/* Entry from the mainboard. */
void romstage_common(struct romstage_params *params)
{
struct romstage_handoff *handoff;
struct chipset_power_state *ps;
int prev_sleep_state;
timestamp_add_now(TS_BEFORE_INITRAM);
ps = fill_power_state();
prev_sleep_state = chipset_prev_sleep_state(ps);
printk(BIOS_DEBUG, "prev_sleep_state = S%d\n", prev_sleep_state);
#if CONFIG_ELOG_BOOT_COUNT
if (prev_sleep_state != 3)
boot_count_increment();
#endif
/* Initialize RAM */
raminit(params->mrc_params, prev_sleep_state);
timestamp_add_now(TS_AFTER_INITRAM);
handoff = romstage_handoff_find_or_add();
if (handoff != NULL)
handoff->s3_resume = (prev_sleep_state == 3);
else
printk(BIOS_DEBUG, "Romstage handoff structure not added!\n");
if (CONFIG_LPC_TPM) {
init_tpm(prev_sleep_state == 3);
}
}
void main(unsigned long bist)
{
int boot_mode = 0;
int cbmem_was_initted;
struct pei_data pei_data = {
.pei_version = PEI_VERSION,
.mchbar = (uintptr_t)DEFAULT_MCHBAR,
.dmibar = (uintptr_t)DEFAULT_DMIBAR,
.epbar = DEFAULT_EPBAR,
.pciexbar = CONFIG_MMCONF_BASE_ADDRESS,
.smbusbar = SMBUS_IO_BASE,
.wdbbar = 0x4000000,
.wdbsize = 0x1000,
.hpet_address = CONFIG_HPET_ADDRESS,
.rcba = (uintptr_t)DEFAULT_RCBABASE,
.pmbase = DEFAULT_PMBASE,
.gpiobase = DEFAULT_GPIOBASE,
.thermalbase = 0xfed08000,
.system_type = 0, // 0 Mobile, 1 Desktop/Server
.tseg_size = CONFIG_SMM_TSEG_SIZE,
.spd_addresses = { 0xa0, 0x00,0xa4,0x00 },
.ts_addresses = { 0x00, 0x00, 0x00, 0x00 },
.ec_present = 0,
// 0 = leave channel enabled
// 1 = disable dimm 0 on channel
// 2 = disable dimm 1 on channel
// 3 = disable dimm 0+1 on channel
.dimm_channel0_disabled = 2,
.dimm_channel1_disabled = 2,
.max_ddr3_freq = 1333,
.usb_port_config = {
{ 1, 0, 0x0080 }, /* P0: Front port (OC0) */
{ 1, 1, 0x0040 }, /* P1: Back port (OC1) */
{ 1, 0, 0x0040 }, /* P2: MINIPCIE1 (no OC) */
{ 1, 0, 0x0040 }, /* P3: MMC (no OC) */
{ 1, 2, 0x0080 }, /* P4: Front port (OC2) */
{ 0, 0, 0x0000 }, /* P5: Empty */
{ 0, 0, 0x0000 }, /* P6: Empty */
{ 0, 0, 0x0000 }, /* P7: Empty */
{ 1, 4, 0x0040 }, /* P8: Back port (OC4) */
{ 1, 4, 0x0040 }, /* P9: MINIPCIE3 (no OC) */
{ 1, 4, 0x0040 }, /* P10: BLUETOOTH (no OC) */
{ 0, 4, 0x0000 }, /* P11: Empty */
{ 1, 6, 0x0040 }, /* P12: Back port (OC6) */
{ 1, 5, 0x0040 }, /* P13: Back port (OC5) */
},
};
timestamp_init(get_initial_timestamp());
timestamp_add_now(TS_START_ROMSTAGE);
if (bist == 0)
enable_lapic();
pch_enable_lpc();
/* Enable GPIOs */
pci_write_config32(PCH_LPC_DEV, GPIO_BASE, DEFAULT_GPIOBASE|1);
pci_write_config8(PCH_LPC_DEV, GPIO_CNTL, 0x10);
setup_pch_gpios(&stumpy_gpio_map);
setup_sio_gpios();
/* Early SuperIO setup */
it8772f_ac_resume_southbridge(DUMMY_DEV);
ite_kill_watchdog(GPIO_DEV);
ite_enable_serial(SERIAL_DEV, CONFIG_TTYS0_BASE);
console_init();
init_bootmode_straps();
/* Halt if there was a built in self test failure */
report_bist_failure(bist);
if (MCHBAR16(SSKPD) == 0xCAFE) {
printk(BIOS_DEBUG, "soft reset detected\n");
boot_mode = 1;
/* System is not happy after keyboard reset... */
printk(BIOS_DEBUG, "Issuing CF9 warm reset\n");
outb(0x6, 0xcf9);
halt();
}
/* Perform some early chipset initialization required
* before RAM initialization can work
*/
sandybridge_early_initialization(SANDYBRIDGE_MOBILE);
printk(BIOS_DEBUG, "Back from sandybridge_early_initialization()\n");
boot_mode = southbridge_detect_s3_resume() ? 2 : 0;
post_code(0x38);
/* Enable SPD ROMs and DDR-III DRAM */
enable_smbus();
/* Prepare USB controller early in S3 resume */
if (boot_mode == 2) {
/*
* For Stumpy the back USB ports are reset on resume
* so default to resetting the controller to make the
* kernel happy. There is a CMOS flag to disable the
* controller reset in case the kernel can tolerate
* the device power loss better in the future.
