libecc is not intended for general use; other applications should
really be using openssl. pkg(7) uses libecc to align with the pkg(8)
project and its goals. This will be used in the upcoming support for
ECC in pkg(7).
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D48117
libder will be used in upcoming ECC support in the pkg(7) bootstrap to
read DER-encoded keys and signatures.
Differential Revision: https://reviews.freebsd.org/D48116
For requests that handoff queues from userspace to the kernel as well
as the request to fetch reconnect parameters from the kernel, switch
from using flat structures to nvlists. In particular, this will
permit adding support for additional transports in the future without
breaking the ABI of the structures.
Note that this is an ABI break for the ioctls used by nvmf(4) and
nvmft(4). Since this is only present in main I did not bother
implementing compatibility shims.
Inspired by: imp (suggestion on a different review)
Reviewed by: imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D48230
In 2020, an improved implementation of the bc and dc commands
developed by Gavin D. Howard has been imported into FreeBSD.
It has replaced the OpenBSD-derived versions of these commands
in all currently supported FreeBSD releases.
The OpenBSD versions could still be built using the WITHOUT_GH_BC
option. There have been no reports of problems or unexpected
deviations from the OpenBSD version for some time, therefore
keeping the OpenBSD version is no longer required in FreeBSD.
This commit removes the option to build the OpenBSD version and
corresponding source files from -CURRENT. No MFC is planned, all
currently released FreeBSD versions should retain the build option.
The WITHOUT_GH_BC option is no longer accepted and will cause
make buildworld to fail.
Reviewed by: des, emaste
Approved by: des
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D46876
It was disabled by default in fe52b7f60e. We planned to (but did not)
remove the option before FreeBSD 14. Remove it now, for FreeBSD 15.
Relnotes: Yes
Reviewed by: imp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D31558
libcrypt bundles the various hash functions it needs,
duplicating code that is also found in libmd.
Unbundle the hash functions and apply the same hack used
for libncursesw so static consumers link -lmd in addition
to -lcrypt.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D47062
After talking with a number of people about the removal of some things
to make the loader fit, readjust things a little.
Add back GZIP and BZIP2 compression support. Many of the downstream MFC
packaging systems depend on this. This adds back 20k to the size of the
loader.
Make the boot loader text-only by default. This saves 40k in size. Net,
we're 20k smaller. The graphics loader for BIOS is less useful than the
zip functionality: You can still boot w/a text only one and you can
build a custom one if you really want it. It's also the default we use
for dual console.
This should be merged back into stable/14 and stable/13 so it's in the
next release for each of these. That way we have only one release (13.4)
with the other defaults.
MFC After: 3 days
Sponsored by: Netflix
Reviewed by: olce, rgrimes, emaste
Differential Revision: https://reviews.freebsd.org/D47203
It turns out the new libc++ 19 headers result in a -Werror warning from
gcc 13:
In file included from /usr/obj/usr/src/freebsd/src/amd64.amd64/tmp/usr/include/c++/v1/__memory/shared_ptr.h:31:
/usr/obj/usr/src/freebsd/src/amd64.amd64/tmp/usr/include/c++/v1/__memory/uninitialized_algorithms.h: In instantiation of 'constexpr void std::__1::__uninitialized_allocator_relocate(_Alloc&, _Tp*, _Tp*, _Tp*) [with _Alloc = allocator<basic_string<char> >; _Tp = basic_string<char>]':
/usr/obj/usr/src/freebsd/src/amd64.amd64/tmp/usr/include/c++/v1/vector:1052:42: required from 'void std::__1::vector<_Tp, _Alloc>::__swap_out_circular_buffer(std::__1::__split_buffer<_Tp, _Allocator&>&) [with _Tp = std::__1::basic_string<char>; _Allocator = std::__1::allocator<std::__1::basic_string<char> >]'
/usr/obj/usr/src/freebsd/src/amd64.amd64/tmp/usr/include/c++/v1/vector:1469:31: required from 'void std::__1::vector<_Tp, _Alloc>::reserve(size_type) [with _Tp = std::__1::basic_string<char>; _Allocator = std::__1::allocator<std::__1::basic_string<char> >; size_type = long unsigned int]'
/usr/src/freebsd/src/contrib/googletest/googletest/src/gtest.cc:795:27: required from here
/usr/obj/usr/src/freebsd/src/amd64.amd64/tmp/usr/include/c++/v1/__memory/uninitialized_algorithms.h:645:21: error: 'void* __builtin_memcpy(void*, const void*, long unsigned int)' writing to an object of type 'std::__1::__remove_const_t<std::__1::basic_string<char> >' {aka 'class std::__1::basic_string<char>'} with no trivial copy-assignment; use copy-assignment or copy-initialization instead o[-Werror=class-memaccess]
645 | __builtin_memcpy(const_cast<__remove_const_t<_Tp>*>(__result), __first, sizeof(_Tp) * (__last - __first));
| ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /usr/obj/usr/src/freebsd/src/amd64.amd64/tmp/usr/include/c++/v1/__system_error/error_category.h:15,
from /usr/obj/usr/src/freebsd/src/amd64.amd64/tmp/usr/include/c++/v1/__system_error/error_code.h:18,
from /usr/obj/usr/src/freebsd/src/amd64.amd64/tmp/usr/include/c++/v1/__ostream/basic_ostream.h:16:
/usr/obj/usr/src/freebsd/src/amd64.amd64/tmp/usr/include/c++/v1/string:752:7: note: 'std::__1::__remove_const_t<std::__1::basic_string<char> >' {aka 'class std::__1::basic_string<char>'} declared here
752 | class basic_string {
| ^~~~~~~~~~~~
Since this is all benign, turn off errors for -Wclass-memaccess.
