Jiri B | 15 Apr 15:05 2015

compilation fails on openbsd

Hi,

I reported on irc but no big success.

I tried to build ipxe on OpenBSD 5.7 amd64 (recent -current snapshot)
and I used following git commit:

# since https://git.ipxe.org/ipxe.git/commit/86ae6e6c1836e43993a14db278398fc54e5419bd
# newer binutils are needed otherwise compilation fails
GH_COMMIT =     04c1ea81709b3de2658331761eb94843110c165f

So I can't use newer than 86ae6e6c1836e43993a14db278398fc54e5419bd but the
previous one fails as well :(

Help would be appreciated as I'd like to use ipxe to install securely
on an OpenStack env where I cannot trust their tftp etc...

Stuff used:
OpenBSD 5.7-current (GENERIC.MP) #903: Thu Apr  2 13:47:34 MDT 2015
ipxe 04c1ea81709b3de2658331761eb94843110c165f
binutils version 2.23.52.0.1-30.el7_1.1 20130226 (not possible to use higher version)
gcc-4.8.4p2

j.

~~~
gcc  -DARCH=i386 -DPLATFORM=pcbios -march=i386 -fomit-frame-pointer -fstrength-reduce
-falign-jumps=1 -falign-loops=1 -falign-functions=1 -mpreferred-stack-boundary=2 -mregparm=3
-mrtd -freg-struct-return -m32 -fshort-wchar -Ui386 -Ulinux -DNVALGRIND -Iinclude -I.
-Iarch/x86/include -Iarch/i386/include -Iarch/i386/include/pcbios -Os -g -ffreestanding -Wall -W

Gerd Hoffmann | 14 Apr 09:28 2015

[RESEND PATCH] [efi] make load file protocol optional

The load file implementation added by commit
c7c3d839fc9120aee28de9aabe452dc85ad91502 doesn't support loading
arbitrary files from the tftp server, so efi applications trying
to do exactly that fail to boot:

  iPXE 1.0.0+ (17ace) -- Open Source Network Boot Firmware -- http://ipxe.org
  Features: HTTP DNS TFTP EFI Menu

  net0: 52:54:00:47:d3:07 using virtio-net on PCI00:09.0 (open)
    [Link:up, TX:0 TXE:0 RX:13 RXE:2]
    [RXE: 2 x "Operation not supported (http://ipxe.org/3c086083)"]
  Configuring (net0 52:54:00:47:d3:07)...... ok
  net0: 192.168.132.93/255.255.255.0 gw 192.168.132.1
  Next server: 192.168.132.1
  Filename: shim.efi
  tftp://192.168.132.1/shim.efi... ok
  Failed to open grubx64.efi - Not Found
  Failed to load image grubx64.efi: Not Found
  Failed to open MokManager.efi - Not Found
  Failed to load image MokManager.efi: Not Found
  Could not boot image: Error 0x7f04828e (http://ipxe.org/7f04828e)

  Boot Failed. EFI Network

This is not acceptable for qemu.  efi pxe configurations which work
just fine with real hardware must work with qemu virtual machines too.

This patch adds a config option for the load file protocol
implementation, to allow it being disabled, so we can turn it off
for the pxe roms shipped with qemu.

Gerd Hoffmann | 14 Apr 09:27 2015

[RESEND PATCH] efi_snp: improve compliance with the EFI_SIMPLE_NETWORK_PROTOCOL spec

From: Laszlo Ersek <lersek@...>

The efi_snp interface dates back to 2008, when the GetStatus() interface
must have been seriously under-specified. The UEFI Specification (2.4)
specifies EFI_SIMPLE_NETWORK_PROTOCOL in detail however. In short:

- the Transmit() interface is assumed to link (not copy) the SNP client's
  buffer and return at once (without blocking), taking ownership of the
  buffer temporarily;

- the GetStatus() interface releases one of the completed (transmitted or
  internally copied) buffers back to the caller. If there are several
  completed buffers, it is unspecified which one is returned.

The EFI build of the grub boot loader actually verifies the buffer address
returned by GetStatus(), therefore in efi_snp we must at least fake the
queueing of client buffers. This patch doesn't track client buffers
together with the internally queued io_buffer structures, we consider a
client buffer recyclable as soon as we make a deep copy of it and queue
the copy internally.

Signed-off-by: Laszlo Ersek <lersek@...>
Signed-off-by: Gerd Hoffmann <kraxel@...>
---
 src/include/ipxe/efi/efi_snp.h |  6 +++++
 src/interface/efi/efi_snp.c    | 54 ++++++++++++++++++++++++------------------
 2 files changed, 37 insertions(+), 23 deletions(-)

diff --git a/src/include/ipxe/efi/efi_snp.h b/src/include/ipxe/efi/efi_snp.h
index a18bced..863a81a 100644

Laszlo Ersek | 10 Apr 21:53 2015

[PATCH 0/2] virtio-net shutdown fix for ExitBootServices()

While exercising OVMF PXE booting with the iPXE SNP drivers, with the
patches under [1] applied, a memory layout dependent bug emerged. I
first mistook it for a qemu regression [2], but ultimately it turned
out to be an iPXE issue.

[1] http://lists.ipxe.org/pipermail/ipxe-devel/2015-April/004063.html
[2] http://thread.gmane.org/gmane.comp.bios.tianocore.devel/13548/focus=13701

Cc: Michael Brown <mcb30@...>
Cc: Stefan Hajnoczi <stefanha@...>
Cc: Gerd Hoffmann <kraxel@...>
Cc: BALATON Zoltan <balaton@...>

Laszlo Ersek (2):
  virtio-net: downgrade iobuf-level debug messages to DBGC2
  virtio-net: reset virtio NICs when booting under UEFI

 src/drivers/net/virtio-net.c | 54 +++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 48 insertions(+), 6 deletions(-)

-- 
1.8.3.1

Nicolas Sylvain | 9 Apr 23:41 2015

Embedding certificates

Hello,

Since my firewall blocks pretty much everything, including ca.ipxe.org, I got around to making https connections with iPXE by mirroring ca.ipxe.org and using the crosscert command. Unfortunately, to make that work, I had to disable OCSP in the code.

I'd like to unfork my code, and to do that, I believe I need to create my own CA and cross signed certificates.

Right now I'm only accessing some resources hosted on Google servers. (appengine, google cloud storage). It seems like all those servers have certificates trusted by GeoTrust Global CA.

Here's what I tried to do:

1. Follow the instructions on http://ipxe.org/crypto to create my own CA

2. Download the Geotrust Global CA certs from http://ca.ipxe.org/raw/

3. Cross sign those certs using the instructions on the page above.

4. Build iPXE using :


 make bin/ipxe.usb EMBED=startup.ipxe CERT=geotrust-global-ca-2-cross.crt,geotrust-global-ca-cross.crt,ca.crt TRUST=ca.crt

Then during boot, on the first attempt at using https, I get this error : http://ipxe.org/err/0216eb


I also tried to pass the geotrust certs as-is on both CERT and TRUST, but that did not work either.

Any idea what I'm doing wrong? I assume it's pretty obvious, as I don't understand much about certificates yet...  but if you need more verbose logs, let me know and I can provide them.

Thanks

Nicolas




Alexander Todorov | 8 Apr 14:05 2015

RFE: update error page for LIO

Hi guys,
one of your error pages needs updating. Not sure how I can make this happen.

On http://ipxe.org/err/1d7045 there's this paragraph:

Note that the default configuration when Linux is the target is for the disk to 
be LUN 1. For example, use 
“iscsi:iscsi.example.com:::1:iqn.1992-01.com.example.iscsi:target” instead of 
“iscsi:iscsi.example.com::::iqn.1992-01.com.example.iscsi:target”. On your Linux 
iSCSI target, “tgtadm --lld iscsi --op show --mode target” will show you details of 
each target.

This all works great when the target system uses tgtd for example. But when it 
uses LIO (targetcli) then the default LUN is 0 not 1. I've just spent an hour 
trying to figure out why stuff doesn't work when I moved my iSCSI target onto 
a newer system. Changing :1: for :0: as the LUN number in the above syntax worked 
like a charm.

I propose to append the following text to this page:

Note: If your target is Linux-IO the default LUN number is 0 instead of 1!

--
Alex
_______________________________________________
ipxe-devel mailing list
ipxe-devel <at> lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel
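
The LUN mismatch described in this post can be checked mechanically. The following is an added example, not part of the original post or of iPXE: it parses the root-path syntax quoted above and compares the requested LUN with the first-disk LUN the post reports for tgtd and LIO. `parse_root_path`, `lun_warning` and `FIRST_DISK_LUN` are hypothetical names, and the rule that a blank LUN field means LUN 0 is taken from RFC 4173.

```python
from typing import NamedTuple, Optional

DEFAULT_PORT = 3260  # registered iSCSI TCP port
DEFAULT_LUN = 0      # assumption from RFC 4173: a blank LUN field means LUN 0

# LUN of the first exported disk, as reported in the post above.
FIRST_DISK_LUN = {"tgtd": 1, "lio": 0}


class IscsiRootPath(NamedTuple):
    server: str
    port: int
    lun: int
    target: str


def parse_root_path(root_path: str) -> IscsiRootPath:
    """Parse iscsi:<server>:<protocol>:<port>:<LUN>:<targetname>."""
    # The IQN contains ':' itself, so only the first five colons separate fields.
    fields = root_path.split(":", 5)
    if len(fields) != 6 or fields[0] != "iscsi":
        raise ValueError(f"not an iSCSI root path: {root_path!r}")
    _, server, _protocol, port, lun, target = fields
    if not server or not target:
        raise ValueError("server and target name are mandatory")
    if "-" in lun:
        # Assumption: only the short single-group LUN form is handled here.
        raise ValueError("multi-group LUN notation is outside this example")
    return IscsiRootPath(
        server=server,
        port=int(port) if port else DEFAULT_PORT,
        lun=int(lun, 16) if lun else DEFAULT_LUN,  # LUN field is hexadecimal
        target=target,
    )


def lun_warning(root_path: str, target_stack: str) -> Optional[str]:
    """Return a warning if the requested LUN is not the stack's first disk LUN."""
    parsed = parse_root_path(root_path)
    expected = FIRST_DISK_LUN[target_stack]
    if parsed.lun == expected:
        return None
    return (f"{parsed.target}: root path asks for LUN {parsed.lun}, "
            f"but the first disk on {target_stack} is LUN {expected}")


if __name__ == "__main__":
    # Root paths taken from the error-page text quoted in the post.
    for path in ("iscsi:iscsi.example.com:::1:iqn.1992-01.com.example.iscsi:target",
                 "iscsi:iscsi.example.com::::iqn.1992-01.com.example.iscsi:target"):
        for stack in FIRST_DISK_LUN:
            print(stack, path, "->", lun_warning(path, stack) or "ok")
```
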
Christian Hesse | 7 Apr 16:07 2015

[PATCH 1/1] [build] allow to build ISO image with EFI support (ipxe.eiso)

From: Christian Hesse <mail@...>

Signed-off-by: Christian Hesse <mail@...>
---
 src/arch/i386/Makefile.pcbios |  6 ++++++
 src/util/geniso               | 39 ++++++++++++++++++++++++++++++---------
 2 files changed, 36 insertions(+), 9 deletions(-)

diff --git a/src/arch/i386/Makefile.pcbios b/src/arch/i386/Makefile.pcbios
index ff82373..c7a58eb 100644
--- a/src/arch/i386/Makefile.pcbios
+++ b/src/arch/i386/Makefile.pcbios
 <at>  <at>  -59,6 +59,12  <at>  <at>  NON_AUTO_MEDIA	+= iso
 	$(QM)$(ECHO) "  [GENISO] $ <at> "
 	$(Q)ISOLINUX_BIN=$(ISOLINUX_BIN) VERSION="$(VERSION)" bash util/geniso -o $ <at>  $<

+# rule to make a non-emulation ISO boot image with EFI support
+NON_AUTO_MEDIA	+= eiso
+%eiso:	%lkrn bin-i386-efi/ipxe.efi bin-x86_64-efi/ipxe.efi util/geniso
+	$(QM)$(ECHO) "  [GENISO] $ <at> "
+	$(Q)ISOLINUX_BIN=$(ISOLINUX_BIN) VERSION="$(VERSION)" bash util/geniso -e -o $ <at>  $<
+
 # rule to make a floppy emulation ISO boot image
 NON_AUTO_MEDIA	+= liso
 %liso:	%lkrn util/geniso
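
Review bot: The `%eiso` prerequisites hard-code `bin-i386-efi/ipxe.efi` and `bin-x86_64-efi/ipxe.efi`, so the stem only selects the `.lkrn`; any target other than `ipxe.eiso` would pair its own BIOS image with the generic EFI binaries. Either restrict the rule to the one target named in the subject, or derive the EFI prerequisites from the stem and pass their paths to `util/geniso` as arguments instead of having the script assume them.
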
diff --git a/src/util/geniso b/src/util/geniso
index 521c929..998370d 100755
--- a/src/util/geniso
+++ b/src/util/geniso
 <at>  <at>  -6,16 +6,21  <at>  <at>  function help() {
 	echo "usage: ${0} [OPTIONS] foo.lkrn [bar.lkrn,...]"
 	echo
 	echo "where OPTIONS are:"
+	echo " -e	build image with EFI support"
 	echo " -h       show this help"
 	echo " -l       build legacy image with floppy emulation"
 	echo " -o FILE  save iso image to file"
 }

+EFI=0
 LEGACY=0
 FIRST=""

-while getopts "hlo:" opt; do
+while getopts "ehlo:" opt; do
 	case ${opt} in
+		e)
+			EFI=1
+			;;
 		h)
 			help
 			exit 0
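
Review bot: The new `-e` help line separates the flag from its description with a tab, while the `-h`, `-l` and `-o` lines around it pad with spaces, so the usage output will not line up; use spaces to match. The description could also mention the extra tools this option needs, since the rest of the patch calls xorriso and the mtools commands.
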
 <at>  <at>  -37,23 +42,24  <at>  <at>  if [ -z "${OUT}" ]; then
 	exit 1
 fi

-# There should either be mkisofs or the compatible genisoimage program
-for command in genisoimage mkisofs; do
+# We require xorriso (from libisoburn) for EFI support
+# genisoimage and mkisofs are missing some features
+for command in xorriso; do
 	if ${command} --version >/dev/null 2>/dev/null; then
-		mkisofs=(${command})
+		xorriso=(${command})
 		break
 	fi
 done

-if [ -z "${mkisofs}" ]; then
-	echo "${0}: mkisofs or genisoimage not found, please install or set PATH" >&2
+if [ -z "${xorriso}" ]; then
+	echo "${0}: xorriso not found, please install or set PATH" >&2
 	exit 1
 fi

 dir=$(mktemp -d bin/iso.dir.XXXXXX)
 cfg=${dir}/isolinux.cfg

-mkisofs+=(-quiet -l -volid "iPXE" -preparer "iPXE build system"
+xorriso+=(-as mkisofs -quiet -l -volid "iPXE" -preparer "iPXE build system"
 	-appid "iPXE ${VERSION} - Open Source Network Boot Firmware"
 	-publisher "http://ipxe.org/" -c boot.cat)

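
Review bot: Replacing the `genisoimage mkisofs` probe with `xorriso` alone makes xorriso a hard requirement for every ISO build, including the plain and legacy images that never pass `-e`. Keep the old fallback when `EFI` is 0 and require xorriso only for the EFI case; as written, the `for command in xorriso` loop over a single name could also be a plain check.
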
 <at>  <at>  -116,12 +122,27  <at>  <at>  case "${LEGACY}" in
 		fi

 		# generate the iso image
-		"${mkisofs[ <at> ]}" -b boot.img -output ${OUT} ${dir}
+		"${xorriso[ <at> ]}" -b boot.img -output ${OUT} ${dir}
 		;;
 	0)
 		# copy isolinux bootloader
 		cp ${ISOLINUX_BIN} ${dir}

+		xorriso+=(-b isolinux.bin -no-emul-boot -boot-load-size 4 -boot-info-table)
+
+		if [ "${EFI}" -eq 1 ]; then
+			# generate EFI image
+			img=${dir}/efiboot.img
+
+			mformat -f 2880 -C -i ${img} ::
+			mmd -i ${img} "::/EFI"
+			mmd -i ${img} "::/EFI/BOOT"
+			mcopy -m -i ${img} bin-x86_64-efi/ipxe.efi "::EFI/BOOT/BOOTX64.EFI"
+			mcopy -m -i ${img} bin-i386-efi/ipxe.efi "::EFI/BOOT/BOOTIA32.EFI"
+
+			xorriso+=(-eltorito-alt-boot -e efiboot.img -isohybrid-gpt-basdat -no-emul-boot)
+		fi
+
 		# syslinux 6.x needs a file called ldlinux.c32
 		LDLINUX_C32=$(dirname ${ISOLINUX_BIN})/ldlinux.c32
 		if [ -s ${LDLINUX_C32} ]; then
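
Review bot: The EFI block sits only in the `0)` branch, so `-e` combined with `-l` is silently ignored, and in the lines shown the `mformat`, `mmd` and `mcopy` calls are neither probed for (unlike xorriso) nor checked for failure. With the image size fixed by `-f 2880`, a failed `mcopy` (for example when both `ipxe.efi` binaries do not fit) would still yield an ISO whose `efiboot.img` is incomplete; reject `-e -l` explicitly, test for mtools up front, and abort on any non-zero exit.
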
 <at>  <at>  -129,7 +150,7  <at>  <at>  case "${LEGACY}" in
 		fi

 		# generate the iso image
-		"${mkisofs[ <at> ]}" -b isolinux.bin -no-emul-boot -boot-load-size 4 -boot-info-table -output ${OUT} ${dir}
+		"${xorriso[ <at> ]}" -output ${OUT} ${dir}

 		# isohybrid will be used if available
 		if isohybrid --version >/dev/null 2>/dev/null; then
-- 
2.3.5

Robin Smidsrød | 6 Apr 17:11 2015

[ipxe] [build] Rewrite parserom.pl to support multiple source files (#35)

Running util/parserom.pl on all source files (637) one by one takes
approximately 35 seconds because of the startup cost of each invocation.
With the utility rewritten to support multiple source files it now takes
approximately 1 second to scan all source files for ROM declarations.

The --exclude-driver and --exclude-driver-class options have been added,
making it possible to skip certain source files from being scanned at all.

In addition --debug option has been added to more easily trace progress.

Finally --help option was added to show usage information.

Signed-off-by: Robin Smidsrød robin-GtUsJBLa5GcXWF+eFR7m5Q@public.gmane.org

You can view, comment on, or merge this pull request online at:

  https://github.com/ipxe/ipxe/pull/35

Commit Summary

  • [build] Rewrite parserom.pl to support multiple source files

File Changes

  • M src/util/parserom.pl (295)

Patch Links:

  • https://github.com/ipxe/ipxe/pull/35.patch
  • https://github.com/ipxe/ipxe/pull/35.diff

Christian Hesse | 2 Apr 16:36 2015

kernel panic with ipxe.efi

Hello everybody,

trying to boot a UEFI device with iPXE (bin-x86_64-efi/ipxe.efi) results in a
kernel panic. iPXE starts just fine, then downloads three files via http...

* linux64 (Linux bzImage)
* intel-ucode.img (uncompressed cpio archive with intel ucode)
* initrd64 (xz compressed initramfs)

...boots the kernel, which panics. I took a picture of the kernel panic:
http://www.eworm.de/tmp/DSC_0038.JPG

The same files work just fine with iPXE bios version.
-- 
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Chris           get my mail address:    */=0;b=c[a++];)
putchar(b-1/(/*               gcc -o sig sig.c && ./sig    */b/42*2-3)*42);}
Bjørnar Ness | 2 Apr 15:35 2015

Serial port info

When using IPMI and SOL, the SOL serial port number varies from
hardware to hardware, but is (as far as I have seen) always the
highest numbered ttyS.

Is it possible in ipxe to detect what serial port is the last one? I
need this to set console= later in the process.

Best regards,

-- 
Bj(/)rnar
Christian Hesse | 2 Apr 13:15 2015

[PATCH 1/1] make sure not to generate position independent code

From: Christian Hesse <mail@...>

We have assembler code that breaks when generating position independent
code. So make sure we do not.

Signed-off-by: Christian Hesse <mail@...>
---
 src/Makefile.housekeeping | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping
index f54008c..5687c66 100644
--- a/src/Makefile.housekeeping
+++ b/src/Makefile.housekeeping
 <at>  <at>  -179,6 +179,11  <at>  <at>  WNA_FLAGS := $(shell $(WNA_TEST) && $(ECHO) '-Wno-address')
 WORKAROUND_CFLAGS += $(WNA_FLAGS)
 endif

+# we have assembler code, that does not work with position independent code
+PIC_TEST = $(CC) -dM -E - < /dev/null | grep -q '__PIC__'
+PIC_FLAGS := $(shell $(PIC_TEST) && $(ECHO) '-fno-pic')
+WORKAROUND_CFLAGS += $(PIC_FLAGS)
+
 # Some versions of gas choke on division operators, treating them as
 # comment markers.  Specifying --divide will work around this problem,
 # but isn't available on older gas versions.
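
Review bot: `PIC_TEST` runs `$(CC) -dM -E -` with no flags, so it reports only the compiler's built-in default, and `__PIC__` is also defined when that default is `-fPIE`; the comment should say which toolchains this targets and whether `-fno-pie` is needed alongside `-fno-pic`. It would also help to name the assembler files that break, since the flag is added to `WORKAROUND_CFLAGS` for every build.
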
-- 
2.3.5

