* [gentoo-commits] repo/gentoo:master commit in: sys-apps/opal-utils/files/, sys-apps/opal-utils/
@ 2020-10-21 12:36 Georgy Yakovlev
0 siblings, 0 replies; only message in thread
From: Georgy Yakovlev @ 2020-10-21 12:36 UTC (permalink / raw
To: gentoo-commits
commit: 6da9c430a836ad94eea3baf732ccb16ab50adc04
Author: Georgy Yakovlev <gyakovlev <AT> gentoo <DOT> org>
AuthorDate: Wed Oct 21 12:09:04 2020 +0000
Commit: Georgy Yakovlev <gyakovlev <AT> gentoo <DOT> org>
CommitDate: Wed Oct 21 12:10:00 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6da9c430
sys-apps/opal-utils: add noexec devtmpfs patch for opal-prd
Package-Manager: Portage-3.0.8, Repoman-3.0.2
Signed-off-by: Georgy Yakovlev <gyakovlev <AT> gentoo.org>
sys-apps/opal-utils/files/devtmpfs-noexec.patch | 87 ++++++++++++++++++++++
sys-apps/opal-utils/opal-utils-6.6.3-r1.ebuild | 95 +++++++++++++++++++++++++
2 files changed, 182 insertions(+)
diff --git a/sys-apps/opal-utils/files/devtmpfs-noexec.patch b/sys-apps/opal-utils/files/devtmpfs-noexec.patch
new file mode 100644
index 00000000000..45e97308a1f
--- /dev/null
+++ b/sys-apps/opal-utils/files/devtmpfs-noexec.patch
@@ -0,0 +1,87 @@
+From 47005e8d4c9aeda5826c17c4a013cfbda1a3f2de Mon Sep 17 00:00:00 2001
+From: Georgy Yakovlev <gyakovlev@gentoo.org>
+Date: Mon, 12 Oct 2020 14:29:17 -0700
+Subject: [PATCH] opal-prd: handle devtmpfs mounted with noexec
+
+On systems using recent versions of systemd /dev (devtmpfs) is mounted with
+noexec option. Such mount prevents mapping HBRT image code region as RWX
+from /dev. This commit, as suggested in github PR linked below, attempts to
+work around the situation by copying HBRT image to anon mmaped memory
+region and sets mprotect rwx on it, allowing opal-prd to sucessfully
+execute the code region.
+
+Having memory region set as RWX is not ideal for security, but fixing that
+is a separate and hard to solve problem. Original code also mmaped region
+as RWX, so this PR does not make things worse at least.
+
+Closes: https://github.com/open-power/skiboot/issues/258
+Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
+Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
+[oliver: whitespace fix, add a comment, reflow commit message]
+Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
+---
+ external/opal-prd/opal-prd.c | 36 ++++++++++++++++++++++++++++++++++--
+ 1 file changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/external/opal-prd/opal-prd.c b/external/opal-prd/opal-prd.c
+index d74d80398d..12269e8ebb 100644
+--- a/external/opal-prd/opal-prd.c
++++ b/external/opal-prd/opal-prd.c
+@@ -973,7 +973,9 @@ static int map_hbrt_file(struct opal_prd_ctx *ctx, const char *name)
+ static int map_hbrt_physmem(struct opal_prd_ctx *ctx, const char *name)
+ {
+ struct prd_range *range;
++ int rc;
+ void *buf;
++ void *ro_buf;
+
+ range = find_range(name, 0);
+ if (!range) {
+@@ -981,15 +983,45 @@ static int map_hbrt_physmem(struct opal_prd_ctx *ctx, const char *name)
+ return -1;
+ }
+
+- buf = mmap(NULL, range->size, PROT_READ | PROT_WRITE | PROT_EXEC,
++ ro_buf = mmap(NULL, range->size, PROT_READ,
+ MAP_PRIVATE, ctx->fd, range->physaddr);
+- if (buf == MAP_FAILED) {
++ if (ro_buf == MAP_FAILED) {
+ pr_log(LOG_ERR, "IMAGE: mmap(range:%s, "
+ "phys:0x%016lx, size:0x%016lx) failed: %m",
+ name, range->physaddr, range->size);
+ return -1;
+ }
+
++ buf = mmap(NULL, range->size, PROT_READ | PROT_WRITE,
++ MAP_SHARED | MAP_ANONYMOUS, -1 , 0);
++ if (buf == MAP_FAILED) {
++ pr_log(LOG_ERR, "IMAGE: anon mmap(size:0x%016lx) failed: %m",
++ range->size);
++ return -1;
++ }
++
++ memcpy(buf, ro_buf, range->size);
++
++ rc = munmap(ro_buf, range->size);
++ if (rc < 0) {
++ pr_log(LOG_ERR, "IMAGE: munmap("
++ "phys:0x%016lx, size:0x%016lx) failed: %m",
++ range->physaddr, range->size);
++ return -1;
++ }
++
++ /*
++ * FIXME: We shouldn't be mapping the memory as RWX, but HBRT appears to
++ * require the ability to write into the image at runtime.
