Page MenuHomeFreeBSD

Make append and write work more like Linux
Needs ReviewPublic

Authored by ambrisko on Oct 18 2016, 8:38 PM.

Details

Reviewers
imp
Summary

Linux gets the current attributes and uses that as the default when
writing or appending. When appending Linux automatically adds
the EFI_VARIABLE_APPEND_WRITE attribute. Linux requires the data
to come from a file. Change the type of attrib to uint32_t. Allow
the attribute to come from the command line. When appending,
EFI_VARIABLE_APPEND_WRITE is added to the command line specified
attribute option.

Test Plan

Tested updates via append to secure variables with signed updates.
Tested updates via write. Both testing was done without specifying
an attribute and with. Compared that the same command with -f worked
on Linux and FreeBSD. Testing that FreeBSD still worked when reading
from stdin.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint OK
Unit
No Unit Test Coverage
Build Status
Buildable 7690
Build 7837: arc lint + arc unit

Event Timeline

ambrisko retitled this revision from to Make append and write work more like Linux.
ambrisko updated this object.
ambrisko edited the test plan for this revision. (Show Details)
ambrisko added a reviewer: imp.

See inline. Basically I like this, but there's some issues.

usr.sbin/efivar/efivar.c
66

I don't think this should be done. Also, you're diffing against an old version.

131

This is not needed. efi_append_variable already does this:

return efi_set_variable(guid, name, data, data_size,
    attributes | EFI_VARIABLE_APPEND_WRITE, 0);
156–157

You're allowed to set a variable that's not been set yet. This is incorrect.

158–159

And this is wrong if it was never set. The default should still be 0x7.

325–326

This is already in -current.

ambrisko edited edge metadata.

Update to address comments so that writing a new variable works.
Use the sane attribute default and if the default is being used,
check for the old attribute file and use that. This could cause
an issue if the user tried to over ride the attribute but it matched
the sane default. This is probably low risk.

With this change I can delete the secure boot db keys via an authenticated
null db file. I can write a new db via an authenticated update passing
in -t 0x27. Authenticated appends also work (with -t 0x67 if it is the
first update).

Also various bases for the -t parameter.

This diverges from Linux but makes it more usable.