
EFI secure boot VECTX related changes
Closed, Public

Authored by vangyzen on Apr 26 2021, 2:12 PM.

Details

Summary

When VECTX is enabled as a kernel option and non-EFI loaders are built, many reads will fail due to the mismatch of whether LOADER_VERIEXEC_VECTX is defined or not in readin.h. Source that includes bootstrap.h must ensure the kernel option agrees with the compile-time CFLAGS in the various make-related files.

Test Plan

Tested with the EFI and i386 loaders.

Diff Detail

Repository
R10 FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

This revision is now accepted and ready to land. Apr 26 2021, 3:33 PM

Thanks, I had to fix something similar recently - in libefi

vangyzen added inline comments.
stand/i386/libi386/Makefile
19

This adds console.c to the SRCS for libi386.a, which causes link failures:

===> i386/zfsboot (all)
[...]
ld: error: duplicate symbol: getchar
>>> defined at cons.c:127 (/usr/src/stand/i386/common/cons.c:127)
>>>            cons.o:(getchar)
>>> defined at console.c:105 (/usr/src/stand/common/console.c:105)
>>>            console.o:(.text.getchar+0x0) in archive /usr/obj/usr/src/amd64.amd64/stand/i386/libi386/libi386.a

Those two getchar functions are completely different.

Instead of including loader.mk in these new places, refactor the VERIEXEC-related variables into a new file named veriexec.mk, and include that instead.

This revision now requires changes to proceed. Apr 29 2021, 2:57 PM
vangyzen edited reviewers, added: bret_ketchum_dell.com; removed: vangyzen.

I'll finish this for Bret.

This revision is now accepted and ready to land. Apr 29 2021, 3:34 PM
vangyzen edited the test plan for this revision.
  • refactor VERIEXEC vars into new veriexec.mk
This revision now requires review to proceed. Apr 29 2021, 4:04 PM
This revision is now accepted and ready to land. Apr 29 2021, 4:07 PM
bdrewery added inline comments.
stand/veriexec.mk
1

# $FreeBSD$ seems pointless now but at least kind of implies the license. Not our problem though.

@sjg or @stevek If one of you could take a look, I'd appreciate it.

stand/veriexec.mk
1

Good eye. I considered adding it, but decided to let this commit open that can of worms...I mean, "drive that discussion."

Seems okay to me, but @sjg would be the best to look at it, since the loader veriexec bits are his pet project.

sjg requested changes to this revision. Apr 30 2021, 4:48 PM
sjg added inline comments.
stand/veriexec.mk
8

I don't think this one makes sense without LOADER_VERIEXEC so should be within the scope of the first block.

Otherwise looks good

This revision now requires changes to proceed. Apr 30 2021, 4:48 PM
This revision was not accepted when it landed; it landed in state Needs Revision. Apr 30 2021, 6:13 PM
This revision was automatically updated to reflect the committed changes.
stand/veriexec.mk
1

Add it if you are merging to 12, otherwise omit is the rule.