*/
u8 magic = cmos_read(CMOS_USB_RESET_DISABLE);
if (magic == USB_RESET_DISABLE_MAGIC) {
printk(BIOS_DEBUG, "USB Controller Reset Disabled\n");
enable_usb_bar();
} else {
printk(BIOS_DEBUG, "USB Controller Reset Enabled\n");
}
} else {
/* Ensure USB reset on resume is enabled at boot */
cmos_write(0, CMOS_USB_RESET_DISABLE);
}
post_code(0x39);
pei_data.boot_mode = boot_mode;
timestamp_add_now(TS_BEFORE_INITRAM);
sdram_initialize(&pei_data);
timestamp_add_now(TS_AFTER_INITRAM);
post_code(0x3a);
/* Perform some initialization that must run before stage2 */
early_pch_init();
post_code(0x3b);
rcba_config();
post_code(0x3c);
quick_ram_check();
post_code(0x3e);
cbmem_was_initted = !cbmem_recovery(boot_mode==2);
if (boot_mode!=2)
save_mrc_data(&pei_data);
if (boot_mode==2 && !cbmem_was_initted) {
/* Failed S3 resume, reset to come up cleanly */
outb(0x6, 0xcf9);
halt();
}
northbridge_romstage_finalize(boot_mode==2);
post_code(0x3f);
if (CONFIG_LPC_TPM) {
init_tpm(boot_mode == 2);
}
}
void main(unsigned long bist)
{
int s3resume = 0;
spd_raw_data spd[4];
if (MCHBAR16(SSKPD) == 0xCAFE) {
outb(0x6, 0xcf9);
halt ();
}
timestamp_init(get_initial_timestamp());
timestamp_add_now(TS_START_ROMSTAGE);
if (bist == 0)
enable_lapic();
pch_enable_lpc();
/* Enable GPIOs */
pci_write_config32(PCH_LPC_DEV, GPIO_BASE, DEFAULT_GPIOBASE|1);
pci_write_config8(PCH_LPC_DEV, GPIO_CNTL, 0x10);
setup_pch_gpios(&mainboard_gpio_map);
early_usb_init(mainboard_usb_ports);
/* Initialize console device(s) */
console_init();
/* Halt if there was a built in self test failure */
report_bist_failure(bist);
/* Perform some early chipset initialization required
* before RAM initialization can work
*/
sandybridge_early_initialization(SANDYBRIDGE_MOBILE);
printk(BIOS_DEBUG, "Back from sandybridge_early_initialization()\n");
s3resume = southbridge_detect_s3_resume();
post_code(0x38);
/* Enable SPD ROMs and DDR-III DRAM */
enable_smbus();
post_code(0x39);
post_code(0x3a);
memset (spd, 0, sizeof (spd));
mainboard_get_spd(spd);
timestamp_add_now(TS_BEFORE_INITRAM);
init_dram_ddr3(spd, 1, get_mem_min_tck(), s3resume);
timestamp_add_now(TS_AFTER_INITRAM);
post_code(0x3c);
southbridge_configure_default_intmap();
rcba_config();
post_code(0x3d);
northbridge_romstage_finalize(s3resume);
#if CONFIG_LPC_TPM
init_tpm(s3resume);
#endif
post_code(0x3f);
timestamp_add_now(TS_END_ROMSTAGE);
}
int
main(int argc, char **argv)
{
bool fork_desired = TRUE;
int lockfd;
char* ocspuri = NULL;
int nhelpers = -1;
char *coredir;
const struct osw_conf_options *oco;
#ifdef NAT_TRAVERSAL
/** Overridden by nat_traversal= in ipsec.conf */
bool nat_traversal = FALSE;
bool nat_t_spf = TRUE; /* support port floating */
unsigned int keep_alive = 0;
bool force_keepalive = FALSE;
#endif
/** Overridden by virtual_private= in ipsec.conf */
char *virtual_private = NULL;
#ifdef LEAK_DETECTIVE
leak_detective=1;
#else
leak_detective=0;
#endif
#ifdef HAVE_LIBCAP_NG
/* Drop capabilities */
capng_clear(CAPNG_SELECT_BOTH);
capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
CAP_IPC_LOCK, -1);
/* our children must be able to CAP_NET_ADMIN to change routes.
