From 4728f534ff6d6644c6f80d2028503670859af576 Mon Sep 17 00:00:00 2001 From: Warner Losh Date: Fri, 10 Nov 2017 23:54:48 +0000 Subject: [PATCH] Move LOADER_{NO,}_GELI_SUPPORT to MK_LOADER_GELI Transition to WITH/WITHOUT_LOADER_GELI to flag support or not of GELI in the boot loaders. Add HAVE_GELI so components can flag they need support (since it's too large to include everywhere). Add temporary warnings for the old forms to ease transition. Also, update test script to build without GELI on x86. Sponsored by: Netflix --- UPDATING | 3 ++- share/mk/src.opts.mk | 1 + sys/boot/defs.mk | 20 ++++++++++++++++++-- sys/boot/geli/Makefile | 4 ++++ sys/boot/i386/gptboot/Makefile | 14 ++++---------- sys/boot/i386/gptzfsboot/Makefile | 10 ++-------- sys/boot/i386/libi386/Makefile | 9 +++------ sys/boot/i386/loader/Makefile | 11 ++--------- sys/boot/i386/zfsboot/Makefile | 8 ++++---- sys/boot/i386/zfsloader/Makefile | 3 +-- sys/boot/sparc64/loader/Makefile | 1 + sys/boot/sparc64/zfsloader/Makefile | 2 -- tools/boot/universe.sh | 11 ++++++++++- tools/build/options/WITHOUT_LOADER_GEIL | 2 ++ 14 files changed, 54 insertions(+), 45 deletions(-) create mode 100644 tools/build/options/WITHOUT_LOADER_GEIL diff --git a/UPDATING b/UPDATING index a84a9ecd63ef..6f852439bc7d 100644 --- a/UPDATING +++ b/UPDATING @@ -53,7 +53,8 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 12.x IS SLOW: 201711xx: The LOADER_FIREWIRE_SUPPORT build variable as been renamed to - WITH_LOADER_FIREWIRE (or WITHOUT_LOADER_FIREWIRE). + WITH/OUT_LOADER_FIREWIRE. LOADER_{NO_,}GELI_SUPPORT has been renamed + to WITH/OUT_LOADER_GELI. 20171106: The naive and non-compliant support of posix_fallocate(2) in ZFS diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk index 4ef52cb1689c..b8ba2586617b 100644 --- a/share/mk/src.opts.mk +++ b/share/mk/src.opts.mk @@ -119,6 +119,7 @@ __DEFAULT_YES_OPTIONS = \ LIB32 \ LIBPTHREAD \ LIBTHR \ + LOADER_GELI \ LOCALES \ LOCATE \ LPR \ 
diff --git a/sys/boot/defs.mk b/sys/boot/defs.mk index 75c354c6254a..b08ffa7c9b20 100644 --- a/sys/boot/defs.mk +++ b/sys/boot/defs.mk @@ -85,10 +85,26 @@ CFLAGS+= -DLOADER_GPT_SUPPORT .if ${LOADER_MBR_SUPPORT:Uyes} == "yes" CFLAGS+= -DLOADER_MBR_SUPPORT .endif -.if ${LOADER_GELI_SUPPORT:Uyes} == "yes" -CFLAGS+= -DLOADER_GELI_SUPPORT + +# GELI Support, with backward compat hooks +.if defined(HAVE_GELI) +.if defined(LOADER_NO_GELI_SUPPORT) +MK_LOADER_GELI=no +.warning "Please move from LOADER_NO_GELI_SUPPORT to WITHOUT_LOADER_GELI" +.endif +.if defined(LOADER_GELI_SUPPORT) +MK_LOADER_GELI=yes +.warning "Please move from LOADER_GELI_SUPPORT to WITH_LOADER_GELI" +.endif +.if ${MK_LOADER_GELI} == "yes" +CFLAGS+= -DLOADER_GELI_SUPPORT +CFLAGS+= -I${BOOTSRC}/geli +LIBGELIBOOT= ${BOOTOBJ}/geli/libgeliboot.a .endif .endif +.endif + +CFLAGS+= -I${SYSDIR} # All PowerPC builds are 32 bit. We have no 64-bit loaders on powerpc # or powerpc64. diff --git a/sys/boot/geli/Makefile b/sys/boot/geli/Makefile index b16f7a8c5ab3..89d6a9f956e8 100644 --- a/sys/boot/geli/Makefile +++ b/sys/boot/geli/Makefile @@ -49,5 +49,9 @@ SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael-api.c CFLAGS+= -D_STAND SRCS+= geliboot_crypto.c g_eli_hmac.c g_eli_key.c g_eli_key_cache.c pkcs5v2.c +# aes +.PATH: ${SYSDIR}/opencrypto +SRCS+= xform_aes_xts.c + .include .include diff --git a/sys/boot/i386/gptboot/Makefile b/sys/boot/i386/gptboot/Makefile index 9d3048a89c56..efe45cb6dbdc 100644 --- a/sys/boot/i386/gptboot/Makefile +++ b/sys/boot/i386/gptboot/Makefile @@ -1,5 +1,7 @@ # $FreeBSD$ +HAVE_GELI= yes + .include .PATH: ${BOOTSRC}/i386/boot2 ${BOOTSRC}/i386/common ${SASRC} 
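Review bot: In the sys/boot/defs.mk hunk, the compatibility test `.if defined(LOADER_GELI_SUPPORT)` sets `MK_LOADER_GELI=yes` for any value, including `LOADER_GELI_SUPPORT=no`. The removed code treated that variable as a yes/no value (`${LOADER_GELI_SUPPORT:Uyes} == "yes"`), and the old zfsboot Makefile in this same commit used `LOADER_GELI_SUPPORT=no`, so a configuration that explicitly disabled GELI would now have it forced on. The shim should set `MK_LOADER_GELI=yes` only when `${LOADER_GELI_SUPPORT} == "yes"` and `MK_LOADER_GELI=no` otherwise. When both legacy variables are defined the second block silently wins, which deserves a one-line comment such as `# LOADER_GELI_SUPPORT takes precedence over LOADER_NO_GELI_SUPPORT`. The trailing added `.endif` closes a conditional opened above the hunk, so the outer nesting cannot be checked from here.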
@@ -41,14 +43,6 @@ CFLAGS+=-DBOOTPROG=\"gptboot\" \ CFLAGS.gcc+= --param max-inline-insns-single=100 -.if ${LOADER_GELI_SUPPORT:Uyes} == "yes" -CFLAGS+= -DLOADER_GELI_SUPPORT -CFLAGS+= -I${BOOTSRC}/geli -LIBGELIBOOT= ${BOOTOBJ}/geli/libgeliboot.a -.PATH: ${SYSDIR}/opencrypto -OPENCRYPTO_XTS= xform_aes_xts.o -.endif - LD_FLAGS+=${LD_FLAGS_BIN} CLEANFILES= gptboot @@ -66,12 +60,12 @@ gptldr.out: gptldr.o ${LD} ${LD_FLAGS} -e start -Ttext ${ORG1} -o ${.TARGET} gptldr.o CLEANFILES+= gptboot.bin gptboot.out gptboot.o sio.o crc32.o drv.o \ - cons.o util.o ${OPENCRYPTO_XTS} + cons.o ${OPENCRYPTO_XTS} gptboot.bin: gptboot.out ${OBJCOPY} -S -O binary gptboot.out ${.TARGET} -gptboot.out: ${BTXCRT} gptboot.o sio.o crc32.o drv.o cons.o util.o ${OPENCRYPTO_XTS} +gptboot.out: ${BTXCRT} gptboot.o sio.o crc32.o drv.o cons.o ${OPENCRYPTO_XTS} ${LD} ${LD_FLAGS} -Ttext ${ORG2} -o ${.TARGET} ${.ALLSRC} ${LIBGELIBOOT} ${LIBSA32} gptboot.o: ${SASRC}/ufsread.c diff --git a/sys/boot/i386/gptzfsboot/Makefile b/sys/boot/i386/gptzfsboot/Makefile index b9df313dd291..d2751c217e7c 100644 --- a/sys/boot/i386/gptzfsboot/Makefile +++ b/sys/boot/i386/gptzfsboot/Makefile @@ -1,5 +1,7 @@ # $FreeBSD$ +HAVE_GPT= yes + .include .PATH: ${BOOTSRC}/i386/boot2 ${BOOTSRC}/i386/gptboot \ @@ -50,14 +52,6 @@ LIBZFSBOOT=${BOOTOBJ}/zfs32/libzfsboot.a LIBZFSBOOT=${BOOTOBJ}/zfs/libzfsboot.a .endif -.if ${LOADER_GELI_SUPPORT:Uyes} == "yes" -CFLAGS+= -DLOADER_GELI_SUPPORT -CFLAGS+= -I${BOOTSRC}/geli -LIBGELIBOOT= ${BOOTOBJ}/geli/libgeliboot.a -.PATH: ${SYSDIR}/opencrypto -OPENCRYPTO_XTS= xform_aes_xts.o -.endif - CFLAGS.gcc+= --param max-inline-insns-single=100 LD_FLAGS+=${LD_FLAGS_BIN} diff --git a/sys/boot/i386/libi386/Makefile b/sys/boot/i386/libi386/Makefile index 20ce255fd50b..43d191dec195 100644 --- a/sys/boot/i386/libi386/Makefile +++ b/sys/boot/i386/libi386/Makefile @@ -1,5 +1,8 @@ # $FreeBSD$ +HAVE_GPT= yes +HAVE_GELI= yes + .include LIB= i386 
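Review bot: In sys/boot/i386/gptboot/Makefile, `${OPENCRYPTO_XTS}` is still listed in `CLEANFILES` and in the `gptboot.out` prerequisites (hunk `@@ -66,12 +60,12 @@`), but its only visible assignment is deleted by the preceding hunk. It now expands to nothing, so the build is unaffected, but the leftover reference suggests the XTS object is still linked here when it has moved into libgeliboot. Drop it from both lines, e.g. `gptboot.out: ${BTXCRT} gptboot.o sio.o crc32.o drv.o cons.o`. The removal of `util.o` in the same lines is not explained by the commit description.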
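Review bot: The line added at the top of sys/boot/i386/gptzfsboot/Makefile is `HAVE_GPT= yes`, where `HAVE_GELI= yes` looks intended, either instead of it or in addition to it. The next hunk in this file deletes the local block that set `-DLOADER_GELI_SUPPORT`, `-I${BOOTSRC}/geli` and `LIBGELIBOOT`, and the replacement in defs.mk is gated on `defined(HAVE_GELI)`. Unless HAVE_GELI is set somewhere outside the visible hunks, gptzfsboot is now built without GELI, and a system booting from a GELI-encrypted ZFS pool would get a boot block that cannot unlock it. libi386 in this same commit sets both `HAVE_GPT= yes` and `HAVE_GELI= yes`, and the same pair is probably what is wanted here.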
@@ -25,12 +28,6 @@ CFLAGS+= -DCOMSPEED=${BOOT_COMCONSOLE_SPEED} CFLAGS+= -DDISK_DEBUG .endif -.if ${LOADER_GELI_SUPPORT:Uyes} == "yes" -# Decrypt encrypted drives -CFLAGS+= -DLOADER_GELI_SUPPORT -CFLAGS+= -I${BOOTSRC}/geli -.endif - .if !defined(BOOT_HIDE_SERIAL_NUMBERS) # Export serial numbers, UUID, and asset tag from loader. CFLAGS+= -DSMBIOS_SERIAL_NUMBERS diff --git a/sys/boot/i386/loader/Makefile b/sys/boot/i386/loader/Makefile index e9d8f897a164..a79b4fbdbcc2 100644 --- a/sys/boot/i386/loader/Makefile +++ b/sys/boot/i386/loader/Makefile @@ -1,5 +1,7 @@ # $FreeBSD$ +HAVE_GELI= yes + LOADER_NET_SUPPORT?= yes LOADER_NFS_SUPPORT?= yes LOADER_TFTP_SUPPORT?= yes @@ -38,15 +40,6 @@ CFLAGS+= -DLOADER_FIREWIRE_SUPPORT LIBFIREWIRE= ${BOOTOBJ}/i386/libfirewire/libfirewire.a .endif -.if ${LOADER_GELI_SUPPORT:Uyes} == "yes" -CFLAGS+= -DLOADER_GELI_SUPPORT -CFLAGS+= -I${BOOTSRC}/geli -LIBGELIBOOT= ${BOOTOBJ}/geli/libgeliboot.a -.PATH: ${SYSDIR}/opencrypto -SRCS+= xform_aes_xts.c -CFLAGS+= -I${SYSDIR} -D_STAND -.endif - # Always add MI sources .include "${BOOTSRC}/loader.mk" CFLAGS+= -I. diff --git a/sys/boot/i386/zfsboot/Makefile b/sys/boot/i386/zfsboot/Makefile index a83bfa960590..81ab6f39a3d1 100644 --- a/sys/boot/i386/zfsboot/Makefile +++ b/sys/boot/i386/zfsboot/Makefile @@ -1,6 +1,6 @@ # $FreeBSD$ -LOADER_GELI_SUPPORT=no +HAVE_GELI=yes .include @@ -60,7 +60,7 @@ zfsldr.out: zfsldr.o ${LD} ${LD_FLAGS} -e start -Ttext ${ORG1} -o ${.TARGET} zfsldr.o CLEANFILES+= zfsboot2 zfsboot.ld zfsboot.ldr zfsboot.bin zfsboot.out \ - zfsboot.o zfsboot.s zfsboot.s.tmp sio.o cons.o drv.o util.o + zfsboot.o zfsboot.s zfsboot.s.tmp sio.o cons.o drv.o # We currently allow 128k bytes for zfsboot - in practice it could be # any size up to 3.5Mb but keeping it fixed size simplifies zfsldr. 
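Review bot: In sys/boot/i386/zfsboot/Makefile, replacing `LOADER_GELI_SUPPORT=no` with `HAVE_GELI=yes` is a behaviour change rather than a rename, because zfsboot previously opted out of GELI and now gets it whenever MK_LOADER_GELI is yes, which is the new default. The later hunk `@@ -82,8 +82,8 @@` adds `${LIBGELIBOOT}` to the link line to match. The commit description does not mention enabling GELI in zfsboot, and the context comment in this file says the image is held to a fixed 128k, so the added crypto code should be checked against that limit. If the enablement is deliberate, state it in the log and add a comment beside the assignment, e.g. `# zfsboot now links libgeliboot; watch the 128k size limit below`.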
@@ -82,8 +82,8 @@ zfsboot.ldr: zfsboot.bin: zfsboot.out ${OBJCOPY} -S -O binary zfsboot.out ${.TARGET} -zfsboot.out: ${BTXCRT} zfsboot.o sio.o drv.o cons.o util.o - ${LD} ${LD_FLAGS} -Ttext ${ORG2} -o ${.TARGET} ${.ALLSRC} ${LIBZFSBOOT} ${LIBSA32} +zfsboot.out: ${BTXCRT} zfsboot.o sio.o drv.o cons.o + ${LD} ${LD_FLAGS} -Ttext ${ORG2} -o ${.TARGET} ${.ALLSRC} ${LIBZFSBOOT} ${LIBGELIBOOT} ${LIBSA32} SRCS= zfsboot.c diff --git a/sys/boot/i386/zfsloader/Makefile b/sys/boot/i386/zfsloader/Makefile index 67aa8e943879..6111e47f12fb 100644 --- a/sys/boot/i386/zfsloader/Makefile +++ b/sys/boot/i386/zfsloader/Makefile @@ -5,6 +5,5 @@ NEWVERSWHAT= "ZFS enabled bootstrap loader" x86 LOADER_ONLY= yes HAVE_ZFS= yes -.include -.include "${BOOTSRC}/i386/loader/Makefile" +.include "${.CURDIR}/../loader/Makefile" diff --git a/sys/boot/sparc64/loader/Makefile b/sys/boot/sparc64/loader/Makefile index 7eb0b3420108..f7fb0300d411 100644 --- a/sys/boot/sparc64/loader/Makefile +++ b/sys/boot/sparc64/loader/Makefile @@ -22,6 +22,7 @@ VERSION_FILE= ${.CURDIR}/../loader/version INSTALLFLAGS= -b # Architecture-specific loader code +.PATH: ${BOOTSRC}/sparc64/loader SRCS= locore.S main.c metadata.c vers.c .if ${LOADER_DEBUG} == "yes" diff --git a/sys/boot/sparc64/zfsloader/Makefile b/sys/boot/sparc64/zfsloader/Makefile index a5d433ce401f..b4c554b5cb15 100644 --- a/sys/boot/sparc64/zfsloader/Makefile +++ b/sys/boot/sparc64/zfsloader/Makefile @@ -1,7 +1,5 @@ # $FreeBSD$ -.PATH: ${.CURDIR}/../loader - PROG= zfsloader NEWVERSWHAT= "ZFS enabled bootstrap loader" sparc64 HAVE_ZFS= yes diff --git a/tools/boot/universe.sh b/tools/boot/universe.sh index 2f367c1c2bd0..3b607b4c4a1a 100755 --- a/tools/boot/universe.sh +++ b/tools/boot/universe.sh @@ -63,7 +63,7 @@ for i in \ sparc64/sparc64 \ ; do ta=${i##*/} - dobuild $ta _.boot.${ta}.noZFS.log "MK_ZFS=no" + dobuild $ta _.boot.${ta}.no_zfs.log "MK_ZFS=no" done # Build with firewire 
@@ -74,3 +74,12 @@ for i in \ ta=${i##*/} dobuild $ta _.boot.${ta}.firewire.log "MK_LOADER_FIREWIRE=yes" done + +# Build without GELI +for i in \ + amd64/amd64 \ + i386/i386 \ + ; do + ta=${i##*/} + dobuild $ta _.boot.${ta}.no_geli.log "MK_LOADER_GELI=no" +done diff --git a/tools/build/options/WITHOUT_LOADER_GEIL b/tools/build/options/WITHOUT_LOADER_GEIL new file mode 100644 index 000000000000..114bea6bfe0d --- /dev/null +++ b/tools/build/options/WITHOUT_LOADER_GEIL @@ -0,0 +1,2 @@ +.\" $FreeBSD$ +Disable inclusion of GELI crypto support in the boot chain binaries.
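Review bot: The new option description is created as `tools/build/options/WITHOUT_LOADER_GEIL`, with the last two letters transposed, while the knob added to `__DEFAULT_YES_OPTIONS` is `LOADER_GELI`. Files in this directory appear to be keyed by option name, so the text would presumably not be associated with WITHOUT_LOADER_GELI and the option would remain undocumented. Rename the file to `tools/build/options/WITHOUT_LOADER_GELI`; the diffstat and `create mode` lines carry the same spelling.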