Bump versions of boot media now capable of un-hibernating from non-DEV_BSIZE
sectored media.

Bump to common version (3.67) to indicate new MI capability.

Reminded by deraadt@

Add boot.conf(8) 'mach idle [secs]' to halt at idle passphrase prompts

Enable users to power down their machines if there was no input after N
seconds during disk descryption.

Motivation is to save battery and prevent pocket heaters when notebooks
unhibernate (e.g. lid accidentially opened) and sit at "Passphrase: ".

Only available on efi(4) systems as the timeout is saved as EFI variable;
mostly because that's trivial to do, but also because we lack a better
mechanism to configure that and persist such data without the root disk.

Discussed with many, starting at h2k23
OK Tests gnezdo

BOOTARG_UCODE for AMD
ok deraadt@

Do not attempt to write to read-only softraid

Bootloaders have no write support for softraid volumes, which manifests in,
e.g. /bsd.upgrade not being stripped of its 'x' permission bit to prevent
sysupgrade loops in case of upgrade failure.

Set a no-write flag handled by libsa to bail out early in write calls.
There should be no real behaviour change, writes just fail earlier now.

amd64 EFI bits, other architectues to come. Crank minor.

"seems sensible" jsing

branches: 1.40.4;
Let the EFI bootloader make a copy of the EFI System Resource Table (ESRT)
and pass it to the kernel.

ok jca@, patrick@

branches: 1.39.2;
Crank amd64 boot loader version numbers for softraid(4) RAID 1C boot support.

Switch bootloaders to the extended BOOTARG_CONSDEV struct.
Make the EFI bootloader provide the extra parameters that are necessary
for using the non-standard UART on the AMD Ryzen Embedded V1000 SoCs.

ok anton@

When there are multiple GOPs, try to select first one from which we
can get a handle of DevicePath protocol if any, otherwise select first
one. This is expected to workaround the garbled screen problem when
booting with efiboot happened on some machines.

origin diff from Alexei K.

Replace hand rolled memory allocation in efid_io() with
BS->AllocatePages() and BS->FreePages() as in all the other
efid_io() versions.

Don't leak the pages on success.

Bump boot version to 3.59.

ok yasuoka@

Some machines (e.g. some Intel Macs) have a EFI memory map with more than
64 entries. Instead of writing beyond the array that we use to construct
a BIOS compatible memory map, check that we don't overflow the array and
print a message if we do. Bump the size of the array from 64 to 128
entries.

Issue reported and debugged by David N. Arnold.
Further input from yasuoka@

ok deraadt@ (earlier version) and yasuaka@

Always use an allocated buffer for {Read,Write}Blocks() to make
efid_io() simpler. Also fixes the problem on some machines when boot
from CD-ROM. It happened because the previous version passed
unaligned pointers to the functions even if it is restricted by the
IoAlign property of the media. idea from kettenis, work with asou

ok kettenis

Use daddr_t and not daddr32_t in boot media.

At a minimum, amd64/i386 should now boot from 4TB GPT formatted disks.

More daddr32_t terminations with extreme prejudice to follow.

Tested by various, in snaps for a few days.

ok deraadt@

Use a 64MB block to load the kernel to deal with kernel growth.
Note that the first 16MB of the block are currently unused since
we link our kernels at physical address 0x01000000. Therefore
32MB is no longer enough to load a kernel that is now larger than
16MB.

Fixes the "entry point at 0x10010000" hang that people have reported
on some machines.

ok patrick@, naddy@, deraadt@

Fix write un-protecting of kernel memory. p was used uninitialized
at the beginning of the loop. We need to use cr3 at the start of each
iteration for the top level page directory.

From and ok sf@

Improve write un-protecting of kernel memory. For the Computrace module
on the HP EliteBook 830 G6 we added a workaround which tries to re-map
the pages where we want to place to kernel read-write. On some machines
though this workaround causes a regression. Fix those by changing a few
things: Only set the writeable bit if it isn't set yet. Un-protect
write-protected page directories. Skip lower levels if large-page is
set, since the next level is already a page. Don't do anything at all
if paging is disabled.

From Christian Ehrhardt
ok bluhm@ tobhe@

crank version number

increment version numbers, due to recent RB_GOODSEED and fchmod +T changes

Make efi_device_path_depth() return the full device path depth if we don't
find a media device path node. Fixes booting OpenBSD on some older U-Boot
versions that are in wide circulation such as 2017.09 and 2017.11.

ok patrick@

Allow amd64 boot(8) and friends to read from an ffs2 filesystem.
Also enable ffs2 for floppy, so that its kernel kan access ffs2. ok deraadt@

Pass the EFI memory map to the kernel.

ok deraadt@

Use arc4 to bit-spread the 512-byte random buffer over the .openbsd.randomdata
section, which has grown a fair bit with the introduction of retguard.
Mortimer discovered the repeated 512-byte sequence as retguard keys, and
this resolves the issue. (Chacha does not fit on the media, so 1.5K early
drop RC4 is hopefully sufficient in our KARL link universe)
Version crank the bootblocks. sysupgrade -s will install new bootblocks.
ok djm mortimer

Allow PXE booting using u-boot by relaxing our requirements
of the EFI PXE protocol. This also brings us in line with
the GRUB2 implementation.

Tested by naddy@ to behave the same
Tested by sven falempin on his Pine64

crank version, following fchmod change

In the bootblocks, after discovering and opening /bsd.upgrade, fchmod -x
so the file cannot be re-executed upon the next boot. This provides a
stronger one-shot-upgrade model than the upgrade script's rm /bsd.upgrade.
Now various forms of upgrade failure will reboot into /bsd, which is probably
more recoverable. Performing fchmod -x depends on (1) use of MI boot.c
(not alpha/macppc/sparc64/sgi/octeon) and (2) "can write blocks" functionality
in the IO layer. Most architectures have this support now.

Two diagnostics "fchmod a-x %s: failed" and "/bsd.upgrade is not u+x" will
remain in the tree while refinements happen for some of the laggard
architectures.

based upon a discussion florian
tested in snapshots for more than a week without any complaints

Add support for the EFI Random Number Generator Protocol and use it to XOR
random data into the buffer that we feed the kernel.

ok deraadt@, mlarkin@

crank versions

crank version; looks good deraadt

Many machines with serial ports ship with uefi firmware which does not
have the serial io protocol. Fallback to direct inb/outb hardware access
in this case using code derived from arch/amd64/stand/libsa/bioscons.c

ok kettenis@

Bump boot loader versions for softraid passphrase handling change.

crank version

Load the Intel microcode much earlier. So far we had loaded it after
the CPUs identified and then we had to update the CPU flags afterwards.
As microcode updates can add/remove instructions and features, we need
to load it earlier. Thus, make the bootloader look for the microcode
and supply it to the kernel as another bootarg. This way we can update
the cores' microcode before we identify them.

ok deraadt@

Fix TFTP reading of zero-size files:

The AllocatePages EFI call returns an error when the allocation
size is 0. Skip allocating memory and actually transferring the
file when it is empty.

Properly return the number of unread bytes so that a read() of n
bytes does not return n if no bytes were read.

While here, disallow lseek() beyond the TFTP file buffer for SEEK_CUR
as we already do for SEEK_SET.

ok patrick@

Implement network boot support in efiboot(8). This changes efiboot(8)
to recognize if it has been booted via PXE. The new TFTP file system
layer will then use the matching PXE base code protocol handle to load
the files. Since this uses the PXE base code protocol for abstraction
instead of the raw Simple Network protocol this will at this point not
work on u-boot based machines as needed on ARM.

Feedback and ok tom@
Also tested by afresh1@

If you use sys/param.h, you don't need sys/types.h

Back out previous commit but handle the case where the device path consists
of a single MEDIA_DEVICE_PATH component specially to cater for U-Boot's
somewhat broken device path handling. Add comments to prevent confusion
in the future. Bump the version number once again.

ok brynet@

Fix off-by-one in return value of efi_device_path_depth().

ok patrick@

Don't panic when we cannot locate a handle for the Serial IO protocol.
Fixes reports on tech and in private.

ok yasuoka@ stsp@

Add serial console support for efiboot.

Bump boot loader versions due to bcrypt pbkdf support.

crank bootloader version after .SUNW_ctf change

as discussed with jsing@ it's easier this way to ensure people have
bootblocks capable of loading the section

Enable cd9660 in efiboot.

belatedly bump bootstrap version after mdrandom() changes; ok deraadt@

Bring the boot changes on amd64 to i386. alloca is deleted.
Also fix the boot from BIOS and bump the version.

input and ok deraadt

Initial commit of uefi boot loader of OpenBSD.

ok deraadt yuo

Add boot.conf(8) 'mach idle [secs]' to halt at idle passphrase prompts

Enable users to power down their machines if there was no input after N
seconds during disk descryption.

Motivation is to save battery and prevent pocket heaters when notebooks
unhibernate (e.g. lid accidentially opened) and sit at "Passphrase: ".

Only available on efi(4) systems as the timeout is saved as EFI variable;
mostly because that's trivial to do, but also because we lack a better
mechanism to configure that and persist such data without the root disk.

Discussed with many, starting at h2k23
OK Tests gnezdo

BOOTARG_UCODE for AMD
ok deraadt@

Do not attempt to write to read-only softraid

Bootloaders have no write support for softraid volumes, which manifests in,
e.g. /bsd.upgrade not being stripped of its 'x' permission bit to prevent
sysupgrade loops in case of upgrade failure.