PR: 280562
MFC after: 3 days
porch(1), available via sysutils/porch, is an expect(1)-like program
that uses lua instead of tcl for scripting. Imminent use will be to
execute tests of tty canonicalization to ensure we don't regress some of
the corner cases we've fixed, but tests for other interactive programs
are being considered as well.
PLAIN_TESTS_PORCH is being introduced primarily to get the metadata
right without writing it out for every single test; required_programs
ensures that we skip the tests if the port is not installed.
Reviewed by: 0mp (previous version), ngie
Differential Revision: https://reviews.freebsd.org/D46805
The libkldelf library was originally a part of kldxref(8). It exposed
ELF parsing helpers specialized in parsing KLDs and the kernel
executable. The library can be used to read metadata such as linker_set,
mod_depend, mod_version and PNP match info, and raw data from the ELF.
To promote the reuse of the facilities the ELF parsing code is separated
from kldxref(8) into a new private library.
For now, libkldelf's source files will be compiled into kldxref(8)
directly if kldxref is built during bootstrapping phase. The reason is
linking kldxref(8) against the libkldelf static library has an unwanted
side effect which renders the linker sets inside the libkldelf
implementation empty if the static library is not built by ld -r all the
.o files into a single .o before producing the static library.
Sponsored by: Juniper Networks, Inc.
Reviewed by: markj
Suggested by: jrtc27, markj
Differential Revision: https://reviews.freebsd.org/D46719
We need to undo NO_OBJ if we are staging
as it causes us to drop the stage* target cookies in src tree
which is bad, and may break doing the same targets for multiple
architectures.
Reviewed by: stevek
Currently the lib32 crt files (/usr/lib32/Scrt1.o etc.) are placed in
the clibs-dev package rather than the clibs-dev-lib32 package.
The /usr/lib32/dtrace/drti.o file is similarly placed in the dtrace
package rather than the dtrace-lib32 package.
Splitting shared libraries in /usr/lib32 into a -lib32 package is
handled in bsd.lib.mk by adding "lib32" to TAGS. However bsd.files.mk
ignores TAGS and only honors ${group}TAGS since 144c442.
This patch changes the behavior of bsd.files.mk to honor TAGS if the
default FILES group is used. This matches the handling of PACKAGE, which
is also ignored unless the default FILES group is used.
With this patch, both the clibs and dtrace package are split correctly.
PR: 249145
Reviewed by: bapt
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46991
The libkldelf library was originally a part of kldxref(8). It exposed
ELF parsing helpers specialized in parsing KLDs and the kernel
executable. The library can be used to read metadata such as linker_set,
mod_depend, mod_version and PNP match info, and raw data from the ELF.
To promote the reuse of the facilities the ELF parsing code is separated
from kldxref(8) into a new private library.
kldxref(8) is modified to link against the libkldelf library.
Sponsored by: Juniper Networks, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D46719
and allow to revert it back to 48 with WITHOUT_JEMALLOC_LG_VADDR_WIDE build
option.
Reviewed by: andrew, emaste
Sponsored by: Advanced Micro Devices (AMD)
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D46686
In preparation for supporting 64-bit machines with 32-bit UEFI firmware,
add a build option for compiling the ia32 loader. Currently unused.
