Re: snapshot boot fails with error "entry point at 0x1001000"

[Kastus Shchuka]

On Sat, Jul 04, 2020 at 11:09:54AM +, Michael Baehr wrote:
> Kastus Shchuka  wrote:
> “I installed 2020-07-03 snapshot on ASRock J4105M system and I am not able to 
> boot it.
> Boot stops at the line
> 
> entry point at 0x1001000
> 
> If I try bsd.rd kernel, it boots just fine. After this failure with snapshot 
> I 
> installed 6.7-release, and it boots without any issues.”
> 
> 
> I've experienced something similar, including the sensitivity to kernel size. 
> As best I can observe, the EFI bootloader is being handed a different block 
> of RAM than where the kernel is actually loaded (which is at a fixed address 
> defined in boot.c). Which block of memory gets returned, and whether boot 
> fails, seems to be dependent on the particular UEFI ROM/chipset. In my case, 
> debugging over serial, I observe a page fault while the kernel is still being 
> loaded into RAM.
> “Are there any other solutions than compiling a custom smaller kernel?”
> 
> 
> Patching efiboot.c as follows and recompiling bootia32/bootx64 resolved it 
> for me:
> --- a/sys/arch/amd64/stand/efiboot/efiboot.c
> +++ b/sys/arch/amd64/stand/efiboot/efiboot.c
> @@ -303,9 +303,9 @@ efi_memprobe(void)
> bios_memmap_t   *bm;
> EFI_STATUS   status;
> EFI_PHYSICAL_ADDRESS
> -addr = 0x1000ULL;  /* Below 256MB */
> +addr = 0x100;
>  
> -   status = EFI_CALL(BS->AllocatePages, AllocateMaxAddress, 
> EfiLoaderData,
> +   status = EFI_CALL(BS->AllocatePages, AllocateAddress, EfiLoaderData,
> EFI_SIZE_TO_PAGES(KERN_LOADSPACE_SIZE), &addr);
> if (status != EFI_SUCCESS)
> panic("BS->AllocatePages()");
> Let me know if that helps. I can't guarantee that this is actually what is 
> causing your issue but it worked for me.

I tried this patch and was able to boot kernel from snapshot 2007-07-03 with 
recompiled BOOTX64.EFI.
It fixes the problem with EFI memory mapping on ASRock J4105M motherboard.

I wonder what would it take for the patch to be accepted in -current?

Thanks,

Kastus

Re: no u-boot serial output on raspberry pi 3

[Jonathan Gray]

On Sun, Jul 05, 2020 at 09:18:55PM +0100, testing999...@zohomail.eu wrote:
> i can't get any u-boot serial output from miniroot67.fs on a raspberry
> pi 3.  i'm using a 'FTDI232' which cost ~$4 - USB to 3.3V jumper
> cables, connecting TX to RX and vice versa on GPIO header.
> 
> my serial console setup works without issue with a pi 1 and a pi 3,
> running raspbian, with:
> $ screen /dev/ttyUSB0 115200
> i had to add 'enable_uart=1' to /boot/config.txt before with console
> became accessible, on the pi 3.
> 
> i tried mounting the partitions after dd'ing miniroot67.fs and
> looking for some text files to edit, but there were only binaries
> 
> any ideas? i can only think of trying older miniroots or snapshots
> next. thanks

The arm64 miniroot contains a fat filesystem with raspberry pi firmware,
config.txt and rpi_3 u-boot. The config.txt already has serial enabled
(with pl011 uart):

arm_64bit=1
enable_uart=1
dtoverlay=disable-bt
kernel=u-boot.bin

You can force the firmware stage which runs before u-boot to output on
serial by modifying bootcode.bin as described at the end of
https://www.raspberrypi.org/documentation/hardware/raspberrypi/bootmodes/README.md

If you try miniroot67.img from a snapshot you'll get a more recent
version of u-boot.  May be worth trying.

Prohibit WiFi interface from transmitting?

