While FIDO/U2F keys were already supported by the generic uhid(4) and
hidraw(4) drivers, this driver adds some additional features an does
steps to tighten the security of FIDO/U2F access.
- It automatically loads through devd.
- Automatically enables HQ_NO_READAHEAD for FIDO/U2F devices.
- Implements only miminum set of features.
- Do not requires external devfs configuration to set character device
permissions.
- Names character device as u2f/# to make possible capsicum or any
other pledge()-style sandboxing.
PR: 265528
Differential Revision: https://reviews.freebsd.org/D51612
With factoring out of supporting code from ugen(4) driver.
The ioctl is used in FIDO/U2F security key drivers to get
USB product and manufacturer strings.
PR: 264843
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D51609
instead of renaming uhid(4) to hidraw to make easier import of coming
u2f(4) driver which has similar option.
Differential Revision: https://reviews.freebsd.org/D51608
It disables interrupt emulation on poll-driven buses like USB and
forces aquiring of only one USB frame per read(2) operation.
This avoids an FIDO/U2F issue where IN endpoint data received from
the device right before the file handle is closed, gets lost.
PR: 263995
Reviewed by: aokblast
Differential revision: https://reviews.freebsd.org/D51605
We frequently need to check if a vnode refers to either a character or
block special, so we might as well have a macro for it.
We somewhat less frequently need to perform similar checks on things
that aren't vnodes (usually a struct vattr *), so add VATTR_ISDEV()
and a generic VTYPE_ISDEV() as well.
Sponsored by: Klara, Inc.
Sponsored by: NetApp, Inc.
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D51947
If the mntfromname of a mountpoint is not a device (e.g. nullfs, tarfs,
procfs) we shouldn't compare st_rdev, as any match will be spurious.
MFC after: 1 week
Sponsored by: Klara, Inc.
Sponsored by: NetApp, Inc.
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D51945
ints can be up to 10 digits, plus NUL. Make the val array 12 to silences
a lame gcc warning (the range of the int is such that we'll never
truncate, but this is a cheap fix).
Sponsored by: Netflix
gcc doesn't like something about the initializer that comes with
jemalloc. Since it's vendor code, make this warning not an error
for -Werror purposes.
Sponsored by: Netflix
Instead of leaking di_db[0] (for regular files this is the index of the
first block of the file), return NODEV when not a special node.
Reported and reviewed by: des
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D51943
It benefits KVA. For userspace la57 is disabled by default for quite
some time, to avoid compat issues.
Reviewed by: alc, imp, olce
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D51929
krb5/util contains both programs and libraries; trying to build that
for compat confuses bsd.prog.mk and results in unwanted files being
created in the source tree. Remove krb5/util and instead list only
the directories underneath krb5/util which contain libraries.
The libdata change from the diff isn't included; that will be fixed
in a different way.
Fixes: fb13ae28b2 ("Makefile.libcompat: Add krb5/util")
Reviewed by: ngie (previous version)
Differential Revision: https://reviews.freebsd.org/D51937
The reimplementation of certctl, while much needed, broke the release
build and 72 hours later corrections are still under review (D51896).
This revert should be reverted once that is ready to land; I just need
this out of the tree temporarily because breakage is interfering with
release engineering for the upcoming 15.0-RELEASE.
Unsquashed reversions:
Revert "etc: add missing mtree entry for certctl tests"
This reverts commit f751757259.
Revert "certctl: Fix bootstrap build"
This reverts commit c989e3cc3d.
Revert "certctl: Reimplement in C"
This reverts commit 81d8827ad8.
With hat: re@
- Make it platform agnostic
- Separate FreeBSD related code
- Fix tests
- Make it report all non-loaded modules instead of the first occurrence
only
- Update kyuafile.5 man page
Reviewed by: ngie
MFC after: 2 weeks
Pull Request: https://github.com/freebsd/kyua/pull/270
Many things other than sendmail itself use the milter API, for example
mail/opendkim from ports. Putting the library in its own package means
those applications don't need to depend on FreeBSD-sendmail.
