The bootloader will now load the /boot/random.seed file if it exists, in
which case the kernel will use it as the initial kernel entropy. The kernel
warns if no random seed was loaded, unless the --no-random-seed option was
given. This option is used for live environments that inherently have no
prior secret state. The kernel initializes its entropy pool from the random
seed as of the first things, so randomness is available very early on.
init(8) will emit a fresh /boot/random.seed file on boot to avoid the same
entropy being used twice. init(8) also writes out /boot/random.seed on
system shutdown where the system has the most entropy. init(8) will warn if
writing the file fails, except if /boot is a real-only filesystem, and
keeping such state is impossible. The system administrator is then
responsible for ensuring the bootloader somehow passes a fresh random seed
on the next boot.
/boot/random.seed must be owned by the root user and root group and must
have file permissions 600 to avoid unprivileged users can read it. The file
is passed to the kernel by the bootloader as a multiboot module with the
command line --random-seed.
If no random seed is loaded, the kernel attempts a poor quality fallback
where it seeds the kernel arc4random(3) continuously with the current time.
The timing variance may provide some effective entropy. There is no real
kernel entropy gathering yet. The read of the CMOS real time clock is moved
to an early point in the kernel boot, so the current time is available as
fallback entropy.
The kernel access of the random seed module is supposed to be infallible
and happens before the kernel log is set up, but there is not yet a failsafe
API for mapping single pages in the early kernel.
sysupgrade(8) creates /boot/random.seed if it's absent as a temporary
compatibility measure for people upgrading from the 1.0 release. The GRUB
port will need to be upgraded with support for /boot/random.seed in the
10_sortix script. Installation with manual bootloader configuration will
need to load the random seed with the --random-seed command line. With GRUB,
this can be done with: module /boot/random.seed --random-seed
Add short options for most long options. Rename the -i option to -H, but
support -i for compatibility until the next release cycle, where -i will
become the short option of --identifier. Rename --include to --headers
and support --include until the next release cycle.
Add carray(1) manual page which makes --help unnecessary, and remove
--version as it surely matches your local Sortix version.
This change hardens against invalid calls to sigreturn, which is a very
useful gadget when compromising a process. The system call now verifies
it is a real return from a signal and aborts the process otherwise. This
should render such attacks impossible in threads that are not servicing a
signal, and infeasible in threads that are handling signals they are yet to
return from.
The kernel now keeps track for each thread how many signals are being
handled but haven't returned yet.
Each thread now has a random signal value. It is re-randomized when the
thread handles a signal and the current signal counter is zero. This is
xorred with the context address and used as canary on the stack during
signal dispatch, protecting the saved context on the stack. This works
mostly like the regular stack protector.
The kernel now keeps track of the stack pointer for a single handled
signal per thread. It doesn't seem worth it to keep track of multiple
handled signals, as more than one is rare. Note that each delivered signal
will not necessarily result in a sigreturn because it is valid for a thread
to longjmp(3) out of a signal handler to a valid jmp_buf.
The sigreturn system call will abort if either:
- It was not called from the kernel sigreturn page.
- The thread is not currently processing a signal.
- The thread is processing a single signal, and the stack pointer did not
have the expected value.
- It fails to read the context on the stack.
- The canary is wrong.
This properly avoids problems where the compiler is unaware that this is the
implementation and assumes it can rely on the implementation. For instance,
it might implement calloc using a call to calloc.
Restructure the code that wrongly assumed __STDC_HOSTED__ meant userspace.
This system call has five arguments, of which one is a 64-bit uid_t, and
another is a 64-bit gid_t, which means that 7 registers are needed. However,
x86 only has 5 registers available for system calls. Wrap the system call
with a structure like with mmap(2).
I hereby relicense all my work on Sortix under the ISC license as below.
All Sortix contributions by other people are already under this license,
are not substantial enough to be copyrightable, or have been removed.
All imported code from other projects is compatible with this license.
All GPL licensed code from other projects had previously been removed.
Copyright 2011-2016 Jonas 'Sortie' Termansen and contributors.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The debugger has fallen behind and has become a maintenance burden. It was
the only user of the old kernel US layout system, which is good to get rid
of. The debugger didn't work with graphical output and was likely to
conflict with the new keyboard system if used, which no longer triggered it.
The kernel symbol code was removed to simplify the kernel.
The kernel debugger was an useful debugging feature, but it needs to be done
in a better way before it can be added back.
This is reportedly a problem with some emulated PS/2 controllers.
glauxosdever reported his computer responds 0x50 0x00 instead of just 0x00.
OpenBSD has commented out this check in sys/dev/ic/pckbc.c, claiming it's a
problem with some controllers and that some might even hang.
I doubt not testing ports is going to be a problem, as the identitication
code runs next and verifies devices and all relevant modern hardware
probably has this working well enough.
Enable the NX bit on x86_64 and set if not PROT_EXEC and enable the write
protection mode (CR0.WP) that disables the default behavior where the kernel
is able to write to read-only memory. Fix kernel broken assumptions it can
access read-only memory and take care to never set PROT_KWRITE on user-space
pages unless PROT_WRITE is also set, otherwise user-space will be able to
write to read-only memory.
This achieves X^W in the whole system except for the core kernel itself as
it is currently don't know the purpose of pages when identity mapping the
first 4 MiB.