Ed Maste [Wed, 13 Apr 2022 20:00:56 +0000 (16:00 -0400)]
ssh: update to OpenSSH v8.9p1
Release notes are available at https://www.openssh.com/txt/release-8.9
Some highlights:
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting forwarding and use of keys added to ssh-agent(1)
* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
default KEXAlgorithms list (after the ECDH methods but before the
prime-group DH ones). The next release of OpenSSH is likely to
make this key exchange the default method.
* sshd(8), portable OpenSSH only: this release removes in-built
support for MD5-hashed passwords. If you require these on your
system then we recommend linking against libxcrypt or similar.
A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation

e1000: Try auto-negotiation for fixed 100 or 10 configuration
Currently if an e1000 interface is set to a fixed media configuration,
for gigabit, it will participate in auto-negotiation as required by
IEEE 802.3-2018 Clause 37. However, if set to fixed media configuration
for 100 or 10, it does NOT participate in auto-negotiation.
By my reading of Clauses 28 and 37, while auto-negotiation is optional
for 100 and 10, it is not prohibited and is, in fact, "highly
recommended".
This patch enables auto-negotiation for fixed 100 and 10 media
configuration, in a similar manner to that already performed for 1000.
I.e., the patch enables advertising of just the manually configured
settings with the goal of allowing the remote end to match the manually
configured settings if it has them available.
To be clear, this patch does NOT allow an em(4) interface that has been
manually configured with specific media settings to respond to
auto-negotiation by then configuring different parameters to those that
were manually configured. The intent of this patch is to fully comply
with the requirements of Clause 37, but for 100 and 10.
The need for this has arisen on an em(4) link where the other end is
under a different administrative control and is set to full
auto-negotiation. Due to the cable length GigE is not working well. It
is desired to set the em(4) end to "media 100baseTX mediatype
full-duplex" which does work when both ends are configured that way.
Currently, because em(4) does not participate in autoneg for this
setting, the remote defaults to half-duplex - i.e., there's a duplex
mismatch and things don't work. With this patch, em(4) would inform the
remote that it has only 100baseTX full, the remote would match that and
it will work.

Mark Johnston [Wed, 13 Apr 2022 14:47:08 +0000 (10:47 -0400)]
libsysdecode: Fix decoding of Capsicum rights
Capsicum rights are a bit tricky since some of them are subsets of
others, and one can have rights R1 and R2 such that R1 is a subset of
R2, but there is no collection of named rights whose union is R2. So,
they don't behave like most other flag sets. sysdecode_cap_rights(3)
does not handle this properly and so can emit misleading decodings.
Try to fix all of these problems:
- Include composite rights in the caprights table.
- Use a constructor to sort the caprights table such that "larger"
rights appear first and thus are matched first.
- Don't print rights that are a subset of rights already printed, so as
to minimize the length of the output.
- Print a trailing message if some of the specific rights are not
matched by the table.
PR: 263165
Reviewed by: pauamma_gundo.com (doc), jhb, emaste
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34874
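An added illustration of the four decoding rules listed in the commit message above; this is not libsysdecode's code, and it uses a constructed `uint64_t` bitmask model in place of `cap_rights_t`. The right names, the composite shapes (`PREAD = READ|SEEK`, `PWRITE = WRITE|SEEK`, mirroring `CAP_PREAD`/`CAP_PWRITE`) and the popcount-based notion of "larger" are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed bitmask model standing in for cap_rights_t; not FreeBSD's
 * real representation. PREAD/PWRITE are composites, like CAP_PREAD/CAP_PWRITE. */
#define R_READ   (1ULL << 0)
#define R_WRITE  (1ULL << 1)
#define R_SEEK   (1ULL << 2)
#define R_FCNTL  (1ULL << 3)
#define R_PREAD  (R_READ | R_SEEK)
#define R_PWRITE (R_WRITE | R_SEEK)

struct right { const char *name; uint64_t bits; };

/* Unsorted, as a hand-written table would be; composites are included (rule 1). */
static struct right table[] = {
	{ "READ", R_READ }, { "WRITE", R_WRITE }, { "SEEK", R_SEEK },
	{ "FCNTL", R_FCNTL }, { "PREAD", R_PREAD }, { "PWRITE", R_PWRITE },
};
#define NTABLE (sizeof(table) / sizeof(table[0]))

/* "Larger" rights (more bits) first so composites match before their parts (rule 2). */
static int larger_first(const void *a, const void *b)
{
	const struct right *ra = a, *rb = b;
	int d = __builtin_popcountll(rb->bits) - __builtin_popcountll(ra->bits);
	return d != 0 ? d : strcmp(ra->name, rb->name);
}

/* Decode `rights` into out as "A,B,...". Returns the number of names emitted and
 * stores the bits no table entry accounted for in *unmatched (rule 4). */
size_t decode_rights(uint64_t rights, char *out, size_t outlen, uint64_t *unmatched)
{
	static int sorted;	/* stands in for the constructor that sorts the table once */
	if (!sorted) { qsort(table, NTABLE, sizeof(table[0]), larger_first); sorted = 1; }

	uint64_t printed = 0;
	size_t n = 0, used = 0;
	out[0] = '\0';
	for (size_t i = 0; i < NTABLE; i++) {
		const struct right *r = &table[i];
		if ((rights & r->bits) != r->bits)
			continue;	/* not all of this right is present */
		if ((r->bits & ~printed) == 0)
			continue;	/* subset of rights already printed (rule 3) */
		if (used < outlen)
			used += snprintf(out + used, outlen - used, "%s%s", n ? "," : "", r->name);
		printed |= r->bits;
		n++;
	}
	*unmatched = rights & ~printed;
	return n;
}
```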
Rick Macklem [Wed, 13 Apr 2022 14:43:13 +0000 (07:43 -0700)]
nfscl: Clean up the code by removing unused arguments
The "void *stuff" (also called fstuff and dstuff) argument
was used by the Mac OSX port. For FreeBSD, this argument
is always NULL, so remove it to clean up the code.
This commit gets rid of "stuff" for nfscl_loadattrcache().
Future commits will do the same for other functions.

loader: userboot: provide a getsecs() implementation
We don't need it for userboot, but it avoids issues with BIND_NOW, so
just provide it. time(3) isn't defined but ends up being provided by
libc linked into the host process, which is generally fine.

Printing device followed by interface matches, e.g., edk2. Note that
this is only a fallback, many firmware implementations will provide the
protocol that we'll use to format device paths.

This device is present on the Allwinner D1-based SoCs. Without this
driver, the watchdog timeout will trigger a reset a few seconds after
control is given to the kernel.

Milan Obuch [Thu, 7 Apr 2022 13:04:18 +0000 (10:04 -0300)]
cgem: support SGMII PHY connection mode
As the PolarFire SoC needs SGMII to connect the PHY, check the
'phy-mode' property of device tree node for ethernet and act on it
appropriately.
Add the compatible strings for the PolarFire SoC device tree.
'microchip,mpfs-mss-gem' is not officially documented but has been
observed in the available firmware for this platform, so it is included
for now.

Milan Obuch [Thu, 7 Apr 2022 12:57:25 +0000 (09:57 -0300)]
cgem: rework hardware quirk detection
Rather than doing these checks based on the detected hardware variant, allow
quirks to be specified as a set of flags for each compatible string.
This simplifies adding support for new compatible hardware.

John Baldwin [Tue, 12 Apr 2022 21:58:59 +0000 (14:58 -0700)]
netgraph: Remove the rethook parameter from NG_NODE_FOREACH_HOOK.
This parameter was set to the hook that terminated the iteration
early. However, none of the remaining callers used this argument and
it was always set to an otherwise-unused variable.

John Baldwin [Tue, 12 Apr 2022 21:58:59 +0000 (14:58 -0700)]
llan: Remove unused variables.
In theory the errors during llan_attach should be handled, but other
errors in llan_attach (e.g. bus_setup_intr) are already ignored, so
just remove the unused variable to preserve the status quo.

Add new French bépo keyboard layout (version 1.1rc2) normalized by
French national organization for standardization as "NF Z71‐300"
PR: 160227
Approved by: emaste
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D34886

John Baldwin [Tue, 12 Apr 2022 17:05:45 +0000 (10:05 -0700)]
Remove checks for __GNUCLIKE_ASM assuming it is always true.
All supported compilers (modern versions of GCC and clang) support
this.
Many places didn't have an #else so would just silently do the wrong
thing. Ancient versions of icc (the original motivation for this) are
no longer a compiler FreeBSD supports.

John Baldwin [Tue, 12 Apr 2022 17:05:39 +0000 (10:05 -0700)]
x86: Remove silly checks for <sys/cdefs.h>.
These headers #include <sys/cdefs.h> right after checking if it has
already been #included. The nested #include already existed when the
check for _SYS_CDEFS_H_ was added, so the check shouldn't have been
added in the first place.

David Bright [Tue, 12 Apr 2022 16:15:06 +0000 (09:15 -0700)]
Extend the length of dirpath to fix failure in kyua test
When an overlength path is set as the temporary directory for test
case sys/audit/inter-process:shm_unlink_success, the test will fail,
e.g.
```
root@freebsd:/usr/tests/sys/audit # env TMPDIR=/var/tmp/tests/kyua kyua test inter-process:shm_unlink_success
inter-process:shm_unlink_success -> failed: shm_unlink.*fileforaudit.*return,success not found in auditpipe within the time limit [10.452s]
Results file id is usr_tests_sys_audit.20220412-221852-924310
Results saved to /root/.kyua/store/results.usr_tests_sys_audit.20220412-221852-924310.db
0/1 passed (1 failed)
```
The root cause is that dirpath is defined too small to handle it.
Reviewers: vangyzen, dab
Differential Revision: https://reviews.freebsd.org/D34885
Submitted by: Yongbo Yao (yongbo.yao@dell.com)
Sponsored by: Dell Technologies

udp: allow udp_tun_func_t() to indicate it did not eat the packet
Allow udp tunnel functions to indicate they have not taken ownership of
the packet, and that normal UDP processing should continue.
This is especially useful for scenarios where the kernel has taken
ownership of a socket that was originally created by userspace. It
allows the tunnel function to pass through certain packets for userspace
processing.
The primary user of this is if_ovpn, when it receives messages from
unknown peers (which might be a new client).

Roger Pau Monné [Thu, 17 Mar 2022 13:40:19 +0000 (14:40 +0100)]
xen/acpi: upload Cx and Px data to Xen
When FreeBSD is running as dom0 (initial domain) on a Xen system it
has access to the native ACPI tables and is the OSPM. However the
hypervisor is the entity in charge of the CPU idle and frequency
states, and in order to perform this duty it requires information
found in the ACPI dynamic tables that can only be parsed by the OSPM.
Introduce a new Xen specific ACPI driver to fetch the Processor
related information and upload it to Xen. Note that this driver needs
to take precedence over the generic ACPI CPU driver when running as
dom0, so downgrade the probe score of the native driver to
BUS_PROBE_DEFAULT in order for the Xen specific driver to use
BUS_PROBE_SPECIFIC.
Tested on an Intel NUC to successfully parse and upload both the Cx and
Px states to Xen.

Little refactoring to complete the conversion to bsddialog(3),
no functional changes:
* Delete: remaining code for autosizing using BSDDIALOG_AUTOSIZE.
* Add: constants to delete magical numbers and to avoid unclear
returned values.
* Delete: redundant 'conf.button.default_cancel=false', performed by
bsddialog_initconf().
* Add: a new function message_zoneinfo_file() to merge features.

Adam Wolk [Mon, 11 Apr 2022 22:23:43 +0000 (00:23 +0200)]
protect.1: document existence of _oomprotect
Improve discoverability of the functionality by mentioning it in the
userland tool manual. Add a SEE ALSO entry to rc.conf(5) where more
details are provided.