Age | Commit message | Author |
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
under the current logic, errno would be ECANCELED
if neither checksum is valid, or I/O related if
pwrite fails; alternatively, the for loop exits
and the file has been written, where it is quite
correctly reset already.
ergo, the errno reset at the start of
writeGbeFile is superfluous. remove this bloat.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
previously, a bad checksum would have caused a non-zero
exit, even if the other checksum was correct (observed
when using the swap command)
Signed-off-by: Leah Rowe <leah@libreboot.org>
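The two commits above turn on whether each 4KB copy of the GbE region carries a valid checksum, and exit with ECANCELED only when neither does. The following is an added example, not nvmutil's own code; it assumes the standard Intel GbE layout, where each 4KB part holds 0x40 little-endian words whose 16-bit sum (checksum word at 0x3F included) must equal 0xBABA. Names such as part_valid, gbe_valid_mask and scenario_mask are this example's, and the 8KB test image is constructed here.

```c
/* Added example (not nvmutil's code): check both 4KB copies of an Intel GbE
 * NVM region independently, so one bad copy does not fail the whole file. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SIZE_4KB     0x1000
#define NVM_WORDS    0x40    /* words covered by the checksum */
#define NVM_CHECKSUM 0xBABA  /* assumed: standard Intel GbE word sum */
#define CSUM_WORD    0x3F    /* assumed: index of the checksum word */

/* Little-endian 16-bit word at word index idx of a 4KB part. */
static uint16_t word(const uint8_t *part, size_t idx)
{
	return (uint16_t)(part[idx * 2] | (part[idx * 2 + 1] << 8));
}

/* 1 if the part's 0x40-word sum comes to 0xBABA, else 0. */
int part_valid(const uint8_t *part)
{
	uint16_t sum = 0;
	for (size_t i = 0; i < NVM_WORDS; i++)
		sum += word(part, i);
	return sum == NVM_CHECKSUM;
}

/* Rewrite the checksum word so that the part becomes valid. */
void part_fix_checksum(uint8_t *part)
{
	uint16_t sum = 0;
	for (size_t i = 0; i < NVM_WORDS; i++)
		if (i != CSUM_WORD)
			sum += word(part, i);
	uint16_t csum = (uint16_t)(NVM_CHECKSUM - sum);
	part[CSUM_WORD * 2] = csum & 0xff;
	part[CSUM_WORD * 2 + 1] = csum >> 8;
}

/* Bitmask of usable parts in an 8KB image: bit 0 = first 4KB, bit 1 = second.
 * 0 means neither copy is valid, the case the commits map to ECANCELED;
 * any non-zero mask is enough to proceed (e.g. for a swap). */
int gbe_valid_mask(const uint8_t *gbe)
{
	int mask = 0;
	if (part_valid(gbe))
		mask |= 1;
	if (part_valid(gbe + SIZE_4KB))
		mask |= 2;
	return mask;
}

/* Constructed 8KB image: deterministic filler, both checksums fixed up, then
 * one byte corrupted in each part that is meant to be invalid. */
void make_gbe(uint8_t *gbe, bool first_ok, bool second_ok)
{
	for (size_t i = 0; i < (SIZE_4KB << 1); i++)
		gbe[i] = (uint8_t)(i * 7);
	part_fix_checksum(gbe);
	part_fix_checksum(gbe + SIZE_4KB);
	if (!first_ok)
		gbe[0] ^= 0xff;           /* odd delta, so the sum can never match */
	if (!second_ok)
		gbe[SIZE_4KB] ^= 0xff;
}

/* Convenience wrapper: build the scenario and return its validity mask. */
int scenario_mask(bool first_ok, bool second_ok)
{
	static uint8_t gbe[SIZE_4KB << 1];
	make_gbe(gbe, first_ok, second_ok);
	return gbe_valid_mask(gbe);
}
```

A caller that treats `gbe_valid_mask() == 0` as the only fatal case, and otherwise copies or swaps from whichever part is marked valid, gets the behaviour the second commit describes: a single bad checksum no longer forces a non-zero exit.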
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
also, some of them were out of date; years now updated.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
it's only used once, so just do it once.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
253 sloccount on nvmutil.c now, versus 258
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
don't swap pointers at all. handle it in the for loop.
258 sloccount now, versus 261.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
handle it exclusively in writeGbeFile()
this reduces nvmutil.c sloccount to 261, versus 265
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
at this stage in the code, the file name will be a NULL
value, so it would be improper to use it in a string.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
the previous code size optimisations removed mention
of the file name, on file-related err() calls.
almost every error the user runs across will be file
related, so put the path on err() called from err_if()
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
use SIZE_4KB << 1 when needing 8KB size
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
use err_if instead
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
it is only used once. use err_if instead.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
there is no need to have these as defines, when err_if
exists; get rid of xunveil and xpledge. use the bare
pledge and unveil functions directly, with err_if().
268 sloccount now on nvmutil.c, versus 289 sloccount
before this change, with no loss of functionality.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
it doesn't really make sense to have nvmutil.h
since this is only a very small program and not
intended for use as a library
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
The mentality behind pledge and unveil is that you should
think ahead, so that large parts of code can run under
extremely tight restrictions.
The pledge calls have been adjusted accordingly, also.
Disallow all unveil calls after the gbe file and the
file /dev/urandom have been unveiled.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
also remove wpath if using the dump command
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
in practice, no other condition would be met and the
program still worked. this is a pre-emptive fix.
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Also hardened the pledges.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
This replaces a check in the function for O_RDONLY, and
fixes the bug where the "dump" command triggers such an error.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
*Open* files at the start, then unveil. The same overall
behaviour is observed. In the case that invalid arguments
are given, simply opening a file does not cause much
performance impact (if any).
Restrict operations as early as possible in code.
Bonus:
writeGbeFile also hardened; if flags is O_RDONLY, it aborts.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
I screwed up in an earlier commit
this change fixes a bug where on rhex(), each
call would re-open /dev/urandom, resetting rfd
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
in practice, the file was never written unless the checksum
was valid, but in the name of sloccount reduction I made it
do the swap/copy before checking. while functionally ok, it
never sat right with me. this is one example of where sloc
count doesn't mean everything. code correctness is critical
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
the style was already quite similar, but extended lines in
BSD are indented by 4 spaces instead of a tab. this style
has grown on me, so I'm adopting it here
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
They don't precisely *pertain* to nvmutil, but they are
useful helper functions for calling pledge/unveil in
OpenBSD. Ideally, the main file should only contain core
logic pertaining to the execution of *nvmutil*.
Put xpledge() and xunveil() in nvmutil.h.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
|
|
There is nothing cooler than a macro.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
eventually, everything will be a macro!
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
|
|
When err() is called, it is intended that nvmutil will
always exit with non-zero status, but with errno as the
return value. Ensure that errno is *not* zero.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Make word() a macro, simplify err_if().
Could also make setWord() a macro if I forego certain
optimisations, but I'll leave it as-is.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
This change also reduces code indentation.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
After /dev/urandom (for MAC address randomisation) and
the GbE file have been handled, unveil them. Unveil is
a system call provided by OpenBSD that, when called,
restricts access only to the files and/or directories
specified, each given specific permissions.
You can learn more about unveil here:
https://man.openbsd.org/unveil.2
An ifdef rule makes nvmutil only use unveil on OpenBSD,
because it's not available anywhere else. This is the same
as with the pledge() system call.
Where invalid arguments are given, and no action performed,
pledge promises are also reduced to just stdio, preventing
any writes to files, or reads from files.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
After reading a file, remove rpath.
When removing rpath, also remove wpath if flags
are not set to O_RDONLY (read-only disk operation).
When wpath is permitted, and a file was successfully
written, remove wpath.
In order to permit /dev/urandom access in rhex(),
I call it as a void just before re-calling pledge.
The rhex() function has been written in such a way
that /dev/urandom only needs to be read *once*.
Signed-off-by: Leah Rowe <leah@libreboot.org>
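The commits above describe one sequence: open the GbE file and /dev/urandom first, unveil both paths and then forbid further unveil calls, and re-pledge after each step so that the remaining code runs with only the promises it still needs, with rhex() reading /dev/urandom only once. The following is an added example, not nvmutil's own code, showing that sequence end to end. It assumes an 8KB file and a two-argument command line (file, then "dump" or "swap"); the err_if macro, promises_after_read and rhex are this example's names, and on systems other than OpenBSD pledge and unveil are replaced by no-op stand-ins (also an assumption of the example) so it compiles and runs there.

```c
/* Added example (not nvmutil's code): progressive pledge/unveil narrowing
 * around a single read-then-write of an 8KB GbE file. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stand-ins for non-OpenBSD builds (example assumption): report success and
 * do nothing, mirroring the ifdef guard the commits describe. On OpenBSD the
 * real pledge(2) and unveil(2) come from <unistd.h>. */
static int pledge(const char *promises, const char *execpromises)
{ (void)promises; (void)execpromises; return 0; }
static int unveil(const char *path, const char *permissions)
{ (void)path; (void)permissions; return 0; }
#endif

/* Exit with errno as the status, and never with zero, when cond holds. */
#define err_if(cond, msg) do { if (cond) { \
	if (errno == 0) errno = ECANCELED; \
	int e_ = errno; perror(msg); exit(e_); } } while (0)

/* Promises to keep once the file has been read: rpath goes away, and wpath
 * goes away too for a read-only operation such as "dump". */
const char *promises_after_read(int flags)
{
	return ((flags & O_ACCMODE) == O_RDONLY) ? "stdio" : "stdio wpath";
}

/* One random nibble. /dev/urandom is opened and read once; later calls are
 * served from the buffer, so no rpath is needed after the first call. */
int rhex(void)
{
	static int rfd = -1;
	static unsigned char buf[16];
	static size_t pos = sizeof(buf);

	if (rfd == -1) {
		rfd = open("/dev/urandom", O_RDONLY);
		err_if(rfd == -1, "/dev/urandom");
	}
	if (pos == sizeof(buf)) {
		err_if(read(rfd, buf, sizeof(buf)) != (ssize_t)sizeof(buf),
		    "/dev/urandom");
		pos = 0;
	}
	return buf[pos++] & 0xf;
}

int main(int argc, char **argv)
{
	unsigned char gbe[8192];
	int flags, fd;

	/* Everything this program will ever do is covered here. */
	err_if(pledge("stdio rpath wpath unveil", NULL) == -1, "pledge");

	if (argc != 3) {
		errno = EINVAL;
		err_if(1, "usage: file dump|swap");
	}
	flags = strcmp(argv[2], "dump") == 0 ? O_RDONLY : O_RDWR;

	/* Open first, prime rhex(), then unveil both paths and lock the view. */
	fd = open(argv[1], flags);
	err_if(fd == -1, argv[1]);
	(void)rhex();
	err_if(unveil(argv[1], flags == O_RDONLY ? "r" : "rw") == -1, argv[1]);
	err_if(unveil("/dev/urandom", "r") == -1, "/dev/urandom");
	err_if(unveil(NULL, NULL) == -1, "unveil");   /* no more unveil calls */
	err_if(pledge("stdio rpath wpath", NULL) == -1, "pledge");

	err_if(read(fd, gbe, sizeof(gbe)) != (ssize_t)sizeof(gbe), argv[1]);
	err_if(pledge(promises_after_read(flags), NULL) == -1, "pledge");

	if (flags != O_RDONLY) {
		gbe[0] = (unsigned char)rhex();  /* placeholder for the real edit */
		err_if(pwrite(fd, gbe, sizeof(gbe), 0) != (ssize_t)sizeof(gbe),
		    argv[1]);
		err_if(pledge("stdio", NULL) == -1, "pledge");
	}
	printf("%s: done (next random nibble %x)\n", argv[2], rhex());
	return 0;
}
```

Build on OpenBSD to exercise the real pledge/unveil calls; elsewhere the stand-ins let the same flow run unrestricted, which is what nvmutil's ifdef guard amounts to on non-OpenBSD systems.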
|
|
Define xpledge which calls pledge and handles errors.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
I assumed wpath was all that's needed, but this simply
allows writes.
rpath must be specified alongside wpath, for reads.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|