Set a no-write flag handled by libsa to bail out early in write calls.
There should be no real behaviour change, writes just fail earlier now.

amd64 EFI bits, other architectues to come. Crank minor.

"seems sensible" jsing

branches: 1.40.4;
Let the EFI bootloader make a copy of the EFI System Resource Table (ESRT)
and pass it to the kernel.

ok jca@, patrick@

branches: 1.39.2;
Crank amd64 boot loader version numbers for softraid(4) RAID 1C boot support.

Switch bootloaders to the extended BOOTARG_CONSDEV struct.
Make the EFI bootloader provide the extra parameters that are necessary
for using the non-standard UART on the AMD Ryzen Embedded V1000 SoCs.

ok anton@

When there are multiple GOPs, try to select first one from which we
can get a handle of DevicePath protocol if any, otherwise select first
one. This is expected to workaround the garbled screen problem when
booting with efiboot happened on some machines.

origin diff from Alexei K.

Replace hand rolled memory allocation in efid_io() with
BS->AllocatePages() and BS->FreePages() as in all the other
efid_io() versions.

Don't leak the pages on success.

Bump boot version to 3.59.

ok yasuoka@

Some machines (e.g. some Intel Macs) have a EFI memory map with more than
64 entries. Instead of writing beyond the array that we use to construct
a BIOS compatible memory map, check that we don't overflow the array and
print a message if we do. Bump the size of the array from 64 to 128
entries.

Issue reported and debugged by David N. Arnold.
Further input from yasuoka@

ok deraadt@ (earlier version) and yasuaka@

Always use an allocated buffer for {Read,Write}Blocks() to make
efid_io() simpler. Also fixes the problem on some machines when boot
from CD-ROM. It happened because the previous version passed
unaligned pointers to the functions even if it is restricted by the
IoAlign property of the media. idea from kettenis, work with asou

ok kettenis

Use daddr_t and not daddr32_t in boot media.

At a minimum, amd64/i386 should now boot from 4TB GPT formatted disks.

More daddr32_t terminations with extreme prejudice to follow.

Tested by various, in snaps for a few days.

ok deraadt@

Use a 64MB block to load the kernel to deal with kernel growth.
Note that the first 16MB of the block are currently unused since
we link our kernels at physical address 0x01000000. Therefore
32MB is no longer enough to load a kernel that is now larger than
16MB.

Fixes the "entry point at 0x10010000" hang that people have reported
on some machines.

ok patrick@, naddy@, deraadt@

Fix write un-protecting of kernel memory. p was used uninitialized
at the beginning of the loop. We need to use cr3 at the start of each
iteration for the top level page directory.

From and ok sf@

Improve write un-protecting of kernel memory. For the Computrace module
on the HP EliteBook 830 G6 we added a workaround which tries to re-map
the pages where we want to place to kernel read-write. On some machines
though this workaround causes a regression. Fix those by changing a few
things: Only set the writeable bit if it isn't set yet. Un-protect
write-protected page directories. Skip lower levels if large-page is
set, since the next level is already a page. Don't do anything at all
if paging is disabled.

From Christian Ehrhardt
ok bluhm@ tobhe@

crank version number

increment version numbers, due to recent RB_GOODSEED and fchmod +T changes

Make efi_device_path_depth() return the full device path depth if we don't
find a media device path node. Fixes booting OpenBSD on some older U-Boot
versions that are in wide circulation such as 2017.09 and 2017.11.

ok patrick@

Allow amd64 boot(8) and friends to read from an ffs2 filesystem.
Also enable ffs2 for floppy, so that its kernel kan access ffs2. ok deraadt@

Pass the EFI memory map to the kernel.

ok deraadt@

Use arc4 to bit-spread the 512-byte random buffer over the .openbsd.randomdata
section, which has grown a fair bit with the introduction of retguard.
Mortimer discovered the repeated 512-byte sequence as retguard keys, and
this resolves the issue. (Chacha does not fit on the media, so 1.5K early
drop RC4 is hopefully sufficient in our KARL link universe)
Version crank the bootblocks. sysupgrade -s will install new bootblocks.
ok djm mortimer

Allow PXE booting using u-boot by relaxing our requirements
of the EFI PXE protocol. This also brings us in line with
the GRUB2 implementation.

Tested by naddy@ to behave the same
Tested by sven falempin on his Pine64

crank version, following fchmod change

In the bootblocks, after discovering and opening /bsd.upgrade, fchmod -x
so the file cannot be re-executed upon the next boot. This provides a
stronger one-shot-upgrade model than the upgrade script's rm /bsd.upgrade.
Now various forms of upgrade failure will reboot into /bsd, which is probably
more recoverable. Performing fchmod -x depends on (1) use of MI boot.c
(not alpha/macppc/sparc64/sgi/octeon) and (2) "can write blocks" functionality
in the IO layer. Most architectures have this support now.

Two diagnostics "fchmod a-x %s: failed" and "/bsd.upgrade is not u+x" will
remain in the tree while refinements happen for some of the laggard
architectures.

based upon a discussion florian
tested in snapshots for more than a week without any complaints

Add support for the EFI Random Number Generator Protocol and use it to XOR
random data into the buffer that we feed the kernel.

ok deraadt@, mlarkin@

crank versions

crank version; looks good deraadt

Many machines with serial ports ship with uefi firmware which does not
have the serial io protocol. Fallback to direct inb/outb hardware access
in this case using code derived from arch/amd64/stand/libsa/bioscons.c

ok kettenis@

Bump boot loader versions for softraid passphrase handling change.

crank version

Load the Intel microcode much earlier. So far we had loaded it after
the CPUs identified and then we had to update the CPU flags afterwards.
As microcode updates can add/remove instructions and features, we need
to load it earlier. Thus, make the bootloader look for the microcode
and supply it to the kernel as another bootarg. This way we can update
the cores' microcode before we identify them.

ok deraadt@

Fix TFTP reading of zero-size files:

The AllocatePages EFI call returns an error when the allocation
size is 0. Skip allocating memory and actually transferring the
file when it is empty.

Properly return the number of unread bytes so that a read() of n
bytes does not return n if no bytes were read.

While here, disallow lseek() beyond the TFTP file buffer for SEEK_CUR
as we already do for SEEK_SET.

ok patrick@

Implement network boot support in efiboot(8). This changes efiboot(8)
to recognize if it has been booted via PXE. The new TFTP file system
layer will then use the matching PXE base code protocol handle to load
the files. Since this uses the PXE base code protocol for abstraction
instead of the raw Simple Network protocol this will at this point not
work on u-boot based machines as needed on ARM.

Feedback and ok tom@
Also tested by afresh1@

If you use sys/param.h, you don't need sys/types.h

Back out previous commit but handle the case where the device path consists
of a single MEDIA_DEVICE_PATH component specially to cater for U-Boot's
somewhat broken device path handling. Add comments to prevent confusion
in the future. Bump the version number once again.

ok brynet@

Fix off-by-one in return value of efi_device_path_depth().

ok patrick@

Don't panic when we cannot locate a handle for the Serial IO protocol.
Fixes reports on tech and in private.

ok yasuoka@ stsp@

Add serial console support for efiboot.

Bump boot loader versions due to bcrypt pbkdf support.

crank bootloader version after .SUNW_ctf change

as discussed with jsing@ it's easier this way to ensure people have
bootblocks capable of loading the section

Enable cd9660 in efiboot.

belatedly bump bootstrap version after mdrandom() changes; ok deraadt@

Bring the boot changes on amd64 to i386. alloca is deleted.
Also fix the boot from BIOS and bump the version.

input and ok deraadt

Initial commit of uefi boot loader of OpenBSD.

ok deraadt yuo

BOOTARG_UCODE for AMD
ok deraadt@

Do not attempt to write to read-only softraid

Bootloaders have no write support for softraid volumes, which manifests in,
e.g. /bsd.upgrade not being stripped of its 'x' permission bit to prevent
sysupgrade loops in case of upgrade failure.

Set a no-write flag handled by libsa to bail out early in write calls.
There should be no real behaviour change, writes just fail earlier now.

amd64 EFI bits, other architectues to come. Crank minor.

"seems sensible" jsing

Let the EFI bootloader make a copy of the EFI System Resource Table (ESRT)
and pass it to the kernel.

ok jca@, patrick@

Crank amd64 boot loader version numbers for softraid(4) RAID 1C boot support.

Switch bootloaders to the extended BOOTARG_CONSDEV struct.
Make the EFI bootloader provide the extra parameters that are necessary
for using the non-standard UART on the AMD Ryzen Embedded V1000 SoCs.

ok anton@

When there are multiple GOPs, try to select first one from which we
can get a handle of DevicePath protocol if any, otherwise select first
one. This is expected to workaround the garbled screen problem when
booting with efiboot happened on some machines.

origin diff from Alexei K.

Replace hand rolled memory allocation in efid_io() with
BS->AllocatePages() and BS->FreePages() as in all the other
efid_io() versions.

Don't leak the pages on success.

Bump boot version to 3.59.

ok yasuoka@

Some machines (e.g. some Intel Macs) have a EFI memory map with more than
64 entries. Instead of writing beyond the array that we use to construct
a BIOS compatible memory map, check that we don't overflow the array and
print a message if we do. Bump the size of the array from 64 to 128
entries.

