The construct is a POSIX invention, but it's just so useful, let's also
define it in EFI mode, so that we can use similar constructs in EFI mode
and userspace.
This commit adds support for loading, measuring and handling a ".ucode"
UKI section. This section is functionally an initrd, intended for
microcode updates. As such it will always be passed to the kernel first.
Adds a util function to sha256 an open fd (moved from dissect). Also
adds functions to check if a string contains a valid sha256 hash, and
parse it into a sha256 array.
ADD_SAFE/SUB_SAFE/MUL_SAFE do addition/subtraction/multiplication
respectively with an overflow check. If an overflow occurs these return
false, otherwise true. Example: (c = a + b) would become ADD_SAFE(&c, a,
b)
INC_SAFE/DEC_SAFE/MUL_ASSIGN_SAFE are like above but they also reassign
the first argument. Example: (a += b) would become INC_SAFE(&a, b)
This does what we do for system extension also for configuration
extension.
This is complicated by the fact that we previously looked for
<uki-binary>.d/*.raw for system extensions. We want to measure sysexts
and confexts to different PCRs (13 vs. 12) hence we must distinguish
them, but *.raw would match both kinds.
This commit solves this via the following mechanism: we'll load confexts
from *.confext.raw and sysexts from *.raw but will then enclude
*.confext.raw from the latter. This preserves compatibility but allows
us to somewhat reasonable distinguish both types of images.
The documentation is updated not going into this detail though, and
instead now claims that sysexts shall be *.sysext.raw and confexts
*.confext.raw even though we actually are more lenient than this. This
is simply to push people towards using the longer, more descriptive
suffixes.
I added an XML comment (<!-- … -->) about this to the docs, so that
whenever somebody notices the difference between code and docs
understands why and leaves it that way.
Ultimately we want to be able to recognize these in userspace, hence
make them available in both UEFI mode and userspace.
While we are at it, let's rename the fields a bit, reflecting more what
they measure, not what the metadata is that we store about them.
E.g. Consider the case ALIGN_TO(SIZE_MAX - 3, 4). The overflow check
passes as the condition
```
SIZE_MAX - 3 > SIZE_MAX - (4 - 1)
```
is false.
However, the value
```
l + ali - 1
```
may overflow as it is equivalent to
```
SIZE_MAX - 3 + 4 - 1
```
Currently we have a 100ms delay which allows for people to enter/show
the boot menu even when timeout is set to zero.
In a handful of cases, that may not be needed - both in terms of access
policy, as well as latency.
For example: the option to provide the boot menu may be hidden behind an
"expert only" UX in the OS, to avoid end users from accidentally
entering it.
In addition, the current 100ms input polling may cause unexpected
additional delays in the boot. Some example numbers from my SteamDeck:
- boot counting/rename/flush doubles 300us -> 600us
- seed/hash setup doubles 900us -> 1800us
- kernel/image load gets ~40% slower 107ms -> 167ms
It's not entirely clear why the UEFI calls gets slower, nevertheless the
information in itself proves useful.
This commit introduces a new option "menu-disabled", which omits the
100ms delay. The option is documented throughout the manual pages as
well as the Boot Loader Specification.
v2:
- use STR_IN_SET
v3:
- drop erroneous whitespace
v4:
- add a new LoaderFeature bit,
- don't change ABI keep TIMEOUT_* tokens the same
- move new token in the 64bit range, update API and storage for it
- change inc/dec behaviour to TIMEOUT_MIN : TIMEOUT_MENU_FORCE
- user cannot opt-in from sd-boot itself, add assert_not_reached()
v5:
- s/Menu disablement control/Menu can be disabled/
- rewrap comments to 109
- use SYNTHETIC_ERRNO(EOPNOTSUPP)
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
note that this slightly changes the semantic of assert when NDEBUG is
defined. if there's an extern function call (without attribute pure or
similar) then the compiler has to assume it has side effects and still
emit the function call.
whereas the old assert guaranteed that nothing will be evaluated on
NDEBUG.
Closes: https://github.com/systemd/systemd/issues/29408
This makes the special PE sections available again in our output EFI
images.
Since the compiler provides no way to mark a section as not allocated,
we use GNU assembler syntax to emit the sections instead. This ensures
the section data isn't emitted twice as load segments will only contain
allocating input sections.
The implementations are not 100% overlapping, so use different identifiers, so
that revocations can be done independently. e.g.: a bug that affects only
sd-boot won't necessarily cause old UKIs to be revoked.
The use of vcs_tag was dropped in #28567, which results in builds having
stale version information once new commit are made.
This also fixes a case where CI builds would have no version information
because they are checked out without any tags for git-describe to use.
Additionally, use `--git-dir` now, as that particular issues seems to
have been fixed by now.
I always found it confusing that most of our TPM related definitions are
in tpm2-util.h, but the PCR names in tpm-pcr.h, without the "2". Let's
fix that and make this systematic, in particular as the definitions in
the file all start with TPM2_ already.
No code flow changes, just some renaming.
We so far maintained two places for symboic names for PCRs. One in
tpm2-util.h and one in tpm-pcr.h.
Let's unify this into one, i.e. move the full list from tpm2-util.h into
tpm-pcr.h, replacing the short list placed so far there.
Systematically prefix the definitions with TPM2_ or tpm2_, to follow how
we do this for all other defines in this context.
No change in behaviour, just unification of tables.
We gained a bunch of new features that deserve reporting to userspace,
hence add matching flags for each.
This allows userspace to determine if installing addons in the ESP even
makes sense.
This is inspired by a similar changes in #28057
__builtin_popcount() is a bit of a mouthful, so let's provide a helper.
Using _Generic has the advantage that if a type other then the ones on
the list is given, compilation will fail. This is nice, because if by any
change we pass a wider type, it is rejected immediately instead of being
truncated.
log.h is also needed. It is included transitively, but let's include it
directly.
macro.h is *not* needed.
This adds back sd-boot builds by using meson compile targets directly.
We can do this now, because userspace binaries use the special
dependency that allows us to easily separate flags, so that we don't
pass anything to EFI builds that shouldn't be passed.
Additionally, we pass a bunch of flags to hopefully disable/override any
distro provided flags that should not be used for EFI binaries.
Fixes: #12275
This drops all mentions of gnu-efi and its manual build machinery. A
future commit will bring bootloader builds back. A new bootloader meson
option is now used to control whether to build sd-boot and its userspace
tooling.
These are provided by libc instead of the compiler and are not supposed
to be used in freestanding environments.
When cross-compiling with clang and the corresponding gcc
cross-toolchain is not around, clang may pick up the wrong header from
the host system.
We want to get away from gnu-efi and the only really usable source of
EFI headers would be EDK2, which is somewhat impractical to use and
quite large to require to be around just for some headers.
As a bonus point, the new headers are safe to be included in userspace
code.
This should not have any behavior changes as it is mostly changing
header includes. There are some renames to conform to standard names
and a few minor device path fixups as the struct is defined slightly
different.
Of note is that this removes usage of uchar.h and wchar.h as they are
not guaranteed to be available in a freestanding environment. Instead
efi.h will provide the needed types.
I tried to use DECLARE_FLEX_ARRAY like the kernel does, but it does not work
for anonymous structs (they cannot be declared inline), so an open-coded
version is used.
