sys-apps/opal-utils: add noexec devtmpfs patch for opal-prd

Package-Manager: Portage-3.0.8, Repoman-3.0.2
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

2 files changed, 182 insertions, 0 deletions

diff --git a/sys-apps/opal-utils/files/devtmpfs-noexec.patch b/sys-apps/opal-utils/files/devtmpfs-noexec.patch
new file mode 100644
index 000000000000..45e97308a1f2
--- /dev/null
+++ b/sys-apps/opal-utils/files/devtmpfs-noexec.patch
@@ -0,0 +1,87 @@
+From 47005e8d4c9aeda5826c17c4a013cfbda1a3f2de Mon Sep 17 00:00:00 2001
+From: Georgy Yakovlev <gyakovlev@gentoo.org>
+Date: Mon, 12 Oct 2020 14:29:17 -0700
+Subject: [PATCH] opal-prd: handle devtmpfs mounted with noexec
+
+On systems using recent versions of systemd /dev (devtmpfs) is mounted with
+noexec option. Such mount prevents mapping HBRT image code region as RWX
+from /dev. This commit, as suggested in github PR linked below, attempts to
+work around the situation by copying HBRT image to anon mmaped memory
+region and sets mprotect rwx on it, allowing opal-prd to sucessfully
+execute the code region.
+
+Having memory region set as RWX is not ideal for security, but fixing that
+is a separate and hard to solve problem. Original code also mmaped region
+as RWX, so this PR does not make things worse at least.
+
+Closes: https://github.com/open-power/skiboot/issues/258
+Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
+Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
+[oliver: whitespace fix, add a comment, reflow commit message]
+Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
+---
+ external/opal-prd/opal-prd.c | 36 ++++++++++++++++++++++++++++++++++--
+ 1 file changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/external/opal-prd/opal-prd.c b/external/opal-prd/opal-prd.c
+index d74d80398d..12269e8ebb 100644
+--- a/external/opal-prd/opal-prd.c
++++ b/external/opal-prd/opal-prd.c
+@@ -973,7 +973,9 @@ static int map_hbrt_file(struct opal_prd_ctx *ctx, const char *name)
+ static int map_hbrt_physmem(struct opal_prd_ctx *ctx, const char *name)
+ {
+ 	struct prd_range *range;
++	int rc;
+ 	void *buf;
++	void *ro_buf;
+ 
+ 	range = find_range(name, 0);
+ 	if (!range) {
+@@ -981,15 +983,45 @@ static int map_hbrt_physmem(struct opal_prd_ctx *ctx, const char *name)
+ 		return -1;
+ 	}
+ 
+-	buf = mmap(NULL, range->size, PROT_READ | PROT_WRITE | PROT_EXEC,
++	ro_buf = mmap(NULL, range->size, PROT_READ,
+ 			MAP_PRIVATE, ctx->fd, range->physaddr);
+-	if (buf == MAP_FAILED) {
++	if (ro_buf == MAP_FAILED) {
+ 		pr_log(LOG_ERR, "IMAGE: mmap(range:%s, "
+ 				"phys:0x%016lx, size:0x%016lx) failed: %m",
+ 				name, range->physaddr, range->size);
+ 		return -1;
+ 	}
+ 
++	buf = mmap(NULL, range->size, PROT_READ | PROT_WRITE,
++			MAP_SHARED | MAP_ANONYMOUS, -1 , 0);
++	if (buf == MAP_FAILED) {
++		pr_log(LOG_ERR, "IMAGE: anon mmap(size:0x%016lx) failed: %m",
++				range->size);
++		return -1;
++	}
++
++	memcpy(buf, ro_buf, range->size);
++
++	rc = munmap(ro_buf, range->size);
++	if (rc < 0) {
++		pr_log(LOG_ERR, "IMAGE: munmap("
++				"phys:0x%016lx, size:0x%016lx) failed: %m",
++				range->physaddr, range->size);
++		return -1;
++	}
++
++	/*