Issue reported and debugged by David N. Arnold.
Further input from yasuoka@

ok deraadt@ (earlier version) and yasuaka@

Always use an allocated buffer for {Read,Write}Blocks() to make
efid_io() simpler. Also fixes the problem on some machines when boot
from CD-ROM. It happened because the previous version passed
unaligned pointers to the functions even if it is restricted by the
IoAlign property of the media. idea from kettenis, work with asou

ok kettenis

Use daddr_t and not daddr32_t in boot media.

At a minimum, amd64/i386 should now boot from 4TB GPT formatted disks.

More daddr32_t terminations with extreme prejudice to follow.

Tested by various, in snaps for a few days.

ok deraadt@

Use a 64MB block to load the kernel to deal with kernel growth.
Note that the first 16MB of the block are currently unused since
we link our kernels at physical address 0x01000000. Therefore
32MB is no longer enough to load a kernel that is now larger than
16MB.

Fixes the "entry point at 0x10010000" hang that people have reported
on some machines.

ok patrick@, naddy@, deraadt@

Fix write un-protecting of kernel memory. p was used uninitialized
at the beginning of the loop. We need to use cr3 at the start of each
iteration for the top level page directory.

From and ok sf@

Improve write un-protecting of kernel memory. For the Computrace module
on the HP EliteBook 830 G6 we added a workaround which tries to re-map
the pages where we want to place to kernel read-write. On some machines
though this workaround causes a regression. Fix those by changing a few
things: Only set the writeable bit if it isn't set yet. Un-protect
write-protected page directories. Skip lower levels if large-page is
set, since the next level is already a page. Don't do anything at all
if paging is disabled.

From Christian Ehrhardt
ok bluhm@ tobhe@

crank version number

increment version numbers, due to recent RB_GOODSEED and fchmod +T changes

Make efi_device_path_depth() return the full device path depth if we don't
find a media device path node. Fixes booting OpenBSD on some older U-Boot
versions that are in wide circulation such as 2017.09 and 2017.11.

ok patrick@

Allow amd64 boot(8) and friends to read from an ffs2 filesystem.
Also enable ffs2 for floppy, so that its kernel kan access ffs2. ok deraadt@

Pass the EFI memory map to the kernel.

ok deraadt@

Use arc4 to bit-spread the 512-byte random buffer over the .openbsd.randomdata
section, which has grown a fair bit with the introduction of retguard.
Mortimer discovered the repeated 512-byte sequence as retguard keys, and
this resolves the issue. (Chacha does not fit on the media, so 1.5K early
drop RC4 is hopefully sufficient in our KARL link universe)
Version crank the bootblocks. sysupgrade -s will install new bootblocks.
ok djm mortimer

Allow PXE booting using u-boot by relaxing our requirements
of the EFI PXE protocol. This also brings us in line with
the GRUB2 implementation.

Tested by naddy@ to behave the same
Tested by sven falempin on his Pine64

crank version, following fchmod change

In the bootblocks, after discovering and opening /bsd.upgrade, fchmod -x
so the file cannot be re-executed upon the next boot. This provides a
stronger one-shot-upgrade model than the upgrade script's rm /bsd.upgrade.
Now various forms of upgrade failure will reboot into /bsd, which is probably
more recoverable. Performing fchmod -x depends on (1) use of MI boot.c
(not alpha/macppc/sparc64/sgi/octeon) and (2) "can write blocks" functionality
in the IO layer. Most architectures have this support now.

Two diagnostics "fchmod a-x %s: failed" and "/bsd.upgrade is not u+x" will
remain in the tree while refinements happen for some of the laggard
architectures.

based upon a discussion florian
tested in snapshots for more than a week without any complaints

Add support for the EFI Random Number Generator Protocol and use it to XOR
random data into the buffer that we feed the kernel.

ok deraadt@, mlarkin@

crank versions

crank version; looks good deraadt

Many machines with serial ports ship with uefi firmware which does not
have the serial io protocol. Fallback to direct inb/outb hardware access
in this case using code derived from arch/amd64/stand/libsa/bioscons.c

ok kettenis@

Bump boot loader versions for softraid passphrase handling change.

crank version

Load the Intel microcode much earlier. So far we had loaded it after
the CPUs identified and then we had to update the CPU flags afterwards.
As microcode updates can add/remove instructions and features, we need
to load it earlier. Thus, make the bootloader look for the microcode
and supply it to the kernel as another bootarg. This way we can update
the cores' microcode before we identify them.

ok deraadt@

Fix TFTP reading of zero-size files:

The AllocatePages EFI call returns an error when the allocation
size is 0. Skip allocating memory and actually transferring the
file when it is empty.

Properly return the number of unread bytes so that a read() of n
bytes does not return n if no bytes were read.

While here, disallow lseek() beyond the TFTP file buffer for SEEK_CUR
as we already do for SEEK_SET.

ok patrick@

Implement network boot support in efiboot(8). This changes efiboot(8)
to recognize if it has been booted via PXE. The new TFTP file system
layer will then use the matching PXE base code protocol handle to load
the files. Since this uses the PXE base code protocol for abstraction
instead of the raw Simple Network protocol this will at this point not
work on u-boot based machines as needed on ARM.

Feedback and ok tom@
Also tested by afresh1@

If you use sys/param.h, you don't need sys/types.h

Back out previous commit but handle the case where the device path consists
of a single MEDIA_DEVICE_PATH component specially to cater for U-Boot's
somewhat broken device path handling. Add comments to prevent confusion
in the future. Bump the version number once again.

ok brynet@

Fix off-by-one in return value of efi_device_path_depth().

ok patrick@

Don't panic when we cannot locate a handle for the Serial IO protocol.
Fixes reports on tech and in private.

ok yasuoka@ stsp@

Add serial console support for efiboot.

Bump boot loader versions due to bcrypt pbkdf support.

crank bootloader version after .SUNW_ctf change

as discussed with jsing@ it's easier this way to ensure people have
bootblocks capable of loading the section

Enable cd9660 in efiboot.

belatedly bump bootstrap version after mdrandom() changes; ok deraadt@

Bring the boot changes on amd64 to i386. alloca is deleted.
Also fix the boot from BIOS and bump the version.

input and ok deraadt

Initial commit of uefi boot loader of OpenBSD.

ok deraadt yuo

Do not attempt to write to read-only softraid

Bootloaders have no write support for softraid volumes, which manifests in,
e.g. /bsd.upgrade not being stripped of its 'x' permission bit to prevent
sysupgrade loops in case of upgrade failure.

Set a no-write flag handled by libsa to bail out early in write calls.
There should be no real behaviour change, writes just fail earlier now.

amd64 EFI bits, other architectues to come. Crank minor.

"seems sensible" jsing

Let the EFI bootloader make a copy of the EFI System Resource Table (ESRT)
and pass it to the kernel.

ok jca@, patrick@

Crank amd64 boot loader version numbers for softraid(4) RAID 1C boot support.

Switch bootloaders to the extended BOOTARG_CONSDEV struct.
Make the EFI bootloader provide the extra parameters that are necessary
for using the non-standard UART on the AMD Ryzen Embedded V1000 SoCs.

ok anton@

When there are multiple GOPs, try to select first one from which we
can get a handle of DevicePath protocol if any, otherwise select first
one. This is expected to workaround the garbled screen problem when
booting with efiboot happened on some machines.

origin diff from Alexei K.

Replace hand rolled memory allocation in efid_io() with
BS->AllocatePages() and BS->FreePages() as in all the other
efid_io() versions.

Don't leak the pages on success.

Bump boot version to 3.59.

ok yasuoka@

Some machines (e.g. some Intel Macs) have a EFI memory map with more than
64 entries. Instead of writing beyond the array that we use to construct
a BIOS compatible memory map, check that we don't overflow the array and
print a message if we do. Bump the size of the array from 64 to 128
entries.

Issue reported and debugged by David N. Arnold.
Further input from yasuoka@

ok deraadt@ (earlier version) and yasuaka@

Always use an allocated buffer for {Read,Write}Blocks() to make
efid_io() simpler. Also fixes the problem on some machines when boot
from CD-ROM. It happened because the previous version passed
unaligned pointers to the functions even if it is restricted by the
IoAlign property of the media. idea from kettenis, work with asou

ok kettenis

Use daddr_t and not daddr32_t in boot media.

At a minimum, amd64/i386 should now boot from 4TB GPT formatted disks.

More daddr32_t terminations with extreme prejudice to follow.

Tested by various, in snaps for a few days.

ok deraadt@

Use a 64MB block to load the kernel to deal with kernel growth.
Note that the first 16MB of the block are currently unused since
we link our kernels at physical address 0x01000000. Therefore
32MB is no longer enough to load a kernel that is now larger than
16MB.

Fixes the "entry point at 0x10010000" hang that people have reported
on some machines.

ok patrick@, naddy@, deraadt@

Fix write un-protecting of kernel memory. p was used uninitialized
at the beginning of the loop. We need to use cr3 at the start of each
iteration for the top level page directory.

From and ok sf@

Improve write un-protecting of kernel memory. For the Computrace module
on the HP EliteBook 830 G6 we added a workaround which tries to re-map
the pages where we want to place to kernel read-write. On some machines
though this workaround causes a regression. Fix those by changing a few
things: Only set the writeable bit if it isn't set yet. Un-protect
write-protected page directories. Skip lower levels if large-page is
set, since the next level is already a page. Don't do anything at all
if paging is disabled.