*/
capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET,
CAP_NET_ADMIN, -1);
capng_apply(CAPNG_SELECT_BOTH);
#endif
global_argv = argv;
global_argc = argc;
#ifdef DEBUG
openswan_passert_fail = passert_fail;
#endif
/* see if there is an environment variable */
coredir = getenv("PLUTO_CORE_DIR");
if(getenv("PLUTO_WAIT_FOR_GDB")) {
sleep(120);
}
/* handle arguments */
for (;;)
{
# define DBG_OFFSET 256
static const struct option long_opts[] = {
/* name, has_arg, flag, val */
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'v' },
{ "optionsfrom", required_argument, NULL, '+' },
{ "nofork", no_argument, NULL, 'd' },
{ "stderrlog", no_argument, NULL, 'e' },
{ "noklips", no_argument, NULL, 'n' },
{ "use-nostack", no_argument, NULL, 'n' },
{ "use-none", no_argument, NULL, 'n' },
{ "force_busy", no_argument, NULL, 'D' },
{ "nocrsend", no_argument, NULL, 'c' },
{ "strictcrlpolicy", no_argument, NULL, 'r' },
{ "crlcheckinterval", required_argument, NULL, 'x'},
{ "ocsprequestcert", required_argument, NULL, 'q'},
{ "ocspuri", required_argument, NULL, 'o'},
{ "uniqueids", no_argument, NULL, 'u' },
{ "useklips", no_argument, NULL, 'k' },
{ "use-klips", no_argument, NULL, 'k' },
{ "use-auto", no_argument, NULL, 'G' },
{ "usenetkey", no_argument, NULL, 'K' },
{ "use-netkey", no_argument, NULL, 'K' },
{ "use-mast", no_argument, NULL, 'M' },
{ "use-mastklips", no_argument, NULL, 'M' },
{ "use-bsdkame", no_argument, NULL, 'F' },
{ "interface", required_argument, NULL, 'i' },
{ "listen", required_argument, NULL, 'L' },
{ "ikeport", required_argument, NULL, 'p' },
{ "ctlbase", required_argument, NULL, 'b' },
{ "secretsfile", required_argument, NULL, 's' },
{ "foodgroupsdir", required_argument, NULL, 'f' },
{ "perpeerlogbase", required_argument, NULL, 'P' },
{ "perpeerlog", no_argument, NULL, 'l' },
{ "noretransmits", no_argument, NULL, 'R' },
{ "coredir", required_argument, NULL, 'C' },
{ "ipsecdir", required_argument, NULL, 'f' },
{ "ipsec_dir", required_argument, NULL, 'f' },
#ifdef USE_LWRES
{ "lwdnsq", required_argument, NULL, 'a' },
#else /* !USE_LWRES */
{ "adns", required_argument, NULL, 'a' },
#endif /* !USE_LWRES */
#ifdef NAT_TRAVERSAL
{ "nat_traversal", no_argument, NULL, '1' },
{ "keep_alive", required_argument, NULL, '2' },
{ "force_keepalive", no_argument, NULL, '3' },
{ "disable_port_floating", no_argument, NULL, '4' },
{ "debug-nat_t", no_argument, NULL, '5' },
{ "debug-nattraversal", no_argument, NULL, '5' },
{ "debug-nat-t", no_argument, NULL, '5' },
#endif
{ "virtual_private", required_argument, NULL, '6' },
{ "nhelpers", required_argument, NULL, 'j' },
#ifdef DEBUG
{ "debug-none", no_argument, NULL, 'N' },
{ "debug-all", no_argument, NULL, 'A' },
{ "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
{ "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-crypto", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
{ "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
{ "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
{ "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
{ "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
{ "debug-netkey", no_argument, NULL, DBG_NETKEY + DBG_OFFSET },
{ "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
{ "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
{ "debug-oppoinfo", no_argument, NULL, DBG_OPPOINFO + DBG_OFFSET },
{ "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
{ "debug-dpd", no_argument, NULL, DBG_DPD + DBG_OFFSET },
{ "debug-x509", no_argument, NULL, DBG_X509 + DBG_OFFSET },
{ "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
{ "debug-pfkey", no_argument, NULL, DBG_PFKEY + DBG_OFFSET },
{ "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
{ "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
{ "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
{ "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
{ "impair-sa-creation", no_argument, NULL, IMPAIR_SA_CREATION + DBG_OFFSET },
{ "impair-die-oninfo", no_argument, NULL, IMPAIR_DIE_ONINFO + DBG_OFFSET },
{ "impair-jacob-two-two", no_argument, NULL, IMPAIR_JACOB_TWO_TWO + DBG_OFFSET },
#endif
{ 0,0,0,0 }
};
/* Note: we don't like the way short options get parsed
* by getopt_long, so we simply pass an empty string as
* the list. It could be "hvdenp:l:s:" "NARXPECK".
