#
357082 |
|
24-Jan-2020 |
kevans |
MFC r352948-r352951, r353002, r353066, r353070: caroot infrastructure
Infrastructure only -- no plans in place currently to commit any certs to these branches.
r352948: [1/3] Initial infrastructure for SSL root bundle in base
This setup will add the trusted certificates from the Mozilla NSS bundle to base.
This commit includes:
- CAROOT option to opt out of installation of certs
- mtree amendments for final destinations
- infrastructure to fetch/update certs, along with instructions
A follow-up commit will add a certctl(8) utility to give the user control over trust specifics. Another follow-up commit will actually commit the initial result of updatecerts.
This work was done primarily by allanjude@, with minor contributions by myself.
r352949: [2/3] Add certctl(8)
This is a simple utility to hash all trusted on the system into /etc/ssl/certs. It also allows the user to blacklist certificates they do not trust.
This work was done primarily by allanjude@, with minor contributions by myself.
r352950: [3/3] etcupdate and mergemaster support for certctl
This commit adds support for certctl in mergemaster and etcupdate. Both will either rehash or prompt for rehash as new certificates are trusted/blacklisted.
This work was done primarily by allanjude@, with minor contributions by myself.
r352951: caroot: add @generated tags to extracted .pem
As is the current trend; while these files are manually curated, they are still generated. If they end up in a review, it would be helpful to also take the hint and hide them.
r353002: Unbreak etcupdate(8) and mergemaster(8) after r352950
r352950 introduced improper case fall-through for shell scripts. Fix it with a pipe.
r353066: certctl(8): realpath the file before creating the symlink
Otherwise we end up creating broken relative symlinks in /etc/ssl/blacklisted.
r353070: certctl(8): let one blacklist based on hashed filenames
It seems reasonable to allow, for instance:
$ certctl list
# reviews output -- ah, yeah, I don't trust that one
$ certctl blacklist ce5e74ef.0
$ certctl rehash
We can unambiguously determine what cert "ce5e74ef.0" refers to, and we've described it to them in `certctl list` output -- I see little sense in forcing another level of filesystem inspection to determine what cert file this physically corresponds to.
Relnotes: yes
|
#
346518 |
|
22-Apr-2019 |
ian |
MFC r335527, r335529, r335593
r335527: Add spi(8), a utility for communicating with a device on a SPI bus from userland, conceptually similar to what i2c(8) provides for i2c devices.
Submitted by: Bob Frazier
Differential Revision: https://reviews.freebsd.org/D15029
r335529: Eliminate gcc "shadowed declaration" warnings by using idx rather than index as a variable name.
r335593: Add an example for displaying the manufacturer and size info from a standard spiflash chip.
|
#
344689 |
|
01-Mar-2019 |
eugen |
MFC r343118: new small tool trim(8) to delete contents for blocks on flash based storage devices that use wear-leveling algorithms.
|
#
332126 |
|
06-Apr-2018 |
kevans |
MFC efibootmgr: r326725-r326728, r326771, r326800-r326804, r326806, r327163 r327572-r327573, r327610-r327611, r327877, r331069
r326725: Import Netflix's efibootmgr to help manage UEFI boot variables
efibootmgr manages the UEFI BootXXXX variables that implement the UEFI Boot Manager protocol defined in the UEFI standards. It is modeled after the Linux program of the same name with a mostly compatible set of command line options. Since there's a fair amount of OS specific code due to differing names and methods of doing things, the compatibility isn't 100%.
Basic functionality is implemented, though the more advanced next boot functionality that's been defined elsewhere is unimplemented.
Submitted by: Matt Williams (with unix / efi path xlate by me)
Sponsored by: Netflix
r326726: Forgotten in 326725
Release Notes: Yes
r326727: Remove vestiges of -d and -p commands. Fix two core dumps when optional data isn't specified.
Sponsored by: Netflix
r326728: Indent multiple device path entries correctly.
Sponsored by: Netflix
r326771: Unbreak gcc build by using (void) for functions that take no args.
Sponsored by: Netflix
r326800: Check return value for set_bootvar and give a good error message.
CID: 1383601
Sponsored by: Netflix
r326801: Don't leak new_data.
CID: 1383605
Sponsored by: Netflix
r326802: Fix resource leak. Free converted description after printing it. Also minor style sort of local vars.
CID: 1383606
Sponsored by: Netflix
r326803: Free load_opt_buf after we're done with it.
CID: 1383607
Sponsored by: Netflix
r326804: Add sanity testing against maximum sane lengths for device paths for loader and kernel.
CID: 1383608
Sponsored by: Netflix
r326806: Actually insert the free(d) call missed in r326802.
Noticed by: rpokala@
r327163: Remove write-only opt and useless optlen variables.
This squashes the warning generated by GCC 6.x. Since variables that are now removed had some documentation value, put relevant bits in comment, so they can be resurrected from there when actually needed.
r327572: Ensure that we have a description string. When unspecified, default to "".
Sponsored by: Netflix
r327573: Free options before setting them. This will prevent us from leaking memory when we have multiple copies of the same option from being specified.
Sponsored by: Netflix
r327610: Fix usage strings. -d and -p were removed before this was committed to FreeBSD, but the strings weren't updated.
