bsdinstall: Stop loading cryptodev for ZFS installations

- zfs depends on the crypto module, not cryptodev, and most arm64 kernel
configs include std.dev, which includes "device crypto" anyway.
-

bsdinstall: Stop loading cryptodev for ZFS installations

- zfs depends on the crypto module, not cryptodev, and most arm64 kernel
configs include std.dev, which includes "device crypto" anyway.
- This config works around a problem with kldxref lacking cross-target
support, but that has since been fixed.
- Loading cryptodev creates /dev/crypto, which gives unprivileged users
access to the kernel's opencrypto framework. Very few applications
need it, so we're needlessly increasing the kernel's surface area.

Thus, stop auto-loading cryptodev.

Reviewed by: kevans, allanjude, des
Differential Revision: https://reviews.freebsd.org/D45127

show more ...

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

Revert r361257: bsdinstall: do a `certctl rehash` upon installation [...]

As of r365829, any given base distribution set will now include the /etc/ssl
symlinks that this rehash would've otherwise in

Revert r361257: bsdinstall: do a `certctl rehash` upon installation [...]

As of r365829, any given base distribution set will now include the /etc/ssl
symlinks that this rehash would've otherwise installed. This extra step is
no longer required.

MFC after: 1 week
X-MFC-With: r365837

show more ...

MFH

Sponsored by: Rubicon Communications, LLC (netgate.com)

bsdinstall: Update loader.conf for new OpenZFS deps

zfs.ko now includes the SPL but relies on cryptodev instead.

Reported by: D Scott Phillips
Sponsored by: iXsystems, Inc.

bsdinstall: do a `certctl rehash` upon installation of configuration

If certctl is installed on the system we're configuring, do a certctl
rehash.

Note that certctl may not be present if the world

bsdinstall: do a `certctl rehash` upon installation of configuration

If certctl is installed on the system we're configuring, do a certctl
rehash.

Note that certctl may not be present if the world we've installed was built
either WITHOUT_OPENSSL or WITHOUT_CAROOT. In this scenario, we don't
currently see if the host has a certctl as this may be an indication that
the system *shouldn't* have certs installed into /etc/ssl.

Reviewed by: allanjude, dteske
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D24640

show more ...

Merge ^/head r352764 through r353315.

Add a comment explaining why the opensolaris_load line in loader.conf
is explicitly added.

Requested by: rgrimes
MFC after: 3 days
MFC with: r353004
Sponsored by: Rubicon Communications, LLC (Netgat

Add a comment explaining why the opensolaris_load line in loader.conf
is explicitly added.

Requested by: rgrimes
MFC after: 3 days
MFC with: r353004
Sponsored by: Rubicon Communications, LLC (Netgate)

show more ...

Explicitly add opensolaris_load="YES" to loader.conf through the
installer when installing the system on a ZFS root filesystem.

For arm64, zfs_load="YES" does not add opensolaris.ko as a kld
depende

Explicitly add opensolaris_load="YES" to loader.conf through the
installer when installing the system on a ZFS root filesystem.

For arm64, zfs_load="YES" does not add opensolaris.ko as a kld
dependency, so add it explicitly to prevent boot-time failures
out-of-box.

PR: 240478
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC (Netgate)

show more ...

MFH r338661 through r339200.

Sponsored by: The FreeBSD Foundation

Merge ^/head r338731 through r338987.

Fix variable name typo in the bsdinstall ttys hardening code.

Submitted by: Jörg Pernfuß <code.jpe@gmail.com>
Reviewed by: allanjude, dab, emaste
Approved by: re (gjb)
Differential Revision: https:/

Fix variable name typo in the bsdinstall ttys hardening code.

