| Commit message | Author | Age | Files | Lines |
In certain cases, such as network booting over an untrusted connection,
it may be useful to fully encrypt and sign the kernel files.
Enable fully encrypted boot using the built-in keyring via the addition of
the string "ENCRYPTED" to the first line of the /etc/pb-lockdown file.
This disables detached (plaintext) signature verification.
Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
kernels and related blobs
This can be used to implement a form of organization-controlled secure boot,
whereby kernels may be loaded from a variety of sources but they will only
boot if a valid signature file is found for each component, and only if the
signature is listed in the /etc/pb-lockdown file.
Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
(Minor build fixes and gpgme.m4, comment on secure boot in gpg.c)
If we don't specify command line arguments for the next kernel, kexec
will add the contents of /chosen/bootargs if present. This is unintended
and not obvious to the user, so explicitly add append="" to the kexec
arguments if we have none to add instead.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
If boot_tty is set or a boot command is sent manually from a certain
console, set the boot_tty environment variable to be used by a boot hook
before kexec.
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
If a call to load_url_async() fails immediately, boot() will free the
boot task and return. If other jobs started by load_url_async()
are still running they will attempt to free their task struct in
load_url_process_exit(), however the original boot task is the parent
context of this process task, resulting in a double-free.
Instead call cleanup_cancellations if an error immediately occurs to
cancel any pending load operations safely before freeing the boot task.
Signed-off-by: Sam Mendoza-Jonas <sam@mendozajonas.com>
Signed-off-by: Samuel Mendoza-Jonas <sam.mj@au1.ibm.com>
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Since we're operating in the correct locale now, we can send translated
strings in the boot status messages.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Currently, we have a bug when a boot task with more than one load task
is cancelled:
1) boot_cancel calls cleanup_cancellations, which performs a
load_url_async_cancel on all load tasks. This sets the load tasks'
states to LOAD_CANCELLED, and signals associated processes.
2) The first load task process completes, we get a load_url_process_exit
callback. This then invokes cleanup_cancellations.
3) cleanup_cancellations then (incorrectly) frees the boot task (and
hence freeing all pending load tasks) as no load tasks are in LOAD_ASYNC
state (we set them all to LOAD_CANCELLED in step 1)
4) The actual completion for the second load task attempts to reference
the now-freed task structure.
This change fixes the issue by handling the LOAD_CANCELLED state properly
- if we find a load task in this state, we consider the boot task still
pending, and delay the free until all loads are complete.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
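The double-free described in the boot() immediate-failure commit further up this log and the LOAD_CANCELLED use-after-free described here both hinge on one question: when may the parent boot task be freed while load tasks still have helper processes running? The model below is an added example, not petitboot code. It keeps the state names from the commit messages, but the struct layout, the process_done flag, the shape of the boot() failure path and the two scenario helpers are assumptions made for illustration, and a freed flag stands in for talloc_free() so each scenario can report whether a late callback touched a freed parent instead of actually corrupting memory.

```c
#include <stdbool.h>

/* LOAD_ASYNC is 0, so a zero-initialised load task is "in flight". */
enum load_state { LOAD_ASYNC, LOAD_OK, LOAD_ERROR, LOAD_CANCELLED };

struct load_task {
	enum load_state state;
	bool process_done;	/* the helper process for this load has exited */
};

struct boot_task {
	struct load_task loads[2];
	int n_loads;
	bool freed;		/* stands in for talloc_free(); lets us detect a UAF */
};

typedef bool (*cleanup_fn)(struct boot_task *);

/* Pre-fix cleanup_cancellations(): anything not LOAD_ASYNC counts as done,
 * so a task whose loads were just cancelled is freed while their helper
 * processes are still running. Returns true if the task was freed. */
static bool cleanup_cancellations_buggy(struct boot_task *task)
{
	for (int i = 0; i < task->n_loads; i++)
		if (task->loads[i].state == LOAD_ASYNC)
			return false;
	task->freed = true;
	return true;
}

/* Fixed cleanup_cancellations(): a LOAD_CANCELLED load is still pending
 * until its process has actually exited. */
static bool cleanup_cancellations_fixed(struct boot_task *task)
{
	for (int i = 0; i < task->n_loads; i++) {
		const struct load_task *l = &task->loads[i];
		if (l->state == LOAD_ASYNC ||
		    (l->state == LOAD_CANCELLED && !l->process_done))
			return false;
	}
	task->freed = true;
	return true;
}

/* load_url_async_cancel() on every in-flight load, as boot_cancel() does. */
static void cancel_loads(struct boot_task *task)
{
	for (int i = 0; i < task->n_loads; i++)
		if (task->loads[i].state == LOAD_ASYNC)
			task->loads[i].state = LOAD_CANCELLED;
}

/* load_url_process_exit() for load idx. Returns true if the callback ran
 * against an already-freed boot task, i.e. the use-after-free happened. */
static bool process_exit(struct boot_task *task, int idx, cleanup_fn cleanup)
{
	if (task->freed)
		return true;
	task->loads[idx].process_done = true;
	if (task->loads[idx].state == LOAD_ASYNC)
		task->loads[idx].state = LOAD_OK;
	cleanup(task);
	return false;
}

/* Scenario from this commit: boot_cancel() with two loads in flight. Returns
 * whether a UAF occurred; *leaked reports a task that was never freed. */
bool scenario_cancel(cleanup_fn cleanup, bool *leaked)
{
	struct boot_task t = { .n_loads = 2 };
	cancel_loads(&t);				/* step 1 */
	bool uaf = process_exit(&t, 0, cleanup);	/* steps 2 and 3 */
	uaf |= process_exit(&t, 1, cleanup);		/* step 4 */
	*leaked = !t.freed;
	return uaf;
}

/* Scenario from the earlier boot() double-free commit: the second
 * load_url_async() fails synchronously while the first is still running.
 * The old boot() freed the task on the spot; the fix cancels the pending
 * load and lets its process exit release the task. */
bool scenario_immediate_failure(bool fixed, bool *leaked)
{
	cleanup_fn cleanup = fixed ? cleanup_cancellations_fixed
				   : cleanup_cancellations_buggy;
	struct boot_task t = { .n_loads = 2 };
	t.loads[1].state = LOAD_ERROR;		/* load_url_async() returned an error */
	t.loads[1].process_done = true;		/* no helper was ever started */
	if (fixed) {
		cancel_loads(&t);
		cleanup(&t);
	} else {
		t.freed = true;			/* talloc_free(boot_task) right away */
	}
	bool uaf = process_exit(&t, 0, cleanup);
	*leaked = !t.freed;
	return uaf;
}
```

The pre-fix cleanup frees as soon as nothing is LOAD_ASYNC, so the second process-exit callback runs against a freed task; the fixed cleanup waits until every LOAD_CANCELLED load's process has exited, and boot()'s failure path cancels the loads instead of freeing directly, so the last process exit is what releases the task and nothing is leaked.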
Rather than #defining _GNU_SOURCE in our .c files, we can define this
from config.h instead.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
We're seeing a crash when boot hooks are specifying new resources, as
boot_hook_update_param will write to a NULL struct load_url_result.
Instead of writing the updated values to the struct, copy the local
parts of the result to a separate string, which the boot hooks are free
to update.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
In commit 823958fb, we changed to use struct process, but left in the
check for rc == BOOT_HOOK_EXIT_UPDATE. We actually want to check
process->exit_status here, not rc.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
This change groups the offsetof, container_of and ARRAY_SIZE macros in a
single header file util/util.h.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Currently, once the boot() function is called, the boot process will
ignore any cancellations.
This change allows boot() to be cancelled, via boot_cancel().
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Now that we can download asynchronously, we can download boot resources
in parallel. This also means we don't need a state machine; we're either
not done (loads are still pending) or done.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Currently, load_url and load_url_async return a filename parameter and a
tempfile flag (indicating whether the file needs to be cleaned after
use).
Instead, encapsulate this data in a struct load_url_result, from which the
caller (and async callbacks) can read the status, filename and clean
parameters.
For internal use in load_url and helpers, we add a struct load_task to
hold a pointer to the load_url_result and async data.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
... otherwise we won't clean up local files from earlier boot stages.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Use the status argument to the URL load callback to check for load
failures.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
We don't need a pointer here, just the status value.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
The current boot process handled by the boot() function is implemented such
that it blocks on the boot resources being downloaded which blocks
the discover process until the download completes. This patch
re-implements the boot() function using callback mechanism and
asynchronous notifications so that boot() returns to continue the
discover process while the download is in progress.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Neelesh Gupta <neelegup@linux.vnet.ibm.com>
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
It'd be nice to include arbitrary format strings here, so do a
talloc_vasprintf in update_status.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
We need boot_task for kexec_reboot.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
This change replaces the pb_run_cmd() function with proper usage of the
process API.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Replace pb_run_cmd_pipe with process_create / process_run_sync.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Rather than using the stack for struct boot_task, talloc one instead.
This gives us a short-lived context (active for the boot() process
only), and we don't need to use the externally-provided context
directly.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
If the boot image fails to load, we end up calling talloc_free on an
uninitialised area of stack (boot_task.local_initrd).
Move the initialisers a little earlier, so we always NULL pointers
before potentially freeing.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
By exiting with status == 2, boot hooks can update boot data by
printing name=value to stdout.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Add a method of running pre-boot hooks. Executable files in
/etc/petitboot/boot.d/ are run (in order) before we start the boot
process.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
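The hook mechanism this commit introduces, the exit-status-2 update protocol from the commit just above it, and the two later fixes in this log (check the child's exit status rather than the rc of the run, and let hooks edit local string copies of the parameters rather than the load_url_result) fit together in a small runner. What follows is an added example, not petitboot's own boot hook code: the parameter name args, passing it to the hook through its environment, and the two hook scripts written to a temporary directory are assumptions of the example, and the hooks are exec'd directly rather than through a shell.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define BOOT_HOOK_EXIT_UPDATE 2	/* hook printed name=value updates on stdout */

/* Hook-writable local copy of the boot parameters; "args" is an assumed name. */
struct boot_params { char args[256]; };

/* Apply one "name=value" line printed by a hook; -1 for anything else. */
static int apply_update(struct boot_params *p, const char *line)
{
	const char *eq = strchr(line, '=');
	if (!eq || (size_t)(eq - line) != 4 || strncmp(line, "args", 4))
		return -1;
	snprintf(p->args, sizeof(p->args), "%s", eq + 1);
	return 0;
}

/* Exec one hook directly (no shell in between) with the parameters exported
 * in its environment; capture its stdout into out, return its wait status. */
static int run_hook(const char *path, const struct boot_params *p,
		    char *out, size_t outsz)
{
	int fd[2], status;
	size_t n = 0;
	char buf[256];
	if (pipe(fd) < 0) return -1;
	pid_t pid = fork();
	if (pid == 0) {
		dup2(fd[1], STDOUT_FILENO);
		close(fd[0]); close(fd[1]);
		setenv("args", p->args, 1);
		execl(path, path, (char *)NULL);
		_exit(127);
	}
	close(fd[1]);
	/* Keep reading (discarding past outsz) so a chatty hook never blocks. */
	for (ssize_t r; pid > 0 && (r = read(fd[0], buf, sizeof(buf))) > 0; ) {
		size_t room = outsz - 1 - n, take = (size_t)r < room ? (size_t)r : room;
		memcpy(out + n, buf, take);
		n += take;
	}
	out[n] = '\0';
	close(fd[0]);
	return pid < 0 || waitpid(pid, &status, 0) < 0 ? -1 : status;
}

/* Run every executable regular file in dir, in sorted order. Only a hook whose
 * exit status is BOOT_HOOK_EXIT_UPDATE has its output applied (the test is on
 * the child's exit status, not on whether it could be started). Returns the
 * number of hooks run, or -1 if dir cannot be read. */
int run_boot_hooks(const char *dir, struct boot_params *p)
{
	struct dirent **ents;
	int n = scandir(dir, &ents, NULL, alphasort), ran = 0;
	if (n < 0) return -1;
	for (int i = 0; i < n; i++) {
		char path[512], out[4096], *save, *line;
		struct stat st;
		snprintf(path, sizeof(path), "%s/%s", dir, ents[i]->d_name);
		free(ents[i]);
		if (stat(path, &st) || !S_ISREG(st.st_mode) || access(path, X_OK))
			continue;
		int status = run_hook(path, p, out, sizeof(out));
		ran++;
		if (status < 0 || !WIFEXITED(status) ||
		    WEXITSTATUS(status) != BOOT_HOOK_EXIT_UPDATE)
			continue;
		for (line = strtok_r(out, "\n", &save); line;
		     line = strtok_r(NULL, "\n", &save))
			apply_update(p, line);
	}
	free(ents);
	return ran;
}

/* Constructed demo: hook 10 appends a console to args and exits 2; hook 20
 * prints an update but exits 0, so its line must be ignored. Returns 2. */
int demo_boot_hooks(struct boot_params *p)
{
	static const char *const hooks[2][2] = {
		{ "10-console.sh", "#!/bin/sh\necho \"args=$args console=hvc0\"\nexit 2\n" },
		{ "20-ignored.sh", "#!/bin/sh\necho \"args=should-not-apply\"\nexit 0\n" },
	};
	char dir[] = "/tmp/pb-hooks-XXXXXX", path[512];
	if (!mkdtemp(dir)) return -1;
	for (int i = 0; i < 2; i++) {
		snprintf(path, sizeof(path), "%s/%s", dir, hooks[i][0]);
		FILE *f = fopen(path, "w");
		if (!f || fputs(hooks[i][1], f) == EOF || fclose(f) || chmod(path, 0755))
			return -1;
	}
	snprintf(p->args, sizeof(p->args), "root=/dev/sda1");
	return run_boot_hooks(dir, p);
}
```

demo_boot_hooks() leaves its temporary directory behind so the generated hooks can be inspected. run_boot_hooks() returns the number of hooks executed; for the demo that is 2, with args rewritten to root=/dev/sda1 console=hvc0 by the first hook and the second hook's line ignored because it exited 0 rather than 2.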
This keeps all the boot-specific details in one place.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Updates & fixes by Jeremy Kerr <jk@ozlabs.org>.
Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
If we're booting from a default option, we don't have a boot command.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
`kexec -e` will just call shutdown, which we've already tried, so it's
likely to fail. Add a further fallback to force a kexec with -e -f
options.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Now that we have protocol support, send status updates during the boot
process.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
This change switches the parsers over to populate the resources in
discover_boot_option, rather than the string parameters in boot_option.
To do this, we need a few things:
* Add struct resources to discover_boot_option for the boot_image,
initrd and icon data.
* Have the parsers populate the resources, rather than the strings.
Currently, parsers can all use the devpath resource type.
* Add a resolve_resource callback to parsers; this is how the device
handler will attempt to resolve resources.
* Change load_file to load_url, as we should be only accessing
(resolved) resources by URLs.
This then allows us to remove the mount map, and associated lookup code,
as well as the UUID and label links to devices.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
discover/boot.c: In function ‘boot’:
discover/boot.c:153:13: error: ‘local_initrd’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Fix typo in boot() routine.
Signed-off-by: Geoff Levand <geoff@infradead.org>
This change moves the boot-via-kexec functionality from the UIs to the
discover server.
On the UI side: rather than run kexec directly, we just send a message
to the discover server. Because this is generic discover client
functionality, we no longer need the boot callbacks in the twin- and
ncurses-specific code.
We also remove the kexec and URL-loading code from the UIs, and add it
to the discover server code, in paths.c. We expose this to the server
through a new function:
load_path(void *, const char *, unsigned int *);
On the server side, we simply hook up the boot() function to use
the load_file and kexec calls.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
This change adds a function, device_handler_boot, which processes the
boot command message from the discover server.
We add a new file, discover/boot.c (and a corresponding header) with a
skeleton for the final kexec code.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>