7463 Commits

Author SHA1 Message Date
Michael Brown d98278a177 [ci] Include latest iPXE shim in build artifacts
Prepare for the possibility of creating ISO and USB disk images that
support UEFI Secure Boot by downloading the Microsoft-signed binaries
from the latest release of the iPXE shim.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-18 18:54:37 +00:00
Michael Brown 80639a6ca8 [ci] Use ipxe-builder-utils container for combined BIOS/UEFI images
We currently use the ipxe-signer container for the step that combines
the BIOS and UEFI build artifacts to produce the multi-architecture
ISO and USB images.

Switch to using the generic architecture-independent utility toolchain
container, thereby allowing the ipxe-signer container to minimise its
attack surface by removing tools that are not required for the signing
operation.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-18 00:27:59 +00:00
Michael Brown 93fc2123c3 [ci] Include CA certificate file alongside signed binaries
Include the relevant CA certificate in the UEFI Secure Boot build
artifacts.  This allows for easy identification of test-signed builds
without having to extract the certificate from the signed binary.

This also eases the process of adding the ephemeral test-signing
certificate to the UEFI trusted certificate list, if a user wants to
test a non-release build with Secure Boot enabled.  (The corresponding
private key is deliberately not preserved, to minimise the attack
surface that this would otherwise open up on the user's system.)

Include the commit hash and build architecture within the ephemeral
test-signing certificate's subject name, to make it obvious that the
scope is limited to signing only that single build.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-17 16:29:20 +00:00
Michael Brown a956c5feac [ci] Allow for manually triggered workflow runs
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-17 14:15:45 +00:00
Michael Brown 21b5bd8406 [ci] Add support for building UEFI Secure Boot signed binaries
Add a job that takes the bin-x86_64-efi-sb and bin-arm64-efi-sb build
artifacts and signs them for UEFI Secure Boot.

The hardware token containing the trusted signing key is attached to a
dedicated self-hosted GitHub Actions runner.  Only tagged release
versions (and commits on the "sbsign" testing branch) will be signed
on this dedicated runner.  All other commits will be signed on a
standard GitHub hosted runner using an ephemeral test certificate that
is not trusted for UEFI Secure Boot.

No other work is done as part of the signing job.  The iPXE source
code is not even checked out, minimising any opportunity to grant
untrusted code access to the hardware token.

The hardware token password is held as a deployment environment
secret, with the environment being restricted to allow access only for
tagged release versions (and commits on the "sbsign" testing branch)
to provide an additional layer of security.

The signing certificates and intermediate certificates are obtained
from the iPXE Secure Boot CA repository, with the certificate selected
via deployment environment variables.

To minimise hidden state held on the self-hosted runner, the pcscd
service is run via a service container, with the hardware token passed
in via "--devices /dev/bus/usb".

Select the deployment environment name (and hence runner tag) via a
repository variable SBSIGN_ENVIRONMENT, so that forks do not attempt
to start jobs on a non-existent self-hosted runner.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-15 22:50:12 +00:00
Michael Brown 1d23d5a037 [ci] Schedule Coverity Scan run via GitHub Actions
Trigger the daily Coverity Scan submission via a GitHub Actions
schedule (or via a manual workflow run), rather than relying on an
external process pushing to the "coverity_scan" branch.

Since the scheduled workflow will run even on forks of the repository,
add a check to cause the submission to be skipped if the relevant
secret is not configured.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-13 23:49:47 +00:00
Michael Brown 2161e976cd [build] Include USB drivers in the all-drivers build by default
Including USB drivers has some unavoidable side effects.  With a BIOS
firmware, attaching the host controller drivers will necessarily
disable the SMM-based USB legacy support which emulates a PS/2
keyboard.  With a UEFI firmware, loading the host controller drivers
may disconnect some of the less compliant vendor USB device drivers.

We have historically erred on the side of caution and avoided
including any USB drivers in the all-drivers build.  Time has moved
on, USB NICs have become more common (especially for laptops, which
now rarely include physical Ethernet ports), and the UEFI Secure Boot
model makes it prohibitively difficult for users to compile their own
binaries to add support for non-default drivers.

Switch to including USB drivers by default in the all-drivers build.
Provide a fallback build target that matches the existing driver set
(i.e. excluding any USB drivers) and can be built using e.g.:

   make bin/ipxe-legacy.iso

   make bin-x86_64-efi/ipxe-legacy.efi

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-13 18:36:14 +00:00
Michael Brown ae8e23a452 [build] Handle all driver list construction via parserom.pl
Handle construction of the EFI, Linux, Xen, and VMBus driver build
rules via parserom.pl to ensure consistency.  In particular, this
allows those drivers to appear in the DRIVERS_SECBOOT list used to
filter out non-permitted drivers in a Secure Boot build.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-13 14:16:44 +00:00
Michael Brown c9158cb32c [build] Mark Xen HVM files as permitted for UEFI Secure Boot
The Xen netfront driver and the core architecture-independent files
such as xenstore.c and xenbus.c are already marked as permitted for
UEFI Secure Boot, but the x86-specific HVM driver (which attaches to
the PCI device and instantiates the Xen devices) is not.

Review the HVM-specific files and mark them as permitted for UEFI
Secure Boot.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-13 14:06:00 +00:00
Michael Brown 7caee4489d [ci] Include Linux userspace build artifacts
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-12 23:24:06 +00:00
Michael Brown 6dc991d078 [slirp] Disable warnings for uncleanly deprecated libslirp functions
libslirp introduced a new API for constructing polling lists, to
accommodate Windows platforms where a handle descriptor may be too
large for an int.

Older versions of libslirp do not have the new API calls, and the
older API calls were immediately marked as deprecated, with no
overlap.  We would therefore need to use #ifdef and always have some
code that is deliberately not compiled, depending on the version of
libslirp that we find on the user's system.  This is highly
undesirable.

Work around this by disabling the deprecation warning (which is what
libslirp itself does for the portions of its code that necessarily
touch the deprecated functions).

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-12 15:47:32 +00:00
Michael Brown 25429d952d [build] Include PCI drivers only in BIOS and UEFI builds
We currently have no PCI bus abstractions for Linux userspace or for
RISC-V SBI.  Limit PCI drivers to being included in the all-drivers
build only for BIOS and UEFI platforms.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-12 13:29:06 +00:00
Michael Brown 3f12b8b1cf [build] Include devicetree drivers in the SBI all-drivers build
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-12 13:29:06 +00:00
Michael Brown 81da1a1b6c [dt] Add DT_ROM() and DT_ID() macros
Add DT_ROM() and DT_ID() macros following the pattern for PCI_ROM()
and PCI_ID(), to allow for the possibility of including devicetree
network devices within the "all-drivers" build of iPXE.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-12 13:29:06 +00:00
Michael Brown 5669c4d52e [build] Include Xen and Hyper-V drivers only in x86 BIOS and UEFI builds
The Xen and Hyper-V drivers cannot be included in the Linux userspace
build since they require MMIO accesses.  Limit these drivers to being
included in the all-drivers build only for BIOS and UEFI platforms.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-12 13:08:06 +00:00
Michael Brown 0992d9b560 [build] Include Linux network drivers in the Linux all-drivers build
Include all three of the Linux-specific network drivers (af_packet,
slirp, and tap) in the all-drivers Linux userspace build.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-12 12:50:18 +00:00
Michael Brown 6e56f7ff25 [linux] Remove unused can_probe field from driver definition
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-12 12:50:18 +00:00
Michael Brown 8a1dd58502 [build] Include ISA drivers only in 32-bit BIOS builds
ISA hardware is vanishingly unlikely to be encountered in anything
other than pre-64-bit x86 hardware with a BIOS firmware.  Exclude the
ISA drivers from all other builds.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-12 11:44:37 +00:00
Michael Brown cc4a9df971 [ci] Include Secure Boot build artifacts
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-11 23:14:30 +00:00
Michael Brown cf350b8eb7 [build] Filter out non-permitted drivers for UEFI Secure Boot
The all-drivers targets (e.g. ipxe.efi) cannot currently be used in a
Secure Boot build since the permissibility check will (correctly) fail
due to the inclusion of non-permitted drivers.

In a Secure Boot build, filter the all-drivers list to include only
the subset of drivers that are marked as being permitted for UEFI
Secure Boot.

Note that this automatic filter is a convenience shortcut: it is not
the enforcement mechanism.  The filter exists only to provide a
meaningful definition for the otherwise unusable all-drivers targets
in Secure Boot builds.  The enforcement mechanism remains the
permissibility check introduced in commit 1d5b1d9 ("[build] Fail Secure
Boot builds unless all files are permitted").

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-11 22:51:19 +00:00
Michael Brown 7a2817bbd7 [build] Drag in Xen and Hyper-V support via network device drivers
Include Xen and Hyper-V support in the all-drivers build by dragging
in the netfront and netvsc drivers, since these are the functional
drivers that provide network interfaces.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-11 22:02:23 +00:00
Michael Brown 99a9e6e431 [build] Construct driver rules for USB devices
Parse USB_ROM() lines to create build rules to allow for e.g.

  make bin/smsc9500.usb

(i.e. using the driver name as a build target, rather than having to
use the source file name).

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-11 17:34:33 +00:00
Michael Brown e783adcfd4 [build] Construct driver lists for each bus type
Include the underlying bus type (e.g. "pci" or "isa") within the lists
constructed to describe the available drivers, to allow for the
possibility that platforms may want to define a platform-specific
subset of drivers to be present in the all-drivers build.  For
example, non-x86 platforms such as RISC-V SBI do not need to include
the ISA network drivers since the corresponding hardware cannot ever
be present on a RISC-V system.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-11 17:10:57 +00:00
Michael Brown 1523512198 [build] Allow PCI_ROM() and ISA_ROM() to span multiple lines
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-11 16:28:41 +00:00
Michael Brown 4d6c8ab443 [usb] Add USB_ROM() and USB_ID() macros
Add USB_ROM() and USB_ID() macros following the pattern for PCI_ROM()
and PCI_ID(), to allow for the possibility of including USB network
devices within the "all-drivers" build of iPXE.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-11 16:07:12 +00:00
Michael Brown 481e043116 [librm] Work around two errata in the 386's "popal" instruction
Detailed experiments show that at least one model of 386 CPU has a
previously undocumented errata in the "popal" instruction.
Specifically: when the stack-address size is 16 bits and the operand
size is 32 bits, the "popal" instruction will erroneously load the
high 16 bits of %esp from the value stored on the stack.

The "movl -20(%esp), %esp" instruction near the end of virt_call()
currently relies on the assumption that the high 16 bits of %esp will
already be zero, since they were set to zero by the "movzwl %bp, %esp"
instruction at the end of prot_to_real() and will not have been
subsequently modified by the "popal".  This 386 CPU errata invalidates
that assumption, with the result that we end up loading the stack
pointer from an essentially undefined memory location.

Fix by inserting a "movzwl %sp, %esp" after the "popal" to explicitly
zero the high 16 bits of %esp.

Inserting this instruction also happens to work around another (known
and documented) errata in the 386, in which the CPU may malfunction if
"popal" is followed immediately by an instruction that uses a base
address register to form an effective address.

Debugged-by: Jaromir Capik <jaromir.capik@email.cz>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-10 10:29:54 +00:00
Michael Brown cd9b44e574 [syslog] Allow port number to be specified for encrypted syslog server
The original implementation in commit 943b300 ("[syslog] Add basic
support for encrypted syslog via TLS") was based on examples found in
the rsyslog documentation rather than on RFC 5425, and unfortunately
used the default syslog port number 514 rather than the syslog-tls
port number 6514 defined in the RFC.

Extend parsing of the syslog server name to allow for an optional port
number (in the relatively intuitive format "server[:port]").  Retain
the existing (and incorrect) default port number to avoid breaking
backwards compatibility with existing setups.

Reported-by: Christian Nilsson <nikize@gmail.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-09 12:32:11 +00:00
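
The "server[:port]" parsing described in the commit above, as an added example (not iPXE's own code and not taken from this commit). The names parse_syslog_server() and syslog_port_for() are hypothetical, the default of 514 comes from the commit message, and rejecting names that contain more than one colon is an assumption of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Default retained for backwards compatibility, per the commit message.
 * The syslog-tls port defined in RFC 5425 (6514) must be given explicitly. */
#define SYSLOGS_LEGACY_PORT 514
#define MAX_PORT 65535UL

/* Hypothetical helper (not an iPXE function): split "server[:port]".
 * Outputs are written only on success.  Returns 0, or -1 if malformed. */
int parse_syslog_server ( const char *spec, char *host, size_t host_len,
			  unsigned int *port ) {
	const char *colon = strchr ( spec, ':' );
	size_t name_len = ( colon ? ( size_t ) ( colon - spec ) : strlen ( spec ) );
	unsigned long value = SYSLOGS_LEGACY_PORT;
	char *end;

	/* Server name must be present and must fit the caller's buffer */
	if ( ( name_len == 0 ) || ( name_len >= host_len ) )
		return -1;
	if ( colon ) {
		/* Assumption: a second colon (e.g. a bare IPv6 address) is
		 * rejected rather than guessed at */
		if ( strchr ( colon + 1, ':' ) )
			return -1;
		/* Require a leading digit: strtoul() alone would accept
		 * leading whitespace, a sign, or an empty string */
		if ( ( colon[1] < '0' ) || ( colon[1] > '9' ) )
			return -1;
		errno = 0;
		value = strtoul ( colon + 1, &end, 10 );
		/* Reject overflow, trailing junk, and out-of-range ports */
		if ( errno || ( *end != '\0' ) || ( value == 0 ) ||
		     ( value > MAX_PORT ) )
			return -1;
	}
	memcpy ( host, spec, name_len );
	host[name_len] = '\0';
	*port = ( unsigned int ) value;
	return 0;
}

/* Convenience wrapper: port selected for a spec, or 0 if rejected */
unsigned int syslog_port_for ( const char *spec ) {
	char host[256];
	unsigned int port;

	if ( parse_syslog_server ( spec, host, sizeof ( host ), &port ) != 0 )
		return 0;
	return port;
}

int main ( void ) {
	/* Constructed sample inputs */
	static const char *samples[] = {
		"logs.example.com", "logs.example.com:6514",
		"logs.example.com:", "logs.example.com:65536", ":6514",
	};
	size_t i;

	for ( i = 0 ; i < ( sizeof ( samples ) / sizeof ( samples[0] ) ) ; i++ )
		printf ( "%-24s -> %u\n", samples[i],
			 syslog_port_for ( samples[i] ) );
	return 0;
}
```

Because the legacy default is retained, a setup that expects the RFC 5425 port has to name it explicitly, as in the constructed "logs.example.com:6514" input.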
Michael Brown 362b704f83 [ci] Include supported network device list in build artifacts
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-05 16:49:45 +00:00
Michael Brown 18fab8dd84 [loong64] Fix error identifier generation for LoongArch64
The initial code contribution from Loongson defined ASM_NO_PREFIX as
being "a" for this architecture.  This seems to result in small values
such as error line numbers being rendered as "$r0, <value>" rather
than just "<value>".

This seems to hit an undocumented behaviour path in the GNU assembler.
For some reason ".long $r0" is not treated as a syntax error but will
instead be treated as a zero value.  The net effect is therefore that
an extra zero value is emitted before the line number in the einfo
structure, which in turn causes the error information parser to see
all source code line numbers as zero.  (The overall structure remains
valid since the length and all string offsets are encoded within the
structure itself, so nothing breaks when a spurious extra integer
field is appended.)

Fix by setting ASM_NO_PREFIX to the empty string (as for RISC-V),
since there are no literal value prefixes anyway in LoongArch64
assembly.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-05 13:45:19 +00:00
Michael Brown 12b279b4c7 [ci] Include error identifier list in build artifacts
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-05 12:18:33 +00:00
Michael Brown 95e756569a [pci] Ignore invalid subordinate bus numbers
Some systems (observed on a Dell C6615) fail to correctly populate the
subordinate PCI bus number on some PCI bridges.  We do not currently
guard against this behaviour, causing us to subsequently scan through
a huge expanse of the PCI bus:dev.fn address range.

Fix by ignoring the subordinate bus number if it is lower than the
bridge's own bus number.

Reported-by: Anisse Astier <an.astier@criteo.com>
Reported-by: Ahmad Mahagna <ahmhad@nvidia.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-05 12:09:59 +00:00
Michael Brown aa06a76eb8 [ci] Show rolling release publication URL
Construct and show the URL for the workflow runs that are triggered to
publish the rolling release binaries.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-04 16:23:55 +00:00
Michael Brown c18d895704 [efi] Cache identified PCI root bridge I/O protocol handle
Reduce the overhead of PCI configuration space accesses (and the
verbosity of debug messages) by caching the identified PCI root bridge
I/O protocol handle for the most recently accessed PCI device.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-04 14:10:27 +00:00
Christian Nilsson 30d162ddd1 [uri] Ensure "##params=" separator is correct
Signed-off-by: Christian Nilsson <nikize@gmail.com>
Modified-by: Michael Brown <mcb30@ipxe.org>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-03 19:21:12 +00:00
Michael Brown 59c67e1110 [ci] Run tests on pull requests
The automated tests that are run in the GitHub Actions workflow are
now as comprehensive as those that are run manually.  Run tests on
pull requests as well as pushes, since the results are now
meaningfully informative.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-03 19:04:38 +00:00
Michael Brown 5abbcab909 [build] Mark MS-CHAPv2 as permitted for UEFI Secure Boot
MS-CHAPv2 and the underlying DES algorithm are cryptographically
obsolete, but still relatively widely used.  There is no impact to
UEFI Secure Boot from using these obsolete algorithms: the only
untrusted inputs are the username, password, and received network
packets, and all of these are thoroughly validated before use.

Review these files and mark them as permitted for UEFI Secure Boot.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-03 16:02:19 +00:00
Michael Brown 9106130f62 [build] Ensure dependencies of version.c are always rebuilt as expected
The core/version.c file is built into multiple objects (since it
incorporates the build target name such as "snponly.efi"), and is
handled separately from the standard build rules.

Add the missing line (taken from the standard build rules template) to
ensure that the dependency file is itself updated when the
dependencies change.

In particular, this ensures that the dependencies for core/version.c
will be updated when switching named configurations.

Reported-by: Christian I. Nilsson <ChristianN@2PintSoftware.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-03 10:20:10 +00:00
Christian I. Nilsson a565e18f39 [build] Exclude local named config headers from annotation checks
Commit dee71adda ("[build] Exclude external files from annotation
checks") excluded local top-level config headers from annotation
checks, but not local named config headers.

These are generated if missing when building with CONFIG= and will
most of the time be empty.  Exclude these files from the list of
annotated files used to perform licensing and UEFI Secure Boot
eligibility checks.

Non-local named config headers intended to be used with Secure Boot
can be annotated with FILE_SECBOOT().

Signed-off-by: Christian I. Nilsson <ChristianN@2PintSoftware.com>
Modified-by: Michael Brown <mcb30@ipxe.org>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-03 09:59:42 +00:00
Michael Brown b05a045b41 [ci] Publish rolling release binaries via https://boot.ipxe.org
The boot.ipxe.org website is now hosted on GitHub Pages and built via
a GitHub Actions workflow.  The rolling release binaries are fetched
from the build artifacts created by this repository.

Remove the rolling release tag mechanism, and instead trigger a
workflow run on the boot.ipxe.org repository to publish the updated
binaries.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-01 23:05:40 +00:00
Michael Brown 74e0551ac2 [ci] Publish rolling release build artifacts with stable URLs
Publish the binaries built from commits on the master branch under
stable URLs such as:

  https://github.com/ipxe/ipxe/releases/download/rolling/bin/undionly.kpxe

Since filenames such as "ipxe.iso" may exist in each of several build
directories, we implement this as one release tag per build directory.
The GitHub Actions workflow automatically moves the tag to the most
recent commit and overwrites the existing release assets.

One downside of this is that running a local "git log" or similar may
show a large number of uninformative tags of the form "rolling/bin",
"rolling/bin-x86_64-efi", "rolling-arm64-efi", etc, all pointing at
the most recent commit.  This clutter may be hidden using:

  git config --local log.excludeDecoration refs/tags/rolling/*

To avoid the unintentional creation of rolling release tags on forks,
we skip the whole publication job unless the environment variable
ROLLING_PREFIX is defined.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-30 00:03:35 +00:00
Michael Brown e855c4c642 [ci] Produce combined BIOS/UEFI ISO and USB images
Use util/genfsimg to combine the 64-bit BIOS and all UEFI builds into
a single multi-architecture image in both ISO and USB formats.

Include an editable autoexec.ipxe script (that matches the default
iPXE behaviour) in the USB image, so that users can just mount and
edit this file.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-29 14:51:35 +00:00
Michael Brown 8e10974c8c [ci] Upload a selection of build artifacts from each run
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-28 20:44:04 +00:00
Michael Brown dee71adda8 [build] Exclude external files from annotation checks
External files such as embedded scripts or X.509 certificates are not
expected to include source file annotations such as FILE_LICENCE() or
FILE_SECBOOT().  Exclude these external files from the list of
annotated files used to perform licensing and UEFI Secure Boot
eligibility checks.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-28 19:44:09 +00:00
Michael Brown 301b1ecf2b [build] Mark compressed image tools as permitted for UEFI Secure Boot
Some older distributions (such as RHEL 8) provide their AArch64
kernels as gzip-compressed EFI binaries (with no self-decompressing
EFI stub present).  We therefore enable support for gzip images by
default for arm64 EFI builds.

Review the files used to implement the gzip (and zlib) formats and
mark these as permitted for UEFI Secure Boot.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-28 16:34:57 +00:00
Michael Brown c07fb71a91 [build] Mark FDT management tools as permitted for UEFI Secure Boot
An EFI build of iPXE does not directly make use of a flattened device
tree (FDT) itself, but may pass on a device tree that the user chose
to download using the "fdt" command.

Review the simple files used to implement the "fdt" command and mark
these as permitted for UEFI Secure Boot.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-28 16:20:51 +00:00
Michael Brown 6b17d320db [build] Mark core arm64 files as permitted for UEFI Secure Boot
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-28 15:44:58 +00:00
Michael Brown f1bcd160ac [xen] Update to latest stable release headers
Update to the headers from the latest Xen stable release, and mark all
imported headers as permitted for UEFI Secure Boot.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-28 15:26:11 +00:00
Michael Brown 8e31ac9fc3 [build] Mark dummy architecture headers as permitted for UEFI Secure Boot
The dummy header files in include/bits/*.h are placeholders for
architectures that do not need to define any architecture-specific
functionality in these areas.  Mark these trivial files as permitted
for UEFI Secure Boot.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-28 13:55:45 +00:00
Michael Brown 40c2db9d67 [build] Mark direct kernel loading as forbidden for UEFI Secure Boot
Our long-standing policy for EFI platforms is that we support invoking
binary executables only via the LoadImage() and StartImage() boot
services calls, so that all security policy decisions are delegated to
the platform firmware.

Most binary executable formats that we support are BIOS-only and
cannot in any case be linked in to an EFI executable.  The only
cross-platform format is the generic Linux kernel image format as used
for RISC-V (and potentially also for AArch64).

Mark all files associated with direct loading of a kernel binary as
explicitly forbidden for UEFI Secure Boot.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-28 13:38:20 +00:00
Michael Brown 4db03054d5 [build] Mark GDB stub as forbidden for UEFI Secure Boot
Enabling the GDB debugger functionality would provide an immediate and
trivial Secure Boot exploit.  Mark all GDB-related files as explicitly
forbidden for UEFI Secure Boot.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-28 13:20:38 +00:00