From Christian Ehrhardt
ok bluhm@ tobhe@

crank version number

increment version numbers, due to recent RB_GOODSEED and fchmod +T changes

Make efi_device_path_depth() return the full device path depth if we don't
find a media device path node. Fixes booting OpenBSD on some older U-Boot
versions that are in wide circulation such as 2017.09 and 2017.11.

ok patrick@

Allow amd64 boot(8) and friends to read from an ffs2 filesystem.
Also enable ffs2 for floppy, so that its kernel kan access ffs2. ok deraadt@

Pass the EFI memory map to the kernel.

ok deraadt@

Use arc4 to bit-spread the 512-byte random buffer over the .openbsd.randomdata
section, which has grown a fair bit with the introduction of retguard.
Mortimer discovered the repeated 512-byte sequence as retguard keys, and
this resolves the issue. (Chacha does not fit on the media, so 1.5K early
drop RC4 is hopefully sufficient in our KARL link universe)
Version crank the bootblocks. sysupgrade -s will install new bootblocks.
ok djm mortimer

Allow PXE booting using u-boot by relaxing our requirements
of the EFI PXE protocol. This also brings us in line with
the GRUB2 implementation.

Tested by naddy@ to behave the same
Tested by sven falempin on his Pine64

crank version, following fchmod change

In the bootblocks, after discovering and opening /bsd.upgrade, fchmod -x
so the file cannot be re-executed upon the next boot. This provides a
stronger one-shot-upgrade model than the upgrade script's rm /bsd.upgrade.
Now various forms of upgrade failure will reboot into /bsd, which is probably
more recoverable. Performing fchmod -x depends on (1) use of MI boot.c
(not alpha/macppc/sparc64/sgi/octeon) and (2) "can write blocks" functionality
in the IO layer. Most architectures have this support now.

Two diagnostics "fchmod a-x %s: failed" and "/bsd.upgrade is not u+x" will
remain in the tree while refinements happen for some of the laggard
architectures.

based upon a discussion florian
tested in snapshots for more than a week without any complaints

Add support for the EFI Random Number Generator Protocol and use it to XOR
random data into the buffer that we feed the kernel.

ok deraadt@, mlarkin@

crank versions

crank version; looks good deraadt

Many machines with serial ports ship with uefi firmware which does not
have the serial io protocol. Fallback to direct inb/outb hardware access
in this case using code derived from arch/amd64/stand/libsa/bioscons.c

ok kettenis@

Bump boot loader versions for softraid passphrase handling change.

crank version

Load the Intel microcode much earlier. So far we had loaded it after
the CPUs identified and then we had to update the CPU flags afterwards.
As microcode updates can add/remove instructions and features, we need
to load it earlier. Thus, make the bootloader look for the microcode
and supply it to the kernel as another bootarg. This way we can update
the cores' microcode before we identify them.

ok deraadt@

Fix TFTP reading of zero-size files:

The AllocatePages EFI call returns an error when the allocation
size is 0. Skip allocating memory and actually transferring the
file when it is empty.

Properly return the number of unread bytes so that a read() of n
bytes does not return n if no bytes were read.

While here, disallow lseek() beyond the TFTP file buffer for SEEK_CUR
as we already do for SEEK_SET.

ok patrick@

Implement network boot support in efiboot(8). This changes efiboot(8)
to recognize if it has been booted via PXE. The new TFTP file system
layer will then use the matching PXE base code protocol handle to load
the files. Since this uses the PXE base code protocol for abstraction
instead of the raw Simple Network protocol this will at this point not
work on u-boot based machines as needed on ARM.

Feedback and ok tom@
Also tested by afresh1@

If you use sys/param.h, you don't need sys/types.h

Back out previous commit but handle the case where the device path consists
of a single MEDIA_DEVICE_PATH component specially to cater for U-Boot's
somewhat broken device path handling. Add comments to prevent confusion
in the future. Bump the version number once again.

ok brynet@

Fix off-by-one in return value of efi_device_path_depth().

ok patrick@

Don't panic when we cannot locate a handle for the Serial IO protocol.
Fixes reports on tech and in private.

ok yasuoka@ stsp@

Add serial console support for efiboot.

Bump boot loader versions due to bcrypt pbkdf support.

crank bootloader version after .SUNW_ctf change

as discussed with jsing@ it's easier this way to ensure people have
bootblocks capable of loading the section

Enable cd9660 in efiboot.

belatedly bump bootstrap version after mdrandom() changes; ok deraadt@

Bring the boot changes on amd64 to i386. alloca is deleted.
Also fix the boot from BIOS and bump the version.

input and ok deraadt

Initial commit of uefi boot loader of OpenBSD.

ok deraadt yuo

Let the EFI bootloader make a copy of the EFI System Resource Table (ESRT)
and pass it to the kernel.

ok jca@, patrick@

Crank amd64 boot loader version numbers for softraid(4) RAID 1C boot support.

Switch bootloaders to the extended BOOTARG_CONSDEV struct.
Make the EFI bootloader provide the extra parameters that are necessary
for using the non-standard UART on the AMD Ryzen Embedded V1000 SoCs.

ok anton@

When there are multiple GOPs, try to select first one from which we
can get a handle of DevicePath protocol if any, otherwise select first
one. This is expected to workaround the garbled screen problem when
booting with efiboot happened on some machines.

origin diff from Alexei K.

Replace hand rolled memory allocation in efid_io() with
BS->AllocatePages() and BS->FreePages() as in all the other
efid_io() versions.

Don't leak the pages on success.

Bump boot version to 3.59.

ok yasuoka@

Some machines (e.g. some Intel Macs) have a EFI memory map with more than
64 entries. Instead of writing beyond the array that we use to construct
a BIOS compatible memory map, check that we don't overflow the array and
print a message if we do. Bump the size of the array from 64 to 128
entries.

Issue reported and debugged by David N. Arnold.
Further input from yasuoka@

ok deraadt@ (earlier version) and yasuaka@

Always use an allocated buffer for {Read,Write}Blocks() to make
efid_io() simpler. Also fixes the problem on some machines when boot
from CD-ROM. It happened because the previous version passed
unaligned pointers to the functions even if it is restricted by the
IoAlign property of the media. idea from kettenis, work with asou

ok kettenis

Use daddr_t and not daddr32_t in boot media.

At a minimum, amd64/i386 should now boot from 4TB GPT formatted disks.

More daddr32_t terminations with extreme prejudice to follow.

Tested by various, in snaps for a few days.

ok deraadt@

Use a 64MB block to load the kernel to deal with kernel growth.
Note that the first 16MB of the block are currently unused since
we link our kernels at physical address 0x01000000. Therefore
32MB is no longer enough to load a kernel that is now larger than
16MB.

Fixes the "entry point at 0x10010000" hang that people have reported
on some machines.

ok patrick@, naddy@, deraadt@

Fix write un-protecting of kernel memory. p was used uninitialized
at the beginning of the loop. We need to use cr3 at the start of each
iteration for the top level page directory.

From and ok sf@

Improve write un-protecting of kernel memory. For the Computrace module
on the HP EliteBook 830 G6 we added a workaround which tries to re-map
the pages where we want to place to kernel read-write. On some machines
though this workaround causes a regression. Fix those by changing a few
things: Only set the writeable bit if it isn't set yet. Un-protect
write-protected page directories. Skip lower levels if large-page is
set, since the next level is already a page. Don't do anything at all
if paging is disabled.

From Christian Ehrhardt
ok bluhm@ tobhe@

crank version number

increment version numbers, due to recent RB_GOODSEED and fchmod +T changes

Make efi_device_path_depth() return the full device path depth if we don't
find a media device path node. Fixes booting OpenBSD on some older U-Boot
versions that are in wide circulation such as 2017.09 and 2017.11.

ok patrick@

Allow amd64 boot(8) and friends to read from an ffs2 filesystem.
Also enable ffs2 for floppy, so that its kernel kan access ffs2. ok deraadt@

Pass the EFI memory map to the kernel.

ok deraadt@

Use arc4 to bit-spread the 512-byte random buffer over the .openbsd.randomdata
section, which has grown a fair bit with the introduction of retguard.
Mortimer discovered the repeated 512-byte sequence as retguard keys, and
this resolves the issue. (Chacha does not fit on the media, so 1.5K early
drop RC4 is hopefully sufficient in our KARL link universe)
Version crank the bootblocks. sysupgrade -s will install new bootblocks.
ok djm mortimer

Allow PXE booting using u-boot by relaxing our requirements
of the EFI PXE protocol. This also brings us in line with
the GRUB2 implementation.

Tested by naddy@ to behave the same
Tested by sven falempin on his Pine64

crank version, following fchmod change

In the bootblocks, after discovering and opening /bsd.upgrade, fchmod -x
so the file cannot be re-executed upon the next boot. This provides a
stronger one-shot-upgrade model than the upgrade script's rm /bsd.upgrade.
Now various forms of upgrade failure will reboot into /bsd, which is probably
more recoverable. Performing fchmod -x depends on (1) use of MI boot.c
(not alpha/macppc/sparc64/sgi/octeon) and (2) "can write blocks" functionality
in the IO layer. Most architectures have this support now.