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1098
The in-tree ZFS test suite is somewhat outdated and I see a number of
failures there. I tend to think that we want to integrate the OpenZFS
test suite somehow, replacing the legacy one, though it's also possible
to run that as a separate test suite.
In any case, if one wants to run the OpenZFS test suite separately, it's
useful to be able to disable installation of the legacy ZFS test suite,
so let's provide a src.conf option to do that.
Reviewed by: asomers
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D46476
Add support for specifying how to report the missing Branch Target
Identification (BTI) linker feature on AArch64.
For:
Kernel: bti-report on when the linker supports it
Userspace: bti-report on when the linker supports it and
BTI_REPORT_ERROR is defined
Fixes: 43e8849bc2 ("conf: Enable BTI checking in the arm64 kernel")
Pull Request: https://github.com/freebsd/freebsd-src/pull/1393
This allows us to support symbols optionally available based on
configuration, not just on compiler built-in #defines.
Reviewed by: brooks, jrtc27
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45346
Make it possible to disable pxeboot. This loader will fail to build when
it's too large. When /boot/loader needs to be larger like that, this
option will disable a component whose build will fail. It is an explicit
option rather than implicit when things are too large to force the user to
make the explicit tradeoffs rather than wonder why they have a stale pxeboot
or other odd failure mode.
MFC After: 3 days
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D46212
As discussed on the freebsd-arch mailing list[1]. For historical
reasons FreeBSD's buildworld and buildkernel targets started by cleaning
the object tree, for traditional (non-metamode) builds.
Cleaning is not necessary when dependencies are properly tracked, and we
have a somewhat kludgey script[2] to handle some known cases where deps
were mishandled by traditional builds. Be consistent with the vast
majority of open source build systems by default, and do not clean at
the beginning of buildworld or buildkernel.
Users may set WITH_CLEAN in src.conf(5) to restore the previous
behaviour, or run `make cleanworld` and/or `make cleankernel` before
starting a build.
[1] https://lists.freebsd.org/archives/freebsd-arch/2024-July/000727.html
[2] tools/build/depend-cleanup.sh
Reviewed by: jhb, imp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46172
Following is a changelog of new features and fixes to wpa:
hostapd:
* Wi-Fi Easy Connect
- add support for DPP release 3
- allow Configurator parameters to be provided during config exchange
* HE/IEEE 802.11ax/Wi-Fi 6
- various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
- add preliminary support
* SAE: add support for fetching the password from a RADIUS server
* support OpenSSL 3.0 API changes
* support background radar detection and CAC with some additional
drivers
* support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
* EAP-SIM/AKA: support IMSI privacy
* improve 4-way handshake operations
- use Secure=1 in message 3 during PTK rekeying
* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
to avoid interoperability issues
* support new SAE AKM suites with variable length keys
* support new AKM for 802.1X/EAP with SHA384
* extend PASN support for secure ranging
* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
- this is based on additional details being added in the IEEE 802.11
standard
- the new implementation is not backwards compatible
* improved ACS to cover additional channel types/bandwidths
* extended Multiple BSSID support
* fix beacon protection with FT protocol (incorrect BIGTK was provided)
* support unsynchronized service discovery (USD)
* add preliminary support for RADIUS/TLS
* add support for explicit SSID protection in 4-way handshake
(a mitigation for CVE-2023-52424; disabled by default for now, can be
enabled with ssid_protection=1)
* fix SAE H2E rejected groups validation to avoid downgrade attacks
* use stricter validation for some RADIUS messages
* a large number of other fixes, cleanup, and extensions
wpa_supplicant:
* Wi-Fi Easy Connect
- add support for DPP release 3
- allow Configurator parameters to be provided during config exchange
* MACsec
- add support for GCM-AES-256 cipher suite
- remove incorrect EAP Session-Id length constraint
- add hardware offload support for additional drivers
* HE/IEEE 802.11ax/Wi-Fi 6
- support BSS color updates
- various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
- add preliminary support
* support OpenSSL 3.0 API changes
* improve EAP-TLS support for TLSv1.3
* EAP-SIM/AKA: support IMSI privacy
* improve mitigation against DoS attacks when PMF is used
* improve 4-way handshake operations
- discard unencrypted EAPOL frames in additional cases
- use Secure=1 in message 2 during PTK rekeying
* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
to avoid interoperability issues
* support new SAE AKM suites with variable length keys
* support new AKM for 802.1X/EAP with SHA384
* improve cross-AKM roaming with driver-based SME/BSS selection
* PASN
- extend support for secure ranging
- allow PASN implementation to be used with external programs for
Wi-Fi Aware
* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
- this is based on additional details being added in the IEEE 802.11
standard
- the new implementation is not backwards compatible, but PMKSA
caching with FT-EAP was, and still is, disabled by default
* support a pregenerated MAC (mac_addr=3) as an alternative mechanism
for using per-network random MAC addresses
* EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
to improve security for still unfortunately common invalid
configurations that do not set ca_cert
* extend SCS support for QoS Characteristics
* extend MSCS support
* support unsynchronized service discovery (USD)
* add support for explicit SSID protection in 4-way handshake
(a mitigation for CVE-2023-52424; disabled by default for now, can be
enabled with ssid_protection=1)
- in addition, verify SSID after key setup when beacon protection is
used
* fix SAE H2E rejected groups validation to avoid downgrade attacks
* a large number of other fixes, cleanup, and extensions
MFC after: 2 months
Merge commit '6377230b3cf4f238dcd0dc2d76ff25943d3040e5'
It is being removed from the tree. Remove the build infrastructure to
configure armv6 builds.
