Commit graph

9375 commits

Author SHA1 Message Date
Mark Johnston
629a72376d ossl: Add AES-GCM support for NEON-enabled armv7
This provides substantially higher throughput than the fallback
implementation.

Reviewed by:	jhb
MFC after:	3 months
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D41305
2023-11-30 12:49:48 -05:00
Mark Johnston
44f8e1e853 ossl: Add support for armv7
OpenSSL provides implementations of several AES modes which use
bitslicing and can be accelerated on CPUs which support the NEON
extension.  This patch adds arm platform support to ossl(4) and provides
an AES-CBC implementation, though bsaes_cbc_encrypt() only implements
decryption.  The real goal is to provide an accelerated AES-GCM
implementation; this will be added in a subsequent patch.

Initially derived from https://reviews.freebsd.org/D37420.

Reviewed by:	jhb
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
MFC after:	3 months
Differential Revision:	https://reviews.freebsd.org/D41304
2023-11-30 12:49:47 -05:00
Warner Losh
29363fb446 sys: Remove ancient SCCS tags.
Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixups to keep things compiling. All the common forms in the tree
were removed with a perl script.

Sponsored by:		Netflix
2023-11-26 22:23:30 -07:00
Konstantin Belousov
d3849ec3c9 Set installed kernel and driver files access modes using KMODMODE var
Reviewed by:	emaste, imp
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D42768
2023-11-25 20:40:39 +02:00
Olivier Certner
7fa08d4152 kern_racct.c: Don't compile if RACCT undefined
Just skip compiling this file if RACCT isn't defined.  This allows to
skip including headers that no code uses at all, and also to remove the
whole file's #ifdef/#endif bracketing.

Reviewed by:    markj
MFC after:      2 weeks
Sponsored by:   The FreeBSD Foundation
2023-11-22 14:17:17 -05:00
Alex Xu (Hello71)
96f193b290 Compile RACK when options TCP_RACK, not TCP_BBR
Signed-off-by: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
Fixes: 3a338c5341 ("Add the BBR and RACK stacks to the LINT kernel.")
Pull Request:	https://github.com/freebsd/freebsd-src/pull/907
2023-11-21 13:51:10 -04:00
Konstantin Belousov
6eda49b7bf mlx5_core: add new files to the static files list
Sponsored by:	NVidia networking
MFC after:	1 week
2023-11-16 01:08:17 +02:00
Andrew Turner
9eecef0521 Add an Armv8 rndr random number provider
Armv8.5 adds an optional random number generator. This is implemented
as two special registers, one to read a random number, the other to
re-seed the entropy pool before reading a random number. Both registers
will set the condition flags to tell the caller they can't produce a
random number in a reasonable amount of time.

Without a signal to reseed the entropy pool use the latter register
to provide random numbers to the kernel pool. If at a later time we
had a way to tell the provider if it needs to reseed or not we could
use the former.

On an Amazon AWS Graviton3 VM this never failed, however this may not
be the case on low end CPUs so retry reading the random number 10 times
before returning an error.

Reviewed by:	imp, delphij (csprng)
Sponsored by:	The FreeBSD Foundation
Sponsored by:	Arm Ltd
Differential Revision:	https://reviews.freebsd.org/D35411
2023-11-15 18:05:08 +00:00
John Baldwin
ede077bf2a sys: Disable -Walloc-size-larger-than for GCC 9+
By default this warns about sizes larger than PTRDIFF_MAX passed to
malloc (rather than SIZE_MAX).  This doesn't trigger
deterministically, but it does trigger for kmalloc() of struct_size()
in iwlwifi's iwl_configure_rxq even when struct_size() is changed to
use PTRDIFF_MAX.  NB: struct_size() in Linux caps the size at
SIZE_MAX, not PTRDIFF_MAX via size_mul().

Reviewed by:	imp
Differential Revision:	https://reviews.freebsd.org/D42587
2023-11-14 18:37:25 -08:00
Andrew Turner
0b20014167 sys/conf: Move adding kernel.bin earlier
When building with kernel.bin enabled we need to set KERNEL_EXTRA and
KERNEL_EXTRA_INSTALL before they are used otherwise kernel.bin isn't
built.

Reviewed by:	imp
Sponsored by:	Arm Ltd
Differential Revision:	https://reviews.freebsd.org/D42531
2023-11-10 09:57:44 +00:00
Kyle Evans
93d4bad645 arm: prune imx5 support from the tree
The IMX5 configs were removed in advance of FreeBSD 14.0 in
cdb0c2a73d ("arm: Remove IMX5 specific kernel configs").  This code
isn't built with GENERIC and doesn't actually build today as-is, so
let's remove it to avoid needless maintenance work to it that won't be
tested.  As usual, revival is welcome with a committed user and work to
maintain it with upstream DTS and, ideally, in GENERIC.

