sync with OpenBSD -current
parent
676afb990b
commit
39bad15604
@ -351,6 +351,7 @@
|
||||
./usr/include/dev/ic/pgtreg.h
|
||||
./usr/include/dev/ic/pgtvar.h
|
||||
./usr/include/dev/ic/pluartvar.h
|
||||
./usr/include/dev/ic/pspvar.h
|
||||
./usr/include/dev/ic/qlareg.h
|
||||
./usr/include/dev/ic/qlavar.h
|
||||
./usr/include/dev/ic/qlwreg.h
|
||||
@ -2230,7 +2231,6 @@
|
||||
./usr/share/man/man3/X509_check_issued.3
|
||||
./usr/share/man/man3/X509_check_private_key.3
|
||||
./usr/share/man/man3/X509_check_purpose.3
|
||||
./usr/share/man/man3/X509_check_trust.3
|
||||
./usr/share/man/man3/X509_cmp.3
|
||||
./usr/share/man/man3/X509_cmp_time.3
|
||||
./usr/share/man/man3/X509_digest.3
|
||||
@ -2252,8 +2252,6 @@
|
||||
./usr/share/man/man3/X509_sign.3
|
||||
./usr/share/man/man3/X509_signature_dump.3
|
||||
./usr/share/man/man3/X509_verify_cert.3
|
||||
./usr/share/man/man3/X509at_add1_attr.3
|
||||
./usr/share/man/man3/X509at_get_attr.3
|
||||
./usr/share/man/man3/X509v3_addr_add_inherit.3
|
||||
./usr/share/man/man3/X509v3_addr_get_range.3
|
||||
./usr/share/man/man3/X509v3_addr_inherits.3
|
||||
|
@ -103,6 +103,7 @@
|
||||
./usr/share/games/quiz.db/elements
|
||||
./usr/share/games/quiz.db/europe
|
||||
./usr/share/games/quiz.db/flowers
|
||||
./usr/share/games/quiz.db/greek
|
||||
./usr/share/games/quiz.db/inca
|
||||
./usr/share/games/quiz.db/index
|
||||
./usr/share/games/quiz.db/latin
|
||||
|
@ -1,4 +1,4 @@
|
||||
vers(a, {-$OpenBSD: MAKEDEV.common,v 1.120 2023/01/28 11:04:47 phessler Exp $-})dnl
|
||||
vers(a, {-$OpenBSD: MAKEDEV.common,v 1.121 2024/09/03 09:35:46 bluhm Exp $-})dnl
|
||||
dnl
|
||||
dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
|
||||
dnl
|
||||
@ -167,6 +167,7 @@ target(all, bpf)dnl
|
||||
target(all, kcov)dnl
|
||||
target(all, dt)dnl
|
||||
target(all, kstat)dnl
|
||||
target(all, psp)dnl
|
||||
dnl
|
||||
_mkdev(all, {-all-}, {-dnl
|
||||
show_target(all)dnl
|
||||
@ -535,3 +536,5 @@ __devitem(kstat, kstat, Kernel Statistics)dnl
|
||||
_mkdev(kstat, kstat, {-M kstat c major_kstat_c 0 640-})dnl
|
||||
__devitem(efi, efi, EFI runtime services)dnl
|
||||
_mkdev(efi, efi, {-M efi c major_efi_c 0 600-})dnl
|
||||
__devitem(psp, psp, Platform Security Processor)dnl
|
||||
_mkdev(psp, psp, {-M psp c major_psp_c 0 600-})dnl
|
||||
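Review bot: The mode on the new psp node is not explained anywhere in the hunk. `_mkdev(psp, psp, {-M psp c major_psp_c 0 600-})dnl` creates it as 600 with no owner or group field, which matches the efi entry just above and is tighter than the 640 used for kstat. Since the node is described only as "Platform Security Processor", a short note such as `dnl psp: keep root-only (600); review what the driver exposes before widening` above the `__devitem(psp, ...)` line would record that the restriction is deliberate. Whether `major_psp_c` is defined for every architecture that picks up `target(all, psp)` cannot be checked from this page; only the amd64 `_DEV(psp, 101)` is visible.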
|
@ -3,8 +3,8 @@
|
||||
# THIS FILE AUTOMATICALLY GENERATED. DO NOT EDIT.
|
||||
# generated from:
|
||||
#
|
||||
# OpenBSD: etc.amd64/MAKEDEV.md,v 1.82 2023/01/14 12:15:12 kettenis Exp
|
||||
# OpenBSD: MAKEDEV.common,v 1.120 2023/01/28 11:04:47 phessler Exp
|
||||
# OpenBSD: etc.amd64/MAKEDEV.md,v 1.83 2024/09/03 09:35:46 bluhm Exp
|
||||
# OpenBSD: MAKEDEV.common,v 1.121 2024/09/03 09:35:46 bluhm Exp
|
||||
# OpenBSD: MAKEDEV.mi,v 1.83 2016/09/11 03:06:31 deraadt Exp
|
||||
# OpenBSD: MAKEDEV.sub,v 1.14 2005/02/07 06:14:18 david Exp
|
||||
#
|
||||
@ -101,6 +101,7 @@
|
||||
# vscsi* Virtual SCSI controller
|
||||
# pvbus* paravirtual device tree root
|
||||
# kstat Kernel Statistics
|
||||
# psp Platform Security Processor
|
||||
PATH=/sbin:/usr/sbin:/bin:/usr/bin
|
||||
T=$0
|
||||
|
||||
@ -252,6 +253,10 @@ ttyc*)
|
||||
M cuac$U c 38 $(($U+128)) 660 dialer root
|
||||
;;
|
||||
|
||||
psp)
|
||||
M psp c 101 0 600
|
||||
;;
|
||||
|
||||
kstat)
|
||||
M kstat c 51 0 640
|
||||
;;
|
||||
@ -604,7 +609,7 @@ all)
|
||||
R sd4 sd5 sd6 sd7 sd8 sd9 cd0 cd1 rd0 tap0 tap1 tap2 tap3 tun0
|
||||
R tun1 tun2 tun3 bio pty0 fd1 fd1B fd1C fd1D fd1E fd1F fd1G
|
||||
R fd1H fd0 fd0B fd0C fd0D fd0E fd0F fd0G fd0H diskmap vscsi0
|
||||
R ch0 audio0 audio1 audio2 audio3 kstat dt kcov bpf pvbus0
|
||||
R ch0 audio0 audio1 audio2 audio3 psp kstat dt kcov bpf pvbus0
|
||||
R pvbus1 vmm fuse pppac pppx hotplug ptm local wscons pci0
|
||||
R pci1 pci2 pci3 uall rmidi0 rmidi1 rmidi2 rmidi3 rmidi4
|
||||
R rmidi5 rmidi6 rmidi7 tuner0 radio0 speaker video0 video1 uk0
|
||||
|
@ -1,6 +1,6 @@
|
||||
define(MACHINE,amd64)dnl
|
||||
vers(__file__,
|
||||
{-$OpenBSD: MAKEDEV.md,v 1.82 2023/01/14 12:15:12 kettenis Exp $-},
|
||||
{-$OpenBSD: MAKEDEV.md,v 1.83 2024/09/03 09:35:46 bluhm Exp $-},
|
||||
etc.MACHINE)dnl
|
||||
dnl
|
||||
dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
|
||||
@ -99,6 +99,7 @@ _DEV(vmm, 10)
|
||||
_DEV(vscsi, 89)
|
||||
_DEV(pvbus, 95)
|
||||
_DEV(kstat, 51)
|
||||
_DEV(psp, 101)
|
||||
dnl
|
||||
divert(__mddivert)dnl
|
||||
dnl
|
||||
|
@ -1,10 +1,10 @@
|
||||
# $OpenBSD: Makefile,v 1.9 2024/08/23 17:29:08 deraadt Exp $
|
||||
# $OpenBSD: Makefile,v 1.10 2024/09/02 16:34:44 deraadt Exp $
|
||||
|
||||
PROG= quiz
|
||||
MAN= quiz.6
|
||||
SRCS= quiz.c rxp.c
|
||||
CATS= africa america arith asia babies bard chinese collectives \
|
||||
ed elements europe flowers ship inca index latin locomotive \
|
||||
ed elements europe flowers greek ship inca index latin locomotive \
|
||||
midearth morse mult murders poetry posneg pres province seq-easy \
|
||||
seq-hard sexes sov state trek ucc
|
||||
|
||||
|
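--- /dev/null
+++ b/games/quiz/datfiles/greek
@@ -0,0 +1,7 @@
+acme:acme:[high[est] point|peak]
+chaos:chaos:[first state of the universe|abyss|infinite darkness]
+cosmos:cosmos:universe|world
+hubris:hubris:[[insolent|wanton] violence]|insolence
+metamorphosis:metamorphosis:transformation
+trauma:trauma:wound|hurt
+kudos:kudos:glory|renown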
@ -11,6 +11,7 @@
|
||||
/usr/share/games/quiz.db/elements:symbol:number:weight:element
|
||||
/usr/share/games/quiz.db/europe:Europe{an}:cap{ital}
|
||||
/usr/share/games/quiz.db/flowers:flower{s}:meaning
|
||||
/usr/share/games/quiz.db/greek:greek:english:def{inition}
|
||||
/usr/share/games/quiz.db/inca:inca:succ{essor}
|
||||
/usr/share/games/quiz.db/latin:latin:english
|
||||
/usr/share/games/quiz.db/locomotive:locomotive:name
|
||||
|
@ -1,5 +1,5 @@
|
||||
#!/bin/ksh
|
||||
# $OpenBSD: check_sym,v 1.12 2024/08/15 01:25:13 guenther Exp $
|
||||
# $OpenBSD: check_sym,v 1.13 2024/09/03 08:49:16 tb Exp $
|
||||
#
|
||||
# Copyright (c) 2016,2019,2022 Philip Guenther <guenther@openbsd.org>
|
||||
#
|
||||
@ -425,7 +425,7 @@ done
|
||||
|
||||
{
|
||||
echo "$old --> $new"
|
||||
$dynamic && dynamic_output
|
||||
$static && static_output
|
||||
! $dynamic || dynamic_output
|
||||
! $static || static_output
|
||||
}
|
||||
|
||||
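Review bot: The rewritten guards in the final brace group carry no comment, and `! $dynamic || dynamic_output` reads as an odd spelling of `$dynamic && dynamic_output` unless the reader already knows why it was changed. Taking the second pair as the new side (the page prints the old version line first), the likely reason is exit status: with the `&&` form a false flag makes the list, and so the group, finish non-zero, while the `||` form finishes with zero when the flag is false and otherwise passes through the status of the output function. A line such as `# "! $flag || fn": a false flag must not leave a non-zero status` above the two guards would keep a later cleanup from reverting them. Whatever consumes the group's output or status lies outside the hunk.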
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: inet_pton.c,v 1.10 2015/09/13 21:36:08 guenther Exp $ */
|
||||
/* $OpenBSD: inet_pton.c,v 1.11 2024/09/03 17:05:59 deraadt Exp $ */
|
||||
|
||||
/* Copyright (c) 1996 by Internet Software Consortium.
|
||||
*
|
||||
@ -87,7 +87,7 @@ inet_pton4(const char *src, u_char *dst)
|
||||
|
||||
if (new > 255)
|
||||
return (0);
|
||||
if (! saw_digit) {
|
||||
if (!saw_digit) {
|
||||
if (++octets > 4)
|
||||
return (0);
|
||||
saw_digit = 1;
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: CMS_signed_add1_attr.3,v 1.3 2024/01/22 14:00:13 tb Exp $
|
||||
.\" $OpenBSD: CMS_signed_add1_attr.3,v 1.5 2024/09/02 07:54:21 tb Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2024 Job Snijders <job@openbsd.org>
|
||||
.\" Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
|
||||
@ -16,7 +16,7 @@
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd $Mdocdate: January 22 2024 $
|
||||
.Dd $Mdocdate: September 2 2024 $
|
||||
.Dt CMS_SIGNED_ADD1_ATTR 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -81,7 +81,7 @@
|
||||
.Fo CMS_signed_get0_data_by_OBJ
|
||||
.Fa "CMS_SignerInfo *si"
|
||||
.Fa "const ASN1_OBJECT *oid"
|
||||
.Fa "int lastpos"
|
||||
.Fa "int start_after"
|
||||
.Fa "int type"
|
||||
.Fc
|
||||
.Ft "X509_ATTRIBUTE *"
|
||||
@ -93,13 +93,13 @@
|
||||
.Fo CMS_signed_get_attr_by_NID
|
||||
.Fa "const CMS_SignerInfo *si"
|
||||
.Fa "int nid"
|
||||
.Fa "int lastpos"
|
||||
.Fa "int start_after"
|
||||
.Fc
|
||||
.Ft int
|
||||
.Fo CMS_signed_get_attr_by_OBJ
|
||||
.Fa "const CMS_SignerInfo *si"
|
||||
.Fa "const ASN1_OBJECT *obj"
|
||||
.Fa "int lastpos"
|
||||
.Fa "int start_after"
|
||||
.Fc
|
||||
.Ft int
|
||||
.Fo CMS_signed_get_attr_count
|
||||
@ -143,7 +143,7 @@
|
||||
.Fo CMS_unsigned_get0_data_by_OBJ
|
||||
.Fa "CMS_SignerInfo *si"
|
||||
.Fa "ASN1_OBJECT *oid"
|
||||
.Fa "int lastpos"
|
||||
.Fa "int start_after"
|
||||
.Fa "int type"
|
||||
.Fc
|
||||
.Ft "X509_ATTRIBUTE *"
|
||||
@ -155,13 +155,13 @@
|
||||
.Fo CMS_unsigned_get_attr_by_NID
|
||||
.Fa "const CMS_SignerInfo *si"
|
||||
.Fa "int nid"
|
||||
.Fa "int lastpos"
|
||||
.Fa "int start_after"
|
||||
.Fc
|
||||
.Ft int
|
||||
.Fo CMS_unsigned_get_attr_by_OBJ
|
||||
.Fa "const CMS_SignerInfo *si"
|
||||
.Fa "const ASN1_OBJECT *obj"
|
||||
.Fa "int lastpos"
|
||||
.Fa "int start_after"
|
||||
.Fc
|
||||
.Ft int
|
||||
.Fo CMS_unsigned_get_attr_count
|
||||
@ -176,29 +176,18 @@ a set of signed attributes in the
|
||||
array and a set of unsigned attributes in the
|
||||
.Fa unsignedAttrs
|
||||
array.
|
||||
The functions in this manual are wrappers of the
|
||||
.Fn X509at_*
|
||||
functions.
|
||||
All arguments except
|
||||
.Fa si
|
||||
are passed to
|
||||
.Fn X509at_* .
|
||||
The
|
||||
.Fn CMS_signed_*
|
||||
and
|
||||
.Fn CMS_unsigned_*
|
||||
functions are similar, except
|
||||
.Fn CMS_signed_*
|
||||
calls
|
||||
.Fn X509at_*
|
||||
with the
|
||||
.Em CMS_SignerInfo
|
||||
modifies the
|
||||
.Vt CMS_SignerInfo
|
||||
object's set of signed attributes and
|
||||
.Fn CMS_unsigned_*
|
||||
calls
|
||||
.Fn X509at_*
|
||||
with the
|
||||
.Em CMS_SignerInfo
|
||||
modifies the
|
||||
.Vt CMS_SignerInfo
|
||||
object's set of unsigned attributes.
|
||||
For brevity only the
|
||||
.Fn CMS_signed_*
|
||||
@ -218,10 +207,11 @@ allocating a new array if necessary.
|
||||
and
|
||||
.Fn CMS_signed_add1_attr_by_txt
|
||||
create a new X.501 Attribute object using
|
||||
.Xr X509at_add1_attr_by_NID 3 ,
|
||||
.Xr X509at_add1_attr_by_OBJ 3 ,
|
||||
and
|
||||
.Xr X509at_add1_attr_by_txt 3 ,
|
||||
.Xr X509_ATTRIBUTE_create_by_NID 3 ,
|
||||
.Xr X509_ATTRIBUTE_create_by_OBJ 3 ,
|
||||
or
|
||||
.Xr X509_ATTRIBUTE_create_by_txt 3 ,
|
||||
respectively,
|
||||
and append it to the
|
||||
.Fa signedAttrs
|
||||
array of
|
||||
@ -240,26 +230,26 @@ of
|
||||
and
|
||||
.Fn CMS_signed_get_attr_by_OBJ
|
||||
search the array starting after the index
|
||||
.Fa lastpos .
|
||||
.Fa start_after .
|
||||
They fail if no matching object is found.
|
||||
.Fn CMS_signed_get0_data_by_OBJ
|
||||
also fails if the data is not of the requested
|
||||
.Fa type .
|
||||
.Pp
|
||||
Additionally, the
|
||||
.Fa lastpos
|
||||
.Fa start_after
|
||||
argument of
|
||||
.Fn CMS_signed_get0_data_by_OBJ
|
||||
is interpreted in a special way.
|
||||
If
|
||||
.Fa lastpos
|
||||
.Fa start_after
|
||||
is \-2 or smaller, the function also fails if the
|
||||
.Fa signedAttrs
|
||||
array of
|
||||
.Fa si ,
|
||||
contains more than one matching object.
|
||||
If
|
||||
.Fa lastpos
|
||||
.Fa start_after
|
||||
is \-3 or smaller, it also fails unless the matching object contains exactly
|
||||
one value.
|
||||
.Pp
|
||||
@ -315,7 +305,7 @@ and
|
||||
.Fn CMS_unsigned_get0_data_by_OBJ
|
||||
return an internal pointer to the data contained in the value of the first
|
||||
object that has an index greater than
|
||||
.Fa lastpos
|
||||
.Fa start_after
|
||||
and a type matching
|
||||
.Fa type ,
|
||||
or NULL on failure.
|
||||
@ -331,7 +321,7 @@ return an internal pointer or NULL on failure.
|
||||
and
|
||||
.Fn CMS_unsigned_get_attr_by_OBJ
|
||||
return the index of the first object in the array that has an index greater than
|
||||
.Fa lastpos
|
||||
.Fa start_after
|
||||
and a type matching
|
||||
.Fa nid
|
||||
or
|
||||
@ -356,8 +346,7 @@ return the number of array elements or \-1 on failure.
|
||||
.Xr CMS_get0_SignerInfos 3 ,
|
||||
.Xr OBJ_nid2obj 3 ,
|
||||
.Xr X509_ATTRIBUTE_create_by_OBJ 3 ,
|
||||
.Xr X509_ATTRIBUTE_new 3 ,
|
||||
.Xr X509at_add1_attr 3
|
||||
.Xr X509_ATTRIBUTE_new 3
|
||||
.Sh STANDARDS
|
||||
RFC 5652: Cryptographic Message Syntax (CMS)
|
||||
.Bl -dash -compact -offset indent
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: Makefile,v 1.292 2024/08/29 20:25:13 tb Exp $
|
||||
# $OpenBSD: Makefile,v 1.294 2024/09/02 08:04:32 tb Exp $
|
||||
|
||||
.include <bsd.own.mk>
|
||||
|
||||
@ -354,7 +354,6 @@ MAN= \
|
||||
X509_check_issued.3 \
|
||||
X509_check_private_key.3 \
|
||||
X509_check_purpose.3 \
|
||||
X509_check_trust.3 \
|
||||
X509_cmp.3 \
|
||||
X509_cmp_time.3 \
|
||||
X509_digest.3 \
|
||||
@ -376,8 +375,6 @@ MAN= \
|
||||
X509_sign.3 \
|
||||
X509_signature_dump.3 \
|
||||
X509_verify_cert.3 \
|
||||
X509at_add1_attr.3 \
|
||||
X509at_get_attr.3 \
|
||||
X509v3_addr_add_inherit.3 \
|
||||
X509v3_addr_get_range.3 \
|
||||
X509v3_addr_inherits.3 \
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.22 2024/05/07 20:40:07 tb Exp $
|
||||
.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.23 2024/09/02 08:04:32 tb Exp $
|
||||
.\" full merge up to:
|
||||
.\" OpenSSL man3/PEM_read_bio_PrivateKey.pod 18bad535 Apr 9 15:13:55 2019 +0100
|
||||
.\" OpenSSL man3/PEM_read_CMS.pod 83cf7abf May 29 13:07:08 2018 +0100
|
||||
@ -51,7 +51,7 @@
|
||||
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: May 7 2024 $
|
||||
.Dd $Mdocdate: September 2 2024 $
|
||||
.Dt PEM_READ_BIO_PRIVATEKEY 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -896,9 +896,6 @@ The
|
||||
functions process a trusted X509 certificate using an
|
||||
.Vt X509
|
||||
structure.
|
||||
The
|
||||
.Xr X509_check_trust 3
|
||||
manual explains how the auxiliary trust information is used.
|
||||
.Pp
|
||||
The
|
||||
.Sy X509_REQ
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: PKCS8_pkey_set0.3,v 1.2 2021/10/25 13:48:12 schwarze Exp $
|
||||
.\" $OpenBSD: PKCS8_pkey_set0.3,v 1.3 2024/09/02 07:45:09 tb Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
|
||||
.\"
|
||||
@ -14,7 +14,7 @@
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd $Mdocdate: October 25 2021 $
|
||||
.Dd $Mdocdate: September 2 2024 $
|
||||
.Dt PKCS8_PKEY_SET0 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -120,9 +120,7 @@ is set to the number of bytes in
|
||||
creates a new X.501 Attribute object using
|
||||
.Xr X509_ATTRIBUTE_create_by_NID 3
|
||||
and appends it to the attributes of
|
||||
.Fa keyinfo
|
||||
using
|
||||
.Xr X509at_add1_attr 3 .
|
||||
.Fa keyinfo .
|
||||
.Sh RETURN VALUES
|
||||
.Fn PKCS8_pkey_set0
|
||||
and
|
||||
@ -146,9 +144,7 @@ if no attributes are set.
|
||||
.Xr STACK_OF 3 ,
|
||||
.Xr X509_ALGOR_new 3 ,
|
||||
.Xr X509_ATTRIBUTE_create_by_NID 3 ,
|
||||
.Xr X509_ATTRIBUTE_new 3 ,
|
||||
.Xr X509at_add1_attr 3 ,
|
||||
.Xr X509at_get_attr 3
|
||||
.Xr X509_ATTRIBUTE_new 3
|
||||
.Sh HISTORY
|
||||
.Fn PKCS8_pkey_set0
|
||||
and
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: X509_ATTRIBUTE_new.3,v 1.17 2024/08/24 09:15:36 tb Exp $
|
||||
.\" $OpenBSD: X509_ATTRIBUTE_new.3,v 1.18 2024/09/02 07:57:27 tb Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
|
||||
.\"
|
||||
@ -14,7 +14,7 @@
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd $Mdocdate: August 24 2024 $
|
||||
.Dd $Mdocdate: September 2 2024 $
|
||||
.Dt X509_ATTRIBUTE_NEW 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -121,9 +121,7 @@ fails on
|
||||
.Xr X509_EXTENSION_new 3 ,
|
||||
.Xr X509_new 3 ,
|
||||
.Xr X509_REQ_add1_attr 3 ,
|
||||
.Xr X509_REQ_new 3 ,
|
||||
.Xr X509at_add1_attr 3 ,
|
||||
.Xr X509at_get_attr 3
|
||||
.Xr X509_REQ_new 3
|
||||
.Sh STANDARDS
|
||||
.Bl -ohang
|
||||
.It Xo
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: X509_CINF_new.3,v 1.10 2021/07/24 14:33:14 schwarze Exp $
|
||||
.\" $OpenBSD: X509_CINF_new.3,v 1.11 2024/09/02 08:04:32 tb Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
|
||||
.\"
|
||||
@ -14,7 +14,7 @@
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd $Mdocdate: July 24 2021 $
|
||||
.Dd $Mdocdate: September 2 2024 $
|
||||
.Dt X509_CINF_NEW 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -96,7 +96,6 @@ if an error occurs.
|
||||
.Xr d2i_X509_CINF 3 ,
|
||||
.Xr X509_add1_trust_object 3 ,
|
||||
.Xr X509_CERT_AUX_print 3 ,
|
||||
.Xr X509_check_trust 3 ,
|
||||
.Xr X509_keyid_set1 3 ,
|
||||
.Xr X509_new 3
|
||||
.Sh STANDARDS
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: X509_LOOKUP_hash_dir.3,v 1.12 2021/11/12 14:05:28 schwarze Exp $
|
||||
.\" $OpenBSD: X509_LOOKUP_hash_dir.3,v 1.13 2024/09/02 07:20:21 tb Exp $
|
||||
.\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
|
||||
.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
|
||||
.\"
|
||||
@ -67,7 +67,7 @@
|
||||
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: November 12 2021 $
|
||||
.Dd $Mdocdate: September 2 2024 $
|
||||
.Dt X509_LOOKUP_HASH_DIR 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -77,11 +77,11 @@
|
||||
.Nd certificate lookup methods
|
||||
.Sh SYNOPSIS
|
||||
.In openssl/x509_vfy.h
|
||||
.Ft X509_LOOKUP_METHOD *
|
||||
.Ft const X509_LOOKUP_METHOD *
|
||||
.Fn X509_LOOKUP_hash_dir void
|
||||
.Ft X509_LOOKUP_METHOD *
|
||||
.Ft const X509_LOOKUP_METHOD *
|
||||
.Fn X509_LOOKUP_file void
|
||||
.Ft X509_LOOKUP_METHOD *
|
||||
.Ft const X509_LOOKUP_METHOD *
|
||||
.Fn X509_LOOKUP_mem void
|
||||
.Sh DESCRIPTION
|
||||
.Fn X509_LOOKUP_hash_dir ,
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: X509_REQ_add1_attr.3,v 1.2 2021/10/26 18:50:38 jmc Exp $
|
||||
.\" $OpenBSD: X509_REQ_add1_attr.3,v 1.4 2024/09/02 07:56:28 tb Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
|
||||
.\"
|
||||
@ -14,7 +14,7 @@
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd $Mdocdate: October 26 2021 $
|
||||
.Dd $Mdocdate: September 2 2024 $
|
||||
.Dt X509_REQ_ADD1_ATTR 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -91,9 +91,8 @@ with a PKCS#10 certification request.
|
||||
.Pp
|
||||
.Fn X509_REQ_add1_attr
|
||||
appends a deep copy of the
|
||||
.Fa attr
|
||||
using
|
||||
.Xr X509at_add1_attr 3 .
|
||||
.Fa attr ,
|
||||
allocating a new array if necessary.
|
||||
.Pp
|
||||
.Fn X509_REQ_add1_attr_by_OBJ ,
|
||||
.Fn X509_REQ_add1_attr_by_NID ,
|
||||
@ -104,26 +103,20 @@ create a new X.501 Attribute object using
|
||||
.Xr X509_ATTRIBUTE_create_by_NID 3 ,
|
||||
or
|
||||
.Xr X509_ATTRIBUTE_create_by_txt 3 ,
|
||||
respectively, and append it using
|
||||
.Xr X509at_add1_attr 3 .
|
||||
respectively,
|
||||
allocating a new array if necessary.
|
||||
.Pp
|
||||
.Fn X509_REQ_delete_attr
|
||||
deletes the attribute with the zero-based
|
||||
.Fa index
|
||||
using
|
||||
.Xr X509at_delete_attr 3 .
|
||||
.Fa index .
|
||||
.Pp
|
||||
.Fn X509_REQ_get_attr
|
||||
returns the attribute with the zero-based
|
||||
.Fa index
|
||||
using
|
||||
.Xr X509at_get_attr 3 .
|
||||
.Fa index .
|
||||
.Pp
|
||||
.Fn X509_REQ_get_attr_count
|
||||
returns the number of attributes currently associated with
|
||||
.Fa req
|
||||
using
|
||||
.Xr X509at_get_attr_count 3 .
|
||||
.Fa req .
|
||||
.Pp
|
||||
.Fn X509_REQ_get_attr_by_OBJ
|
||||
and
|
||||
@ -131,12 +124,7 @@ and
|
||||
search for an attribute of the type
|
||||
.Fa obj
|
||||
or
|
||||
.Fa nid
|
||||
using
|
||||
.Xr X509at_get_attr_by_OBJ 3
|
||||
or
|
||||
.Xr X509at_get_attr_by_NID 3 ,
|
||||
respectively.
|
||||
.Fa nid .
|
||||
.Sh RETURN VALUES
|
||||
.Fn X509_REQ_add1_attr ,
|
||||
.Fn X509_REQ_add1_attr_by_OBJ ,
|
||||
@ -177,9 +165,7 @@ fails on the requested
|
||||
.Xr OBJ_nid2obj 3 ,
|
||||
.Xr X509_ATTRIBUTE_create_by_OBJ 3 ,
|
||||
.Xr X509_ATTRIBUTE_new 3 ,
|
||||
.Xr X509_REQ_new 3 ,
|
||||
.Xr X509at_add1_attr 3 ,
|
||||
.Xr X509at_get_attr 3
|
||||
.Xr X509_REQ_new 3
|
||||
.Sh HISTORY
|
||||
These functions first appeared in OpenSSL 0.9.5
|
||||
and have been available since
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: X509_STORE_load_locations.3,v 1.11 2024/03/06 10:07:47 tb Exp $
|
||||
.\" $OpenBSD: X509_STORE_load_locations.3,v 1.12 2024/09/02 07:20:21 tb Exp $
|
||||
.\" full merge up to:
|
||||
.\" OpenSSL X509_STORE_add_cert b0edda11 Mar 20 13:00:17 2018 +0000
|
||||
.\"
|
||||
@ -16,7 +16,7 @@
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd $Mdocdate: March 6 2024 $
|
||||
.Dd $Mdocdate: September 2 2024 $
|
||||
.Dt X509_STORE_LOAD_LOCATIONS 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -46,7 +46,7 @@
|
||||
.Ft X509_LOOKUP *
|
||||
.Fo X509_STORE_add_lookup
|
||||
.Fa "X509_STORE *store"
|
||||
.Fa "X509_LOOKUP_METHOD *method"
|
||||
.Fa "const X509_LOOKUP_METHOD *method"
|
||||
.Fc
|
||||
.Sh DESCRIPTION
|
||||
.Fn X509_STORE_load_locations
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: X509_add1_trust_object.3,v 1.3 2021/07/24 14:33:14 schwarze Exp $
|
||||
.\" $OpenBSD: X509_add1_trust_object.3,v 1.4 2024/09/02 08:04:32 tb Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
|
||||
.\"
|
||||
@ -14,7 +14,7 @@
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd $Mdocdate: July 24 2021 $
|
||||
.Dd $Mdocdate: September 2 2024 $
|
||||
.Dt X509_ADD1_TRUST_OBJECT 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -93,7 +93,6 @@ does not contain a sub-object that can hold non-standard auxiliary data.
|
||||
.Xr EXTENDED_KEY_USAGE_new 3 ,
|
||||
.Xr OBJ_nid2obj 3 ,
|
||||
.Xr X509_CERT_AUX_new 3 ,
|
||||
.Xr X509_check_trust 3 ,
|
||||
.Xr X509_new 3
|
||||
.Sh HISTORY
|
||||
These functions first appeared in OpenSSL 0.9.4 and have been available since
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: X509_check_purpose.3,v 1.11 2023/06/25 13:54:58 tb Exp $
|
||||
.\" $OpenBSD: X509_check_purpose.3,v 1.12 2024/09/02 08:04:32 tb Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
|
||||
.\"
|
||||
@ -14,7 +14,7 @@
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd $Mdocdate: June 25 2023 $
|
||||
.Dd $Mdocdate: September 2 2024 $
|
||||
.Dt X509_CHECK_PURPOSE 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -410,7 +410,6 @@ can be used as a CA for the
|
||||
.Sh SEE ALSO
|
||||
.Xr BASIC_CONSTRAINTS_new 3 ,
|
||||
.Xr EXTENDED_KEY_USAGE_new 3 ,
|
||||
.Xr X509_check_trust 3 ,
|
||||
.Xr X509_new 3 ,
|
||||
.Xr X509_PURPOSE_set 3 ,
|
||||
.Xr X509V3_get_d2i 3 ,
|
||||
|
@ -1,207 +0,0 @@
|
||||
.\" $OpenBSD: X509_check_trust.3,v 1.10 2024/08/17 09:19:04 tb Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd $Mdocdate: August 17 2024 $
|
||||
.Dt X509_CHECK_TRUST 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm X509_check_trust
|
||||
.Nd check whether a certificate is trusted
|
||||
.Sh SYNOPSIS
|
||||
.In openssl/x509.h
|
||||
.Ft int
|
||||
.Fo X509_check_trust
|
||||
.Fa "X509 *certificate"
|
||||
.Fa "int trust"
|
||||
.Fa "int flags"
|
||||
.Fc
|
||||
.Sh DESCRIPTION
|
||||
.Fn X509_check_trust
|
||||
checks whether the
|
||||
.Fa certificate
|
||||
is marked as trusted for the purpose corresponding to the requested
|
||||
.Fa trust
|
||||
identifier.
|
||||
.Pp
|
||||
The standard algorithm used by all built-in trust checking functions
|
||||
performs the following tests in the following order.
|
||||
The first matching test terminates the algorithm
|
||||
and decides the return value.
|
||||
.Bl -enum
|
||||
.It
|
||||
If
|
||||
.Xr X509_add1_reject_object 3
|
||||
was previously called on the
|
||||
.Fa certificate
|
||||
with the ASN.1 object identifier corresponding to the requested
|
||||
.Fa trust
|
||||
identifier,
|
||||
.Dv X509_TRUST_REJECTED
|
||||
is returned.
|
||||
.It
|
||||
If
|
||||
.Xr X509_add1_trust_object 3
|
||||
was previously called on the
|
||||
.Fa certificate
|
||||
with the ASN.1 object identifier corresponding to the requested
|
||||
.Fa trust
|
||||
identifier,
|
||||
.Dv X509_TRUST_TRUSTED
|
||||
is returned.
|
||||
.It
|
||||
If
|
||||
.Xr X509_add1_reject_object 3
|
||||
or
|
||||
.Xr X509_add1_trust_object 3
|
||||
were previously called on the
|
||||
.Fa certificate ,
|
||||
but neither of them
|
||||
with the ASN.1 object identifier corresponding to the requested
|
||||
.Fa trust
|
||||
identifier,
|
||||
.Dv X509_TRUST_UNTRUSTED
|
||||
is returned.
|
||||
.It
|
||||
This so-called
|
||||
.Dq compatibility
|
||||
step is skipped by some of the trust checking functions.
|
||||
If neither
|
||||
.Xr X509_add1_reject_object 3
|
||||
nor
|
||||
.Xr X509_add1_trust_object 3
|
||||
was previously called on the
|
||||
.Fa certificate
|
||||
and if the
|
||||
.Fa certificate
|
||||
is a self-signed,
|
||||
.Dv X509_TRUST_TRUSTED
|
||||
is returned.
|
||||
.It
|
||||
Otherwise,
|
||||
.Dv X509_TRUST_UNTRUSTED
|
||||
is returned.
|
||||
.El
|
||||
.Pp
|
||||
By default, the following
|
||||
.Fa trust
|
||||
identifiers are supported.
|
||||
The
|
||||
.Dq ASN.1 NID
|
||||
column indicates the corresponding ASN.1 object identifier;
|
||||
for the relationship between ASN.1 NIDs and OIDs, see the
|
||||
.Xr OBJ_nid2obj 3
|
||||
manual page.
|
||||
The
|
||||
.Qq compat
|
||||
column indicates whether the compatibility step in the standard algorithm
|
||||
detailed above is used or skipped.
|
||||
.Pp
|
||||
.Bl -column X509_TRUST_OCSP_REQUEST NID_anyExtendedKeyUsage compat -compact
|
||||
.It Fa trust No identifier Ta Em ASN.1 NID Ta Em compat
|
||||
.It Dv X509_TRUST_SSL_CLIENT Ta Dv NID_client_auth Ta use
|
||||
.It Dv X509_TRUST_SSL_SERVER Ta Dv NID_server_auth Ta use
|
||||
.It Dv X509_TRUST_EMAIL Ta Dv NID_email_protect Ta use
|
||||
.It Dv X509_TRUST_OBJECT_SIGN Ta Dv NID_code_sign Ta use
|
||||
.It Dv X509_TRUST_OCSP_SIGN Ta Dv NID_OCSP_sign Ta skip
|
||||
.It Dv X509_TRUST_OCSP_REQUEST Ta Dv NID_ad_OCSP Ta skip
|
||||
.It Dv X509_TRUST_TSA Ta Dv NID_time_stamp Ta use
|
||||
.It Dv X509_TRUST_COMPAT Ta none Ta only
|
||||
.It 0 Ta Dv NID_anyExtendedKeyUsage Ta special
|
||||
.It \-1 Ta none Ta trusted
|
||||
.It invalid Ta Fa trust No argument Ta skip
|
||||
.El
|
||||
.Pp
|
||||
For the following
|
||||
.Fa trust
|
||||
identifiers, the standard algorithm is modified:
|
||||
.Bl -tag -width Ds
|
||||
.It Dv X509_TRUST_COMPAT
|
||||
.Xr X509_add1_reject_object 3
|
||||
and
|
||||
.Xr X509_add1_trust_object 3
|
||||
settings are completely ignored
|
||||
and all steps before the compatibility step are skipped.
|
||||
The
|
||||
.Fa certificate
|
||||
is trusted if and only if it is self-signed.
|
||||
.It 0
|
||||
The third step in the standard algorithm is skipped, and the
|
||||
compatibility step is used even if
|
||||
.Xr X509_add1_reject_object 3
|
||||
or
|
||||
.Xr X509_add1_trust_object 3
|
||||
were called with ASN.1 object identifiers not corresponding to
|
||||
.Dv NID_anyExtendedKeyUsage .
|
||||
.It \-1
|
||||
The
|
||||
.Fa certificate
|
||||
is not inspected and
|
||||
.Dv X509_TRUST_TRUSTED
|
||||
is always returned.
|
||||
.It invalid
|
||||
If the
|
||||
.Fa trust
|
||||
argument is neither 0 nor \-1 nor valid as a trust identifier,
|
||||
it is re-interpreted as an ASN.1 NID
|
||||
and used itself for the standard algorithm.
|
||||
The compatibility step is skipped in this case.
|
||||
.El
|
||||
.Pp
|
||||
The
|
||||
.Fa flags
|
||||
argument is ignored by all built-in trust checking functions,
|
||||
but user-specified trust checking functions might use it.
|
||||
.Pp
|
||||
If the function
|
||||
.Xr X509_TRUST_add 3
|
||||
was called before
|
||||
.Fn X509_check_trust ,
|
||||
it may have installed different, user-supplied checking functions
|
||||
for some of the standard
|
||||
.Fa trust
|
||||
identifiers listed above, or it may have installed additional,
|
||||
user-supplied checking functions for user-defined
|
||||
.Fa trust
|
||||
identifiers not listed above.
|
||||
.Sh RETURN VALUES
|
||||
.Fn X509_check_trust
|
||||
returns the following values:
|
||||
.Bl -tag -width Ds
|
||||
.It Dv X509_TRUST_TRUSTED
|
||||
The
|
||||
.Fa certificate
|
||||
is explicitly or implicitly trusted for the requested purpose.
|
||||
.It Dv X509_TRUST_REJECTED
|
||||
The
|
||||
.Fa certificate
|
||||
is explicitly rejected for the requested purpose.
|
||||
.It Dv X509_TRUST_UNTRUSTED
|
||||
The
|
||||
.Fa certificate
|
||||
is neither trusted nor explicitly rejected,
|
||||
which implies that it is not trusted.
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr PEM_read_X509_AUX 3 ,
|
||||
.Xr X509_add1_trust_object 3 ,
|
||||
.Xr X509_CERT_AUX_new 3 ,
|
||||
.Xr X509_check_purpose 3 ,
|
||||
.Xr X509_new 3 ,
|
||||
.Xr X509_VERIFY_PARAM_set_trust 3
|
||||
.Sh HISTORY
|
||||
.Fn X509_check_trust
|
||||
first appeared in OpenSSL 0.9.5 and has been available since
|
||||
.Ox 2.7 .
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: X509_new.3,v 1.44 2024/08/17 09:16:37 tb Exp $
|
||||
.\" $OpenBSD: X509_new.3,v 1.45 2024/09/02 08:04:32 tb Exp $
|
||||
.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
|
||||
.\"
|
||||
.\" This file is a derived work.
|
||||
@ -66,7 +66,7 @@
|
||||
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: August 17 2024 $
|
||||
.Dd $Mdocdate: September 2 2024 $
|
||||
.Dt X509_NEW 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -208,7 +208,6 @@ if an error occurs.
|
||||
.Xr X509_check_issued 3 ,
|
||||
.Xr X509_check_private_key 3 ,
|
||||
.Xr X509_check_purpose 3 ,
|
||||
.Xr X509_check_trust 3 ,
|
||||
.Xr X509_CINF_new 3 ,
|
||||
.Xr X509_cmp 3 ,
|
||||
.Xr X509_CRL_new 3 ,
|
||||
|
@ -1,133 +0,0 @@
|
||||
.\" $OpenBSD: X509at_add1_attr.3,v 1.6 2024/08/24 09:15:36 tb Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd $Mdocdate: August 24 2024 $
|
||||
.Dt X509AT_ADD1_ATTR 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm X509at_add1_attr ,
|
||||
.Nm X509at_add1_attr_by_OBJ ,
|
||||
.Nm X509at_add1_attr_by_NID ,
|
||||
.Nm X509at_add1_attr_by_txt ,
|
||||
.Nm X509at_delete_attr
|
||||
.Nd change an array of X.501 Attribute objects
|
||||
.Sh SYNOPSIS
|
||||
.In openssl/x509.h
|
||||
.Ft STACK_OF(X509_ATTRIBUTE) *
|
||||
.Fo X509at_add1_attr
|
||||
.Fa "STACK_OF(X509_ATTRIBUTE) **pattrs"
|
||||
.Fa "X509_ATTRIBUTE *attr"
|
||||
.Fc
|
||||
.Ft STACK_OF(X509_ATTRIBUTE) *
|
||||
.Fo X509at_add1_attr_by_OBJ
|
||||
.Fa "STACK_OF(X509_ATTRIBUTE) **pattrs"
|
||||
.Fa "const ASN1_OBJECT *obj"
|
||||
.Fa "int type"
|
||||
.Fa "const unsigned char *data"
|
||||
.Fa "int len"
|
||||
.Fc
|
||||
.Ft STACK_OF(X509_ATTRIBUTE) *
|
||||
.Fo X509at_add1_attr_by_NID
|
||||
.Fa "STACK_OF(X509_ATTRIBUTE) **pattrs"
|
||||
.Fa "int nid"
|
||||
.Fa "int type"
|
||||
.Fa "const unsigned char *data"
|
||||
.Fa "int len"
|
||||
.Fc
|
||||
.Ft STACK_OF(X509_ATTRIBUTE) *
|
||||
.Fo X509at_add1_attr_by_txt
|
||||
.Fa "STACK_OF(X509_ATTRIBUTE) **pattrs"
|
||||
.Fa "const char *name"
|
||||
.Fa "int type"
|
||||
.Fa "const unsigned char *data"
|
||||
.Fa "int len"
|
||||
.Fc
|
||||
.Ft X509_ATTRIBUTE *
|
||||
.Fo X509at_delete_attr
|
||||
.Fa "STACK_OF(X509_ATTRIBUTE) *attrs"
|
||||
.Fa "int index"
|
||||
.Fc
|
||||
.Sh DESCRIPTION
|
||||
.Fn X509at_add1_attr
|
||||
appends a deep copy of
|
||||
.Fa attr
|
||||
to the end of
|
||||
.Pf ** Fa pattrs .
|
||||
If
|
||||
.Pf * Fa pattrs
|
||||
is
|
||||
.Dv NULL ,
|
||||
a new array is allocated, and in case of success,
|
||||
a pointer to it is assigned to
|
||||
.Pf * Fa pattrs .
|
||||
.Pp
|
||||
.Fn X509at_add1_attr_by_OBJ ,
|
||||
.Fn X509at_add1_attr_by_NID ,
|
||||
and
|
||||
.Fn X509at_add1_attr_by_txt
|
||||
create a new X.501 Attribute object using
|
||||
.Xr X509_ATTRIBUTE_create_by_OBJ 3 ,
|
||||
.Xr X509_ATTRIBUTE_create_by_NID 3 ,
|
||||
or
|
||||
.Xr X509_ATTRIBUTE_create_by_txt 3 ,
|
||||
respectively, and append it to
|
||||
.Pf ** Fa pattrs
|
||||
using
|
||||
.Fn X509at_add1_attr .
|
||||
.Pp
|
||||
.Fn X509at_delete_attr
|
||||
deletes the element with the zero-based
|
||||
.Fa index
|
||||
from the array
|
||||
.Pf * Fa attrs .
|
||||
.Sh RETURN VALUES
|
||||
.Fn X509at_add1_attr ,
|
||||
.Fn X509at_add1_attr_by_OBJ ,
|
||||
.Fn X509at_add1_attr_by_NID ,
|
||||
and
|
||||
.Fn X509at_add1_attr_by_txt
|
||||
return a pointer to the modified or new array or
|
||||
.Dv NULL
|
||||
if the
|
||||
.Fa pattrs
|
||||
argument is
|
||||
.Dv NULL
|
||||
or if creating or copying the X.501 Attribute object
|
||||
or memory allocation fails.
|
||||
.Pp
|
||||
.Fn X509at_delete_attr
|
||||
returns the deleted element or
|
||||
.Dv NULL
|
||||
if
|
||||
.Fa attrs
|
||||
is
|
||||
.Dv NULL
|
||||
or if the requested
|
||||
.Fa index
|
||||
is negative or greater than or equal to the number of objects in
|
||||
.Pf * Fa attrs .
|
||||
.Sh SEE ALSO
|
||||
.Xr OBJ_nid2obj 3 ,
|
||||
.Xr PKCS8_pkey_add1_attr_by_NID 3 ,
|
||||
.Xr STACK_OF 3 ,
|
||||
.Xr X509_ATTRIBUTE_create_by_OBJ 3 ,
|
||||
.Xr X509_ATTRIBUTE_new 3 ,
|
||||
.Xr X509_REQ_add1_attr 3 ,
|
||||
.Xr X509at_get_attr 3
|
||||
.Sh HISTORY
|
||||
These functions first appeared in OpenSSL 0.9.5
|
||||
and have been available since
|
||||
.Ox 2.7 .
|
@ -1,158 +0,0 @@
|
||||
.\" $OpenBSD: X509at_get_attr.3,v 1.9 2024/08/24 09:23:09 tb Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.Dd $Mdocdate: August 24 2024 $
|
||||
.Dt X509AT_GET_ATTR 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm X509at_get_attr ,
|
||||
.Nm X509at_get_attr_count ,
|
||||
.Nm X509at_get_attr_by_OBJ ,
|
||||
.Nm X509at_get_attr_by_NID ,
|
||||
.Nm X509at_get0_data_by_OBJ
|
||||
.\" In the following line, "X.501" and "Attribute" are not typos.
|
||||
.\" The "Attribute" type is defined in X.501, not in X.509.
|
||||
.\" The type is called "Attribute" with capital "A", not "attribute".
|
||||
.Nd X.501 Attribute array read accessors
|
||||
.Sh SYNOPSIS
|
||||
.In openssl/x509.h
|
||||
.Ft X509_ATTRIBUTE *
|
||||
.Fo X509at_get_attr
|
||||
.Fa "const STACK_OF(X509_ATTRIBUTE) *attrs"
|
||||
.Fa "int index"
|
||||
.Fc
|
||||
.Ft int
|
||||
.Fo X509at_get_attr_count
|
||||
.Fa "const STACK_OF(X509_ATTRIBUTE) *attrs"
|
||||
.Fc
|
||||
.Ft int
|
||||
.Fo X509at_get_attr_by_OBJ
|
||||
.Fa "const STACK_OF(X509_ATTRIBUTE) *attrs"
|
||||
.Fa "const ASN1_OBJECT *obj"
|
||||
.Fa "int start_after"
|
||||
.Fc
|
||||
.Ft int
|
||||
.Fo X509at_get_attr_by_NID
|
||||
.Fa "const STACK_OF(X509_ATTRIBUTE) *attrs"
|
||||
.Fa "int nid"
|
||||
.Fa "int start_after"
|
||||
.Fc
|
||||
.Ft void *
|
||||
.Fo X509at_get0_data_by_OBJ
|
||||
.Fa "STACK_OF(X509_ATTRIBUTE) *attrs"
|
||||
.Fa "const ASN1_OBJECT *obj"
|
||||
.Fa "int start_after"
|
||||
.Fa "int type"
|
||||
.Fc
|
||||
.Sh DESCRIPTION
|
||||
These functions retrieve information from the
|
||||
.Fa attrs
|
||||
array of X.501 Attribute objects.
|
||||
They all fail if
|
||||
.Fa attrs
|
||||
is a
|
||||
.Dv NULL
|
||||
pointer.
|
||||
.Pp
|
||||
.Fn X509at_get_attr
|
||||
returns the array element at the zero-based
|
||||
.Fa index .
|
||||
It fails if the
|
||||
.Fa index
|
||||
is negative or greater than or equal to the number of objects in the array.
|
||||
.Pp
|
||||
.Fn X509at_get_attr_count
|
||||
returns the number of objects currently stored in the array.
|
||||
.Pp
|
||||
The three remaining functions search the array starting after the index
|
||||
.Fa start_after .
|
||||
They fail if no matching object is found.
|
||||
.Fn X509at_get0_data_by_OBJ
|
||||
also fails if the data is not of the requested
|
||||
.Fa type .
|
||||
.Pp
|
||||
Additionally, the
|
||||
.Fa start_after
|
||||
argument of
|
||||
.Fn X509at_get0_data_by_OBJ
|
||||
is interpreted in a special way.
|
||||
If
|
||||
.Fa start_after
|
||||
is \-2 or smaller,
|
||||
.Fn X509at_get0_data_by_OBJ
|
||||
also fails if
|
||||
.Fa attrs
|
||||
contains more than one matching object.
|
||||
If
|
||||
.Fa start_after
|
||||
is \-3 or smaller, it also fails unless the matching object
|
||||
contains exactly one value.
|
||||
.Sh RETURN VALUES
|
||||
.Fn X509at_get_attr
|
||||
returns an internal pointer or
|
||||
.Dv NULL
|
||||
on failure.
|
||||
.Pp
|
||||
.Fn X509at_get_attr_count
|
||||
returns the number of array elements or \-1 on failure.
|
||||
.Pp
|
||||
.Fn X509at_get_attr_by_OBJ
|
||||
and
|
||||
.Fn X509at_get_attr_by_NID
|
||||
return the index of the first object in the array
|
||||
that has an index greater than
|
||||
.Fa start_after
|
||||
and a type matching
|
||||
.Fa obj
|
||||
or
|
||||
.Fa nid ,
|
||||
respectively, or \-1 on failure.
|
||||
In addition,
|
||||
.Fn X509at_get_attr_by_NID
|
||||
returns \-2
|
||||
if
|
||||
.Xr OBJ_nid2obj 3
|
||||
fails on the requested
|
||||
.Fa nid .
|
||||
.Pp
|
||||
.Fn X509at_get0_data_by_OBJ
|
||||
returns an internal pointer to the data contained in the value
|
||||
of the first object that has an index greater than
|
||||
.Fa start_after
|
||||
and a type matching
|
||||
.Fa obj ,
|
||||
or
|
||||
.Dv NULL
|
||||
on failure.
|
||||
.Sh SEE ALSO
|
||||
.Xr OBJ_nid2obj 3 ,
|
||||
.Xr PKCS8_pkey_get0_attrs 3 ,
|
||||
.Xr STACK_OF 3 ,
|
||||
.Xr X509_ATTRIBUTE_get0_data 3 ,
|
||||
.Xr X509_ATTRIBUTE_new 3 ,
|
||||
.Xr X509_REQ_get_attr 3
|
||||
.Sh HISTORY
|
||||
.Fn X509at_get_attr ,
|
||||
.Fn X509at_get_attr_count ,
|
||||
.Fn X509at_get_attr_by_OBJ ,
|
||||
and
|
||||
.Fn X509at_get_attr_by_NID
|
||||
first appeared in OpenSSL 0.9.5 and have been available since
|
||||
.Ox 2.7 .
|
||||
.Pp
|
||||
.Fn X509at_get0_data_by_OBJ
|
||||
first appeared in OpenSSL 0.9.8h and has been available since
|
||||
.Ox 4.5 .
|
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: Makefile,v 1.7 2024/09/01 05:48:20 anton Exp $
|
||||
# $OpenBSD: Makefile,v 1.8 2024/09/03 04:58:30 anton Exp $
|
||||
|
||||
WARNINGS= yes
|
||||
|
||||
@ -13,6 +13,6 @@ PROGS+= socket
|
||||
|
||||
PROGS+=access
|
||||
run-regress-access: access
|
||||
./access ${.CURDIR}/access-expected
|
||||
./access 2>&1 | diff -u ${.CURDIR}/access-expected -
|
||||
|
||||
.include <bsd.regress.mk>
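Review bot: The recipe `./access 2>&1 | diff -u ${.CURDIR}/access-expected -` takes its exit status from `diff`, so a non-zero exit or a crash of `./access` after it has printed the expected lines would still pass. Failures that print through stderr are caught because of `2>&1`, but a silent abnormal exit is not. Writing the output to a file in the object directory first and diffing it in a second recipe line would keep both checks.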
|
||||
|
@ -1,17 +1,17 @@
|
||||
unveil:access
|
||||
:
|
||||
r:RF
|
||||
r:RXF
|
||||
w:
|
||||
x:
|
||||
c:
|
||||
rw:RWF
|
||||
rw:RWXF
|
||||
rx:RXF
|
||||
rc:RF
|
||||
rc:RXF
|
||||
wx:
|
||||
wc:
|
||||
xc:
|
||||
rwx:RWXF
|
||||
rwc:RWF
|
||||
rwc:RWXF
|
||||
rxc:RXF
|
||||
wxc:
|
||||
rwxc:RWXF
|
||||
|
@ -1,8 +1,6 @@
|
||||
#include <err.h>
|
||||
#include <fcntl.h>
|
||||
#include <limits.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
@ -14,7 +12,6 @@
|
||||
|
||||
#define NUM_PERMS 16
|
||||
static char uv_dir[] = "/tmp/uvdir.XXXXXX"; /* test directory */
|
||||
static char uv_file[] = "/tmp/uvfile.XXXXXX"; /* log file */
|
||||
|
||||
const char* perms[] = {"", "r", "w", "x", "c", "rw", "rx", "rc",
|
||||
"wx", "wc","xc", "rwx", "rwc", "rxc", "wxc", "rwxc"};
|
||||
@ -24,21 +21,11 @@ const char* filenames[] = {"f", "fr", "fw", "fx", "fc", "frw", "frx", "frc",
|
||||
const char* header = "unveil:access\n";
|
||||
|
||||
int
|
||||
main(int argc, char *argv[])
|
||||
main(void)
|
||||
{
|
||||
FILE *log = stdout;
|
||||
int i;
|
||||
int log_fd;
|
||||
FILE *log;
|
||||
const char *expected;
|
||||
|
||||
if (argc != 2) {
|
||||
fprintf(stderr, "usage: access expected-path\n");
|
||||
exit(1);
|
||||
}
|
||||
expected = argv[1];
|
||||
|
||||
UV_SHOULD_SUCCEED(((log_fd = mkstemp(uv_file)) == -1), "mkstemp");
|
||||
UV_SHOULD_SUCCEED(((log = fdopen(log_fd, "w")) == NULL), "fdopen");
|
||||
UV_SHOULD_SUCCEED((mkdtemp(uv_dir) == NULL), "mkdtmp");
|
||||
UV_SHOULD_SUCCEED((unveil("/", "rwxc") == -1), "unveil");
|
||||
UV_SHOULD_SUCCEED((chdir(uv_dir) == -1), "chdir");
|
||||
@ -63,7 +50,6 @@ main(int argc, char *argv[])
|
||||
UV_SHOULD_SUCCEED((fwrite("F", 1, 1, log) != 1), "fwrite");
|
||||
UV_SHOULD_SUCCEED((fwrite("\n", 1, 1, log) != 1), "fwrite");
|
||||
}
|
||||
UV_SHOULD_SUCCEED((fclose(log) == -1), "fclose");
|
||||
|
||||
return execl("/usr/bin/diff", "diff", "-u", uv_file, expected, NULL);
|
||||
return 0;
|
||||
}
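Review bot: Nothing reports a deferred write error on the log once the `fclose(log)` check is gone: with `log = stdout` the `fwrite` calls only fill the stdio buffer, and a failure when that buffer is flushed at exit goes unnoticed by the program. A checked flush before the final return, `UV_SHOULD_SUCCEED((fflush(log) == EOF), "fflush");`, keeps that coverage. Which of the paired lines is old and which is new is read from the page's print order here, so confirm against the real diff. Separately, the label on the `mkdtemp` check reads "mkdtmp".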
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: syscalls.c,v 1.36 2024/08/23 12:56:26 anton Exp $ */
|
||||
/* $OpenBSD: syscalls.c,v 1.37 2024/09/03 04:59:03 anton Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2017-2019 Bob Beck <beck@openbsd.org>
|
||||
@ -679,8 +679,9 @@ test_fork_body(int do_uv)
|
||||
UV_SHOULD_ENOENT((open(uv_file2, O_RDWR|O_CREAT, 0644) == -1), "open after fork");
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
test_fork()
|
||||
test_fork(int do_uv)
|
||||
{
|
||||
printf("testing fork inhertiance\n");
|
||||
do_unveil();
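Review bot: The `do_uv` parameter added to `test_fork` is not used in the lines shown, which still call `do_unveil()` unconditionally; the body continues outside the hunk. If the argument exists only so the function matches the signature the test runner expects, a comment such as `/* do_uv unused: test_fork always unveils */` avoids the impression that the flag is honoured. The message printed at the top of the function misspells "inheritance" as "inhertiance".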
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: cfginclude.sh,v 1.3 2021/06/08 06:52:43 djm Exp $
|
||||
# $OpenBSD: cfginclude.sh,v 1.4 2024/09/03 05:58:56 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="config include"
|
||||
@ -142,7 +142,7 @@ trial a aa
|
||||
|
||||
# cleanup
|
||||
rm -f $OBJ/ssh_config.i $OBJ/ssh_config.i.* $OBJ/ssh_config.out
|
||||
# $OpenBSD: cfginclude.sh,v 1.3 2021/06/08 06:52:43 djm Exp $
|
||||
# $OpenBSD: cfginclude.sh,v 1.4 2024/09/03 05:58:56 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="config include"
|
||||
@ -289,5 +289,27 @@ _EOF
|
||||
${REAL_SSH} -F $OBJ/ssh_config.i -G a 2>/dev/null && \
|
||||
fail "ssh include allowed infinite recursion?" # or hang...
|
||||
|
||||
# Environment variable expansion
|
||||
cat > $OBJ/ssh_config.i << _EOF
|
||||
Include $OBJ/ssh_config.\${REAL_FILE}
|
||||
_EOF
|
||||
cat > $OBJ/ssh_config.i.x << _EOF
|
||||
Hostname xyzzy
|
||||
_EOF
|
||||
REAL_FILE=i.x
|
||||
export REAL_FILE
|
||||
trial a xyzzy
|
||||
|
||||
# Environment variable expansion
|
||||
cat > $OBJ/ssh_config.i << _EOF
|
||||
Include $OBJ/ssh_config.i.%h%h
|
||||
_EOF
|
||||
cat > $OBJ/ssh_config.i.blahblah << _EOF
|
||||
Hostname mekmitastdigoat
|
||||
_EOF
|
||||
REAL_FILE=i.x
|
||||
export REAL_FILE
|
||||
trial blah mekmitastdigoat
|
||||
|
||||
# cleanup
|
||||
rm -f $OBJ/ssh_config.i $OBJ/ssh_config.i.* $OBJ/ssh_config.out
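Review bot: The second added block is headed `# Environment variable expansion` like the first, but its Include line uses `%h%h`, so it exercises token expansion; the heading should read `# Token (%h) expansion`. The `REAL_FILE=i.x` / `export REAL_FILE` pair copied into that block has no effect on the `%h` case and can be dropped. The first block also leaves REAL_FILE exported for everything that runs after it, so an `unset REAL_FILE` after `trial a xyzzy` would keep the cases independent. Both blocks cover only the successful path; a case with the variable unset would also pin down how an unresolvable Include path is handled.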
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: pmap.c,v 1.172 2024/08/29 20:13:42 dv Exp $ */
|
||||
/* $OpenBSD: pmap.c,v 1.173 2024/09/03 17:19:53 bluhm Exp $ */
|
||||
/* $NetBSD: pmap.c,v 1.3 2003/05/08 18:13:13 thorpej Exp $ */
|
||||
|
||||
/*
|
||||
@ -2159,8 +2159,8 @@ pmap_write_protect(struct pmap *pmap, vaddr_t sva, vaddr_t eva, vm_prot_t prot)
|
||||
shootself = (scr3 == 0);
|
||||
|
||||
/* should be ok, but just in case ... */
|
||||
sva &= pg_frame;
|
||||
eva &= pg_frame;
|
||||
sva &= PG_FRAME;
|
||||
eva &= PG_FRAME;
|
||||
|
||||
if (!(prot & PROT_READ))
|
||||
set |= pg_xo;
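Review bot: The comment above the masking, `/* should be ok, but just in case ... */`, does not say why `sva` and `eva` are truncated with the constant `PG_FRAME` rather than the lower-case runtime `pg_frame`, which is the distinction this hunk turns on. `sva` and `eva` are virtual addresses, while `pg_frame` is presumably a mask for the frame bits of a PTE that can differ at run time (its definition is not on this page). A comment such as `/* sva/eva are VAs: use the constant PG_FRAME, not the runtime PTE mask pg_frame */` would stop the two being swapped again. The body of `pmap_write_protect` continues outside the hunk.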
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: vmm_machdep.c,v 1.33 2024/08/27 09:16:03 bluhm Exp $ */
|
||||
/* $OpenBSD: vmm_machdep.c,v 1.34 2024/09/03 13:36:19 dv Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2014 Mike Larkin <mlarkin@openbsd.org>
|
||||
*
|
||||
@ -2253,7 +2253,7 @@ vcpu_reset_regs_vmx(struct vcpu *vcpu, struct vcpu_reg_state *vrs)
|
||||
uint32_t pinbased, procbased, procbased2, exit, entry;
|
||||
uint32_t want1, want0;
|
||||
uint64_t ctrlval, cr3, msr_misc_enable;
|
||||
uint16_t ctrl, vpid;
|
||||
uint16_t ctrl;
|
||||
struct vmx_msr_store *msr_store;
|
||||
|
||||
rw_assert_wrlock(&vcpu->vc_lock);
|
||||
@ -2516,30 +2516,12 @@ vcpu_reset_regs_vmx(struct vcpu *vcpu, struct vcpu_reg_state *vrs)
|
||||
IA32_VMX_ACTIVATE_SECONDARY_CONTROLS, 1)) {
|
||||
if (vcpu_vmx_check_cap(vcpu, IA32_VMX_PROCBASED2_CTLS,
|
||||
IA32_VMX_ENABLE_VPID, 1)) {
|
||||
|
||||
/* We may sleep during allocation, so reload VMCS. */
|
||||
vcpu->vc_last_pcpu = curcpu();
|
||||
ret = vmm_alloc_vpid(&vpid);
|
||||
if (vcpu_reload_vmcs_vmx(vcpu)) {
|
||||
printf("%s: failed to reload vmcs\n", __func__);
|
||||
ret = EINVAL;
|
||||
goto exit;
|
||||
}
|
||||
if (ret) {
|
||||
DPRINTF("%s: could not allocate VPID\n",
|
||||
__func__);
|
||||
ret = EINVAL;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if (vmwrite(VMCS_GUEST_VPID, vpid)) {
|
||||
if (vmwrite(VMCS_GUEST_VPID, vcpu->vc_vpid)) {
|
||||
DPRINTF("%s: error setting guest VPID\n",
|
||||
__func__);
|
||||
ret = EINVAL;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
vcpu->vc_vpid = vpid;
|
||||
}
|
||||
}
|
||||
|
||||
@ -2832,13 +2814,19 @@ vcpu_init_vmx(struct vcpu *vcpu)
|
||||
uint32_t cr0, cr4;
|
||||
int ret = 0;
|
||||
|
||||
/* Allocate a VPID early to avoid km_alloc if we're out of VPIDs. */
|
||||
if (vmm_alloc_vpid(&vcpu->vc_vpid))
|
||||
return (ENOMEM);
|
||||
|
||||
/* Allocate VMCS VA */
|
||||
vcpu->vc_control_va = (vaddr_t)km_alloc(PAGE_SIZE, &kv_page, &kp_zero,
|
||||
&kd_waitok);
|
||||
vcpu->vc_vmx_vmcs_state = VMCS_CLEARED;
|
||||
|
||||
if (!vcpu->vc_control_va)
|
||||
return (ENOMEM);
|
||||
if (!vcpu->vc_control_va) {
|
||||
ret = ENOMEM;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
/* Compute VMCS PA */
|
||||
if (!pmap_extract(pmap_kernel(), vcpu->vc_control_va,
|
||||
@ -3091,15 +3079,20 @@ vcpu_reset_regs(struct vcpu *vcpu, struct vcpu_reg_state *vrs)
|
||||
int
|
||||
vcpu_init_svm(struct vcpu *vcpu, struct vm_create_params *vcp)
|
||||
{
|
||||
uint16_t asid;
|
||||
int ret = 0;
|
||||
|
||||
/* Allocate an ASID early to avoid km_alloc if we're out of ASIDs. */
|
||||
if (vmm_alloc_vpid(&vcpu->vc_vpid))
|
||||
return (ENOMEM);
|
||||
|
||||
/* Allocate VMCB VA */
|
||||
vcpu->vc_control_va = (vaddr_t)km_alloc(PAGE_SIZE, &kv_page, &kp_zero,
|
||||
&kd_waitok);
|
||||
|
||||
if (!vcpu->vc_control_va)
|
||||
return (ENOMEM);
|
||||
if (!vcpu->vc_control_va) {
|
||||
ret = ENOMEM;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
/* Compute VMCB PA */
|
||||
if (!pmap_extract(pmap_kernel(), vcpu->vc_control_va,
|
||||
@ -3173,14 +3166,6 @@ vcpu_init_svm(struct vcpu *vcpu, struct vm_create_params *vcp)
|
||||
(uint64_t)vcpu->vc_svm_ioio_va,
|
||||
(uint64_t)vcpu->vc_svm_ioio_pa);
|
||||
|
||||
/* Guest VCPU ASID */
|
||||
if (vmm_alloc_vpid(&asid)) {
|
||||
DPRINTF("%s: could not allocate asid\n", __func__);
|
||||
ret = EINVAL;
|
||||
goto exit;
|
||||
}
|
||||
vcpu->vc_vpid = asid;
|
||||
|
||||
/* Shall we enable SEV? */
|
||||
vcpu->vc_sev = vcp->vcp_sev;
|
||||
|
||||
@ -3260,8 +3245,7 @@ vcpu_deinit_vmx(struct vcpu *vcpu)
|
||||
}
|
||||
#endif
|
||||
|
||||
if (vcpu->vc_vmx_vpid_enabled)
|
||||
vmm_free_vpid(vcpu->vc_vpid);
|
||||
vmm_free_vpid(vcpu->vc_vpid);
|
||||
}
|
||||
|
||||
/*
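Review bot: `vcpu_deinit_vmx` now calls `vmm_free_vpid(vcpu->vc_vpid)` with no guard, so it is only correct when every vcpu reaching it owns an allocated VPID; the early `return (ENOMEM)` added at the top of `vcpu_init_vmx` is the one path that leaves `vc_vpid` unassigned. If any caller tears down a vcpu whose init failed there, an id the vcpu never owned would be released and could later be handed to a second guest while the first still uses it, which matters because the VPID/ASID tags TLB entries per guest. The callers and the `exit:` labels are outside these hunks, so this is something to confirm rather than a known bug. A comment above the free such as `/* vc_vpid is always allocated in vcpu_init_vmx before any path that reaches here */` would record the invariant. The same question applies to the ASID now taken first in `vcpu_init_svm`, whose teardown is not shown.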
|
||||
|
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: files.amd64,v 1.109 2023/07/08 08:01:10 tobhe Exp $
|
||||
# $OpenBSD: files.amd64,v 1.110 2024/09/03 00:23:05 jsg Exp $
|
||||
|
||||
maxpartitions 16
|
||||
maxusers 2 16 128
|
||||
@ -65,6 +65,8 @@ file arch/amd64/amd64/powernow-k8.c !small_kernel
|
||||
file arch/amd64/amd64/est.c !small_kernel
|
||||
file arch/amd64/amd64/k1x-pstate.c !small_kernel
|
||||
|
||||
file dev/ic/psp.c ccp
|
||||
|
||||
include "dev/rasops/files.rasops"
|
||||
include "dev/wsfont/files.wsfont"
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: virtio_mmio.c,v 1.16 2024/08/27 19:01:11 sf Exp $ */
|
||||
/* $OpenBSD: virtio_mmio.c,v 1.17 2024/09/02 08:26:26 sf Exp $ */
|
||||
/* $NetBSD: virtio.c,v 1.3 2011/11/02 23:05:52 njoly Exp $ */
|
||||
|
||||
/*
|
||||
@ -97,6 +97,7 @@ void virtio_mmio_write_device_config_4(struct virtio_softc *, int, uint32_t);
|
||||
void virtio_mmio_write_device_config_8(struct virtio_softc *, int, uint64_t);
|
||||
uint16_t virtio_mmio_read_queue_size(struct virtio_softc *, uint16_t);
|
||||
void virtio_mmio_setup_queue(struct virtio_softc *, struct virtqueue *, uint64_t);
|
||||
void virtio_mmio_setup_intrs(struct virtio_softc *);
|
||||
int virtio_mmio_get_status(struct virtio_softc *);
|
||||
void virtio_mmio_set_status(struct virtio_softc *, int);
|
||||
int virtio_mmio_negotiate_features(struct virtio_softc *,
|
||||
@ -145,6 +146,7 @@ const struct virtio_ops virtio_mmio_ops = {
|
||||
virtio_mmio_write_device_config_8,
|
||||
virtio_mmio_read_queue_size,
|
||||
virtio_mmio_setup_queue,
|
||||
virtio_mmio_setup_intrs,
|
||||
virtio_mmio_get_status,
|
||||
virtio_mmio_set_status,
|
||||
virtio_mmio_negotiate_features,
|
||||
@ -196,6 +198,11 @@ virtio_mmio_setup_queue(struct virtio_softc *vsc, struct virtqueue *vq,
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
virtio_mmio_setup_intrs(struct virtio_softc *vsc)
|
||||
{
|
||||
}
|
||||
|
||||
int
|
||||
virtio_mmio_get_status(struct virtio_softc *vsc)
|
||||
{
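Review bot: The new `virtio_mmio_setup_intrs` has an empty body and no comment, so a reader cannot tell whether the MMIO transport needs no interrupt setup or the work is still to be done; a one-line comment in the body, e.g. `/* nothing to do for the MMIO transport */` (if that is the intent), would settle it. `virtio_mmio_ops` is filled positionally, so the added entry is only right if it sits at the same position as the new member of `struct virtio_ops`, which is declared outside this page. Designated initializers (`.<member> = virtio_mmio_setup_intrs,`) would turn a misplaced entry into a compile error instead of a wrong callback at run time.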
|
||||
|
644
sys/dev/ic/ccp.c
644
sys/dev/ic/ccp.c
@ -1,8 +1,7 @@
|
||||
/* $OpenBSD: ccp.c,v 1.9 2024/09/01 19:25:06 bluhm Exp $ */
|
||||
/* $OpenBSD: ccp.c,v 1.10 2024/09/03 00:23:05 jsg Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2018 David Gwynne <dlg@openbsd.org>
|
||||
* Copyright (c) 2023, 2024 Hans-Joerg Hoexer <hshoexer@genua.de>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
@ -19,21 +18,11 @@
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/buf.h>
|
||||
#include <sys/device.h>
|
||||
#include <sys/malloc.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/timeout.h>
|
||||
#include <sys/pledge.h>
|
||||
|
||||
#include <machine/bus.h>
|
||||
|
||||
#ifdef __amd64__
|
||||
#include <sys/proc.h>
|
||||
#include <uvm/uvm.h>
|
||||
#include <crypto/xform.h>
|
||||
#endif
|
||||
|
||||
#include <dev/ic/ccpvar.h>
|
||||
|
||||
#define CCP_REG_TRNG 0xc
|
||||
@ -46,13 +35,6 @@ struct cfdriver ccp_cd = {
|
||||
DV_DULL
|
||||
};
|
||||
|
||||
#ifdef __amd64__
|
||||
struct ccp_softc *ccp_softc;
|
||||
|
||||
int psp_get_pstatus(struct psp_platform_status *);
|
||||
int psp_init(struct psp_init *);
|
||||
#endif
|
||||
|
||||
void
|
||||
ccp_attach(struct ccp_softc *sc)
|
||||
{
|
||||
@ -77,627 +59,3 @@ ccp_rng(void *arg)
|
||||
|
||||
timeout_add_msec(&sc->sc_tick, 100);
|
||||
}
|
||||
|
||||
#ifdef __amd64__
|
||||
int
|
||||
psp_sev_intr(struct ccp_softc *sc, uint32_t status)
|
||||
{
|
||||
if (!(status & PSP_CMDRESP_COMPLETE))
|
||||
return (0);
|
||||
|
||||
wakeup(sc);
|
||||
|
||||
return (1);
|
||||
}
|
||||
|
||||
int
|
||||
psp_attach(struct ccp_softc *sc)
|
||||
{
|
||||
struct psp_platform_status pst;
|
||||
struct psp_init init;
|
||||
size_t size;
|
||||
int nsegs;
|
||||
|
||||
if (!(sc->sc_capabilities & PSP_CAP_SEV))
|
||||
return (0);
|
||||
|
||||
rw_init(&sc->sc_lock, "ccp_lock");
|
||||
|
||||
/* create and map SEV command buffer */
|
||||
sc->sc_cmd_size = size = PAGE_SIZE;
|
||||
if (bus_dmamap_create(sc->sc_dmat, size, 1, size, 0,
|
||||
BUS_DMA_WAITOK | BUS_DMA_ALLOCNOW | BUS_DMA_64BIT,
|
||||
&sc->sc_cmd_map) != 0)
|
||||
return (0);
|
||||
|
||||
if (bus_dmamem_alloc(sc->sc_dmat, size, 0, 0, &sc->sc_cmd_seg, 1,
|
||||
&nsegs, BUS_DMA_WAITOK | BUS_DMA_ZERO) != 0)
|
||||
goto fail_0;
|
||||
|
||||
if (bus_dmamem_map(sc->sc_dmat, &sc->sc_cmd_seg, nsegs, size,
|
||||
&sc->sc_cmd_kva, BUS_DMA_WAITOK) != 0)
|
||||
goto fail_1;
|
||||
|
||||
if (bus_dmamap_load(sc->sc_dmat, sc->sc_cmd_map, sc->sc_cmd_kva,
|
||||
size, NULL, BUS_DMA_WAITOK) != 0)
|
||||
goto fail_2;
|
||||
|
||||
sc->sc_sev_intr = psp_sev_intr;
|
||||
ccp_softc = sc;
|
||||
|
||||
if (psp_get_pstatus(&pst) || pst.state != 0)
|
||||
goto fail_3;
|
||||
|
||||
/*
|
||||
* create and map Trusted Memory Region (TMR); size 1 Mbyte,
|
||||
* needs to be aligned to 1 Mbyte.
|
||||
*/
|
||||
sc->sc_tmr_size = size = PSP_TMR_SIZE;
|
||||
if (bus_dmamap_create(sc->sc_dmat, size, 1, size, 0,
|
||||
BUS_DMA_WAITOK | BUS_DMA_ALLOCNOW | BUS_DMA_64BIT,
|
||||
&sc->sc_tmr_map) != 0)
|
||||
goto fail_3;
|
||||
|
||||
if (bus_dmamem_alloc(sc->sc_dmat, size, size, 0, &sc->sc_tmr_seg, 1,
|
||||
&nsegs, BUS_DMA_WAITOK | BUS_DMA_ZERO) != 0)
|
||||
goto fail_4;
|
||||
|
||||
if (bus_dmamem_map(sc->sc_dmat, &sc->sc_tmr_seg, nsegs, size,
|
||||
&sc->sc_tmr_kva, BUS_DMA_WAITOK) != 0)
|
||||
goto fail_5;
|
||||
|
||||
if (bus_dmamap_load(sc->sc_dmat, sc->sc_tmr_map, sc->sc_tmr_kva,
|
||||
size, NULL, BUS_DMA_WAITOK) != 0)
|
||||
goto fail_6;
|
||||
|
||||
memset(&init, 0, sizeof(init));
|
||||
init.enable_es = 1;
|
||||
init.tmr_length = PSP_TMR_SIZE;
|
||||
init.tmr_paddr = sc->sc_tmr_map->dm_segs[0].ds_addr;
|
||||
if (psp_init(&init))
|
||||
goto fail_7;
|
||||
|
||||
printf(", SEV");
|
||||
|
||||
psp_get_pstatus(&pst);
|
||||
if ((pst.state == 1) && (pst.cfges_build & 0x1))
|
||||
printf(", SEV-ES");
|
||||
|
||||
sc->sc_psp_attached = 1;
|
||||
|
||||
return (1);
|
||||
|
||||
fail_7:
|
||||
bus_dmamap_unload(sc->sc_dmat, sc->sc_tmr_map);
|
||||
fail_6:
|
||||
bus_dmamem_unmap(sc->sc_dmat, sc->sc_tmr_kva, size);
|
||||
fail_5:
|
||||
bus_dmamem_free(sc->sc_dmat, &sc->sc_tmr_seg, 1);
|
||||
fail_4:
|
||||
bus_dmamap_destroy(sc->sc_dmat, sc->sc_tmr_map);
|
||||
fail_3:
|
||||
bus_dmamap_unload(sc->sc_dmat, sc->sc_cmd_map);
|
||||
fail_2:
|
||||
bus_dmamem_unmap(sc->sc_dmat, sc->sc_cmd_kva, size);
|
||||
fail_1:
|
||||
bus_dmamem_free(sc->sc_dmat, &sc->sc_cmd_seg, 1);
|
||||
fail_0:
|
||||
bus_dmamap_destroy(sc->sc_dmat, sc->sc_cmd_map);
|
||||
|
||||
ccp_softc = NULL;
|
||||
sc->sc_psp_attached = -1;
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
ccp_wait(struct ccp_softc *sc, uint32_t *status, int poll)
|
||||
{
|
||||
uint32_t cmdword;
|
||||
int count;
|
||||
|
||||
if (poll) {
|
||||
count = 0;
|
||||
while (count++ < 10) {
|
||||
cmdword = bus_space_read_4(sc->sc_iot, sc->sc_ioh,
|
||||
PSP_REG_CMDRESP);
|
||||
if (cmdword & PSP_CMDRESP_RESPONSE)
|
||||
goto done;
|
||||
delay(5000);
|
||||
}
|
||||
|
||||
/* timeout */
|
||||
return (1);
|
||||
}
|
||||
|
||||
if (tsleep_nsec(sc, PWAIT, "psp", SEC_TO_NSEC(1)) == EWOULDBLOCK)
|
||||
return (1);
|
||||
|
||||
done:
|
||||
if (status) {
|
||||
*status = bus_space_read_4(sc->sc_iot, sc->sc_ioh,
|
||||
PSP_REG_CMDRESP);
|
||||
}
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
ccp_docmd(struct ccp_softc *sc, int cmd, uint64_t paddr)
|
||||
{
|
||||
uint32_t plo, phi, cmdword, status;
|
||||
|
||||
plo = ((paddr >> 0) & 0xffffffff);
|
||||
phi = ((paddr >> 32) & 0xffffffff);
|
||||
cmdword = (cmd & 0x3ff) << 16;
|
||||
if (!cold)
|
||||
cmdword |= PSP_CMDRESP_IOC;
|
||||
|
||||
bus_space_write_4(sc->sc_iot, sc->sc_ioh, PSP_REG_ADDRLO, plo);
|
||||
bus_space_write_4(sc->sc_iot, sc->sc_ioh, PSP_REG_ADDRHI, phi);
|
||||
bus_space_write_4(sc->sc_iot, sc->sc_ioh, PSP_REG_CMDRESP, cmdword);
|
||||
|
||||
if (ccp_wait(sc, &status, cold))
|
||||
return (1);
|
||||
|
||||
/* Did PSP sent a response code? */
|
||||
if (status & PSP_CMDRESP_RESPONSE) {
|
||||
if ((status & PSP_STATUS_MASK) != PSP_STATUS_SUCCESS)
|
||||
return (1);
|
||||
}
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_init(struct psp_init *uinit)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_init *init;
|
||||
int ret;
|
||||
|
||||
init = (struct psp_init *)sc->sc_cmd_kva;
|
||||
bzero(init, sizeof(*init));
|
||||
|
||||
init->enable_es = uinit->enable_es;
|
||||
init->tmr_paddr = uinit->tmr_paddr;
|
||||
init->tmr_length = uinit->tmr_length;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_INIT, sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
wbinvd_on_all_cpus();
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_get_pstatus(struct psp_platform_status *ustatus)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_platform_status *status;
|
||||
int ret;
|
||||
|
||||
status = (struct psp_platform_status *)sc->sc_cmd_kva;
|
||||
bzero(status, sizeof(*status));
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_PLATFORMSTATUS,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
bcopy(status, ustatus, sizeof(*ustatus));
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_df_flush(void)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
int ret;
|
||||
|
||||
wbinvd_on_all_cpus();
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_DF_FLUSH, 0x0);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_decommission(struct psp_decommission *udecom)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_decommission *decom;
|
||||
int ret;
|
||||
|
||||
decom = (struct psp_decommission *)sc->sc_cmd_kva;
|
||||
bzero(decom, sizeof(*decom));
|
||||
|
||||
decom->handle = udecom->handle;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_DECOMMISSION,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_get_gstatus(struct psp_guest_status *ustatus)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_guest_status *status;
|
||||
int ret;
|
||||
|
||||
status = (struct psp_guest_status *)sc->sc_cmd_kva;
|
||||
bzero(status, sizeof(*status));
|
||||
|
||||
status->handle = ustatus->handle;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_GUESTSTATUS,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
ustatus->policy = status->policy;
|
||||
ustatus->asid = status->asid;
|
||||
ustatus->state = status->state;
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_launch_start(struct psp_launch_start *ustart)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_launch_start *start;
|
||||
int ret;
|
||||
|
||||
start = (struct psp_launch_start *)sc->sc_cmd_kva;
|
||||
bzero(start, sizeof(*start));
|
||||
|
||||
start->handle = ustart->handle;
|
||||
start->policy = ustart->policy;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_LAUNCH_START,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
/* If requested, return new handle. */
|
||||
if (ustart->handle == 0)
|
||||
ustart->handle = start->handle;
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_launch_update_data(struct psp_launch_update_data *ulud, struct proc *p)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_launch_update_data *ludata;
|
||||
pmap_t pmap;
|
||||
vaddr_t v, next, end;
|
||||
size_t size, len, off;
|
||||
int ret;
|
||||
|
||||
/* Ensure AES_XTS_BLOCKSIZE alignment and multiplicity. */
|
||||
if ((ulud->paddr & (AES_XTS_BLOCKSIZE - 1)) != 0 ||
|
||||
(ulud->length % AES_XTS_BLOCKSIZE) != 0)
|
||||
return (EINVAL);
|
||||
|
||||
ludata = (struct psp_launch_update_data *)sc->sc_cmd_kva;
|
||||
bzero(ludata, sizeof(*ludata));
|
||||
|
||||
ludata->handle = ulud->handle;
|
||||
|
||||
/* Drain caches before we encrypt memory. */
|
||||
wbinvd_on_all_cpus();
|
||||
|
||||
/*
|
||||
* Launch update one physical page at a time. We could
|
||||
* optimise this for contiguous pages of physical memory.
|
||||
*
|
||||
* vmd(8) provides the guest physical address, thus convert
|
||||
* to system physical address.
|
||||
*/
|
||||
pmap = vm_map_pmap(&p->p_vmspace->vm_map);
|
||||
size = ulud->length;
|
||||
end = ulud->paddr + ulud->length;
|
||||
for (v = ulud->paddr; v < end; v = next) {
|
||||
off = v & PAGE_MASK;
|
||||
|
||||
len = MIN(PAGE_SIZE - off, size);
|
||||
|
||||
/* Wire mapping. */
|
||||
if (uvm_map_pageable(&p->p_vmspace->vm_map, v, v+len, FALSE, 0))
|
||||
return (EINVAL);
|
||||
if (!pmap_extract(pmap, v, (paddr_t *)&ludata->paddr))
|
||||
return (EINVAL);
|
||||
ludata->length = len;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_LAUNCH_UPDATE_DATA,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
size -= len;
|
||||
next = v + len;
|
||||
}
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_launch_measure(struct psp_launch_measure *ulm)
|
||||
{
|
||||
struct psp_launch_measure *lm;
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
int ret;
|
||||
uint64_t paddr;
|
||||
|
||||
if (ulm->measure_len != sizeof(ulm->psp_measure))
|
||||
return (EINVAL);
|
||||
|
||||
lm = (struct psp_launch_measure *)sc->sc_cmd_kva;
|
||||
bzero(lm, sizeof(*lm));
|
||||
|
||||
lm->handle = ulm->handle;
|
||||
paddr = sc->sc_cmd_map->dm_segs[0].ds_addr;
|
||||
lm->measure_paddr =
|
||||
paddr + offsetof(struct psp_launch_measure, psp_measure);
|
||||
lm->measure_len = sizeof(lm->psp_measure);
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_LAUNCH_MEASURE, paddr);
|
||||
|
||||
if (ret != 0 || lm->measure_len != ulm->measure_len)
|
||||
return (EIO);
|
||||
|
||||
bcopy(&lm->psp_measure, &ulm->psp_measure, ulm->measure_len);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_launch_finish(struct psp_launch_finish *ulf)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_launch_finish *lf;
|
||||
int ret;
|
||||
|
||||
lf = (struct psp_launch_finish *)sc->sc_cmd_kva;
|
||||
bzero(lf, sizeof(*lf));
|
||||
|
||||
lf->handle = ulf->handle;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_LAUNCH_FINISH,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_attestation(struct psp_attestation *uat)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_attestation *at;
|
||||
int ret;
|
||||
uint64_t paddr;
|
||||
|
||||
if (uat->attest_len != sizeof(uat->psp_report))
|
||||
return (EINVAL);
|
||||
|
||||
at = (struct psp_attestation *)sc->sc_cmd_kva;
|
||||
bzero(at, sizeof(*at));
|
||||
|
||||
at->handle = uat->handle;
|
||||
paddr = sc->sc_cmd_map->dm_segs[0].ds_addr;
|
||||
at->attest_paddr =
|
||||
paddr + offsetof(struct psp_attestation, psp_report);
|
||||
bcopy(uat->attest_nonce, at->attest_nonce, sizeof(at->attest_nonce));
|
||||
at->attest_len = sizeof(at->psp_report);
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_ATTESTATION, paddr);
|
||||
|
||||
if (ret != 0 || at->attest_len != uat->attest_len)
|
||||
return (EIO);
|
||||
|
||||
bcopy(&at->psp_report, &uat->psp_report, uat->attest_len);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_activate(struct psp_activate *uact)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_activate *act;
|
||||
int ret;
|
||||
|
||||
act = (struct psp_activate *)sc->sc_cmd_kva;
|
||||
bzero(act, sizeof(*act));
|
||||
|
||||
act->handle = uact->handle;
|
||||
act->asid = uact->asid;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_ACTIVATE,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_deactivate(struct psp_deactivate *udeact)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_deactivate *deact;
|
||||
int ret;
|
||||
|
||||
deact = (struct psp_deactivate *)sc->sc_cmd_kva;
|
||||
bzero(deact, sizeof(*deact));
|
||||
|
||||
deact->handle = udeact->handle;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_DEACTIVATE,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_guest_shutdown(struct psp_guest_shutdown *ugshutdown)
|
||||
{
|
||||
struct psp_deactivate deact;
|
||||
struct psp_decommission decom;
|
||||
int ret;
|
||||
|
||||
bzero(&deact, sizeof(deact));
|
||||
deact.handle = ugshutdown->handle;
|
||||
if ((ret = psp_deactivate(&deact)) != 0)
|
||||
return (ret);
|
||||
|
||||
if ((ret = psp_df_flush()) != 0)
|
||||
return (ret);
|
||||
|
||||
bzero(&decom, sizeof(decom));
|
||||
decom.handle = ugshutdown->handle;
|
||||
if ((ret = psp_decommission(&decom)) != 0)
|
||||
return (ret);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_snp_get_pstatus(struct psp_snp_platform_status *ustatus)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_snp_platform_status *status;
|
||||
int ret;
|
||||
|
||||
status = (struct psp_snp_platform_status *)sc->sc_cmd_kva;
|
||||
bzero(status, sizeof(*status));
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_SNP_PLATFORMSTATUS,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
bcopy(status, ustatus, sizeof(*ustatus));
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
pspopen(dev_t dev, int flag, int mode, struct proc *p)
|
||||
{
|
||||
if (ccp_softc == NULL)
|
||||
return (ENODEV);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
pspclose(dev_t dev, int flag, int mode, struct proc *p)
|
||||
{
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
pspioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p)
|
||||
{
|
||||
int ret;
|
||||
|
||||
rw_enter_write(&ccp_softc->sc_lock);
|
||||
|
||||
switch (cmd) {
|
||||
case PSP_IOC_GET_PSTATUS:
|
||||
ret = psp_get_pstatus((struct psp_platform_status *)data);
|
||||
break;
|
||||
case PSP_IOC_DF_FLUSH:
|
||||
ret = psp_df_flush();
|
||||
break;
|
||||
case PSP_IOC_DECOMMISSION:
|
||||
ret = psp_decommission((struct psp_decommission *)data);
|
||||
break;
|
||||
case PSP_IOC_GET_GSTATUS:
|
||||
ret = psp_get_gstatus((struct psp_guest_status *)data);
|
||||
break;
|
||||
case PSP_IOC_LAUNCH_START:
|
||||
ret = psp_launch_start((struct psp_launch_start *)data);
|
||||
break;
|
||||
case PSP_IOC_LAUNCH_UPDATE_DATA:
|
||||
ret = psp_launch_update_data(
|
||||
(struct psp_launch_update_data *)data, p);
|
||||
break;
|
||||
case PSP_IOC_LAUNCH_MEASURE:
|
||||
ret = psp_launch_measure((struct psp_launch_measure *)data);
|
||||
break;
|
||||
case PSP_IOC_LAUNCH_FINISH:
|
||||
ret = psp_launch_finish((struct psp_launch_finish *)data);
|
||||
break;
|
||||
case PSP_IOC_ATTESTATION:
|
||||
ret = psp_attestation((struct psp_attestation *)data);
|
||||
break;
|
||||
case PSP_IOC_ACTIVATE:
|
||||
ret = psp_activate((struct psp_activate *)data);
|
||||
break;
|
||||
case PSP_IOC_DEACTIVATE:
|
||||
ret = psp_deactivate((struct psp_deactivate *)data);
|
||||
break;
|
||||
case PSP_IOC_GUEST_SHUTDOWN:
|
||||
ret = psp_guest_shutdown((struct psp_guest_shutdown *)data);
|
||||
break;
|
||||
case PSP_IOC_SNP_GET_PSTATUS:
|
||||
ret =
|
||||
psp_snp_get_pstatus((struct psp_snp_platform_status *)data);
|
||||
break;
|
||||
default:
|
||||
ret = ENOTTY;
|
||||
break;
|
||||
}
|
||||
|
||||
rw_exit_write(&ccp_softc->sc_lock);
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
int
|
||||
pledge_ioctl_psp(struct proc *p, long com)
|
||||
{
|
||||
switch (com) {
|
||||
case PSP_IOC_GET_PSTATUS:
|
||||
case PSP_IOC_DF_FLUSH:
|
||||
case PSP_IOC_GET_GSTATUS:
|
||||
case PSP_IOC_LAUNCH_START:
|
||||
case PSP_IOC_LAUNCH_UPDATE_DATA:
|
||||
case PSP_IOC_LAUNCH_MEASURE:
|
||||
case PSP_IOC_LAUNCH_FINISH:
|
||||
case PSP_IOC_ACTIVATE:
|
||||
case PSP_IOC_GUEST_SHUTDOWN:
|
||||
return (0);
|
||||
default:
|
||||
return (pledge_fail(p, EPERM, PLEDGE_VMM));
|
||||
}
|
||||
}
|
||||
#endif /* __amd64__ */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ccpvar.h,v 1.4 2024/09/01 19:25:06 bluhm Exp $ */
|
||||
/* $OpenBSD: ccpvar.h,v 1.5 2024/09/03 00:23:05 jsg Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2018 David Gwynne <dlg@openbsd.org>
|
||||
@ -18,6 +18,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/timeout.h>
|
||||
#include <sys/rwlock.h>
|
||||
|
||||
struct ccp_softc {
|
||||
struct device sc_dev;
|
||||
@ -28,7 +29,6 @@ struct ccp_softc {
|
||||
|
||||
int sc_psp_attached;
|
||||
|
||||
#ifdef __amd64__
|
||||
bus_dma_tag_t sc_dmat;
|
||||
uint32_t sc_capabilities;
|
||||
int (*sc_sev_intr)(struct ccp_softc *, uint32_t);
|
||||
@ -45,251 +45,6 @@ struct ccp_softc {
|
||||
caddr_t sc_tmr_kva;
|
||||
|
||||
struct rwlock sc_lock;
|
||||
#endif
|
||||
};
|
||||
|
||||
#ifdef __amd64__
|
||||
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/rwlock.h>
|
||||
|
||||
/* AMD 17h */
|
||||
#define PSP_REG_INTEN 0x10690
|
||||
#define PSP_REG_INTSTS 0x10694
|
||||
#define PSP_REG_CMDRESP 0x10980
|
||||
#define PSP_REG_ADDRLO 0x109e0
|
||||
#define PSP_REG_ADDRHI 0x109e4
|
||||
#define PSP_REG_CAPABILITIES 0x109fc
|
||||
|
||||
#define PSP_PSTATE_UNINIT 0x0
|
||||
#define PSP_PSTATE_INIT 0x1
|
||||
#define PSP_PSTATE_WORKING 0x2
|
||||
|
||||
#define PSP_GSTATE_UNINIT 0x0
|
||||
#define PSP_GSTATE_LUPDATE 0x1
|
||||
#define PSP_GSTATE_LSECRET 0x2
|
||||
#define PSP_GSTATE_RUNNING 0x3
|
||||
#define PSP_GSTATE_SUPDATE 0x4
|
||||
#define PSP_GSTATE_RUPDATE 0x5
|
||||
#define PSP_GSTATE_SENT 0x6
|
||||
|
||||
#define PSP_CAP_SEV (1 << 0)
|
||||
#define PSP_CAP_TEE (1 << 1)
|
||||
#define PSP_CAP_DBC_THRU_EXT (1 << 2)
|
||||
#define PSP_CAP_SECURITY_REPORTING (1 << 7)
|
||||
#define PSP_CAP_SECURITY_FUSED_PART (1 << 8)
|
||||
#define PSP_CAP_SECURITY_DEBUG_LOCK_ON (1 << 10)
|
||||
#define PSP_CAP_SECURITY_TSME_STATUS (1 << 13)
|
||||
#define PSP_CAP_SECURITY_ANTI_ROLLBACK_STATUS (1 << 15)
|
||||
#define PSP_CAP_SECURITY_RPMC_PRODUCTION_ENABLED (1 << 16)
|
||||
#define PSP_CAP_SECURITY_RPMC_SPIROM_AVAILABLE (1 << 17)
|
||||
#define PSP_CAP_SECURITY_HSP_TPM_AVAILABLE (1 << 18)
|
||||
#define PSP_CAP_SECURITY_ROM_ARMOR_ENFORCED (1 << 19)
|
||||
|
||||
#define PSP_CAP_BITS "\20\001SEV\002TEE\003DBC_THRU_EXT\010REPORTING\011FUSED_PART\013DEBUG_LOCK_ON\016TSME_STATUS\020ANTI_ROLLBACK_STATUS\021RPMC_PRODUCTION_ENABLED\022RPMC_SPIROM_AVAILABLE\023HSP_TPM_AVAILABLE\024ROM_ARMOR_ENFORCED"
|
||||
|
||||
#define PSP_CMDRESP_IOC (1 << 0)
|
||||
#define PSP_CMDRESP_COMPLETE (1 << 1)
|
||||
#define PSP_CMDRESP_RESPONSE (1 << 31)
|
||||
|
||||
#define PSP_STATUS_MASK 0xffff
|
||||
#define PSP_STATUS_SUCCESS 0x0000
|
||||
#define PSP_STATUS_INVALID_PLATFORM_STATE 0x0001
|
||||
|
||||
#define PSP_TMR_SIZE (1024*1024) /* 1 Mb */
|
||||
|
||||
#define PSP_SUCCESS 0x0000
|
||||
#define PSP_INVALID_ADDRESS 0x0009
|
||||
|
||||
/* Selection of PSP commands of the SEV API Version 0.24 */
|
||||
|
||||
#define PSP_CMD_INIT 0x1
|
||||
#define PSP_CMD_PLATFORMSTATUS 0x4
|
||||
#define PSP_CMD_DF_FLUSH 0xa
|
||||
#define PSP_CMD_DECOMMISSION 0x20
|
||||
#define PSP_CMD_ACTIVATE 0x21
|
||||
#define PSP_CMD_DEACTIVATE 0x22
|
||||
#define PSP_CMD_GUESTSTATUS 0x23
|
||||
#define PSP_CMD_LAUNCH_START 0x30
|
||||
#define PSP_CMD_LAUNCH_UPDATE_DATA 0x31
|
||||
#define PSP_CMD_LAUNCH_MEASURE 0x33
|
||||
#define PSP_CMD_LAUNCH_FINISH 0x35
|
||||
#define PSP_CMD_ATTESTATION 0x36
|
||||
|
||||
struct psp_platform_status {
|
||||
/* Output parameters from PSP_CMD_PLATFORMSTATUS */
|
||||
uint8_t api_major;
|
||||
uint8_t api_minor;
|
||||
uint8_t state;
|
||||
uint8_t owner;
|
||||
uint32_t cfges_build;
|
||||
uint32_t guest_count;
|
||||
} __packed;
|
||||
|
||||
struct psp_guest_status {
|
||||
/* Input parameter for PSP_CMD_GUESTSTATUS */
|
||||
uint32_t handle;
|
||||
|
||||
/* Output parameters from PSP_CMD_GUESTSTATUS */
|
||||
uint32_t policy;
|
||||
uint32_t asid;
|
||||
uint8_t state;
|
||||
} __packed;
|
||||
|
||||
struct psp_launch_start {
|
||||
/* Input/Output parameter for PSP_CMD_LAUNCH_START */
|
||||
uint32_t handle;
|
||||
|
||||
/* Input parameters for PSP_CMD_LAUNCH_START */
|
||||
uint32_t policy;
|
||||
|
||||
/* The following input parameters are not used yet */
|
||||
uint64_t dh_cert_paddr;
|
||||
uint32_t dh_cert_len;
|
||||
uint32_t reserved;
|
||||
uint64_t session_paddr;
|
||||
uint32_t session_len;
|
||||
} __packed;
|
||||
|
||||
struct psp_launch_update_data {
|
||||
/* Input parameters for PSP_CMD_LAUNCH_UPDATE_DATA */
|
||||
uint32_t handle;
|
||||
uint32_t reserved;
|
||||
uint64_t paddr;
|
||||
uint32_t length;
|
||||
} __packed;
|
||||
|
||||
struct psp_measure {
|
||||
/* Output buffer for PSP_CMD_LAUNCH_MEASURE */
|
||||
uint8_t measure[32];
|
||||
uint8_t measure_nonce[16];
|
||||
} __packed;
|
||||
|
||||
struct psp_launch_measure {
|
||||
/* Input parameters for PSP_CMD_LAUNCH_MEASURE */
|
||||
uint32_t handle;
|
||||
uint32_t reserved;
|
||||
uint64_t measure_paddr;
|
||||
|
||||
/* Input/output parameter for PSP_CMD_LAUNCH_MEASURE */
|
||||
uint32_t measure_len;
|
||||
uint32_t padding;
|
||||
|
||||
/* Output buffer from PSP_CMD_LAUNCH_MEASURE */
|
||||
struct psp_measure psp_measure; /* 64bit aligned */
|
||||
#define measure psp_measure.measure
|
||||
#define measure_nonce psp_measure.measure_nonce
|
||||
} __packed;
|
||||
|
||||
struct psp_launch_finish {
|
||||
/* Input parameter for PSP_CMD_LAUNCH_FINISH */
|
||||
uint32_t handle;
|
||||
} __packed;
|
||||
|
||||
struct psp_report {
|
||||
/* Output buffer for PSP_CMD_ATTESTATION */
|
||||
uint8_t report_nonce[16];
|
||||
uint8_t report_launch_digest[32];
|
||||
uint32_t report_policy;
|
||||
uint32_t report_sig_usage;
|
||||
uint32_t report_sig_algo;
|
||||
uint32_t reserved2;
|
||||
uint8_t report_sig1[144];
|
||||
} __packed;
|
||||
|
||||
struct psp_attestation {
|
||||
/* Input parameters for PSP_CMD_ATTESTATION */
|
||||
uint32_t handle;
|
||||
uint32_t reserved;
|
||||
uint64_t attest_paddr;
|
||||
uint8_t attest_nonce[16];
|
||||
|
||||
/* Input/output parameter from PSP_CMD_ATTESTATION */
|
||||
uint32_t attest_len;
|
||||
uint32_t padding;
|
||||
|
||||
/* Output parameter from PSP_CMD_ATTESTATION */
|
||||
struct psp_report psp_report; /* 64bit aligned */
|
||||
#define report_nonce psp_report.report_nonce
|
||||
#define report_launch_digest psp_report.report_launch_digest
|
||||
#define report_policy psp_report.report_policy
|
||||
#define report_sig_usage psp_report.report_sig_usage;
|
||||
#define report_report_sig_alg psp_report.report_sig_algo;
|
||||
#define report_report_sig1 psp_report.report_sig1;
|
||||
} __packed;
|
||||
|
||||
struct psp_activate {
|
||||
/* Input parameters for PSP_CMD_ACTIVATE */
|
||||
uint32_t handle;
|
||||
uint32_t asid;
|
||||
} __packed;
|
||||
|
||||
struct psp_deactivate {
|
||||
/* Input parameter for PSP_CMD_DEACTIVATE */
|
||||
uint32_t handle;
|
||||
} __packed;
|
||||
|
||||
struct psp_decommission {
|
||||
/* Input parameter for PSP_CMD_DECOMMISSION */
|
||||
uint32_t handle;
|
||||
} __packed;
|
||||
|
||||
struct psp_init {
|
||||
/* Output parameters from PSP_CMD_INIT */
|
||||
uint32_t enable_es;
|
||||
uint32_t reserved;
|
||||
uint64_t tmr_paddr;
|
||||
uint32_t tmr_length;
|
||||
} __packed;
|
||||
|
||||
|
||||
struct psp_guest_shutdown {
|
||||
/* Input parameter for PSP_CMD_GUEST_SHUTDOWN */
|
||||
uint32_t handle;
|
||||
} __packed;
|
||||
|
||||
/* Selection of PSP commands of the SEV-SNP ABI Version 1.55 */
|
||||
|
||||
#define PSP_CMD_SNP_PLATFORMSTATUS 0x81
|
||||
|
||||
struct psp_snp_platform_status {
|
||||
uint8_t api_major;
|
||||
uint8_t api_minor;
|
||||
uint8_t state;
|
||||
uint8_t is_rmp_init;
|
||||
uint32_t build;
|
||||
uint32_t features;
|
||||
uint32_t guest_count;
|
||||
uint64_t current_tcb;
|
||||
uint64_t reported_tcb;
|
||||
} __packed;
|
||||
|
||||
#define PSP_IOC_GET_PSTATUS _IOR('P', 0, struct psp_platform_status)
|
||||
#define PSP_IOC_DF_FLUSH _IO('P', 1)
|
||||
#define PSP_IOC_DECOMMISSION _IOW('P', 2, struct psp_decommission)
|
||||
#define PSP_IOC_GET_GSTATUS _IOWR('P', 3, struct psp_guest_status)
|
||||
#define PSP_IOC_LAUNCH_START _IOWR('P', 4, struct psp_launch_start)
|
||||
#define PSP_IOC_LAUNCH_UPDATE_DATA \
|
||||
_IOW('P', 5, struct psp_launch_update_data)
|
||||
#define PSP_IOC_LAUNCH_MEASURE _IOWR('P', 6, struct psp_launch_measure)
|
||||
#define PSP_IOC_LAUNCH_FINISH _IOW('P', 7, struct psp_launch_finish)
|
||||
#define PSP_IOC_ATTESTATION _IOWR('P', 8, struct psp_attestation)
|
||||
#define PSP_IOC_ACTIVATE _IOW('P', 9, struct psp_activate)
|
||||
#define PSP_IOC_DEACTIVATE _IOW('P', 10, struct psp_deactivate)
|
||||
#define PSP_IOC_SNP_GET_PSTATUS _IOR('P', 11, struct psp_snp_platform_status)
|
||||
#define PSP_IOC_GUEST_SHUTDOWN _IOW('P', 255, struct psp_guest_shutdown)
|
||||
#endif /* __amd64__ */
|
||||
|
||||
#ifdef _KERNEL
|
||||
|
||||
void ccp_attach(struct ccp_softc *);
|
||||
|
||||
#ifdef __amd64__
|
||||
int psp_attach(struct ccp_softc *);
|
||||
|
||||
int pspclose(dev_t, int, int, struct proc *);
|
||||
int pspopen(dev_t, int, int, struct proc *);
|
||||
int pspioctl(dev_t, u_long, caddr_t, int, struct proc *);
|
||||
#endif
|
||||
|
||||
#endif /* _KERNEL */
|
||||
|
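Review bot: `struct rwlock sc_lock;` in `struct ccp_softc` has no comment saying what it protects, and with the PSP definitions moved out of this header a reader can no longer tell from here. In the psp.c added by this commit, `pspioctl` takes it for writing around every command, and each `psp_*` helper zeroes and reuses the single buffer at `sc_cmd_kva`, so the lock appears to serialise that buffer and the command registers. `psp_attach` calls `psp_get_pstatus` and `psp_init` without taking it, presumably because nothing else can reach the device during attach. I would record both on the member, e.g. `struct rwlock sc_lock; /* serialises sc_cmd_kva and PSP commands; taken in pspioctl, not during attach */`. Which lines of this section were added or removed is not fully recoverable from the rendering, so this assumes the member is kept as shown.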
659
sys/dev/ic/psp.c
Normal file
@ -0,0 +1,659 @@
|
||||
/* $OpenBSD: psp.c,v 1.1 2024/09/03 00:23:05 jsg Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2023, 2024 Hans-Joerg Hoexer <hshoexer@genua.de>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/device.h>
|
||||
#include <sys/timeout.h>
|
||||
#include <sys/pledge.h>
|
||||
|
||||
#include <machine/bus.h>
|
||||
|
||||
#include <sys/proc.h>
|
||||
#include <uvm/uvm.h>
|
||||
#include <crypto/xform.h>
|
||||
|
||||
#include <dev/ic/ccpvar.h>
|
||||
#include <dev/ic/pspvar.h>
|
||||
|
||||
struct ccp_softc *ccp_softc;
|
||||
|
||||
int psp_get_pstatus(struct psp_platform_status *);
|
||||
int psp_init(struct psp_init *);
|
||||
|
||||
int
|
||||
psp_sev_intr(struct ccp_softc *sc, uint32_t status)
|
||||
{
|
||||
if (!(status & PSP_CMDRESP_COMPLETE))
|
||||
return (0);
|
||||
|
||||
wakeup(sc);
|
||||
|
||||
return (1);
|
||||
}
|
||||
|
||||
int
|
||||
psp_attach(struct ccp_softc *sc)
|
||||
{
|
||||
struct psp_platform_status pst;
|
||||
struct psp_init init;
|
||||
size_t size;
|
||||
int nsegs;
|
||||
|
||||
if (!(sc->sc_capabilities & PSP_CAP_SEV))
|
||||
return (0);
|
||||
|
||||
rw_init(&sc->sc_lock, "ccp_lock");
|
||||
|
||||
/* create and map SEV command buffer */
|
||||
sc->sc_cmd_size = size = PAGE_SIZE;
|
||||
if (bus_dmamap_create(sc->sc_dmat, size, 1, size, 0,
|
||||
BUS_DMA_WAITOK | BUS_DMA_ALLOCNOW | BUS_DMA_64BIT,
|
||||
&sc->sc_cmd_map) != 0)
|
||||
return (0);
|
||||
|
||||
if (bus_dmamem_alloc(sc->sc_dmat, size, 0, 0, &sc->sc_cmd_seg, 1,
|
||||
&nsegs, BUS_DMA_WAITOK | BUS_DMA_ZERO) != 0)
|
||||
goto fail_0;
|
||||
|
||||
if (bus_dmamem_map(sc->sc_dmat, &sc->sc_cmd_seg, nsegs, size,
|
||||
&sc->sc_cmd_kva, BUS_DMA_WAITOK) != 0)
|
||||
goto fail_1;
|
||||
|
||||
if (bus_dmamap_load(sc->sc_dmat, sc->sc_cmd_map, sc->sc_cmd_kva,
|
||||
size, NULL, BUS_DMA_WAITOK) != 0)
|
||||
goto fail_2;
|
||||
|
||||
sc->sc_sev_intr = psp_sev_intr;
|
||||
ccp_softc = sc;
|
||||
|
||||
if (psp_get_pstatus(&pst) || pst.state != 0)
|
||||
goto fail_3;
|
||||
|
||||
/*
|
||||
* create and map Trusted Memory Region (TMR); size 1 Mbyte,
|
||||
* needs to be aligned to 1 Mbyte.
|
||||
*/
|
||||
sc->sc_tmr_size = size = PSP_TMR_SIZE;
|
||||
if (bus_dmamap_create(sc->sc_dmat, size, 1, size, 0,
|
||||
BUS_DMA_WAITOK | BUS_DMA_ALLOCNOW | BUS_DMA_64BIT,
|
||||
&sc->sc_tmr_map) != 0)
|
||||
goto fail_3;
|
||||
|
||||
if (bus_dmamem_alloc(sc->sc_dmat, size, size, 0, &sc->sc_tmr_seg, 1,
|
||||
&nsegs, BUS_DMA_WAITOK | BUS_DMA_ZERO) != 0)
|
||||
goto fail_4;
|
||||
|
||||
if (bus_dmamem_map(sc->sc_dmat, &sc->sc_tmr_seg, nsegs, size,
|
||||
&sc->sc_tmr_kva, BUS_DMA_WAITOK) != 0)
|
||||
goto fail_5;
|
||||
|
||||
if (bus_dmamap_load(sc->sc_dmat, sc->sc_tmr_map, sc->sc_tmr_kva,
|
||||
size, NULL, BUS_DMA_WAITOK) != 0)
|
||||
goto fail_6;
|
||||
|
||||
memset(&init, 0, sizeof(init));
|
||||
init.enable_es = 1;
|
||||
init.tmr_length = PSP_TMR_SIZE;
|
||||
init.tmr_paddr = sc->sc_tmr_map->dm_segs[0].ds_addr;
|
||||
if (psp_init(&init))
|
||||
goto fail_7;
|
||||
|
||||
printf(", SEV");
|
||||
|
||||
psp_get_pstatus(&pst);
|
||||
if ((pst.state == 1) && (pst.cfges_build & 0x1))
|
||||
printf(", SEV-ES");
|
||||
|
||||
sc->sc_psp_attached = 1;
|
||||
|
||||
return (1);
|
||||
|
||||
fail_7:
|
||||
bus_dmamap_unload(sc->sc_dmat, sc->sc_tmr_map);
|
||||
fail_6:
|
||||
bus_dmamem_unmap(sc->sc_dmat, sc->sc_tmr_kva, size);
|
||||
fail_5:
|
||||
bus_dmamem_free(sc->sc_dmat, &sc->sc_tmr_seg, 1);
|
||||
fail_4:
|
||||
bus_dmamap_destroy(sc->sc_dmat, sc->sc_tmr_map);
|
||||
fail_3:
|
||||
bus_dmamap_unload(sc->sc_dmat, sc->sc_cmd_map);
|
||||
fail_2:
|
||||
bus_dmamem_unmap(sc->sc_dmat, sc->sc_cmd_kva, size);
|
||||
fail_1:
|
||||
bus_dmamem_free(sc->sc_dmat, &sc->sc_cmd_seg, 1);
|
||||
fail_0:
|
||||
bus_dmamap_destroy(sc->sc_dmat, sc->sc_cmd_map);
|
||||
|
||||
ccp_softc = NULL;
|
||||
sc->sc_psp_attached = -1;
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
ccp_wait(struct ccp_softc *sc, uint32_t *status, int poll)
|
||||
{
|
||||
uint32_t cmdword;
|
||||
int count;
|
||||
|
||||
if (poll) {
|
||||
count = 0;
|
||||
while (count++ < 10) {
|
||||
cmdword = bus_space_read_4(sc->sc_iot, sc->sc_ioh,
|
||||
PSP_REG_CMDRESP);
|
||||
if (cmdword & PSP_CMDRESP_RESPONSE)
|
||||
goto done;
|
||||
delay(5000);
|
||||
}
|
||||
|
||||
/* timeout */
|
||||
return (1);
|
||||
}
|
||||
|
||||
if (tsleep_nsec(sc, PWAIT, "psp", SEC_TO_NSEC(1)) == EWOULDBLOCK)
|
||||
return (1);
|
||||
|
||||
done:
|
||||
if (status) {
|
||||
*status = bus_space_read_4(sc->sc_iot, sc->sc_ioh,
|
||||
PSP_REG_CMDRESP);
|
||||
}
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
ccp_docmd(struct ccp_softc *sc, int cmd, uint64_t paddr)
|
||||
{
|
||||
uint32_t plo, phi, cmdword, status;
|
||||
|
||||
plo = ((paddr >> 0) & 0xffffffff);
|
||||
phi = ((paddr >> 32) & 0xffffffff);
|
||||
cmdword = (cmd & 0x3ff) << 16;
|
||||
if (!cold)
|
||||
cmdword |= PSP_CMDRESP_IOC;
|
||||
|
||||
bus_space_write_4(sc->sc_iot, sc->sc_ioh, PSP_REG_ADDRLO, plo);
|
||||
bus_space_write_4(sc->sc_iot, sc->sc_ioh, PSP_REG_ADDRHI, phi);
|
||||
bus_space_write_4(sc->sc_iot, sc->sc_ioh, PSP_REG_CMDRESP, cmdword);
|
||||
|
||||
if (ccp_wait(sc, &status, cold))
|
||||
return (1);
|
||||
|
||||
/* Did PSP sent a response code? */
|
||||
if (status & PSP_CMDRESP_RESPONSE) {
|
||||
if ((status & PSP_STATUS_MASK) != PSP_STATUS_SUCCESS)
|
||||
return (1);
|
||||
}
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_init(struct psp_init *uinit)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_init *init;
|
||||
int ret;
|
||||
|
||||
init = (struct psp_init *)sc->sc_cmd_kva;
|
||||
bzero(init, sizeof(*init));
|
||||
|
||||
init->enable_es = uinit->enable_es;
|
||||
init->tmr_paddr = uinit->tmr_paddr;
|
||||
init->tmr_length = uinit->tmr_length;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_INIT, sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
wbinvd_on_all_cpus();
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_get_pstatus(struct psp_platform_status *ustatus)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_platform_status *status;
|
||||
int ret;
|
||||
|
||||
status = (struct psp_platform_status *)sc->sc_cmd_kva;
|
||||
bzero(status, sizeof(*status));
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_PLATFORMSTATUS,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
bcopy(status, ustatus, sizeof(*ustatus));
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_df_flush(void)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
int ret;
|
||||
|
||||
wbinvd_on_all_cpus();
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_DF_FLUSH, 0x0);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_decommission(struct psp_decommission *udecom)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_decommission *decom;
|
||||
int ret;
|
||||
|
||||
decom = (struct psp_decommission *)sc->sc_cmd_kva;
|
||||
bzero(decom, sizeof(*decom));
|
||||
|
||||
decom->handle = udecom->handle;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_DECOMMISSION,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_get_gstatus(struct psp_guest_status *ustatus)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_guest_status *status;
|
||||
int ret;
|
||||
|
||||
status = (struct psp_guest_status *)sc->sc_cmd_kva;
|
||||
bzero(status, sizeof(*status));
|
||||
|
||||
status->handle = ustatus->handle;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_GUESTSTATUS,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
ustatus->policy = status->policy;
|
||||
ustatus->asid = status->asid;
|
||||
ustatus->state = status->state;
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_launch_start(struct psp_launch_start *ustart)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_launch_start *start;
|
||||
int ret;
|
||||
|
||||
start = (struct psp_launch_start *)sc->sc_cmd_kva;
|
||||
bzero(start, sizeof(*start));
|
||||
|
||||
start->handle = ustart->handle;
|
||||
start->policy = ustart->policy;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_LAUNCH_START,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
/* If requested, return new handle. */
|
||||
if (ustart->handle == 0)
|
||||
ustart->handle = start->handle;
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_launch_update_data(struct psp_launch_update_data *ulud, struct proc *p)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_launch_update_data *ludata;
|
||||
pmap_t pmap;
|
||||
vaddr_t v, next, end;
|
||||
size_t size, len, off;
|
||||
int ret;
|
||||
|
||||
/* Ensure AES_XTS_BLOCKSIZE alignment and multiplicity. */
|
||||
if ((ulud->paddr & (AES_XTS_BLOCKSIZE - 1)) != 0 ||
|
||||
(ulud->length % AES_XTS_BLOCKSIZE) != 0)
|
||||
return (EINVAL);
|
||||
|
||||
ludata = (struct psp_launch_update_data *)sc->sc_cmd_kva;
|
||||
bzero(ludata, sizeof(*ludata));
|
||||
|
||||
ludata->handle = ulud->handle;
|
||||
|
||||
/* Drain caches before we encrypt memory. */
|
||||
wbinvd_on_all_cpus();
|
||||
|
||||
/*
|
||||
* Launch update one physical page at a time. We could
|
||||
* optimise this for contiguous pages of physical memory.
|
||||
*
|
||||
* vmd(8) provides the guest physical address, thus convert
|
||||
* to system physical address.
|
||||
*/
|
||||
pmap = vm_map_pmap(&p->p_vmspace->vm_map);
|
||||
size = ulud->length;
|
||||
end = ulud->paddr + ulud->length;
|
||||
for (v = ulud->paddr; v < end; v = next) {
|
||||
off = v & PAGE_MASK;
|
||||
|
||||
len = MIN(PAGE_SIZE - off, size);
|
||||
|
||||
/* Wire mapping. */
|
||||
if (uvm_map_pageable(&p->p_vmspace->vm_map, v, v+len, FALSE, 0))
|
||||
return (EINVAL);
|
||||
if (!pmap_extract(pmap, v, (paddr_t *)&ludata->paddr))
|
||||
return (EINVAL);
|
||||
ludata->length = len;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_LAUNCH_UPDATE_DATA,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
size -= len;
|
||||
next = v + len;
|
||||
}
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_launch_measure(struct psp_launch_measure *ulm)
|
||||
{
|
||||
struct psp_launch_measure *lm;
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
int ret;
|
||||
uint64_t paddr;
|
||||
|
||||
if (ulm->measure_len != sizeof(ulm->psp_measure))
|
||||
return (EINVAL);
|
||||
|
||||
lm = (struct psp_launch_measure *)sc->sc_cmd_kva;
|
||||
bzero(lm, sizeof(*lm));
|
||||
|
||||
lm->handle = ulm->handle;
|
||||
paddr = sc->sc_cmd_map->dm_segs[0].ds_addr;
|
||||
lm->measure_paddr =
|
||||
paddr + offsetof(struct psp_launch_measure, psp_measure);
|
||||
lm->measure_len = sizeof(lm->psp_measure);
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_LAUNCH_MEASURE, paddr);
|
||||
|
||||
if (ret != 0 || lm->measure_len != ulm->measure_len)
|
||||
return (EIO);
|
||||
|
||||
bcopy(&lm->psp_measure, &ulm->psp_measure, ulm->measure_len);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_launch_finish(struct psp_launch_finish *ulf)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_launch_finish *lf;
|
||||
int ret;
|
||||
|
||||
lf = (struct psp_launch_finish *)sc->sc_cmd_kva;
|
||||
bzero(lf, sizeof(*lf));
|
||||
|
||||
lf->handle = ulf->handle;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_LAUNCH_FINISH,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_attestation(struct psp_attestation *uat)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_attestation *at;
|
||||
int ret;
|
||||
uint64_t paddr;
|
||||
|
||||
if (uat->attest_len != sizeof(uat->psp_report))
|
||||
return (EINVAL);
|
||||
|
||||
at = (struct psp_attestation *)sc->sc_cmd_kva;
|
||||
bzero(at, sizeof(*at));
|
||||
|
||||
at->handle = uat->handle;
|
||||
paddr = sc->sc_cmd_map->dm_segs[0].ds_addr;
|
||||
at->attest_paddr =
|
||||
paddr + offsetof(struct psp_attestation, psp_report);
|
||||
bcopy(uat->attest_nonce, at->attest_nonce, sizeof(at->attest_nonce));
|
||||
at->attest_len = sizeof(at->psp_report);
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_ATTESTATION, paddr);
|
||||
|
||||
if (ret != 0 || at->attest_len != uat->attest_len)
|
||||
return (EIO);
|
||||
|
||||
bcopy(&at->psp_report, &uat->psp_report, uat->attest_len);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_activate(struct psp_activate *uact)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_activate *act;
|
||||
int ret;
|
||||
|
||||
act = (struct psp_activate *)sc->sc_cmd_kva;
|
||||
bzero(act, sizeof(*act));
|
||||
|
||||
act->handle = uact->handle;
|
||||
act->asid = uact->asid;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_ACTIVATE,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_deactivate(struct psp_deactivate *udeact)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_deactivate *deact;
|
||||
int ret;
|
||||
|
||||
deact = (struct psp_deactivate *)sc->sc_cmd_kva;
|
||||
bzero(deact, sizeof(*deact));
|
||||
|
||||
deact->handle = udeact->handle;
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_DEACTIVATE,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_guest_shutdown(struct psp_guest_shutdown *ugshutdown)
|
||||
{
|
||||
struct psp_deactivate deact;
|
||||
struct psp_decommission decom;
|
||||
int ret;
|
||||
|
||||
bzero(&deact, sizeof(deact));
|
||||
deact.handle = ugshutdown->handle;
|
||||
if ((ret = psp_deactivate(&deact)) != 0)
|
||||
return (ret);
|
||||
|
||||
if ((ret = psp_df_flush()) != 0)
|
||||
return (ret);
|
||||
|
||||
bzero(&decom, sizeof(decom));
|
||||
decom.handle = ugshutdown->handle;
|
||||
if ((ret = psp_decommission(&decom)) != 0)
|
||||
return (ret);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
psp_snp_get_pstatus(struct psp_snp_platform_status *ustatus)
|
||||
{
|
||||
struct ccp_softc *sc = ccp_softc;
|
||||
struct psp_snp_platform_status *status;
|
||||
int ret;
|
||||
|
||||
status = (struct psp_snp_platform_status *)sc->sc_cmd_kva;
|
||||
bzero(status, sizeof(*status));
|
||||
|
||||
ret = ccp_docmd(sc, PSP_CMD_SNP_PLATFORMSTATUS,
|
||||
sc->sc_cmd_map->dm_segs[0].ds_addr);
|
||||
|
||||
if (ret != 0)
|
||||
return (EIO);
|
||||
|
||||
bcopy(status, ustatus, sizeof(*ustatus));
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
pspopen(dev_t dev, int flag, int mode, struct proc *p)
|
||||
{
|
||||
if (ccp_softc == NULL)
|
||||
return (ENODEV);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
pspclose(dev_t dev, int flag, int mode, struct proc *p)
|
||||
{
|
||||
return (0);
|
||||
}
|
||||
|
||||
int
|
||||
pspioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p)
|
||||
{
|
||||
int ret;
|
||||
|
||||
rw_enter_write(&ccp_softc->sc_lock);
|
||||
|
||||
switch (cmd) {
|
||||
case PSP_IOC_GET_PSTATUS:
|
||||
ret = psp_get_pstatus((struct psp_platform_status *)data);
|
||||
break;
|
||||
case PSP_IOC_DF_FLUSH:
|
||||
ret = psp_df_flush();
|
||||
break;
|
||||
case PSP_IOC_DECOMMISSION:
|
||||
ret = psp_decommission((struct psp_decommission *)data);
|
||||
break;
|
||||
case PSP_IOC_GET_GSTATUS:
|
||||
ret = psp_get_gstatus((struct psp_guest_status *)data);
|
||||
break;
|
||||
case PSP_IOC_LAUNCH_START:
|
||||
ret = psp_launch_start((struct psp_launch_start *)data);
|
||||
break;
|
||||
case PSP_IOC_LAUNCH_UPDATE_DATA:
|
||||
ret = psp_launch_update_data(
|
||||
(struct psp_launch_update_data *)data, p);
|
||||
break;
|
||||
case PSP_IOC_LAUNCH_MEASURE:
|
||||
ret = psp_launch_measure((struct psp_launch_measure *)data);
|
||||
break;
|
||||
case PSP_IOC_LAUNCH_FINISH:
|
||||
ret = psp_launch_finish((struct psp_launch_finish *)data);
|
||||
break;
|
||||
case PSP_IOC_ATTESTATION:
|
||||
ret = psp_attestation((struct psp_attestation *)data);
|
||||
break;
|
||||
case PSP_IOC_ACTIVATE:
|
||||
ret = psp_activate((struct psp_activate *)data);
|
||||
break;
|
||||
case PSP_IOC_DEACTIVATE:
|
||||
ret = psp_deactivate((struct psp_deactivate *)data);
|
||||
break;
|
||||
case PSP_IOC_GUEST_SHUTDOWN:
|
||||
ret = psp_guest_shutdown((struct psp_guest_shutdown *)data);
|
||||
break;
|
||||
case PSP_IOC_SNP_GET_PSTATUS:
|
||||
ret =
|
||||
psp_snp_get_pstatus((struct psp_snp_platform_status *)data);
|
||||
break;
|
||||
default:
|
||||
ret = ENOTTY;
|
||||
break;
|
||||
}
|
||||
|
||||
rw_exit_write(&ccp_softc->sc_lock);
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
int
|
||||
pledge_ioctl_psp(struct proc *p, long com)
|
||||
{
|
||||
switch (com) {
|
||||
case PSP_IOC_GET_PSTATUS:
|
||||
case PSP_IOC_DF_FLUSH:
|
||||
case PSP_IOC_GET_GSTATUS:
|
||||
case PSP_IOC_LAUNCH_START:
|
||||
case PSP_IOC_LAUNCH_UPDATE_DATA:
|
||||
case PSP_IOC_LAUNCH_MEASURE:
|
||||
case PSP_IOC_LAUNCH_FINISH:
|
||||
case PSP_IOC_ACTIVATE:
|
||||
case PSP_IOC_GUEST_SHUTDOWN:
|
||||
return (0);
|
||||
default:
|
||||
return (pledge_fail(p, EPERM, PLEDGE_VMM));
|
||||
}
|
||||
}
|
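--- /dev/null
+++ b/sys/dev/ic/pspvar.h
@@ -0,0 +1,255 @@
+/* $OpenBSD: pspvar.h,v 1.1 2024/09/03 00:23:05 jsg Exp $ */
+
+/*
+* Copyright (c) 2023, 2024 Hans-Joerg Hoexer <hshoexer@genua.de>
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+
+#include <sys/ioctl.h>
+
+/* AMD 17h */
+#define PSP_REG_INTEN 0x10690
+#define PSP_REG_INTSTS 0x10694
+#define PSP_REG_CMDRESP 0x10980
+#define PSP_REG_ADDRLO 0x109e0
+#define PSP_REG_ADDRHI 0x109e4
+#define PSP_REG_CAPABILITIES 0x109fc
+
+#define PSP_PSTATE_UNINIT 0x0
+#define PSP_PSTATE_INIT 0x1
+#define PSP_PSTATE_WORKING 0x2
+
+#define PSP_GSTATE_UNINIT 0x0
+#define PSP_GSTATE_LUPDATE 0x1
+#define PSP_GSTATE_LSECRET 0x2
+#define PSP_GSTATE_RUNNING 0x3
+#define PSP_GSTATE_SUPDATE 0x4
+#define PSP_GSTATE_RUPDATE 0x5
+#define PSP_GSTATE_SENT 0x6
+
+#define PSP_CAP_SEV (1 << 0)
+#define PSP_CAP_TEE (1 << 1)
+#define PSP_CAP_DBC_THRU_EXT (1 << 2)
+#define PSP_CAP_SECURITY_REPORTING (1 << 7)
+#define PSP_CAP_SECURITY_FUSED_PART (1 << 8)
+#define PSP_CAP_SECURITY_DEBUG_LOCK_ON (1 << 10)
+#define PSP_CAP_SECURITY_TSME_STATUS (1 << 13)
+#define PSP_CAP_SECURITY_ANTI_ROLLBACK_STATUS (1 << 15)
+#define PSP_CAP_SECURITY_RPMC_PRODUCTION_ENABLED (1 << 16)
+#define PSP_CAP_SECURITY_RPMC_SPIROM_AVAILABLE (1 << 17)
+#define PSP_CAP_SECURITY_HSP_TPM_AVAILABLE (1 << 18)
+#define PSP_CAP_SECURITY_ROM_ARMOR_ENFORCED (1 << 19)
+
+#define PSP_CAP_BITS "\20\001SEV\002TEE\003DBC_THRU_EXT\010REPORTING\011FUSED_PART\013DEBUG_LOCK_ON\016TSME_STATUS\020ANTI_ROLLBACK_STATUS\021RPMC_PRODUCTION_ENABLED\022RPMC_SPIROM_AVAILABLE\023HSP_TPM_AVAILABLE\024ROM_ARMOR_ENFORCED"
+
+#define PSP_CMDRESP_IOC (1 << 0)
+#define PSP_CMDRESP_COMPLETE (1 << 1)
+#define PSP_CMDRESP_RESPONSE (1 << 31)
+
+#define PSP_STATUS_MASK 0xffff
+#define PSP_STATUS_SUCCESS 0x0000
+#define PSP_STATUS_INVALID_PLATFORM_STATE 0x0001
+
+#define PSP_TMR_SIZE (1024*1024) /* 1 Mb */
+
+#define PSP_SUCCESS 0x0000
+#define PSP_INVALID_ADDRESS 0x0009
+
+/* Selection of PSP commands of the SEV API Version 0.24 */
+
+#define PSP_CMD_INIT 0x1
+#define PSP_CMD_PLATFORMSTATUS 0x4
+#define PSP_CMD_DF_FLUSH 0xa
+#define PSP_CMD_DECOMMISSION 0x20
+#define PSP_CMD_ACTIVATE 0x21
+#define PSP_CMD_DEACTIVATE 0x22
+#define PSP_CMD_GUESTSTATUS 0x23
+#define PSP_CMD_LAUNCH_START 0x30
+#define PSP_CMD_LAUNCH_UPDATE_DATA 0x31
+#define PSP_CMD_LAUNCH_MEASURE 0x33
+#define PSP_CMD_LAUNCH_FINISH 0x35
+#define PSP_CMD_ATTESTATION 0x36
+
+struct psp_platform_status {
+/* Output parameters from PSP_CMD_PLATFORMSTATUS */
+uint8_t api_major;
+uint8_t api_minor;
+uint8_t state;
+uint8_t owner;
+uint32_t cfges_build;
+uint32_t guest_count;
+} __packed;
+
+struct psp_guest_status {
+/* Input parameter for PSP_CMD_GUESTSTATUS */
+uint32_t handle;
+
+/* Output parameters from PSP_CMD_GUESTSTATUS */
+uint32_t policy;
+uint32_t asid;
+uint8_t state;
+} __packed;
+
+struct psp_launch_start {
+/* Input/Output parameter for PSP_CMD_LAUNCH_START */
+uint32_t handle;
+
+/* Input parameters for PSP_CMD_LAUNCH_START */
+uint32_t policy;
+
+/* The following input parameters are not used yet */
+uint64_t dh_cert_paddr;
+uint32_t dh_cert_len;
+uint32_t reserved;
+uint64_t session_paddr;
+uint32_t session_len;
+} __packed;
+
+struct psp_launch_update_data {
+/* Input parameters for PSP_CMD_LAUNCH_UPDATE_DATA */
+uint32_t handle;
+uint32_t reserved;
+uint64_t paddr;
+uint32_t length;
+} __packed;
+
+struct psp_measure {
+/* Output buffer for PSP_CMD_LAUNCH_MEASURE */
+uint8_t measure[32];
+uint8_t measure_nonce[16];
+} __packed;
+
+struct psp_launch_measure {
+/* Input parameters for PSP_CMD_LAUNCH_MEASURE */
+uint32_t handle;
+uint32_t reserved;
+uint64_t measure_paddr;
+
+/* Input/output parameter for PSP_CMD_LAUNCH_MEASURE */
+uint32_t measure_len;
+uint32_t padding;
+
+/* Output buffer from PSP_CMD_LAUNCH_MEASURE */
+struct psp_measure psp_measure; /* 64bit aligned */
+#define measure psp_measure.measure
+#define measure_nonce psp_measure.measure_nonce
+} __packed;
+
+struct psp_launch_finish {
+/* Input parameter for PSP_CMD_LAUNCH_FINISH */
+uint32_t handle;
+} __packed;
+
+struct psp_report {
+/* Output buffer for PSP_CMD_ATTESTATION */
+uint8_t report_nonce[16];
+uint8_t report_launch_digest[32];
+uint32_t report_policy;
+uint32_t report_sig_usage;
+uint32_t report_sig_algo;
+uint32_t reserved2;
+uint8_t report_sig1[144];
+} __packed;
+
+struct psp_attestation {
+/* Input parameters for PSP_CMD_ATTESTATION */
+uint32_t handle;
+uint32_t reserved;
+uint64_t attest_paddr;
+uint8_t attest_nonce[16];
+
+/* Input/output parameter from PSP_CMD_ATTESTATION */
+uint32_t attest_len;
+uint32_t padding;
+
+/* Output parameter from PSP_CMD_ATTESTATION */
+struct psp_report psp_report; /* 64bit aligned */
+#define report_nonce psp_report.report_nonce
+#define report_launch_digest psp_report.report_launch_digest
+#define report_policy psp_report.report_policy
+#define report_sig_usage psp_report.report_sig_usage;
+#define report_report_sig_alg psp_report.report_sig_algo;
+#define report_report_sig1 psp_report.report_sig1;
+} __packed;
+
+struct psp_activate {
+/* Input parameters for PSP_CMD_ACTIVATE */
+uint32_t handle;
+uint32_t asid;
+} __packed;
+
+struct psp_deactivate {
+/* Input parameter for PSP_CMD_DEACTIVATE */
+uint32_t handle;
+} __packed;
+
+struct psp_decommission {
+/* Input parameter for PSP_CMD_DECOMMISSION */
+uint32_t handle;
+} __packed;
+
+struct psp_init {
+/* Output parameters from PSP_CMD_INIT */
+uint32_t enable_es;
+uint32_t reserved;
+uint64_t tmr_paddr;
+uint32_t tmr_length;
+} __packed;
+
+
+struct psp_guest_shutdown {
+/* Input parameter for PSP_CMD_GUEST_SHUTDOWN */
+uint32_t handle;
+} __packed;
+
+/* Selection of PSP commands of the SEV-SNP ABI Version 1.55 */
+
+#define PSP_CMD_SNP_PLATFORMSTATUS 0x81
+
+struct psp_snp_platform_status {
+uint8_t api_major;
+uint8_t api_minor;
+uint8_t state;
+uint8_t is_rmp_init;
+uint32_t build;
+uint32_t features;
+uint32_t guest_count;
+uint64_t current_tcb;
+uint64_t reported_tcb;
+} __packed;
+
+#define PSP_IOC_GET_PSTATUS _IOR('P', 0, struct psp_platform_status)
+#define PSP_IOC_DF_FLUSH _IO('P', 1)
+#define PSP_IOC_DECOMMISSION _IOW('P', 2, struct psp_decommission)
+#define PSP_IOC_GET_GSTATUS _IOWR('P', 3, struct psp_guest_status)
+#define PSP_IOC_LAUNCH_START _IOWR('P', 4, struct psp_launch_start)
+#define PSP_IOC_LAUNCH_UPDATE_DATA \
+_IOW('P', 5, struct psp_launch_update_data)
+#define PSP_IOC_LAUNCH_MEASURE _IOWR('P', 6, struct psp_launch_measure)
+#define PSP_IOC_LAUNCH_FINISH _IOW('P', 7, struct psp_launch_finish)
+#define PSP_IOC_ATTESTATION _IOWR('P', 8, struct psp_attestation)
+#define PSP_IOC_ACTIVATE _IOW('P', 9, struct psp_activate)
+#define PSP_IOC_DEACTIVATE _IOW('P', 10, struct psp_deactivate)
+#define PSP_IOC_SNP_GET_PSTATUS _IOR('P', 11, struct psp_snp_platform_status)
+#define PSP_IOC_GUEST_SHUTDOWN _IOW('P', 255, struct psp_guest_shutdown)
+
+#ifdef _KERNEL
+
+int psp_attach(struct ccp_softc *);
+
+int pspclose(dev_t, int, int, struct proc *);
+int pspopen(dev_t, int, int, struct proc *);
+int pspioctl(dev_t, u_long, caddr_t, int, struct proc *);
+
+#endif /* _KERNEL */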
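Review bot: The last three field-alias macros inside `struct psp_attestation` end in a semicolon (`#define report_sig_usage psp_report.report_sig_usage;`, and the same on `report_report_sig_alg` and `report_report_sig1`), so using one of them inside an expression, for example `uat->report_sig_usage == x`, expands to a stray `;` and does not compile. The three aliases above them have no semicolon, and the last two also carry a doubled `report_report_` prefix with `sig_alg` pointing at a member named `report_sig_algo`. I would drop the semicolons and align the names with the members they alias. Because these are object-like macros on short identifiers (`measure`, `report_policy`), they also rewrite those names in every file that includes this header, which deserves a one-line comment next to the definitions.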
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ccp_pci.c,v 1.11 2024/06/13 17:59:08 bluhm Exp $ */
|
||||
/* $OpenBSD: ccp_pci.c,v 1.12 2024/09/03 00:23:05 jsg Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2018 David Gwynne <dlg@openbsd.org>
|
||||
@ -27,16 +27,15 @@
|
||||
#include <dev/pci/pcivar.h>
|
||||
|
||||
#include <dev/ic/ccpvar.h>
|
||||
#include <dev/ic/pspvar.h>
|
||||
|
||||
#define CCP_PCI_BAR 0x18
|
||||
|
||||
int ccp_pci_match(struct device *, void *, void *);
|
||||
void ccp_pci_attach(struct device *, struct device *, void *);
|
||||
|
||||
#ifdef __amd64__
|
||||
void psp_pci_attach(struct device *, struct device *, void *);
|
||||
int psp_pci_intr(void *);
|
||||
#endif
|
||||
|
||||
const struct cfattach ccp_pci_ca = {
|
||||
sizeof(struct ccp_softc),
|
||||
@ -79,14 +78,11 @@ ccp_pci_attach(struct device *parent, struct device *self, void *aux)
|
||||
return;
|
||||
}
|
||||
|
||||
#ifdef __amd64__
|
||||
psp_pci_attach(parent, self, aux);
|
||||
#endif
|
||||
|
||||
ccp_attach(sc);
|
||||
}
|
||||
|
||||
#ifdef __amd64__
|
||||
void
|
||||
psp_pci_attach(struct device *parent, struct device *self, void *aux)
|
||||
{
|
||||
@ -140,4 +136,3 @@ psp_pci_intr(void *arg)
|
||||
|
||||
return (1);
|
||||
}
|
||||
#endif /* __amd64__ */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: virtio_pci.c,v 1.40 2024/08/27 19:01:11 sf Exp $ */
|
||||
/* $OpenBSD: virtio_pci.c,v 1.42 2024/09/02 08:26:26 sf Exp $ */
|
||||
/* $NetBSD: virtio.c,v 1.3 2011/11/02 23:05:52 njoly Exp $ */
|
||||
|
||||
/*
|
||||
@ -73,6 +73,7 @@ void virtio_pci_write_device_config_4(struct virtio_softc *, int, uint32_t);
|
||||
void virtio_pci_write_device_config_8(struct virtio_softc *, int, uint64_t);
|
||||
uint16_t virtio_pci_read_queue_size(struct virtio_softc *, uint16_t);
|
||||
void virtio_pci_setup_queue(struct virtio_softc *, struct virtqueue *, uint64_t);
|
||||
void virtio_pci_setup_intrs(struct virtio_softc *);
|
||||
int virtio_pci_get_status(struct virtio_softc *);
|
||||
void virtio_pci_set_status(struct virtio_softc *, int);
|
||||
int virtio_pci_negotiate_features(struct virtio_softc *, const struct virtio_feature_name *);
|
||||
@ -99,6 +100,11 @@ enum irq_type {
|
||||
IRQ_MSIX_PER_VQ, /* vec 0: config irq, vec n: irq of vq[n-1] */
|
||||
};
|
||||
|
||||
struct virtio_pci_intr {
|
||||
char name[16];
|
||||
void *ih;
|
||||
};
|
||||
|
||||
struct virtio_pci_softc {
|
||||
struct virtio_softc sc_sc;
|
||||
pci_chipset_tag_t sc_pc;
|
||||
@ -132,7 +138,8 @@ struct virtio_pci_softc {
|
||||
bus_space_handle_t sc_isr_ioh;
|
||||
bus_size_t sc_isr_iosize;
|
||||
|
||||
void *sc_ih[MAX_MSIX_VECS];
|
||||
struct virtio_pci_intr *sc_intr;
|
||||
int sc_nintr;
|
||||
|
||||
enum irq_type sc_irq_type;
|
||||
};
|
||||
@ -163,6 +170,7 @@ const struct virtio_ops virtio_pci_ops = {
|
||||
virtio_pci_write_device_config_8,
|
||||
virtio_pci_read_queue_size,
|
||||
virtio_pci_setup_queue,
|
||||
virtio_pci_setup_intrs,
|
||||
virtio_pci_get_status,
|
||||
virtio_pci_set_status,
|
||||
virtio_pci_negotiate_features,
|
||||
@ -265,23 +273,23 @@ virtio_pci_setup_queue(struct virtio_softc *vsc, struct virtqueue *vq,
|
||||
bus_space_write_4(sc->sc_iot, sc->sc_ioh,
|
||||
VIRTIO_CONFIG_QUEUE_ADDRESS, addr / VIRTIO_PAGE_SIZE);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* This path is only executed if this function is called after
|
||||
* the child's attach function has finished. In other cases,
|
||||
* it's done in virtio_pci_setup_msix().
|
||||
*/
|
||||
if (sc->sc_irq_type != IRQ_NO_MSIX) {
|
||||
int vec = 1;
|
||||
if (sc->sc_irq_type == IRQ_MSIX_PER_VQ)
|
||||
vec += vq->vq_index;
|
||||
if (sc->sc_sc.sc_version_1) {
|
||||
CWRITE(sc, queue_msix_vector, vec);
|
||||
} else {
|
||||
bus_space_write_2(sc->sc_iot, sc->sc_ioh,
|
||||
VIRTIO_MSI_QUEUE_VECTOR, vec);
|
||||
}
|
||||
void
|
||||
virtio_pci_setup_intrs(struct virtio_softc *vsc)
|
||||
{
|
||||
struct virtio_pci_softc *sc = (struct virtio_pci_softc *)vsc;
|
||||
int i;
|
||||
|
||||
if (sc->sc_irq_type == IRQ_NO_MSIX)
|
||||
return;
|
||||
|
||||
for (i = 0; i <= vsc->sc_nvqs; i++) {
|
||||
unsigned vec = vsc->sc_vqs[i].vq_intr_vec;
|
||||
virtio_pci_set_msix_queue_vector(sc, i, vec);
|
||||
}
|
||||
if (vsc->sc_config_change)
|
||||
virtio_pci_set_msix_config_vector(sc, 0);
|
||||
}
|
||||
|
||||
int
|
||||
@ -585,7 +593,6 @@ virtio_pci_attach(struct device *parent, struct device *self, void *aux)
|
||||
char const *intrstr;
|
||||
pci_intr_handle_t ih;
|
||||
struct virtio_pci_attach_args vpa = { { 0 }, pa };
|
||||
int n;
|
||||
|
||||
revision = PCI_REVISION(pa->pa_class);
|
||||
switch (revision) {
|
||||
@ -617,9 +624,12 @@ virtio_pci_attach(struct device *parent, struct device *self, void *aux)
|
||||
virtio_pci_dump_caps(sc);
|
||||
#endif
|
||||
|
||||
n = MIN(MAX_MSIX_VECS, pci_intr_msix_count(pa));
|
||||
n = MAX(n, 1);
|
||||
vpa.vpa_va.va_nintr = n;
|
||||
sc->sc_nintr = min(MAX_MSIX_VECS, pci_intr_msix_count(pa));
|
||||
sc->sc_nintr = max(sc->sc_nintr, 1);
|
||||
vpa.vpa_va.va_nintr = sc->sc_nintr;
|
||||
|
||||
sc->sc_intr = mallocarray(sc->sc_nintr, sizeof(*sc->sc_intr),
|
||||
M_DEVBUF, M_WAITOK | M_ZERO);
|
||||
|
||||
vsc->sc_ops = &virtio_pci_ops;
|
||||
if ((vsc->sc_dev.dv_cfdata->cf_flags & VIRTIO_CF_NO_VERSION_1) == 0 &&
|
||||
@ -633,13 +643,13 @@ virtio_pci_attach(struct device *parent, struct device *self, void *aux)
|
||||
}
|
||||
if (ret != 0) {
|
||||
printf(": Cannot attach (%d)\n", ret);
|
||||
return;
|
||||
goto fail_0;
|
||||
}
|
||||
|
||||
sc->sc_devcfg_offset = VIRTIO_CONFIG_DEVICE_CONFIG_NOMSI;
|
||||
sc->sc_irq_type = IRQ_NO_MSIX;
|
||||
if (virtio_pci_adjust_config_region(sc) != 0)
|
||||
return;
|
||||
goto fail_0;
|
||||
|
||||
virtio_device_reset(vsc);
|
||||
virtio_set_status(vsc, VIRTIO_CONFIG_DEVICE_STATUS_ACK);
|
||||
@ -680,9 +690,10 @@ virtio_pci_attach(struct device *parent, struct device *self, void *aux)
|
||||
*/
|
||||
if (vsc->sc_ipl & IPL_MPSAFE)
|
||||
ih_func = virtio_pci_legacy_intr_mpsafe;
|
||||
sc->sc_ih[0] = pci_intr_establish(pc, ih, vsc->sc_ipl | IPL_MPSAFE,
|
||||
ih_func, sc, vsc->sc_dev.dv_xname);
|
||||
if (sc->sc_ih[0] == NULL) {
|
||||
sc->sc_intr[0].ih = pci_intr_establish(pc, ih,
|
||||
vsc->sc_ipl | IPL_MPSAFE, ih_func, sc,
|
||||
vsc->sc_child->dv_xname);
|
||||
if (sc->sc_intr[0].ih == NULL) {
|
||||
printf("%s: couldn't establish interrupt", vsc->sc_dev.dv_xname);
|
||||
if (intrstr != NULL)
|
||||
printf(" at %s", intrstr);
|
||||
@ -690,6 +701,7 @@ virtio_pci_attach(struct device *parent, struct device *self, void *aux)
|
||||
goto fail_2;
|
||||
}
|
||||
}
|
||||
virtio_pci_setup_intrs(vsc);
|
||||
printf("%s: %s\n", vsc->sc_dev.dv_xname, intrstr);
|
||||
|
||||
return;
|
||||
@ -699,6 +711,8 @@ fail_2:
|
||||
fail_1:
|
||||
/* no pci_mapreg_unmap() or pci_intr_unmap() */
|
||||
virtio_set_status(vsc, VIRTIO_CONFIG_DEVICE_STATUS_FAILED);
|
||||
fail_0:
|
||||
free(sc->sc_intr, M_DEVBUF, sc->sc_nintr * sizeof(*sc->sc_intr));
|
||||
}
|
||||
|
||||
int
|
||||
@ -929,6 +943,8 @@ virtio_pci_msix_establish(struct virtio_pci_softc *sc,
|
||||
struct virtio_softc *vsc = &sc->sc_sc;
|
||||
pci_intr_handle_t ih;
|
||||
|
||||
KASSERT(idx < sc->sc_nintr);
|
||||
|
||||
if (pci_intr_map_msix(vpa->vpa_pa, idx, &ih) != 0) {
|
||||
#if VIRTIO_DEBUG
|
||||
printf("%s[%d]: pci_intr_map_msix failed\n",
|
||||
@ -936,9 +952,11 @@ virtio_pci_msix_establish(struct virtio_pci_softc *sc,
|
||||
#endif
|
||||
return 1;
|
||||
}
|
||||
sc->sc_ih[idx] = pci_intr_establish(sc->sc_pc, ih, vsc->sc_ipl,
|
||||
handler, ih_arg, vsc->sc_dev.dv_xname);
|
||||
if (sc->sc_ih[idx] == NULL) {
|
||||
snprintf(sc->sc_intr[idx].name, sizeof(sc->sc_intr[idx].name), "%s:%d",
|
||||
vsc->sc_child->dv_xname, idx);
|
||||
sc->sc_intr[idx].ih = pci_intr_establish(sc->sc_pc, ih, vsc->sc_ipl,
|
||||
handler, ih_arg, sc->sc_intr[idx].name);
|
||||
if (sc->sc_intr[idx].ih == NULL) {
|
||||
printf("%s[%d]: couldn't establish msix interrupt\n",
|
||||
vsc->sc_dev.dv_xname, idx);
|
||||
return 1;
|
||||
@ -985,10 +1003,10 @@ virtio_pci_free_irqs(struct virtio_pci_softc *sc)
|
||||
}
|
||||
}
|
||||
|
||||
for (i = 0; i < MAX_MSIX_VECS; i++) {
|
||||
if (sc->sc_ih[i]) {
|
||||
pci_intr_disestablish(sc->sc_pc, sc->sc_ih[i]);
|
||||
sc->sc_ih[i] = NULL;
|
||||
for (i = 0; i < sc->sc_nintr; i++) {
|
||||
if (sc->sc_intr[i].ih) {
|
||||
pci_intr_disestablish(sc->sc_pc, sc->sc_intr[i].ih);
|
||||
sc->sc_intr[i].ih = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
@ -1014,7 +1032,6 @@ virtio_pci_setup_msix(struct virtio_pci_softc *sc,
|
||||
return 1;
|
||||
sc->sc_devcfg_offset = VIRTIO_CONFIG_DEVICE_CONFIG_MSI;
|
||||
virtio_pci_adjust_config_region(sc);
|
||||
virtio_pci_set_msix_config_vector(sc, 0);
|
||||
|
||||
if (shared) {
|
||||
if (virtio_pci_msix_establish(sc, vpa, 1,
|
||||
@ -1023,14 +1040,14 @@ virtio_pci_setup_msix(struct virtio_pci_softc *sc,
|
||||
}
|
||||
|
||||
for (i = 0; i < vsc->sc_nvqs; i++)
|
||||
virtio_pci_set_msix_queue_vector(sc, i, 1);
|
||||
vsc->sc_vqs[i].vq_intr_vec = 1;
|
||||
} else {
|
||||
for (i = 0; i < vsc->sc_nvqs; i++) {
|
||||
if (virtio_pci_msix_establish(sc, vpa, i + 1,
|
||||
virtio_pci_queue_intr, &vsc->sc_vqs[i])) {
|
||||
goto fail;
|
||||
}
|
||||
virtio_pci_set_msix_queue_vector(sc, i, i + 1);
|
||||
vsc->sc_vqs[i].vq_intr_vec = i + 1;
|
||||
}
|
||||
}
|
||||
|
||||
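Review bot: In the new virtio_pci_setup_intrs() the loop bound `i <= vsc->sc_nvqs` visits one index more than the other queue loops in this section, which use `i < vsc->sc_nvqs` (see the virtio_pci_setup_msix hunk). If sc_vqs holds sc_nvqs entries, which is not visible here, the last iteration reads `vsc->sc_vqs[i].vq_intr_vec` one element past the array and programs an MSI-X vector for a queue index that was never set up. The bound should be `for (i = 0; i < vsc->sc_nvqs; i++)`. The function is also reached through `sc->sc_ops->setup_intrs(sc)` in virtio_reinit_start, so the out-of-range read would repeat on every reinit.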
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: virtio.c,v 1.31 2024/08/27 18:44:12 sf Exp $ */
|
||||
/* $OpenBSD: virtio.c,v 1.32 2024/09/02 08:26:26 sf Exp $ */
|
||||
/* $NetBSD: virtio.c,v 1.3 2011/11/02 23:05:52 njoly Exp $ */
|
||||
|
||||
/*
|
||||
@ -175,6 +175,7 @@ virtio_reinit_start(struct virtio_softc *sc)
|
||||
virtio_init_vq(sc, vq);
|
||||
virtio_setup_queue(sc, vq, vq->vq_dmamap->dm_segs[0].ds_addr);
|
||||
}
|
||||
sc->sc_ops->setup_intrs(sc);
|
||||
}
|
||||
|
||||
void
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: virtiovar.h,v 1.21 2024/08/27 19:01:11 sf Exp $ */
|
||||
/* $OpenBSD: virtiovar.h,v 1.22 2024/09/02 08:26:26 sf Exp $ */
|
||||
/* $NetBSD: virtiovar.h,v 1.1 2011/10/30 12:12:21 hannken Exp $ */
|
||||
|
||||
/*
|
||||
@ -137,6 +137,7 @@ struct virtqueue {
|
||||
int (*vq_done)(struct virtqueue*);
|
||||
/* 1.x only: offset for notify address calculation */
|
||||
uint32_t vq_notify_off;
|
||||
int vq_intr_vec;
|
||||
};
|
||||
|
||||
struct virtio_feature_name {
|
||||
@ -156,6 +157,7 @@ struct virtio_ops {
|
||||
void (*write_dev_cfg_8)(struct virtio_softc *, int, uint64_t);
|
||||
uint16_t (*read_queue_size)(struct virtio_softc *, uint16_t);
|
||||
void (*setup_queue)(struct virtio_softc *, struct virtqueue *, uint64_t);
|
||||
void (*setup_intrs)(struct virtio_softc *);
|
||||
int (*get_status)(struct virtio_softc *);
|
||||
void (*set_status)(struct virtio_softc *, int);
|
||||
int (*neg_features)(struct virtio_softc *, const struct virtio_feature_name *);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: kern_pledge.c,v 1.317 2024/09/01 17:13:46 bluhm Exp $ */
|
||||
/* $OpenBSD: kern_pledge.c,v 1.318 2024/09/02 11:08:41 jsg Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
|
||||
@ -73,10 +73,8 @@
|
||||
|
||||
#if defined(__amd64__)
|
||||
#include "vmm.h"
|
||||
#if NVMM > 0
|
||||
#include <machine/conf.h>
|
||||
#endif
|
||||
#include "ccp.h"
|
||||
#include <machine/conf.h>
|
||||
#endif
|
||||
|
||||
#include "drm.h"
|
||||
@ -1350,7 +1348,7 @@ pledge_ioctl(struct proc *p, long com, struct file *fp)
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(__amd64__) && NCCP > 0 && NVMM > 0
|
||||
#if NCCP > 0
|
||||
if ((pledge & PLEDGE_VMM)) {
|
||||
if ((fp->f_type == DTYPE_VNODE) &&
|
||||
(vp->v_type == VCHR) &&
|
||||
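Review bot: The guard around the PSP pledge check is reduced to `#if NCCP > 0` (assuming that is the new side of the pair, as the removal of the NVMM guard in the first hunk suggests), while `ccp.h` is included only inside the `#if defined(__amd64__)` block. On other architectures the test therefore relies on the preprocessor treating an undefined NCCP as 0, which works but is easy to break when the include block is next edited. I would keep the architecture in the condition, `#if defined(__amd64__) && NCCP > 0`, or add a comment at the include saying that NCCP is intentionally left undefined elsewhere. pledge_ioctl's body starts and ends outside the hunk.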
|
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: Makefile.inc,v 1.94 2024/06/17 08:30:29 djm Exp $
|
||||
# $OpenBSD: Makefile.inc,v 1.95 2024/09/02 12:13:56 djm Exp $
|
||||
|
||||
.include <bsd.own.mk>
|
||||
|
||||
@ -38,6 +38,8 @@ WARNINGS=yes
|
||||
OPENSSL?= yes
|
||||
ZLIB?= yes
|
||||
DSAKEY?= no
|
||||
# NB. experimental; Internet-draft subject to change.
|
||||
MLKEM?= no
|
||||
|
||||
.if (${OPENSSL:L} == "yes")
|
||||
CFLAGS+= -DWITH_OPENSSL
|
||||
@ -51,6 +53,10 @@ CFLAGS+= -DWITH_ZLIB
|
||||
CFLAGS+= -DWITH_DSA
|
||||
.endif
|
||||
|
||||
.if (${MLKEM:L} == "yes")
|
||||
CFLAGS+= -DWITH_MLKEM
|
||||
.endif
|
||||
|
||||
CFLAGS+= -DENABLE_PKCS11
|
||||
.ifndef NOPIC
|
||||
CFLAGS+= -DHAVE_DLOPEN
|
||||
@ -80,6 +86,9 @@ SRCS_KEX+= smult_curve25519_ref.c
|
||||
SRCS_KEX+= kexgen.c
|
||||
SRCS_KEX+= kexsntrup761x25519.c
|
||||
SRCS_KEX+= sntrup761.c
|
||||
.if (${MLKEM:L} == "yes")
|
||||
SRCS_KEX+= kexmlkem768x25519.c
|
||||
.endif
|
||||
|
||||
SRCS_KEY+= sshkey.c
|
||||
SRCS_KEY+= cipher.c
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: crypto_api.h,v 1.8 2023/01/15 23:05:32 djm Exp $ */
|
||||
/* $OpenBSD: crypto_api.h,v 1.9 2024/09/02 12:13:56 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Assembled from generated headers and source files by Markus Friedl.
|
||||
@ -49,4 +49,9 @@ int crypto_kem_sntrup761_dec(unsigned char *k,
|
||||
const unsigned char *cstr, const unsigned char *sk);
|
||||
int crypto_kem_sntrup761_keypair(unsigned char *pk, unsigned char *sk);
|
||||
|
||||
#define crypto_kem_mlkem768_PUBLICKEYBYTES 1184
|
||||
#define crypto_kem_mlkem768_SECRETKEYBYTES 2400
|
||||
#define crypto_kem_mlkem768_CIPHERTEXTBYTES 1088
|
||||
#define crypto_kem_mlkem768_BYTES 32
|
||||
|
||||
#endif /* crypto_api_h */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: kex-names.c,v 1.2 2024/08/22 23:11:30 djm Exp $ */
|
||||
/* $OpenBSD: kex-names.c,v 1.3 2024/09/02 12:13:56 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -72,6 +72,10 @@ static const struct kexalg kexalgs[] = {
|
||||
SSH_DIGEST_SHA512 },
|
||||
{ KEX_SNTRUP761X25519_SHA512_OLD, KEX_KEM_SNTRUP761X25519_SHA512, 0,
|
||||
SSH_DIGEST_SHA512 },
|
||||
#ifdef WITH_MLKEM
|
||||
{ KEX_MLKEM768X25519_SHA256, KEX_KEM_MLKEM768X25519_SHA256, 0,
|
||||
SSH_DIGEST_SHA256 },
|
||||
#endif
|
||||
{ NULL, 0, -1, -1},
|
||||
};
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: kex.h,v 1.125 2024/08/23 04:51:00 deraadt Exp $ */
|
||||
/* $OpenBSD: kex.h,v 1.126 2024/09/02 12:13:56 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
@ -57,6 +57,7 @@
|
||||
#define KEX_CURVE25519_SHA256_OLD "curve25519-sha256@libssh.org"
|
||||
#define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512"
|
||||
#define KEX_SNTRUP761X25519_SHA512_OLD "sntrup761x25519-sha512@openssh.com"
|
||||
#define KEX_MLKEM768X25519_SHA256 "mlkem768x25519-sha256"
|
||||
|
||||
#define COMP_NONE 0
|
||||
#define COMP_DELAYED 2
|
||||
@ -94,6 +95,7 @@ enum kex_exchange {
|
||||
KEX_ECDH_SHA2,
|
||||
KEX_C25519_SHA256,
|
||||
KEX_KEM_SNTRUP761X25519_SHA512,
|
||||
KEX_KEM_MLKEM768X25519_SHA256,
|
||||
KEX_MAX
|
||||
};
|
||||
|
||||
@ -172,6 +174,7 @@ struct kex {
|
||||
u_char c25519_client_key[CURVE25519_SIZE]; /* 25519 + KEM */
|
||||
u_char c25519_client_pubkey[CURVE25519_SIZE]; /* 25519 */
|
||||
u_char sntrup761_client_key[crypto_kem_sntrup761_SECRETKEYBYTES]; /* KEM */
|
||||
u_char mlkem768_client_key[crypto_kem_mlkem768_SECRETKEYBYTES]; /* KEM */
|
||||
struct sshbuf *client_pub;
|
||||
};
|
||||
|
||||
@ -238,6 +241,12 @@ int kex_kem_sntrup761x25519_enc(struct kex *, const struct sshbuf *,
|
||||
int kex_kem_sntrup761x25519_dec(struct kex *, const struct sshbuf *,
|
||||
struct sshbuf **);
|
||||
|
||||
int kex_kem_mlkem768x25519_keypair(struct kex *);
|
||||
int kex_kem_mlkem768x25519_enc(struct kex *, const struct sshbuf *,
|
||||
struct sshbuf **, struct sshbuf **);
|
||||
int kex_kem_mlkem768x25519_dec(struct kex *, const struct sshbuf *,
|
||||
struct sshbuf **);
|
||||
|
||||
int kex_dh_keygen(struct kex *);
|
||||
int kex_dh_compute_key(struct kex *, BIGNUM *, struct sshbuf *);
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: kexc25519.c,v 1.17 2019/01/21 10:40:11 djm Exp $ */
|
||||
/* $OpenBSD: kexc25519.c,v 1.18 2024/09/02 12:13:56 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2019 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2010 Damien Miller. All rights reserved.
|
||||
@ -69,7 +69,7 @@ kexc25519_shared_key_ext(const u_char key[CURVE25519_SIZE],
|
||||
return SSH_ERR_KEY_INVALID_EC_VALUE;
|
||||
|
||||
#ifdef DEBUG_KEXECDH
|
||||
dump_digest("shared secret", shared_key, CURVE25519_SIZE);
|
||||
dump_digest("shared secret 25519", shared_key, CURVE25519_SIZE);
|
||||
#endif
|
||||
if (raw)
|
||||
r = sshbuf_put(out, shared_key, CURVE25519_SIZE);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: kexgen.c,v 1.8 2021/12/19 22:08:06 djm Exp $ */
|
||||
/* $OpenBSD: kexgen.c,v 1.9 2024/09/02 12:13:56 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2019 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -117,6 +117,11 @@ kex_gen_client(struct ssh *ssh)
|
||||
case KEX_KEM_SNTRUP761X25519_SHA512:
|
||||
r = kex_kem_sntrup761x25519_keypair(kex);
|
||||
break;
|
||||
#ifdef WITH_MLKEM
|
||||
case KEX_KEM_MLKEM768X25519_SHA256:
|
||||
r = kex_kem_mlkem768x25519_keypair(kex);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
r = SSH_ERR_INVALID_ARGUMENT;
|
||||
break;
|
||||
@ -189,6 +194,12 @@ input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh)
|
||||
r = kex_kem_sntrup761x25519_dec(kex, server_blob,
|
||||
&shared_secret);
|
||||
break;
|
||||
#ifdef WITH_MLKEM
|
||||
case KEX_KEM_MLKEM768X25519_SHA256:
|
||||
r = kex_kem_mlkem768x25519_dec(kex, server_blob,
|
||||
&shared_secret);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
r = SSH_ERR_INVALID_ARGUMENT;
|
||||
break;
|
||||
@ -240,6 +251,8 @@ out:
|
||||
explicit_bzero(kex->c25519_client_key, sizeof(kex->c25519_client_key));
|
||||
explicit_bzero(kex->sntrup761_client_key,
|
||||
sizeof(kex->sntrup761_client_key));
|
||||
explicit_bzero(kex->mlkem768_client_key,
|
||||
sizeof(kex->mlkem768_client_key));
|
||||
sshbuf_free(server_host_key_blob);
|
||||
free(signature);
|
||||
sshbuf_free(tmp);
|
||||
@ -307,6 +320,12 @@ input_kex_gen_init(int type, u_int32_t seq, struct ssh *ssh)
|
||||
r = kex_kem_sntrup761x25519_enc(kex, client_pubkey,
|
||||
&server_pubkey, &shared_secret);
|
||||
break;
|
||||
#ifdef WITH_MLKEM
|
||||
case KEX_KEM_MLKEM768X25519_SHA256:
|
||||
r = kex_kem_mlkem768x25519_enc(kex, client_pubkey,
|
||||
&server_pubkey, &shared_secret);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
r = SSH_ERR_INVALID_ARGUMENT;
|
||||
break;
|
||||
|
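--- a/usr.bin/ssh/kexmlkem768x25519.c
+++ b/usr.bin/ssh/kexmlkem768x25519.c
@@ -0,0 +1,252 @@
+/* $OpenBSD: kexmlkem768x25519.c,v 1.1 2024/09/02 12:13:56 djm Exp $ */
+/*
+* Copyright (c) 2023 Markus Friedl. All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+*
+* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#include <sys/types.h>
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <string.h>
+#include <signal.h>
+
+#include "sshkey.h"
+#include "kex.h"
+#include "sshbuf.h"
+#include "digest.h"
+#include "ssherr.h"
+#include "log.h"
+
+#include "libcrux_mlkem768_sha3.h"
+
+int
+kex_kem_mlkem768x25519_keypair(struct kex *kex)
+{
+struct sshbuf *buf = NULL;
+u_char rnd[LIBCRUX_ML_KEM_KEY_PAIR_PRNG_LEN], *cp = NULL;
+size_t need;
+int r = SSH_ERR_INTERNAL_ERROR;
+struct libcrux_mlkem768_keypair keypair;
+
+if ((buf = sshbuf_new()) == NULL)
+return SSH_ERR_ALLOC_FAIL;
+need = crypto_kem_mlkem768_PUBLICKEYBYTES + CURVE25519_SIZE;
+if ((r = sshbuf_reserve(buf, need, &cp)) != 0)
+goto out;
+arc4random_buf(rnd, sizeof(rnd));
+keypair = libcrux_ml_kem_mlkem768_portable_generate_key_pair(rnd);
+memcpy(cp, keypair.pk.value, crypto_kem_mlkem768_PUBLICKEYBYTES);
+memcpy(kex->mlkem768_client_key, keypair.sk.value,
+sizeof(kex->mlkem768_client_key));
+#ifdef DEBUG_KEXECDH
+dump_digest("client public key mlkem768:", cp,
+crypto_kem_mlkem768_PUBLICKEYBYTES);
+#endif
+cp += crypto_kem_mlkem768_PUBLICKEYBYTES;
+kexc25519_keygen(kex->c25519_client_key, cp);
+#ifdef DEBUG_KEXECDH
+dump_digest("client public key c25519:", cp, CURVE25519_SIZE);
+#endif
+/* success */
+r = 0;
+kex->client_pub = buf;
+buf = NULL;
+out:
+explicit_bzero(&keypair, sizeof(keypair));
+explicit_bzero(rnd, sizeof(rnd));
+sshbuf_free(buf);
+return r;
+}
+
+int
+kex_kem_mlkem768x25519_enc(struct kex *kex,
+const struct sshbuf *client_blob, struct sshbuf **server_blobp,
+struct sshbuf **shared_secretp)
+{
+struct sshbuf *server_blob = NULL;
+struct sshbuf *buf = NULL;
+const u_char *client_pub;
+u_char rnd[LIBCRUX_ML_KEM_ENC_PRNG_LEN];
+u_char server_pub[CURVE25519_SIZE], server_key[CURVE25519_SIZE];
+u_char hash[SSH_DIGEST_MAX_LENGTH];
+size_t need;
+int r = SSH_ERR_INTERNAL_ERROR;
+struct libcrux_mlkem768_enc_result enc;
+struct libcrux_mlkem768_pk mlkem_pub;
+
+*server_blobp = NULL;
+*shared_secretp = NULL;
+memset(&mlkem_pub, 0, sizeof(mlkem_pub));
+
+/* client_blob contains both KEM and ECDH client pubkeys */
+need = crypto_kem_mlkem768_PUBLICKEYBYTES + CURVE25519_SIZE;
+if (sshbuf_len(client_blob) != need) {
+r = SSH_ERR_SIGNATURE_INVALID;
+goto out;
+}
+client_pub = sshbuf_ptr(client_blob);
+#ifdef DEBUG_KEXECDH
+dump_digest("client public key mlkem768:", client_pub,
+crypto_kem_mlkem768_PUBLICKEYBYTES);
+dump_digest("client public key 25519:",
+client_pub + crypto_kem_mlkem768_PUBLICKEYBYTES,
+CURVE25519_SIZE);
+#endif
+/* check public key validity */
+memcpy(mlkem_pub.value, client_pub, crypto_kem_mlkem768_PUBLICKEYBYTES);
+if (!libcrux_ml_kem_mlkem768_portable_validate_public_key(&mlkem_pub)) {
+r = SSH_ERR_SIGNATURE_INVALID;
+goto out;
+}
+
+/* allocate buffer for concatenation of KEM key and ECDH shared key */
+/* the buffer will be hashed and the result is the shared secret */
+if ((buf = sshbuf_new()) == NULL) {
+r = SSH_ERR_ALLOC_FAIL;
+goto out;
+}
+/* allocate space for encrypted KEM key and ECDH pub key */
+if ((server_blob = sshbuf_new()) == NULL) {
+r = SSH_ERR_ALLOC_FAIL;
+goto out;
+}
+/* generate and encrypt KEM key with client key */
+arc4random_buf(rnd, sizeof(rnd));
+enc = libcrux_ml_kem_mlkem768_portable_encapsulate(&mlkem_pub, rnd);
+/* generate ECDH key pair, store server pubkey after ciphertext */
+kexc25519_keygen(server_key, server_pub);
+if ((r = sshbuf_put(buf, enc.snd, sizeof(enc.snd))) != 0 ||
+(r = sshbuf_put(server_blob, enc.fst.value, sizeof(enc.fst.value))) != 0 ||
+(r = sshbuf_put(server_blob, server_pub, sizeof(server_pub))) != 0)
+goto out;
+/* append ECDH shared key */
+client_pub += crypto_kem_mlkem768_PUBLICKEYBYTES;
+if ((r = kexc25519_shared_key_ext(server_key, client_pub, buf, 1)) < 0)
+goto out;
+if ((r = ssh_digest_buffer(kex->hash_alg, buf, hash, sizeof(hash))) != 0)
+goto out;
+#ifdef DEBUG_KEXECDH
+dump_digest("server public key 25519:", server_pub, CURVE25519_SIZE);
+dump_digest("server cipher text:",
+enc.fst.value, sizeof(enc.fst.value));
+dump_digest("server kem key:", enc.snd, sizeof(enc.snd));
+dump_digest("concatenation of KEM key and ECDH shared key:",
+sshbuf_ptr(buf), sshbuf_len(buf));
+#endif
+/* string-encoded hash is resulting shared secret */
+sshbuf_reset(buf);
+if ((r = sshbuf_put_string(buf, hash,
+ssh_digest_bytes(kex->hash_alg))) != 0)
+goto out;
+#ifdef DEBUG_KEXECDH
+dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf));
+#endif
+/* success */
+r = 0;
+*server_blobp = server_blob;
+*shared_secretp = buf;
+server_blob = NULL;
+buf = NULL;
+out:
+explicit_bzero(hash, sizeof(hash));
+explicit_bzero(server_key, sizeof(server_key));
+explicit_bzero(rnd, sizeof(rnd));
+explicit_bzero(&enc, sizeof(enc));
+sshbuf_free(server_blob);
+sshbuf_free(buf);
+return r;
+}
+
+int
+kex_kem_mlkem768x25519_dec(struct kex *kex,
+const struct sshbuf *server_blob, struct sshbuf **shared_secretp)
+{
+struct sshbuf *buf = NULL;
+u_char mlkem_key[crypto_kem_mlkem768_BYTES];
+const u_char *ciphertext, *server_pub;
+u_char hash[SSH_DIGEST_MAX_LENGTH];
+size_t need;
+int r;
+struct libcrux_mlkem768_sk mlkem_priv;
+struct libcrux_mlkem768_ciphertext mlkem_ciphertext;
+
+*shared_secretp = NULL;
+memset(&mlkem_priv, 0, sizeof(mlkem_priv));
+memset(&mlkem_ciphertext, 0, sizeof(mlkem_ciphertext));
+
+need = crypto_kem_mlkem768_CIPHERTEXTBYTES + CURVE25519_SIZE;
+if (sshbuf_len(server_blob) != need) {
+r = SSH_ERR_SIGNATURE_INVALID;
+goto out;
+}
+ciphertext = sshbuf_ptr(server_blob);
+server_pub = ciphertext + crypto_kem_mlkem768_CIPHERTEXTBYTES;
+/* hash concatenation of KEM key and ECDH shared key */
+if ((buf = sshbuf_new()) == NULL) {
+r = SSH_ERR_ALLOC_FAIL;
+goto out;
+}
+memcpy(mlkem_priv.value, kex->mlkem768_client_key,
+sizeof(kex->mlkem768_client_key));
+memcpy(mlkem_ciphertext.value, ciphertext,
+sizeof(mlkem_ciphertext.value));
+#ifdef DEBUG_KEXECDH
+dump_digest("server cipher text:", mlkem_ciphertext.value,
+sizeof(mlkem_ciphertext.value));
+dump_digest("server public key c25519:", server_pub, CURVE25519_SIZE);
+#endif
+libcrux_ml_kem_mlkem768_portable_decapsulate(&mlkem_priv,
+&mlkem_ciphertext, mlkem_key);
+if ((r = sshbuf_put(buf, mlkem_key, sizeof(mlkem_key))) != 0)
+goto out;
+if ((r = kexc25519_shared_key_ext(kex->c25519_client_key, server_pub,
+buf, 1)) < 0)
+goto out;
+if ((r = ssh_digest_buffer(kex->hash_alg, buf,
+hash, sizeof(hash))) != 0)
+goto out;
+#ifdef DEBUG_KEXECDH
+dump_digest("client kem key:", mlkem_key, sizeof(mlkem_key));
+dump_digest("concatenation of KEM key and ECDH shared key:",
+sshbuf_ptr(buf), sshbuf_len(buf));
+#endif
+sshbuf_reset(buf);
+if ((r = sshbuf_put_string(buf, hash,
+ssh_digest_bytes(kex->hash_alg))) != 0)
+goto out;
+#ifdef DEBUG_KEXECDH
+dump_digest("encoded shared secret:", sshbuf_ptr(buf), sshbuf_len(buf));
+#endif
+/* success */
+r = 0;
+*shared_secretp = buf;
+buf = NULL;
+out:
+explicit_bzero(hash, sizeof(hash));
+explicit_bzero(&mlkem_priv, sizeof(mlkem_priv));
+explicit_bzero(&mlkem_ciphertext, sizeof(mlkem_ciphertext));
+explicit_bzero(mlkem_key, sizeof(mlkem_key));
+sshbuf_free(buf);
+return r;
+}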
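Review bot: The two copies of the ML-KEM secret key depend on `kex->mlkem768_client_key` and the libcrux `sk.value` array having the same size, and nothing in this file enforces that. `kex_kem_mlkem768x25519_keypair` bounds its copy from `keypair.sk.value` by the destination size, while `kex_kem_mlkem768x25519_dec` bounds the copy into the stack object `mlkem_priv.value` by the source size, so a larger kex field would over-read in the first and overflow in the second. The field's declaration is outside this file, and the only size check visible on the page is the smoke test mlkem768.sh runs when the header is regenerated, which compares against `crypto_kem_mlkem768_SECRETKEYBYTES` rather than against the field. I would add a compile-time check after the includes, `_Static_assert(sizeof(((struct kex *)0)->mlkem768_client_key) == sizeof(((struct libcrux_mlkem768_sk *)0)->value), "mlkem768 secret key size");`, and a matching one for `mlkem_pub.value` against `crypto_kem_mlkem768_PUBLICKEYBYTES`.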
12332
usr.bin/ssh/libcrux_mlkem768_sha3.h
Normal file
12332
usr.bin/ssh/libcrux_mlkem768_sha3.h
Normal file
File diff suppressed because it is too large
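--- a/usr.bin/ssh/mlkem768.sh
+++ b/usr.bin/ssh/mlkem768.sh
@@ -0,0 +1,148 @@
+#!/bin/sh
+# $OpenBSD: mlkem768.sh,v 1.1 2024/09/02 12:13:56 djm Exp $
+# Placed in the Public Domain.
+#
+
+WANT_LIBCRUX_REVISION="origin/main"
+
+FILES="
+libcrux/libcrux-ml-kem/cg/eurydice_glue.h
+libcrux/libcrux-ml-kem/cg/libcrux_core.h
+libcrux/libcrux-ml-kem/cg/libcrux_ct_ops.h
+libcrux/libcrux-ml-kem/cg/libcrux_sha3_portable.h
+libcrux/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
+"
+
+START="$PWD"
+die() {
+echo "$@" 1>&2
+exit 1
+}
+
+set -xeuo pipefail
+test -d libcrux || git clone https://github.com/cryspen/libcrux
+cd libcrux
+test `git diff | wc -l` -ne 0 && die "tree has unstaged changes"
+git fetch
+git checkout -B extract 1>&2
+git reset --hard $WANT_LIBCRUX_REVISION 1>&2
+LIBCRUX_REVISION=`git rev-parse HEAD`
+set +x
+
+cd $START
+(
+echo -n '/* $OpenBSD: mlkem768.sh,v 1.1 2024/09/02 12:13:56 djm Exp $ */'
+echo
+echo "/* Extracted from libcrux revision $LIBCRUX_REVISION */"
+echo
+echo '/*'
+cat libcrux/LICENSE-MIT | sed 's/^/ * /;s/ *$//'
+echo ' */'
+echo
+echo '#if !defined(__GNUC__) || (__GNUC__ < 2)'
+echo '# define __attribute__(x)'
+echo '#endif'
+echo '#define KRML_MUSTINLINE inline'
+echo '#define KRML_NOINLINE __attribute__((noinline, unused))'
+echo '#define KRML_HOST_EPRINTF(...)'
+echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")'
+echo
+for i in $FILES; do
+echo "/* from $i */"
+# Changes to all files:
+# - remove all includes, we inline everything required.
+# - cleanup whitespace
+sed -e "/#include/d" \
+-e 's/[ ]*$//' \
+$i | \
+case "$i" in
+# XXX per-file handling goes here.
+# Default: pass through.
+*)
+cat
+;;
+esac
+echo
+done
+
+echo
+echo '/* rename some types to be a bit more ergonomic */'
+echo '#define libcrux_mlkem768_keypair libcrux_ml_kem_mlkem768_MlKem768KeyPair_s'
+echo '#define libcrux_mlkem768_pk_valid_result Option_92_s'
+echo '#define libcrux_mlkem768_pk libcrux_ml_kem_types_MlKemPublicKey_15_s'
+echo '#define libcrux_mlkem768_sk libcrux_ml_kem_types_MlKemPrivateKey_55_s'
+echo '#define libcrux_mlkem768_ciphertext libcrux_ml_kem_mlkem768_MlKem768Ciphertext_s'
+echo '#define libcrux_mlkem768_enc_result tuple_3c_s'
+) > libcrux_mlkem768_sha3.h_new
+
+# Do some checks on the resultant file
+
+cat > libcrux_mlkem768_sha3_check.c << _EOF
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <string.h>
+#include <signal.h>
+#include <err.h>
+#include "crypto_api.h"
+#define fatal_f(x) exit(1)
+#include "libcrux_mlkem768_sha3.h_new"
+int main(void) {
+struct libcrux_mlkem768_keypair keypair = {0};
+struct libcrux_mlkem768_pk pk = {0};
+struct libcrux_mlkem768_sk sk = {0};
+struct libcrux_mlkem768_ciphertext ct = {0};
+struct libcrux_mlkem768_enc_result enc_result = {0};
+uint8_t kp_seed[64] = {0}, enc_seed[32] = {0};
+uint8_t shared_key[crypto_kem_mlkem768_BYTES];
+
+if (sizeof(keypair.pk.value) != crypto_kem_mlkem768_PUBLICKEYBYTES)
+errx(1, "keypair.pk bad");
+if (sizeof(keypair.sk.value) != crypto_kem_mlkem768_SECRETKEYBYTES)
+errx(1, "keypair.sk bad");
+if (sizeof(pk.value) != crypto_kem_mlkem768_PUBLICKEYBYTES)
+errx(1, "pk bad");
+if (sizeof(sk.value) != crypto_kem_mlkem768_SECRETKEYBYTES)
+errx(1, "sk bad");
+if (sizeof(ct.value) != crypto_kem_mlkem768_CIPHERTEXTBYTES)
+errx(1, "ct bad");
+if (sizeof(enc_result.fst.value) != crypto_kem_mlkem768_CIPHERTEXTBYTES)
+errx(1, "enc_result ct bad");
+if (sizeof(enc_result.snd) != crypto_kem_mlkem768_BYTES)
+errx(1, "enc_result shared key bad");
+
+keypair = libcrux_ml_kem_mlkem768_portable_generate_key_pair(kp_seed);
+if (!libcrux_ml_kem_mlkem768_portable_validate_public_key(&keypair.pk))
+errx(1, "valid smoke failed");
+enc_result = libcrux_ml_kem_mlkem768_portable_encapsulate(&keypair.pk,
+enc_seed);
+libcrux_ml_kem_mlkem768_portable_decapsulate(&keypair.sk,
+&enc_result.fst, shared_key);
+if (memcmp(shared_key, enc_result.snd, sizeof(shared_key)) != 0)
+errx(1, "smoke failed");
+return 0;
+}
+_EOF
+cc -Wall -Wextra -Wno-unused-parameter -o libcrux_mlkem768_sha3_check \
+libcrux_mlkem768_sha3_check.c
+./libcrux_mlkem768_sha3_check
+
+# Extract PRNG inputs; there's no nice #defines for these
+key_pair_rng_len=`sed -e '/^libcrux_ml_kem_mlkem768_portable_kyber_generate_key_pair[(]$/,/[)] {$/!d' < libcrux_mlkem768_sha3.h_new | grep 'uint8_t randomness\[[0-9]*U\][)]' | sed 's/.*randomness\[\([0-9]*\)U\].*/\1/'`
+enc_rng_len=`sed -e '/^static inline tuple_3c libcrux_ml_kem_mlkem768_portable_kyber_encapsulate[(]$/,/[)] {$/!d' < libcrux_mlkem768_sha3.h_new | grep 'uint8_t randomness\[[0-9]*U\][)]' | sed 's/.*randomness\[\([0-9]*\)U\].*/\1/'`
+test -z "$key_pair_rng_len" && die "couldn't find size of libcrux_ml_kem_mlkem768_portable_kyber_generate_key_pair randomness argument"
+test -z "$enc_rng_len" && die "couldn't find size of libcrux_ml_kem_mlkem768_portable_kyber_encapsulate randomness argument"
+
+(
+echo "/* defines for PRNG inputs */"
+echo "#define LIBCRUX_ML_KEM_KEY_PAIR_PRNG_LEN $key_pair_rng_len"
+echo "#define LIBCRUX_ML_KEM_ENC_PRNG_LEN $enc_rng_len"
+) >> libcrux_mlkem768_sha3.h_new
+
+mv libcrux_mlkem768_sha3.h_new libcrux_mlkem768_sha3.h
+rm libcrux_mlkem768_sha3_check libcrux_mlkem768_sha3_check.c
+echo 1>&2
+echo "libcrux_mlkem768_sha3.h OK" 1>&2
+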
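Review bot: `WANT_LIBCRUX_REVISION="origin/main"` makes every regeneration of the vendored ML-KEM header take whatever the upstream branch holds at that moment, fetched through `git clone https://github.com/cryspen/libcrux` with no commit or signature check. The resolved commit is written into the generated header's comment, but only after the fact, so the script alone cannot reproduce or audit a given header. I would pin the reviewed commit here, `WANT_LIBCRUX_REVISION="<reviewed-commit-sha>"` (placeholder), and bump it deliberately in the same change as the regenerated header. Separately, `set -xeuo pipefail` under `#!/bin/sh` depends on the shell accepting `pipefail`, which not every sh does.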
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: monitor.c,v 1.240 2024/06/06 17:15:25 djm Exp $ */
|
||||
/* $OpenBSD: monitor.c,v 1.241 2024/09/02 12:13:56 djm Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
@ -1456,6 +1456,9 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||
#endif
|
||||
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
||||
#ifdef WITH_MLKEM
|
||||
kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;
|
||||
#endif
|
||||
kex->load_host_public_key=&get_hostkey_public_by_type;
|
||||
kex->load_host_private_key=&get_hostkey_private_by_type;
|
||||
kex->host_key_index=&get_hostkey_index;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: readconf.c,v 1.388 2024/08/23 04:51:00 deraadt Exp $ */
|
||||
/* $OpenBSD: readconf.c,v 1.389 2024/09/03 05:29:55 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -622,6 +622,63 @@ check_match_ifaddrs(const char *addrlist)
|
||||
return found;
|
||||
}
|
||||
|
||||
/*
|
||||
* Expand a "match exec" command or an Include path, caller must free returned
|
||||
* value.
|
||||
*/
|
||||
static char *
|
||||
expand_match_exec_or_include_path(const char *path, Options *options,
|
||||
struct passwd *pw, const char *host_arg, const char *original_host,
|
||||
int final_pass, int is_include_path)
|
||||
{
|
||||
char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
|
||||
char uidstr[32], *conn_hash_hex, *keyalias, *jmphost, *ruser;
|
||||
char *host, *ret;
|
||||
int port;
|
||||
|
||||
port = options->port <= 0 ? default_ssh_port() : options->port;
|
||||
ruser = options->user == NULL ? pw->pw_name : options->user;
|
||||
if (final_pass) {
|
||||
host = xstrdup(options->hostname);
|
||||
} else if (options->hostname != NULL) {
|
||||
/* NB. Please keep in sync with ssh.c:main() */
|
||||
host = percent_expand(options->hostname,
|
||||
"h", host_arg, (char *)NULL);
|
||||
} else {
|
||||
host = xstrdup(host_arg);
|
||||
}
|
||||
if (gethostname(thishost, sizeof(thishost)) == -1)
|
||||
fatal("gethostname: %s", strerror(errno));
|
||||
jmphost = option_clear_or_none(options->jump_host) ?
|
||||
"" : options->jump_host;
|
||||
strlcpy(shorthost, thishost, sizeof(shorthost));
|
||||
shorthost[strcspn(thishost, ".")] = '\0';
|
||||
snprintf(portstr, sizeof(portstr), "%d", port);
|
||||
snprintf(uidstr, sizeof(uidstr), "%llu",
|
||||
(unsigned long long)pw->pw_uid);
|
||||
conn_hash_hex = ssh_connection_hash(thishost, host,
|
||||
portstr, ruser, jmphost);
|
||||
keyalias = options->host_key_alias ? options->host_key_alias : host;
|
||||
|
||||
ret = (is_include_path ? percent_dollar_expand : percent_expand)(path,
|
||||
"C", conn_hash_hex,
|
||||
"L", shorthost,
|
||||
"d", pw->pw_dir,
|
||||
"h", host,
|
||||
"k", keyalias,
|
||||
"l", thishost,
|
||||
"n", original_host,
|
||||
"p", portstr,
|
||||
"r", ruser,
|
||||
"u", pw->pw_name,
|
||||
"i", uidstr,
|
||||
"j", jmphost,
|
||||
(char *)NULL);
|
||||
free(host);
|
||||
free(conn_hash_hex);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse and execute a Match directive.
|
||||
*/
|
||||
@ -632,15 +689,12 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
|
||||
{
|
||||
char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria;
|
||||
const char *ruser;
|
||||
int r, port, this_result, result = 1, attributes = 0, negate;
|
||||
char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
|
||||
char uidstr[32];
|
||||
int r, this_result, result = 1, attributes = 0, negate;
|
||||
|
||||
/*
|
||||
* Configuration is likely to be incomplete at this point so we
|
||||
* must be prepared to use default values.
|
||||
*/
|
||||
port = options->port <= 0 ? default_ssh_port() : options->port;
|
||||
ruser = options->user == NULL ? pw->pw_name : options->user;
|
||||
if (final_pass) {
|
||||
host = xstrdup(options->hostname);
|
||||
@ -742,37 +796,12 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
|
||||
if (r == (negate ? 1 : 0))
|
||||
this_result = result = 0;
|
||||
} else if (strcasecmp(attrib, "exec") == 0) {
|
||||
char *conn_hash_hex, *keyalias, *jmphost;
|
||||
|
||||
if (gethostname(thishost, sizeof(thishost)) == -1)
|
||||
fatal("gethostname: %s", strerror(errno));
|
||||
jmphost = option_clear_or_none(options->jump_host) ?
|
||||
"" : options->jump_host;
|
||||
strlcpy(shorthost, thishost, sizeof(shorthost));
|
||||
shorthost[strcspn(thishost, ".")] = '\0';
|
||||
snprintf(portstr, sizeof(portstr), "%d", port);
|
||||
snprintf(uidstr, sizeof(uidstr), "%llu",
|
||||
(unsigned long long)pw->pw_uid);
|
||||
conn_hash_hex = ssh_connection_hash(thishost, host,
|
||||
portstr, ruser, jmphost);
|
||||
keyalias = options->host_key_alias ?
|
||||
options->host_key_alias : host;
|
||||
|
||||
cmd = percent_expand(arg,
|
||||
"C", conn_hash_hex,
|
||||
"L", shorthost,
|
||||
"d", pw->pw_dir,
|
||||
"h", host,
|
||||
"k", keyalias,
|
||||
"l", thishost,
|
||||
"n", original_host,
|
||||
"p", portstr,
|
||||
"r", ruser,
|
||||
"u", pw->pw_name,
|
||||
"i", uidstr,
|
||||
"j", jmphost,
|
||||
(char *)NULL);
|
||||
free(conn_hash_hex);
|
||||
if ((cmd = expand_match_exec_or_include_path(arg,
|
||||
options, pw, host_arg, original_host,
|
||||
final_pass, 0)) == NULL) {
|
||||
fatal("%.200s line %d: failed to expand match "
|
||||
"exec '%.100s'", filename, linenum, arg);
|
||||
}
|
||||
if (result != 1) {
|
||||
/* skip execution if prior predicate failed */
|
||||
debug3("%.200s line %d: skipped exec "
|
||||
@ -1967,6 +1996,15 @@ parse_pubkey_algos:
|
||||
filename, linenum, keyword);
|
||||
goto out;
|
||||
}
|
||||
/* Expand %tokens and environment variables */
|
||||
if ((p = expand_match_exec_or_include_path(arg,
|
||||
options, pw, host, original_host,
|
||||
flags & SSHCONF_FINAL, 1)) == NULL) {
|
||||
error("%.200s line %d: Unable to expand user "
|
||||
"config file '%.100s'",
|
||||
filename, linenum, arg);
|
||||
continue;
|
||||
}
|
||||
/*
|
||||
* Ensure all paths are anchored. User configuration
|
||||
* files may begin with '~/' but system configurations
|
||||
@ -1974,17 +2012,19 @@ parse_pubkey_algos:
|
||||
* as living in ~/.ssh for user configurations or
|
||||
* /etc/ssh for system ones.
|
||||
*/
|
||||
if (*arg == '~' && (flags & SSHCONF_USERCONF) == 0) {
|
||||
if (*p == '~' && (flags & SSHCONF_USERCONF) == 0) {
|
||||
error("%.200s line %d: bad include path %s.",
|
||||
filename, linenum, arg);
|
||||
filename, linenum, p);
|
||||
goto out;
|
||||
}
|
||||
if (!path_absolute(arg) && *arg != '~') {
|
||||
if (!path_absolute(p) && *p != '~') {
|
||||
xasprintf(&arg2, "%s/%s",
|
||||
(flags & SSHCONF_USERCONF) ?
|
||||
"~/" _PATH_SSH_USER_DIR : SSHDIR, arg);
|
||||
} else
|
||||
arg2 = xstrdup(arg);
|
||||
"~/" _PATH_SSH_USER_DIR : SSHDIR, p);
|
||||
} else {
|
||||
arg2 = xstrdup(p);
|
||||
}
|
||||
free(p);
|
||||
memset(&gl, 0, sizeof(gl));
|
||||
r = glob(arg2, GLOB_TILDE, NULL, &gl);
|
||||
if (r == GLOB_NOMATCH) {
|
||||
@ -2010,8 +2050,9 @@ parse_pubkey_algos:
|
||||
(oactive ? 0 : SSHCONF_NEVERMATCH),
|
||||
activep, want_final_pass, depth + 1);
|
||||
if (r != 1 && errno != ENOENT) {
|
||||
error("Can't open user config file "
|
||||
"%.100s: %.100s", gl.gl_pathv[i],
|
||||
error("%.200s line %d: Can't open user "
|
||||
"config file %.100s: %.100s",
|
||||
filename, linenum, gl.gl_pathv[i],
|
||||
strerror(errno));
|
||||
globfree(&gl);
|
||||
goto out;
|
||||
|
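Review bot: In the Include hunk, a path that fails to expand is logged and skipped with `continue`, while the rejected-path case just below it (`bad include path`) aborts with `goto out`. If the skipped file is the one carrying host key or proxy policy, the rest of the configuration is applied without it; whether the caller later treats the logged error as fatal is outside the hunk. I would fail closed here too, replacing `continue;` with `goto out;`, or add a comment saying why skipping is intended. It is also worth a comment above the `glob()` call that `p` now holds expanded `%h`, `%n`, `%r` and environment values, so path separators or glob characters in them reach `glob(arg2, GLOB_TILDE, ...)` unless they are validated elsewhere.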
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssh-keyscan.c,v 1.158 2024/06/14 00:25:25 djm Exp $ */
|
||||
/* $OpenBSD: ssh-keyscan.c,v 1.159 2024/09/02 12:13:56 djm Exp $ */
|
||||
/*
|
||||
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
|
||||
*
|
||||
@ -277,6 +277,9 @@ keygrab_ssh2(con *c)
|
||||
#endif
|
||||
c->c_ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
|
||||
c->c_ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
|
||||
#ifdef WITH_MLKEM
|
||||
c->c_ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_client;
|
||||
#endif
|
||||
ssh_set_verify_host_key_callback(c->c_ssh, key_print_wrapper);
|
||||
/*
|
||||
* do the key-exchange until an error occurs or until
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssh_api.c,v 1.29 2024/05/17 00:30:24 djm Exp $ */
|
||||
/* $OpenBSD: ssh_api.c,v 1.30 2024/09/02 12:13:56 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2012 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -130,6 +130,9 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params)
|
||||
#endif /* WITH_OPENSSL */
|
||||
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
||||
#ifdef WITH_MLKEM
|
||||
ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;
|
||||
#endif
|
||||
ssh->kex->load_host_public_key=&_ssh_host_public_key;
|
||||
ssh->kex->load_host_private_key=&_ssh_host_private_key;
|
||||
ssh->kex->sign=&_ssh_host_key_sign;
|
||||
@ -146,6 +149,9 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params)
|
||||
#endif /* WITH_OPENSSL */
|
||||
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
|
||||
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
|
||||
#ifdef WITH_MLKEM
|
||||
ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_client;
|
||||
#endif
|
||||
ssh->kex->verify_host_key =&_ssh_verify_host_key;
|
||||
}
|
||||
*sshp = ssh;
|
||||
|
@ -33,8 +33,8 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.399 2024/08/22 23:11:30 djm Exp $
|
||||
.Dd $Mdocdate: August 22 2024 $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.401 2024/09/03 06:17:48 jmc Exp $
|
||||
.Dd $Mdocdate: September 3 2024 $
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -1182,7 +1182,12 @@ to unknown options that appear before it.
|
||||
Include the specified configuration file(s).
|
||||
Multiple pathnames may be specified and each pathname may contain
|
||||
.Xr glob 7
|
||||
wildcards and, for user configurations, shell-like
|
||||
wildcards,
|
||||
tokens as described in the
|
||||
.Sx TOKENS
|
||||
section, environment variables as described in the
|
||||
.Sx ENVIRONMENT VARIABLES
|
||||
section and, for user configurations, shell-like
|
||||
.Sq ~
|
||||
references to user home directories.
|
||||
Wildcards will be expanded and processed in lexical order.
|
||||
@ -2271,6 +2276,7 @@ The local username.
|
||||
.Cm ControlPath ,
|
||||
.Cm IdentityAgent ,
|
||||
.Cm IdentityFile ,
|
||||
.Cm Include ,
|
||||
.Cm KnownHostsCommand ,
|
||||
.Cm LocalForward ,
|
||||
.Cm Match exec ,
|
||||
@ -2319,6 +2325,7 @@ The keywords
|
||||
.Cm ControlPath ,
|
||||
.Cm IdentityAgent ,
|
||||
.Cm IdentityFile ,
|
||||
.Cm Include ,
|
||||
.Cm KnownHostsCommand ,
|
||||
and
|
||||
.Cm UserKnownHostsFile
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sshconnect2.c,v 1.373 2024/05/17 06:38:00 jsg Exp $ */
|
||||
/* $OpenBSD: sshconnect2.c,v 1.374 2024/09/02 12:13:56 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||
@ -267,6 +267,9 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
|
||||
#endif
|
||||
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
|
||||
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
|
||||
#ifdef WITH_MLKEM
|
||||
ssh->kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_client;
|
||||
#endif
|
||||
ssh->kex->verify_host_key=&verify_host_key_callback;
|
||||
|
||||
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sshd-session.c,v 1.6 2024/07/31 12:00:18 dlg Exp $ */
|
||||
/* $OpenBSD: sshd-session.c,v 1.8 2024/09/02 12:18:35 djm Exp $ */
|
||||
/*
|
||||
* SSH2 implementation:
|
||||
* Privilege Separation:
|
||||
@ -1334,6 +1334,9 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
#endif
|
||||
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
||||
#ifdef WITH_MLKEM
|
||||
kex->kex[KEX_KEM_MLKEM768X25519_SHA256] = kex_gen_server;
|
||||
#endif
|
||||
kex->load_host_public_key=&get_hostkey_public_by_type;
|
||||
kex->load_host_private_key=&get_hostkey_private_by_type;
|
||||
kex->host_key_index=&get_hostkey_index;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: main.c,v 1.264 2024/08/20 13:31:49 claudio Exp $ */
|
||||
/* $OpenBSD: main.c,v 1.265 2024/09/03 15:04:48 job Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
|
||||
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
|
||||
@ -1489,9 +1489,12 @@ main(int argc, char *argv[])
|
||||
"invalid)\n", stats.repo_tal_stats.aspas,
|
||||
stats.repo_tal_stats.aspas_fail,
|
||||
stats.repo_tal_stats.aspas_invalid);
|
||||
printf("Signed Prefix Lists: %u (%u failed parse, %u invalid)\n",
|
||||
stats.repo_tal_stats.spls, stats.repo_tal_stats.spls_fail,
|
||||
stats.repo_tal_stats.spls_invalid);
|
||||
if (experimental) {
|
||||
printf("Signed Prefix Lists: %u "
|
||||
"(%u failed parse, %u invalid)\n",
|
||||
stats.repo_tal_stats.spls, stats.repo_tal_stats.spls_fail,
|
||||
stats.repo_tal_stats.spls_invalid);
|
||||
}
|
||||
printf("BGPsec Router Certificates: %u\n", stats.repo_tal_stats.brks);
|
||||
printf("Certificates: %u (%u invalid)\n",
|
||||
stats.repo_tal_stats.certs, stats.repo_tal_stats.certs_fail);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: output-json.c,v 1.49 2024/04/21 19:27:44 claudio Exp $ */
|
||||
/* $OpenBSD: output-json.c,v 1.50 2024/09/03 15:04:48 job Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
|
||||
*
|
||||
@ -47,9 +47,11 @@ outputheader_json(struct stats *st)
|
||||
json_do_int("roas", st->repo_tal_stats.roas);
|
||||
json_do_int("failedroas", st->repo_tal_stats.roas_fail);
|
||||
json_do_int("invalidroas", st->repo_tal_stats.roas_invalid);
|
||||
json_do_int("spls", st->repo_tal_stats.spls);
|
||||
json_do_int("failedspls", st->repo_tal_stats.spls_fail);
|
||||
json_do_int("invalidspls", st->repo_tal_stats.spls_invalid);
|
||||
if (experimental) {
|
||||
json_do_int("spls", st->repo_tal_stats.spls);
|
||||
json_do_int("failedspls", st->repo_tal_stats.spls_fail);
|
||||
json_do_int("invalidspls", st->repo_tal_stats.spls_invalid);
|
||||
}
|
||||
json_do_int("aspas", st->repo_tal_stats.aspas);
|
||||
json_do_int("failedaspas", st->repo_tal_stats.aspas_fail);
|
||||
json_do_int("invalidaspas", st->repo_tal_stats.aspas_invalid);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: output-ometric.c,v 1.10 2024/04/08 14:02:13 tb Exp $ */
|
||||
/* $OpenBSD: output-ometric.c,v 1.11 2024/09/03 15:04:48 job Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2022 Claudio Jeker <claudio@openbsd.org>
|
||||
*
|
||||
@ -85,12 +85,14 @@ set_common_stats(const struct repotalstats *in, struct ometric *metric,
|
||||
ometric_set_int_with_labels(metric, in->vaps_overflowed,
|
||||
OKV("type", "state"), OKV("vap overflowed"), ol);
|
||||
|
||||
ometric_set_int_with_labels(metric, in->spls,
|
||||
OKV("type", "state"), OKV("spl", "valid"), ol);
|
||||
ometric_set_int_with_labels(metric, in->spls_fail,
|
||||
OKV("type", "state"), OKV("spl", "failed parse"), ol);
|
||||
ometric_set_int_with_labels(metric, in->spls_invalid,
|
||||
OKV("type", "state"), OKV("spl", "invalid"), ol);
|
||||
if (experimental) {
|
||||
ometric_set_int_with_labels(metric, in->spls,
|
||||
OKV("type", "state"), OKV("spl", "valid"), ol);
|
||||
ometric_set_int_with_labels(metric, in->spls_fail,
|
||||
OKV("type", "state"), OKV("spl", "failed parse"), ol);
|
||||
ometric_set_int_with_labels(metric, in->spls_invalid,
|
||||
OKV("type", "state"), OKV("spl", "invalid"), ol);
|
||||
}
|
||||
|
||||
ometric_set_int_with_labels(metric, in->vsps,
|
||||
OKV("type", "state"), OKV("vsp", "total"), ol);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: repo.c,v 1.64 2024/08/29 09:54:13 job Exp $ */
|
||||
/* $OpenBSD: repo.c,v 1.66 2024/09/03 15:37:03 tb Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
|
||||
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
|
||||
@ -656,7 +656,7 @@ rrdp_session_parse(struct rrdprepo *rr)
|
||||
{
|
||||
FILE *f;
|
||||
struct rrdp_session *state;
|
||||
int fd, ln = 0, deltacnt = 0;
|
||||
int fd, i, ln = 0, deltacnt = 0;
|
||||
const char *errstr;
|
||||
char *line = NULL, *file;
|
||||
size_t len = 0;
|
||||
@ -673,6 +673,7 @@ rrdp_session_parse(struct rrdprepo *rr)
|
||||
if (errno != ENOENT)
|
||||
warn("%s: open state file", rr->basedir);
|
||||
free(file);
|
||||
rr->last_reset = now;
|
||||
return state;
|
||||
}
|
||||
free(file);
|
||||
@ -690,13 +691,19 @@ rrdp_session_parse(struct rrdprepo *rr)
|
||||
break;
|
||||
case 1:
|
||||
state->serial = strtonum(line, 1, LLONG_MAX, &errstr);
|
||||
if (errstr)
|
||||
goto fail;
|
||||
if (errstr) {
|
||||
warnx("%s: state file: serial is %s: %s",
|
||||
rr->basedir, errstr, line);
|
||||
goto reset;
|
||||
}
|
||||
break;
|
||||
case 2:
|
||||
rr->last_reset = strtonum(line, 1, LLONG_MAX, &errstr);
|
||||
if (errstr)
|
||||
goto fail;
|
||||
if (errstr) {
|
||||
warnx("%s: state file: last_reset is %s: %s",
|
||||
rr->basedir, errstr, line);
|
||||
goto reset;
|
||||
}
|
||||
break;
|
||||
case 3:
|
||||
if (strcmp(line, "-") == 0)
|
||||
@ -705,8 +712,11 @@ rrdp_session_parse(struct rrdprepo *rr)
|
||||
err(1, NULL);
|
||||
break;
|
||||
default:
|
||||
if (deltacnt >= MAX_RRDP_DELTAS)
|
||||
goto fail;
|
||||
if (deltacnt >= MAX_RRDP_DELTAS) {
|
||||
warnx("%s: state file: too many deltas: %d",
|
||||
rr->basedir, deltacnt);
|
||||
goto reset;
|
||||
}
|
||||
if ((state->deltas[deltacnt++] = strdup(line)) == NULL)
|
||||
err(1, NULL);
|
||||
break;
|
||||
@ -714,6 +724,11 @@ rrdp_session_parse(struct rrdprepo *rr)
|
||||
ln++;
|
||||
}
|
||||
|
||||
if (ferror(f)) {
|
||||
warn("%s: error reading state file", rr->basedir);
|
||||
goto reset;
|
||||
}
|
||||
|
||||
/* check if it's time for reinitialization */
|
||||
weeks = (now - rr->last_reset) / (86400 * 7);
|
||||
if (now <= rr->last_reset || weeks > RRDP_RANDOM_REINIT_MAX) {
|
||||
@ -725,20 +740,17 @@ rrdp_session_parse(struct rrdprepo *rr)
|
||||
goto reset;
|
||||
}
|
||||
|
||||
if (ferror(f))
|
||||
goto fail;
|
||||
fclose(f);
|
||||
free(line);
|
||||
return state;
|
||||
|
||||
fail:
|
||||
warnx("%s: corrupted state file, reinitializing", rr->basedir);
|
||||
|
||||
reset:
|
||||
fclose(f);
|
||||
free(line);
|
||||
free(state->session_id);
|
||||
free(state->last_mod);
|
||||
for (i = 0; i < MAX_RRDP_DELTAS; i++)
|
||||
free(state->deltas[i]);
|
||||
memset(state, 0, sizeof(*state));
|
||||
rr->last_reset = now;
|
||||
return state;
|
||||
|
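Review bot: The new warnings in cases 1 and 2 of the switch in rrdp_session_parse print the rejected state-file line verbatim through `%s`, and that path runs precisely when the file does not hold what was expected. Whether the line is cleaned up after it is read is not visible in these hunks, so a damaged file could put arbitrary bytes into the terminal or the cron mail. Logging the position instead avoids that, e.g. `warnx("%s: state file: serial is %s (line %d)", rr->basedir, errstr, ln + 1);`, or the line could be passed through strnvis(3) before printing. The "too many deltas: %d" message always prints MAX_RRDP_DELTAS, because deltacnt only grows by one per stored delta, so naming the limit there would be clearer. The function's opening and its closing brace lie outside the hunks shown.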
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: rrdp.c,v 1.34 2024/08/20 13:31:49 claudio Exp $ */
|
||||
/* $OpenBSD: rrdp.c,v 1.35 2024/09/02 11:56:22 job Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2020 Nils Fisher <nils_fisher@hotmail.com>
|
||||
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
|
||||
@ -33,7 +33,7 @@
|
||||
#include "extern.h"
|
||||
#include "rrdp.h"
|
||||
|
||||
#define MAX_SESSIONS 12
|
||||
#define MAX_SESSIONS 32
|
||||
#define READ_BUF_SIZE (32 * 1024)
|
||||
|
||||
static struct msgbuf msgq;
|
||||
|
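Review bot: `MAX_SESSIONS` goes from 12 to 32 with no comment on what the limit protects or how 32 was chosen. Judging by the name it caps how many RRDP sessions are handled in parallel, so the change presumably raises peak memory and the number of concurrent fetches. Anything sized or bounded by the old value outside this hunk should be checked to still fit. A one-line comment above the define, such as `/* upper bound on concurrently processed RRDP sessions */`, would record the intent.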
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: smtpd.h,v 1.687 2024/08/12 09:32:44 op Exp $ */
|
||||
/* $OpenBSD: smtpd.h,v 1.688 2024/09/03 12:07:40 gilles Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
|
||||
@ -55,7 +55,7 @@
|
||||
#define SMTPD_QUEUE_EXPIRY (4 * 24 * 60 * 60)
|
||||
#define SMTPD_SOCKET "/var/run/smtpd.sock"
|
||||
#define SMTPD_NAME "OpenSMTPD"
|
||||
#define SMTPD_VERSION "7.5.0"
|
||||
#define SMTPD_VERSION "7.6.0"
|
||||
#define SMTPD_SESSION_TIMEOUT 300
|
||||
#define SMTPD_BACKLOG 5
|
||||
|
||||
|