free(dirbuf); + + if (dfd > -1) + x_i_close(dfd); + + errno = saved_errno; + + return -1; +} + +/* + * This one is similar to gbe_file_offset, + * but used to check Gbe bounds in memory, + * and it is *also* used during file I/O. + */ +unsigned char * +gbe_mem_offset(unsigned long p, const char *f_op) +{ + struct xfile *f = &nv->f; + + off_t gbe_off = gbe_x_offset(p, f_op, "mem", + GBE_PART_SIZE, GBE_WORK_SIZE); + + return (unsigned char *)(f->buf + (unsigned long)gbe_off); +} + +/* + * I/O operations filtered here. These operations must + * only write from the 0th position or the half position + * within the GbE file, and write 4KB of data. + * + * This check is called, to ensure just that. + */ +off_t +gbe_file_offset(unsigned long p, const char *f_op) +{ + struct xfile *f = &nv->f; + + off_t gbe_file_half_size = f->gbe_file_size >> 1; + + return gbe_x_offset(p, f_op, "file", + gbe_file_half_size, f->gbe_file_size); +} + +off_t +gbe_x_offset(unsigned long p, const char *f_op, const char *d_type, + off_t nsize, off_t ncmp) +{ + struct xfile *f = &nv->f; + + off_t off; + + check_bin(p, "part number"); + + off = ((off_t)p) * (off_t)nsize; + + if (off > ncmp - GBE_PART_SIZE) + err(ECANCELED, "%s: GbE %s %s out of bounds", + f->fname, d_type, f_op); + + if (off != 0 && off != ncmp >> 1) + err(ECANCELED, "%s: GbE %s %s at bad offset", + f->fname, d_type, f_op); + + return off; +} + +long +rw_gbe_file_exact(int fd, unsigned char *mem, unsigned long nrw, + off_t off, int rw_type) +{ + struct xfile *f = &nv->f; + + long r; + + if (io_args(fd, mem, nrw, off, rw_type) == -1) + return -1; + + if (mem != (void *)f->pad) { + if (mem < f->buf) + goto err_rw_gbe_file_exact; + + if ((unsigned long)(mem - f->buf) >= GBE_WORK_SIZE) + goto err_rw_gbe_file_exact; + } + + if (off < 0 || off >= f->gbe_file_size) + goto err_rw_gbe_file_exact; + + if (nrw > (unsigned long)(f->gbe_file_size - off)) + goto err_rw_gbe_file_exact; + + if (nrw > (unsigned long)GBE_PART_SIZE) + goto err_rw_gbe_file_exact; + + r = rw_file_exact(fd, mem, nrw, off, rw_type, + NO_LOOP_EAGAIN, LOOP_EINTR, MAX_ZERO_RW_RETRY, + OFF_ERR); + + return rw_over_nrw(r, nrw); + +err_rw_gbe_file_exact: + errno = EIO; + return -1; +} + +/* + * Safe I/O functions wrapping around + * read(), write() and providing a portable + * analog of both pread() and pwrite(). + * These functions are designed for maximum + * robustness, checking NULL inputs, overflowed + * outputs, and all kinds of errors that the + * standard libc functions don't. + * + * Looping on EINTR and EAGAIN is supported. + * EINTR/EAGAIN looping is done indefinitely. + */ + +/* + * rw_file_exact() - Read perfectly or die + * + * Read/write, and absolutely insist on an + * absolute read; e.g. if 100 bytes are + * requested, this MUST return 100. + * + * This function will never return zero. + * It will only return below (error), + * or above (success). On error, -1 is + * returned and errno is set accordingly. + * + * Zero-byte returns are not allowed. + * It will re-spin a finite number of + * times upon zero-return, to recover, + * otherwise it will return an error. + */ +long +rw_file_exact(int fd, unsigned char *mem, unsigned long nrw, + off_t off, int rw_type, int loop_eagain, + int loop_eintr, unsigned long max_retries, + int off_reset) +{ + long rv = 0; + long rc = 0; + unsigned long retries_on_zero = 0; + off_t off_cur; + unsigned long nrw_cur; + void *mem_cur; + + if (io_args(fd, mem, nrw, off, rw_type) == -1) + return -1; + + while (1) { + + /* Prevent theoretical overflow */ + if (rv >= 0 && (unsigned long)rv > (nrw - rc)) + goto err_rw_file_exact; + + rc += rv; + if ((unsigned long)rc >= nrw) + break; + + mem_cur = (void *)(mem + (unsigned long)rc); + nrw_cur = (unsigned long)(nrw - (unsigned long)rc); + if (off < 0) + goto err_rw_file_exact; + off_cur = off + (off_t)rc; + + rv = prw(fd, mem_cur, nrw_cur, off_cur, + rw_type, loop_eagain, loop_eintr, + off_reset); + + if (rv < 0) + return -1; + + if (rv == 0) { + if (retries_on_zero++ < max_retries) + continue; + goto err_rw_file_exact; + } + + retries_on_zero = 0; + } + + if ((unsigned long)rc != nrw) + goto err_rw_file_exact; + + return rw_over_nrw(rc, nrw); + +err_rw_file_exact: + errno = EIO; + return -1; +} + +/* + * prw() - portable read-write + * + * This implements a portable analog of pwrite() + * and pread() - note that this version is not + * thread-safe (race conditions are possible on + * shared file descriptors). + * + * This limitation is acceptable, since nvmutil is + * single-threaded. Portability is the main goal. + * + * If you need real pwrite/pread, just compile + * with flag: HAVE_REAL_PREAD_PWRITE=1 + * + * A fallback is provided for regular read/write. + * rw_type can be IO_READ, IO_WRITE, IO_PREAD + * or IO_PWRITE + * + * loop_eagain does a retry loop