I note that vt_early_fb is now effectively orphaned as nothing else will
use it, but I haven't yet removed it since I have not done anything to
ascertain if it could be integrated easily enough for other SoC.  It is
among the files that don't actually build with today's clang, though.

Reviewed by:	imp, manu
Differential Revision:	https://reviews.freebsd.org/D41836
2023-10-26 22:55:17 -05:00
Warner Losh
34632ed1a4 arm: Introduce MK_KERNEL_BIN to control generation of kernel.bin
It's sometimes desirable to generate kernel.bin and install it. While
the mainstream has moved on to UEFI booting on arm, some specialized
gear can't support it. For that gear, we unconditionally generate
kernel.bin. Add a knob so that WITH_KERNEL_BIN or WITHOUT_KERNEL_BIN
control its generation and installation. config files should add
'makeoptions WITH_KERNEL_BIN=t' to enable it. Since its use is
specialized, it is off by default now since the arm world has largely
moved on to UEFI.

It only affects arm and arm64 (since those are the only two that support
it).

Sponsored by:		Netflix
Reviewed by:		mmel
Differential Revision:	https://reviews.freebsd.org/D39013
2023-10-26 21:10:36 -06:00
Rick Macklem
dd7d42a1fa nfscl/kgssapi: Fix Kerberized NFS mounts to pNFS servers
During recent testing related to the IETF NFSv4 Bakeathon, it was
discovered that Kerberized NFSv4.1/4.2 mounts to pNFS servers
(sec=krb5[ip],pnfs mount options) were broken.
The FreeBSD client was using the "service principal" for
the MDS to try and establish a rpcsec_gss credential for a DS,
which is incorrect. (A "service principal" looks like
"nfs@<fqdn-of-server>" and the <fqdn-of-server> for the DS is not
the same as the MDS for most pNFS servers.)

To fix this, the rpcsec_gss code needs to be able to do a
reverse DNS lookup of the DS's IP address.  A new kgssapi upcall
to the gssd(8) daemon is added by this patch to do the reverse DNS
along with a new rpcsec_gss function to generate the "service
principal".

A separate patch to the gssd(8) will be committed, so that this
patch will fix the problem.  Without the gssd(8) patch, the new
upcall fails and current/incorrect behaviour remains.

This bug only affects the rare case of a Kerberized (sec=krb5[ip],pnfs)
mount using pNFS.

This patch changes the internal KAPI between the kgssapi and
nfscl modules, but since I did a version bump a few days ago,
I will not do one this time.

MFC after:	1 month
2023-10-23 13:21:14 -07:00
Warner Losh
a113f9dd98 uart: Support EARLY_PRINTF on x86 for port-mapped COM ports
Support early printf for the ns8250 uart driver. Adding
	options UART_NS8250_EARLY_PORT=0xYYY
	options EARLY_PRINTF
to your kernel config will enable it. The code is rather simple minded,
so caveat emptor. This will enable printf before cninit. cninit
automatically disables this and switches to the real routine. It only
works for port-mapped COM ports, and only if you know the port's address
at compile time. It's intended to be a debugging aid, not a general
purpose thing.

Sponsored by:		Netflix
Reviewed by:		emaste
Differential Revision:	https://reviews.freebsd.org/D42306
2023-10-20 16:07:24 -06:00
Dag-Erling Smørgrav
3a338c5341 Add the BBR and RACK stacks to the LINT kernel.
While here, drop the EXTRA_TCP_STACKS option, which serves no purpose and
should never have been added.  Instead, build bbr and rack as long as
either or both of INET and INET6 is enabled.  There is no risk to anyone
who doesn't load one or both and then twiddle the relevant sysctls.

Differential Revision:	https://reviews.freebsd.org/D42088
2023-10-18 16:13:12 +02:00
Mark Johnston
b6c653c974 kmsan: Set -fno-sanitize-memory-param-retval for now
As of LLVM 16, -fsanitize-memory-param-retval is the default.  It yields
significantly smaller code, but the KMSAN runtime interceptors need to
be updated to stop checking shadow state of parameters.  Apply a minimal
workaround for now.

