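/* $NetBSD: i386.c,v 1.43 2021/12/05 04:47:18 msaitoh Exp $ */

/*-
 * Copyright (c) 2003 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This code is derived from software contributed to The NetBSD Foundation
 * by David Laight.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#if HAVE_NBTOOL_CONFIG_H
#include "nbtool_config.h"
#endif

#include <sys/cdefs.h>
#if !defined(__lint)
__RCSID("$NetBSD: i386.c,v 1.43 2021/12/05 04:47:18 msaitoh Exp $");
#endif /* !__lint */

#include <sys/param.h>
#ifndef HAVE_NBTOOL_CONFIG_H
#include <sys/ioctl.h>
#include <sys/dkio.h>
#endif

#include <assert.h>
#include <errno.h>
#include <err.h>
#include <md5.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include "installboot.h"

/*
 * Console names accepted on the command line, paired with the numeric
 * console device value that is stored in the boot parameter block.
 */
static const struct console_name {
	const char	*name;		/* Name of console selection */
	const int	dev;		/* value matching CONSDEV_* from sys/arch/i386/stand/lib/libi386.h */
} consoles[] = {
	{ "pc",		0 /* CONSDEV_PC */ },
	{ "com0",	1 /* CONSDEV_COM0 */ },
	{ "com1",	2 /* CONSDEV_COM1 */ },
	{ "com2",	3 /* CONSDEV_COM2 */ },
	{ "com3",	4 /* CONSDEV_COM3 */ },
	{ "com0kbd",	5 /* CONSDEV_COM0KBD */ },
	{ "com1kbd",	6 /* CONSDEV_COM1KBD */ },
	{ "com2kbd",	7 /* CONSDEV_COM2KBD */ },
	{ "com3kbd",	8 /* CONSDEV_COM3KBD */ },
	{ "auto",	-1 /* CONSDEV_AUTO */ },
};

static int i386_setboot(ib_params *);
static int i386_editboot(ib_params *);

/* i386 and amd64 share the same handlers and the same set of valid flags. */
struct ib_mach ib_mach_i386 = {
	.name		= "i386",
	.setboot	= i386_setboot,
	.clearboot	= no_clearboot,
	.editboot	= i386_editboot,
	.valid_flags	= IB_RESETVIDEO | IB_CONSOLE | IB_CONSPEED |
			  IB_CONSADDR | IB_KEYMAP | IB_PASSWORD |
			  IB_TIMEOUT | IB_MODULES | IB_BOOTCONF |
			  IB_STAGE1START
};

struct ib_mach ib_mach_amd64 = {
	.name		= "amd64",
	.setboot	= i386_setboot,
	.clearboot	= no_clearboot,
	.editboot	= i386_editboot,
	.valid_flags	= IB_RESETVIDEO | IB_CONSOLE | IB_CONSPEED |
			  IB_CONSADDR | IB_KEYMAP | IB_PASSWORD |
			  IB_TIMEOUT | IB_MODULES | IB_BOOTCONF |
			  IB_STAGE1START
};

/*
 * Attempting to write the 'labelsector' (or a sector near it - within 8k?)
 * using the non-raw disk device fails silently.  This can be detected (today)
 * by doing a fsync() and a read back.
 * This is very likely to affect installboot, indeed the code may need to
 * be written into the 'labelsector' itself - especially on non-512 byte media.
 * We do all writes with a read verify.
 * If EROFS is returned we also try to enable writes to the label sector.
 * (Maybe these functions should be in the generic part of installboot.)
 *
 * pwrite_validate() writes n_bytes from buf at offset, then reads the same
 * range back and compares it with what was written.
 *
 * Returns the byte count reported by pwrite() (which may be short) when the
 * read-back matches.  Returns -1 when the scratch buffer cannot be allocated
 * or pwrite() fails (errno as left by that call), and -1 with errno set to
 * EROFS when the read-back is short or differs.
 */
static int
pwrite_validate(int fd, const void *buf, size_t n_bytes, off_t offset)
{
	void *r_buf;
	ssize_t rv;

	r_buf = malloc(n_bytes);
	if (r_buf == NULL)
		return -1;
	rv = pwrite(fd, buf, n_bytes, offset);
	if (rv == -1) {
		free(r_buf);
		return -1;
	}
	/*
	 * The fsync() result is deliberately not acted on: the read-back
	 * comparison below is the actual success test.
	 */
	(void)fsync(fd);
	if (pread(fd, r_buf, rv, offset) == rv && memcmp(r_buf, buf, rv) == 0) {
		free(r_buf);
		return rv;
	}
	free(r_buf);
	/* A silently dropped write is reported as a read-only target. */
	errno = EROFS;
	return -1;
}

/*
 * Write the assembled boot area (buf, len bytes) to params->fsfd, skipping
 * the label sector where possible and falling back to a whole-area write,
 * with label writes temporarily enabled if the platform offers DIOCWLABEL.
 *
 * len must be exactly 512 (pbr only) or at least 1024; the only caller in
 * this file passes the full 8192-byte buffer.
 *
 * Returns 1 on success, 0 on failure (a diagnostic has been printed).
 */
static int
write_boot_area(ib_params *params, uint8_t *buf, size_t len)
{
	int rv;
#ifdef DIOCWLABEL
	int i, saved_errno;
#endif

	/* 'len -= 512 * 2' below would wrap for any other short length. */
	assert(len == 512 || len >= 512 * 2);

	/*
	 * Writing the 'label' sector (likely to be bytes 512-1023) could
	 * fail, so we try to avoid writing that area.
	 * Unfortunately, if we are accessing the raw disk, and the sector
	 * size is larger than 512 bytes that is also doomed.
	 * See how we get on....
	 *
	 * NB: Even if the physical sector size is not 512, the space for
	 * the label is 512 bytes from the start of the disk.
	 * So all the '512' constants in these functions are correct.
	 */

	/* Write out first 512 bytes - the pbr code */
	rv = pwrite_validate(params->fsfd, buf, 512, 0);
	if (rv == 512) {
		/* That worked, do the rest */
		if (len == 512)
			return 1;
		len -= 512 * 2;
		rv = pwrite_validate(params->fsfd, buf + 512 * 2, len, 512 * 2);
		if (rv != (ssize_t)len)
			goto bad_write;
		return 1;
	}
	if (rv != -1 || (errno != EINVAL && errno != EROFS))
		goto bad_write;

	if (errno == EINVAL) {
		/* Assume the failure was due to the sector size > 512 */
		rv = pwrite_validate(params->fsfd, buf, len, 0);
		if (rv == (ssize_t)len)
			return 1;
		if (rv != -1 || (errno != EROFS))
			goto bad_write;
	}

#ifdef DIOCWLABEL
	/* Pesky label is protected, try to unprotect it */
	i = 1;
	rv = ioctl(params->fsfd, DIOCWLABEL, &i);
	if (rv != 0) {
		warn("Cannot enable writes to the label sector");
		return 0;
	}
	/* Try again with label write-enabled */
	rv = pwrite_validate(params->fsfd, buf, len, 0);
	/* Keep the write's errno: the ioctl below may overwrite it. */
	saved_errno = errno;

	/* Reset write-protect */
	i = 0;
	(void)ioctl(params->fsfd, DIOCWLABEL, &i);
	errno = saved_errno;
	if (rv == (ssize_t)len)
		return 1;
#endif

 bad_write:
	if (rv == -1)
		warn("Writing `%s'", params->filesystem);
	else
		warnx("Writing `%s': short write, %u bytes",
		    params->filesystem, (unsigned int)rv);
	return 0;
}

/*
 * Print the boot parameter block to stdout.  The multi-byte fields are
 * converted from little-endian before printing; the console device is
 * shown by name when it matches an entry of consoles[], else as a number.
 *
 * NOTE(review): the blanks inside the "Boot options: " and " keymap"
 * literals are reproduced from the listing, which may have collapsed runs
 * of whitespace - confirm against the repository copy.
 */
static void
show_i386_boot_params(struct x86_boot_params *bpp)
{
	size_t i;

	printf("Boot options: ");
	printf("timeout %d, ", le32toh(bpp->bp_timeout));
	printf("flags %x, ", le32toh(bpp->bp_flags));
	printf("speed %d, ", le32toh(bpp->bp_conspeed));
	printf("ioaddr %x, ", le32toh(bpp->bp_consaddr));
	for (i = 0; i < __arraycount(consoles); i++) {
		if (consoles[i].dev == (int)le32toh(bpp->bp_consdev))
			break;
	}
	if (i == __arraycount(consoles))
		printf("console %d\n", le32toh(bpp->bp_consdev));
	else
		printf("console %s\n", consoles[i].name);
	if (bpp->bp_keymap[0])
		printf(" keymap %s\n", bpp->bp_keymap);
}

/*
 * Return non-zero when all len bytes at p are zero (vacuously true for
 * len == 0, in which case p is not dereferenced).
 * The overlapping memcmp() checks that every byte equals its predecessor,
 * which together with p[0] == 0 means the whole range is zero.
 */
static int
is_zero(const uint8_t *p, unsigned int len)
{
	return len == 0 || (p[0] == 0 && memcmp(p, p + 1, len - 1) == 0);
}

/*
 * Apply the options selected in params->flags to the parameter block at
 * bpp, which lives inside a bootstrap image held in memory.
 *
 * The block's own bp_length (capped at sizeof(struct x86_boot_params))
 * decides how many bytes are read from and written back to bpp.
 *
 * Returns 0 on success and 1 on failure - note this is the opposite sense
 * to i386_setboot()/i386_editboot().  On failure bpp is left unmodified.
 */
static int
update_i386_boot_params(ib_params *params, struct x86_boot_params *bpp)
{
	struct x86_boot_params bp;
	uint32_t bplen;
	size_t i;

	bplen = le32toh(bpp->bp_length);
	if (bplen > sizeof bp)
		/* Ignore pad space in bootxx */
		bplen = sizeof bp;

	/* Take (and update) local copy so we handle size mismatches */
	memset(&bp, 0, sizeof bp);
	memcpy(&bp, bpp, bplen);

	if (params->flags & IB_TIMEOUT)
		bp.bp_timeout = htole32(params->timeout);
	/* RESETVIDEO, MODULES and BOOTCONF toggle (xor) the stored bit. */
	if (params->flags & IB_RESETVIDEO)
		bp.bp_flags ^= htole32(X86_BP_FLAGS_RESET_VIDEO);
	if (params->flags & IB_CONSPEED)
		bp.bp_conspeed = htole32(params->conspeed);
	if (params->flags & IB_CONSADDR)
		bp.bp_consaddr = htole32(params->consaddr);
	if (params->flags & IB_CONSOLE) {
		for (i = 0; i < __arraycount(consoles); i++)
			if (strcmp(consoles[i].name, params->console) == 0)
				break;

		if (i == __arraycount(consoles)) {
			warnx("invalid console name, valid names are:");
			(void)fprintf(stderr, "\t%s", consoles[0].name);
			for (i = 1; i < __arraycount(consoles); i++)
				(void)fprintf(stderr, ", %s", consoles[i].name);
			(void)fprintf(stderr, "\n");
			return 1;
		}
		bp.bp_consdev = htole32(consoles[i].dev);
	}
	if (params->flags & IB_PASSWORD) {
		if (params->password[0]) {
			/*
			 * bp_password receives the plain MD5 digest of the
			 * password string; nothing else is mixed in here.
			 * NOTE(review): the digest is stored in the boot
			 * area this tool writes, so read access to that
			 * area exposes it - treat the boot password as a
			 * weak control and restrict read access to the
			 * device accordingly.
			 */
			MD5_CTX md5ctx;
			MD5Init(&md5ctx);
			MD5Update(&md5ctx, params->password,
			    strlen(params->password));
			MD5Final(bp.bp_password, &md5ctx);
			bp.bp_flags |= htole32(X86_BP_FLAGS_PASSWORD);
		} else {
			/* An empty password clears the digest and the flag. */
			memset(&bp.bp_password, 0, sizeof bp.bp_password);
			bp.bp_flags &= ~htole32(X86_BP_FLAGS_PASSWORD);
		}
	}
	if (params->flags & IB_KEYMAP)
		/* strlcpy() truncates an over-long keymap name silently. */
		strlcpy(bp.bp_keymap, params->keymap, sizeof bp.bp_keymap);
	if (params->flags & IB_MODULES)
		bp.bp_flags ^= htole32(X86_BP_FLAGS_NOMODULES);
	if (params->flags & IB_BOOTCONF)
		bp.bp_flags ^= htole32(X86_BP_FLAGS_NOBOOTCONF);

	if (params->flags & (IB_NOWRITE | IB_VERBOSE))
		show_i386_boot_params(&bp);

	/*
	 * Check we aren't trying to set anything we can't save: every byte
	 * of the local copy beyond bplen must still be zero.
	 */
	if (!is_zero((const uint8_t *)&bp + bplen, sizeof bp - bplen)) {
		warnx("Patch area in stage1 bootstrap is too small");
		return 1;
	}
	memcpy(bpp, &bp, bplen);
	return 0;
}

/*
 * Install the stage1 bootstrap (params->s1fd) into the first 8k of
 * params->fsfd, preserving the existing mbr partition table, label sector
 * and (unless IB_FORCE is set) the old BIOS Parameter Block.
 *
 * Everything taken from the stage1 file and from the target's sector 0 is
 * validated before use: file size, magic number, the 'jmp xx; nop' header
 * and the BPB length byte.
 *
 * Returns 1 on success (or when IB_NOWRITE is set and all checks passed),
 * 0 on failure after printing a diagnostic.
 */
static int
i386_setboot(ib_params *params)
{
	unsigned int	u;
	ssize_t		rv;
	uint32_t	*magic, expected_magic;
	union {
	    struct mbr_sector	mbr;
	    uint8_t		b[8192];
	} disk_buf, bootstrap;

	assert(params != NULL);
	assert(params->fsfd != -1);
	assert(params->filesystem != NULL);
	assert(params->s1fd != -1);
	assert(params->stage1 != NULL);

	/*
	 * There is only 8k of space in a FFSv1 partition (and ustarfs)
	 * so ensure we don't splat over anything important.
	 */
	if (params->s1stat.st_size > (off_t)(sizeof bootstrap)) {
		warnx("stage1 bootstrap `%s' (%u bytes) is larger than 8192 bytes",
			params->stage1, (unsigned int)params->s1stat.st_size);
		return 0;
	}
	if (params->s1stat.st_size < 3 * 512 && params->s1stat.st_size != 512) {
		warnx("stage1 bootstrap `%s' (%u bytes) is too small",
			params->stage1, (unsigned int)params->s1stat.st_size);
		return 0;
	}

	/* Read in the existing disk header and boot code */
	rv = pread(params->fsfd, &disk_buf, sizeof (disk_buf), 0);
	if (rv != sizeof(disk_buf)) {
		if (rv == -1)
			warn("Reading `%s'", params->filesystem);
		else
			warnx("Reading `%s': short read, %ld bytes"
			    " (should be %ld)", params->filesystem, (long)rv,
			    (long)sizeof(disk_buf));
		return 0;
	}

	if (disk_buf.mbr.mbr_magic != le16toh(MBR_MAGIC)) {
		if (params->flags & IB_VERBOSE) {
			printf(
		    "Ignoring PBR with invalid magic in sector 0 of `%s'\n",
			    params->filesystem);
		}
		/* Discard the untrusted sector 0 so nothing is copied from it. */
		memset(&disk_buf, 0, 512);
	}

	/*
	 * Read the new bootstrap code.
	 * Clear the buffer first: the file may be shorter than the buffer,
	 * and for a 512-byte bootstrap the parameter block handling below
	 * may read beyond the end of the file data, which would otherwise
	 * be uninitialised stack memory.
	 */
	memset(&bootstrap, 0, sizeof bootstrap);
	rv = pread(params->s1fd, &bootstrap, params->s1stat.st_size, 0);
	if (rv != params->s1stat.st_size) {
		if (rv == -1)
			warn("Reading `%s'", params->stage1);
		else
			warnx("Reading `%s': short read, %ld bytes"
			    " (should be %ld)", params->stage1, (long)rv,
			    (long)params->s1stat.st_size);
		return 0;
	}

	/*
	 * The bootstrap code is either 512 bytes for booting FAT16, or best
	 * part of 8k (with bytes 512-1023 all zeros).
	 */
	if (params->s1stat.st_size == 512) {
		/* Magic number is at end of pbr code */
		magic = (void *)(bootstrap.b + 512 - 16 + 4);
		expected_magic = htole32(X86_BOOT_MAGIC_FAT);
	} else {
		/* Magic number is at start of sector following label */
		magic = (void *)(bootstrap.b + 512 * 2 + 4);
		expected_magic = htole32(X86_BOOT_MAGIC_1);
		/*
		 * For a variety of reasons we restrict our 'normal' partition
		 * boot code to a size which enable it to be used as mbr code.
		 * IMHO this is bogus (dsl).
		 */
		if (!is_zero(bootstrap.b + 512-2-64, 64)) {
			warnx("Data in mbr partition table of new bootstrap");
			return 0;
		}
		if (!is_zero(bootstrap.b + 512, 512)) {
			warnx("Data in label part of new bootstrap");
			return 0;
		}
		/* Copy mbr table and label from existing disk buffer */
		memcpy(bootstrap.b + 512-2-64, disk_buf.b + 512-2-64, 64);
		memcpy(bootstrap.b + 512, disk_buf.b + 512, 512);
	}

	/* Validate the 'magic number' that marks the parameter block */
	if (*magic != expected_magic) {
		warnx("Invalid magic in stage1 bootstrap %x != %x",
			*magic, expected_magic);
		return 0;
	}

	/*
	 * If the partition has a FAT (or NTFS) filesystem, then we must
	 * preserve the BIOS Parameter Block (BPB).
	 * It is also very likely that there isn't 8k of space available
	 * for (say) bootxx_msdos, and that blindly installing it will trash
	 * the FAT filesystem.
	 * To avoid this we check the number of 'reserved' sectors to ensure
	 * that there is enough space.
	 * Unfortunately newfs(8) doesn't (yet) splat the BPB (which is
	 * effectively the FAT superblock) when a filesystem is initialised
	 * so this code tends to complain rather too often.
	 * Specifying 'installboot -f' will delete the old BPB info.
	 */
	if (!(params->flags & IB_FORCE)) {
		#define USE_F ", use -f (may invalidate filesystem)"
		/*
		 * For FAT compatibility, the pbr code starts 'jmp xx; nop'
		 * followed by the BIOS Parameter Block (BPB).
		 * The 2nd byte (jump offset) is the size of the nop + BPB.
		 */
		if (bootstrap.b[0] != 0xeb || bootstrap.b[2] != 0x90) {
			warnx("No BPB in new bootstrap %02x:%02x:%02x" USE_F,
				bootstrap.b[0], bootstrap.b[1], bootstrap.b[2]);
			return 0;
		}

		/*
		 * Find size of old BPB, and copy into new bootcode
		 *
		 * The 2nd byte (b[1]) contains jmp short relative offset.
		 * If it is zero or some invalid input that is smaller than 9,
		 * it will cause overflow and call is_zero() with enormous size.
		 * Add a paranoid check to prevent this scenario.
		 *
		 * Verify that b[0] contains JMP (0xeb) and b[2] NOP (0x90).
		 */
		if (disk_buf.b[0] == 0xeb && disk_buf.b[1] >= 9 &&
		    disk_buf.b[2] == 0x90 &&
		    !is_zero(disk_buf.b + 3 + 8, disk_buf.b[1] - 1 - 8)) {
			struct mbr_bpbFAT16 *bpb = (void *)(disk_buf.b + 3 + 8);
			/* Check enough space before the FAT for the bootcode */
			u = le16toh(bpb->bpbBytesPerSec)
			    * le16toh(bpb->bpbResSectors);
			if (u != 0 && u < params->s1stat.st_size) {
				warnx("Insufficient reserved space before FAT "
					"(%u bytes available)" USE_F, u);
				return 0;
			}
			/* Check we have enough space for the old bpb */
			if (disk_buf.b[1] > bootstrap.b[1]) {
				/* old BPB is larger, allow if extra zeros */
				if (!is_zero(disk_buf.b + 2 + bootstrap.b[1],
				    disk_buf.b[1] - bootstrap.b[1])) {
					warnx("Old BPB too big" USE_F);
					return 0;
				}
				u = bootstrap.b[1];
			} else {
				/* Old BPB is shorter, leave zero filled */
				u = disk_buf.b[1];
			}
			if (params->s1start != 0)
				/* Fixup physical offset of filesystem */
				bpb->bpbHiddenSecs = htole32(params->s1start);
			/* u is a single byte value here, so at most 255. */
			memcpy(bootstrap.b + 2, disk_buf.b + 2, u);
		}
		#undef USE_F
	}

	/*
	 * Fill in any user-specified options into the
	 *	struct x86_boot_params
	 * that follows the magic number.
	 * See sys/arch/i386/stand/bootxx/bootxx.S for more information.
	 */
	if (update_i386_boot_params(params, (void *)(magic + 1)))
		return 0;

	if (params->flags & IB_NOWRITE) {
		return 1;
	}

	/* Copy new bootstrap data into disk buffer, ignoring label area */
	memcpy(&disk_buf, &bootstrap, 512);
	if (params->s1stat.st_size > 512 * 2) {
		memcpy(disk_buf.b + 2 * 512, bootstrap.b + 2 * 512,
		    params->s1stat.st_size - 2 * 512);
		/* Zero pad to 512 byte sector boundary */
		memset(disk_buf.b + params->s1stat.st_size, 0,
			(8192 - params->s1stat.st_size) & 511);
	}

	return write_boot_area(params, disk_buf.b, sizeof disk_buf.b);
}

/*
 * Edit the boot parameters of a bootstrap that is already installed on
 * params->fsfd: locate the parameter block in one of the first four
 * 512-byte sectors, update it and write that sector back.
 *
 * The write-back uses plain pwrite(), not pwrite_validate(), so it is not
 * read-verified.
 *
 * Returns 1 on success (or when IB_NOWRITE is set and the update was
 * accepted), 0 on failure after printing a diagnostic.
 */
static int
i386_editboot(ib_params *params)
{
	int		retval;
	uint8_t		buf[512];
	ssize_t		rv;
	uint32_t	magic;
	uint32_t	offset;
	struct x86_boot_params	*bpp;

	assert(params != NULL);
	assert(params->fsfd != -1);
	assert(params->filesystem != NULL);

	retval = 0;

	/*
	 * Read in the existing bootstrap.
	 * Look in any of the first 4 sectors.
	 */

	bpp = NULL;
	for (offset = 0; offset < 4 * 512; offset += 512) {
		rv = pread(params->fsfd, &buf, sizeof buf, offset);
		if (rv == -1) {
			warn("Reading `%s'", params->filesystem);
			goto done;
		} else if (rv != sizeof buf) {
			warnx("Reading `%s': short read", params->filesystem);
			goto done;
		}

		/* Magic number is 4 bytes in (to allow for a jmps) */
		/* Also allow any of the magic numbers. */
		/*
		 * Copy the word out instead of dereferencing a cast pointer:
		 * buf is a byte array with no alignment guarantee.
		 */
		memcpy(&magic, buf + 4, sizeof magic);
		magic = le32toh(magic) | 0xf;
		if (magic != (X86_BOOT_MAGIC_1 | 0xf))
			continue;

		/*
		 * The parameters are just after the magic number.
		 * NOTE(review): bpp points into the byte buffer; this
		 * presumably relies on struct x86_boot_params tolerating
		 * that alignment - confirm against its declaration.
		 */
		bpp = (void *)(buf + 8);
		break;
	}
	if (bpp == NULL) {
		warnx("Invalid magic in existing bootstrap");
		goto done;
	}

	/*
	 * Fill in any user-specified options into the
	 *	struct x86_boot_params
	 * that's 8 bytes in from the start of the third sector.
	 * See sys/arch/i386/stand/bootxx/bootxx.S for more information.
	 */
	if (update_i386_boot_params(params, bpp))
		goto done;

	if (params->flags & IB_NOWRITE) {
		retval = 1;
		goto done;
	}

	/*
	 * Write boot code back (offset still names the sector that matched).
	 */
	rv = pwrite(params->fsfd, buf, sizeof buf, offset);
	if (rv == -1) {
		warn("Writing `%s'", params->filesystem);
		goto done;
	} else if (rv != sizeof buf) {
		warnx("Writing `%s': short write, %zd bytes (should be %zu)",
		    params->filesystem, rv, sizeof(buf));
		goto done;
	}

	retval = 1;

 done:
	return retval;
}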