From 1258293a25d43550426545c4e77382616f706598 Mon Sep 17 00:00:00 2001 From: "Simon J. Gerraty" Date: Fri, 10 Apr 2020 05:13:15 +0000 Subject: [PATCH] veloader use vectx API for kernel and modules The vectx API, computes the hash for verifying a file as it is read. This avoids the overhead of reading files twice - once to verify, then again to load. For doing an install via loader, avoiding the need to rewind large files is critical. This API is only used for modules, kernel and mdimage as these are the biggest files read by the loader. The reduction in boot time depends on how expensive the I/O is on any given platform. On a fast VM we see 6% improvement. For install via loader the first file to be verified is likely to be the kernel, so some of the prep work (finding manifest etc) done by verify_file() needs to be factored so it can be reused for vectx_open(). For missing or unrecognized fingerprint entries, we fail in vectx_open() unless verifying is disabled. Otherwise fingerprint check happens in vectx_close() and since this API is only used for files which must be verified (VE_MUST) we panic if we get an incorrect hash. MFC of r358811 Reviewed by: imp,tsoome Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org//D23827 --- stand/liblua/lstd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stand/liblua/lstd.c b/stand/liblua/lstd.c index 8efdaf7256b..12675842f65 100644 --- a/stand/liblua/lstd.c +++ b/stand/liblua/lstd.c @@ -83,7 +83,7 @@ fopen(const char *filename, const char *mode) #ifdef LOADER_VERIEXEC /* only regular files and only reading makes sense */ if (S_ISREG(st.st_mode) && !(m & O_WRONLY)) { - if (verify_file(fd, filename, 0, VE_GUESS) < 0) { + if (verify_file(fd, filename, 0, VE_GUESS, __func__) < 0) { free(f); close(fd); return (NULL); -- 2.45.0