The previous code would warn that the mask was being defaulted to
an obsolete class mask even if -mask was present after -network.
Import a fix from Peter Much with a little tweaking, deferring the
warning until after all parameters are processed.
PR: 263011
Obtained from: pmc at citilink.dinoex.sub.org
MFC after: 3 days
Reviewed by: rmacklem
Differential Revision: https://reviews.freebsd.org/D41774
Escape a period that caused a line not to be includesd. Also mention
that glob(3) patterns may be included, and a consequence of that.
PR: 273561
Reported by: crest@rlwinm.de
Reviewed by: emaste
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D41723
Prior to this commit privileged accounts in a jail could not access to the
filesystem extended attributes in the system namespace. To control access to
the system namespace in a per-jail basis add a new configuration parameter
allow.extattr which is off by default.
Reported by: zirias
Tested by: zirias
Obtained from: HardenedBSD
Reviewed by: kevans, jamie
Differential revision: https://reviews.freebsd.org/D41643
MFC after: 1 week
Relnotes: yes
Prefer libpfctl functions over direct access to the ioctl whenever
possible. This will allow subsequent removal of DIOCGETSTATUS (in 15) as
there already is an nvlist-based alternative.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D41650
The synopsis section of jail(8) is fine at showing everything that could
be on the command line, but doesn't make much sense. Add some sub-
ections for the different uses of the command.
Also fix up the paragraph about command-line parameter specification,
including removing some clearly erroneous information.
Reviewed by: dvl
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D41606
Systems that predate 971bac5ace ("kbd: consolidate kb interfaces
(phase one)") cannot build kbdcontrol since kbdelays and kbrates moved
to sys/kbio.h. Moreover, on non-FreeBSD, it requires all kinds of ioctls
and sysctls that are highly FreeBSD-specific to build, but we use it as
a bootstrap tool to generate the keymaps used by some kernels (LINT ones
in particular). Thus, when bootstrapping kbdcontrol, disable everything
that's not needed for that singular use, and use the in-tree kbio.h to
get the definitions of the necessary structures.
This allows KBDMUX_DFLT_KEYMAP, UKBD_DFLT_KEYMAP and ATKBD_DFLT_KEYMAP
to be enabled when building on non-FreeBSD, and thus LINT kernels.
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D41541
For backward compatibility, the ACPI tables are loaded into the guest
memory. Windows scans the memory, finds the ACPI tables and uses them.
It ignores the ACPI tables provided by the UEFI. We are patching the
ACPI tables in the guest memory, so that's mostly fine. However, Windows
will break when the ACPI tables become to large or when we add entries
which can't be patched by bhyve. One example of an unpatchable entry, is
a TPM log. The TPM log has to be allocated by the guest firmware. As the
address of the TPM log is unpredictable, bhyve can't assign it in the
memory version of the ACPI tables. Additionally, this makes it
impossible for bhyve to calculate a correct checksum of the table.
By default ACPI tables are still loaded into guest memory for backward
compatibility. The new acpi_tables_in_memory config value can be set to
false to avoid this behaviour.
Reviewed by: markj
MFC after: 1 week
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D39979
It was originally in contrib, and moved to usr.sbin in 6692aa840c1f; I always thought lib would make more sense but never got around to moving it.
Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D41504
Remove quotes around the list of packages to install.
Otherwise pkg is only fed one argument which results in a
non-working solution:
pkg: No packages available to install matching 'wifi-firmware-ath10k-kmod wifi-firmware-mt76-kmod wifi-firmware-ath11k-kmod' have been found in the repositories
MFC after: 10 days
Reviewed by: manu
Differential Revision: https://reviews.freebsd.org/D41474
Section 7.10.3 of the NVME 1.4b specification states that the IEEE OUI
in the identify controller structure is stored in little-endian format
(unlike the embedded OUI in EUI64 identifiers).
Reviewed by: corvink, chuck, imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D41487
At the moment, only a TPM passthru is supported. The cmdline looks like:
-l tpm,passthru,/dev/tpm0
Reviewed by: markj
MFC after: 1 week
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D32961
Windows requires a physical presence interface to recognize the TPM
device. Qemu's OVMF has an implementation for the PPI which can be
reused. Using the Qemu PPI makes it very easy because we don't have to
implement new PPI functionality into our OVMF. The Qemu implementation
is already there.
Reviewed by: markj
MFC after: 1 week
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D40462
Without this patch got_sighup(), which is the SIGHUP handler,
would set a variable of type int.
This would appear to be incorrect, although it has worked reliably.
This patch changes the type to "_Atomic(int)", which appears
to be all that is needed to correct it.
Reported by: pen@lysator.lui.se
Reviewed by: theraven, karels (prev version), kevans (prev version)
Differential Revision: https://reviews.freebsd.org/D41265
To send commands to the TPM device, bhyve can use the host TPM driver by
reading and writing from /dev/tpmX. Using this approach, only the host
TPM driver has to detect and interact with the physical TPM interface.
