Re: snapshot boot fails with error "entry point at 0x1001000"
On Sat, Jul 04, 2020 at 11:09:54AM +, Michael Baehr wrote: > Kastus Shchuka wrote: > “I installed 2020-07-03 snapshot on ASRock J4105M system and I am not able to > boot it. > Boot stops at the line > > entry point at 0x1001000 > > If I try bsd.rd kernel, it boots just fine. After this failure with snapshot > I > installed 6.7-release, and it boots without any issues.” > > > I've experienced something similar, including the sensitivity to kernel size. > As best I can observe, the EFI bootloader is being handed a different block > of RAM than where the kernel is actually loaded (which is at a fixed address > defined in boot.c). Which block of memory gets returned, and whether boot > fails, seems to be dependent on the particular UEFI ROM/chipset. In my case, > debugging over serial, I observe a page fault while the kernel is still being > loaded into RAM. > “Are there any other solutions than compiling a custom smaller kernel?” > > > Patching efiboot.c as follows and recompiling bootia32/bootx64 resolved it > for me: > --- a/sys/arch/amd64/stand/efiboot/efiboot.c > +++ b/sys/arch/amd64/stand/efiboot/efiboot.c > @@ -303,9 +303,9 @@ efi_memprobe(void) > bios_memmap_t *bm; > EFI_STATUS status; > EFI_PHYSICAL_ADDRESS > -addr = 0x1000ULL; /* Below 256MB */ > +addr = 0x100; > > - status = EFI_CALL(BS->AllocatePages, AllocateMaxAddress, > EfiLoaderData, > + status = EFI_CALL(BS->AllocatePages, AllocateAddress, EfiLoaderData, > EFI_SIZE_TO_PAGES(KERN_LOADSPACE_SIZE), &addr); > if (status != EFI_SUCCESS) > panic("BS->AllocatePages()"); > Let me know if that helps. I can't guarantee that this is actually what is > causing your issue but it worked for me. I tried this patch and was able to boot kernel from snapshot 2007-07-03 with recompiled BOOTX64.EFI. It fixes the problem with EFI memory mapping on ASRock J4105M motherboard. I wonder what would it take for the patch to be accepted in -current? Thanks, Kastus
Re: no u-boot serial output on raspberry pi 3
On Sun, Jul 05, 2020 at 09:18:55PM +0100, testing999...@zohomail.eu wrote: > i can't get any u-boot serial output from miniroot67.fs on a raspberry > pi 3. i'm using a 'FTDI232' which cost ~$4 - USB to 3.3V jumper > cables, connecting TX to RX and vice versa on GPIO header. > > my serial console setup works without issue with a pi 1 and a pi 3, > running raspbian, with: > $ screen /dev/ttyUSB0 115200 > i had to add 'enable_uart=1' to /boot/config.txt before with console > became accessible, on the pi 3. > > i tried mounting the partitions after dd'ing miniroot67.fs and > looking for some text files to edit, but there were only binaries > > any ideas? i can only think of trying older miniroots or snapshots > next. thanks The arm64 miniroot contains a fat filesystem with raspberry pi firmware, config.txt and rpi_3 u-boot. The config.txt already has serial enabled (with pl011 uart): arm_64bit=1 enable_uart=1 dtoverlay=disable-bt kernel=u-boot.bin You can force the firmware stage which runs before u-boot to output on serial by modifying bootcode.bin as described at the end of https://www.raspberrypi.org/documentation/hardware/raspberrypi/bootmodes/README.md If you try miniroot67.img from a snapshot you'll get a more recent version of u-boot. May be worth trying.
Prohibit WiFi interface from transmitting?
I've installed OpenBSD 6.7 on a system that have an athn(4) wireless network adapter. Before setting up this device, I wanted to verify the configuration of pf, unbound etc. which required the interface to have an IP address, so I added the following line to /etc/hostname.athn0: inet 192.168.10.1 255.255.255.0 This enabled the interface, which allowed pf, unbound etc. to start: # ifconfig athn0 athn0: flags=8843 mtu 1500 lladdr XX:XX:XX:XX:XX:XX index 4 priority 4 llprio 3 groups: wlan media: IEEE802.11 autoselect (DS1) status: no network ieee80211: nwid "" inet 192.168.10.1 netmask 0xff00 broadcast 192.168.10.255 However, it also automatically made the interface start scanning: # netstat -W athn0 | grep scans 1 active scans started 0 passive scans started Is it possible to configure the athn0 interface with an IP address, but prohibit any kind of wireless communication? The reason for this is that I have to verify many systems with different configuration, which requires athn0 to be configured with an IP address. I want to do the verification and install patches before any wireless communication happens, as I can't guarantee that none of the devices within wireless range are malicious. Regards, Mogens Jensen
no u-boot serial output on raspberry pi 3
i can't get any u-boot serial output from miniroot67.fs on a raspberry pi 3. i'm using a 'FTDI232' which cost ~$4 - USB to 3.3V jumper cables, connecting TX to RX and vice versa on GPIO header. my serial console setup works without issue with a pi 1 and a pi 3, running raspbian, with: $ screen /dev/ttyUSB0 115200 i had to add 'enable_uart=1' to /boot/config.txt before with console became accessible, on the pi 3. i tried mounting the partitions after dd'ing miniroot67.fs and looking for some text files to edit, but there were only binaries any ideas? i can only think of trying older miniroots or snapshots next. thanks
Re: Prohibit WiFi interface from transmitting?