on EAGAIN if set + * loop_eintr does a retry loop on EINTR if set + * + * Unlike the bare syscalls, prw() does security + * checks e.g. checks NULL strings, checks bounds, + * also mitigates a few theoretical libc bugs. + * It is designed for extremely safe single-threaded + * I/O on applications that need it. + * + * NOTE: If you use loop_eagain (1), you enable wait + * loop on EAGAIN. Beware if using this on a non-blocking + * pipe (it could spin indefinitely). + * + * off_reset: if zero, and using fallback pwrite/pread + * analogs, we check if a file offset changed, + * which would indicate another thread changed + * it, and return error, without resetting the + * file - this would allow that thread to keep + * running, but we could then cause a whole + * program exit if we wanted to. + * if not zero: + * we reset and continue, and pray for the worst. + */ + +long +prw(int fd, void *mem, unsigned long nrw, + off_t off, int rw_type, + int loop_eagain, int loop_eintr, + int off_reset) +{ + long r; + int positional_rw; + struct stat st; +#if !defined(HAVE_REAL_PREAD_PWRITE) || \ + HAVE_REAL_PREAD_PWRITE < 1 + int saved_errno; + off_t verified; + off_t off_orig; + off_t off_last; +#endif + + if (io_args(fd, mem, nrw, off, rw_type) == -1) + return -1; + + r = -1; + + /* Programs like cat can use this, + so we only check if it's a normal + file if not looping EAGAIN */ + if (!loop_eagain) { + /* + * Checking on every run of prw() + * is expensive if called many + * times, but is defensive in + * case the status changes. + */ + if (check_file(fd, &st) == -1) + return -1; + } + + if (rw_type >= IO_PREAD) + positional_rw = 1; /* pread/pwrite */ + else + positional_rw = 0; /* read/write */ + +try_rw_again: + + if (!positional_rw) { +#if defined(HAVE_REAL_PREAD_PWRITE) && \ + HAVE_REAL_PREAD_PWRITE > 0 +real_pread_pwrite: +#endif + if (rw_type == IO_WRITE) + r = write(fd, mem, nrw); + else if (rw_type == IO_READ) + r = read(fd, mem, nrw); +#if defined(HAVE_REAL_PREAD_PWRITE) && \ + HAVE_REAL_PREAD_PWRITE > 0 + else if (rw_type == IO_PWRITE) + r = pwrite(fd, mem, nrw, off); + else if (rw_type == IO_PREAD) + r = pread(fd, mem, nrw, off); +#endif + + if (r == -1 && (errno == try_err(loop_eintr, EINTR) + || errno == try_err(loop_eagain, EAGAIN))) + goto try_rw_again; + + return rw_over_nrw(r, nrw); + } + +#if defined(HAVE_REAL_PREAD_PWRITE) && \ + HAVE_REAL_PREAD_PWRITE > 0 + goto real_pread_pwrite; +#else + if ((off_orig = lseek_loop(fd, (off_t)0, SEEK_CUR, + loop_eagain, loop_eintr)) == (off_t)-1) { + r = -1; + } else if (lseek_loop(fd, off, SEEK_SET, + loop_eagain, loop_eintr) == (off_t)-1) { + r = -1; + } else { + verified = lseek_loop(fd, (off_t)0, SEEK_CUR, + loop_eagain, loop_eintr); + + /* + * Partial thread-safety: detect + * if the offset changed to what + * we previously got. If it did, + * then another thread may have + * changed it. Enabled if + * off_reset is OFF_RESET. + * + * We do this *once*, on the theory + * that nothing is touching it now. + */ + if (off_reset && off != verified) + lseek_loop(fd, off, SEEK_SET, + loop_eagain, loop_eintr); + + do { + /* + * Verify again before I/O + * (even with OFF_ERR) + * + * This implements the first check + * even with OFF_ERR, but without + * the recovery. On ERR_RESET, if + * the check fails again, then we + * know something else is touching + * the file, so it's best that we + * probably leave it alone and err. + * + * In other words, ERR_RESET only + * tolerates one change. Any more + * will cause an exit, including + * per EINTR/EAGAIN re-spin. + */ + verified = lseek_loop(fd, (off_t)0, SEEK_CUR, + loop_eagain, loop_eintr); + + if (off != verified) + goto err_prw; + + if (rw_type == IO_PREAD) + r = read(fd, mem, nrw); + else if (rw_type == IO_PWRITE) + r = write(fd, mem, nrw); + + if (rw_over_nrw(r, nrw) == -1) { + errno = EIO; + break; + } + + } while (r == -1 && + (errno == try_err(loop_eintr, EINTR) + || errno == try_err(loop_eagain, EAGAIN))); + } + + saved_errno = errno; + + off_last = lseek_loop(fd, off_orig, SEEK_SET, + loop_eagain, loop_eintr); + + if (off_last != off_orig) { + errno = saved_errno; + goto err_prw; + } + + errno = saved_errno; + + return rw_over_nrw(r, nrw); +#endif + +err_prw: + errno = EIO; + return -1; +} + +int +io_args(int fd, void *mem, unsigned long nrw, + off_t off, int rw_type) +{ + /* obviously */ + if (mem == NULL) + goto err_io_args; + + /* uninitialised fd */ + if (fd < 0) + goto err_io_args; + + /* negative offset */ + if (off < 0) + goto err_io_args; + + /* prevent zero-byte rw */ + if (!nrw) + goto err_io_args; + + /* prevent overflow */ + if (nrw > (unsigned long)X_LONG_MAX) + goto err_io_args; + + /* prevent overflow */ + if (((unsigned long)off + nrw) < (unsigned long)off) + goto err_io_args; + + if (rw_type > IO_PWRITE) + goto err_io_args; + + return 