Two diagnostics "fchmod a-x %s: failed" and "/bsd.upgrade is not u+x" will
remain in the tree while refinements happen for some of the laggard
architectures.

based upon a discussion florian
tested in snapshots for more than a week without any complaints

Add support for the EFI Random Number Generator Protocol and use it to XOR
random data into the buffer that we feed the kernel.

ok deraadt@, mlarkin@

crank versions

crank version; looks good deraadt

Many machines with serial ports ship with uefi firmware which does not
have the serial io protocol. Fallback to direct inb/outb hardware access
in this case using code derived from arch/amd64/stand/libsa/bioscons.c

ok kettenis@

Bump boot loader versions for softraid passphrase handling change.

crank version

Load the Intel microcode much earlier. So far we had loaded it after
the CPUs identified and then we had to update the CPU flags afterwards.
As microcode updates can add/remove instructions and features, we need
to load it earlier. Thus, make the bootloader look for the microcode
and supply it to the kernel as another bootarg. This way we can update
the cores' microcode before we identify them.

ok deraadt@

Fix TFTP reading of zero-size files:

The AllocatePages EFI call returns an error when the allocation
size is 0. Skip allocating memory and actually transferring the
file when it is empty.

Properly return the number of unread bytes so that a read() of n
bytes does not return n if no bytes were read.

While here, disallow lseek() beyond the TFTP file buffer for SEEK_CUR
as we already do for SEEK_SET.

ok patrick@

Implement network boot support in efiboot(8). This changes efiboot(8)
to recognize if it has been booted via PXE. The new TFTP file system
layer will then use the matching PXE base code protocol handle to load
the files. Since this uses the PXE base code protocol for abstraction
instead of the raw Simple Network protocol this will at this point not
work on u-boot based machines as needed on ARM.

Feedback and ok tom@
Also tested by afresh1@

If you use sys/param.h, you don't need sys/types.h

Back out previous commit but handle the case where the device path consists
of a single MEDIA_DEVICE_PATH component specially to cater for U-Boot's
somewhat broken device path handling. Add comments to prevent confusion
in the future. Bump the version number once again.

ok brynet@

Fix off-by-one in return value of efi_device_path_depth().

ok patrick@

Don't panic when we cannot locate a handle for the Serial IO protocol.
Fixes reports on tech and in private.

ok yasuoka@ stsp@

Add serial console support for efiboot.

Bump boot loader versions due to bcrypt pbkdf support.

crank bootloader version after .SUNW_ctf change

as discussed with jsing@ it's easier this way to ensure people have
bootblocks capable of loading the section

Enable cd9660 in efiboot.

belatedly bump bootstrap version after mdrandom() changes; ok deraadt@

Bring the boot changes on amd64 to i386. alloca is deleted.
Also fix the boot from BIOS and bump the version.

input and ok deraadt

Initial commit of uefi boot loader of OpenBSD.

ok deraadt yuo

Crank amd64 boot loader version numbers for softraid(4) RAID 1C boot support.

Switch bootloaders to the extended BOOTARG_CONSDEV struct.
Make the EFI bootloader provide the extra parameters that are necessary
for using the non-standard UART on the AMD Ryzen Embedded V1000 SoCs.

ok anton@

When there are multiple GOPs, try to select first one from which we
can get a handle of DevicePath protocol if any, otherwise select first
one. This is expected to workaround the garbled screen problem when
booting with efiboot happened on some machines.

origin diff from Alexei K.

Replace hand rolled memory allocation in efid_io() with
BS->AllocatePages() and BS->FreePages() as in all the other
efid_io() versions.

Don't leak the pages on success.

Bump boot version to 3.59.

ok yasuoka@

Some machines (e.g. some Intel Macs) have a EFI memory map with more than
64 entries. Instead of writing beyond the array that we use to construct
a BIOS compatible memory map, check that we don't overflow the array and
print a message if we do. Bump the size of the array from 64 to 128
entries.

Issue reported and debugged by David N. Arnold.
Further input from yasuoka@

ok deraadt@ (earlier version) and yasuaka@

Always use an allocated buffer for {Read,Write}Blocks() to make
efid_io() simpler. Also fixes the problem on some machines when boot
from CD-ROM. It happened because the previous version passed
unaligned pointers to the functions even if it is restricted by the
IoAlign property of the media. idea from kettenis, work with asou

ok kettenis

Use daddr_t and not daddr32_t in boot media.

At a minimum, amd64/i386 should now boot from 4TB GPT formatted disks.

More daddr32_t terminations with extreme prejudice to follow.

Tested by various, in snaps for a few days.

ok deraadt@

Use a 64MB block to load the kernel to deal with kernel growth.
Note that the first 16MB of the block are currently unused since
we link our kernels at physical address 0x01000000. Therefore
32MB is no longer enough to load a kernel that is now larger than
16MB.

Fixes the "entry point at 0x10010000" hang that people have reported
on some machines.

ok patrick@, naddy@, deraadt@

Fix write un-protecting of kernel memory. p was used uninitialized
at the beginning of the loop. We need to use cr3 at the start of each
iteration for the top level page directory.

From and ok sf@

Improve write un-protecting of kernel memory. For the Computrace module
on the HP EliteBook 830 G6 we added a workaround which tries to re-map
the pages where we want to place to kernel read-write. On some machines
though this workaround causes a regression. Fix those by changing a few
things: Only set the writeable bit if it isn't set yet. Un-protect
write-protected page directories. Skip lower levels if large-page is
set, since the next level is already a page. Don't do anything at all
if paging is disabled.

From Christian Ehrhardt
ok bluhm@ tobhe@

crank version number

increment version numbers, due to recent RB_GOODSEED and fchmod +T changes

Make efi_device_path_depth() return the full device path depth if we don't
find a media device path node. Fixes booting OpenBSD on some older U-Boot
versions that are in wide circulation such as 2017.09 and 2017.11.

ok patrick@

Allow amd64 boot(8) and friends to read from an ffs2 filesystem.
Also enable ffs2 for floppy, so that its kernel kan access ffs2. ok deraadt@

Pass the EFI memory map to the kernel.

ok deraadt@

Use arc4 to bit-spread the 512-byte random buffer over the .openbsd.randomdata
section, which has grown a fair bit with the introduction of retguard.
Mortimer discovered the repeated 512-byte sequence as retguard keys, and
this resolves the issue. (Chacha does not fit on the media, so 1.5K early
drop RC4 is hopefully sufficient in our KARL link universe)
Version crank the bootblocks. sysupgrade -s will install new bootblocks.
ok djm mortimer

Allow PXE booting using u-boot by relaxing our requirements
of the EFI PXE protocol. This also brings us in line with
the GRUB2 implementation.

Tested by naddy@ to behave the same
Tested by sven falempin on his Pine64

crank version, following fchmod change

In the bootblocks, after discovering and opening /bsd.upgrade, fchmod -x
so the file cannot be re-executed upon the next boot. This provides a
stronger one-shot-upgrade model than the upgrade script's rm /bsd.upgrade.
Now various forms of upgrade failure will reboot into /bsd, which is probably
more recoverable. Performing fchmod -x depends on (1) use of MI boot.c
(not alpha/macppc/sparc64/sgi/octeon) and (2) "can write blocks" functionality
in the IO layer. Most architectures have this support now.

Two diagnostics "fchmod a-x %s: failed" and "/bsd.upgrade is not u+x" will
remain in the tree while refinements happen for some of the laggard
architectures.

based upon a discussion florian
tested in snapshots for more than a week without any complaints

Add support for the EFI Random Number Generator Protocol and use it to XOR
random data into the buffer that we feed the kernel.

ok deraadt@, mlarkin@

crank versions

crank version; looks good deraadt

Many machines with serial ports ship with uefi firmware which does not
have the serial io protocol. Fallback to direct inb/outb hardware access
in this case using code derived from arch/amd64/stand/libsa/bioscons.c

ok kettenis@

Bump boot loader versions for softraid passphrase handling change.

crank version

Load the Intel microcode much earlier. So far we had loaded it after
the CPUs identified and then we had to update the CPU flags afterwards.
As microcode updates can add/remove instructions and features, we need
to load it earlier. Thus, make the bootloader look for the microcode
and supply it to the kernel as another bootarg. This way we can update
the cores' microcode before we identify them.

ok deraadt@

Fix TFTP reading of zero-size files:

The AllocatePages EFI call returns an error when the allocation
size is 0. Skip allocating memory and actually transferring the
file when it is empty.

Properly return the number of unread bytes so that a read() of n
bytes does not return n if no bytes were read.

While here, disallow lseek() beyond the TFTP file buffer for SEEK_CUR
as we already do for SEEK_SET.

ok patrick@

Implement network boot support in efiboot(8). This changes efiboot(8)
to recognize if it has been booted via PXE. The new TFTP file system
layer will then use the matching PXE base code protocol handle to load
the files. Since this uses the PXE base code protocol for abstraction
instead of the raw Simple Network protocol this will at this point not
work on u-boot based machines as needed on ARM.

Feedback and ok tom@
Also tested by afresh1@

If you use sys/param.h, you don't need sys/types.h

Back out previous commit but handle the case where the device path consists
of a single MEDIA_DEVICE_PATH component specially to cater for U-Boot's
somewhat broken device path handling. Add comments to prevent confusion
in the future. Bump the version number once again.

ok brynet@

Fix off-by-one in return value of efi_device_path_depth().

ok patrick@

Don't panic when we cannot locate a handle for the Serial IO protocol.
Fixes reports on tech and in private.

ok yasuoka@ stsp@

Add serial console support for efiboot.

