| Age | Commit message | Author |
|
we assume the fallback will be rare, so now we
make the mix static and keep xoring it, on the
theory that the number of failures on urandom
will be random, and that the fallback may only
apply once or twice in thousands of calls.
the time jitter is adjusted; rather than judge
the difference between two points close to each
other in time, we judge the randomness in
difference of time elapsed. this mitigates fast
CPUs being very fast and introducing rounding
errors, and also improves performance on much
slower CPUs
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i was being cute earlier, but the rewrite
defeats the purpose of atomic file handling
in nvmutil, by not actually renaming! it was
more like, doing an actual copy, which meant
that corruption is likely during power loss
i've commented the code because i may
use it in a library in the future.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
this improves reliability, making it more
likely that data actually gets synced,
since fsync can return -1 with EINTR,
indicating that a re-try should be
attempted.
Signed-off-by: Leah Rowe <leah@libreboot.org>
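The two commits above (atomic replacement via a real rename, and retrying fsync on EINTR) describe a pattern worth seeing end to end. The following is an added example, not nvmutil's own code: it writes a temp file beside the target (same file system, so rename() is atomic), fsyncs it with an EINTR retry loop, then renames it over the target so a power loss never leaves a half-copied file. The path names and buffer sizes are assumptions for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* fsync() can fail with EINTR; retry until it succeeds or fails for real. */
static int fsync_retry(int fd)
{
	while (fsync(fd) == -1) { if (errno != EINTR) return -1; }
	return 0;
}
/* Write the whole buffer, resuming after short writes and EINTR. */
static int write_all(int fd, const unsigned char *buf, size_t len)
{
	size_t done = 0;
	while (done < len) {
		ssize_t n = write(fd, buf + done, len - done);
		if (n == -1 && errno == EINTR) continue;
		if (n == -1) return -1;
		done += (size_t)n;
	}
	return 0;
}
/* Replace `path` atomically: temp file in the same directory (so rename()
 * stays on one file system), fsync, rename over target; old data survives failure. */
int atomic_write(const char *path, const unsigned char *buf, size_t len)
{
	char tmp[4096]; /* assumed limit; a real tool would size this per PATH_MAX */
	int fd;
	if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp) return -1;
	fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600); /* never clobber */
	if (fd == -1) return -1;
	if (write_all(fd, buf, len) == -1 || fsync_retry(fd) == -1) {
		close(fd); unlink(tmp); return -1;
	}
	if (close(fd) == -1 || rename(tmp, path) == -1) { unlink(tmp); return -1; }
	return 0;
}
/* Read `path` back and compare with buf (up to 256 bytes); 1 on match, else 0. */
int file_matches(const char *path, const unsigned char *buf, size_t len)
{
	unsigned char got[256];
	ssize_t n;
	int fd = len > sizeof got ? -1 : open(path, O_RDONLY);
	if (fd == -1) return 0;
	n = read(fd, got, sizeof got);
	close(fd);
	return n == (ssize_t)len && memcmp(got, buf, len) == 0;
}
```

Note that close() is not retried on EINTR here: on Linux the descriptor is already released when close() reports EINTR, so a retry would be wrong, which is the edge case the later "close may set errno to EINTR" commit addresses.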
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
unreliable
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
better to just use standard names
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
arandom probably isn't available on super old obsd right??????
rather, unveil isn't. on systems that have arandom
yet we should not unveil something that may not
exist on modern systems
just don't unveil arandom, and don't check arandom
if unveil is enabled
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
some systems may not even have it
works with /dev/fd (bsd/mac etc)
works with linux (/proc/self/fd)
and falls back on super old systems
that have neither
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
not compiling without it is a bug
don't let the default exclude it
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
setting it to -Werror is wrong, should set
it not -Werror.
however, put the WERROR variable in the make
command. that way, i could test with
make WERROR=-Werror
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
and with that, now the code compiles on gcc
with -std=c90 -pedantic
with -Werror and -Wall -Wextra
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
This reverts commit bdb43afac6edef21a15f99b8c3beac01be8b86f7.
|
|
have A-Z too, for more randomness
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i no longer use -Werror
these can actually conflict on some weird
systems, so better just remove them
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
close may set errno to EINTR, which could
cause weird edge case behaviour in our
prw() function
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
use stat instead of access (race conditions)
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
try a few more times until success
explicitly return EEXIST when needed
we try multiple times and check more
thoroughly if a file exists, thus
reducing the risk of race conditions
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
more portable
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
not portable. some old systems don't have it,
or handle it very poorly
unsigned long is a reasonable way to refer
to indexes inside pointers
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
some old systems don't have ssize_t or size_t
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
older unix needed lower
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
very old libc doesn't have it
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
if the global file is created on a different file
system than the gbe file, unveil would trigger an
abort trap, since we rely on creating a second
temporary file, whose path we can't know ahead
of time.
i could get rid of unveil, or unveil a directory,
but neither is acceptable. just use localtmp on
openbsd. a temporary file is created next to
the gbe file, in the same directory.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
now the custom fallback code is very unlikely
to ever actually be used, on any system,
except really old systems.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i need these. can always turn them off
when running make if you need to
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
-Werror removed, for older compilers
actual warnings still there
-std is configurable now
e.g.
make CSTD=-c90
make CSTD=-c99
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i have urandom again. it's enough
the fallback rand implementation
is used if needed
now i don't have to worry about any
weird version of unix from 1992 and
deal with weird hacks. in fact, with
this change, my code will probably
compile on irix now
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i had to loosen the pledges for the new i/o
framework, which needs more permissions
as a result, i can now open urandom in
this function statically, rather than
in nvmutil's control logic
and because of that, it's less buggy now
arc4random is disabled on linux by default,
because it's not universally available
on all libc, and only since about 2022
in some glibc versions
better for portability to let linux users
just use urandom
the new logic is different. now it falls
back to rand per-byte, but in practice
it almost never will.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
linux only had it since 2022.
lots of people will complain if i leave this enabled.
not all libc have it either
Signed-off-by: Leah Rowe <leah@libreboot.org>
|