| Age | Commit message | Author |
|
and with this, I'm probably done for a while.
I've obsessively audited this code for a week.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
explicitly declare the directory path for the given
file (nvmutil), otherwise it's implementation-defined;
on some systems, /bin/nvmutil means a directory named
nvmutil could then contain nvmutil.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
makefile is correct, but lots of people don't read it.
putting it in code helps people avoid confusion.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
I also needed: #define _POSIX_C_SOURCE 200809L
I use -pedantic with -Wall -Wextra -Werror, which
forces very strict error handling and ISO C; this
means pread and pwrite aren't available.
The define fixes this.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
only allow the long form: setmac [MAC]
specifying gbe.bin just shows the help/usage now.
this is a safety feature, so that someone doesn't
accidentally write the gbe file. we want it to be
that the user specifically requested setmac.
setmac with mac address as the 3rd argument is
also disabled. this is done as part of a general
simplification and safety improvement to nvmutil.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
this is an extremely dangerous feature, and serves
no purpose to the user.
this change is part of a series of extreme safety
improvements, part of a larger nvmutil audit.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
This feature is extremely dangerous, and we should
discourage its use.
This is part of a series of changes that I've made
to make the code safer. You should only ever run
this on a valid GbE file, and nothing else.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
linear, top-down order. re-order the prototypes
also some general cleanup:
argc enums now validated. ifdefs for pledge
and arc4random now use a consistent naming
scheme.
feature change:
the "dump" command now fails if both checksums
are invalid, and won't show anything.
my next commit will disable setchecksum when
both checksums are invalid. this and the other
insane auditing I've done over the last few
days has been part of a major effort to make
nvmutil extremely safe, and robust.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
setchecksum and setmac update the checksum.
other commands don't.
this patch unifies the logic, handling it
in write_gbe based on command[].chksum_write.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
only pledge/unveil where available, on versions
that have it. this patch disables it on older
versions, allowing nvmutil to compile.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
its return value is never used, in the current code.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
I previously had this as a speed optimisation, but
removed it because it wouldn't make any real speed
difference on most modern file systems / kernels.
however, this also has the dual purpose of ensuring
only what was verified gets written, on operations
that only touch the NVM area, since this relies on
checksum verification.
therefore, I have re-added this feature, but under
the new design of nvmutil. it is done policy-based,
instead of having if/else for specific commands.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
up to a maximum number of retries
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
their functions now only return. not needed anymore.
these commands are still available, but they no longer
need helper functions.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
we centralise this now. better not to over-engineer
our over-engineering.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
errno must never be negative
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
the existing verification is retained on a few commands.
this is an additional security mechanism. redundancy is
best.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
3-arg arguments were broken by recent generalisations.
this should fix it.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
no more command-specific logic here. this should be the
same in the rest of the code now.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
now they only set checksums.
and generalised checksumming is next!
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
get it out of main(), it's bloat there
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
gbe_write already checks this, but we should
also check inside the caller.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
nice bit of defense here.
we absolutely need this code to be bulletproof.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|