Diffstat (limited to 'src/usr')
-rw-r--r--src/usr/autoboot.c1
-rw-r--r--src/usr/certmgmt.c1
-rw-r--r--src/usr/dhcpmgmt.c1
-rw-r--r--src/usr/fdtmgmt.c51
-rw-r--r--src/usr/ifmgmt.c1
-rw-r--r--src/usr/imgarchive.c1
-rw-r--r--src/usr/imgcrypt.c75
-rw-r--r--src/usr/imgmgmt.c4
-rw-r--r--src/usr/imgtrust.c45
-rw-r--r--src/usr/ipstat.c15
-rw-r--r--src/usr/neighmgmt.c6
-rw-r--r--src/usr/nslookup.c1
-rw-r--r--src/usr/ntpmgmt.c1
-rw-r--r--src/usr/pingmgmt.c1
-rw-r--r--src/usr/profstat.c1
-rw-r--r--src/usr/prompt.c1
-rw-r--r--src/usr/route.c1
-rw-r--r--src/usr/route_ipv4.c48
-rw-r--r--src/usr/route_ipv6.c1
-rw-r--r--src/usr/shimmgmt.c1
-rw-r--r--src/usr/sync.c1
21 files changed, 214 insertions, 44 deletions
diff --git a/src/usr/autoboot.c b/src/usr/autoboot.c
index 4b64ca82b..3d46e65e0 100644
--- a/src/usr/autoboot.c
+++ b/src/usr/autoboot.c
@@ -22,6 +22,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <string.h>
#include <stdio.h>
diff --git a/src/usr/certmgmt.c b/src/usr/certmgmt.c
index e6bf51fd8..9056a917c 100644
--- a/src/usr/certmgmt.c
+++ b/src/usr/certmgmt.c
@@ -22,6 +22,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <stdio.h>
#include <errno.h>
diff --git a/src/usr/dhcpmgmt.c b/src/usr/dhcpmgmt.c
index dcb360b23..2a0a8c718 100644
--- a/src/usr/dhcpmgmt.c
+++ b/src/usr/dhcpmgmt.c
@@ -22,6 +22,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <string.h>
#include <stdio.h>
diff --git a/src/usr/fdtmgmt.c b/src/usr/fdtmgmt.c
new file mode 100644
index 000000000..dabeef2c8
--- /dev/null
+++ b/src/usr/fdtmgmt.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+#include <ipxe/fdt.h>
+#include <usr/fdtmgmt.h>
+
+/** @file
+ *
+ * Flattened Device Tree management
+ *
+ */
+
+/**
+ * Apply flattened device tree image
+ *
+ * @v image FDT image, or NULL to clear FDT
+ * @ret rc Return status code
+ */
+int imgfdt ( struct image *image ) {
+
+ /* Record (or clear) FDT image */
+ image_tag ( image, &fdt_image );
+
+ /* Avoid including image in constructed initrd */
+ if ( image )
+ image_hide ( image );
+
+ return 0;
+}
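Review bot: The header comment on imgfdt says a NULL image clears the FDT, but only the `image_hide ( image )` call is guarded; whether `image_tag ( NULL, &fdt_image )` is the supported way to drop the tag is decided by image_tag in ipxe/image.h, outside this hunk, so a one-line comment such as `/* image_tag() accepts NULL and drops the previously tagged image */` would make the clearing path self-explanatory — confirm against image_tag before adding it. An FDT image hidden here is never un-hidden when it is later replaced or cleared; if that is intended (the image stays registered but is kept out of the initrd), the `Avoid including image in constructed initrd` comment should say so. The function always returns 0, so the `@ret rc` line could note that no failure is currently reported.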
diff --git a/src/usr/ifmgmt.c b/src/usr/ifmgmt.c
index d87ffff27..80f350ee4 100644
--- a/src/usr/ifmgmt.c
+++ b/src/usr/ifmgmt.c
@@ -22,6 +22,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <string.h>
#include <stdio.h>
diff --git a/src/usr/imgarchive.c b/src/usr/imgarchive.c
index 6849dd510..91600760e 100644
--- a/src/usr/imgarchive.c
+++ b/src/usr/imgarchive.c
@@ -24,6 +24,7 @@
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#include <stdio.h>
+#include <string.h>
#include <ipxe/image.h>
#include <usr/imgarchive.h>
diff --git a/src/usr/imgcrypt.c b/src/usr/imgcrypt.c
new file mode 100644
index 000000000..1b649f197
--- /dev/null
+++ b/src/usr/imgcrypt.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2024 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+#include <string.h>
+#include <syslog.h>
+#include <ipxe/image.h>
+#include <ipxe/cms.h>
+#include <ipxe/privkey.h>
+#include <usr/imgcrypt.h>
+
+/** @file
+ *
+ * Image encryption management
+ *
+ */
+
+/**
+ * Decrypt image using downloaded envelope
+ *
+ * @v image Image to decrypt
+ * @v envelope Image containing decryption key
+ * @v name Decrypted image name (or NULL to use default)
+ * @ret rc Return status code
+ */
+int imgdecrypt ( struct image *image, struct image *envelope,
+ const char *name ) {
+ struct cms_message *cms;
+ int rc;
+
+ /* Parse envelope */
+ if ( ( rc = cms_message ( envelope, &cms ) ) != 0 )
+ goto err_parse;
+
+ /* Decrypt image */
+ if ( ( rc = cms_decrypt ( cms, image, name, &private_key ) ) != 0 )
+ goto err_decrypt;
+
+ /* Drop reference to message */
+ cms_put ( cms );
+ cms = NULL;
+
+ /* Record decryption */
+ syslog ( LOG_NOTICE, "Image \"%s\" decrypted OK\n", image->name );
+
+ return 0;
+
+ err_decrypt:
+ cms_put ( cms );
+ err_parse:
+ syslog ( LOG_ERR, "Image \"%s\" decryption failed: %s\n",
+ image->name, strerror ( rc ) );
+ return rc;
+}
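Review bot: The success message at `syslog ( LOG_NOTICE, "Image \"%s\" decrypted OK\n", image->name )` names the encrypted input, while the header comment never says where the decrypted output ends up — whether `image` is replaced in place or a new image is registered under `name` is decided inside cms_decrypt, which is not in this diff. A sentence in the header such as `The decrypted content is created by cms_decrypt(); see that function for whether image is replaced or a new image is registered under name.` would spare the reader a trip into cms.c. Both syslog calls dereference `image->name` and `envelope` is passed straight to cms_message, so the contract should also state that neither image pointer may be NULL.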
diff --git a/src/usr/imgmgmt.c b/src/usr/imgmgmt.c
index 92bf236f9..bad056f0e 100644
--- a/src/usr/imgmgmt.c
+++ b/src/usr/imgmgmt.c
@@ -22,10 +22,12 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
+#include <string.h>
#include <errno.h>
#include <ipxe/image.h>
#include <ipxe/downloader.h>
@@ -184,7 +186,7 @@ void imgstat ( struct image *image ) {
* @v len Length
* @ret rc Return status code
*/
-int imgmem ( const char *name, userptr_t data, size_t len ) {
+int imgmem ( const char *name, const void *data, size_t len ) {
struct image *image;
/* Create image */
diff --git a/src/usr/imgtrust.c b/src/usr/imgtrust.c
index e7c2067a0..fa8282da0 100644
--- a/src/usr/imgtrust.c
+++ b/src/usr/imgtrust.c
@@ -22,12 +22,13 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <stdlib.h>
+#include <string.h>
#include <errno.h>
#include <time.h>
#include <syslog.h>
-#include <ipxe/uaccess.h>
#include <ipxe/image.h>
#include <ipxe/cms.h>
#include <ipxe/validator.h>
@@ -50,34 +51,18 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
*/
int imgverify ( struct image *image, struct image *signature,
const char *name ) {
- struct asn1_cursor *data;
- struct cms_signature *sig;
- struct cms_signer_info *info;
+ struct cms_message *cms;
+ struct cms_participant *part;
time_t now;
- int next;
int rc;
- /* Mark image as untrusted */
- image_untrust ( image );
-
- /* Get raw signature data */
- next = image_asn1 ( signature, 0, &data );
- if ( next < 0 ) {
- rc = next;
- goto err_asn1;
- }
-
/* Parse signature */
- if ( ( rc = cms_signature ( data->data, data->len, &sig ) ) != 0 )
+ if ( ( rc = cms_message ( signature, &cms ) ) != 0 )
goto err_parse;
- /* Free raw signature data */
- free ( data );
- data = NULL;
-
/* Complete all certificate chains */
- list_for_each_entry ( info, &sig->info, list ) {
- if ( ( rc = create_validator ( &monojob, info->chain,
+ list_for_each_entry ( part, &cms->participants, list ) {
+ if ( ( rc = create_validator ( &monojob, part->chain,
NULL ) ) != 0 )
goto err_create_validator;
if ( ( rc = monojob_wait ( NULL, 0 ) ) != 0 )
@@ -86,16 +71,14 @@ int imgverify ( struct image *image, struct image *signature,
/* Use signature to verify image */
now = time ( NULL );
- if ( ( rc = cms_verify ( sig, image->data, image->len,
- name, now, NULL, NULL ) ) != 0 )
+ if ( ( rc = cms_verify ( cms, image, name, now, NULL, NULL ) ) != 0 )
goto err_verify;
- /* Drop reference to signature */
- cms_put ( sig );
- sig = NULL;
+ /* Drop reference to message */
+ cms_put ( cms );
+ cms = NULL;
- /* Mark image as trusted */
- image_trust ( image );
+ /* Record signature verification */
syslog ( LOG_NOTICE, "Image \"%s\" signature OK\n", image->name );
return 0;
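Review bot: The `/* Record signature verification */` comment on the success path now describes only a syslog call; the `image_trust ( image )` removed here and the `image_untrust ( image )` removed in the previous hunk mean the trust transition presumably happens inside the reworked `cms_verify ( cms, image, name, now, NULL, NULL )`, which cannot be confirmed from this diff. Since imgverify is the point at which a script decides an image may be executed, the function header (outside the hunk) should state that explicitly, e.g. `Trust state is set by cms_verify(); this function completes the certificate chains and logs the outcome.` If cms_verify does not also untrust the image on every failure path, as the old leading image_untrust did, an image previously marked trusted would keep that status after a failed re-verification — worth checking. imgverify's error labels are in the following hunk.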
@@ -103,10 +86,8 @@ int imgverify ( struct image *image, struct image *signature,
err_verify:
err_validator_wait:
err_create_validator:
- cms_put ( sig );
+ cms_put ( cms );
err_parse:
- free ( data );
- err_asn1:
syslog ( LOG_ERR, "Image \"%s\" signature bad: %s\n",
image->name, strerror ( rc ) );
return rc;
diff --git a/src/usr/ipstat.c b/src/usr/ipstat.c
index 0f09cc2ff..c0d9739fa 100644
--- a/src/usr/ipstat.c
+++ b/src/usr/ipstat.c
@@ -22,25 +22,28 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <stdio.h>
+#include <ipxe/tcp.h>
#include <ipxe/ipstat.h>
#include <usr/ipstat.h>
/** @file
*
- * IP statistics
+ * TCP/IP statistics
*
*/
/**
- * Print IP statistics
+ * Print TCP/IP statistics
*
*/
void ipstat ( void ) {
struct ip_statistics_family *family;
struct ip_statistics *stats;
+ /* Print per-family statistics */
for_each_table_entry ( family, IP_STATISTICS_FAMILIES ) {
stats = family->stats;
printf ( "IP version %d:\n", family->version );
@@ -63,4 +66,12 @@ void ipstat ( void ) {
stats->out_mcast_pkts, stats->out_bcast_pkts,
stats->out_octets );
}
+
+ /* Print TCP statistics */
+ printf ( "TCP:\n" );
+ printf ( " InSegs:%ld InOctets:%ld InOctetsGood:%ld\n",
+ tcp_stats.in_segs, tcp_stats.in_octets,
+ tcp_stats.in_octets_good );
+ printf ( " InDiscards:%ld InOutOfOrder:%ld\n",
+ tcp_stats.in_discards, tcp_stats.in_out_of_order );
}
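Review bot: The new TCP lines at `printf ( " InSegs:%ld InOctets:%ld InOctetsGood:%ld\n", ...` print the counters with `%ld`; if the tcp_stats fields are declared unsigned long (their definition is in ipxe/tcp.h, not in this diff), `%lu` is the matching conversion and values above LONG_MAX would otherwise print as negative. The existing per-family IP lines above most likely use the same specifier, so the two sections should be changed together or left consistent. The enclosing ipstat function starts in the earlier hunk.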
diff --git a/src/usr/neighmgmt.c b/src/usr/neighmgmt.c
index 9fd88f82b..79f62e6d3 100644
--- a/src/usr/neighmgmt.c
+++ b/src/usr/neighmgmt.c
@@ -22,6 +22,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <stdio.h>
#include <ipxe/neighbour.h>
@@ -50,9 +51,8 @@ void nstat ( void ) {
printf ( "%s %s %s is %s %s", netdev->name, net_protocol->name,
net_protocol->ntoa ( neighbour->net_dest ),
ll_protocol->name,
- ( neighbour_has_ll_dest ( neighbour ) ?
- ll_protocol->ntoa ( neighbour->ll_dest ) :
- "(incomplete)" ) );
+ ( neighbour->discovery ? "(incomplete)" :
+ ll_protocol->ntoa ( neighbour->ll_dest ) ) );
if ( neighbour->discovery )
printf ( " (%s)", neighbour->discovery->name );
printf ( "\n" );
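Review bot: The printed link-layer address at `( neighbour->discovery ? "(incomplete)" :` now relies on `discovery` being cleared once the destination is resolved, replacing the explicit `neighbour_has_ll_dest` test; if an entry can hold a still-valid `ll_dest` while a refresh discovery is in flight, the display changes from the address to "(incomplete)", which hinges on neighbour.c semantics not visible here. A short comment, `/* discovery is non-NULL only while ll_dest is unresolved */`, would record the invariant the output depends on. nstat's loop header lies outside the hunk.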
diff --git a/src/usr/nslookup.c b/src/usr/nslookup.c
index eb2b08b42..e4386e2c0 100644
--- a/src/usr/nslookup.c
+++ b/src/usr/nslookup.c
@@ -18,6 +18,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER );
+FILE_SECBOOT ( PERMITTED );
#include <stdlib.h>
#include <stdio.h>
diff --git a/src/usr/ntpmgmt.c b/src/usr/ntpmgmt.c
index 765c6dc9e..8b61662a0 100644
--- a/src/usr/ntpmgmt.c
+++ b/src/usr/ntpmgmt.c
@@ -22,6 +22,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <stdint.h>
#include <stdio.h>
diff --git a/src/usr/pingmgmt.c b/src/usr/pingmgmt.c
index bb33c5d47..fee6b438b 100644
--- a/src/usr/pingmgmt.c
+++ b/src/usr/pingmgmt.c
@@ -22,6 +22,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <stdint.h>
#include <stdio.h>
diff --git a/src/usr/profstat.c b/src/usr/profstat.c
index d80fa26b2..7fafd7b5f 100644
--- a/src/usr/profstat.c
+++ b/src/usr/profstat.c
@@ -22,6 +22,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <stdio.h>
#include <ipxe/profile.h>
diff --git a/src/usr/prompt.c b/src/usr/prompt.c
index fca0a157c..ea233e2ed 100644
--- a/src/usr/prompt.c
+++ b/src/usr/prompt.c
@@ -22,6 +22,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
/** @file
*
diff --git a/src/usr/route.c b/src/usr/route.c
index 690ba3b6b..77c68eeb3 100644
--- a/src/usr/route.c
+++ b/src/usr/route.c
@@ -22,6 +22,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <ipxe/netdevice.h>
#include <usr/route.h>
diff --git a/src/usr/route_ipv4.c b/src/usr/route_ipv4.c
index 6260335ac..21b0820da 100644
--- a/src/usr/route_ipv4.c
+++ b/src/usr/route_ipv4.c
@@ -22,6 +22,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <stdio.h>
#include <ipxe/netdevice.h>
@@ -41,16 +42,51 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
*/
static void route_ipv4_print ( struct net_device *netdev ) {
struct ipv4_miniroute *miniroute;
+ struct ipv4_miniroute *defroute;
+ struct in_addr address;
+ struct in_addr network;
+ struct in_addr netmask;
+ struct in_addr gateway;
+ int remote;
+ /* Print routing table */
list_for_each_entry ( miniroute, &ipv4_miniroutes, list ) {
+
+ /* Skip non-matching network devices */
if ( miniroute->netdev != netdev )
continue;
- printf ( "%s: %s/", netdev->name,
- inet_ntoa ( miniroute->address ) );
- printf ( "%s", inet_ntoa ( miniroute->netmask ) );
- if ( miniroute->gateway.s_addr )
- printf ( " gw %s", inet_ntoa ( miniroute->gateway ) );
- if ( ! netdev_is_open ( miniroute->netdev ) )
+ address = miniroute->address;
+ network = miniroute->network;
+ netmask = miniroute->netmask;
+ gateway = miniroute->gateway;
+ assert ( ( network.s_addr & ~netmask.s_addr ) == 0 );
+
+ /* Defer default routes to be printed with local addresses */
+ if ( ! netmask.s_addr )
+ continue;
+
+ /* Print local address and destination subnet */
+ remote = ( ( address.s_addr ^ network.s_addr ) &
+ netmask.s_addr );
+ printf ( "%s: %s", netdev->name, inet_ntoa ( address ) );
+ if ( remote )
+ printf ( " for %s", inet_ntoa ( network ) );
+ printf ( "/%s", inet_ntoa ( netmask ) );
+ if ( gateway.s_addr )
+ printf ( " gw %s", inet_ntoa ( gateway ) );
+
+ /* Print default routes with local subnets */
+ list_for_each_entry ( defroute, &ipv4_miniroutes, list ) {
+ if ( ( defroute->netdev == netdev ) &&
+ ( defroute->address.s_addr = address.s_addr ) &&
+ ( ! defroute->netmask.s_addr ) && ( ! remote ) ) {
+ printf ( " gw %s",
+ inet_ntoa ( defroute->gateway ) );
+ }
+ }
+
+ /* Print trailer */
+ if ( ! netdev_is_open ( netdev ) )
printf ( " (inaccessible)" );
printf ( "\n" );
}
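Review bot: The inner default-route match at `( defroute->address.s_addr = address.s_addr ) &&` uses assignment rather than comparison, so it overwrites the address of every default route on this device with the current local address while merely printing, and the condition is true whenever that address is non-zero; it should read `( defroute->address.s_addr == address.s_addr ) &&`. Because ipv4_miniroutes is the same table the forwarding path consults, a `route` command would silently change which local address default routes are bound to. Building with -Wparentheses, or writing the constant-side comparison form, would have caught this. route_ipv4_print's closing brace is outside the hunk.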
diff --git a/src/usr/route_ipv6.c b/src/usr/route_ipv6.c
index 9e94b4a15..9d773ec60 100644
--- a/src/usr/route_ipv6.c
+++ b/src/usr/route_ipv6.c
@@ -22,6 +22,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <stdio.h>
#include <ipxe/netdevice.h>
diff --git a/src/usr/shimmgmt.c b/src/usr/shimmgmt.c
index 6ac1ac35e..fb063ad51 100644
--- a/src/usr/shimmgmt.c
+++ b/src/usr/shimmgmt.c
@@ -22,6 +22,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <ipxe/efi/efi.h>
#include <ipxe/efi/efi_shim.h>
diff --git a/src/usr/sync.c b/src/usr/sync.c
index f599588ae..1e740bd4c 100644
--- a/src/usr/sync.c
+++ b/src/usr/sync.c
@@ -22,6 +22,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+FILE_SECBOOT ( PERMITTED );
#include <stddef.h>
#include <ipxe/job.h>