Bump boot loader versions due to bcrypt pbkdf support.

crank bootloader version after .SUNW_ctf change

as discussed with jsing@ it's easier this way to ensure people have
bootblocks capable of loading the section

Enable cd9660 in efiboot.

belatedly bump bootstrap version after mdrandom() changes; ok deraadt@

Bring the boot changes on amd64 to i386. alloca is deleted.
Also fix the boot from BIOS and bump the version.

input and ok deraadt

Initial commit of uefi boot loader of OpenBSD.

ok deraadt yuo

Switch bootloaders to the extended BOOTARG_CONSDEV struct.
Make the EFI bootloader provide the extra parameters that are necessary
for using the non-standard UART on the AMD Ryzen Embedded V1000 SoCs.

ok anton@

When there are multiple GOPs, try to select first one from which we
can get a handle of DevicePath protocol if any, otherwise select first
one. This is expected to workaround the garbled screen problem when
booting with efiboot happened on some machines.

origin diff from Alexei K.

Replace hand rolled memory allocation in efid_io() with
BS->AllocatePages() and BS->FreePages() as in all the other
efid_io() versions.

Don't leak the pages on success.

Bump boot version to 3.59.

ok yasuoka@

Some machines (e.g. some Intel Macs) have a EFI memory map with more than
64 entries. Instead of writing beyond the array that we use to construct
a BIOS compatible memory map, check that we don't overflow the array and
print a message if we do. Bump the size of the array from 64 to 128
entries.

Issue reported and debugged by David N. Arnold.
Further input from yasuoka@

ok deraadt@ (earlier version) and yasuaka@

Always use an allocated buffer for {Read,Write}Blocks() to make
efid_io() simpler. Also fixes the problem on some machines when boot
from CD-ROM. It happened because the previous version passed
unaligned pointers to the functions even if it is restricted by the
IoAlign property of the media. idea from kettenis, work with asou

ok kettenis

Use daddr_t and not daddr32_t in boot media.

At a minimum, amd64/i386 should now boot from 4TB GPT formatted disks.

More daddr32_t terminations with extreme prejudice to follow.

Tested by various, in snaps for a few days.

ok deraadt@

Use a 64MB block to load the kernel to deal with kernel growth.
Note that the first 16MB of the block are currently unused since
we link our kernels at physical address 0x01000000. Therefore
32MB is no longer enough to load a kernel that is now larger than
16MB.

Fixes the "entry point at 0x10010000" hang that people have reported
on some machines.

ok patrick@, naddy@, deraadt@

Fix write un-protecting of kernel memory. p was used uninitialized
at the beginning of the loop. We need to use cr3 at the start of each
iteration for the top level page directory.

From and ok sf@

Improve write un-protecting of kernel memory. For the Computrace module
on the HP EliteBook 830 G6 we added a workaround which tries to re-map
the pages where we want to place to kernel read-write. On some machines
though this workaround causes a regression. Fix those by changing a few
things: Only set the writeable bit if it isn't set yet. Un-protect
write-protected page directories. Skip lower levels if large-page is
set, since the next level is already a page. Don't do anything at all
if paging is disabled.

From Christian Ehrhardt
ok bluhm@ tobhe@

crank version number

increment version numbers, due to recent RB_GOODSEED and fchmod +T changes

Make efi_device_path_depth() return the full device path depth if we don't
find a media device path node. Fixes booting OpenBSD on some older U-Boot
versions that are in wide circulation such as 2017.09 and 2017.11.

ok patrick@

Allow amd64 boot(8) and friends to read from an ffs2 filesystem.
Also enable ffs2 for floppy, so that its kernel kan access ffs2. ok deraadt@

Pass the EFI memory map to the kernel.

ok deraadt@

Use arc4 to bit-spread the 512-byte random buffer over the .openbsd.randomdata
section, which has grown a fair bit with the introduction of retguard.
Mortimer discovered the repeated 512-byte sequence as retguard keys, and
this resolves the issue. (Chacha does not fit on the media, so 1.5K early
drop RC4 is hopefully sufficient in our KARL link universe)
Version crank the bootblocks. sysupgrade -s will install new bootblocks.
ok djm mortimer

Allow PXE booting using u-boot by relaxing our requirements
of the EFI PXE protocol. This also brings us in line with
the GRUB2 implementation.

Tested by naddy@ to behave the same
Tested by sven falempin on his Pine64

crank version, following fchmod change

In the bootblocks, after discovering and opening /bsd.upgrade, fchmod -x
so the file cannot be re-executed upon the next boot. This provides a
stronger one-shot-upgrade model than the upgrade script's rm /bsd.upgrade.
Now various forms of upgrade failure will reboot into /bsd, which is probably
more recoverable. Performing fchmod -x depends on (1) use of MI boot.c
(not alpha/macppc/sparc64/sgi/octeon) and (2) "can write blocks" functionality
in the IO layer. Most architectures have this support now.

Two diagnostics "fchmod a-x %s: failed" and "/bsd.upgrade is not u+x" will
remain in the tree while refinements happen for some of the laggard
architectures.

based upon a discussion florian
tested in snapshots for more than a week without any complaints

Add support for the EFI Random Number Generator Protocol and use it to XOR
random data into the buffer that we feed the kernel.

ok deraadt@, mlarkin@

crank versions

crank version; looks good deraadt

Many machines with serial ports ship with uefi firmware which does not
have the serial io protocol. Fallback to direct inb/outb hardware access
in this case using code derived from arch/amd64/stand/libsa/bioscons.c

ok kettenis@

Bump boot loader versions for softraid passphrase handling change.

crank version

Load the Intel microcode much earlier. So far we had loaded it after
the CPUs identified and then we had to update the CPU flags afterwards.
As microcode updates can add/remove instructions and features, we need
to load it earlier. Thus, make the bootloader look for the microcode
and supply it to the kernel as another bootarg. This way we can update
the cores' microcode before we identify them.

ok deraadt@

Fix TFTP reading of zero-size files:

The AllocatePages EFI call returns an error when the allocation
size is 0. Skip allocating memory and actually transferring the
file when it is empty.

Properly return the number of unread bytes so that a read() of n
bytes does not return n if no bytes were read.

While here, disallow lseek() beyond the TFTP file buffer for SEEK_CUR
as we already do for SEEK_SET.

ok patrick@

Implement network boot support in efiboot(8). This changes efiboot(8)
to recognize if it has been booted via PXE. The new TFTP file system
layer will then use the matching PXE base code protocol handle to load
the files. Since this uses the PXE base code protocol for abstraction
instead of the raw Simple Network protocol this will at this point not
work on u-boot based machines as needed on ARM.

Feedback and ok tom@
Also tested by afresh1@

If you use sys/param.h, you don't need sys/types.h

Back out previous commit but handle the case where the device path consists
of a single MEDIA_DEVICE_PATH component specially to cater for U-Boot's
somewhat broken device path handling. Add comments to prevent confusion
in the future. Bump the version number once again.

ok brynet@

Fix off-by-one in return value of efi_device_path_depth().

ok patrick@

Don't panic when we cannot locate a handle for the Serial IO protocol.
Fixes reports on tech and in private.

ok yasuoka@ stsp@

Add serial console support for efiboot.

Bump boot loader versions due to bcrypt pbkdf support.

crank bootloader version after .SUNW_ctf change

as discussed with jsing@ it's easier this way to ensure people have
bootblocks capable of loading the section

Enable cd9660 in efiboot.

belatedly bump bootstrap version after mdrandom() changes; ok deraadt@

Bring the boot changes on amd64 to i386. alloca is deleted.
Also fix the boot from BIOS and bump the version.

input and ok deraadt

Initial commit of uefi boot loader of OpenBSD.

ok deraadt yuo

When there are multiple GOPs, try to select first one from which we
can get a handle of DevicePath protocol if any, otherwise select first
one. This is expected to workaround the garbled screen problem when
booting with efiboot happened on some machines.

origin diff from Alexei K.

Replace hand rolled memory allocation in efid_io() with
BS->AllocatePages() and BS->FreePages() as in all the other
efid_io() versions.

Don't leak the pages on success.

Bump boot version to 3.59.

ok yasuoka@

Some machines (e.g. some Intel Macs) have a EFI memory map with more than
64 entries. Instead of writing beyond the array that we use to construct
a BIOS compatible memory map, check that we don't overflow the array and
print a message if we do. Bump the size of the array from 64 to 128
entries.

Issue reported and debugged by David N. Arnold.
Further input from yasuoka@

ok deraadt@ (earlier version) and yasuaka@

Always use an allocated buffer for {Read,Write}Blocks() to make
efid_io() simpler. Also fixes the problem on some machines when boot
from CD-ROM. It happened because the previous version passed
unaligned pointers to the functions even if it is restricted by the
IoAlign property of the media. idea from kettenis, work with asou

ok kettenis

Use daddr_t and not daddr32_t in boot media.

At a minimum, amd64/i386 should now boot from 4TB GPT formatted disks.

More daddr32_t terminations with extreme prejudice to follow.

Tested by various, in snaps for a few days.

ok deraadt@

Use a 64MB block to load the kernel to deal with kernel growth.
Note that the first 16MB of the block are currently unused since
we link our kernels at physical address 0x01000000. Therefore
32MB is no longer enough to load a kernel that is now larger than
16MB.

