On Mon, 9 Mar 2020 07:05:46 +0100 "O. Hartmann" <ohartm...@walstatt.org> wrote:
> On Sun, 8 Mar 2020 17:42:43 +0000 (UTC) > "Simon J. Gerraty" <s...@freebsd.org> wrote: > > > Author: sjg > > Date: Sun Mar 8 17:42:42 2020 > > New Revision: 358744 > > URL: https://svnweb.freebsd.org/changeset/base/358744 > > > > Log: > > veloader use vectx API for kernel and modules > > > > The vectx API, computes the hash for verifying a file as it is read. > > This avoids the overhead of reading files twice - once to verify, then > > again to load. > > > > For doing an install via loader, avoiding the need to rewind > > large files is critical. > > > > This API is only used for modules, kernel and mdimage as these are the > > biggest files read by the loader. > > The reduction in boot time depends on how expensive the I/O is > > on any given platform. On a fast VM we see 6% improvement. > > > > For install via loader the first file to be verified is likely to be the > > kernel, so some of the prep work (finding manifest etc) done by > > verify_file() needs to be factored so it can be reused for > > vectx_open(). > > > > For missing or unrecognized fingerprint entries, we fail > > in vectx_open() unless verifying is disabled. > > > > Otherwise fingerprint check happens in vectx_close() and > > since this API is only used for files which must be verified > > (VE_MUST) we panic if we get an incorrect hash. > > > > Reviewed by: imp,tsoome > > MFC after: 1 week > > Sponsored by: Juniper Networks > > Differential Revision: https://reviews.freebsd.org//D23827 > > > > Modified: > > head/lib/libsecureboot/h/libsecureboot.h > > head/lib/libsecureboot/h/verify_file.h > > head/lib/libsecureboot/tests/tvo.c > > head/lib/libsecureboot/vectx.c > > head/lib/libsecureboot/verify_file.c > > head/share/mk/src.opts.mk > > head/stand/common/bootstrap.h > > head/stand/common/interp_forth.c > > head/stand/common/interp_simple.c > > head/stand/common/load_elf.c > > head/stand/common/load_elf_obj.c > > head/stand/common/misc.c > > head/stand/common/module.c > > head/stand/efi/loader/arch/i386/i386_copy.c > > head/stand/efi/loader/copy.c > > head/stand/efi/loader/loader_efi.h > > head/stand/efi/loader/main.c > > head/stand/ficl/loader.c > > head/stand/i386/libi386/i386_copy.c > > head/stand/i386/libi386/libi386.h > > head/stand/i386/loader/chain.c > > head/stand/libofw/libofw.h > > head/stand/libofw/ofw_copy.c > > head/stand/loader.mk > > head/stand/mips/beri/loader/arch.c > > head/stand/powerpc/kboot/main.c > > head/stand/uboot/lib/copy.c > > head/stand/uboot/lib/libuboot.h > > head/stand/userboot/userboot/copy.c > > head/stand/userboot/userboot/libuserboot.h > > > > To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org" > [... deleted ...] > > > buildworld seems to be broken on this commit: > > [...] > --- all_subdir_stand --- > --- lstd.o --- > /usr/src/stand/liblua/lstd.c:86:44: error: too few arguments to function call, > expected 5, have 4 if (verify_file(fd, filename, 0, VE_GUESS) < 0) { > ~~~~~~~~~~~ ^ > /usr/src/lib/libsecureboot/h/verify_file.h:50:1: note: 'verify_file' declared > here int verify_file(int, const char *, off_t, int, const char *); > ^ > 1 error generated. > [...] > > Building host is CURRENT, FreeBSD 13.0-CURRENT #118 r358695: Fri Mar 6 > 12:48:00 CET 2020 amd64: > > kind regards, > > oh > _______________________________________________ > svn-src-head@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/svn-src-head > To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org" The problem reported seems to occur when WITH_BEARSSL=YES is enabled in /etc/src.conf. _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