[Mogens Jensen]

I've installed OpenBSD 6.7 on a system that have an athn(4) wireless
network adapter. Before setting up this device, I wanted to verify the
configuration of pf, unbound etc. which required the interface to have
an IP address, so I added the following line to /etc/hostname.athn0:

inet 192.168.10.1 255.255.255.0

This enabled the interface, which allowed pf, unbound etc. to start:

# ifconfig athn0
athn0: flags=8843 mtu 1500
lladdr XX:XX:XX:XX:XX:XX
index 4 priority 4 llprio 3
groups: wlan
media: IEEE802.11 autoselect (DS1)
status: no network
ieee80211: nwid ""
inet 192.168.10.1 netmask 0xff00 broadcast 192.168.10.255

However, it also automatically made the interface start scanning:

# netstat -W athn0 | grep scans
1 active scans started
0 passive scans started

Is it possible to configure the athn0 interface with an IP address, but
prohibit any kind of wireless communication?

The reason for this is that I have to verify many systems with
different configuration, which requires athn0 to be configured with an
IP address. I want to do the verification and install patches before any
wireless communication happens, as I can't guarantee that none of the
devices within wireless range are malicious.


Regards,
Mogens Jensen

no u-boot serial output on raspberry pi 3

[testing999888]

i can't get any u-boot serial output from miniroot67.fs on a raspberry
pi 3.  i'm using a 'FTDI232' which cost ~$4 - USB to 3.3V jumper
cables, connecting TX to RX and vice versa on GPIO header.

my serial console setup works without issue with a pi 1 and a pi 3,
running raspbian, with:
$ screen /dev/ttyUSB0 115200
i had to add 'enable_uart=1' to /boot/config.txt before with console
became accessible, on the pi 3.

i tried mounting the partitions after dd'ing miniroot67.fs and
looking for some text files to edit, but there were only binaries

any ideas? i can only think of trying older miniroots or snapshots
next. thanks

Re: Prohibit WiFi interface from transmitting?

[Stefan Sperling]

On Sun, Jul 05, 2020 at 08:37:40PM +, Mogens Jensen wrote:
> I've installed OpenBSD 6.7 on a system that have an athn(4) wireless
> network adapter. Before setting up this device, I wanted to verify the
> configuration of pf, unbound etc. which required the interface to have
> an IP address, so I added the following line to /etc/hostname.athn0:
> 
> inet 192.168.10.1 255.255.255.0
> 
> This enabled the interface, which allowed pf, unbound etc. to start:
> 
> # ifconfig athn0
> athn0: flags=8843 mtu 1500
>   lladdr XX:XX:XX:XX:XX:XX
>   index 4 priority 4 llprio 3
>   groups: wlan
>   media: IEEE802.11 autoselect (DS1)
>   status: no network
>   ieee80211: nwid ""
>   inet 192.168.10.1 netmask 0xff00 broadcast 192.168.10.255
> 
> However, it also automatically made the interface start scanning:
> 
> # netstat -W athn0 | grep scans
> 1 active scans started
> 0 passive scans started
> 
> Is it possible to configure the athn0 interface with an IP address, but
> prohibit any kind of wireless communication?

Setting an IP address will implicitly mark the interface UP.
This is long-standing behaviour and unlikely to change.

And when a wifi interfaces is marked UP it will search for access points.

Since you don't have an nwid configured, what will happen is:

1) The device will send a probe request with a wildcard SSID.
   Afterwards it will continue to listen for beacons indefinitely.

2) The device will receive beacons which are parsed by the kernel to
   populate the list of networks shown by 'ifconfig athn0 scan'.
   Because no nwid is configured no connection attempt will be made.
   (Note that this is new behaviour in OpenBSD 6.7. Before 6.7, the
   kernel would try to find an unencrypted network to connect to.)

It is impossible to exchange data frames with the system over wifi in
this unassociated state because any incoming data frames will be dropped.
So if that's your concern then there is no actual reason to worry.