On Sun, Jul 05, 2020 at 08:37:40PM +, Mogens Jensen wrote: > I've installed OpenBSD 6.7 on a system that have an athn(4) wireless > network adapter. Before setting up this device, I wanted to verify the > configuration of pf, unbound etc. which required the interface to have > an IP address, so I added the following line to /etc/hostname.athn0: > > inet 192.168.10.1 255.255.255.0 > > This enabled the interface, which allowed pf, unbound etc. to start: > > # ifconfig athn0 > athn0: flags=8843 mtu 1500 > lladdr XX:XX:XX:XX:XX:XX > index 4 priority 4 llprio 3 > groups: wlan > media: IEEE802.11 autoselect (DS1) > status: no network > ieee80211: nwid "" > inet 192.168.10.1 netmask 0xff00 broadcast 192.168.10.255 > > However, it also automatically made the interface start scanning: > > # netstat -W athn0 | grep scans > 1 active scans started > 0 passive scans started > > Is it possible to configure the athn0 interface with an IP address, but > prohibit any kind of wireless communication? Setting an IP address will implicitly mark the interface UP. This is long-standing behaviour and unlikely to change. And when a wifi interfaces is marked UP it will search for access points. Since you don't have an nwid configured, what will happen is: 1) The device will send a probe request with a wildcard SSID. Afterwards it will continue to listen for beacons indefinitely. 2) The device will receive beacons which are parsed by the kernel to populate the list of networks shown by 'ifconfig athn0 scan'. Because no nwid is configured no connection attempt will be made. (Note that this is new behaviour in OpenBSD 6.7. Before 6.7, the kernel would try to find an unencrypted network to connect to.) It is impossible to exchange data frames with the system over wifi in this unassociated state because any incoming data frames will be dropped. So if that's your concern then there is no actual reason to worry. > The reason for this is that I have to verify many systems with > different configuration, which requires athn0 to be configured with an > IP address. I want to do the verification and install patches before any > wireless communication happens, as I can't guarantee that none of the > devices within wireless range are malicious. As a workaround you could add 'down' to your hostname.if file after configuring the IP: inet 192.168.10.1 255.255.255.0 down That will disable the device after IP configuration. The address will remain configured and the interface will remain inactive until marked UP. Though I cannot tell if this would satisfy your verification process.
Re: Relayd with TLS and non-TLS backends - bug
This specific Backend in my test lab is an IIS machine, but in production I have OpenBSD/HAProxy in front of IIS, Apache, Tomcat, etc. I'm not doing anything fancy either... although the certificate in the lab is signed by an internal CA. Here's the relevant output from openssl s_client: The cert verifies perfectly fine. openssl s_client -connect 192.168.42.61:443 --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher: ECDHE-RSA-AES256-SHA384 Session-ID: C0138246D3973B3106A378C0DB503D4BCDE02C6461AB073949027C90CDCF Session-ID-ctx: Master-Key: AACBE3A3E34406F9371B4E85D4DC82C177C641C94806562053C000FE0E019D2E1456702F69DECFB6D11C4B4A12A0D555 Start Time: 1593970747 Timeout : 7200 (sec) Verify return code: 0 (ok) --- and Netcat: nc -zv 192.168.42.61 443 Connection to 192.168.42.61 443 port [tcp/https] succeeded! On Fri, Jul 3, 2020 at 9:40 PM Daniel Jakots wrote: > > On Fri, 3 Jul 2020 19:14:17 -0400, Henry Bonath > wrote: > > > Daniel, > > > > Thanks for taking the time to test this out. > > I just reloaded a test machine from scratch with -current and > > installed the HAProxy 2.0.15-4f39279 package. > > I loaded a very basic config file, and am also seeing the same exact > > issue on this one as well. > > Very strange that you are not - > > Would you mind sharing any additional details of your config file? > > Is there anything special about the certificate you have on the > > backend server? > > > > I would love to understand what is going on here and what the > > difference is with my experience. > > What is your backend running? Can you connect from the haproxy host with > nc(1) and/or openssl(1)? > > I try to do my stuff as vanilla as possible so it's an RSA key signed > by LE.
Re: An Athn ar9280 client seems to require cold boots of late?