0; + +err_io_args: + errno = EIO; + return -1; +} + +int +check_file(int fd, struct stat *st) +{ + if (fstat(fd, st) == -1) + goto err_is_file; + + if (!S_ISREG(st->st_mode)) + goto err_is_file; + + return 0; + +err_is_file: + errno = EIO; + return -1; +} + +/* + * Check overflows caused by buggy libc. + * + * POSIX can say whatever it wants. + * specification != implementation + */ +long +rw_over_nrw(long r, unsigned long nrw) +{ + /* + * If a byte length of zero + * was requested, that is + * clearly a bug. No way. + */ + if (!nrw) + goto err_rw_over_nrw; + + if (r == -1) + return r; + + if ((unsigned long)r > X_LONG_MAX) { + /* + * Theoretical buggy libc + * check. Extremely academic. + * + * Specifications never + * allow this return value + * to exceed SSIZE_T, but + * spec != implementation + * + * Check this after using + * [p]read() or [p]write() + */ + goto err_rw_over_nrw; + } + + /* + * Theoretical buggy libc: + * Should never return a number of + * bytes above the requested length. + */ + if ((unsigned long)r > nrw) + goto err_rw_over_nrw; + + return r; + +err_rw_over_nrw: + + errno = EIO; + return -1; +} + +#if !defined(HAVE_REAL_PREAD_PWRITE) || \ + HAVE_REAL_PREAD_PWRITE < 1 +/* + * lseek_loop() does lseek() but optionally + * on an EINTR/EAGAIN wait loop. Used by prw() + * for setting offsets for positional I/O. + */ +off_t +lseek_loop(int fd, off_t off, int whence, + int loop_eagain, int loop_eintr) +{ + off_t old = -1; + + do { + old = lseek(fd, off, whence); + } while (old == (off_t)-1 && ( + errno == try_err(loop_eintr, EINTR) || + errno == try_err(loop_eagain, EAGAIN))); + + return old; +} +#endif + +/* + * If a given error loop is enabled, + * e.g. EINTR or EAGAIN, an I/O operation + * will loop until errno isn't -1 and one + * of these, e.g. -1 and EINTR + */ +int +try_err(int loop_err, int errval) +{ + if (loop_err) + return errval; + + /* errno is never negative, + so functions checking it + can use it accordingly */ + return -1; +} + +void +usage(void) +{ + const char *util = getnvmprogname(); + + fprintf(stderr, + "Modify Intel GbE NVM images e.g. set MAC\n" + "USAGE:\n" + "\t%s FILE dump\n" + "\t%s FILE setmac [MAC]\n" + "\t%s FILE swap\n" + "\t%s FILE copy 0|1\n" + "\t%s FILE cat\n" + "\t%s FILE cat16\n" + "\t%s FILE cat128\n", + util, util, util, util, + util, util, util); + + err(EINVAL, "Too few arguments"); +} + +void +err(int nvm_errval, const char *msg, ...) +{ + struct xfile *f = &nv->f; + + va_list args; + + if (errno == 0) + errno = nvm_errval; + if (!errno) + errno = ECANCELED; + + (void)exit_cleanup(); + + fprintf(stderr, "%s: ", getnvmprogname()); + + va_start(args, msg); + vfprintf(stderr, msg, args); + va_end(args); + + fprintf(stderr, ": %s", strerror(errno)); + + fprintf(stderr, "\n"); + + if (f->tname != NULL) + free(f->tname); + + exit(EXIT_FAILURE); +} + +int +exit_cleanup(void) +{ + struct xfile *f = &nv->f; + + int close_err = 0; + int saved_errno = errno; + + if (f->gbe_fd > -1) { + if (x_i_close(f->gbe_fd) == -1) + close_err = 1; + f->gbe_fd = -1; + } + + if (f->tmp_fd > -1) { + if (x_i_close(f->tmp_fd) == -1) + close_err = 1; + } + + if (f->tname != NULL) { + if (unlink(f->tname) == -1) + close_err = 1; + } + + f->tmp_fd = -1; + + if (saved_errno) + errno = saved_errno; + + if (close_err) + return -1; + + return 0; +} + +const char * +getnvmprogname(void) +{ + const char *p; + + if (nv->argv0 == NULL || *nv->argv0 == '\0') + return ""; + + p = x_c_strrchr(nv->argv0, '/'); + + if (p) + return p + 1; + else + return nv->argv0; +} + +/* + * create new tmpfile path + * + * ON SUCCESS: + * + * returns ptr to path string on success + * ALSO: the int at *fd will be set, + * indicating the file descriptor + * + * ON ERROR: + * + * return NULL (*fd not touched) + * + * malloc() may set errno, but you should + * not rely on errno from this function + * + * local: if non-zero, then only a file + * name will be given, relative to + * the current file name. for this, + * the 3rd argument (path) must be non-null + * + * if local is zero, then 3rd arg (path) + * is irrelevant and can be NULL + */ +char * +new_tmpfile(int *fd, int local, const char *path) +{ + struct xfile *f = &nv->f; + + unsigned long maxlen; + struct stat st; + + /* + * please do not modify the + * strings or I will get mad + */ + char tmp_none[] = ""; + char tmp_default[] = "/tmp"; + char default_tmpname[] = "tmpXXXXXX"; + char *tmpname; + + char *base = NULL; + char *dest = NULL; + + unsigned long tmpdir_len = 0; + unsigned long tmpname_len = 0; + unsigned long tmppath_len = 0; + + int fd_tmp = -1; + int flags; + + /* + * 256 is the most + * conservative path + * size limit (posix), + * but 4096 is modern + * + * set PATH_LEN as you + * wish, at build time + */ + +#if defined(PATH_LEN) && \ + (PATH_LEN) >= 256 + maxlen = PATH_LEN; +#else + maxlen = 1024; +#endif + + tmpname = default_tmpname; + if (local) { + if (path == NULL) + goto err_new_tmpfile; + if (*path == '\0') + goto err_new_tmpfile; + + if (stat(path, &st) == -1) + goto err_new_tmpfile; + + if (!S_ISREG(st.st_mode)) + goto err_new_tmpfile; + + tmpname = (char *)path; + } + + if (local) { + base = tmp_none; + + /* + * appended to filename for tmp: + */ + tmpdir_len = sizeof(default_tmpname); + } else { + base = x_c_tmpdir(); + + if (base == NULL) + base = tmp_default; + if (*base == '\0') + base = tmp_default; + + tmpdir_len = xstrxlen(base, maxlen); + } + + tmpname_len = xstrxlen(tmpname, maxlen); + + tmppath_len = tmpdir_len + tmpname_len; + ++tmppath_len; /* for '/' or '.' */ + + /* + * max length -1 of maxlen + * for termination + */ + if (tmpdir_len > maxlen - tmpname_len - 1) + goto err_new_tmpfile; + + /* +1 for NULL */ + dest = malloc(tmppath_len + 1); + if (dest == NULL) + goto err_new_tmpfile; + + if (local) { + + *dest = '.'; /* hidden file */ + + x_v_memcpy(dest + (unsigned long)1, tmpname, tmpname_len); + + x_v_memcpy(dest + (unsigned long)1 + tmpname_len, + default_tmpname, tmpdir_len); + } else { + + x_v_memcpy(dest, base, tmpdir_len); + + dest[tmpdir_len] = '/'; + + x_v_memcpy(dest + tmpdir_len + 1, tmpname, tmpname_len); + } + + dest[tmppath_len] = '\0'; + + fd_tmp = x_i_mkstemp(dest); + if (fd_tmp == -1) + goto err_new_tmpfile; + + if (x_i_fchmod(fd_tmp, 0600) == -1) + goto err_new_tmpfile; + + if (lock_file(fd_tmp) == -1) + goto err_new_tmpfile; + + if (fstat(fd_tmp, &st) == -1) + goto err_new_tmpfile; + + /* + * Extremely defensive + * likely pointless checks + */ + + /* check if it's a file */ + if (!S_ISREG(st.st_mode)) + goto err_new_tmpfile; + + /* check if it's seekable */ + if (lseek(fd_tmp, 0, SEEK_CUR) == (off_t)-1) + goto err_new_tmpfile; + + /* inode will be checked later on write */ + f->tmp_dev = st.st_dev; + f->tmp_ino = st.st_ino; + + /* tmpfile has >1 hardlinks */ + if (st.st_nlink > 1) + goto err_new_tmpfile; + + /* tmpfile unlinked while opened */ + if (st.st_nlink == 0) + goto err_new_tmpfile; + + flags = fcntl(fd_tmp, F_GETFL); + + if (flags == -1) + goto err_new_tmpfile; + + /* + * O_APPEND would permit offsets + * to be ignored, which breaks + * positional read/write + */ + if (flags & O_APPEND) + goto err_new_tmpfile; + + *fd = fd_tmp; + + return dest; + +err_new_tmpfile: + + if (dest != NULL) + free(dest); + + if (fd_tmp > -1) + x_i_close(fd_tmp); + + return NULL; +} + +/* + * portable mkstemp + */ +int +x_i_mkstemp(char *template) +{ + int fd; + int i, j; + unsigned long len; + char *p; + + char ch[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; + unsigned long r; + + len = xstrxlen(template, PATH_LEN); + + /* find trailing XXXXXX */ + if (len < 6) + return -1; + + p = template + len - 6; + + for (i = 0; i < 100; i++) { + + for (j = 0; j < 6; j++) { + r = rlong(); + p[j] = ch[r % (sizeof(ch) - 1)]; + } + + fd = open(template, O_RDWR | O_CREAT | O_EXCL, 0600); + + if (fd >= 0) + return fd; + + if (errno != EEXIST) + return -1; + } + + errno = EEXIST; + return -1; +} + +char * +x_c_strrchr(const char *s, int c) +{ + const char *p = NULL; + + while (*s) { + if (*s == (char)c) + p = s; + s++; + } + + if (c == '\0') + return (char *)s; + + return (char *)p; +} + +/* +int +x_i_rename(const char *src, const char *dst) +{ + int sfd, dfd; + ssize_t r; + char buf[8192]; + + sfd = open(src, O_RDONLY); + if (sfd < 0) + return -1; + + dfd = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (dfd < 0) { + x_i_close(sfd); + return -1; + } + + while ((r = read(sfd, buf, sizeof(buf))) > 0) { + ssize_t w = write(dfd, buf, r); + if (w != r) { + x_i_close(sfd); + x_i_close(dfd); + return -1; + } + } + + if (r < 0) { + x_i_close(sfd); + x_i_close(dfd); + return -1; + } + + x_i_fsync(dfd); + + x_i_close(sfd); + x_i_close(dfd); + + if (unlink(src) < 0) + return -1; + + return 0; +} +*/ + +char * +x_c_tmpdir(void) +{ + char *t; + struct stat st; + + t = getenv("TMPDIR"); + if (t && *t) { + if (stat(t, &st) == 0 && S_ISDIR(st.st_mode)) + return t; + } + + if (stat("/tmp", &st) == 0 && S_ISDIR(st.st_mode)) + return "/tmp"; + + if (stat("/var/tmp", &st) == 0 && S_ISDIR(st.st_mode)) + return "/var/tmp"; + + return "."; +} + +int +x_i_close(int fd) +{ + int r; + + do { + r = close(fd); + } while (r == -1 && errno == EINTR); + + return r; +} + +void * +x_v_memcpy(void *dst, const void *src, unsigned long n) +{ + unsigned char *d = (unsigned char *)dst; + const unsigned char *s = (const unsigned char *)src; + + while (n--) + *d++ = *s++; + + return dst; +} + +int +x_i_memcmp(const void *a, const void *b, unsigned long n) +{ + const unsigned char *pa = (const unsigned char *)a; + const unsigned char *pb = (const unsigned char *)b; + + while (n--) { + if (*pa != *pb) + return *pa - *pb; + pa++; + pb++; + } + + return 0; +} + +/* + * emulate fchmod() using file descriptor + * paths, for old unix portability. should + * work on e.g. BSD/MacOS (/dev/fd/N), + * Linux (/proc/self/fd/N) and others + */ +int +x_i_fchmod(int fd, mode_t mode) +{ + if (x_try_fdpath("/dev/fd/", fd, mode) == 0) + return 0; + + if (x_try_fdpath("/proc/self/fd/", fd, mode) == 0) + return 0; + + errno = ENOSYS; + return -1; +} + +int +x_try_fdpath(const char *prefix, int fd, mode_t mode) +{ + char path[PATH_LEN]; + + unsigned long i = 0; + unsigned long j; + + struct stat st; + + while (prefix[i]) { + if (i >= PATH_LEN - 1) + return -1; + path[i] = prefix[i]; + i++; + } + + j = x_conv_fd(path + i, (unsigned long)fd); + + if (i + j >= PATH_LEN) + return -1; + + i += j; + path[i] = '\0'; + + if (stat(path, &st) < 0) + return -1; + + return chmod(path, mode); +} + +unsigned long +x_conv_fd(char *buf, unsigned long n) +{ + char tmp[256]; + + unsigned long i = 0; + unsigned long j = 0; + + if (n == 0) { + buf[0] = '0'; + return 1; + } + + while (n > 0) { + tmp[i++] = (char)('0' + (n % 10)); + n /= 10; + } + + while (i > 0) + buf[j++] = tmp[--i]; + + return j; +} + +int +x_i_fsync(int fd) +{ + int r; + + do { + r = fsync(fd); + } while (r == -1 && errno == EINTR); + + return r; +} + +/* type asserts */ +typedef char static_assert_char_is_8_bits[(CHAR_BIT == 8) ? 1 : -1]; +typedef char static_assert_char_is_1[(sizeof(char) == 1) ? 1 : -1]; +typedef char static_assert_unsigned_char_is_1[ + (sizeof(unsigned char) == 1) ? 1 : -1]; +typedef char static_assert_unsigned_short_is_2[ + (sizeof(unsigned short) >= 2) ? 1 : -1]; +typedef char static_assert_short_is_2[(sizeof(short) >= 2) ? 1 : -1]; +typedef char static_assert_unsigned_int_is_4[ + (sizeof(unsigned int) >= 4) ? 1 : -1]; +typedef char static_assert_unsigned_long_is_4[ + (sizeof(unsigned long) >= 4) ? 1 : -1]; +typedef char static_assert_int_ge_32[(sizeof(int) >= 4) ? 1 : -1]; +typedef char static_assert_twos_complement[ + ((-1 & 3) == 3) ? 1 : -1 +]; +typedef char assert_unsigned_long_ptr[ + (sizeof(unsigned long) >= sizeof(void *)) ? 1 : -1 +]; + +/* + * We set _FILE_OFFSET_BITS 64, but we only handle + * but we only need smaller files, so require 4-bytes. + * Some operating systems ignore the define, hence assert: + */ +typedef char static_assert_off_t_is_32[(sizeof(off_t) >= 4) ? 1 : -1]; + +/* + * asserts (variables/defines sanity check) + */ +typedef char assert_argc3[(ARGC_3==3)?1:-1]; +typedef char assert_argc4[(ARGC_4==4)?1:-1]; +typedef char assert_read[(IO_READ==0)?1:-1]; +typedef char assert_write[(IO_WRITE==1)?1:-1]; +typedef char assert_pread[(IO_PREAD==2)?1:-1]; +typedef char assert_pwrite[(IO_PWRITE==3)?1:-1]; +typedef char assert_pathlen[(PATH_LEN>=256)?1:-1]; +/* commands */ +typedef char assert_cmd_dump[(CMD_DUMP==0)?1:-1]; +typedef char assert_cmd_setmac[(CMD_SETMAC==1)?1:-1]; +typedef char assert_cmd_swap[(CMD_SWAP==2)?1:-1]; +typedef char assert_cmd_copy[(CMD_COPY==3)?1:-1]; +typedef char assert_cmd_cat[(CMD_CAT==4)?1:-1]; +typedef char assert_cmd_cat16[(CMD_CAT16==5)?1:-1]; +typedef char assert_cmd_cat128[(CMD_CAT128==6)?1:-1]; +/* bool */ +typedef char bool_arg_nopart[(ARG_NOPART==0)?1:-1]; +typedef char bool_arg_part[(ARG_PART==1)?1:-1]; +typedef char bool_skip_checksum_read[(SKIP_CHECKSUM_READ==0)?1:-1]; +typedef char bool_checksum_read[(CHECKSUM_READ==1)?1:-1]; +typedef char bool_skip_checksum_write[(SKIP_CHECKSUM_WRITE==0)?1:-1]; +typedef char bool_checksum_write[(CHECKSUM_WRITE==1)?1:-1]; +typedef char bool_loop_eintr[(LOOP_EINTR==1||LOOP_EINTR==0)?1:-1]; +typedef char bool_loop_eagain[(LOOP_EAGAIN==1||LOOP_EAGAIN==0)?1:-1]; +typedef char bool_no_loop_eintr[(NO_LOOP_EINTR==0)?1:-1]; +typedef char bool_no_loop_eagain[(NO_LOOP_EAGAIN==0)?1:-1]; +typedef char bool_off_err[(OFF_ERR==0)?1:-1]; +typedef char bool_off_reset[(OFF_RESET==0||OFF_RESET==1)?1:-1]; + diff --git a/util/nvmutil/nvmutil.h b/util/nvmutil/nvmutil.h new file mode 100644 index 00000000..20e66dd9 --- /dev/null +++ b/util/nvmutil/nvmutil.h @@ -0,0 +1,465 @@ +/* + * SPDX-License-Identifier: MIT + * + * Copyright (c) 2022-2026 Leah Rowe <leah@libreboot.org> + */ + +#ifndef NVMUTIL_H +#define NVMUTIL_H + +#define MAX_CMD_LEN 50 + +#ifndef PATH_LEN +#define PATH_LEN 1024 +#endif + +#define OFF_ERR 0 +#ifndef OFF_RESET +#define OFF_RESET 1 +#endif + +#ifndef MAX_ZERO_RW_RETRY +#define MAX_ZERO_RW_RETRY 5 +#endif + +#ifndef HAVE_REAL_PREAD_PWRITE +#define HAVE_REAL_PREAD_PWRITE 0 +#endif + +#ifndef LOOP_EAGAIN +#define LOOP_EAGAIN 1 +#endif +#ifndef LOOP_EINTR +#define LOOP_EINTR 1 +#endif + +#ifndef _FILE_OFFSET_BITS +#define _FILE_OFFSET_BITS 64 +#endif + +/* + * Older versions of BSD to the early 2000s + * could compile nvmutil, but pledge was + * added in the 2010s. Therefore, for extra + * portability, we will only pledge/unveil + * on OpenBSD versions that have it. + */ + +#if defined(__OpenBSD__) && defined(OpenBSD) +#if OpenBSD >= 604 +#ifndef NVMUTIL_UNVEIL +#define NVMUTIL_UNVEIL 1 +#endif +#endif +#if OpenBSD >= 509 +#ifndef NVMUTIL_PLEDGE +#define NVMUTIL_PLEDGE 1 +#endif +#endif +#endif + +#ifndef EXIT_FAILURE +#define EXIT_FAILURE 1 +#endif + +#ifndef EXIT_SUCCESS +#define EXIT_SUCCESS 0 +#endif + +#ifndef O_BINARY +#define O_BINARY 0 +#endif + +#ifndef O_EXCL +#define O_EXCL 0 +#endif + +#ifndef O_CREAT +#define O_CREAT 0 +#endif + +#ifndef O_NONBLOCK +#define O_NONBLOCK 0 +#endif + +#ifndef O_CLOEXEC +#define O_CLOEXEC 0 +#endif + +#ifndef O_NOFOLLOW +#define O_NOFOLLOW 0 +#endif + +#ifndef FD_CLOEXEC +#define FD_CLOEXEC 0 +#endif + +/* + * Sizes in bytes: + */ + +#define SIZE_1KB 1024 +#define SIZE_4KB (4 * SIZE_1KB) +#define SIZE_8KB (8 * SIZE_1KB) +#define SIZE_16KB (16 * SIZE_1KB) +#define SIZE_128KB (128 * SIZE_1KB) + +#define GBE_BUF_SIZE (SIZE_128KB) + +/* + * First 128 bytes of a GbE part contains + * the regular NVM (Non-Volatile-Memory) + * area. All of these bytes must add up, + * truncated to 0xBABA. + * + * The full GbE region is 4KB, but only + * the first 128 bytes are used here. + * + * There is a second 4KB part with the same + * rules, and it *should* be identical. + */ + +#define GBE_WORK_SIZE (SIZE_8KB) +#define GBE_PART_SIZE (GBE_WORK_SIZE >> 1) +#define NVM_CHECKSUM 0xBABA +#define NVM_SIZE 128 +#define NVM_WORDS (NVM_SIZE >> 1) +#define NVM_CHECKSUM_WORD (NVM_WORDS - 1) + +/* + * Portable macro based on BSD nitems. + * Used to count the number of commands (see below). + */ + +#define items(x) (sizeof((x)) / sizeof((x)[0])) + +/* + * GbE files can be 8KB, 16KB or 128KB, + * but we only need the two 4KB parts + * from offset zero and offset 64KB in + * a 128KB file, or zero and 8KB in a 16KB + * file, or zero and 4KB in an 8KB file. + * + * The code will handle this properly. + */ + +#ifndef X_LONG_MAX +#define X_LONG_MAX ((long)(~((long)1 << (sizeof(long)*CHAR_BIT-1)))) +#endif + +/* + * Use these for .argc in command[]: + */ + +#define ARGC_3 3 +#define ARGC_4 4 + +#define NO_LOOP_EAGAIN 0 +#define NO_LOOP_EINTR 0 + +/* + * Used for checking whether. + * a file is a file via stat(). + * + * Portable macro for compatibility + * with older unix e.g. v7 unix (has S_IFREG), + * 4.2bsd (has S_IFMT) or POSIX (has S_ISREG) + * + * Fallback works where S_IFREG == 0100000 + * (classic unix bitmask) + */ + +#ifndef S_ISREG +#if defined(S_IFMT) && defined(S_IFREG) +#define S_ISREG(m) (((m) & S_IFMT) == S_IFREG) +#elif defined(S_IFREG) +#define S_ISREG(m) (((m) & S_IFREG) != 0) +#else +#error "can't determine types with stat()" +#endif +#endif + +#define IO_READ 0 +#define IO_WRITE 1 +#define IO_PREAD 2 +#define IO_PWRITE 3 + +/* + * Used as indices for command[] + * MUST be in the same order as entries in command[] + */ + +#define CMD_DUMP 0 +#define CMD_SETMAC 1 +#define CMD_SWAP 2 +#define CMD_COPY 3 +#define CMD_CAT 4 +#define CMD_CAT16 5 +#define CMD_CAT128 6 + +#define ARG_NOPART 0 +#define ARG_PART 1 + +#define SKIP_CHECKSUM_READ 0 +#define CHECKSUM_READ 1 + +#define SKIP_CHECKSUM_WRITE 0 +#define CHECKSUM_WRITE 1 + +/* + * portable timeval + */ +struct x_st_timeval { + long tv_sec; + long tv_usec; +}; + +struct commands { + unsigned long chk; + char *str; + void (*run)(void); + int argc; + unsigned char arg_part; + unsigned char chksum_read; + unsigned char chksum_write; + unsigned long rw_size; /* within the 4KB GbE part */ + int flags; /* e.g. O_RDWR or O_RDONLY */ +}; + +struct macaddr { + char *str; /* set to rmac, or argv string */ + char rmac[18]; /* xx:xx:xx:xx:xx:xx */ + unsigned short mac_buf[3]; +}; + +struct xfile { + int gbe_fd; + int tmp_fd; + + char *tname; /* path of tmp file */ + char *fname; /* path of gbe file */ + + unsigned char *buf; /* work memory for files */ + + int io_err_gbe; /* intermediary write (verification) */ + int io_err_gbe_bin; /* final write (real file) */ + int rw_check_err_read[2]; + int rw_check_partial_read[2]; + int rw_check_bad_part[2]; + + int post_rw_checksum[2]; + + dev_t gbe_dev; + ino_t gbe_ino; + + dev_t tmp_dev; + ino_t tmp_ino; + + off_t gbe_file_size; + off_t gbe_tmp_size; + + unsigned long part; + unsigned char part_modified[2]; + unsigned char part_valid[2]; + + unsigned char real_buf[GBE_BUF_SIZE]; + unsigned char bufcmp[GBE_BUF_SIZE]; /* compare gbe/tmp/reads */ + + unsigned char pad[GBE_WORK_SIZE]; /* the file that wouldn't die */ +}; + +/* + * BE CAREFUL when editing this + * to ensure that you also update + * the tables in new_xstate() + */ +struct xstate { + struct commands cmd[7]; + struct macaddr mac; + struct xfile f; + + char *argv0; + + unsigned long i; /* index to cmd[] for current command */ + int no_cmd; + + /* store size of a struct here. + (can