From 4728f534ff6d6644c6f80d2028503670859af576 Mon Sep 17 00:00:00 2001 From: Warner Losh Date: Fri, 10 Nov 2017 23:54:48 +0000 Subject: [PATCH] Move LOADER_{NO,}_GELI_SUPPORT to MK_LOADER_GELI Transition to WITH/WITHOUT_LOADER_GELI to flag support or not of GELI in the boot loaders. Add HAVE_GELI so components can flag they need support (since it's too large to include everywhere). Add temporary warnings for the old forms to ease transition. Also, update test script to build without GELI on x86. Sponsored by: Netflix --- UPDATING | 3 ++- share/mk/src.opts.mk | 1 + sys/boot/defs.mk | 20 ++++++++++++++++++-- sys/boot/geli/Makefile | 4 ++++ sys/boot/i386/gptboot/Makefile | 14 ++++---------- sys/boot/i386/gptzfsboot/Makefile | 10 ++-------- sys/boot/i386/libi386/Makefile | 9 +++------ sys/boot/i386/loader/Makefile | 11 ++--------- sys/boot/i386/zfsboot/Makefile | 8 ++++---- sys/boot/i386/zfsloader/Makefile | 3 +-- sys/boot/sparc64/loader/Makefile | 1 + sys/boot/sparc64/zfsloader/Makefile | 2 -- tools/boot/universe.sh | 11 ++++++++++- tools/build/options/WITHOUT_LOADER_GEIL | 2 ++ 14 files changed, 54 insertions(+), 45 deletions(-) create mode 100644 tools/build/options/WITHOUT_LOADER_GEIL diff --git a/UPDATING b/UPDATING index a84a9ecd63e..6f852439bc7 100644 --- a/UPDATING +++ b/UPDATING @@ -53,7 +53,8 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 12.x IS SLOW: 201711xx: The LOADER_FIREWIRE_SUPPORT build variable as been renamed to - WITH_LOADER_FIREWIRE (or WITHOUT_LOADER_FIREWIRE). + WITH/OUT_LOADER_FIREWIRE. LOADER_{NO_,}GELI_SUPPORT has been renamed + to WITH/OUT_LOADER_GELI. 20171106: The naive and non-compliant support of posix_fallocate(2) in ZFS diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk index 4ef52cb1689..b8ba2586617 100644 --- a/share/mk/src.opts.mk +++ b/share/mk/src.opts.mk @@ -119,6 +119,7 @@ __DEFAULT_YES_OPTIONS = \ LIB32 \ LIBPTHREAD \ LIBTHR \ + LOADER_GELI \ LOCALES \ LOCATE \ LPR \ diff --git a/sys/boot/defs.mk b/sys/boot/defs.mk index 75c354c6254..b08ffa7c9b2 100644 --- a/sys/boot/defs.mk +++ b/sys/boot/defs.mk @@ -85,10 +85,26 @@ CFLAGS+= -DLOADER_GPT_SUPPORT .if ${LOADER_MBR_SUPPORT:Uyes} == "yes" CFLAGS+= -DLOADER_MBR_SUPPORT .endif -.if ${LOADER_GELI_SUPPORT:Uyes} == "yes" -CFLAGS+= -DLOADER_GELI_SUPPORT + +# GELI Support, with backward compat hooks +.if defined(HAVE_GELI) +.if defined(LOADER_NO_GELI_SUPPORT) +MK_LOADER_GELI=no +.warning "Please move from LOADER_NO_GELI_SUPPORT