On Mon, Jun 29, 2020 at 12:09:12PM +, Kapfhammer, Stefan wrote: > Hi, > > I am using exactly the same WLE-200NX wifi card in an APU2B4. I have a > BlackBerry KeyONE > running at Android 8.1 / Version ABT975 which I use as hotspot for the APU2. > > After setting athn0 down, it is impossible to establish the connection - > without further intervention - > a second time. > > What helps is: > > First: > #/bin/sh > /sbin/ifconfig athn0 > /sbin/ifconfig athn0 down -inet -inet6 -join bbk1 -wpakey -chan -bssid > /sbin/ifconfig athn0 > > Second: > Disabling the hotspot on bbk1 and re-enabling it > > Third: > sh -x /etc/netstart athn0 > > This prevents to do a coldboot on the APU2 - reducing downtime. > AND: It works reliably everytime since month! > In case you missed it, a fix was proposed on the bugs@ list on Friday: https://marc.info/?l=openbsd-bugs&m=159380123409160&w=2 The same patch is copied below. If anyone else could confirm that this makes athn(4) work again as a client against a WPA2 AP then I will commit this. diff refs/heads/master refs/heads/athn-ccmpfix blob - 3a28d87bc88a0e7b9ed6c873bd7a07682cc91a0b blob + 1d739529d7d214bea314e50e847594dc01021a41 --- sys/dev/ic/ar5008.c +++ sys/dev/ic/ar5008.c @@ -811,12 +811,20 @@ ar5008_ccmp_decap(struct athn_softc *sc, struct mbuf * /* Sanity checks to ensure this is really a key we installed. */ entry = (uintptr_t)k->k_priv; if (k->k_flags & IEEE80211_KEY_GROUP) { - if (k->k_id > IEEE80211_WEP_NKID || + if (k->k_id >= IEEE80211_WEP_NKID || entry != k->k_id) return 1; - } else if (entry != IEEE80211_WEP_NKID + - IEEE80211_AID(ni->ni_associd)) - return 1; + } else { +#ifndef IEEE80211_STA_ONLY + if (ic->ic_opmode == IEEE80211_M_HOSTAP) { + if (entry != IEEE80211_WEP_NKID + + IEEE80211_AID(ni->ni_associd)) + return 1; + } else +#endif + if (entry != IEEE80211_WEP_NKID) + return 1; + } /* Check that ExtIV bit is set. */ if (!(ivp[3] & IEEE80211_WEP_EXTIV)) blob - 40725b02c43b54e10a87de333acdfd3b8270534d blob + f7aa77ba15cae787a42fdbffb8a9d9cd2d0226d2 --- sys/dev/ic/athn.c +++ sys/dev/ic/athn.c @@ -1037,12 +1037,17 @@ athn_set_key(struct ieee80211com *ic, struct ieee80211 } if (!(k->k_flags & IEEE80211_KEY_GROUP)) { - entry = IEEE80211_WEP_NKID + IEEE80211_AID(ni->ni_associd); +#ifndef IEEE80211_STA_ONLY + if (ic->ic_opmode == IEEE80211_M_HOSTAP) + entry = IEEE80211_WEP_NKID + IEEE80211_AID(ni->ni_associd); + else +#endif + entry = IEEE80211_WEP_NKID; if (entry >= sc->kc_entries - IEEE80211_WEP_NKID) return ENOSPC; } else { entry = k->k_id; - if (entry > IEEE80211_WEP_NKID) + if (entry >= IEEE80211_WEP_NKID) return ENOSPC; } k->k_priv = (void *)entry; @@ -3056,10 +3061,6 @@ athn_init(struct ifnet *ifp) else athn_config_pcie(sc); - /* Reset HW key cache entries. */ - for (i = 0; i < sc->kc_entries; i++) - athn_reset_key(sc, i); - ops->enable_antenna_diversity(sc); #ifdef ATHN_BT_COEXISTENCE @@ -3086,6 +3087,10 @@ athn_init(struct ifnet *ifp) /* Enable Rx. */ athn_rx_start(sc); + /* Reset HW key cache entries. */ + for (i = 0; i < sc->kc_entries; i++) + athn_reset_key(sc, i); + /* Enable interrupts. */ athn_enable_interrupts(sc); @@ -3121,7 +3126,7 @@ athn_stop(struct ifnet *ifp, int disable) { struct athn_softc *sc = ifp->if_softc; struct ieee80211com *ic = &sc->sc_ic; - int qid; + int qid, i; ifp->if_timer = sc->sc_tx_timer = 0; ifp->if_flags &= ~IFF_RUNNING; @@ -3158,6 +3163,10 @@ athn_stop(struct ifnet *ifp, int disable) AR_WRITE_BARRIER(sc); athn_set_rxfilter(sc, 0); athn_stop_rx_dma(sc); + + /* Reset HW key cache entries. */ + for (i = 0; i < sc->kc_entries; i++) + athn_reset_key(sc, i); athn_reset(sc, 0); athn_init_pll(sc, NULL);