> The reason for this is that I have to verify many systems with
> different configuration, which requires athn0 to be configured with an
> IP address. I want to do the verification and install patches before any
> wireless communication happens, as I can't guarantee that none of the
> devices within wireless range are malicious.

As a workaround you could add 'down' to your hostname.if file after
configuring the IP:

inet 192.168.10.1 255.255.255.0
down

That will disable the device after IP configuration. The address will
remain configured and the interface will remain inactive until marked UP.
Though I cannot tell if this would satisfy your verification process.

Re: Relayd with TLS and non-TLS backends - bug

[Henry Bonath]

This specific Backend in my test lab is an IIS machine, but in
production I have OpenBSD/HAProxy in front of IIS, Apache, Tomcat,
etc.
I'm not doing anything fancy either... although the certificate in the
lab is signed by an internal CA.

Here's the relevant output from openssl s_client: The cert verifies
perfectly fine.
openssl s_client -connect 192.168.42.61:443
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES256-SHA384
Session-ID: C0138246D3973B3106A378C0DB503D4BCDE02C6461AB073949027C90CDCF
Session-ID-ctx:
Master-Key:
AACBE3A3E34406F9371B4E85D4DC82C177C641C94806562053C000FE0E019D2E1456702F69DECFB6D11C4B4A12A0D555
Start Time: 1593970747
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
---

and Netcat:
nc -zv 192.168.42.61 443
Connection to 192.168.42.61 443 port [tcp/https] succeeded!

On Fri, Jul 3, 2020 at 9:40 PM Daniel Jakots  wrote:
>
> On Fri, 3 Jul 2020 19:14:17 -0400, Henry Bonath 
> wrote:
>
> > Daniel,
> >
> > Thanks for taking the time to test this out.
> > I just reloaded a test machine from scratch with -current and
> > installed the HAProxy 2.0.15-4f39279 package.
> > I loaded a very basic config file, and am also seeing the same exact
> > issue on this one as well.
> > Very strange that you are not -
> > Would you mind sharing any additional details of your config file?
> > Is there anything special about the certificate you have on the
> > backend server?
> >
> > I would love to understand what is going on here and what the
> > difference is with my experience.
>
> What is your backend running? Can you connect from the haproxy host with
> nc(1) and/or openssl(1)?
>
> I try to do my stuff as vanilla as possible so it's an RSA key signed
> by LE.

Re: An Athn ar9280 client seems to require cold boots of late?

[Stefan Sperling]

On Mon, Jun 29, 2020 at 12:09:12PM +, Kapfhammer, Stefan wrote:
> Hi,
> 
> I am using exactly the same WLE-200NX wifi card in an APU2B4. I have a 
> BlackBerry KeyONE
> running at Android 8.1 / Version ABT975 which I use as hotspot for the APU2.
> 
> After setting athn0 down, it is impossible to establish the connection - 
> without further intervention -
> a second time.
> 
> What helps is:
> 
> First:
> #/bin/sh
> /sbin/ifconfig athn0
> /sbin/ifconfig athn0 down -inet -inet6 -join bbk1 -wpakey -chan -bssid
> /sbin/ifconfig athn0
> 
> Second:
> Disabling the hotspot on bbk1 and re-enabling it
> 
> Third:
> sh -x /etc/netstart athn0
> 
> This prevents to do a coldboot on the APU2 - reducing downtime.
> AND: It works reliably everytime since month!
> 

In case you missed it, a fix was proposed on the bugs@ list on Friday:
https://marc.info/?l=openbsd-bugs&m=159380123409160&w=2
The same patch is copied below.

