| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i already also guard other toctuo attacks :)
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
if someone deletes gbe.bin while operating, nvmutil
will now abort
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
too over engineered and cumbersome.
the new security in prw() makes it brittle,
and i'd rather not move checks outside of it.
the fallback rand is random enough.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
slow, per call. prw should be generic.
do it just for gbe files, once
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
build flag
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
the last lseek there is only there to reset
state, so its errors are irrelevant.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
write all at once, then sync all at once,
then verify all at once.
this increases the chancce that all data
gets written first, in the case of power
less, because fsync may take a while on
some systems.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
the post-verification stage deserves a function
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
we already covered this in prw() which is
what ultimately gets called, but still.
it's logically correct not to check it here.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
read it back and check. sync to disk first.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
it should be is equal, not not equal
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
makes more sense in code
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
compliant posix systems should never meet this
check, but i put it here.
spec != implementation
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
do it at the very end
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
the cat function can be greatly simplified
handle it conditionally, because not all
functions should use it
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
move the gbe-specific parts out of it
what remains is a relatively generic
function; a very conservative implementation,
wrapping around libc functions but with
a few additional safety checks.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
don't return. set r instead. this will fall through
and return the same way, but with proper reset.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
this still gets done from rw_once, but
it's generic enough that we want it in
our prw() wrapper function.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
most of it can be done in rw_file_once
truly general checks have been moved to prw(),
so that the function is more general purpose.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
this way, we now have a universal function
that is reusable elsewhere, with the same
redundancy. the rw_once and rw_exact functions
still get this redundancy, through prw
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
we can just fall through to nrw and decide
what function ta call there - either read/write
immediately and return, or fall back to the
portable positional implementation.
this also means we don't have to call io_args
in every function, since everything now runs
through prw()
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
no need to limit it here
rename ux to uint. no number specified.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
it can be higher than 32-bit, it's fine
the current check breaks some newer systems
accordingly, u32 becomes ux, x meaning x bits
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
