Merge branch 'freebsd/current/main' into hardened/current/master
commit
e317cb86c3
@ -38,6 +38,10 @@ ec2_common() {
|
||||
echo 'autoboot_delay="-1"' >> ${DESTDIR}/boot/loader.conf
|
||||
echo 'beastie_disable="YES"' >> ${DESTDIR}/boot/loader.conf
|
||||
|
||||
# The EFI RNG on Graviton 2 is particularly slow if we ask for the
|
||||
# default 2048 bytes of entropy; ask for 64 bytes instead.
|
||||
echo 'entropy_efi_seed_size="64"' >> ${DESTDIR}/boot/loader.conf
|
||||
|
||||
# Tell gptboot not to wait 3 seconds for a keypress which will
|
||||
# never arrive.
|
||||
printf -- "-n\n" > ${DESTDIR}/boot.config
|
||||
|
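Review bot: The new comment justifies 64 bytes by Graviton 2 speed but does not say that 64 is also the lowest value that still yields a full-size seed. In this same commit, command_seed_entropy hands requests below RANDOM_FORTUNA_DEFPOOLSIZE (64) to the kernel unexpanded, so that Fortuna is not treated as safely seeded. I would extend the comment with something like `# 64 bytes is one Fortuna pool (RANDOM_FORTUNA_DEFPOOLSIZE); do not go lower or the loader will not expand the seed.` The setting also appears to apply to every image built through ec2_common, not only Graviton 2, which the comment could state. ec2_common's body continues outside the hunk.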
@ -190,7 +190,9 @@ interp_builtin_cmd(int argc, char *argv[])
|
||||
|
||||
cmd = interp_lookup_cmd(argv[0]);
|
||||
if (cmd != NULL && cmd->c_fn) {
|
||||
TSENTER2(argv[0]);
|
||||
result = cmd->c_fn(argc, argv);
|
||||
TSEXIT();
|
||||
} else {
|
||||
command_errmsg = "unknown command";
|
||||
}
|
||||
|
@ -48,8 +48,12 @@ entropy_cache_type="boot_entropy_cache" # Required for the kernel to find
|
||||
# the boot-time entropy cache. This
|
||||
# must not change value even if the
|
||||
# _name above does change!
|
||||
entropy_efi_seed="YES" # Set this to NO to disable loading
|
||||
# entropy from the UEFI hardware random number generator API
|
||||
entropy_efi_seed="YES" # Set this to NO to disable loading
|
||||
# entropy from the UEFI hardware
|
||||
# random number generator API
|
||||
entropy_efi_seed_size="2048" # Set this to a different value to
|
||||
# change the amount of entropy
|
||||
# requested from EFI
|
||||
|
||||
### RAM Blacklist configuration ############################
|
||||
ram_blacklist_load="NO" # Set this to YES to load a file
|
||||
|
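Review bot: The comment on the new `entropy_efi_seed_size` default gives neither the unit nor the lower bound that matters. Elsewhere in this commit the value is passed to `efi-seed-entropy` and parsed as a byte count, and requests under 64 bytes are passed on without being expanded to a full seed. Suggested wording: `# Bytes of entropy to request from EFI; values below 64 are not expanded to a full seed`.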
@ -57,6 +57,9 @@
|
||||
#include <bootstrap.h>
|
||||
#include <smbios.h>
|
||||
|
||||
#include <dev/random/fortuna.h>
|
||||
#include <geom/eli/pkcs5v2.h>
|
||||
|
||||
#include "efizfs.h"
|
||||
#include "framebuffer.h"
|
||||
|
||||
@ -1250,11 +1253,27 @@ command_seed_entropy(int argc, char *argv[])
|
||||
{
|
||||
EFI_STATUS status;
|
||||
EFI_RNG_PROTOCOL *rng;
|
||||
unsigned int size = 2048;
|
||||
unsigned int size_efi = RANDOM_FORTUNA_DEFPOOLSIZE * RANDOM_FORTUNA_NPOOLS;
|
||||
unsigned int size = RANDOM_FORTUNA_DEFPOOLSIZE * RANDOM_FORTUNA_NPOOLS;
|
||||
void *buf_efi;
|
||||
void *buf;
|
||||
|
||||
if (argc > 1) {
|
||||
size = strtol(argv[1], NULL, 0);
|
||||
size_efi = strtol(argv[1], NULL, 0);
|
||||
|
||||
/* Don't *compress* the entropy we get from EFI. */
|
||||
if (size_efi > size)
|
||||
size = size_efi;
|
||||
|
||||
/*
|
||||
* If the amount of entropy we get from EFI is less than the
|
||||
* size of a single Fortuna pool -- i.e. not enough to ensure
|
||||
* that Fortuna is safely seeded -- don't expand it since we
|
||||
* don't want to trick Fortuna into thinking that it has been
|
||||
* safely seeded when it has not.
|
||||
*/
|
||||
if (size_efi < RANDOM_FORTUNA_DEFPOOLSIZE)
|
||||
size = size_efi;
|
||||
}
|
||||
|
||||
status = BS->LocateProtocol(&rng_guid, NULL, (VOID **)&rng);
|
||||
@ -1268,18 +1287,34 @@ command_seed_entropy(int argc, char *argv[])
|
||||
return (CMD_ERROR);
|
||||
}
|
||||
|
||||
status = rng->GetRNG(rng, NULL, size, (UINT8 *)buf);
|
||||
if ((buf_efi = malloc(size_efi)) == NULL) {
|
||||
free(buf);
|
||||
command_errmsg = "out of memory";
|
||||
return (CMD_ERROR);
|
||||
}
|
||||
|
||||
TSENTER2("rng->GetRNG");
|
||||
status = rng->GetRNG(rng, NULL, size_efi, (UINT8 *)buf_efi);
|
||||
TSEXIT();
|
||||
if (status != EFI_SUCCESS) {
|
||||
free(buf_efi);
|
||||
free(buf);
|
||||
command_errmsg = "GetRNG failed";
|
||||
return (CMD_ERROR);
|
||||
}
|
||||
if (size_efi < size)
|
||||
pkcs5v2_genkey_raw(buf, size, "", 0, buf_efi, size_efi, 1);
|
||||
else
|
||||
memcpy(buf, buf_efi, size);
|
||||
|
||||
if (file_addbuf("efi_rng_seed", "boot_entropy_platform", size, buf) != 0) {
|
||||
free(buf_efi);
|
||||
free(buf);
|
||||
return (CMD_ERROR);
|
||||
}
|
||||
|
||||
explicit_bzero(buf_efi, size_efi);
|
||||
free(buf_efi);
|
||||
free(buf);
|
||||
return (CMD_OK);
|
||||
}
|
||||
|
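Review bot: Seed material is wiped inconsistently in command_seed_entropy. `explicit_bzero(buf_efi, size_efi)` runs only on the success path, and `buf`, which holds the bytes actually handed to `file_addbuf`, is freed without being cleared on any path. I would add `explicit_bzero(buf, size);` before the final `free(buf)` and clear both buffers before freeing them in the `file_addbuf` failure branch. Separately, `size_efi = strtol(argv[1], NULL, 0)` stores a long into an unsigned int with no end-pointer or range check, so a non-numeric or negative `entropy_efi_seed_size` becomes 0 or a very large allocation request; rejecting those with CMD_ERROR and a clear `command_errmsg` would make the misconfiguration visible. The allocation of `buf` and the start of the function lie outside the visible hunks.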
@ -164,6 +164,10 @@ CFLAGS.bzipfs.c+= -I${SRCTOP}/contrib/bzip2 -DBZ_NO_STDIO -DBZ_NO_COMPRESS
|
||||
.PATH: ${SYSDIR}/libkern
|
||||
SRCS+= explicit_bzero.c crc32_libkern.c
|
||||
|
||||
# Bits from GELI which are reused elsewhere
|
||||
.PATH: ${SYSDIR}/geom/eli
|
||||
SRCS+= g_eli_hmac.c pkcs5v2.c
|
||||
|
||||
# Maybe GELI
|
||||
.if ${MK_LOADER_GELI} == "yes"
|
||||
.include "${SASRC}/geli/Makefile.inc"
|
||||
|
@ -21,10 +21,8 @@ SRCS+= ${i}
|
||||
.endfor
|
||||
SRCS+= geliboot.c \
|
||||
geliboot_crypto.c \
|
||||
g_eli_hmac.c \
|
||||
g_eli_key.c \
|
||||
g_eli_key_cache.c \
|
||||
pkcs5v2.c \
|
||||
|
||||
# aes
|
||||
.PATH: ${SYSDIR}/opencrypto
|
||||
|
@ -369,7 +369,8 @@ end
|
||||
function core.loadEntropy()
|
||||
if core.isUEFIBoot() then
|
||||
if (loader.getenv("entropy_efi_seed") or "no"):lower() == "yes" then
|
||||
loader.perform("efi-seed-entropy")
|
||||
local seedsize = loader.getenv("entropy_efi_seed_size") or "2048"
|
||||
loader.perform("efi-seed-entropy " .. seedsize)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
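Review bot: `seedsize` is read from the `entropy_efi_seed_size` environment variable and concatenated into the command string without validation, so whatever text the variable holds becomes part of the `efi-seed-entropy` command line. Converting it first, e.g. `local seedsize = tonumber(loader.getenv("entropy_efi_seed_size")) or 2048`, keeps the argument a single number and falls back to the default on garbage. The literal "2048" also duplicates the default that command_seed_entropy computes from RANDOM_FORTUNA_DEFPOOLSIZE * RANDOM_FORTUNA_NPOOLS. A one-line comment tying the two together would help keep them in sync.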
@ -54,4 +54,6 @@ if not core.isMenuSkipped() then
|
||||
else
|
||||
-- Load kernel/modules before we go
|
||||
config.loadelf()
|
||||
-- Load platform entropy if possible
|
||||
core.loadEntropy()
|
||||
end
|
||||
|
@ -74,8 +74,6 @@
|
||||
#include <dev/random/fortuna.h>
|
||||
|
||||
/* Defined in FS&K */
|
||||
#define RANDOM_FORTUNA_NPOOLS 32 /* The number of accumulation pools */
|
||||
#define RANDOM_FORTUNA_DEFPOOLSIZE 64 /* The default pool size/length for a (re)seed */
|
||||
#define RANDOM_FORTUNA_MAX_READ (1 << 20) /* Max bytes from AES before rekeying */
|
||||
#define RANDOM_FORTUNA_BLOCKS_PER_KEY (1 << 16) /* Max blocks from AES before rekeying */
|
||||
CTASSERT(RANDOM_FORTUNA_BLOCKS_PER_KEY * RANDOM_BLOCKSIZE ==
|
||||
|
@ -27,6 +27,10 @@
|
||||
#ifndef SYS_DEV_RANDOM_FORTUNA_H_INCLUDED
|
||||
#define SYS_DEV_RANDOM_FORTUNA_H_INCLUDED
|
||||
|
||||
/* Defined in FS&K */
|
||||
#define RANDOM_FORTUNA_NPOOLS 32 /* The number of accumulation pools */
|
||||
#define RANDOM_FORTUNA_DEFPOOLSIZE 64 /* The default pool size/length for a (re)seed */
|
||||
|
||||
#ifdef _KERNEL
|
||||
typedef struct mtx mtx_t;
|
||||
#define RANDOM_RESEED_INIT_LOCK(x) mtx_init(&fortuna_state.fs_mtx, "reseed mutex", NULL, MTX_DEF)
|
||||
|
@ -54,6 +54,7 @@
|
||||
#include <crypto/rijndael/rijndael-api-fst.h>
|
||||
#include <crypto/sha2/sha256.h>
|
||||
|
||||
#include <dev/random/fortuna.h>
|
||||
#include <dev/random/hash.h>
|
||||
#include <dev/random/randomdev.h>
|
||||
#include <dev/random/random_harvestq.h>
|
||||
@ -259,8 +260,8 @@ random_sources_feed(void)
|
||||
* stuck for a few seconds with random_kthread gradually collecting a
|
||||
* small chunk of entropy every 1 / RANDOM_KTHREAD_HZ seconds.
|
||||
*
|
||||
* The value 64 below is RANDOM_FORTUNA_DEFPOOLSIZE, i.e. chosen to
|
||||
* fill Fortuna's pools in the default configuration. With another
|
||||
* We collect RANDOM_FORTUNA_DEFPOOLSIZE bytes per pool, i.e. enough
|
||||
* to fill Fortuna's pools in the default configuration. With another
|
||||
* PRNG or smaller pools for Fortuna, we might collect more entropy
|
||||
* than needed to fill the pools, but this is harmless; alternatively,
|
||||
* a different PRNG, larger pools, or fast entropy sources which are
|
||||
@ -270,8 +271,8 @@ random_sources_feed(void)
|
||||
* try again for a large amount of entropy.
|
||||
*/
|
||||
if (!p_random_alg_context->ra_seeded())
|
||||
npools = howmany(p_random_alg_context->ra_poolcount * 64,
|
||||
sizeof(entropy));
|
||||
npools = howmany(p_random_alg_context->ra_poolcount *
|
||||
RANDOM_FORTUNA_DEFPOOLSIZE, sizeof(entropy));
|
||||
|
||||
/*
|
||||
* Step over all of live entropy sources, and feed their output
|
||||
|
@ -586,8 +586,6 @@
|
||||
#define HDA_CODEC_ALC295 HDA_CODEC_CONSTRUCT(REALTEK, 0x0295)
|
||||
#define HDA_CODEC_ALC298 HDA_CODEC_CONSTRUCT(REALTEK, 0x0298)
|
||||
#define HDA_CODEC_ALC299 HDA_CODEC_CONSTRUCT(REALTEK, 0x0299)
|
||||
#define HDA_CODEC_ALC292 HDA_CODEC_CONSTRUCT(REALTEK, 0x0292)
|
||||
#define HDA_CODEC_ALC295 HDA_CODEC_CONSTRUCT(REALTEK, 0x0295)
|
||||
#define HDA_CODEC_ALC300 HDA_CODEC_CONSTRUCT(REALTEK, 0x0300)
|
||||
#define HDA_CODEC_ALC623 HDA_CODEC_CONSTRUCT(REALTEK, 0x0623)
|
||||
#define HDA_CODEC_ALC660 HDA_CODEC_CONSTRUCT(REALTEK, 0x0660)
|
||||
|
@ -51,13 +51,22 @@ void
|
||||
pkcs5v2_genkey(uint8_t *key, unsigned keylen, const uint8_t *salt,
|
||||
size_t saltsize, const char *passphrase, u_int iterations)
|
||||
{
|
||||
|
||||
pkcs5v2_genkey_raw(key, keylen, salt, saltsize, passphrase,
|
||||
strlen(passphrase), iterations);
|
||||
}
|
||||
|
||||
void
|
||||
pkcs5v2_genkey_raw(uint8_t *key, unsigned keylen, const uint8_t *salt,
|
||||
size_t saltsize, const uint8_t *passphrase, size_t passlen,
|
||||
u_int iterations)
|
||||
{
|
||||
uint8_t md[SHA512_MDLEN], saltcount[saltsize + sizeof(uint32_t)];
|
||||
uint8_t *counter, *keyp;
|
||||
u_int i, bsize, passlen;
|
||||
u_int i, bsize;
|
||||
uint32_t count;
|
||||
struct hmac_ctx startpoint, ctx;
|
||||
|
||||
passlen = strlen(passphrase);
|
||||
bzero(key, keylen);
|
||||
bcopy(salt, saltcount, saltsize);
|
||||
counter = saltcount + saltsize;
|
||||
|
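Review bot: pkcs5v2_genkey_raw is added without a comment stating its contract, although this commit also calls it from the loader as an entropy expander rather than a passphrase KDF. I would add above it something like `/* Like pkcs5v2_genkey(), but the secret is an arbitrary byte string of passlen bytes; with iterations == 1 the output is only an expansion of the input and adds no work factor. */`. The wrapper also passes its `const char *passphrase` straight into the `const uint8_t *` parameter; an explicit `(const uint8_t *)passphrase` would make the conversion deliberate. The rest of the function body, including any clearing of `md` and the HMAC contexts, is outside the hunk.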
@ -30,6 +30,9 @@
|
||||
#define _PKCS5V2_H_
|
||||
void pkcs5v2_genkey(uint8_t *key, unsigned keylen, const uint8_t *salt,
|
||||
size_t saltsize, const char *passphrase, u_int iterations);
|
||||
void pkcs5v2_genkey_raw(uint8_t *key, unsigned keylen, const uint8_t *salt,
|
||||
size_t saltsize, const uint8_t *passphrase, size_t passlen,
|
||||
u_int iterations);
|
||||
#ifndef _KERNEL
|
||||
int pkcs5v2_calculate(int usecs);
|
||||
#endif
|
||||
|
@ -788,6 +788,11 @@ hda_corb_run(struct hda_softc *sc)
|
||||
int err;
|
||||
|
||||
corb->wp = hda_get_reg_by_offset(sc, HDAC_CORBWP);
|
||||
if (corb->wp >= corb->size) {
|
||||
DPRINTF("Invalid HDAC_CORBWP %u >= size %u", corb->wp,
|
||||
corb->size);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
while (corb->rp != corb->wp && corb->run) {
|
||||
corb->rp++;
|
||||
|
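Review bot: The new range check carries no comment saying why `corb->wp` cannot be trusted. The value is read straight from the HDAC_CORBWP register and then bounds the `while (corb->rp != corb->wp && corb->run)` loop, so I would add `/* CORBWP comes from a device register; reject an index outside the ring before it is used as the loop bound. */` above the `if`. Whether `corb->rp` can go out of range in the same way is not visible here, since hda_corb_run continues past the end of the hunk; if it can, it deserves the same check.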