Reviewed by: manu, imp, emaste
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D45643
I fixed this when I tested the patch, but apparently forgot to commit
the typo fix into my local git tree. ".ORDER" -> ".ORDER:".
MFC after: 5 minutes
Fixes: 187d696a0a "bsd.progs.mk: Create directories first"
Sponsored by: Amazon
Order installdirs before the $p.install targets; this is necessary
when a user of <bsd.progs.mk> also creates the directory into which
the binaries are installed.
In particular, without this patch running `make installworld -jN` can
break when installing tests since the /usr/tests/foo/bar directories
are created during installworld; this has been causing the stable/14
weekly snapshot builds to intermittently fail for months.
MFC after: 5 minutes
Sponsored by: Amazon
Differential Revision: https://reviews.freebsd.org/D45923
These are already removed from the tree, or are in the process of being
removed.
Reviewed by: manu, imp, emaste
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D45638
Unfortunately this results in make universe's environment, i.e.
corresponding to the host, being used for every one of its sub-makes, so
they're in the wrong place and trample over each other.
This reverts commit 2b7c1402f9.
If we had to set OBJTOP we want to .export it (if .MAKE.LEVEL > 0)
for the benefit of things like x!= ${.MAKE} -r ... and similar.
Without OBJTOP, the default MAKEOBJDIR setting will result in
attempting to use an objdir like /lib or /bin etc in some cases.
This patch is based on D30990
with the addition of the check for level > 0.
Reviewed by: jrtc27
Differential Revision: <https://reviews.freebsd.org/D30990>
Add the WITH/WITHOUT_BRANCH_PROTECTION build flags. This can be used
to enable the use of pointer authentication (FEAT_PAuth) and branch
target identification (FEAT_BTI) in userspace.
The kernel already handles both of these in userspace, we just need
to enable it.
Leave disabled for a short period for this to settle before enabling.
Reviewed by: emaste
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D42596
Link with --no-undefined-version by default. Will detect and prevent
the accidental removal of symbols from versioned libraries.
(cherry picked from commit 4510f2ca91)
This reverts commit b25ceb97ed.
Reviewed by: arichardson, kib, dim, emaste
Differential Revision: https://reviews.freebsd.org/D44216
gcc doesn't have -m32 support on aarch64 so mark LIB32 broken there.
We have to check both COMPILER_TYPE and X_COMPILER_TYPE because
X_COMPILER_TYPE is only conditionally set and COMPILER_TYPE is the host
compiler in Makefile.inc1.
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D45089
In the future, we will default to _FORTIFY_SOURCE=2 if SSP is enabled,
otherwise default to _FORTIFY_SOURCE=0. For now we default it to 0
unconditionally to ease bisect across older versions without the new
symbols, and we'll put out a call for testing.
include/*.h include their ssp/*.h equivalents as needed based on the
knob. Programs and users are allowed to override FORTIFY_SOURCE in their
Makefiles or src.conf/make.conf to force it off.
Reviewed by: des, markj
Relnotes: yes
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D32308
libnvmf provides APIs for transmitting and receiving Command and
Response capsules along with data associated with NVMe commands.
Capsules are represented by 'struct nvmf_capsule' objects.
