Age | Commit message | Author |
|
We were allocating 128KB even if we only needed 8KB, for
example. It's not a lot of memory, but the principle of
the matter is that we must respect the user by not wasting
their memory.
The design of nvmutil is that it will never overflow, because
operations are mapped in memory to the exact size of the gbe
file, which can be 8KB, 16KB or 128KB, and this is enforced.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
The buf variable is only used once, and only so
that we can get a pointer. We can point to buf16
instead, for the same result.
The gbe pointer (size_t) is later converted to
a char * when writing back to the file.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
For example, if the brick command is used without specifying
a part number. Instead of saying "Invalid argument", show a
much more useful error message to help the user adapt.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
call pledge *much* earlier, and lock everything down
much sooner. the point of pledge/unveil is precisely that
your program must operate under the most restrictive set
of conditions possible, and still function.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
just some line breaks
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
tell the user exactly what they got wrong, instead
of simply printing "bad mac address", which is not
very helpful to the user
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
spread out a few lines, so that they are more
readable, and more thoroughly comment some parts.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
See:
https://edc.intel.com/content/www/us/en/design/ipla/software-development-platforms/client/platforms/alder-lake-mobile-p/intel-600-series-chipset-family-on-package-platform-controller-hub-pch-datash/spi0-for-flash/
The rules described there are universal, and replicated elsewhere
for many other platforms. The rules are simply:
* Flash descriptor is one block size, e.g. 4KB
* GbE is two block sizes, so if IfD is 4KB, GbE is 8KB
Intel defines 16KB and 128KB GbE files in specs, pertaining to
8KB and 64KB block sizes respectively.
The minimum size is 4KB blocksize, for 8KB GbE files which
we already supported. On larger block sizes, the same 4KB
parts are observed: a single 4KB IfD area at the start of
the block, and:
4KB GbE part at the start of the GbE region, and:
4KB GbE part at the start of GbE region plus block size
The empty space in between is padding, and we ignore it,
except when running swap/copy commands.
The nvmutil code has been modified, to create a 128KB buffer in
memory instead of 8KB, for loading GbE files.
Partsize is set to GbE file size divided by 2, and only the
area of memory we need to use is mapped; for example, if
we're loading an 8KB GbE file into memory, we only touch
the first 8KB part of the buffer, or first 16KB for 128KB
files.
In practice, we almost never see GbE files with sizes higher
than 8KB, but *we have seen it*, *AND NOW IT'S SUPPORTED!*
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
We were checking directories *after* calling unveil, which
means that the sandboxing was incomplete; we only want files
to be accessed, not directories.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
A lot of size-coding was performed in prior audits, to
make the sloccount lower on nvmutil, but this resulted in
code that wasn't very human readable.
I've reversed some of it and added comments, for clarity.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
This makes the code easier to understand.
All 2-byte words, stored in little endian order within
the 128-byte GbE NVM area, must add up to 0xBABA.
If it doesn't, then software is supposed to reject that
GbE config. The nvmutil software works on that basis.
Signed-off-by: Leah Rowe <leah@libreboot.org>
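Added example, not taken from nvmutil.c: the 0xBABA rule from the commit message above, applied to both parts of a GbE file laid out as the earlier GbE file size commit describes (part 1 at file size divided by 2, only 8KB, 16KB or 128KB accepted). The function names, the sample MAC bytes and the use of the last word (index 0x3F) as the checksum word are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
#define NVM_WORDS    64      /* 128-byte NVM area = 64 two-byte words */
#define NVM_CHECKSUM 0xBABA  /* required sum of those words, mod 2^16 */

/* Sum the 64 little-endian words at the start of one GbE part. */
static uint16_t nvm_sum(const uint8_t *p)
{
	uint16_t sum = 0;
	for (size_t i = 0; i < NVM_WORDS; i++)
		sum = (uint16_t)(sum + (p[2 * i] | (p[2 * i + 1] << 8)));
	return sum;
}

/* -1: size rejected; else bit 0 = part 0 valid, bit 1 = part 1 valid. */
static int gbe_valid_parts(const uint8_t *gbe, size_t size)
{
	if (size != 8192 && size != 16384 && size != 131072)
		return -1;              /* only 8KB, 16KB and 128KB files */
	return (nvm_sum(gbe) == NVM_CHECKSUM ? 1 : 0) |
	       (nvm_sum(gbe + size / 2) == NVM_CHECKSUM ? 2 : 0);
}

/* Constructed sample part: made-up MAC, word 0x3F (assumed) fixes the sum. */
static void make_part(uint8_t *p)
{
	static const uint8_t mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
	memset(p, 0, 128);
	memcpy(p, mac, sizeof mac);
	uint16_t fix = (uint16_t)(NVM_CHECKSUM - nvm_sum(p));
	p[126] = (uint8_t)(fix & 0xFF);  /* low byte first: little endian */
	p[127] = (uint8_t)(fix >> 8);
}

/* Build a constructed file of `size` bytes; optionally corrupt part 1. */
static int demo(size_t size, int corrupt_part1)
{
	static uint8_t buf[131072];
	if (size > sizeof buf) return -1;
	memset(buf, 0xFF, sizeof buf);   /* padding between parts is ignored */
	make_part(buf);
	make_part(buf + size / 2);
	buf[size / 2] ^= (uint8_t)(corrupt_part1 ? 1 : 0);
	return gbe_valid_parts(buf, size);
}

int main(void)
{
	return demo(8192, 0) == 3 ? 0 : 1;  /* exit 0 when both parts validate */
}
```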
|
|
make it look like hexdump -C, where individual bytes are
spaced, and there is an additional space after 8 bytes,
per row.
i won't bother with a character display, since that is
meaningless on gbe nvm words.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Must not exceed 79 lines. Some variables and functions have
been renamed, and there has been some minor re-factoring.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
I don't like using SPDX for actual copyright declarations.
I only want it to be used for the license identifier.
Also:
I made a *single* change to nvmutil.c in 2024, which means
that I have copyright in all years since and including 2022;
the file said 2022, 2023, 2025, but it's actually 2022-2025.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
I don't like using strings this way, it looks unclean.
Once again, use good old fashioned if/else.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
I wasn't too happy using shorthand for strings like that.
Tidy it up and use good old fashioned if/else.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Riku Viitanen <riku.viitanen@protonmail.com>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
under the current logic, errno would be ECANCELED
if neither checksum is valid, or I/O related if
pwrite fails; alternatively, the for loop exits
and the file has been written, where it is quite
correctly reset already.
ergo, the errno reset at the start of
writeGbeFile is superfluous. remove this bloat.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
previously, a bad checksum would have caused a non-zero
exit, even if the other checksum was correct (observed
when using the swap command)
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
also, some of them were out of date; years now updated.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
it's only used once, so just do it once.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
253 sloccount on nvmutil.c now, versus 258
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
don't swap pointers at all. handle it in the for loop.
258 sloccount now, versus 261.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
handle it exclusively in writeGbeFile()
this reduces nvmutil.c sloccount to 261, versus 265
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
at this stage in the code, the file name will be NULL
value, so it would be improper to use it in a string.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
the previous code size optimisations removed mention
of the file name, on file-related err() calls.
almost every error the user runs across will be file
related, so put the path on err() called from err_if()
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
use SIZE_4KB << 1 when needing 8KB size
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
use err_if instead
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
it is only used once. use err_if instead.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
there is no need to have these as defines, when err_if
exists; get rid of xunveil and xpledge. use the bare
pledge and unveil functions directly, with err_if().
268 sloccount now on nvmutil.c, versus 289 sloccount
before this change, with no loss of functionality.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
it doesn't really make sense to have nvmutil.h
since this is only a very small program and not
intended for use as a library
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
The mentality behind pledge and unveil is that you should
think ahead, so that large parts of code can run under
extremely tight restrictions.
The pledge calls have been adjusted accordingly, also.
Disallow all unveil calls after the gbe file and the
file /dev/urandom have been unveiled.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
also remove wpath if using the dump command
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
in practice, no other condition would be met and the
program still worked. this is a pre-emptive fix.
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Also hardened the pledges.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
This replaces a check in the function for O_RDONLY, and
fixes the bug where the "dump" command triggers such error.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|