MFC after:	3 days
Sponsored by:	Klara, Inc.
Sponsored by:	Juniper Networks, Inc.
2023-10-17 09:05:45 -04:00
Kristof Provost
ab393e9548 netlink: move NETLINK define to opt_global.h
Move the NETLINK define into opt_global.h so we can rely on it being
set correctly, without having to remember to include opt_netlink.h.
This ensures that the NETLINK define is correctly set. If not we
may end up with unloadable modules, due to missing symbols (such as
nlmsg_get_group_writer).

PR:		274306
Reviewed by:	imp, markj
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D42179
2023-10-13 09:23:47 +02:00
Warner Losh
4026128983 nvme: Really remove NVME_2X_RESET
da8324a925 removed one of the two instances of NVME_2X_RESET. It
failed to snag the other one, and remove it from the options file.
Remove from both of those here.

Sponsored by:		Netflix
Reviewed by:		chuck, gallatin, jhb
Differential Revision:	https://reviews.freebsd.org/D42049
2023-10-10 16:13:56 -06:00
Andrew Turner
d09a64e15d arm64: Enable kernel branch protection
Add the build flags to enable branch protection on arm64. This enables
the use of PAC and BTI in the kernel.

For PAC we already install the kernel keys when entering the kernel
from userspace so this will start using these to sign the stack.

For BTI we need to mark the kernel page tables with a new guarded page
field. As this will require all code that could be reached through a
function pointer with an appropriate branch target instruction we
are enabling this before setting the field.

As the pointer authentication support shouldn't be reached via a
function pointer it is safe to not enable the use of BTI there.

Reviewed by:	markj
Sponsored by:	Arm Ltd
Differential Revision:	https://reviews.freebsd.org/D42079
2023-10-10 10:52:16 +01:00
Kristof Provost
84d12f887c Add a COMPAT_FREEBSD14 kernel option
Use it wherever COMPAT_FREEBSD13 is currently specified.

Reviewed by:	brooks, zlei
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D42100
2023-10-10 11:48:22 +02:00
Alexander V. Chernikov
2cef62886d pf: convert state retrieval to netlink
Use netlink to export pf's state table.

The primary motivation is to improve how we deal with very large state
tables. With the previous implementation we had to build the entire
list (both in the kernel and in userspace) before we could start
processing. With netlink we start to get data in userspace while the
kernel is still generating more. This reduces peak memory consumption
(which can get to the GB range once we hit millions of states).

Netlink also makes future extension easier, in that we can easily add
fields to the state export without breaking userspace. In that regard
it's similar to an nvlist-based approach, except that it also deals
with transport to userspace and that it performs significantly better
than nvlists. Testing has failed to measure a performance difference
between the previous struct-copy based ioctl and the netlink approach.

Differential Revision:	https://reviews.freebsd.org/D38888
2023-10-10 11:48:21 +02:00
Ed Maste
826d144679 newvers: remove references to svnliteversion
svnliteversion was provided by the base system copy of subversion,
which was disabled in a2bc17474b ("Disable building svnlite(1) by
default.")

Reviewed by:	zlei
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D42034
2023-10-09 23:46:36 -04:00
Emmanuel Vadot
62519d5a4f dwc: Split core functions
Synopsys/Designware controllers have multiple versions. The version currently
supported by dwc(4) is the version 3 and it's usually called 1000 for gigabit.
In the goal to support all of those in the same base driver start splitting the
core function to a new file.

No functional changes intended.
2023-10-05 17:34:39 +02:00
Emmanuel Vadot
972adf0f97 dwc: Split dma functions
Synopsys/Designware controllers have multiple dma versions, the one included
in the driver is the base one. if_awg is one example of a dwc variant that
has another DMA controller. eqos is a newer variant of dwc that has a newer
dma controller.
In the goal to support all of those in the same base driver start splitting the
dma function to a new file.

No functional changes intended.
2023-10-05 17:34:39 +02:00
Emmanuel Vadot
432ae724e6 dwc: Move every sub driver to dev/dwc
It makes it easier to find all the sub drivers and change them if needed.
While here do not gate dwc_rk with soc options, dwc_rk is made for all rockchip
SoCs. Same thing for dwc_socfpga
2023-10-05 17:34:38 +02:00
Emmanuel Vadot
1d6a6a5244 i2c: Add Microcrystal RV3032 RTC driver
This is a simple RTC driver for the rv3032 from Microcrystal.
Just the basic functionality is implemented (no timer, alarm etc ..).