Reviewed by: manu
Differential Revision: https://reviews.freebsd.org/D51914
This fixes missing libraries (libcom_err, libkrb5profile, ...)
for the 32-bit build, since these libraries live in krb5/util.
Reviewed by: ngie, des
Differential Revision: https://reviews.freebsd.org/D51926
This commit adds UTP Task Management Request functions and revisits the
UTR/UTRM construction logic.
It also introduces ufshci_ctrlr_cmd_send_task_mgmt_request(), which
will be used for timeout handling in a follow-up commit.
Test: I temporarily added the code below to the ufshci_ctrlr_start()
function to test it on a Galaxy Book S.
```
static void
ufshci_ctrlr_start(struct ufshci_controller *ctrlr)
{
...
/* Test: Task Mangement Request */
ufshci_printf(ctrlr,
"Test: Task Mangement Request\n");
struct ufshci_completion_poll_status status;
status.done = 0;
ufshci_ctrlr_cmd_send_task_mgmt_request(ctrlr,
ufshci_completion_poll_cb, &status,
UFSHCI_TASK_MGMT_FUNCTION_QUERY_TASK, 0, 0, 0);
ufshci_completion_poll(&status);
if (status.error) {
ufshci_printf(ctrlr,
"ufshci_ctrlr_cmd_send_task_mgmt_request failed!\n");
return;
}
uint32_t service_response;
service_response =
status.cpl.response_upiu.task_mgmt_response_upiu.output_param1;
ufshci_printf(ctrlr, "Task Management Service Response = 0x%x\n",
service_response);
...
}
```
Sponsored by: Samsung Electronics
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D51506
Using the cfparam variant of add_param() will actually copy the name and
flags from the passed-in param, which I hadn't considered. We actually
want the name/flags from the "name" param so that we can do variable
expansion against it right after that -- otherwise it cannot be found,
since variable expansion actually searches by name.
While we're here, `jls -e` was the intermediate name for `jls -c` that
never saw the light of the day. Fix our existence test.
Reviewed by: jamie
Fixes: 02944d8c49 ("jail: consistently populate the KP_JID [...]")
Differential Revision: https://reviews.freebsd.org/D51831
Subtracing addr is only appropriate for position-dependent objects,
where vaddrbase would also be the same value. For position-independent
objects, like the VDSO (which we already assume due to setting vaddrbase
to 0), the segments start at 0, not addr.
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D51924
This brings in a merge from jemalloc 5.3.0. It's almost fully scripted, except:
Three conflicts resolved by hand:
include/jemalloc/internal/test_hooks.h Use the new name
src/extent.c Use the new code
src/jemalloc.c Use the new code since je_realloc has moved
The script is recorded in FREEBSD-upgrade. The old script did svn
commands that were basically a rebase of our changes. This update has a
series of diff reduction changes before this.
Note: I'd planned on fixing the above three conflicts with commits, but
ran out of time when I did this work in January. I got discouraged when
jemalloc was EOL'd and didn't pick this back up. I did the above by hand
to get this into FreeBSD 15.0
This work is a repeat of the work by Minsoo Choo who did all these
changes and created a pull request. Given the importance of jemalloc, I
audited these changes by redoing them in this series of commits (and
with the script that was checked in). I did this to confince myself and
anybody else in doubt that there was no supply chain attack. The diffs
between this series of commits and Minsoo's work are minor (though the
version skew makes adds some noise). Interested parties can independent
audit each step, I hope. I've listed Minsoo as a co-author since without
his pull request to test again, this wouldn't have been possible.
Thanks to brooks@ for help with getting the jemalloc 3 ABI compat
symbols right.
Co-authored-by: Minsoo Choo <minsoochoo0122@proton.me>
Pull Request: https://github.com/freebsd/freebsd-src/pull/1337
Sponsored by: Netflix
When we're not doing the private namespace remap, we don't need to do
this pragma. This is needed for the bootstrapping path when we import a
new version of jemalloc.
No functional change.
Sponsored by: Netflix
Gate the namespace dance on this define. This allows us to bootstrap new
versions of jemalloc more easily. One of the steps of import is building
to find what symbols need to be private. When we do that, we don't want
to do this dance.
No functional change.
Sponsored by: Netflix