Age | Commit message | Author
this fixes the bug where if you specify an invalid command
such as:
./nvm gbe brick 9
part 9 doesn't exist, but fname isn't yet set, here.
same thing applies when running those pledge commands on
openbsd.
Signed-off-by: Leah Rowe <leah@libreboot.org>
only 79 characters or less, per line.
Signed-off-by: Leah Rowe <leah@libreboot.org>
this is separate from other function calls. err_if
is used as though it was an if, where we always add
a space. it's just a quirk of my coding style.
Signed-off-by: Leah Rowe <leah@libreboot.org>
use the same naming scheme throughout
Signed-off-by: Leah Rowe <leah@libreboot.org>
this way, the correct part number is printed when an invalid
part is being operated on, in cmd copy or swap.
Signed-off-by: Leah Rowe <leah@libreboot.org>
i overlooked this in a previous modification
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

instead, use a single integer, set to 1 if using
these commands (otherwise set to 0), used as an XOR
mask.
use this to invert where data gets read. one quirk
with this is that if a copy operation is performed
from a part with a bad checksum, it's already done
in advance, in memory, but then the check on the
checksum in cmd_copy is now checking the other part,
which will be all zeroes, so i invert that too; this
means now when running cmd_copy, it'll complain about
an invalid part, but the part number is inverted.
it's a small price to pay, because this restores the
previous performance optimisations but without being
as unsafe.
this is also true when doing the swap.
Signed-off-by: Leah Rowe <leah@libreboot.org>
lots of block devices use 4KB block size. it makes
sense to have this optimisation here.
i previously removed it, along with the one that
only reads the NVM area - that one is still gone,
because it was largely pointless.
because of this modification returning, i also
re-introduced the check in setWord against
nvmPartModified - otherwise, for example, running
cmd brick 0 would brick part 0 but then write
all zeroes to part 1.
Signed-off-by: Leah Rowe <leah@libreboot.org>
we always read from offset zero, so use read
Signed-off-by: Leah Rowe <leah@libreboot.org>
those lines at the end are a hangover from the old
opendir-based implementation.
i also made the output more verbose in that first error
check.
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

opendir allocates resources and causes a bunch of other
error conditions which we need to catch.
use of stat is more efficient here.
Signed-off-by: Leah Rowe <leah@libreboot.org>
otherwise, early calls to err_if make use of a NULL string
inside err()
Signed-off-by: Leah Rowe <leah@libreboot.org>
it still had some leftovers from the old macro-style
implementation. it still compiled, but this patch
fixes the function properly.
Signed-off-by: Leah Rowe <leah@libreboot.org>
irrelevant for most users, who are on little endian
anyway, but i broke the swap function on big endian
systems. this fixes it.
the new function uses an intermediate variable instead
of xor swapping, but i accidentally left some relics
of the old xor swaps in place. this fixes that.
Signed-off-by: Leah Rowe <leah@libreboot.org>
this, in conjunction with the centralised exit scheme now
used by nvmutil, means that we have portable exit status.
notwithstanding the use of non-portable unix functions, and
especially the use of non-standard err.c (which GNU and BSD
libc implementations all have anyway, as does musl).
this code should now run on essentially any computer with
Linux or BSD on it.
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

exit with 0 or 1, as is proper.
errno is an int, but the return value on a shell
can be e.g. a byte, and depending how that number (errno)
is valued, could overflow and cause a zero exit, where
you want a non-zero exit.
the code has been changed in such a way as to maintain
current behaviour (don't change errno), except that when
errno is set upon exit, the exit value is now one.
Signed-off-by: Leah Rowe <leah@libreboot.org>
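The truncation the commit above describes can be shown directly. The following is an added example, not nvmutil's own code: a child process exits with a raw integer the way `exit(errno)` would, and the parent reads back what a shell would actually see; `exit_value_for` is a hypothetical helper standing in for the commit's approach of leaving errno alone but always exiting with 1 when it is set. It assumes a POSIX system (fork/waitpid).

```c
/* Added example (not nvmutil's code): why an errno value must not be passed
 * straight to exit(). Only the low 8 bits of the status reach the parent or
 * shell, so a value that is a multiple of 256 reads back as "success".
 * Assumes POSIX fork()/waitpid(). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that exits with `code` and return the status the parent
 * actually observes; -1 if fork or wait fails. */
int observed_exit_status(int code)
{
	pid_t pid = fork();
	int status;

	if (pid < 0)
		return -1;
	if (pid == 0)
		_exit(code); /* child: raw exit value, like exit(errno) */
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}

/* Hypothetical helper mirroring the commit: errno itself is untouched
 * (still usable for the error message), but the exit value is 0 or 1. */
int exit_value_for(int saved_errno)
{
	return saved_errno != 0 ? 1 : 0;
}

int main(void)
{
	/* constructed sample values; 256 and 512 are the problem cases */
	int codes[] = {0, 1, 2, 255, 256, 512};

	for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
		printf("exit(%d) is seen as %d; exit_value_for gives %d\n",
		    codes[i], observed_exit_status(codes[i]),
		    exit_value_for(codes[i]));
	return 0;
}
```

Real errno values are small on current libcs, but the mapping costs nothing and removes a class of "error reported, but `$?` is 0" surprises in scripts that check nvmutil's status.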

Signed-off-by: Leah Rowe <leah@libreboot.org>

also re-order the prototypes
Signed-off-by: Leah Rowe <leah@libreboot.org>
split it into smaller, more readable functions
Signed-off-by: Leah Rowe <leah@libreboot.org>
use buf directly
Signed-off-by: Leah Rowe <leah@libreboot.org>
this means that we make use of the boundary checks. it's just
a safer way of handling these functions.
Signed-off-by: Leah Rowe <leah@libreboot.org>
pointless optimisation. we know that when a user requests an
operation that would write, it will probably result in a change.
therefore, this change is the real optimisation. to avoid
writing the same half of a file twice, when using cmd_copy,
we check (in writeGbe) whether gbe part 0 and 1 are the same;
if they are, then we only loop once. this is important, because
otherwise we would call swap() twice.
this means that the optimisations in cmd_copy and cmd_swap must
be removed. the point of this and other changes is to improve
memory safety in nvmutil, so frivolous use of pointers has to go.
Signed-off-by: Leah Rowe <leah@libreboot.org>
it's so simple now, all it does is set the gbe pointers
Signed-off-by: Leah Rowe <leah@libreboot.org>
pointless code complication, that doesn't yield a noticeable
performance increase.
Signed-off-by: Leah Rowe <leah@libreboot.org>
modern file systems work in 4KB blocks. reading only
a small part of it doesn't really make much difference
in terms of performance.
simplify the code instead.
Signed-off-by: Leah Rowe <leah@libreboot.org>
modern malloc implementations make the optimisation here
pretty pointless.
modern computers make this modification pointless.
i'm not planning to run nvmutil on a VAX. openbsd removed
support for it ages ago. 8KB fixed buffer is fine.
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

it doesn't save any time on modern systems, and it's just
confusing for some people to read. i mean, i understand it
instinctively, but normal people do it with a swap variable.
Signed-off-by: Leah Rowe <leah@libreboot.org>
the only reason i did this was for that xor swap, but we
can just use an intermediary value
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

we always want unveil/pledge calls to be in main, when
possible, so that they are more transparent and easier
to understand when re-factoring, because it's extremely
important that these syscalls be done correctly.
main is small enough now, from other re-factoring changes,
that i'm happy to have this back in main now.
Signed-off-by: Leah Rowe <leah@libreboot.org>
the current check is too liberal. make it stricter.
the issue is that the previous check did not take
into account that it's a check on a uint16_t array,
against nf which refers to a number of bytes.
Signed-off-by: Leah Rowe <leah@libreboot.org>
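The two points made in the commit above (a word-array bound checked against a byte count) and in the earlier XOR-mask commit (selecting the other part with `partnum ^ mask` instead of a second pointer) can both be shown on a small model. This is an added example and not nvmutil's code: it assumes an 8KB image made of two 4096-byte parts held as `uint16_t` words, with `nf` standing for the number of bytes that were read in; the function names are hypothetical.

```c
/* Added example, not nvmutil's own code. Model of a two-part NVM image:
 * assumed 8192 bytes total, two 4096-byte parts, accessed as uint16_t words. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PART_SIZE 4096                                  /* assumed, bytes */
#define NVM_SIZE  (2 * PART_SIZE)
#define WORDS_PER_PART (PART_SIZE / sizeof(uint16_t))   /* 2048 words */

static uint16_t nvm[NVM_SIZE / sizeof(uint16_t)];  /* whole image as words */
static size_t nf = NVM_SIZE;  /* bytes actually read, like the commit's nf */

/* The too-liberal form: a word index compared against a byte count.
 * Indices between nf/2 and nf pass the test but lie past the array. */
int word_index_ok_bytes(size_t pos, int partnum)
{
	size_t idx = (size_t)partnum * WORDS_PER_PART + pos;
	return idx < nf;
}

/* The stricter form: the array holds nf / sizeof(uint16_t) words. */
int word_index_ok(size_t pos, int partnum)
{
	size_t idx = (size_t)partnum * WORDS_PER_PART + pos;

	return partnum >= 0 && partnum <= 1 && pos < WORDS_PER_PART &&
	    idx < nf / sizeof(uint16_t);
}

/* Bounds-checked word read; out of range yields 0 and *ok = 0. */
uint16_t word(size_t pos, int partnum, int *ok)
{
	*ok = word_index_ok(pos, partnum);
	return *ok ? nvm[(size_t)partnum * WORDS_PER_PART + pos] : 0;
}

/* mask is 1 for commands that work on the other part, 0 otherwise;
 * partnum ^ mask flips 0 <-> 1 with no extra pointer to keep in sync. */
uint16_t word_masked(size_t pos, int partnum, int mask, int *ok)
{
	return word(pos, partnum ^ mask, ok);
}

/* Constructed sample data: part 0 all 0x1111, part 1 all 0x2222. */
void fill_sample(void)
{
	for (size_t i = 0; i < WORDS_PER_PART; i++) {
		nvm[i] = 0x1111;
		nvm[WORDS_PER_PART + i] = 0x2222;
	}
}

int main(void)
{
	int ok;

	fill_sample();
	printf("byte-based check accepts word 3000 of part 1: %d\n",
	    word_index_ok_bytes(3000, 1));
	printf("word-based check accepts word 3000 of part 1: %d\n",
	    word_index_ok(3000, 1));
	printf("part 0, mask 1 reads 0x%04x (ok=%d)\n",
	    word_masked(5, 0, 1, &ok), ok);
	return 0;
}
```

Word 3000 of part 1 is index 5048, which is below `nf` (8192) and so slips through the byte-based test even though the array only has 4096 words; comparing against `nf / sizeof(uint16_t)` rejects it.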

Signed-off-by: Leah Rowe <leah@libreboot.org>

this was the other complication with doing it as a macro.
for something this fundamental, we really want to ensure
that every access is safe.
Signed-off-by: Leah Rowe <leah@libreboot.org>
having this as a macro makes the code quite brittle.
better to have it as a function.
Signed-off-by: Leah Rowe <leah@libreboot.org>
merge the urandom handling back into this function.
it's called immediately after in main anyway, so we
may as well. this reduces the size of main.
Signed-off-by: Leah Rowe <leah@libreboot.org>
in the given call, we then do an equivalent call
immediately after that is the same, but without
unveil, so we'll just defer to that.
this changes no behaviour.
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

in general, we should ensure that the pledge calls only happen
inside main. this means we can more easily see them, in future
re-factoring.
Signed-off-by: Leah Rowe <leah@libreboot.org>
this will enable hardening of the pledge syscalls.
it also means that the program will error out much
earlier, when an invalid command is given, rather
than opening a bunch of files first, and it will
do so under reduced privilege already, notwithstanding
the further pledge/unveil hardening that is planned.
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>

same as the previous change. i'm going to harden the unveil
and pledge calls next.
Signed-off-by: Leah Rowe <leah@libreboot.org>
urandom in main. this is because i'm going to further
harden the use of pledge and unveil in a future patch,
and this is a prerequisite.
Signed-off-by: Leah Rowe <leah@libreboot.org>

Signed-off-by: Leah Rowe <leah@libreboot.org>