be used to copy old state) */ + unsigned long xsize; +}; + + + + +static struct xstate *new_xstate(void); + +/* + * Sanitize command tables. + */ +void sanitize_command_list(void); +void sanitize_command_index(unsigned long c); + +/* + * Argument handling (user input) + */ +void set_cmd(int argc, char *argv[]); +void set_cmd_args(int argc, char *argv[]); +unsigned long conv_argv_part_num(const char *part_str); +int xstrxcmp(const char *a, const char *b, unsigned long maxlen); + +/* + * Prep files for reading + */ +void open_gbe_file(void); +int lock_file(int fd); +void xopen(int *fd, const char *path, int flags, struct stat *st); + +/* + * Read GbE file and verify + * checksums. + * + * After this, we can run commands. + */ +void copy_gbe(void); +void read_file(void); +void read_checksums(void); +int good_checksum(unsigned long partnum); + +/* + * Execute user command on GbE data. + * These are stubs that call helpers. + */ +void run_cmd(void); +void check_command_num(unsigned long c); +unsigned char valid_command(unsigned long c); + +/* + * Helper functions for command: setmac + */ +void cmd_helper_setmac(void); +void parse_mac_string(void); +unsigned long xstrxlen(const char *scmp, unsigned long maxlen); +void set_mac_byte(unsigned long mac_byte_pos); +void set_mac_nib(unsigned long mac_str_pos, + unsigned long mac_byte_pos, unsigned long mac_nib_pos); +unsigned short hextonum(char ch_s); +unsigned long rlong(void); +unsigned long entropy_jitter(void); +int x_i_gettimeofday(struct x_st_timeval *tv, void *tz); +void write_mac_part(unsigned long partnum); + +/* + * Helper functions for command: dump + */ +void cmd_helper_dump(void); +void print_mac_from_nvm(unsigned long partnum); +void hexdump(unsigned long partnum); + +/* + * Helper functions for command: swap + */ +void cmd_helper_swap(void); + +/* + * Helper functions for command: copy + */ +void cmd_helper_copy(void); + +/* + * Helper functions for commands: + * cat, cat16 and cat128 + */ +void cmd_helper_cat(void); +void cat_buf(unsigned char *b); + +/* + * After command processing, write + * the modified GbE file back. + * + * These are stub functions: check + * below for the actual functions. + */ +void write_gbe_file(void); +void set_checksum(unsigned long part); +unsigned short calculated_checksum(unsigned long p); + +/* + * Helper functions for accessing + * the NVM area during operation. + */ +unsigned short nvm_word(unsigned long pos16, unsigned long part); +void set_nvm_word(unsigned long pos16, + unsigned long part, unsigned short val16); +void set_part_modified(unsigned long p); +void check_nvm_bound(unsigned long pos16, unsigned long part); +void check_bin(unsigned long a, const char *a_name); + +/* + * Helper functions for stub functions + * that handle GbE file reads/writes. + */ +void rw_gbe_file_part(unsigned long p, int rw_type, + const char *rw_type_str); +void write_to_gbe_bin(void); +int gbe_mv(void); +void check_written_part(unsigned long p); +void report_io_err_rw(void); +int fsync_dir(const char *path); +unsigned char *gbe_mem_offset(unsigned long part, const char *f_op); +off_t gbe_file_offset(unsigned long part, const char *f_op); +off_t gbe_x_offset(unsigned long part, const char *f_op, + const char *d_type, off_t nsize, off_t ncmp); +long rw_gbe_file_exact(int fd, unsigned char *mem, unsigned long nrw, + off_t off, int rw_type); +long rw_file_exact(int fd, unsigned char *mem, unsigned long len, + off_t off, int rw_type, int loop_eagain, int loop_eintr, + unsigned long max_retries, int off_reset); +long prw(int fd, void *mem, unsigned long nrw, + off_t off, int rw_type, int loop_eagain, int loop_eintr, + int off_reset); +int io_args(int fd, void *mem, unsigned long nrw, + off_t off, int rw_type); +int check_file(int fd, struct stat *st); +long rw_over_nrw(long r, unsigned long nrw); +#if !defined(HAVE_REAL_PREAD_PWRITE) || \ + HAVE_REAL_PREAD_PWRITE < 1 +off_t lseek_loop(int fd, off_t off, + int whence, int loop_eagain, int loop_eintr); +#endif +int try_err(int loop_err, int errval); + +/* + * Error handling and cleanup + */ +void usage(void); +void err(int nvm_errval, const char *msg, ...); +int exit_cleanup(void); +const char *getnvmprogname(void); + +/* + * a special kind of hell + */ +char *new_tmpfile(int *fd, int local, const char *path); +int x_i_mkstemp(char *template); +char *x_c_strrchr(const char *s, int c); +/* x_i_rename not suitable + * for atomic writes. kept + * commentted for use in a + * library in the future */ +/* +int x_i_rename(const char *src, const char *dst); +*/ +char *x_c_tmpdir(void); +int x_i_close(int fd); +void *x_v_memcpy(void *dst, + const void *src, unsigned long n); +int x_i_memcmp(const void *a, + const void *b, unsigned long n); +int x_i_fchmod(int fd, mode_t mode); +int x_try_fdpath(const char *prefix, + int fd, mode_t