This simplifies bhyve's code much. As the host TPM driver has to
interact with the TPM regardless of bhyve making use of it or not, makes
it a good approach.
Reviewed by: markj
MFC after: 1 week
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D40460
Trap accesses to the CRB MMIO range and emulate them properly.
Reviewed by: markj
MFC after: 1 week
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D40459
This splits out the certctl utility into a new certctl package and the
openssl libs into an openssl-lib package.
PR: 272816
Reviewed by: manu
Differential Revision: https://reviews.freebsd.org/D41321
If a guest tries to reset the fwctl device while a pending request was
in flight, the fwctl state machine can be left in an incomplete state.
Specifically, rinfo is not cleared.
Normally the state machine for fwctl alternates between REQ (receiving
request) and RESP (sending response) and ignores port writes while in
RESP or port reads while in REQ. Once a guest completes the writes to
the port to send a request, the state machine transitions to RESP and
ignores future writes.
However, if a guest writes a full request and then resets the fwctl
device, the state would transition to REQ without draining the pending
response or discarding the received request. Instead, additional
port writes after the reset were treated as new payload bytes, but
were appended to the previously-received request and could overflow
the fget_str buffer.
To fix, fully reset the fwctl state machine if the guest requests a
reset.
admbugs: 998
Approved by: so
Reviewed by: markj
Reported by: Omri Ben Bassat <t-benbassato@microsoft.com>
Security: FreeBSD-SA-23:07.bhyve
Security: CVE-2023-3494
These new targets avoid the need to invoke internal build system targets
or set internal variables when building, and also have the added benefit
of working with BUILD_WITH_STRICT_TMPPATH. Old source trees lacking such
targets will not work with BUILD_WITH_STRICT_TMPPATH; they could be made
to work by copying the steps, but it's not worth doing so, as they never
have worked in the past. The primary goal of this is to support changing
the default of BUILD_WITH_STRICT_TMPPATH to enabled.
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D41206
The distrib-dirs and distribution steps are shared between the two, the
only difference is whether MAKEOBJDIRPREFIX is in the environment for
the latter. Having in the environment for the former is currently not
needed but does no harm and will be needed in future, so we can just
export it up-front in the subshell. When we do distrib-dirs relative to
_obj and everything also doesn't matter, so move it next to distribution
where it makes more sense. Finally, to avoid complicated && chains, use
"|| exit 1" everywhere to make the subshell fail, and add an extra one
on to the cd $SRCDIR to handle that failing (otherwise we'd go on and
try to build the current directory after cd prints its error, which is
unhelpful).
These changes will make it easier to bundle these steps up into new
top-level targets to allow the build system to manage the steps rather
than etcupdate, which will also handle BUILD_WITH_STRICT_TMPPATH, which
currently does not work with etcupdate.
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D41204
The removal of the sparc64 support in February 2020 obsoleted the
VTOC8 partitioning scheme as no other FreeBSD platform makes use
of it. Moreover, the code is bitrotting as nothing defines e. g.
LOADER_VTOC8_SUPPORT any more and, thus, should go now, too. With
this change, the following commits are reverted as far as VTOC8
is concerned and parts haven't already previously been deleted
along with prior sparc64 removals:
094fcb157da7d366e958ba8d50d08b
The alignment example d9711c28ef
added to the VTOC8 section of gpart.8 is folded into the MBR one.
This should finally conclude the deorbit of sparc64-specific bits.
We had joy, we had fun
we ran Unix on a Sun.
But that source and the song
of FreeBSD have all gone.
Credits to Michael Bueker for the original "Unix on a Sun" and Rod
McKuen for the "Seasons in the Sun" lyrics.
vmm and libvmmapi already have handlers for that. When adding debug
cpus, they were only used for the debug stub. Over time, they were
reused by other parts like snapshots or idle APs.
Reviewed by: corvink, jhb
MFC after: 1 week
Sponsored by: vStack
Differential Revision: https://reviews.freebsd.org/D40804
TPM commands can take up to several seconds to execute. If we hold the
CRB mutex while executing the command, MMIO accesses could be blocked
for a long time. Therefore, just copy all required values and work on
the copied values.
Reviewed by: markj
MFC after: 1 week
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D40724
Fix the following problem:
1. A nonexistent user, someuser, is added to /etc/group as
someuser:*:12345:someuser.
2. someuser is then created with the default login group.
A second group entry for someuser will be created.
someuser:*:12345:someuser
someuser:*:12346:
With this fix, the existing group entry will be used.
PR: 238995
Reviewed by: bapt, jrm
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41057
Fix the following problem:
1. A nonexistent user, someuser, is added to somegroup in /etc/group.
2. someuser is then created with membership in somegroup.
The entry for somegroup in /etc/group will then contain
somegroup:*:12345:someuser,someuser
With this fix, the entry will be
somegroup:*:12345:someuser
PR: 238995
Reviewed by: bapt, jrm
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41076
