path: root/util/libreboot-utils/Makefile
Age | Commit message | Author
10 hours | lbutils: portable options in Makefile | Leah Rowe
add options for building with urandom+openat and arc4+openat. useful for emulating a bsd / old linux environment in modern linux distros, for portability testing.
these options are not recommended for everyday use. just use make without any special options, and the code has build-time OS detection for features like randomisation/openat2.
Signed-off-by: Leah Rowe <leah@libreboot.org>
10 hours | lbutils: support using arc4random on linux | Leah Rowe
-DUSE_ARC4=1 use that
Signed-off-by: Leah Rowe <leah@libreboot.org>
10 hours | lbutils: don't set USE_OPENAT and USE_URANDOM | Leah Rowe
these can be set explicitly in the compiler flags, e.g.
make CC="cc -DUSE_OPENAT=1 -DUSE_URANDOM=1"
these options, if set to 1, will cause you to use the code as if it were running on non-linux systems such as openbsd. of course, some differences will still exist, but this is useful for portability testing when compiling on linux.
Signed-off-by: Leah Rowe <leah@libreboot.org>
13 hours | libreboot-utils: fix clang hell mode | Leah Rowe
Signed-off-by: Leah Rowe <leah@libreboot.org>
13 hours | libreboot-utils: always use strict cc flags | Leah Rowe
otherwise, i will end up with a mess like the one i recently fixed. we always want to use correct C. the current spec is set to c99, with -pedantic turned on.
flags now:
-Os -Wall -Wextra -std=c99 -pedantic -Werror
if you do: make hell, you get (uses clang):
-Os -Wall -Wextra -std=c99 -pedantic -Werror -Weverything
i initially loosened up the Makefile rules, so that the code would be more "portable", but every compiler worth caring about has these flags, and turning them on is advisable, especially pedantic and -std, because you want to have some guarantee that the compiler is generating correct code; if the standard is left ambiguous, you could be introducing subtle bugs when people compile it, because who knows what spec the compiler is using?
Signed-off-by: Leah Rowe <leah@libreboot.org>
3 days | Revert "lbmk: use mkhtemp in libreboot's build system" | Leah Rowe
This reverts commit e54862fcccca0325da8ae2879c1fa965267d3df0.
nope. not ready yet. will fix it later.
3 days | lbmk: use mkhtemp in libreboot's build system | Leah Rowe
i added a fake -t option, which doesn't actually read optarg, so that -t usage can just override the normal template.
mkhtemp isn't ready for distros yet, but it's ready for lbmk. i hacked the makefile to also copy the binary to mktemp, and i set PATH in lbmk so that this binary is used instead of the one on your system. that way, upstream projects use it.
Signed-off-by: Leah Rowe <leah@libreboot.org>
4 days | lbutils makefile: use c99 in strict mode | Leah Rowe
not c90
i use stdint now on a few files. i had this idea in my head to use C89 for some reason, but this is pointless. c99 however is worthy as a minimum, because for example, compilers like tcc will adhere to its spec (for the most part), so this is the minimum reasonable requirement on modern unix systems.
Signed-off-by: Leah Rowe <leah@libreboot.org>
7 days | fix makefile | Leah Rowe
Signed-off-by: Leah Rowe <leah@libreboot.org>
7 days | util/libreboot-utils: randomisation test | Leah Rowe
to test the effectiveness of the rand function
Signed-off-by: Leah Rowe <leah@libreboot.org>
7 days | util/mkhtemp: extremely hardened mkhtemp | Leah Rowe
This will also be used in lbmk itself at some point, which currently just uses regular mktemp, for tmpdir handling during the build process.
Renamed util/nvmutil to util/libreboot-utils, which now contains two tools. The new tool, mkhtemp, is a hardened implementation of mktemp, which nvmutil also uses now. Still experimental, but good enough for nvmutil.
Mkhtemp attempts to provide TOCTOU resistance on Linux, by using modern features in Linux such as Openat2 (syscall) with O_EXCL and O_TMPFILE, and many various security checks e.g. inode/dev during creation. Checks are done constantly, to try to detect race conditions. The code is very strict about things like sticky bits in world writeable directories, also ownership (it can be made to bar even root access on files and directories it doesn't own).
It's a security-first implementation of mktemp, likely even more secure than the OpenBSD mkstemp, but more auditing and testing is needed - more features are also planned, including a compatibility mode to make it also work like traditional mktemp/mkstemp. The intention, once this becomes stable, is that it will become a modern drop-in replacement for mkstemp on Linux and BSD systems.
Some legacy code has been removed, and in general cleaned up. I wrote mkhtemp for nvmutil, as part of its atomic write behaviour, but mktemp was the last remaining liability, so I rewrote that too!
Docs/manpage/website will be made for mkhtemp once the code is mature.
Other changes have also been made. This is from another experimental branch of Libreboot, that I'm pushing early. For example, nvmutil's state machine has been tidied up, moving more logic back into main.
Mktemp is historically prone to race conditions, e.g. symlink attacks, directory replacement, remounting during operation, all sorts of things. Mkhtemp has been written to solve, or otherwise mitigate, that problem.
Mkhtemp is currently experimental and will require a major cleanup at some point, but it already works well enough, and you can in fact use it; at this time, the -d, -p and -q flags are supported, and you can add a custom template at the end, e.g.
mkhtemp -p test -d
Eventually, I will make this have complete parity with the GNU and BSD implementations, so that it is fully useable on existing setups, while optionally providing the hardening as well.
A lot of code has also been tidied up. I didn't track the changes I made with this one, because it was a major re-write of nvmutil; it is now libreboot-utils, and I will continue to write more programs in here over time.
It's basically now a bunch of hardened wrappers around various libc functions, e.g. there is also a secure I/O wrapper for read/write.
There is a custom randomisation function, rlong, which simply uses arc4random or getrandom, on BSD and Linux respectively. Efforts are made to make it as reliable as possible, to the extent that it never returns with failure; in the unlikely event that it fails, it aborts. It also sleeps between failure, to mitigate certain DoS attacks.
You can just go in util/libreboot-utils and type make, then you will have the nvmutil and mkhtemp binaries, which you can just use. It all works. Everything was massively rewritten.
Signed-off-by: Leah Rowe <leah@libreboot.org>
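The kinds of checks the mkhtemp commit message above describes (exclusive creation, refusing symlinks, the sticky-bit rule for world-writable directories, inode/dev comparison), sketched as an added example that is not mkhtemp's code. It uses portable openat rather than openat2/O_TMPFILE; `hardened_tmp`, the `tmp.` name prefix and reading /dev/urandom in place of getrandom/arc4random are assumptions.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700 /* openat, fstatat, O_NOFOLLOW, S_ISVTX */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical helper (not mkhtemp's code): create a private temp file in
 * `dir`, write its name to `name`, return an open fd, or -1 if a check fails. */
int hardened_tmp(const char *dir, char *name, size_t len)
{
	struct stat ds, fs, ns;
	unsigned long r = 0;
	int dfd, rfd, ok, fd = -1;

	/* Pin the directory once; later steps are relative to this fd, so
	 * replacing the path afterwards cannot redirect the creation. */
	dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
	if (dfd < 0)
		return -1;
	/* A world-writable directory must have the sticky bit set. */
	if (fstat(dfd, &ds) < 0 ||
	    ((ds.st_mode & S_IWOTH) && !(ds.st_mode & S_ISVTX)))
		goto out;
	/* Unpredictable name; /dev/urandom stands in for getrandom/arc4random. */
	rfd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
	ok = rfd >= 0 && read(rfd, &r, sizeof(r)) == (ssize_t)sizeof(r);
	if (rfd >= 0)
		close(rfd);
	if (!ok || snprintf(name, len, "tmp.%016lx", r) >= (int)len)
		goto out;
	/* O_EXCL refuses an existing name, O_NOFOLLOW a planted symlink. */
	fd = openat(dfd, name, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
	if (fd < 0)
		goto out;
	/* The name must still refer to the inode we hold: same dev/ino,
	 * regular file, exactly one link, owned by the caller. */
	if (fstat(fd, &fs) < 0 || fstatat(dfd, name, &ns, AT_SYMLINK_NOFOLLOW) < 0 ||
	    fs.st_dev != ns.st_dev || fs.st_ino != ns.st_ino ||
	    !S_ISREG(fs.st_mode) || fs.st_nlink != 1 || fs.st_uid != geteuid()) {
		unlinkat(dfd, name, 0);
		close(fd);
		fd = -1;
	}
out:
	close(dfd);
	return fd;
}
```

The returned descriptor, not the name, is what the caller should keep using; reopening the file by path would reintroduce the race the checks are meant to catch.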