Re: [RFC] acpi: add acpitimer_delay(), acpihpet_delay()

2022-08-24 Thread Jonathan Gray
On Wed, Aug 24, 2022 at 11:05:30PM -0500, Scott Cheloha wrote:
> On Wed, Aug 24, 2022 at 05:51:14PM +1000, Jonathan Gray wrote:
> > On Tue, Aug 23, 2022 at 12:20:39PM -0500, Scott Cheloha wrote:
> > > > Hyper-V generation 1 VMs are bios boot with emulation of the usual
> > > > devices.  32-bit and 64-bit guests.
> > > > 
> > > > Hyper-V generation 2 VMs are 64-bit uefi with paravirtualised devices.
> > > > 64-bit guests only.
> > > > 
> > > > There is no 8254 in generation 2.
> > > > No HPET in either generation.
> > > > 
> > > > hv_delay uses the "Partition Reference Counter MSR" described in
> > > > https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/timers
> > > > It seems it is available in both generations and could be used from 
> > > > i386?
> > > > 
> > > > From reading that page hv_delay() should be preferred over lapic_delay()
> > > 
> > > Alright, I have nudged hv_delay's quality up over lapic_delay's
> > > quality.
> > 
> > Before these changes, tsc is probed before pvbus.  Do the tsc sanity
> > checks result in it not being considered an option on hyper-v?  I think
> > the tsc_delay and hv_delay numbers should be swapped in a later commit.
> > It is unclear if that would change the final delay_func setting.
> 
> Why would we prefer hv_delay() to tsc_delay() if we had a
> constant/invariant TSC available in our Hyper-V guest?
> 
> When patrick@ emailed me last year about issues with delay(9) on
> Hyper-V, he started by saying that the root of the problem was that
> the OpenBSD guest was not opting to use tsc_delay() because the host
> wasn't reporting a constant/invariant TSC.  So the guest was trying to
> use i8254_delay(), which was impossible because Hyper-V Gen2 guests
> don't have an i8254.  Hence, hv_delay() was added to the tree.
> 
> So, my understanding is that the addition of hv_delay() does not mean
> tsc_delay() is worse than hv_delay().  hv_delay() was added because
> tsc_delay() isn't always an option and (to our surprise) neither is
> i8254_delay().

I'm not clear on when rdtsc and rdmsr would cause a vm exit.
Presumably the reference tsc page is provided to avoid that,
but we don't use it.  rdtsc and rdmsr don't always cause an exit.

The wording of Microsoft's "Hypervisor Top Level Functional
Specification" reads as the interface is only available when
the underlying machine has a constant frequency tsc.  It also
makes the point that the interface being in time not cycles avoids
problems when the tsc frequency changes on live migration.

"12.3 Partition Reference Time Enlightenment

The partition reference time enlightenment presents a reference
time source to a partition which does not require an intercept into
the hypervisor. This enlightenment is available only when the
underlying platform provides support of an invariant processor Time
Stamp Counter (TSC), or iTSC. In such platforms, the processor TSC
frequency remains constant irrespective of changes in the processor's
clock frequency due to the use of power management states such as
ACPI processor performance states, processor idle sleep states (ACPI
C-states), etc.

The partition reference time enlightenment uses a virtual TSC value,
an offset and a multiplier to enable a guest partition to compute
the normalized reference time since partition creation, in 100nS
units. The mechanism also allows a guest partition to atomically
compute the reference time when the guest partition is migrated to
a platform with a different TSC rate, and provides a fallback
mechanism to support migration to platforms without the constant
rate TSC feature.

This facility is not intended to be used a source of wall clock
time, since the reference time computed using this facility will
appear to stop during the time that a guest partition is saved until
the subsequent restore."
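
The mechanism the quoted TLFS text describes (a virtual TSC, a scale, an offset, and a result in 100ns units) in working C, as an added example that is not OpenBSD code and not the hv(4) driver. The page layout and the formula `((tsc * scale) >> 64) + offset` follow the TLFS description of the reference TSC page; the field names are the spec's, the sample page contents, the `rdtsc` stubs and the `hv_delay_us` helper are constructed for this example. A scale of 1<<63 means half a reference tick per TSC tick, i.e. a 20 MHz TSC against the 10 MHz reference clock.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hyper-V reference TSC page as laid out in the TLFS (illustration, not
 * the hv(4) driver).  The hypervisor bumps tsc_sequence around every
 * update of scale/offset and sets it to 0 when the page must not be used,
 * e.g. after migration to a host without an invariant TSC.
 */
struct hv_ref_tsc_page {
	volatile uint32_t	tsc_sequence;
	uint32_t		reserved;
	volatile uint64_t	tsc_scale;	/* 64.64 fixed point: 100ns ticks per TSC tick */
	volatile int64_t	tsc_offset;	/* added after scaling, 100ns units */
};

/* High 64 bits of the 128-bit product, i.e. (a * b) >> 64. */
static uint64_t
mul_hi64(uint64_t a, uint64_t b)
{
	return (uint64_t)(((unsigned __int128)a * b) >> 64);
}

/*
 * Partition reference time (100ns since partition creation) from a TSC
 * sample, with no intercept into the hypervisor.  Returns false when the
 * page is disabled; the caller must then fall back to the reference
 * counter MSR (rdmsr, which may trap).  rdtsc is a parameter so the
 * routine can be exercised with a stub.
 */
bool
hv_ref_time(const struct hv_ref_tsc_page *pg, uint64_t (*rdtsc)(void),
    uint64_t *out)
{
	uint32_t seq;
	uint64_t tsc, scale;
	int64_t off;

	do {
		seq = pg->tsc_sequence;
		if (seq == 0)
			return false;
		__asm__ volatile("" ::: "memory");	/* keep the reads in this order */
		tsc = rdtsc();
		scale = pg->tsc_scale;
		off = pg->tsc_offset;
		__asm__ volatile("" ::: "memory");
	} while (seq != pg->tsc_sequence);	/* torn read: retry */

	*out = mul_hi64(tsc, scale) + (uint64_t)off;
	return true;
}

/*
 * Busy-wait at least usec microseconds on the reference clock, the way a
 * delay(9) backend would.  Returns the 100ns ticks actually elapsed, or 0
 * when the page is disabled and the caller must use another delay source.
 */
uint64_t
hv_delay_us(const struct hv_ref_tsc_page *pg, uint64_t (*rdtsc)(void),
    unsigned usec)
{
	uint64_t start, now, want = (uint64_t)usec * 10;

	if (!hv_ref_time(pg, rdtsc, &start))
		return 0;
	do {
		if (!hv_ref_time(pg, rdtsc, &now))
			return 0;
	} while (now - start < want);
	return now - start;
}

/* Constructed sample pages and TSC stubs (not real hypervisor data). */
struct hv_ref_tsc_page sample_page = {
	.tsc_sequence = 7, .tsc_scale = 1ULL << 63, .tsc_offset = 100
};
struct hv_ref_tsc_page disabled_page = { .tsc_sequence = 0 };

static uint64_t fixed_rdtsc(void) { return 2000; }	/* -> 1000 + 100 = 1100 */

uint64_t fake_tsc_now;
static uint64_t stepping_rdtsc(void) { fake_tsc_now += 2000; return fake_tsc_now; }

int
main(void)
{
	uint64_t t;

	if (hv_ref_time(&sample_page, fixed_rdtsc, &t))
		printf("reference time: %llu x 100ns\n", (unsigned long long)t);
	printf("disabled page usable: %d\n", hv_ref_time(&disabled_page, fixed_rdtsc, &t));
	fake_tsc_now = 0;
	printf("delay_us(150) waited %llu ticks\n",
	    (unsigned long long)hv_delay_us(&sample_page, stepping_rdtsc, 150));
	return 0;
}
```

In a real guest the page is mapped through the reference TSC MSR the TLFS defines and the fallback for a zero sequence is the same Partition Reference Counter MSR that hv_delay() already reads; the scale and offset are what let the value survive a live migration to a host with a different TSC rate.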



Re: libutil: opendev: require block/character devices

2022-08-24 Thread Klemens Nanni
On Wed, Aug 24, 2022 at 08:02:03PM -0600, Todd C. Miller wrote:
> On Wed, 24 Aug 2022 20:06:00 -, Klemens Nanni wrote:
> 
> > Feedback? Am I missing anything?
> 
> If fstat(2) fails you should not try to access sb.  Perhaps:
> 
> if (((dflags & OPENDEV_BLCK) && ...
> 
> should be an "else if (..."

Ah yes, the failure check does not return early but falls through, so
all further logic needs to check fd and/or errno (like the isduid() case
already does).


Index: opendev.3
===
RCS file: /cvs/src/lib/libutil/opendev.3,v
retrieving revision 1.22
diff -u -p -r1.22 opendev.3
--- opendev.3   15 Jan 2015 19:06:32 -  1.22
+++ opendev.3   24 Aug 2022 19:34:20 -
@@ -90,10 +90,12 @@ is not
 .Dv NULL ,
 it is modified to point at the fully expanded device name.
 .Sh RETURN VALUES
-The
+If successful,
 .Fn opendev
-return value and errors are the same as the return value and errors of
-.Xr open 2 .
+returns a file descriptor.
+Otherwise, a value of -1 is returned and
+.Va errno
+is set to indicate the error.
 .Sh SEE ALSO
 .Xr open 2 ,
 .Xr getrawpartition 3 ,
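Review bot: the new RETURN VALUES text says errno is set but the manual still never states the new precondition; add a sentence to DESCRIPTION (or an ERRORS section) saying that a path containing a slash must name a character special file, or a block special file when OPENDEV_BLCK is given, and name the errno the code uses for the failure (ENOTBLK in this diff) so callers can tell "not a device" from an open(2) failure.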
Index: opendev.c
===
RCS file: /cvs/src/lib/libutil/opendev.c,v
retrieving revision 1.15
diff -u -p -r1.15 opendev.c
--- opendev.c   30 Jun 2011 15:04:58 -  1.15
+++ opendev.c   25 Aug 2022 05:34:25 -
@@ -38,6 +38,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "util.h"
 
@@ -63,8 +64,23 @@ opendev(const char *path, int oflags, in
prefix = "r";   /* character device */
 
if ((slash = strchr(path, '/'))) {
+   struct stat sb;
+
strlcpy(namebuf, path, sizeof(namebuf));
fd = open(namebuf, oflags);
+
+   if (fd != -1) {
+   if (fstat(fd, ) == -1) {
+   close(fd);
+   fd = -1;
+   } else if (((dflags & OPENDEV_BLCK) &&
+   !S_ISBLK(sb.st_mode)) ||
+   !S_ISCHR(sb.st_mode)) {
+   close(fd);
+   fd = -1;
+   errno = ENOTBLK;
+   }
+   }
} else if (isduid(path, dflags)) {
strlcpy(namebuf, path, sizeof(namebuf));
if ((fd = open("/dev/diskmap", oflags)) != -1) {
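Review bot: the type test in the else-if branch rejects every block device: `((dflags & OPENDEV_BLCK) && !S_ISBLK(sb.st_mode)) || !S_ISCHR(sb.st_mode)` is true for a block special file even when OPENDEV_BLCK was passed, because the second clause fires for anything that is not a character device, so callers asking for block devices can never get a descriptor back. Write it as `(dflags & OPENDEV_BLCK) ? !S_ISBLK(sb.st_mode) : !S_ISCHR(sb.st_mode)`. Two smaller points: in the fstat failure branch close(2) can overwrite the errno fstat left behind, so save and restore it around the close; and ENOTBLK ("Block device required") is misleading when the caller asked for a character device, so either pick another errno for that case or document the choice in the manual.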



Re: [RFC] acpi: add acpitimer_delay(), acpihpet_delay()

2022-08-24 Thread Scott Cheloha
On Wed, Aug 24, 2022 at 05:51:14PM +1000, Jonathan Gray wrote:
> On Tue, Aug 23, 2022 at 12:20:39PM -0500, Scott Cheloha wrote:
> > > Hyper-V generation 1 VMs are bios boot with emulation of the usual
> > > devices.  32-bit and 64-bit guests.
> > > 
> > > Hyper-V generation 2 VMs are 64-bit uefi with paravirtualised devices.
> > > 64-bit guests only.
> > > 
> > > There is no 8254 in generation 2.
> > > No HPET in either generation.
> > > 
> > > hv_delay uses the "Partition Reference Counter MSR" described in
> > > https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/timers
> > > It seems it is available in both generations and could be used from i386?
> > > 
> > > From reading that page hv_delay() should be preferred over lapic_delay()
> > 
> > Alright, I have nudged hv_delay's quality up over lapic_delay's
> > quality.
> 
> Before these changes, tsc is probed before pvbus.  Do the tsc sanity
> checks result in it not being considered an option on hyper-v?  I think
> the tsc_delay and hv_delay numbers should be swapped in a later commit.
> It is unclear if that would change the final delay_func setting.

Why would we prefer hv_delay() to tsc_delay() if we had a
constant/invariant TSC available in our Hyper-V guest?

When patrick@ emailed me last year about issues with delay(9) on
Hyper-V, he started by saying that the root of the problem was that
the OpenBSD guest was not opting to use tsc_delay() because the host
wasn't reporting a constant/invariant TSC.  So the guest was trying to
use i8254_delay(), which was impossible because Hyper-V Gen2 guests
don't have an i8254.  Hence, hv_delay() was added to the tree.

So, my understanding is that the addition of hv_delay() does not mean
tsc_delay() is worse than hv_delay().  hv_delay() was added because
tsc_delay() isn't always an option and (to our surprise) neither is
i8254_delay().

> It would be a good idea to have different commits for the places new
> delay callbacks are introduced.
> 
> - add delay_init()
> - use delay_init() in lapic, tsc, hv_delay
> - commit acpihpet
> - commit acpitimer

I had planned to do separate commits.  This ordering seems right.

> - swap tsc and hv_delay numbers

See above.

> > How are we looking now?
> 
> some minor suggestions inline
> 
> have you built a release with this?

Just finished building a release and upgrading with it from physical
media.  I think we are good to go.  I incorporated your suggestions
below and I'm going to do the first four suggested commits tomorrow
unless I hear otherwise.

Current combined patch is attached.

> > Index: sys/arch/amd64/amd64/lapic.c
> > ===
> > RCS file: /cvs/src/sys/arch/amd64/amd64/lapic.c,v
> > retrieving revision 1.60
> > diff -u -p -r1.60 lapic.c
> > --- sys/arch/amd64/amd64/lapic.c15 Aug 2022 04:17:50 -  1.60
> > +++ sys/arch/amd64/amd64/lapic.c23 Aug 2022 17:18:30 -
> > @@ -486,8 +486,6 @@ wait_next_cycle(void)
> > }
> >  }
> >  
> > -extern void tsc_delay(int);
> > -
> 
> this cleanup is unrelated and should be a different diff/commit

Ack, will do it separately.

> >  /*
> >   * Calibrate the local apic count-down timer (which is running at
> >   * bus-clock speed) vs. the i8254 counter/timer (which is running at
> > @@ -592,8 +590,7 @@ skip_calibration:
> >  * Now that the timer's calibrated, use the apic timer routines
> >  * for all our timing needs..
> >  */
> > -   if (delay_func == i8254_delay)
> > -   delay_func = lapic_delay;
> > +   delay_init(lapic_delay, 3000);
> > initclock_func = lapic_initclocks;
> > }
> >  }
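Review bot: `delay_init(lapic_delay, 3000)` replaces a conditional that only ever upgraded from i8254_delay, and 3000 is a bare number whose meaning relative to the tsc, hv and acpi values lives in other files. Give the quality levels names, or put one comment listing the intended order next to delay_init(), so the next person adding a delay function can see where it should sit without grepping every caller.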
> > Index: sys/arch/amd64/amd64/machdep.c
> > ===
> > RCS file: /cvs/src/sys/arch/amd64/amd64/machdep.c,v
> > retrieving revision 1.279
> > diff -u -p -r1.279 machdep.c
> > --- sys/arch/amd64/amd64/machdep.c  7 Aug 2022 23:56:06 -   1.279
> > +++ sys/arch/amd64/amd64/machdep.c  23 Aug 2022 17:18:31 -
> > @@ -2069,3 +2069,13 @@ check_context(const struct reg *regs, st
> >  
> > return 0;
> >  }
> > +
> > +void
> > +delay_init(void(*fn)(int), int fn_quality)
> > +{
> > +   static int cur_quality = 0;
> > +   if (fn_quality > cur_quality) {
> > +   delay_func = fn;
> > +   cur_quality = fn_quality;
> > +   }
> > +}
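Review bot: delay_init() needs a prototype visible to lapic.c, tsc.c and the hv and acpi callers, and none is in this diff; make sure the declaration lands in the same commit or the tree will not build between commits. The function-local `static int cur_quality = 0` also means the compiled-in default delay_func has an implicit quality of 0 and that a later call with an equal quality is ignored; a one-line comment stating both rules (strictly better replaces, ties keep the first) would save the reader working it out, and since it is only called during autoconf a note that it is deliberately unlocked belongs there too.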
> > Index: sys/arch/amd64/amd64/tsc.c
> > ===
> > RCS file: /cvs/src/sys/arch/amd64/amd64/tsc.c,v
> > retrieving revision 1.25
> > diff -u -p -r1.25 tsc.c
> > --- sys/arch/amd64/amd64/tsc.c  12 Aug 2022 02:20:36 -  1.25
> > +++ sys/arch/amd64/amd64/tsc.c  23 Aug 2022 17:18:31 -
> > @@ -109,7 +109,7 @@ tsc_identify(struct cpu_info *ci)
> >  
> > tsc_frequency = tsc_freq_cpuid(ci);
> > if (tsc_frequency > 0)
> > -   delay_func = tsc_delay;
> > +   

Re: bgpd move nexthop connected magic to kroute

2022-08-24 Thread Theo Buehler
On Tue, Aug 23, 2022 at 11:06:05AM +0200, Claudio Jeker wrote:
> The RDE does some magic dance around connected networks and their gateway
> which should be done in kroute.c instead. At least then both functions doing
> gateway lookups do this magic in the same .c file.
> It also makes the RDE code simpler which is good. The RDE actually no
> longer uses this information apart from reporting it to bgpctl.

ok tb

> 
> -- 
> :wq Claudio
> 
> Index: kroute.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/kroute.c,v
> retrieving revision 1.295
> diff -u -p -r1.295 kroute.c
> --- kroute.c  19 Aug 2022 09:11:18 -  1.295
> +++ kroute.c  23 Aug 2022 09:01:26 -
> @@ -2265,11 +2265,11 @@ knexthop_send_update(struct knexthop *kn
>   kr = kn->kroute;
>   n.valid = kroute_validate(kr);
>   n.connected = kr->flags & F_CONNECTED;
> - if (kr->nexthop.s_addr != 0) {
> + if (!n.connected) {
>   n.gateway.aid = AID_INET;
>   n.gateway.v4.s_addr = kr->nexthop.s_addr;
> - }
> - if (n.connected) {
> + } else {
> + n.gateway = n.nexthop;
>   n.net.aid = AID_INET;
>   n.net.v4.s_addr = kr->prefix.s_addr;
>   n.netlen = kr->prefixlen;
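Review bot: the else branch's `n.gateway = n.nexthop` depends on n.nexthop having been filled in earlier in knexthop_send_update(), which is outside this hunk; please confirm that ordering, since a zeroed n.nexthop would now travel to the RDE as the true nexthop. Note also the behaviour change for non-connected routes with a zero kr->nexthop: before, n.gateway stayed unset (aid 0); now it is reported as AID_INET 0.0.0.0.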
> @@ -2279,13 +2279,12 @@ knexthop_send_update(struct knexthop *kn
>   kr6 = kn->kroute;
>   n.valid = kroute6_validate(kr6);
>   n.connected = kr6->flags & F_CONNECTED;
> - if (memcmp(>nexthop, _any,
> - sizeof(struct in6_addr)) != 0) {
> + if (!n.connected) {
>   n.gateway.aid = AID_INET6;
>   n.gateway.v6 = kr6->nexthop;
>   n.gateway.scope_id = kr6->nexthop_scope_id;
> - }
> - if (n.connected) {
> + } else {
> + n.gateway = n.nexthop;
>   n.net.aid = AID_INET6;
>   n.net.v6 = kr6->prefix;
>   n.net.scope_id = kr6->prefix_scope_id;
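Review bot: same as the IPv4 branch: dropping the memcmp against in6addr_any means a non-connected kroute6 with an unspecified nexthop now reports gateway :: with aid AID_INET6 instead of leaving n.gateway untouched; if such entries can exist (reject or blackhole routes, for instance) the RDE side should be checked for how it treats an all-zero true_nexthop.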
> Index: rde_rib.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde_rib.c,v
> retrieving revision 1.243
> diff -u -p -r1.243 rde_rib.c
> --- rde_rib.c 10 Aug 2022 14:17:01 -  1.243
> +++ rde_rib.c 23 Aug 2022 09:01:26 -
> @@ -1739,12 +1739,10 @@ nexthop_update(struct kroute_nexthop *ms
>   TAILQ_REMOVE(_runners, nh, runner_l);
>   }
>  
> - if (msg->connected) {
> + if (msg->connected)
>   nh->flags |= NEXTHOP_CONNECTED;
> - nh->true_nexthop = nh->exit_nexthop;
> - } else
> - nh->true_nexthop = msg->gateway;
>  
> + nh->true_nexthop = msg->gateway;
>   nh->nexthop_net = msg->net;
>   nh->nexthop_netlen = msg->netlen;
>  
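Review bot: nexthop_update() now takes true_nexthop from msg->gateway unconditionally, so this is only correct together with the kroute.c change that fills n.gateway for connected nexthops; land the two in one commit, otherwise connected nexthops get a zeroed true_nexthop in between. The NEXTHOP_CONNECTED flag is now kept only for bgpctl reporting, as the commit message says; a short comment at the `if (msg->connected)` line would stop someone from removing it later as dead code.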
> 



Re: libutil: opendev: require block/character devices

2022-08-24 Thread Todd C . Miller
On Wed, 24 Aug 2022 20:06:00 -, Klemens Nanni wrote:

> Feedback? Am I missing anything?

If fstat(2) fails you should not try to access sb.  Perhaps:

if (((dflags & OPENDEV_BLCK) && ...

should be an "else if (..."

Otherwise looks OK to me.

 - todd



Re: rpki-client: add mode to print encapsulated certs/crls in human-readable & PEM format

2022-08-24 Thread Theo de Raadt
Theo Buehler  wrote:

> > > + if (pemmode) {
> > > + if (pledge("stdio rpath", NULL) == -1)
> > > + err(1, "pledge");
> > > +
> > > + if (argc > 1)
> > > + goto usage;
> > 
> > This should be argc > 0 to match your synopsis.
> 
> Ugh. I confused myself here, it was actually correct but a bit quirky.
> 
> I think it would be better to use "p:" in the getopt string and assign
> the file argument to a new variable or do a loop over argv as indicated
> below.

Right.



Re: rpki-client: add mode to print encapsulated certs/crls in human-readable & PEM format

2022-08-24 Thread Theo Buehler
> > +   if (pemmode) {
> > +   if (pledge("stdio rpath", NULL) == -1)
> > +   err(1, "pledge");
> > +
> > +   if (argc > 1)
> > +   goto usage;
> 
> This should be argc > 0 to match your synopsis.

Ugh. I confused myself here, it was actually correct but a bit quirky.

I think it would be better to use "p:" in the getopt string and assign
the file argument to a new variable or do a loop over argv as indicated
below.

> 
> Or should this behave like file mode and accept an arbitrary number of
> file arguments? For example you could drop the argc check and do:
> 
>   for (i = 0; i < argc; i++) {
>   if ((rc = print_pem(argv[i])) != 0)
>   return rc;
>   }



Re: rpki-client: add mode to print encapsulated certs/crls in human-readable & PEM format

2022-08-24 Thread Theo Buehler
On Wed, Aug 24, 2022 at 06:41:12PM -0600, Theo de Raadt wrote:
> argv += optind;
> argc -= optind;
> 
> +   if (pemmode) {
> +   if (pledge("stdio rpath", NULL) == -1)
> +   err(1, "pledge");
> +
> 
> 
> rpki-client is starting to develop quite a number of run-time "modes".

There are currently two (or if you count -V as a separate mode three).
Except for -V, extra arguments are handled correctly.

> I think it is time to add some checks (right around argc -=optind) to
> identify non-sensical combinations and not proceed.

That would make sense, but should probably be done independently of this
diff. I agree that this is currently a bit sloppy.

> Also, there should be no extra arguments.

You removed an argc > 1 check (which should have been argc > 0).



Re: rpki-client: add mode to print encapsulated certs/crls in human-readable & PEM format

2022-08-24 Thread Theo Buehler
On Wed, Aug 24, 2022 at 11:35:01PM +, Job Snijders wrote:
> Hi all,
> 
> Scratching an itch: When debugging RPKI things, I've grown tired of
> typing stuff like the below 2 commands to get to the CMS encapsulated
> DER encoded EE certificate in RPKI Signed Objects.
> 
> $ openssl cms -verify -noverify -inform DER -signer signer.pem \
> -in OOFPkv3HzPv8GCNhUjrifWl-lS8.mft > /dev/zero
> $ openssl x509 -in signer.pem -text
> 
> Life is too short to type that many letters - instead, I'd rather:
> 
> $ rpki-client -p OOFPkv3HzPv8GCNhUjrifWl-lS8.mft
> 
> For completeness' sake, also print all other (not-CMS encapsulated)
> file types such as CA certs, BGPsec Router Keys, and CRLs.

Kind of makes sense to me. Instead of adding another mode, could this be
done as a -p flag in file mode (or even be hidden behind the -v flag)?
Or is this too ugly due to repeated info?

Some comments inline.

> 
> OK?
> 
> Kind regards,
> 
> Job
> 
> Index: extern.h
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
> retrieving revision 1.150
> diff -u -p -r1.150 extern.h
> --- extern.h  19 Aug 2022 12:45:53 -  1.150
> +++ extern.h  24 Aug 2022 23:33:24 -
> @@ -664,6 +664,7 @@ void   mft_print(const X509 *, const str
>  void  roa_print(const X509 *, const struct roa *);
>  void  gbr_print(const X509 *, const struct gbr *);
>  void  rsc_print(const X509 *, const struct rsc *);
> +int   print_pem(char *);

This should probably be pem_print() to match all the other print functions.
Any reason it can't take a const char *?

>  
>  /* Output! */
>  
> Index: main.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v
> retrieving revision 1.209
> diff -u -p -r1.209 main.c
> --- main.c4 Aug 2022 13:44:07 -   1.209
> +++ main.c24 Aug 2022 23:33:25 -
> @@ -64,6 +64,7 @@ const char  *bird_tablename = "ROAS";
>  int  verbose;
>  int  noop;
>  int  filemode;
> +int  pemmode;
>  int  rrdpon = 1;
>  int  repo_timeout;
>  
> @@ -819,7 +820,7 @@ main(int argc, char *argv[])
>   "proc exec unveil", NULL) == -1)
>   err(1, "pledge");
>  
> - while ((c = getopt(argc, argv, "b:Bcd:e:fjnorRs:S:t:T:vV")) != -1)
> + while ((c = getopt(argc, argv, "b:Bcd:e:fjnoprRs:S:t:T:vV")) != -1)
>   switch (c) {
>   case 'b':
>   bind_addr = optarg;
> @@ -849,6 +850,9 @@ main(int argc, char *argv[])
>   case 'o':
>   outformats |= FORMAT_OPENBGPD;
>   break;
> + case 'p':
> + pemmode = 1;
> + break;
>   case 'R':
>   rrdpon = 0;
>   break;
> @@ -888,6 +892,17 @@ main(int argc, char *argv[])
>   argv += optind;
>   argc -= optind;
>  
> + if (pemmode) {
> + if (pledge("stdio rpath", NULL) == -1)
> + err(1, "pledge");
> +
> + if (argc > 1)
> + goto usage;

This should be argc > 0 to match your synopsis.

Or should this behave like file mode and accept an arbitrary number of
file arguments? For example you could drop the argc check and do:

for (i = 0; i < argc; i++) {
if ((rc = print_pem(argv[i])) != 0)
return rc;
}

> +
> + rc = print_pem(argv[0]);
> + return rc;
> + }
> +
>   if (!filemode) {
>   if (argc == 1)
>   outputdir = argv[0];
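Review bot: with `argc > 1` an invocation without a file argument passes the check and `print_pem(argv[0])` is handed the NULL that terminates argv, so beyond the synopsis mismatch this is a NULL dereference inside print_pem() and rtype_from_file_extension(); make the test `argc != 1`, or loop over argv as suggested above and treat an empty list as a usage error.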
> @@ -1278,6 +1293,7 @@ usage:
>   " [-e rsync_prog]\n"
>   "   [-S skiplist] [-s timeout] [-T table] [-t tal]"
>   " [outputdir]\n"
> - "   rpki-client [-Vv] [-d cachedir] [-t tal] -f file ...\n");
> + "   rpki-client [-Vv] [-d cachedir] [-t tal] -f file ...\n"
> + "   rpki-client -p file\n");
>   return 1;
>  }
> Index: print.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v
> retrieving revision 1.14
> diff -u -p -r1.14 print.c
> --- print.c   14 Jul 2022 13:24:56 -  1.14
> +++ print.c   24 Aug 2022 23:33:25 -
> @@ -1,5 +1,6 @@
>  /*   $OpenBSD: print.c,v 1.14 2022/07/14 13:24:56 job Exp $ */
>  /*
> + * Copyright (c) 2022 Job Snijders 
>   * Copyright (c) 2021 Claudio Jeker 
>   * Copyright (c) 2019 Kristaps Dzonsons 
>   *
> @@ -26,6 +27,8 @@
>  #include 
>  
>  #include 
> +#include 
> +#include 
>  
>  #include "extern.h"
>  
> @@ -567,4 +570,100 @@ rsc_print(const X509 *x, const struct rs
>  
>   if (outformats & FORMAT_JSON)
>   printf("\t],\n");
> +}
> +
> +/*
> + * Read a file, extract the encapsulated X509 cert and print in PEM format.
> + * Return zero on 

Re: rpki-client: add mode to print encapsulated certs/crls in human-readable & PEM format

2022-08-24 Thread Theo de Raadt
argv += optind;
argc -= optind;

+   if (pemmode) {
+   if (pledge("stdio rpath", NULL) == -1)
+   err(1, "pledge");
+


rpki-client is starting to develop quite a number of run-time "modes".

I think it is time to add some checks (right around argc -=optind) to
identify non-sensical combinations and not proceed.  Also, there should
be no extra arguments.

To give an example, what does this do:

$ rpki-client -p OOFPkv3HzPv8GCNhUjrifWl-lS8.mft foo foo foo 

It ignores the additional arguments.

I'm just saying this has become a bit sloppy, there are so many
non-sensical combinations now and it isn't clear what they will do.
Time to get strict?





rpki-client: add mode to print encapsulated certs/crls in human-readable & PEM format

2022-08-24 Thread Job Snijders
Hi all,

Scratching an itch: When debugging RPKI things, I've grown tired of
typing stuff like the below 2 commands to get to the CMS encapsulated
DER encoded EE certificate in RPKI Signed Objects.

$ openssl cms -verify -noverify -inform DER -signer signer.pem \
-in OOFPkv3HzPv8GCNhUjrifWl-lS8.mft > /dev/zero
$ openssl x509 -in signer.pem -text

Life is too short to type that many letters - instead, I'd rather:

$ rpki-client -p OOFPkv3HzPv8GCNhUjrifWl-lS8.mft

For completeness' sake, also print all other (not-CMS encapsulated)
file types such as CA certs, BGPsec Router Keys, and CRLs.

OK?

Kind regards,

Job

Index: extern.h
===
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
retrieving revision 1.150
diff -u -p -r1.150 extern.h
--- extern.h19 Aug 2022 12:45:53 -  1.150
+++ extern.h24 Aug 2022 23:33:24 -
@@ -664,6 +664,7 @@ void mft_print(const X509 *, const str
 voidroa_print(const X509 *, const struct roa *);
 voidgbr_print(const X509 *, const struct gbr *);
 voidrsc_print(const X509 *, const struct rsc *);
+int print_pem(char *);
 
 /* Output! */
 
Index: main.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v
retrieving revision 1.209
diff -u -p -r1.209 main.c
--- main.c  4 Aug 2022 13:44:07 -   1.209
+++ main.c  24 Aug 2022 23:33:25 -
@@ -64,6 +64,7 @@ const char*bird_tablename = "ROAS";
 intverbose;
 intnoop;
 intfilemode;
+intpemmode;
 intrrdpon = 1;
 intrepo_timeout;
 
@@ -819,7 +820,7 @@ main(int argc, char *argv[])
"proc exec unveil", NULL) == -1)
err(1, "pledge");
 
-   while ((c = getopt(argc, argv, "b:Bcd:e:fjnorRs:S:t:T:vV")) != -1)
+   while ((c = getopt(argc, argv, "b:Bcd:e:fjnoprRs:S:t:T:vV")) != -1)
switch (c) {
case 'b':
bind_addr = optarg;
@@ -849,6 +850,9 @@ main(int argc, char *argv[])
case 'o':
outformats |= FORMAT_OPENBGPD;
break;
+   case 'p':
+   pemmode = 1;
+   break;
case 'R':
rrdpon = 0;
break;
@@ -888,6 +892,17 @@ main(int argc, char *argv[])
argv += optind;
argc -= optind;
 
+   if (pemmode) {
+   if (pledge("stdio rpath", NULL) == -1)
+   err(1, "pledge");
+
+   if (argc > 1)
+   goto usage;
+
+   rc = print_pem(argv[0]);
+   return rc;
+   }
+
if (!filemode) {
if (argc == 1)
outputdir = argv[0];
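Review bot: pemmode is acted on before any check that it is not combined with -f, -n, -o and the other mode switches, so `rpki-client -f -p file` silently ignores one of the two modes; reject conflicting modes right after `argc -= optind`. The tighter pledge is welcome, but nothing restricts which file the rpath promise may read; an unveil(2) of the single argument before the pledge would pin read access to that file. Also, the `argc > 1` test lets argc == 0 through to `print_pem(argv[0])`, which is then NULL.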
@@ -1278,6 +1293,7 @@ usage:
" [-e rsync_prog]\n"
"   [-S skiplist] [-s timeout] [-T table] [-t tal]"
" [outputdir]\n"
-   "   rpki-client [-Vv] [-d cachedir] [-t tal] -f file ...\n");
+   "   rpki-client [-Vv] [-d cachedir] [-t tal] -f file ...\n"
+   "   rpki-client -p file\n");
return 1;
 }
Index: print.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v
retrieving revision 1.14
diff -u -p -r1.14 print.c
--- print.c 14 Jul 2022 13:24:56 -  1.14
+++ print.c 24 Aug 2022 23:33:25 -
@@ -1,5 +1,6 @@
 /* $OpenBSD: print.c,v 1.14 2022/07/14 13:24:56 job Exp $ */
 /*
+ * Copyright (c) 2022 Job Snijders 
  * Copyright (c) 2021 Claudio Jeker 
  * Copyright (c) 2019 Kristaps Dzonsons 
  *
@@ -26,6 +27,8 @@
 #include 
 
 #include 
+#include 
+#include 
 
 #include "extern.h"
 
@@ -567,4 +570,100 @@ rsc_print(const X509 *x, const struct rs
 
if (outformats & FORMAT_JSON)
printf("\t],\n");
+}
+
+/*
+ * Read a file, extract the encapsulated X509 cert and print in PEM format.
+ * Return zero on success, non-zero on failure.
+ */
+int
+print_pem(char *fn)
+{
+   BIO *bio_out = NULL;
+   X509 *x = NULL;
+   X509_CRL *c = NULL;
+   struct gbr *gbr = NULL;
+   struct mft *mft = NULL;
+   struct roa *roa = NULL;
+   struct rsc *rsc = NULL;
+   unsigned char *buf;
+   size_t len;
+   enum rtype type;
+   int rc = 1;
+
+   x509_init_oid();
+
+   type = rtype_from_file_extension(fn);
+   if (type == RTYPE_INVALID) {
+   buf = NULL;
+   warnx("%s: unsupported file type", fn);
+   goto out;
+   }
+
+   if ((buf = load_file(fn, )) == NULL) {
+   warnx("load_file failed");
+   goto out;
+   }
+
+   if ((bio_out = BIO_new_fp(stdout, BIO_NOCLOSE)) == NULL)
+   errx(1, "BIO_new_fp");
+
+   switch (type) {
+   case RTYPE_CER:
+   if 
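Review bot: `buf` is assigned NULL only on the unsupported-type path before the goto, which suggests the cleanup at `out:` frees it; initialise it at the declaration (`unsigned char *buf = NULL;`) and drop the assignment in the if. Failure handling is mixed: a bad extension and load_file() warnx and goto out, but BIO_new_fp() calls errx(1) and exits without cleanup; use one style. The parser is chosen by rtype_from_file_extension(), i.e. by the filename alone, so a renamed file is fed to the wrong parser; acceptable for a debugging mode under pledge("stdio rpath"), but say so in the comment. Last, the header comment promises zero on success while `rc` starts at 1, so every successful path to `out:` must set rc = 0 explicitly.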

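What the two openssl commands above dig out, done by hand: an added example, not rpki-client code and not using its parsers, that walks the DER of a CMS SignedData down to `certificates [0]`, returns the first Certificate (the EE certificate of a single-signer RPKI object) and PEM-encodes it. The DER walker and PEM encoder are this example's own; `SAMPLE_CMS` is a constructed, structurally valid SignedData whose only "certificate" is a dummy `SEQUENCE { INTEGER 5 }`, not a real RPKI object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded DER TLV: tag byte, value pointer/length, and the encoded
 * size so a caller can step to the next element. */
struct tlv {
	uint8_t		tag;
	const uint8_t	*val;
	size_t		len;
	size_t		size;
};

/* Decode the TLV at p (n bytes available).  Definite lengths only, as DER requires. */
static int
der_tlv(const uint8_t *p, size_t n, struct tlv *t)
{
	size_t hdr, len, i;

	if (n < 2)
		return 0;
	t->tag = p[0];
	if ((p[1] & 0x80) == 0) {
		len = p[1];
		hdr = 2;
	} else {
		size_t nb = p[1] & 0x7f;
		if (nb == 0 || nb > sizeof(size_t) || nb + 2 > n)
			return 0;	/* indefinite or oversized length */
		len = 0;
		for (i = 0; i < nb; i++)
			len = (len << 8) | p[2 + i];
		hdr = 2 + nb;
	}
	if (len > n - hdr)
		return 0;	/* value runs past the buffer */
	t->val = p + hdr;
	t->len = len;
	t->size = hdr + len;
	return 1;
}

/* id-signedData 1.2.840.113549.1.7.2, encoded OID contents */
static const uint8_t OID_SIGNED_DATA[] = {
	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02
};

/*
 * ContentInfo -> [0] EXPLICIT SignedData -> version, digestAlgorithms,
 * encapContentInfo, certificates [0] IMPLICIT -> first Certificate.
 * Returns 1 and sets *cert/*certlen on success, 0 on any structural error.
 */
int
cms_first_certificate(const uint8_t *der, size_t n, const uint8_t **cert,
    size_t *certlen)
{
	struct tlv ci, oid, explicit0, sd, el, certs, c;
	const uint8_t *p;
	size_t left;

	if (!der_tlv(der, n, &ci) || ci.tag != 0x30)
		return 0;
	if (!der_tlv(ci.val, ci.len, &oid) || oid.tag != 0x06 ||
	    oid.len != sizeof(OID_SIGNED_DATA) ||
	    memcmp(oid.val, OID_SIGNED_DATA, oid.len) != 0)
		return 0;	/* not a SignedData */
	p = ci.val + oid.size;
	left = ci.len - oid.size;
	if (!der_tlv(p, left, &explicit0) || explicit0.tag != 0xa0)
		return 0;
	if (!der_tlv(explicit0.val, explicit0.len, &sd) || sd.tag != 0x30)
		return 0;
	p = sd.val;
	left = sd.len;
	for (int i = 0; i < 3; i++) {	/* skip version, digestAlgorithms, encapContentInfo */
		if (!der_tlv(p, left, &el))
			return 0;
		p += el.size;
		left -= el.size;
	}
	if (!der_tlv(p, left, &certs) || certs.tag != 0xa0 || certs.len == 0)
		return 0;	/* certificates is OPTIONAL; crls or signerInfos came first */
	if (!der_tlv(certs.val, certs.len, &c) || c.tag != 0x30)
		return 0;	/* other CertificateChoices are not used in RPKI */
	*cert = certs.val;
	*certlen = c.size;
	return 1;
}

/* PEM-encode a DER certificate into out (NUL-terminated, 64-column lines).
 * Returns the number of characters written, 0 if out is too small. */
size_t
pem_certificate(const uint8_t *der, size_t n, char *out, size_t outsz)
{
	static const char b64[] =
	    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	const char *head = "-----BEGIN CERTIFICATE-----\n";
	const char *tail = "-----END CERTIFICATE-----\n";
	size_t chars = ((n + 2) / 3) * 4, o = 0, i, col = 0;

	if (outsz < strlen(head) + chars + chars / 64 + 1 + strlen(tail) + 1)
		return 0;
	o += (size_t)sprintf(out, "%s", head);
	for (i = 0; i < n; i += 3) {
		uint32_t v = (uint32_t)der[i] << 16;
		if (i + 1 < n) v |= (uint32_t)der[i + 1] << 8;
		if (i + 2 < n) v |= der[i + 2];
		out[o++] = b64[(v >> 18) & 63];
		out[o++] = b64[(v >> 12) & 63];
		out[o++] = i + 1 < n ? b64[(v >> 6) & 63] : '=';
		out[o++] = i + 2 < n ? b64[v & 63] : '=';
		if ((col += 4) == 64) {
			out[o++] = '\n';
			col = 0;
		}
	}
	if (col != 0)
		out[o++] = '\n';
	o += (size_t)sprintf(out + o, "%s", tail);
	return o;
}

/* Constructed sample (not a real RPKI object): SignedData carrying one dummy
 * "certificate" SEQUENCE { INTEGER 5 } and empty digestAlgorithms/signerInfos. */
const uint8_t SAMPLE_CMS[] = {
	0x30, 0x2a,						/* ContentInfo */
	  0x06, 0x09, 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x02,	/* id-signedData */
	  0xa0, 0x1d,						/* [0] EXPLICIT */
	    0x30, 0x1b,						/* SignedData */
	      0x02, 0x01, 0x03,					/* version 3 */
	      0x31, 0x00,					/* digestAlgorithms */
	      0x30, 0x0b, 0x06, 0x09, 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x01, /* encapContentInfo id-data */
	      0xa0, 0x05,					/* certificates [0] */
	        0x30, 0x03, 0x02, 0x01, 0x05,			/* dummy Certificate */
	      0x31, 0x00					/* signerInfos */
};

int
main(void)
{
	const uint8_t *cert;
	size_t certlen;
	char pem[256];

	if (cms_first_certificate(SAMPLE_CMS, sizeof(SAMPLE_CMS), &cert, &certlen) &&
	    pem_certificate(cert, certlen, pem, sizeof(pem)) > 0)
		fputs(pem, stdout);
	return 0;
}
```

Feeding the PEM to `openssl x509 -text` gives the human-readable half of what `-p` prints; note that this path deliberately never checks the signature, exactly like `openssl cms -verify -noverify`, so it is for inspection only.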
distrib/special: zap useless MAN bits

2022-08-24 Thread Klemens Nanni
Makefile.inc sets NOMAN=1 and MAN= to the empty string, so all
definitions in program Makefiles are useless and misleading.

disklabel and fdisk certainly won't embed the manual in size constrained
install media, so also remove the logic around NOMAN.

No functional change.

OK?


Index: dhcpleased/Makefile
===
RCS file: /cvs/src/distrib/special/dhcpleased/Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 Makefile
--- dhcpleased/Makefile 18 Jun 2021 11:46:06 -  1.2
+++ dhcpleased/Makefile 24 Aug 2022 21:18:47 -
@@ -5,8 +5,6 @@ COPTS+= -DSMALL
 .PATH:  ${.CURDIR}/../../../sbin/dhcpleased
 SRCS=  bpf.c checksum.c dhcpleased.c engine.c frontend.c
 
-MAN=
-
 LDADD+=-levent -lutil
 DPADD+= ${LIBEVENT} ${LIBUTIL}
 
Index: resolvd/Makefile
===
RCS file: /cvs/src/distrib/special/resolvd/Makefile,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile
--- resolvd/Makefile18 Jun 2021 11:43:38 -  1.3
+++ resolvd/Makefile24 Aug 2022 21:18:56 -
@@ -5,6 +5,4 @@ COPTS+= -DSMALL
 .PATH:  ${.CURDIR}/../../../sbin/resolvd
 SRCS=   resolvd.c
 
-MAN=
-
 .include 
Index: umount/Makefile
===
RCS file: /cvs/src/distrib/special/umount/Makefile,v
retrieving revision 1.1
diff -u -p -r1.1 Makefile
--- umount/Makefile 21 Feb 2014 19:01:02 -  1.1
+++ umount/Makefile 24 Aug 2022 21:15:48 -
@@ -1,7 +1,6 @@
 #  $OpenBSD: Makefile,v 1.1 2014/02/21 19:01:02 deraadt Exp $
 
 PROG=  umount
-MAN=   umount.8
 
 CFLAGS+= -DNO_NFS
 DPADD+=${LIBUTIL}
Index: sync/Makefile
===
RCS file: /cvs/src/distrib/special/sync/Makefile,v
retrieving revision 1.1
diff -u -p -r1.1 Makefile
--- sync/Makefile   23 Dec 2014 17:16:03 -  1.1
+++ sync/Makefile   24 Aug 2022 21:15:48 -
@@ -1,7 +1,6 @@
 #  $OpenBSD: Makefile,v 1.1 2014/12/23 17:16:03 deraadt Exp $
 
 PROG=  sync
-MAN=   sync.8
 
 .PATH: ${.CURDIR}/../../../bin/sync
 .include 
Index: slaacd/Makefile
===
RCS file: /cvs/src/distrib/special/slaacd/Makefile,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile
--- slaacd/Makefile 20 Mar 2021 16:36:52 -  1.3
+++ slaacd/Makefile 24 Aug 2022 21:19:16 -
@@ -5,8 +5,6 @@ COPTS+= -DSMALL
 .PATH:  ${.CURDIR}/../../../sbin/slaacd
 SRCS=  engine.c frontend.c slaacd.c
 
-MAN=
-
 YFLAGS=
 LDADD+=-levent -lutil
 DPADD+= ${LIBEVENT} ${LIBUTIL}
Index: route/Makefile
===
RCS file: /cvs/src/distrib/special/route/Makefile,v
retrieving revision 1.4
diff -u -p -r1.4 Makefile
--- route/Makefile  17 Oct 2017 19:31:56 -  1.4
+++ route/Makefile  24 Aug 2022 21:15:48 -
@@ -1,7 +1,6 @@
 #  $OpenBSD: Makefile,v 1.4 2017/10/17 19:31:56 naddy Exp $
 
 PROG=  route
-MAN=   route.8
 SRCS=  route.c show.c
 
 CFLAGS+=   -Wall -DSMALL
Index: reboot/Makefile
===
RCS file: /cvs/src/distrib/special/reboot/Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 Makefile
--- reboot/Makefile 30 Mar 2016 06:38:40 -  1.2
+++ reboot/Makefile 24 Aug 2022 21:15:48 -
@@ -3,7 +3,6 @@
 PROG=  reboot
 DPADD= ${LIBUTIL}
 LDADD= -lutil
-MAN=   reboot.8
 LINKS= ${BINDIR}/reboot ${BINDIR}/halt
 
 .PATH:  ${.CURDIR}/../../../sbin/reboot
Index: pdisk/Makefile
===
RCS file: /cvs/src/distrib/special/pdisk/Makefile,v
retrieving revision 1.10
diff -u -p -r1.10 Makefile
--- pdisk/Makefile  27 Jan 2016 14:19:59 -  1.10
+++ pdisk/Makefile  24 Aug 2022 21:23:41 -
@@ -12,8 +12,5 @@ SRCS= dump.c file_media.c io.c partition
 NOPROG=yes
 .endif
 
-MAN=   pdisk.8
-MANSUBDIR=macppc
-
 .PATH:  ${.CURDIR}/../../../sbin/pdisk
 .include 
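Review bot: this hunk also drops `MANSUBDIR=macppc`, which is likewise dead once Makefile.inc sets NOMAN, but the commit message only mentions MAN and NOMAN; add a word about it so the log explains why the macppc-specific line went too.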
Index: newfs_msdos/Makefile
===
RCS file: /cvs/src/distrib/special/newfs_msdos/Makefile,v
retrieving revision 1.1
diff -u -p -r1.1 Makefile
--- newfs_msdos/Makefile23 Dec 2014 17:16:02 -  1.1
+++ newfs_msdos/Makefile24 Aug 2022 21:15:48 -
@@ -2,7 +2,6 @@
 # $FreeBSD: src/sbin/newfs_msdos/Makefile,v 1.2 1999/08/28 00:13:52 peter Exp $
 
 PROG=  newfs_msdos
-MAN=   newfs_msdos.8
 DPADD= ${LIBUTIL}
 LDADD= -lutil
 
Index: newfs_ext2fs/Makefile
===
RCS file: /cvs/src/distrib/special/newfs_ext2fs/Makefile,v
retrieving revision 1.1
diff -u -p -r1.1 Makefile
--- newfs_ext2fs/Makefile   23 Dec 2014 17:16:02 -  1.1
+++ newfs_ext2fs/Makefile   24 Aug 2022 21:15:48 -
@@ -1,7 +1,6 @@
 # $OpenBSD: Makefile,v 1.1 2014/12/23 17:16:02 deraadt Exp $
 PROG=  

libutil: opendev: require block/character devices

2022-08-24 Thread Klemens Nanni
On Mon, Aug 22, 2022 at 10:38:29AM +, Klemens Nanni wrote:
> The real problem seems to be that opendev(3) happily opens a regular
> file as device, but only if the argument contains a slash:
> 
>   # installboot -v ./biosboot
>   Using / as root
>   installing bootstrap on ./biosboot
>   using first-stage /usr/mdec/biosboot, second-stage /usr/mdec/boot
> 
>   # installboot -v biosboot
>   installboot: open: /dev/rbiosboot: No such file or directory
> 
> This points at the same file and "biosboot" is obviously neither a short
> form device name nor a DUID.

opendev(3) blindly open(2)s its path argument and returns the return
code if the path contains a slash -- no checks are performed, which
results in usages like the first demo.

If path has no slash, it is taken as DUID and diskmap(4) makes sure that
it either maps to a valid device or fails, see the second usage.


Make opendev(3) require a character (or block if OPENDEV_BLCK is passed)
and fail otherwise, yielding a more accurate:

$ doas ./obj/installboot -v /usr/mdec/biosboot
installboot: open: ./Makefile: Block device required

This seems much clearer and prevents tools from opening arbitrary
files as "devices".

Feedback? Am I missing anything?


Index: opendev.3
===
RCS file: /cvs/src/lib/libutil/opendev.3,v
retrieving revision 1.22
diff -u -p -r1.22 opendev.3
--- opendev.3   15 Jan 2015 19:06:32 -  1.22
+++ opendev.3   24 Aug 2022 19:34:20 -
@@ -90,10 +90,12 @@ is not
 .Dv NULL ,
 it is modified to point at the fully expanded device name.
 .Sh RETURN VALUES
-The
+If successful,
 .Fn opendev
-return value and errors are the same as the return value and errors of
-.Xr open 2 .
+returns a file descriptor.
+Otherwise, a value of -1 is returned and
+.Va errno
+is set to indicate the error.
 .Sh SEE ALSO
 .Xr open 2 ,
 .Xr getrawpartition 3 ,
Index: opendev.c
===
RCS file: /cvs/src/lib/libutil/opendev.c,v
retrieving revision 1.15
diff -u -p -r1.15 opendev.c
--- opendev.c   30 Jun 2011 15:04:58 -  1.15
+++ opendev.c   24 Aug 2022 19:54:25 -
@@ -38,6 +38,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "util.h"
 
@@ -63,8 +64,25 @@ opendev(const char *path, int oflags, in
prefix = "r";   /* character device */
 
if ((slash = strchr(path, '/'))) {
+   struct stat sb;
+
strlcpy(namebuf, path, sizeof(namebuf));
fd = open(namebuf, oflags);
+
+   if (fd != -1) {
+   if (fstat(fd, ) == -1) {
+   close(fd);
+   fd = -1;
+   }
+   
+   if (((dflags & OPENDEV_BLCK) &&
+   !S_ISBLK(sb.st_mode)) ||
+   !S_ISCHR(sb.st_mode)) {
+   close(fd);
+   fd = -1;
+   errno = ENOTBLK;
+   }
+   }
} else if (isduid(path, dflags)) {
strlcpy(namebuf, path, sizeof(namebuf));
if ((fd = open("/dev/diskmap", oflags)) != -1) {
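Review bot: after `fstat()` fails the code closes the fd but falls through into the type test, which then reads the uninitialised sb.st_mode, calls close(2) a second time on fd == -1 and overwrites fstat's errno with ENOTBLK; make the second check an else-if. Separately, the test `((dflags & OPENDEV_BLCK) && !S_ISBLK(...)) || !S_ISCHR(...)` is true for every block device, so OPENDEV_BLCK callers can never get a descriptor back; it has to select one predicate, `(dflags & OPENDEV_BLCK) ? !S_ISBLK(sb.st_mode) : !S_ISCHR(sb.st_mode)`.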



Re: bgpd silence "connection from non-peer" unless verbose

2022-08-24 Thread Denis Fondras
On Tue, Aug 23, 2022 at 06:28:12PM +0200, Claudio Jeker wrote:
> I noticed that the "connection from non-peer" message can fill the log and
> be so chatty that it is hard to see the other messages. The system I see
> this on is a bit special since it gets hammered by incorrectly configured
> systems. Maybe other people find this message helpful. If so please
> speak up now because I think the message does not add much info and should
> be skipped unless verbose logging is used.
> 

I agree with this change (I also have a log full of this message).

> -- 
> :wq Claudio
> 
> Index: logmsg.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/logmsg.c,v
> retrieving revision 1.8
> diff -u -p -r1.8 logmsg.c
> --- logmsg.c  28 Jul 2022 13:11:48 -  1.8
> +++ logmsg.c  23 Aug 2022 14:38:42 -
> @@ -213,11 +213,11 @@ void
>  log_conn_attempt(const struct peer *peer, struct sockaddr *sa, socklen_t len)
>  {
>   char*p;
> - const char  *b;
>  
>   if (peer == NULL) { /* connection from non-peer, drop */
> - b = log_sockaddr(sa, len);
> - logit(LOG_INFO, "connection from non-peer %s refused", b);
> + if (log_getverbose())
> + logit(LOG_INFO, "connection from non-peer %s refused",
> + log_sockaddr(sa, len));
>   } else {
>   /* only log if there is a chance that the session may come up */
>   if (peer->conf.down && peer->state == STATE_IDLE)
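Review bot: gating the message on log_getverbose() removes, at default verbosity, the only record that an unexpected host reached the BGP listener; the flood this fixes is also what an operator would want to see once, as a summary. Consider rate-limiting the line (log once per source per interval, or once with a count) rather than dropping it entirely, so the noisy case is quiet but a new non-peer source still leaves a trace. Removing `b` and passing log_sockaddr(sa, len) directly is fine.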
> 



unbound update

2022-08-24 Thread Stuart Henderson
Anyone want to test this?

Any OKs?

The CVEs mentioned are these:

=== CVE-2022-30698
Unbound prior to 1.16.2 allows malicious users to trigger continued
resolvability of malicious domain names, even after their revocation
from the parent zone, via a novel type of the "ghost domain names"
attack that targets child-centric DNS resolvers.

=== CVE-2022-30699
Unbound prior to 1.16.2 allows malicious users to trigger continued
resolvability of malicious domain names, even after their revocation
from the parent zone, via a novel type of the "ghost domain names"
attack that targets child-centric DNS resolvers.

More info at
https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt




Index: doc/Changelog
===
RCS file: /cvs/src/usr.sbin/unbound/doc/Changelog,v
retrieving revision 1.44
diff -u -p -r1.44 Changelog
--- doc/Changelog   7 Jun 2022 15:42:53 -   1.44
+++ doc/Changelog   24 Aug 2022 14:00:08 -
@@ -1,9 +1,115 @@
 7 February 2022: Wouter
- Fix that TCP interface does not use TLS when TLS is also configured.
 
+1 August 2022: Wouter
+   - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
+   - Tests for ghost domain fixes.
+
+19 July 2022: George
+   - Update documentation for 'outbound-msg-retry:'.
+
+19 July 2022: Wouter
+   - Merge #718: Introduce infra-cache-max-rtt option to config max
+ retransmit timeout.
+
+15 July 2022: Wouter
+   - Merge PR 714: Avoid treat normal hosts as unresponsive servers.
+ And fixup the lock code.
+   - iana portlist update.
+
+12 July 2022: George
+   - For windows crosscompile, fix setting the IPV6_MTU socket option
+ equivalent (IPV6_USER_MTU); allows cross compiling with latest
+ cross-compiler versions.
+
+12 July 2022: Wouter
+   - Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
+
+11 July 2022: Wouter
+   - Fix verbose EDE error printout.
+
+4 July 2022: George
+   - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
+ one loop pass'.
+   - Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
+ outbound tcp sockets.
+
+4 July 2022: Wouter
+   - Tag for 1.16.1rc1 release. This became 1.16.1 on 11 July 2022.
+ The code repo continues with version 1.16.2 under development.
+
+3 July 2022: George
+   - Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS
+ mode on openssl3.
+   - Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
+   - For #660: formatting, less verbose logging, add EDE information.
+   - Fix for correct openssl error when adding windows CA certificates to
+ the openssl trust store.
+   - Improve val_sigcrypt.c::algo_needs_missing for one loop pass.
+   - Reintroduce documentation and more EDE support for
+ val_sigcrypt.c::dnskeyset_verify_rrset_sig.
+
+1 July 2022: George
+   - Merge PR #706: NXNS fallback.
+   - From #706: Cached NXDOMAIN does not increase the target nx
+ responses.
+   - From #706: Don't generate parent side queries if we already
+ have the lame records in cache.
+   - From #706: When a lame address is the best choice, don't try to
+ generate target queries when the missing targets are all lame.
+
+29 June 2022: Wouter
+   - iana portlist update.
+   - Fix detection of libz on windows compile with static option.
+   - Fix compile warning for windows compile.
+
+29 June 2022: George
+   - Add debug option to the mini_tdir.sh test code.
+   - Fix #704: [FR] Statistics counter for number of outgoing UDP queries
+ sent; introduces 'num.query.udpout' to the 'unbound-control stats'
+ command.
+   - Fix to not count cached NXDOMAIN for MAX_TARGET_NX.
+   - Allow fallback to the parent side when MAX_TARGET_NX is reached.
+ This will also allow MAX_TARGET_NX more NXDOMAINs.
+
+28 June 2022: George
+   - Show the output of the exact .rpl run that failed with 'make test'.
+   - Fix for cached 0 TTL records to not trigger prefetching when
+ serve-expired-client-timeout is set.
+
+28 June 2022: Wouter
+   - Fix test program dohclient close to use portability routine.
+
+23 June 2022: Tom
+   - Clarify -v flag manpage entry (#705)
+
+22 June 2022: Philip
+   - Fix #663: use after free issue with edns options.
+
+21 June 2022: Philip
+   - Fix for loading locally stored zones that have lines with blanks or
+ blanks and comments.
+
+20 June 2022: George
+   - Remove unused LDNS function check for GOST Engine unloading.
+
+14 June 2022: George
+   - Merge PR #688: Rpz url notify issue.
+   - Note in the unbound.conf text that NOTIFY is allowed from the url:
+ addresses for auth and rpz zones.
+
+3 June 2022: George
+   - Fix for edns client subnet 
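Review bot: the Changelog hunk is cut off mid-entry here ("Fix for edns client subnet"), and the excerpt contains none of the source changes behind the "1 August 2022" entry that fixes CVE-2022-30698 and CVE-2022-30699, so the ghost-domain fix itself cannot be reviewed from what is shown; testers should work from the complete diff.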

Re: [RFC] acpi: add acpitimer_delay(), acpihpet_delay()

2022-08-24 Thread Jonathan Gray
On Tue, Aug 23, 2022 at 12:20:39PM -0500, Scott Cheloha wrote:
> > Hyper-V generation 1 VMs are bios boot with emulation of the usual
> > devices.  32-bit and 64-bit guests.
> > 
> > Hyper-V generation 2 VMs are 64-bit uefi with paravirtualised devices.
> > 64-bit guests only.
> > 
> > There is no 8254 in generation 2.
> > No HPET in either generation.
> > 
> > hv_delay uses the "Partition Reference Counter MSR" described in
> > https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/timers
> > It seems it is available in both generations and could be used from i386?
> > 
> > From reading that page hv_delay() should be preferred over lapic_delay()
> 
> Alright, I have nudged hv_delay's quality up over lapic_delay's
> quality.

Before these changes, tsc is probed before pvbus.  Do the tsc sanity
checks result in it not being considered an option on hyper-v?  I think
the tsc_delay and hv_delay numbers should be swapped in a later commit.
It is unclear if that would change the final delay_func setting.

It would be a good idea to have different commits for the places new
delay callbacks are introduced.

- add delay_init()
- use delay_init() in lapic, tsc, hv_delay
- commit acpihpet
- commit acpitimer
- swap tsc and hv_delay numbers

> 
> How are we looking now?

some minor suggestions inline

have you built a release with this?

> 
> Index: sys/arch/amd64/amd64/lapic.c
> ===
> RCS file: /cvs/src/sys/arch/amd64/amd64/lapic.c,v
> retrieving revision 1.60
> diff -u -p -r1.60 lapic.c
> --- sys/arch/amd64/amd64/lapic.c  15 Aug 2022 04:17:50 -  1.60
> +++ sys/arch/amd64/amd64/lapic.c  23 Aug 2022 17:18:30 -
> @@ -486,8 +486,6 @@ wait_next_cycle(void)
>   }
>  }
>  
> -extern void tsc_delay(int);
> -

this cleanup is unrelated and should be a different diff/commit

>  /*
>   * Calibrate the local apic count-down timer (which is running at
>   * bus-clock speed) vs. the i8254 counter/timer (which is running at
> @@ -592,8 +590,7 @@ skip_calibration:
>* Now that the timer's calibrated, use the apic timer routines
>* for all our timing needs..
>*/
> - if (delay_func == i8254_delay)
> - delay_func = lapic_delay;
> + delay_init(lapic_delay, 3000);
>   initclock_func = lapic_initclocks;
>   }
>  }
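Review bot: the old `if (delay_func == i8254_delay)` guard is dropped in favour of `delay_init(lapic_delay, 3000)`, which is the right direction, but 3000 is a bare literal whose relationship to the 5000 used for tsc_delay in tsc.c is only visible by reading both files; a named constant would make the intended ordering reviewable in one place.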
> Index: sys/arch/amd64/amd64/machdep.c
> ===
> RCS file: /cvs/src/sys/arch/amd64/amd64/machdep.c,v
> retrieving revision 1.279
> diff -u -p -r1.279 machdep.c
> --- sys/arch/amd64/amd64/machdep.c7 Aug 2022 23:56:06 -   1.279
> +++ sys/arch/amd64/amd64/machdep.c23 Aug 2022 17:18:31 -
> @@ -2069,3 +2069,13 @@ check_context(const struct reg *regs, st
>  
>   return 0;
>  }
> +
> +void
> +delay_init(void(*fn)(int), int fn_quality)
> +{
> + static int cur_quality = 0;
> + if (fn_quality > cur_quality) {
> + delay_func = fn;
> + cur_quality = fn_quality;
> + }
> +}
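Review bot: KNF asks for a blank line between the local declaration `static int cur_quality = 0;` and the first statement, and for `void (*fn)(int)` with a space after `void`. Also note that `fn_quality > cur_quality` keeps the incumbent on ties, so two callbacks registered with the same quality are chosen by probe order; if that is intended it deserves a comment, since the whole point of the quality value is to stop the result depending on probe order.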
> Index: sys/arch/amd64/amd64/tsc.c
> ===
> RCS file: /cvs/src/sys/arch/amd64/amd64/tsc.c,v
> retrieving revision 1.25
> diff -u -p -r1.25 tsc.c
> --- sys/arch/amd64/amd64/tsc.c12 Aug 2022 02:20:36 -  1.25
> +++ sys/arch/amd64/amd64/tsc.c23 Aug 2022 17:18:31 -
> @@ -109,7 +109,7 @@ tsc_identify(struct cpu_info *ci)
>  
>   tsc_frequency = tsc_freq_cpuid(ci);
>   if (tsc_frequency > 0)
> - delay_func = tsc_delay;
> + delay_init(tsc_delay, 5000);
>  }
>  
>  static inline int
> Index: sys/arch/amd64/include/cpu.h
> ===
> RCS file: /cvs/src/sys/arch/amd64/include/cpu.h,v
> retrieving revision 1.148
> diff -u -p -r1.148 cpu.h
> --- sys/arch/amd64/include/cpu.h  22 Aug 2022 08:57:54 -  1.148
> +++ sys/arch/amd64/include/cpu.h  23 Aug 2022 17:18:31 -
> @@ -359,6 +359,7 @@ void signotify(struct proc *);
>   * We need a machine-independent name for this.
>   */
>  extern void (*delay_func)(int);
> +void delay_init(void (*)(int), int);
>  struct timeval;
>  
>  #define DELAY(x) (*delay_func)(x)
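Review bot: the prototype `void delay_init(void (*)(int), int);` is the natural home for the quality values it takes; define them here (for example per-callback constants for i8254, lapic, tsc and hv_delay) instead of spreading 3000 and 5000 as magic numbers across lapic.c and tsc.c, so the later "swap tsc and hv_delay numbers" commit is a one-line change in one header.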
> Index: sys/arch/i386/i386/lapic.c
> ===
> RCS file: /cvs/src/sys/arch/i386/i386/lapic.c,v
> retrieving revision 1.49
> diff -u -p -r1.49 lapic.c
> --- sys/arch/i386/i386/lapic.c15 Aug 2022 04:17:50 -  1.49
> +++ sys/arch/i386/i386/lapic.c23 Aug 2022 17:18:31 -
> @@ -395,7 +395,7 @@ lapic_calibrate_timer(struct cpu_info *c
>* Now that the timer's calibrated, use the apic timer routines
>* for all our timing needs..
>*/
> - delay_func = lapic_delay;
> + delay_init(lapic_delay, 3000);
> 

Re: libfido2 update

2022-08-24 Thread Damien Miller
On Wed, 24 Aug 2022, Damien Miller wrote:

> Hi,
> 
> https://www.mindrot.org/misc/libfido2-1.11.0.diff contains an update
> for src/libfido2 from 1.8 to 1.11 (about 10 months of upstream
> development).
> 
> I've tested it with OpenSSH, which is the only thing in src/ that
> uses it as well as compiling www/chromium and performing a FIDO login
> with it.
> 
> ok?

If you tried to fetch the patch and got a HTTP 500, then please try
again. Unsure why httpd returns 500 for bad permissions instead of
the more usual 403...

-d



libfido2 update

2022-08-24 Thread Damien Miller
Hi,

https://www.mindrot.org/misc/libfido2-1.11.0.diff contains an update
for src/libfido2 from 1.8 to 1.11 (about 10 months of upstream
development).

I've tested it with OpenSSH, which is the only thing in src/ that
uses it as well as compiling www/chromium and performing a FIDO login
with it.

ok?

-d