mode); +unsigned long x_conv_fd(char *buf, + unsigned long n); +int x_i_fsync(int fd); + +#endif diff --git a/util/nvmutil/todo.c b/util/nvmutil/todo.c new file mode 100644 index 00000000..3b80dd83 --- /dev/null +++ b/util/nvmutil/todo.c @@ -0,0 +1,134 @@ +/* SPDX-License-Identifier: MIT + * + * Copyright (c) 2026 Leah Rowe <leah@libreboot.org> + * + * Five Year Plan + */ + +/* + * Major TODO: split this into multiple files. + * This program has become quite large now, mostly + * due to all the extra sanity checks / portability. + * Make most of nvmutil a *library* for re-use + * + * TODO: gettimeofday not posible - use portable functions. + * TODO: ux fallback: modify the program instead + * to run on 16-bit systems: smaller buffers, and do + * operations byte-based instead of word-based. + * + * TODO: _XOPEN_SOURCE 500 probably not needed anymore. + * the portable fallbacks alone are likely enough. + * e.g. i don't need stdint, and i don't use pwrite/pread + * anymore. + * + * TODO: version detection of various BSDs to detect + * arc4random, use that if available. but also work on + * older versions of those BSDs (also MacOS) that lack it. + * + * TODO: portability/testing on non-Unix systems: + * old DOS. all windows versions (probably irrelevant + * because you can use cygwin/wsl, whatever), classic MacOS, + * also test really old unix e.g. sunos and irix. Be/Haiku too! + * + * TODO: reliance on global variables for status. make + * functions use structs passed as args instead, make + * functions re-useable (including libraries), etc. + * + * TODO: bound checks for files per-command, e.g. only + * first 6 bytes for CMD_SETMAC + * + * TODO: in command sanitizer: verify that each given + * entry corresponds to the correct function, in the + * pointer (this check is currently missing) + * + * TODO: general modularisierung of the entire codebase. + * TODO: better explain copy/swap read inversion trick + * by improving existing comments + * TODO: lots of overwritten comments in code. tidy it up. + * + * TODO: use getopt for nvmutil args, so that multiple + * operations can be performed, and also on many + * files at once (noting limitations with cat) + * BONUS: implement own getopt(), for portability + * + * TODO: document fuzzing / analysis methods + * for the code, and: + * TODO: implement rigorous unit tests (separate util) + * NOTE: this would *include* known good test files + * in various configurations, also invalid files. + * the tests would likely be portable posix shell + * scripts rather than a new C program, but a modularisiert + * codebase would allow me to write a separate C + * program to test some finer intricacies + * TODO: the unit tests would basically test regressions + * TODO: after writing back a gbe to file, x_i_close() and + * open() it again, read it again, and check that + * the contents were written correctly, providing + * a warning if they were. do this in the main + * program. + * TODO: the unit tests would include an aggressive set + * of fuzz tests, under controlled conditions + * + * TODO: also document the layout of Intel GbE files, so + * that wily individuals can easily expand the + * featureset of nvmutil. + * TODO: write a manpage + * TODO: simplify the command sanitization, implement more + * of it as build time checks, e.g. asserts. + * generally remove cleverness from the code, instead + * prefyerring readibility + * TODO: also document nvmutil's coding style, which is + * its own style at this point! + * TODO: when all the above (and possibly more) is done, + * submit this tool to coreboot with a further change + * to their build system that lets users modify + * GbE images, especially set MAC addresses, when + * including GbE files in coreboot configs. + */ +/* + BONUS TODO: + CI/CD. woodpecker is good enough, sourcehut also has one. + tie this in with other things mentioned here, + e.g. fuzzer / unit tests +*/ + +/* Major TODO: reproducible builds +Test with and without these: + +CFLAGS += -fno-record-gcc-switches +CFLAGS += -ffile-prefix-map=$(PWD)=. +CFLAGS += -fdebug-prefix-map=$(PWD)=. + +I already avoid unique timestamps per-build, +by not using them, e.g. not reporting build +time in the program. + +When splitting the nvmutil.c file later, do e.g.: + +SRC = main.c io.c nvm.c cmd.c +OBJ = $(SRC:.c=.o) + +^ explicitly declare the order in which to build +*/ + +/* +TODO: +further note when fuzzing is implemented: +use deterministic randomisation, with a +guaranteed seed - so e.g. don't use /dev/urandom +in test builds. e.g. just use normal rand() +but with a seed e.g. 1234 +*/ +/* +TODO: stricter build flags, e.g. +CFLAGS += -fstack-protector-strong +CFLAGS += -fno-common +CFLAGS += -D_FORTIFY_SOURCE=2 +CFLAGS += -fPIE + +also consider: +-fstack-clash-protection +-Wl,-z,relro +-Wl,-z,now +*/ + |