Fixes the "entry point at 0x10010000" hang that people have reported
on some machines.

ok patrick@, naddy@, deraadt@

Fix write un-protecting of kernel memory. p was used uninitialized
at the beginning of the loop. We need to use cr3 at the start of each
iteration for the top level page directory.

From and ok sf@

Improve write un-protecting of kernel memory. For the Computrace module
on the HP EliteBook 830 G6 we added a workaround which tries to re-map
the pages where we want to place to kernel read-write. On some machines
though this workaround causes a regression. Fix those by changing a few
things: Only set the writeable bit if it isn't set yet. Un-protect
write-protected page directories. Skip lower levels if large-page is
set, since the next level is already a page. Don't do anything at all
if paging is disabled.

From Christian Ehrhardt
ok bluhm@ tobhe@

crank version number

increment version numbers, due to recent RB_GOODSEED and fchmod +T changes

Make efi_device_path_depth() return the full device path depth if we don't
find a media device path node. Fixes booting OpenBSD on some older U-Boot
versions that are in wide circulation such as 2017.09 and 2017.11.

ok patrick@

Allow amd64 boot(8) and friends to read from an ffs2 filesystem.
Also enable ffs2 for floppy, so that its kernel kan access ffs2. ok deraadt@

Pass the EFI memory map to the kernel.

ok deraadt@

Use arc4 to bit-spread the 512-byte random buffer over the .openbsd.randomdata
section, which has grown a fair bit with the introduction of retguard.
Mortimer discovered the repeated 512-byte sequence as retguard keys, and
this resolves the issue. (Chacha does not fit on the media, so 1.5K early
drop RC4 is hopefully sufficient in our KARL link universe)
Version crank the bootblocks. sysupgrade -s will install new bootblocks.
ok djm mortimer

Allow PXE booting using u-boot by relaxing our requirements
of the EFI PXE protocol. This also brings us in line with
the GRUB2 implementation.

Tested by naddy@ to behave the same
Tested by sven falempin on his Pine64

crank version, following fchmod change

In the bootblocks, after discovering and opening /bsd.upgrade, fchmod -x
so the file cannot be re-executed upon the next boot. This provides a
stronger one-shot-upgrade model than the upgrade script's rm /bsd.upgrade.
Now various forms of upgrade failure will reboot into /bsd, which is probably
more recoverable. Performing fchmod -x depends on (1) use of MI boot.c
(not alpha/macppc/sparc64/sgi/octeon) and (2) "can write blocks" functionality
in the IO layer. Most architectures have this support now.

Two diagnostics "fchmod a-x %s: failed" and "/bsd.upgrade is not u+x" will
remain in the tree while refinements happen for some of the laggard
architectures.

based upon a discussion florian
tested in snapshots for more than a week without any complaints

Add support for the EFI Random Number Generator Protocol and use it to XOR
random data into the buffer that we feed the kernel.

ok deraadt@, mlarkin@

crank versions

crank version; looks good deraadt

Many machines with serial ports ship with uefi firmware which does not
have the serial io protocol. Fallback to direct inb/outb hardware access
in this case using code derived from arch/amd64/stand/libsa/bioscons.c

ok kettenis@

Bump boot loader versions for softraid passphrase handling change.

crank version

Load the Intel microcode much earlier. So far we had loaded it after
the CPUs identified and then we had to update the CPU flags afterwards.
As microcode updates can add/remove instructions and features, we need
to load it earlier. Thus, make the bootloader look for the microcode
and supply it to the kernel as another bootarg. This way we can update
the cores' microcode before we identify them.

ok deraadt@

Fix TFTP reading of zero-size files:

The AllocatePages EFI call returns an error when the allocation
size is 0. Skip allocating memory and actually transferring the
file when it is empty.

Properly return the number of unread bytes so that a read() of n
bytes does not return n if no bytes were read.

While here, disallow lseek() beyond the TFTP file buffer for SEEK_CUR
as we already do for SEEK_SET.

ok patrick@

Implement network boot support in efiboot(8). This changes efiboot(8)
to recognize if it has been booted via PXE. The new TFTP file system
layer will then use the matching PXE base code protocol handle to load
the files. Since this uses the PXE base code protocol for abstraction
instead of the raw Simple Network protocol this will at this point not
work on u-boot based machines as needed on ARM.

Feedback and ok tom@
Also tested by afresh1@

If you use sys/param.h, you don't need sys/types.h

Back out previous commit but handle the case where the device path consists
of a single MEDIA_DEVICE_PATH component specially to cater for U-Boot's
somewhat broken device path handling. Add comments to prevent confusion
in the future. Bump the version number once again.

ok brynet@

Fix off-by-one in return value of efi_device_path_depth().

ok patrick@

Don't panic when we cannot locate a handle for the Serial IO protocol.
Fixes reports on tech and in private.

ok yasuoka@ stsp@

Add serial console support for efiboot.

Bump boot loader versions due to bcrypt pbkdf support.

crank bootloader version after .SUNW_ctf change

as discussed with jsing@ it's easier this way to ensure people have
bootblocks capable of loading the section

Enable cd9660 in efiboot.

belatedly bump bootstrap version after mdrandom() changes; ok deraadt@

Bring the boot changes on amd64 to i386. alloca is deleted.
Also fix the boot from BIOS and bump the version.

input and ok deraadt

Initial commit of uefi boot loader of OpenBSD.

ok deraadt yuo

Replace hand rolled memory allocation in efid_io() with
BS->AllocatePages() and BS->FreePages() as in all the other
efid_io() versions.

Don't leak the pages on success.

Bump boot version to 3.59.

ok yasuoka@

Some machines (e.g. some Intel Macs) have a EFI memory map with more than
64 entries. Instead of writing beyond the array that we use to construct
a BIOS compatible memory map, check that we don't overflow the array and
print a message if we do. Bump the size of the array from 64 to 128
entries.

Issue reported and debugged by David N. Arnold.
Further input from yasuoka@

ok deraadt@ (earlier version) and yasuaka@

Always use an allocated buffer for {Read,Write}Blocks() to make
efid_io() simpler. Also fixes the problem on some machines when boot
from CD-ROM. It happened because the previous version passed
unaligned pointers to the functions even if it is restricted by the
IoAlign property of the media. idea from kettenis, work with asou

ok kettenis

Use daddr_t and not daddr32_t in boot media.

At a minimum, amd64/i386 should now boot from 4TB GPT formatted disks.

More daddr32_t terminations with extreme prejudice to follow.

Tested by various, in snaps for a few days.

ok deraadt@

Use a 64MB block to load the kernel to deal with kernel growth.
Note that the first 16MB of the block are currently unused since
we link our kernels at physical address 0x01000000. Therefore
32MB is no longer enough to load a kernel that is now larger than
16MB.

Fixes the "entry point at 0x10010000" hang that people have reported
on some machines.

ok patrick@, naddy@, deraadt@

Fix write un-protecting of kernel memory. p was used uninitialized
at the beginning of the loop. We need to use cr3 at the start of each
iteration for the top level page directory.

From and ok sf@

Improve write un-protecting of kernel memory. For the Computrace module
on the HP EliteBook 830 G6 we added a workaround which tries to re-map
the pages where we want to place to kernel read-write. On some machines
though this workaround causes a regression. Fix those by changing a few
things: Only set the writeable bit if it isn't set yet. Un-protect
write-protected page directories. Skip lower levels if large-page is
set, since the next level is already a page. Don't do anything at all
if paging is disabled.

From Christian Ehrhardt
ok bluhm@ tobhe@

crank version number

increment version numbers, due to recent RB_GOODSEED and fchmod +T changes

Make efi_device_path_depth() return the full device path depth if we don't
find a media device path node. Fixes booting OpenBSD on some older U-Boot
versions that are in wide circulation such as 2017.09 and 2017.11.

ok patrick@

Allow amd64 boot(8) and friends to read from an ffs2 filesystem.
Also enable ffs2 for floppy, so that its kernel kan access ffs2. ok deraadt@

Pass the EFI memory map to the kernel.

ok deraadt@

Use arc4 to bit-spread the 512-byte random buffer over the .openbsd.randomdata
section, which has grown a fair bit with the introduction of retguard.
Mortimer discovered the repeated 512-byte sequence as retguard keys, and
this resolves the issue. (Chacha does not fit on the media, so 1.5K early
drop RC4 is hopefully sufficient in our KARL link universe)
Version crank the bootblocks. sysupgrade -s will install new bootblocks.
ok djm mortimer

Allow PXE booting using u-boot by relaxing our requirements
of the EFI PXE protocol. This also brings us in line with
the GRUB2 implementation.

Tested by naddy@ to behave the same
Tested by sven falempin on his Pine64

crank version, following fchmod change

In the bootblocks, after discovering and opening /bsd.upgrade, fchmod -x
so the file cannot be re-executed upon the next boot. This provides a
stronger one-shot-upgrade model than the upgrade script's rm /bsd.upgrade.
Now various forms of upgrade failure will reboot into /bsd, which is probably
more recoverable. Performing fchmod -x depends on (1) use of MI boot.c
(not alpha/macppc/sparc64/sgi/octeon) and (2) "can write blocks" functionality
in the IO layer. Most architectures have this support now.