++ */
++ rc = mprotect(buf, range->size, PROT_READ | PROT_WRITE | PROT_EXEC);
++ if (rc < 0) {
++ pr_log(LOG_ERR, "IMAGE: mprotect(phys:%p, "
++ "size:0x%016lx, rwx) failed: %m",
++ buf, range->size);
++ return -1;
++ }
++
+ ctx->code_addr = buf;
+ ctx->code_size = range->size;
+ return 0;
diff --git a/sys-apps/opal-utils/opal-utils-6.6.3-r1.ebuild b/sys-apps/opal-utils/opal-utils-6.6.3-r1.ebuild
new file mode 100644
index 00000000000..5dca4f59dc1
--- /dev/null
+++ b/sys-apps/opal-utils/opal-utils-6.6.3-r1.ebuild
@@ -0,0 +1,95 @@
+# Copyright 2019-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{6,7,8} )
+
+inherit linux-info python-any-r1 systemd toolchain-funcs
+
+DESCRIPTION="OPAL firmware utilities"
+HOMEPAGE="https://github.com/open-power/skiboot"
+SRC_URI="https://github.com/open-power/skiboot/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 GPL-2+"
+SLOT="0"
+KEYWORDS="~ppc64"
+IUSE="doc"
+
+DEPEND=""
+RDEPEND="${DEPEND}"
+BDEPEND="doc? (
+ $(python_gen_any_dep '
+ dev-python/sphinx[${PYTHON_USEDEP}]
+ dev-python/recommonmark[${PYTHON_USEDEP}]
+ ')
+)"
+
+CONFIG_CHECK="~MTD_POWERNV_FLASH ~OPAL_PRD ~PPC_DT_CPU_FTRS ~SCOM_DEBUGFS"
+ERROR_MTD_POWERND_FLASH="CONFIG_MTD_POWERND_FLASH is required to use pflash and opal-gard"
+ERROR_OPAL_PRD="CONFIG_OPAL_PRD is required to run opal-prd daemon"
+ERROR_SCOM_DEBUGFS="CONFIG_SCOM_DEBUGFS is required to use xscom-utils"
+
+S="${WORKDIR}/skiboot-${PV}"
+
+PATCHES=(
+ "${FILESDIR}/flags.patch"
+ "${FILESDIR}/devtmpfs-noexec.patch"
+)
+
+python_check_deps() {
+ has_version "dev-python/recommonmark[${PYTHON_USEDEP}]" &&
+ has_version "dev-python/sphinx[${PYTHON_USEDEP}]"
+}
+
+pkg_setup() {
+ linux-info_pkg_setup
+ use doc && python-any-r1_pkg_setup
+}
+
+src_configure() {
+ tc-export CC LD
+ export OPAL_PRD_VERSION="${PV}"
+ export GARD_VERSION="${PV}"
+ export PFLASH_VERSION="${PV}"
+ export XSCOM_VERSION="${PV}"
+ export FFSPART_VERSION="${PV}"
+}
+
+src_compile() {
+ emake V=1 -C external/opal-prd
+ emake V=1 -C external/gard
+ emake V=1 -C external/pflash
+ emake V=1 -C external/xscom-utils
+ emake V=1 -C external/ffspart
+
+ use doc && emake V=1 -C doc html
+}
+
+src_install() {
+ emake -C external/opal-prd DESTDIR="${D}" prefix="${EPREFIX}/usr" install
+ emake -C external/gard DESTDIR="${D}" prefix="${EPREFIX}/usr" install
+ emake -C external/pflash DESTDIR="${D}" prefix="${EPREFIX}/usr" install
+ emake -C external/xscom-utils DESTDIR="${D}" prefix="${EPREFIX}/usr" install
+ dosbin external/ffspart/ffspart
+
+ newinitd "${FILESDIR}"/opal-prd.initd opal-prd
+ newconfd "${FILESDIR}"/opal-prd.confd opal-prd
+
+ systemd_dounit external/opal-prd/opal-prd.service
+
+ if use doc; then
+ rm -r doc/_build/html/_sources || die
+ local HTML_DOCS=( doc/_build/html/. )
+ fi
+ einstalldocs
+}
+
+src_test() {
+ emake V=1 -C external/opal-prd test
+ emake V=1 -C external/gard check
+ # this test is fragile and fails because of filename path
+ rm external/pflash/test/tests/01-info || die
+ emake V=1 -C external/pflash check
+ emake V=1 -C external/ffspart check
+}
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2020-10-21 12:36 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-10-21 12:36 [gentoo-commits] repo/gentoo:master commit in: sys-apps/opal-utils/files/, sys-apps/opal-utils/ Georgy Yakovlev
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox