git: 8e11e8fb782c - stable/13 - kern: add an option for preserving the early kenv
Kyle Evans
kevans at FreeBSD.org
Thu Aug 26 06:37:41 UTC 2021
The branch stable/13 has been updated by kevans:
URL: https://cgit.FreeBSD.org/src/commit/?id=8e11e8fb782cab5bbcde7a3f44f614c75f4b163d
commit 8e11e8fb782cab5bbcde7a3f44f614c75f4b163d
Author: Kyle Evans <kevans at FreeBSD.org>
AuthorDate: 2021-06-20 19:29:31 +0000
Commit: Kyle Evans <kevans at FreeBSD.org>
CommitDate: 2021-08-26 06:35:30 +0000
kern: add an option for preserving the early kenv
Some downstream configurations do not store secrets in the
early (loader/static) environments and desire a way to preserve these
for diagnostic reasons. Provide an option to do so.
(cherry picked from commit 7a129c973b5ba0fa916dfa658d523bec66dbd02d)
---
sys/conf/options | 8 ++++++++
sys/kern/kern_environment.c | 4 ++++
2 files changed, 12 insertions(+)
diff --git a/sys/conf/options b/sys/conf/options
index b6956193d841..121a23ed876c 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -1020,3 +1020,11 @@ IICHID_DEBUG opt_hid.h
IICHID_SAMPLING opt_hid.h
HKBD_DFLT_KEYMAP opt_hkbd.h
HIDRAW_MAKE_UHID_ALIAS opt_hid.h
+
+# kenv options
+# The early kernel environment (loader environment, config(8)-provided static)
+# is typically cleared after the dynamic environment comes up to ensure that
+# we're not inadvertently holding on to 'secret' values in these stale envs.
+# This option is insecure except in controlled environments where the static
+# environment's contents are known to be safe.
+PRESERVE_EARLY_KENV opt_global.h
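Review bot: Missing documentation. The comment block above sys/conf/options is the only place this option is described, and the diffstat shows no change to sys/conf/NOTES or to a manual page, so a kernel builder running config(8) will not discover PRESERVE_EARLY_KENV or its security caveat unless they read this file. Consider adding a NOTES entry that repeats the warning ("insecure except in controlled environments where the static environment's contents are known to be safe") so the caveat travels with the option wherever it is listed.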
diff --git a/sys/kern/kern_environment.c b/sys/kern/kern_environment.c
index 54992e6594ed..8dc345559e95 100644
--- a/sys/kern/kern_environment.c
+++ b/sys/kern/kern_environment.c
@@ -365,7 +365,11 @@ init_dynamic_kenv_from(char *init_env, int *curpos)
kenvp[i] = malloc(len, M_KENV, M_WAITOK);
strcpy(kenvp[i++], cp);
sanitize:
+#ifdef PRESERVE_EARLY_KENV
+ continue;
+#else
explicit_bzero(cp, len - 1);
+#endif
}
*curpos = i;
}
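Review bot: The `continue;` under `#ifdef PRESERVE_EARLY_KENV` is effectively a no-op since the `sanitize:` label is the last thing in the loop body, but it is still needed: a label must be followed by a statement, so without it the `#ifdef` branch would leave `sanitize:` directly before the closing brace and fail to compile. A short comment to that effect (e.g. `/* label needs a statement; skip the explicit_bzero() */`) would stop a later cleanup from dropping it. Also worth noting in the commit text: this hunk only skips zeroing the early environment, it adds no accessor for it, so the preserved values are only reachable by inspecting kernel memory (for example from a crash dump), which is consistent with the "diagnostic" intent but means every early kenv value, secrets included, now outlives its copy into kenvp[].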