Sponsored by:	Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D41995
2023-10-03 09:56:20 +02:00
Emmanuel Vadot
137b58e4d2 i2c: Add cadence iic driver
This IP is found in Xilinx SoCs; it has only been tested on ZynqMP (arm64)
so only enable it there for now.

Differential Revision:	https://reviews.freebsd.org/D41994
2023-10-03 09:56:20 +02:00
Emmanuel Vadot
125f5c5b48 iicbus: Move opencores i2c driver into controller subdirectory
Sponsored by:	Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D41914
2023-10-03 09:56:20 +02:00
Emmanuel Vadot
7c569caa0a iicbus: Move i2c sensors drivers into new sensor subdirectory
No reason that they should live directly under iicbus

Sponsored by:   Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D41913
2023-10-03 09:56:20 +02:00
Emmanuel Vadot
918a10c9f7 iicbus: conf: Fix pcf8574 entry
It lives in the gpio subdirectory

Sponsored by:	Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D41912
2023-10-03 09:56:19 +02:00
Emmanuel Vadot
06589d6e02 iicbus: Move ADC drivers into a new adc subfolder
No reason that they should live directly under iicbus

Sponsored by:   Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D41911
2023-10-03 09:56:19 +02:00
Emmanuel Vadot
22d7dd834b iicbus: Move adm1030 and adt746x to new pwm subdirectory
Those are (mainly) pwm controllers so move them under a new subdirectory.

Sponsored by:	Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D41910
2023-10-03 09:56:19 +02:00
Emmanuel Vadot
062944cc42 iicbus: Move Silergy pmic/regulators under pmic/silergy subdirectory
Sponsored by:	Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D41909
2023-10-03 09:56:19 +02:00
Emmanuel Vadot
2f16049c98 iicbus: Move remaining rtc driver into rtc subfolder
No reason that they should live directly under iicbus

Sponsored by:	Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D41908
2023-10-03 09:56:19 +02:00
Emmanuel Vadot
580d00f42f iicbus: Move twsi under a new controller subdirectory
The folder is a mess so start moving stuff into sub-directories.

Sponsored by:	Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D41907
2023-10-03 09:56:19 +02:00
Stephen J. Kiernan
e47381c9fc Allow for CSTD to be set by kernel module Makefiles before inclusion
Use ?= when setting the default value for CSTD so it can be set by
Makefiles before inclusion and not be overridden by the .mk file.

Reviewed by:	imp, sjg
Obtained from:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D42019
2023-09-29 19:19:58 -04:00
Warner Losh
fc4a676827 newvers: Add comment about why we need sccs, but deprecate it
The SCCS ID is still the most reliable way to dig out the version
information from the kernel w/o false positives. Add a comment to that
effect. savecore(8) neglects to save the kerneldumpheader that would
have the version information at a fixed location. savecore(8) needs to
be augmented to have the right data in the right places, but until then
the old-school SCCS id needs to remain. Once that's fixed, we plan to
remove it.

The reason it needs to be in a fixed or easily findable location is
because if you have an arbitrary core and want to pull the source and
build artifacts that went along with that core, you don't yet have the
symbols you need to read the version string. To solve the chicken / egg
problem, one needs an independent way to know what to use so that
automated analysis of cores can happen. The sccs id being in the kernel
ensures that it is in the core image written. The what(1) utility makes
extracting the version easy.

Sponsored by:		Netflix
Reviewed by:		cy, emaste
Differential Revision:	https://reviews.freebsd.org/D41984
2023-09-27 17:07:53 -06:00
Warner Losh
cb66858759 Revert "sys/conf/newvers.sh: whack sccs tag"
This string is still in active use to find versions for core files
before we have symbols. This is premature.

This reverts commit e6dc6a2723.

Sponsored by:		Netflix
2023-09-27 17:07:43 -06:00
Mateusz Guzik
e6dc6a2723 sys/conf/newvers.sh: whack sccs tag
In the same spirit as removing cvs $FreeBSD$ tags.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2023-09-26 14:36:51 +00:00
Ed Maste
5b732ae833 kernel: remove unused HWPMC_MIPS_BACKTRACE option
MIPS was removed before FreeBSD 13.

Reported by:	andrew
2023-09-26 09:29:18 -04:00
Alexander Motin
2373e704aa Untie strchrnul() from gdb.
MFC after:	10 days
2023-09-23 23:18:20 -04:00
Emmanuel Vadot
4e579ad047 arm64: zynqmp: Add clock driver
Add clock and reset drivers for the ZynqMP SoC.
The clocks are discovered by talking to the firmware as the topology isn't
fixed on this SoC.