Two diagnostics "fchmod a-x %s: failed" and "/bsd.upgrade is not u+x" will
remain in the tree while refinements happen for some of the laggard
architectures.

based upon a discussion florian
tested in snapshots for more than a week without any complaints

Add support for the EFI Random Number Generator Protocol and use it to XOR
random data into the buffer that we feed the kernel.

ok deraadt@, mlarkin@

crank versions

crank version; looks good deraadt

Many machines with serial ports ship with uefi firmware which does not
have the serial io protocol. Fallback to direct inb/outb hardware access
in this case using code derived from arch/amd64/stand/libsa/bioscons.c

ok kettenis@

Bump boot loader versions for softraid passphrase handling change.

crank version

Load the Intel microcode much earlier. So far we had loaded it after
the CPUs identified and then we had to update the CPU flags afterwards.
As microcode updates can add/remove instructions and features, we need
to load it earlier. Thus, make the bootloader look for the microcode
and supply it to the kernel as another bootarg. This way we can update
the cores' microcode before we identify them.

ok deraadt@

Fix TFTP reading of zero-size files:

The AllocatePages EFI call returns an error when the allocation
size is 0. Skip allocating memory and actually transferring the
file when it is empty.

Properly return the number of unread bytes so that a read() of n
bytes does not return n if no bytes were read.

While here, disallow lseek() beyond the TFTP file buffer for SEEK_CUR
as we already do for SEEK_SET.

ok patrick@

Implement network boot support in efiboot(8). This changes efiboot(8)
to recognize if it has been booted via PXE. The new TFTP file system
layer will then use the matching PXE base code protocol handle to load
the files. Since this uses the PXE base code protocol for abstraction
instead of the raw Simple Network protocol this will at this point not
work on u-boot based machines as needed on ARM.

Feedback and ok tom@
Also tested by afresh1@

If you use sys/param.h, you don't need sys/types.h

Back out previous commit but handle the case where the device path consists
of a single MEDIA_DEVICE_PATH component specially to cater for U-Boot's
somewhat broken device path handling. Add comments to prevent confusion
in the future. Bump the version number once again.

ok brynet@

Fix off-by-one in return value of efi_device_path_depth().

ok patrick@

Don't panic when we cannot locate a handle for the Serial IO protocol.
Fixes reports on tech and in private.

ok yasuoka@ stsp@

Add serial console support for efiboot.

Bump boot loader versions due to bcrypt pbkdf support.

crank bootloader version after .SUNW_ctf change

as discussed with jsing@ it's easier this way to ensure people have
bootblocks capable of loading the section

Enable cd9660 in efiboot.

belatedly bump bootstrap version after mdrandom() changes; ok deraadt@

Bring the boot changes on amd64 to i386. alloca is deleted.
Also fix the boot from BIOS and bump the version.

input and ok deraadt

Initial commit of uefi boot loader of OpenBSD.

ok deraadt yuo

Some machines (e.g. some Intel Macs) have a EFI memory map with more than
64 entries. Instead of writing beyond the array that we use to construct
a BIOS compatible memory map, check that we don't overflow the array and
print a message if we do. Bump the size of the array from 64 to 128
entries.

Issue reported and debugged by David N. Arnold.
Further input from yasuoka@

ok deraadt@ (earlier version) and yasuaka@

Always use an allocated buffer for {Read,Write}Blocks() to make
efid_io() simpler. Also fixes the problem on some machines when boot
from CD-ROM. It happened because the previous version passed
unaligned pointers to the functions even if it is restricted by the
IoAlign property of the media. idea from kettenis, work with asou

ok kettenis

Use daddr_t and not daddr32_t in boot media.

At a minimum, amd64/i386 should now boot from 4TB GPT formatted disks.

More daddr32_t terminations with extreme prejudice to follow.

Tested by various, in snaps for a few days.

ok deraadt@

Use a 64MB block to load the kernel to deal with kernel growth.
Note that the first 16MB of the block are currently unused since
we link our kernels at physical address 0x01000000. Therefore
32MB is no longer enough to load a kernel that is now larger than
16MB.

Fixes the "entry point at 0x10010000" hang that people have reported
on some machines.

ok patrick@, naddy@, deraadt@

Fix write un-protecting of kernel memory. p was used uninitialized
at the beginning of the loop. We need to use cr3 at the start of each
iteration for the top level page directory.

From and ok sf@

Improve write un-protecting of kernel memory. For the Computrace module
on the HP EliteBook 830 G6 we added a workaround which tries to re-map
the pages where we want to place to kernel read-write. On some machines
though this workaround causes a regression. Fix those by changing a few
things: Only set the writeable bit if it isn't set yet. Un-protect
write-protected page directories. Skip lower levels if large-page is
set, since the next level is already a page. Don't do anything at all
if paging is disabled.

From Christian Ehrhardt
ok bluhm@ tobhe@

crank version number

increment version numbers, due to recent RB_GOODSEED and fchmod +T changes

Make efi_device_path_depth() return the full device path depth if we don't
find a media device path node. Fixes booting OpenBSD on some older U-Boot
versions that are in wide circulation such as 2017.09 and 2017.11.

ok patrick@

Allow amd64 boot(8) and friends to read from an ffs2 filesystem.
Also enable ffs2 for floppy, so that its kernel kan access ffs2. ok deraadt@

Pass the EFI memory map to the kernel.

ok deraadt@

Use arc4 to bit-spread the 512-byte random buffer over the .openbsd.randomdata
section, which has grown a fair bit with the introduction of retguard.
Mortimer discovered the repeated 512-byte sequence as retguard keys, and
this resolves the issue. (Chacha does not fit on the media, so 1.5K early
drop RC4 is hopefully sufficient in our KARL link universe)
Version crank the bootblocks. sysupgrade -s will install new bootblocks.
ok djm mortimer

Allow PXE booting using u-boot by relaxing our requirements
of the EFI PXE protocol. This also brings us in line with
the GRUB2 implementation.

Tested by naddy@ to behave the same
Tested by sven falempin on his Pine64

crank version, following fchmod change

In the bootblocks, after discovering and opening /bsd.upgrade, fchmod -x
so the file cannot be re-executed upon the next boot. This provides a
stronger one-shot-upgrade model than the upgrade script's rm /bsd.upgrade.
Now various forms of upgrade failure will reboot into /bsd, which is probably
more recoverable. Performing fchmod -x depends on (1) use of MI boot.c
(not alpha/macppc/sparc64/sgi/octeon) and (2) "can write blocks" functionality
in the IO layer. Most architectures have this support now.

Two diagnostics "fchmod a-x %s: failed" and "/bsd.upgrade is not u+x" will
remain in the tree while refinements happen for some of the laggard
architectures.

based upon a discussion florian
tested in snapshots for more than a week without any complaints

Add support for the EFI Random Number Generator Protocol and use it to XOR
random data into the buffer that we feed the kernel.

ok deraadt@, mlarkin@

crank versions

crank version; looks good deraadt

Many machines with serial ports ship with uefi firmware which does not
have the serial io protocol. Fallback to direct inb/outb hardware access
in this case using code derived from arch/amd64/stand/libsa/bioscons.c

ok kettenis@

Bump boot loader versions for softraid passphrase handling change.

crank version

Load the Intel microcode much earlier. So far we had loaded it after
the CPUs identified and then we had to update the CPU flags afterwards.
As microcode updates can add/remove instructions and features, we need
to load it earlier. Thus, make the bootloader look for the microcode
and supply it to the kernel as another bootarg. This way we can update
the cores' microcode before we identify them.

ok deraadt@

Fix TFTP reading of zero-size files:

The AllocatePages EFI call returns an error when the allocation
size is 0. Skip allocating memory and actually transferring the
file when it is empty.

Properly return the number of unread bytes so that a read() of n
bytes does not return n if no bytes were read.

While here, disallow lseek() beyond the TFTP file buffer for SEEK_CUR
as we already do for SEEK_SET.

ok patrick@

Implement network boot support in efiboot(8). This changes efiboot(8)
to recognize if it has been booted via PXE. The new TFTP file system
layer will then use the matching PXE base code protocol handle to load
the files. Since this uses the PXE base code protocol for abstraction
instead of the raw Simple Network protocol this will at this point not
work on u-boot based machines as needed on ARM.

Feedback and ok tom@
Also tested by afresh1@

If you use sys/param.h, you don't need sys/types.h

Back out previous commit but handle the case where the device path consists
of a single MEDIA_DEVICE_PATH component specially to cater for U-Boot's
somewhat broken device path handling. Add comments to prevent confusion
in the future. Bump the version number once again.

ok brynet@

Fix off-by-one in return value of efi_device_path_depth().

ok patrick@

Don't panic when we cannot locate a handle for the Serial IO protocol.
Fixes reports on tech and in private.

ok yasuoka@ stsp@

Add serial console support for efiboot.

Bump boot loader versions due to bcrypt pbkdf support.

crank bootloader version after .SUNW_ctf change

as discussed with jsing@ it's easier this way to ensure people have
bootblocks capable of loading the section

Enable cd9660 in efiboot.

belatedly bump bootstrap version after mdrandom() changes; ok deraadt@

Bring the boot changes on amd64 to i386. alloca is deleted.
Also fix the boot from BIOS and bump the version.

input and ok deraadt

Initial commit of uefi boot loader of OpenBSD.

ok deraadt yuo