If anyone else could confirm that this makes athn(4) work again as
a client against a WPA2 AP then I will commit this.

diff refs/heads/master refs/heads/athn-ccmpfix
blob - 3a28d87bc88a0e7b9ed6c873bd7a07682cc91a0b
blob + 1d739529d7d214bea314e50e847594dc01021a41
--- sys/dev/ic/ar5008.c
+++ sys/dev/ic/ar5008.c
@@ -811,12 +811,20 @@ ar5008_ccmp_decap(struct athn_softc *sc, struct mbuf *
/* Sanity checks to ensure this is really a key we installed. */
entry = (uintptr_t)k->k_priv;
if (k->k_flags & IEEE80211_KEY_GROUP) {
-   if (k->k_id > IEEE80211_WEP_NKID ||
+   if (k->k_id >= IEEE80211_WEP_NKID ||
entry != k->k_id)
return 1;
-   } else if (entry != IEEE80211_WEP_NKID +
-   IEEE80211_AID(ni->ni_associd))
-   return 1;
+   } else {
+#ifndef IEEE80211_STA_ONLY
+   if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
+   if (entry != IEEE80211_WEP_NKID +
+   IEEE80211_AID(ni->ni_associd))
+   return 1;
+   } else
+#endif
+   if (entry != IEEE80211_WEP_NKID)
+   return 1;
+   }
 
/* Check that ExtIV bit is set. */
if (!(ivp[3] & IEEE80211_WEP_EXTIV))
blob - 40725b02c43b54e10a87de333acdfd3b8270534d
blob + f7aa77ba15cae787a42fdbffb8a9d9cd2d0226d2
--- sys/dev/ic/athn.c
+++ sys/dev/ic/athn.c
@@ -1037,12 +1037,17 @@ athn_set_key(struct ieee80211com *ic, struct ieee80211
}
 
if (!(k->k_flags & IEEE80211_KEY_GROUP)) {
-   entry = IEEE80211_WEP_NKID + IEEE80211_AID(ni->ni_associd);
+#ifndef IEEE80211_STA_ONLY
+   if (ic->ic_opmode == IEEE80211_M_HOSTAP)
+   entry = IEEE80211_WEP_NKID + 
IEEE80211_AID(ni->ni_associd);
+   else
+#endif
+   entry = IEEE80211_WEP_NKID;
if (entry >= sc->kc_entries - IEEE80211_WEP_NKID)
return ENOSPC;
} else {
entry = k->k_id;
-   if (entry > IEEE80211_WEP_NKID)
+   if (entry >= IEEE80211_WEP_NKID)
return ENOSPC;
}
k->k_priv = (void *)entry;
@@ -3056,10 +3061,6 @@ athn_init(struct ifnet *ifp)
else
athn_config_pcie(sc);
 
-   /* Reset HW key cache entries. */
-   for (i = 0; i < sc->kc_entries; i++)
-   athn_reset_key(sc, i);
-
ops->enable_antenna_diversity(sc);
 
 #ifdef ATHN_BT_COEXISTENCE
@@ -3086,6 +3087,10 @@ athn_init(struct ifnet *ifp)
/* Enable Rx. */
athn_rx_start(sc);
 
+   /* Reset HW key cache entries. */
+   for (i = 0; i < sc->kc_entries; i++)
+   athn_reset_key(sc, i);
+
/* Enable interrupts. */
athn_enable_interrupts(sc);
 
@@ -3121,7 +3126,7 @@ athn_stop(struct ifnet *ifp, int disable)
 {
struct athn_softc *sc = ifp->if_softc;
struct ieee80211com *ic = &sc->sc_ic;
-   int qid;
+   int qid, i;
 
ifp->if_timer = sc->sc_tx_timer = 0;
ifp->if_flags &= ~IFF_RUNNING;
@@ -3158,6 +3163,10 @@ athn_stop(struct ifnet *ifp, int disable)
AR_WRITE_BARRIER(sc);
athn_set_rxfilter(sc, 0);
athn_stop_rx_dma(sc);
+
+   /* Reset HW key cache entries. */
+   for (i = 0; i < sc->kc_entries; i++)
+   athn_reset_key(sc, i);
 
athn_reset(sc, 0);
athn_init_pll(sc, NULL);