This is not really needed, the s" word is supposed to be a temporary string. If someone needs more than one string on the stack, then space needs to be allocated and the string copied there.

The same thing happens currently for cstringQuoteIm(), which is where this
change comes from:

If additional things are found necessary to be added to the list (or handled otherwise), they can be added after the fact. But this gets the ball rolling and is definitely needed.

Take care of review comments.
Also change the conditional in print_hypervisor_info() to explicitly check
for NUL character instead of treating a character as a boolean.

After discussion with sjg, we do not want to support veriexec without signing

Abandon, since this has already been addressed.

I will update and commit with the requested changes.

Return the size of the allocated space for the label, even if we copied in a smaller label.

In D16306#411450, @info_dominicschlegel.ch wrote:

any update on this?

Added fdt_addresses.c and fdt_overlay.c

Build libfdt as static library only
Update to latest head libnames.mk changes.

Removed kvm_clock_tsc_freq, per comments, as it is currently not needed.

Addressed review comments - added additional comments and save the first
hypervisor we found so we have some information even if we cannot find an
exact match.

In D6814#362680, @ian wrote:

In D6814#155355, @stevek wrote:

In D6814#155318, @andrew wrote:

This should be attached to the build, and used by the GNU dtc.

I'm wondering should libfdt be conditionally built and, if so, should it be based on MK_FDT and MK_GPL_DTC (since the dtc build will be using it after the suggested changes)?

I think it should be conditional on MK_FDT, but not on MK_GPL_DTC, because the library itself is BSD-licensed.

Fixed bhyve detection string, as pointed out by bryanv

Removed duplicate comment and replaced it with a more appropriate one
that explains if CPUID2_HV is set, we are running in a hypervisor environment.

In D1435#343486, @bryanv wrote:

The change in this review depends on some hypervisor detection changes that I don't think make sense anymore. @stevek has done the work to refactor this change on to HEAD that I hope he's able to submit soon.

In D14064#295707, @allanjude wrote:

Maybe as a separate change, but is it time to stop shipping lib32 by default as well?

In D8554#289494, @jtl wrote:

I think one of the few weaknesses I see is the way the hash result is cached.

Have you considered mitigations, such as:

• not caching hash results for remote volumes (e.g. NFS)?

In D8554#289476, @jtl wrote:

It seems like this could use a man page to describe the mechanism. There are some subtleties that are not immediately obvious, such as the way that shared libraries are protected. In addition, the O_VERIFY flag should probably be documented in the open() man page with a pointer to the verified exec man page.

looks good.

In D9691#279425, @emaste wrote:

@stevek will you commit (with style fix)?

In D13288#277164, @jhb wrote:

My only other thought is it would be nice to add a test case for this.

In D13287#277145, @imp wrote:

looks good to me. IIRC, this isn't true for every architecture, but there's no reason I know of to disallow it there.