++	 * FIXME: We shouldn't be mapping the memory as RWX, but HBRT appears to
++	 * require the ability to write into the image at runtime.
++	 */
++	rc = mprotect(buf, range->size, PROT_READ | PROT_WRITE | PROT_EXEC);
++	if (rc < 0) {
++		pr_log(LOG_ERR, "IMAGE: mprotect(phys:%p, "
++			"size:0x%016lx, rwx) failed: %m",
++			buf, range->size);
++		return -1;
++	}
++
+ 	ctx->code_addr = buf;
+ 	ctx->code_size = range->size;
+ 	return 0;
diff --git a/sys-apps/opal-utils/opal-utils-6.6.3-r1.ebuild b/sys-apps/opal-utils/opal-utils-6.6.3-r1.ebuild
new file mode 100644
index 000000000000..5dca4f59dc1f
--- /dev/null
+++ b/sys-apps/opal-utils/opal-utils-6.6.3-r1.ebuild
@@ -0,0 +1,95 @@
+# Copyright 2019-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{6,7,8} )
+
+inherit linux-info python-any-r1 systemd toolchain-funcs
+
+DESCRIPTION="OPAL firmware utilities"
+HOMEPAGE="https://github.com/open-power/skiboot"
+SRC_URI="https://github.com/open-power/skiboot/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 GPL-2+"
+SLOT="0"
+KEYWORDS="~ppc64"
+IUSE="doc"
+
+DEPEND=""
+RDEPEND="${DEPEND}"
+BDEPEND="doc? (
+	$(python_gen_any_dep '
+		dev-python/sphinx[${PYTHON_USEDEP}]
+		dev-python/recommonmark[${PYTHON_USEDEP}]
+	')
+)"
+
+CONFIG_CHECK="~MTD_POWERNV_FLASH ~OPAL_PRD ~PPC_DT_CPU_FTRS ~SCOM_DEBUGFS"
+ERROR_MTD_POWERND_FLASH="CONFIG_MTD_POWERND_FLASH is required to use pflash and opal-gard"
+ERROR_OPAL_PRD="CONFIG_OPAL_PRD is required to run opal-prd daemon"
+ERROR_SCOM_DEBUGFS="CONFIG_SCOM_DEBUGFS is required to use xscom-utils"
+
+S="${WORKDIR}/skiboot-${PV}"
+
+PATCHES=(
+	"${FILESDIR}/flags.patch"
+	"${FILESDIR}/devtmpfs-noexec.patch"
+)
+
+python_check_deps() {
+	has_version "dev-python/recommonmark[${PYTHON_USEDEP}]" &&
+	has_version "dev-python/sphinx[${PYTHON_USEDEP}]"
+}
+
+pkg_setup() {
+	linux-info_pkg_setup
+	use doc && python-any-r1_pkg_setup
+}
+
+src_configure() {
+	tc-export CC LD
+	export OPAL_PRD_VERSION="${PV}"
+	export GARD_VERSION="${PV}"
+	export PFLASH_VERSION="${PV}"
+	export XSCOM_VERSION="${PV}"
+	export FFSPART_VERSION="${PV}"
+}
+
+src_compile() {
+	emake V=1 -C external/opal-prd
+	emake V=1 -C external/gard
+	emake V=1 -C external/pflash
+	emake V=1 -C external/xscom-utils
+	emake V=1 -C external/ffspart
+
+	use doc && emake V=1 -C doc html
+}
+
+src_install() {
+	emake -C external/opal-prd DESTDIR="${D}" prefix="${EPREFIX}/usr" install
+	emake -C external/gard DESTDIR="${D}" prefix="${EPREFIX}/usr" install
+	emake -C external/pflash DESTDIR="${D}" prefix="${EPREFIX}/usr" install
+	emake -C external/xscom-utils DESTDIR="${D}" prefix="${EPREFIX}/usr" install
+	dosbin external/ffspart/ffspart
+
+	newinitd "${FILESDIR}"/opal-prd.initd opal-prd
+	newconfd "${FILESDIR}"/opal-prd.confd opal-prd
+
+	systemd_dounit external/opal-prd/opal-prd.service
+
+	if use doc; then
+		rm -r doc/_build/html/_sources || die
+		local HTML_DOCS=( doc/_build/html/. )
+	fi
+	einstalldocs
+}
+
+src_test() {
+	emake V=1 -C external/opal-prd test
+	emake V=1 -C external/gard check
+	# this test is fragile and fails because of filename path
+	rm external/pflash/test/tests/01-info || die
+	emake V=1 -C external/pflash check
+	emake V=1 -C external/ffspart check
+}