to WITHOUT_LOADER_GELI" +.endif +.if defined(LOADER_GELI_SUPPORT) +MK_LOADER_GELI=yes +.warning "Please move from LOADER_GELI_SUPPORT to WITH_LOADER_GELI" +.endif +.if ${MK_LOADER_GELI} == "yes" +CFLAGS+= -DLOADER_GELI_SUPPORT +CFLAGS+= -I${BOOTSRC}/geli +LIBGELIBOOT= ${BOOTOBJ}/geli/libgeliboot.a .endif .endif +.endif + +CFLAGS+= -I${SYSDIR} # All PowerPC builds are 32 bit. We have no 64-bit loaders on powerpc # or powerpc64. diff --git a/sys/boot/geli/Makefile b/sys/boot/geli/Makefile index b16f7a8c5ab..89d6a9f956e 100644 --- a/sys/boot/geli/Makefile +++ b/sys/boot/geli/Makefile @@ -49,5 +49,9 @@ SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael-api.c CFLAGS+= -D_STAND SRCS+= geliboot_crypto.c g_eli_hmac.c g_eli_key.c g_eli_key_cache.c pkcs5v2.c +# aes +.PATH: ${SYSDIR}/opencrypto +SRCS+= xform_aes_xts.c + .include .include diff --git a/sys/boot/i386/gptboot/Makefile b/sys/boot/i386/gptboot/Makefile index 9d3048a89c5..efe45cb6dbd 100644 --- a/sys/boot/i386/gptboot/Makefile +++ b/sys/boot/i386/gptboot/Makefile @@ -1,5 +1,7 @@ # $FreeBSD$ +HAVE_GELI= yes + .include .PATH: ${BOOTSRC}/i386/boot2 ${BOOTSRC}/i386/common ${SASRC} @@ -41,14 +43,6 @@ CFLAGS+=-DBOOTPROG=\"gptboot\" \ CFLAGS.gcc+= --param max-inline-insns-single=100 -.if ${LOADER_GELI_SUPPORT:Uyes} == "yes" -CFLAGS+= -DLOADER_GELI_SUPPORT -CFLAGS+= -I${BOOTSRC}/geli -LIBGELIBOOT= ${BOOTOBJ}/geli/libgeliboot.a -.PATH: ${SYSDIR}/opencrypto -OPENCRYPTO_XTS= xform_aes_xts.o -.endif - LD_FLAGS+=${LD_FLAGS_BIN} CLEANFILES= gptboot @@ -66,12 +60,12 @@ gptldr.out: gptldr.o ${LD} ${LD_FLAGS} -e start -Ttext ${ORG1} -o ${.TARGET} gptldr.o CLEANFILES+= gptboot.bin gptboot.out gptboot.o sio.o crc32.o drv.o \ - cons.o util.o ${OPENCRYPTO_XTS} + cons.o ${OPENCRYPTO_XTS} gptboot.bin: gptboot.out ${OBJCOPY} -S -O binary gptboot.out ${.TARGET} -gptboot.out: ${BTXCRT} gptboot.o sio.o crc32.o drv.o cons.o util.o ${OPENCRYPTO_XTS} +gptboot.out: ${BTXCRT} gptboot.o sio.o crc32.o drv.o cons.o ${OPENCRYPTO_XTS} ${LD} ${LD_FLAGS} -Ttext ${ORG2} -o ${.TARGET} ${.ALLSRC} ${LIBGELIBOOT} ${LIBSA32} gptboot.o: ${SASRC}/ufsread.c diff --git a/sys/boot/i386/gptzfsboot/Makefile b/sys/boot/i386/gptzfsboot/Makefile index b9df313dd29..d2751c217e7 100644 --- a/sys/boot/i386/gptzfsboot/Makefile +++ b/sys/boot/i386/gptzfsboot/Makefile @@ -1,5 +1,7 @@ # $FreeBSD$ +HAVE_GPT= yes + .include .PATH: ${BOOTSRC}/i386/boot2 ${BOOTSRC}/i386/gptboot \ @@ -50,14 +52,6 @@ LIBZFSBOOT=${BOOTOBJ}/zfs32/libzfsboot.a LIBZFSBOOT=${BOOTOBJ}/zfs/libzfsboot.a .endif -.if ${LOADER_GELI_SUPPORT:Uyes} == "yes" -CFLAGS+= -DLOADER_GELI_SUPPORT -CFLAGS+= -I${BOOTSRC}/geli -LIBGELIBOOT= ${BOOTOBJ}/geli/libgeliboot.a -.PATH: ${SYSDIR}/opencrypto -OPENCRYPTO_XTS= xform_aes_xts.o -.endif - CFLAGS.gcc+= --param max-inline-insns-single=100 LD_FLAGS+=${LD_FLAGS_BIN} diff --git a/sys/boot/i386/libi386/Makefile b/sys/boot/i386/libi386/Makefile index 20ce255fd50..43d191dec19 100644 --- a/sys/boot/i386/libi386/Makefile +++ b/sys/boot/i386/libi386/Makefile @@ -1,5 +1,8 @@ # $FreeBSD$ +HAVE_GPT= yes +HAVE_GELI= yes + .include LIB= i386 @@ -25,12 +28,6 @@ CFLAGS+= -DCOMSPEED=${BOOT_COMCONSOLE_SPEED} CFLAGS+= -DDISK_DEBUG .endif -.if ${LOADER_GELI_SUPPORT:Uyes} == "yes" -# Decrypt encrypted drives -CFLAGS+= -DLOADER_GELI_SUPPORT -CFLAGS+= -I${BOOTSRC}/geli -.endif - .if !defined(BOOT_HIDE_SERIAL_NUMBERS) # Export serial numbers, UUID, and asset tag from loader. CFLAGS+= -DSMBIOS_SERIAL_NUMBERS diff --git a/sys/boot/i386/loader/Makefile b/sys/boot/i386/loader/Makefile index e9d8f897a16..a79b4fbdbcc 100644 --- a/sys/boot/i386/loader/Makefile +++ b/sys/boot/i386/loader/Makefile @@ -1,5 +1,7 @@ # $FreeBSD$ +HAVE_GELI= yes + LOADER_NET_SUPPORT?= yes LOADER_NFS_SUPPORT?= yes LOADER_TFTP_SUPPORT?= yes @@ -38,15 +40,6 @@ CFLAGS+= -DLOADER_FIREWIRE_SUPPORT LIBFIREWIRE= ${BOOTOBJ}/i386/libfirewire/libfirewire.a .endif -.if ${LOADER_GELI_SUPPORT:Uyes} == "yes" -CFLAGS+= -DLOADER_GELI_SUPPORT -CFLAGS+= -I${BOOTSRC}/geli -LIBGELIBOOT= ${BOOTOBJ}/geli/libgeliboot.a -.PATH: ${SYSDIR}/opencrypto -SRCS+= xform_aes_xts.c -CFLAGS+= -I${SYSDIR} -D_STAND -.endif - # Always add MI sources .include "${BOOTSRC}/loader.mk" CFLAGS+= -I. diff --git a/sys/boot/i386/zfsboot/Makefile b/sys/boot/i386/zfsboot/Makefile index a83bfa96059..81ab6f39a3d 100644 --- a/sys/boot/i386/zfsboot/Makefile +++ b/sys/boot/i386/zfsboot/Makefile @@ -1,6 +1,6 @@ # $FreeBSD$ -LOADER_GELI_SUPPORT=no +HAVE_GELI=yes .include @@ -60,7 +60,7 @@ zfsldr.out: zfsldr.o ${LD} ${LD_FLAGS} -e start -Ttext ${ORG1} -o ${.TARGET} zfsldr.o CLEANFILES+= zfsboot2 zfsboot.ld zfsboot.ldr zfsboot.bin zfsboot.out \ - zfsboot.o zfsboot.s zfsboot.s.tmp sio.o cons.o drv.o util.o + zfsboot.o zfsboot.s zfsboot.s.tmp sio.o cons.o drv.o # We currently allow 128k bytes for zfsboot - in practice it could be # any size up to 3.5Mb but keeping it fixed size simplifies zfsldr. @@ -82,8 +82,8 @@ zfsboot.ldr: zfsboot.bin: zfsboot.out ${OBJCOPY} -S -O binary zfsboot.out ${.TARGET} -zfsboot.out: ${BTXCRT} zfsboot.o sio.o drv.o cons.o util.o - ${LD} ${LD_FLAGS} -Ttext ${ORG2} -o ${.TARGET} ${.ALLSRC} ${LIBZFSBOOT} ${LIBSA32} +zfsboot.out: ${BTXCRT} zfsboot.o sio.o drv.o cons.o + ${LD} ${LD_FLAGS} -Ttext ${ORG2} -o ${.TARGET} ${.ALLSRC} ${LIBZFSBOOT} ${LIBGELIBOOT} ${LIBSA32} SRCS= zfsboot.c diff --git a/sys/boot/i386/zfsloader/Makefile b/sys/boot/i386/zfsloader/Makefile index 67aa8e94387..6111e47f12f 100644 --- a/sys/boot/i386/zfsloader/Makefile +++ b/sys/boot/i386/zfsloader/Makefile @@ -5,6 +5,5 @@ NEWVERSWHAT= "ZFS enabled bootstrap loader" x86 LOADER_ONLY= yes HAVE_ZFS= yes -.include -.include "${BOOTSRC}/i386/loader/Makefile" +.include "${.CURDIR}/../loader/Makefile" diff --git a/sys/boot/sparc64/loader/Makefile b/sys/boot/sparc64/loader/Makefile index 7eb0b342010..f7fb0300d41 100644 --- a/sys/boot/sparc64/loader/Makefile +++ b/sys/boot/sparc64/loader/Makefile @@ -22,6 +22,7 @@ VERSION_FILE= ${.CURDIR}/../loader/version INSTALLFLAGS= -b # Architecture-specific loader code +.PATH: ${BOOTSRC}/sparc64/loader SRCS= locore.S main.c metadata.c vers.c .if ${LOADER_DEBUG} == "yes" diff --git a/sys/boot/sparc64/zfsloader/Makefile b/sys/boot/sparc64/zfsloader/Makefile index a5d433ce401..b4c554b5cb1 100644 --- a/sys/boot/sparc64/zfsloader/Makefile +++ b/sys/boot/sparc64/zfsloader/Makefile @@ -1,7 +1,5 @@ # $FreeBSD$ -.PATH: ${.CURDIR}/../loader - PROG= zfsloader NEWVERSWHAT= "ZFS enabled bootstrap loader" sparc64 HAVE_ZFS= yes diff --git a/tools/boot/universe.sh b/tools/boot/universe.sh index 2f367c1c2bd..3b607b4c4a1 100755 --- a/tools/boot/universe.sh +++ b/tools/boot/universe.sh @@ -63,7 +63,7 @@ for i in \ sparc64/sparc64 \ ; do ta=${i##*/} - dobuild $ta _.boot.${ta}.noZFS.log "MK_ZFS=no" + dobuild $ta _.boot.${ta}.no_zfs.log "MK_ZFS=no" done # Build with firewire @@ -74,3 +74,12 @@ for i in \ ta=${i##*/} dobuild $ta _.boot.${ta}.firewire.log "MK_LOADER_FIREWIRE=yes" done + +# Build without GELI +for i in \ + amd64/amd64 \ + i386/i386 \ + ; do + ta=${i##*/} + dobuild $ta _.boot.${ta}.no_geli.log "MK_LOADER_GELI=no" +done diff --git a/tools/build/options/WITHOUT_LOADER_GEIL b/tools/build/options/WITHOUT_LOADER_GEIL new file mode 100644 index 00000000000..114bea6bfe0 --- /dev/null +++ b/tools/build/options/WITHOUT_LOADER_GEIL @@ -0,0 +1,2 @@ +.\" $FreeBSD$ +Disable inclusion of GELI crypto support in the boot chain binaries.