Submitted by: Jörg Pernfuß <code.jpe@gmail.com>
Reviewed by: allanjude, dab, emaste
Approved by: re (gjb)
Differential Revision: https://reviews.freebsd.org/D12476

show more ...

bsdinstall: Stop loading cryptodev for ZFS installations

- zfs depends on the crypto module, not cryptodev, and most arm64 kernel
configs include std.dev, which includes "device crypto" anyway.
-

bsdinstall: Stop loading cryptodev for ZFS installations

- zfs depends on the crypto module, not cryptodev, and most arm64 kernel
configs include std.dev, which includes "device crypto" anyway.
- This config works around a problem with kldxref lacking cross-target
support, but that has since been fixed.
- Loading cryptodev creates /dev/crypto, which gives unprivileged users
access to the kernel's opencrypto framework. Very few applications
need it, so we're needlessly increasing the kernel's surface area.

Thus, stop auto-loading cryptodev.

Reviewed by: kevans, allanjude, des
Differential Revision: https://reviews.freebsd.org/D45127

show more ...

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

Revert r361257: bsdinstall: do a `certctl rehash` upon installation [...]

As of r365829, any given base distribution set will now include the /etc/ssl
symlinks that this rehash would've otherwise in

Revert r361257: bsdinstall: do a `certctl rehash` upon installation [...]

As of r365829, any given base distribution set will now include the /etc/ssl
symlinks that this rehash would've otherwise installed. This extra step is
no longer required.

MFC after: 1 week
X-MFC-With: r365837

show more ...

MFH

Sponsored by: Rubicon Communications, LLC (netgate.com)

bsdinstall: Update loader.conf for new OpenZFS deps

zfs.ko now includes the SPL but relies on cryptodev instead.

Reported by: D Scott Phillips
Sponsored by: iXsystems, Inc.

bsdinstall: do a `certctl rehash` upon installation of configuration

If certctl is installed on the system we're configuring, do a certctl
rehash.

Note that certctl may not be present if the world

bsdinstall: do a `certctl rehash` upon installation of configuration

If certctl is installed on the system we're configuring, do a certctl
rehash.

Note that certctl may not be present if the world we've installed was built
either WITHOUT_OPENSSL or WITHOUT_CAROOT. In this scenario, we don't
currently see if the host has a certctl as this may be an indication that
the system *shouldn't* have certs installed into /etc/ssl.

Reviewed by: allanjude, dteske
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D24640

show more ...

Merge ^/head r352764 through r353315.

Add a comment explaining why the opensolaris_load line in loader.conf
is explicitly added.

Requested by: rgrimes
MFC after: 3 days
MFC with: r353004
Sponsored by: Rubicon Communications, LLC (Netgat

Add a comment explaining why the opensolaris_load line in loader.conf
is explicitly added.

Requested by: rgrimes
MFC after: 3 days
MFC with: r353004
Sponsored by: Rubicon Communications, LLC (Netgate)

show more ...

Explicitly add opensolaris_load="YES" to loader.conf through the
installer when installing the system on a ZFS root filesystem.

For arm64, zfs_load="YES" does not add opensolaris.ko as a kld
depende

Explicitly add opensolaris_load="YES" to loader.conf through the
installer when installing the system on a ZFS root filesystem.

For arm64, zfs_load="YES" does not add opensolaris.ko as a kld
dependency, so add it explicitly to prevent boot-time failures
out-of-box.

PR: 240478
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC (Netgate)

show more ...

MFH r338661 through r339200.

Sponsored by: The FreeBSD Foundation

Merge ^/head r338731 through r338987.

Fix variable name typo in the bsdinstall ttys hardening code.

Submitted by: Jörg Pernfuß <code.jpe@gmail.com>
Reviewed by: allanjude, dab, emaste
Approved by: re (gjb)
Differential Revision: https:/

Fix variable name typo in the bsdinstall ttys hardening code.

Submitted by: Jörg Pernfuß <code.jpe@gmail.com>
Reviewed by: allanjude, dab, emaste
Approved by: re (gjb)
Differential Revision: https://reviews.freebsd.org/D12476

show more ...

MFhead@r323635