From 32ca39b78e588ed74b96f070d8b58a3dd9179015 Mon Sep 17 00:00:00 2001
From: sjg <sjg@FreeBSD.org>
Date: Mon, 9 Mar 2020 16:02:54 +0000
Subject: [PATCH] veloader use vectx API for kernel and modules

The vectx API, computes the hash for verifying a file as it is read.
This avoids the overhead of reading files twice - once to verify, then
again to load.

For doing an install via loader, avoiding the need to rewind
large files is critical.

This API is only used for modules, kernel and mdimage as these are the
biggest files read by the loader.
The reduction in boot time depends on how expensive the I/O is
on any given platform.  On a fast VM we see 6% improvement.

For install via loader the first file to be verified is likely to be the
kernel, so some of the prep work (finding manifest etc) done by
verify_file() needs to be factored so it can be reused for
vectx_open().

For missing or unrecognized fingerprint entries, we fail
in vectx_open() unless verifying is disabled.

Otherwise fingerprint check happens in vectx_close() and
since this API is only used for files which must be verified
(VE_MUST) we panic if we get an incorrect hash.

Reviewed by:	imp,tsoome
MFC after:	1 week
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org//D23827
---
 stand/ficl/fileaccess.c   | 2 +-
 stand/i386/loader/chain.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/stand/ficl/fileaccess.c b/stand/ficl/fileaccess.c
index b5e993b02dc..9dd23f9d34b 100644
--- a/stand/ficl/fileaccess.c
+++ b/stand/ficl/fileaccess.c
@@ -69,7 +69,7 @@ static void ficlFopen(FICL_VM *pVM, char *writeMode) /* ( c-addr u fam -- fileid
     else
 #ifdef LOADER_VERIEXEC
 	if (*mode == 'r' &&
-	    verify_file(fileno(f), filename, 0, VE_GUESS) < 0) {
+	    verify_file(fileno(f), filename, 0, VE_GUESS, __func__) < 0) {
 	    fclose(f);
 	    stackPushPtr(pVM->pStack, NULL);
 	} else
diff --git a/stand/i386/loader/chain.c b/stand/i386/loader/chain.c
index 96d029f4818..d4e3936e13d 100644
--- a/stand/i386/loader/chain.c
+++ b/stand/i386/loader/chain.c
@@ -95,7 +95,7 @@ command_chain(int argc, char *argv[])
 	}
 #else
 #ifdef LOADER_VERIEXEC
-	if (verify_file(fd, argv[1], 0, VE_MUST) < 0) {
+	if (verify_file(fd, argv[1], 0, VE_MUST, __func__) < 0) {
 		sprintf(command_errbuf, "can't verify: %s", argv[1]);
 		close(fd);
 		return (CMD_ERROR);
-- 
2.45.0