Sponsored by: Netflix
r327611: There's no need / benefit from deleting the variable before we set it.
Sponsored by: Netflix
r327877: Fix error in determining the next available boot slot.
Sponsored by: Netflix
r331069: Make not getting BootOrder a warning, not a fatal error when printing.
Sponsored by: Netflix
Relnotes: yes
|
#
331586 |
|
26-Mar-2018 |
hselasky |
MFC r330653: Add kernel and userspace code to dump the firmware state of supported ConnectX-4/5 devices in mlx5core.
The dump is obtained by reading a predefined register map from the non-destructive crspace, accessible by the vendor-specific PCIe capability (VSC). The dump is stored in preallocated kernel memory and managed by the mlx5tool(8), which communicates with the driver using a character device node.
The utility allows to store the dump in format <address> <value> into a file, to reset the dump content, and to manually initiate the dump.
A call to mlx5_fwdump() should be added at the places where a dump must be fetched automatically. The most likely place is right before a firmware reset request.
Submitted by: kib@
Sponsored by: Mellanox Technologies
|
#
330769 |
|
11-Mar-2018 |
emaste |
MFC r322277 by jlh:
rwho/ruptime/rwhod shouldn't be gated by RCMDS.
As peter@ points out in pr/220953: "rwho, rwhod and ruptime are not part of the remote login suite (rsh, rlogin etc).
They should *not* be in the rcmds package which is disabled by default. We rely on rwho/rwhod/ruptime in the freebsd.org cluster."
This commit is a re-commit of r322029 and r322031 with a better commit log, as pointed out by ngie@.
This also includes the necessary changes to OptionalObsoleteFiles.inc, as requested by jhb@.
PR: 220953
|
#
323302 |
|
08-Sep-2017 |
ngie |
MFC r320701:
Remove SUBDIR ordering/uniquifying in *bin/Makefile
After the addition of SUBDIR.yes, uniquifying/ordering the SUBDIRs doesn't make a whole lot of sense, and it's in effect a half measure.
Ordering SUBDIR (after adding SUBDIR.yes to it) in bsd.subdir.mk is a separate change that warrants more discussion/testing, because while the SUBDIR_PARALLEL work largely fixed dependency ordering for SUBDIRs, there might be downstream FreeBSD consumers that rely on the SUBDIR ordering.
|
#
319388 |
|
01-Jun-2017 |
ngie |
MFC r314579,r314785:
r314579 (by np):
Add cxgbetool(8) to the base system.
Move cxgbetool from tools/tools to usr.sbin. Compile and install it on platforms where cxgbe(4) is built by default. Knobs (WITH_CXGBETOOL and WITHOUT_CXGBETOOL) have been added so that the user can override the default setting.
r314785:
Fix some trivial manlint warnings
Sentences should begin on new lines, per manlint.
Bump .Dd for the change
|
#
319192 |
|
30-May-2017 |
ngie |
MFC r306375,r307802:
r306375 (by emaste):
Add a WITHOUT_DIALOG src.conf(5) knob
It also turns off dependencies (bsdinstall, bsdconfig, dpv, tzsetup).
r307802 (by bapt):
Fix build of tzsetup when WITHOUT_DIALOG is set
Hide dialog specific code behind HAVE_DIALOG. It allows to build a stripped down version (missing the dialog UI) but perfectly functional tzsetup when world is built WITHOUT_DIALOG
Reorganise a bit the code to limit the number of blocks under HAVE_DIALOG
|
#
318576 |
|
20-May-2017 |
kib |
MFC efivar(8) (by imp):
List of revisions merged: r307070 r307071 r307072 r307074 r307189 r307224 r307339 r307390 r307391 r309776 r314231 r314232 r314615 r314616 r314617 r314618 r314619 r314620 r314621 r314623 r314890 r314925 r314926 r314927 r314928 r315770 r315771
Discussed with: gjb (re), imp
Sponsored by: The FreeBSD Foundation
|
#
307788 |
|
22-Oct-2016 |
bapt |
MFC r303784, r303785, r305620:
r303784: etcupdate: directly use diff3(1) instead of merge(1)
During the last attempt to remove GNU rcs, 2 blockers were spotted: We need an ident(1) and etcupdate(8) uses merge(1).
Now nothing should prevent to remove rcs from base
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D7401
r303785: always install etcupdate
Now that etcupdate does not depend on rcs anymore there is no need to conditionally install it
r305620: (by vangyzen) etcupdate: preserve the metadata of the destination file
When using diff3 to perform a three-way merge, etcupdate lost the destination file's metadata. The metadata from the temporary file were used instead. This was unpleasant for rc.d scripts, which require execute permission. Use "cat >" to overwrite the destination file's contents while preserving its metadata.
Reviewed by: bapt
Sponsored by: Dell Technologies
Differential Revision: https://reviews.freebsd.org/D7817
|
#
303675 |
|
02-Aug-2016 |
bdrewery |
MFC r303410,r303419:
r303410: Reconnect pmcstudy, lost in r291021
r303419: Fix non-amd64 build from r292043 after reconnecting in r303410.
Approved by: re (kib)
|