Differential Revision:	https://reviews.freebsd.org/D41812
Sponsored by:	Beckhoff Automation GmbH & Co. KG
2023-09-18 15:23:26 +02:00
Emmanuel Vadot
9e88711f28 arm64: zynqmp: Add firmware driver
The ZynqMP SoC has an MCU running a firmware to control clocks, resets,
fpga loading etc ...
Add a driver that can be used to communicate with it.
For now only the clock and reset part are implemented.

Differential Revision:	https://reviews.freebsd.org/D41811
Sponsored by:	Beckhoff Automation GmbH & Co. KG
2023-09-18 15:23:26 +02:00
Dag-Erling Smørgrav
9f16abf8d3 newvers.sh: Avoid picking up stray envars.
89f361f742 added a mechanism to allow arbitrary overrides from the
command line.  Unfortunately, it also had the (likely unintended)
effect of allowing RELEASE and VERSION to be passed in from the
environment, and Makefile.inc1 happens to define VERSION for the
benefit of pkgbase.  To restore the status quo, unset RELEASE and
VERSION at the top of the script.

Fixes:		89f361f742
MFC after:	3 days
Reviewed by:	gallatin, sjg, emaste
Differential Revision:	https://reviews.freebsd.org/D41845
2023-09-13 18:10:46 +00:00
Kyle Evans
602d360186 arm64: start defining a std.apple configuration
The M1 uses FDT, and has bge to start with.  Add a SOC_* option for
the first SoC we'll be supporting.

IOMMU is added commented out because it does have it, but IOMMU is not
well-tested on aarch64.  An initial version of the DART driver will be
upstreamed that just puts the DARTs that support bypass mode into bypass
mode -- we'll be missing some functionality, but we at least still end
up with some USB ports.

Reviewed by:	karels, manu
Input from:	jrtc27 (IOMMU)
Differential Revision:	https://reviews.freebsd.org/D39823
2023-09-08 00:53:51 -05:00
Brooks Davis
2befa269b8 Add INIT_ALL build option
This option replaces WITH_INIT_ALL_PATTERN and WITH_INIT_ALL_ZERO with
INIT_ALL=pattern and INIT_ALL=zero respectively.  As these are
relatively rarely used options no backwards compatibility is
implemented.

Reviewed by:	emaste
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D41675
2023-09-01 17:54:24 +01:00
Brooks Davis
ce5fa47cf0 share/mk: support for "single" group options
Support group options where 1 of n values will be selected (or a default
value will be used).  After processing, an OPT_FOO will be set to one
value from __FOO_OPTIONS for each FOO in __SINGLE_OPTIONS.  If the user
sets FOO that value will be used, otherwise __FOO_DEFAULT will be used.

Options that don't work on a particular system can be remapped to an
alternative using BROKEN_SINGLE_OPTIONS which can be set to a list of
3-tuples of the form:
	OPTION broken_value replacement_value

This is somewhat inspired by OPTIONS_SINGLE from ports, but the
structure is quite different with a per-option variable in the style of
MK_FOO={yes,no}.

Reviewed by:	imp, emaste
Differential Revision:	https://reviews.freebsd.org/D41659
2023-09-01 17:52:28 +01:00
Eric Joyner
e04c4b4a36 ice_ddp: Update to 1.3.35.0
This is intended to be used with the upcoming updated ice(4) version
1.38.16-k.

Signed-off-by: Eric Joyner <erj@FreeBSD.org>

MFC after:	3 days
Sponsored by:	Intel Corporation
2023-08-30 12:43:54 -07:00
Simon J. Gerraty
1554ba03b6 Add mac_grantbylabel
This module allows controlled privilege escalation via mac labels
securely associated with a process via mac_veriexec.

There are over 700 PRIV_* but we can compress many of them into
a single GBL_* thus constraining the size of gbl labels.

The goal is to allow a daemon to run as an unprivileged process while
still being able to perform a set of privileged operations needed.

We add APIs to libveriexec so that userland processes can check labels
and an exec_script API that allows a suitably labeled process to run
something like a python interpreter directly if necessary;
overcoming the 'indirect' flag applied to the interpreter.

Add -l option to sbin/veriexec to report labels.

Reviewed by:	stevek
Sponsored by:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D41431
2023-08-24 17:42:11 -07:00
Glen Barber
aee253d8a7 update main to 15
Approved by:	re (implicit)
Sponsored by:	GoFundMe https://www.gofundme.com/f/gjbbsd
Sponsored by:	PayPal https://paypal.me/gjbbsd
2023-08-24 19:10:35 -04:00