Capsules are transmitted and received on queue pairs represented by
'struct nvmf_qpair' objects.
Queue pairs belong to an association represented by a 'struct
nvmf_association' object.
libnvmf provides additional helper APIs to assist with constructing
command capsules for a host, response capsules for a controller,
connecting queue pairs to a remote controller and optionally
offloading connected queues to an in-kernel host, accepting queue pair
connections from remote hosts and optionally offloading connected
queues to an in-kernel controller, constructing controller data
structures for local controllers, etc.
libnvmf also includes an internal transport abstraction as well as an
implementation of a userspace TCP transport.
libnvmf is primarily intended for ease of use and low-traffic use cases
such as establishing connections that are handed off to the kernel.
As such, it uses a simple API built on blocking I/O.
For a host, a consumer first populates a 'struct
nvmf_association_params' with a set of parameters shared by all queue
pairs for a single association such as whether or not to use SQ flow
control and header and data digests and creates a 'struct
nvmf_association' object. The consumer is responsible for
establishing a TCP socket for each queue pair. This socket is
included in the 'struct nvmf_qpair_params' passed to 'nvmf_connect' to
complete transport-specific negotiation, send a Fabrics Connect
command, and wait for the Connect reply. Upon success, a new 'struct
nvmf_qpair' object is returned. This queue pair can then be used to
send and receive capsules. A command capsule is allocated, populated
with an SQE and optional data buffer, and transmitted via
nvmf_host_transmit_command. The consumer can then wait for a reply
via nvmf_host_wait_for_response. The library also provides some
wrapper functions such as nvmf_read_property and nvmf_write_property
which send a command and wait for a response synchronously.
For a controller, a consumer uses a single association for a set of
incoming connections. A consumer can choose to use multiple
associations (e.g. a separate association for connections to a
discovery controller listening on a different port than I/O
controllers). The consumer is responsible for accepting TCP sockets
directly, but once a socket has been accepted it is passed to
nvmf_accept to perform transport-specific negotiation and wait for the
Connect command. Similar to nvmf_connect, nvmf_accept returns a newly
constructed nvmf_qpair. However, in contrast to nvmf_connect,
nvmf_accept does not complete the Fabrics negotiation. The consumer
must explicitly send a response capsule before waiting for additional
command capsules to arrive. In particular, in the kernel offload
case, the Connect command and data are provided to the kernel
controller and the Connect response capsule is sent by the kernel once
it is ready to handle the new queue pair.
For userspace controller command handling, the consumer uses
nvmf_controller_receive_capsule to wait for a command capsule.
nvmf_receive_controller_data is used to retrieve any data from a
command (e.g. the data for a WRITE command). It can be called
multiple times to split the data transfer into smaller sizes.
nvmf_send_controller_data is used to send data to a remote host in
response to a command. It also sends a response capsule indicating
success, or an error if an internal error occurs. nvmf_send_response
is used to send a response without associated data. There are also
several convenience wrappers such as nvmf_send_success and
nvmf_send_generic_error.
Reviewed by: imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D44710
Link with --no-undefined-version by default. Will detect and prevent
the accidental removal of symbols from versioned libraries.
Reviewed by: arichardson, kib, dim, emaste
Differential Revision: https://reviews.freebsd.org/D44216
This commit broke "make makeman" checks in github CI due to a lack of
option description files. The split between VIMAGE and VIMAGE_SUPPORT
is not clearly justified and the code is broken because there is no
opt_vimage.h (it's in opt_global.h).
This reverts commit 22ca6db50f.
The drivers and utilities are now built and installed unconditionally.
Reviewed by: imp, emaste
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D44843
Capsicum is non-optional as of c24c117b96 ("Remove
WITHOUT_{CAPSICUM,CASPER} options").
`#ifndef WITHOUT_CAPSICUM` is left in the source for the benefit of
downstream consumers, but is never defined in FreeBSD.
Reviewed by: oshogbo
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D42077
- Remove superfluous whitespace by removing trailing whitespace
before `\` (line continuation character)
- Quote `SUBDIR.` to clarify the fact that this is a variable
reference--not the end of a sentence.
As discussed in bug 278417, some ports require the F16C instruction set
to compile, but there is no way yet to detect whether the currently
chosen CPUTYPE supports this feature.
Add the feature to the MACHINE_CPU variable, for each processor that
supports it. The list of processors was extracted from clang 18's -dM
output, filtered on the __F16C__ define.
PR: 278417
Reviewed by: brooks, emaste
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D44848