| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
similar to the logic about other failure states
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
make it more efficient. much lower rejection
rate now, about 2-5%. deal with bias, but also
get numbers in bulk. not too many.
i'd say this is about right in terms of performance
balance. 64 bytes == 8 large integers.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
now you can send an arbitrary number of bytes
with random numbers
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
also re-add /dev/urandom support, as a config option
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
build-time option. do not allow fallback; on
a system where getrandom is used, it should
be used exclusively.
on some systems, getrandom may not be available,
even if they have a newer kernel.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
This will also be used in lbmk itself at some point,
which currently just uses regular mktemp, for tmpdir
handling during the build process.
Renamed util/nvmutil to util/libreboot-utils, which
now contains two tools. The new tool, mkhtemp, is a
hardened implementation of mktemp, which nvmutil
also uses now. Still experimental, but good enough
for nvmutil.
Mkhtemp attempts to provide TOCTOU resistance on
Linux, by using modern features in Linux such as
Openat2 (syscall) with O_EXCL and O_TMPFILE,
and many various security checks e.g.
inode/dev during creation. Checks are done constantly,
to try to detect race conditions. The code is very
strict about things like sticky bits in world writeable
directories, also ownership (it can be made to bar even
root access on files and directories it doesn't own).
It's a security-first implementation of mktemp, likely
even more secure than the OpenBSD mkstemp, but more
auditing and testing is needed - more features are
also planned, including a compatibility mode to make
it also work like traditional mktemp/mkstemp. The
intention, once this becomes stable, is that it will
become a modern drop-in replacement for mkstemp on
Linux and BSD systems.
Some legacy code has been removed, and in general
cleaned up. I wrote mkhtemp for nvmutil, as part of
its atomic write behaviour, but mktemp was the last
remaining liability, so I rewrote that too!
Docs/manpage/website will be made for mkhtemp once
the code is mature.
Other changes have also been made. This is from another
experimental branch of Libreboot, that I'm pushing
early. For example, nvmutil's state machine has been
tidied up, moving more logic back into main.
Mktemp is historically prone to race conditions,
e.g. symlink attacks, directory replacement, remounting
during operation, all sorts of things. Mkhtemp has
been written to solve, or otherwise mitigate, that
problem. Mkhtemp is currently experimental and will
require a major cleanup at some point, but it
already works well enough, and you can in fact use
it; at this time, the -d, -p and -q flags are
supported, and you can add a custom template at
the end, e.g.
mkhtemp -p test -d
Eventually, I will make this have complete parity
with the GNU and BSD implementations, so that it is
fully useable on existing setups, while optionally
providing the hardening as well.
A lot of code has also been tidied up. I didn't
track the changes I made with this one, because
it was a major re-write of nvmutil; it is now
libreboot-utils, and I will continue to write
more programs in here over time. It's basically
now a bunch of hardened wrappers around various
libc functions, e.g. there is also a secure I/O
wrapper for read/write.
There is a custom randomisation function, rlong,
which simply uses arc4random or getrandom, on
BSD and Linux respectively. Efforts are made to
make it as reliable as possible, to the extent
that it never returns with failure; in the unlikely
event that it fails, it aborts. It also sleeps
between failure, to mitigate certain DoS attacks.
You can just go in util/libreboot-utils and
type make, then you will have the nvmutil and
mkhtemp binaries, which you can just use. It
all works. Everything was massively rewritten.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
err if buf NULL, len -1
also getrandom may return fewer bytes, so
loop that too.
why can't linux be like bsd? bsd is:
arc4random_buf(buf, len);
no checks needed. it never errs.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
for 1989
enabled via ifdef. not enabled by default.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
openbsd 2.1 has arc4random, which we detect here.
arandom was apparently added much later, so this
is dead code. remove it.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
we still fall back to the old /dev/urandom read
on older linux, via runtime detection (ENOSYS).
getrandom is better, because it guarantees entropy
via blocking, and works even when /dev/urandom
is unavailable.
it has the same practical benefit as arc4random,
which i use on bsd. linux can have arc4random,
but not every linux libc has it, so it's better
to use getrandom on linux.
older linux will fall back to /dev/urandom
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
also generally tidied the code and made
it more robust e.g. retries
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
more random characters
i added support for higher than the standard 6
characters so i can go nuts
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
200 retries, not 100.
and open with O_NOFOLLOW and O_CLOEXEC
check X on mkstemp
support more than 6 X in mkstemp
make PATH_LEN 4096
1024 is a bit low
make default mkstemp length 4096
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
that's what it does!
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
that's what it does. waits for eintr to stop firing
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
this is technically incorrect. we don't control
faults in the hardware.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
that's what it does. waits on eintr.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
rename to fsync_on_eintr, because that's what it does
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
i had this idea in my head of later porting this
to k&r c for fun. but screw it.
compiling on everything since 1989 is enough
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
handle init in xstatus()
it's now a singleton design
also tidied up some other code
also removed todo.c. bloat.
will do all those anyway.
too much change. i just kept
touching the code until it
looked good
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
but git still has these directories
in history now, so people should have
it now when cloning.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
only keep nvmutil.c in main
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
question mark respects environmental variables
but isn't portable
you can just pass as argument on the command line
question mark is more useful for build systems,
but i'm not really bothered. the old way works.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
this is a big program now. act like it.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
make a singleton function instead
now there are technically no global variables,
so i can more easily start splitting this up
into multiple linked programs
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
arc4random added in openbsd 2,1
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
sizeof includes the null
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
must be world writeable and not have sticky bits
a bit theoretical, but we're also reading TMPDIR,
which could be anything
due to how this is called, it defaults back to /tmp
if null is returned, so itt's safe
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
set it really high though, so it's still
basically reliably
an EINTR/EAGAIN storm could cause problems
in prw()
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
|
that function i added was a load of crap. it
worked, but it was a bit dumb, and crap.
Signed-off-by: Leah Rowe <leah@libreboot.org>
|