*/
int c = getopt_long(argc, argv, "", long_opts, NULL);
/** Note: "breaking" from case terminates loop */
switch (c)
{
case EOF: /* end of flags */
break;
case 0: /* long option already handled */
continue;
case ':': /* diagnostic already printed by getopt_long */
case '?': /* diagnostic already printed by getopt_long */
usage("");
break; /* not actually reached */
case 'h': /* --help */
usage(NULL);
break; /* not actually reached */
case 'C':
coredir = clone_str(optarg, "coredir");
break;
case 'v': /* --version */
{
const char **sp = ipsec_copyright_notice();
printf("%s%s\n", ipsec_version_string(),
compile_time_interop_options);
for (; *sp != NULL; sp++)
puts(*sp);
}
exit(0); /* not exit_pluto because we are not initialized yet */
break; /* not actually reached */
case '+': /* --optionsfrom <filename> */
optionsfrom(optarg, &argc, &argv, optind, stderr);
/* does not return on error */
continue;
case 'j': /* --nhelpers */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing number of pluto helpers");
{
char *endptr;
long count = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| count < -1)
usage("<nhelpers> must be a positive number, 0 or -1");
nhelpers = count;
}
continue;
case 'd': /* --nofork*/
fork_desired = FALSE;
continue;
case 'e': /* --stderrlog */
log_to_stderr_desired = TRUE;
continue;
case 'G': /* --use-auto */
kern_interface = AUTO_PICK;
continue;
case 'k': /* --use-klips */
kern_interface = USE_KLIPS;
continue;
case 'L': /* --listen ip_addr */
{
ip_address lip;
err_t e = ttoaddr(optarg,0,0,&lip);
if(e) {
openswan_log("invalid listen argument ignored: %s\n",e);
} else {
pluto_listen = clone_str(optarg, "pluto_listen");
openswan_log("bind() will be filtered for %s\n",pluto_listen);
}
}
continue;
case 'M': /* --use-mast */
kern_interface = USE_MASTKLIPS;
continue;
case 'F': /* --use-bsdkame */
kern_interface = USE_BSDKAME;
continue;
case 'K': /* --use-netkey */
kern_interface = USE_NETKEY;
continue;
case 'n': /* --use-nostack */
kern_interface = NO_KERNEL;
continue;
case 'D': /* --force_busy */
force_busy = TRUE;
continue
;
case 'c': /* --nocrsend */
no_cr_send = TRUE;
continue
;
case 'r': /* --strictcrlpolicy */
strict_crl_policy = TRUE;
continue
;
case 'R':
no_retransmits = TRUE;
continue;
case 'x': /* --crlcheckinterval <time>*/
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing interval time");
{
char *endptr;
long interval = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| interval <= 0)
usage("<interval-time> must be a positive number");
crl_check_interval = interval;
}
continue
;
case 'o': /* --ocspuri */
ocspuri = optarg;
continue;
case 'u': /* --uniqueids */
uniqueIDs = TRUE;
continue;
case 'i': /* --interface <ifname|ifaddr> */
if (!use_interface(optarg))
usage("too many --interface specifications");
continue;
/*
* This option does not really work, as this is the "left"
* site only, you also need --to --ikeport again later on
* It will result in: yourport -> 500, still not bypassing filters
*/
case 'p': /* --ikeport <portnumber> */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing port number");
{
char *endptr;
long port = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| port <= 0 || port > 0x10000)
usage("<port-number> must be a number between 1 and 65535");
pluto_port = port;
}
continue;
case 'b': /* --ctlbase <path> */
ctlbase = optarg;
if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
, "%s%s", ctlbase, CTL_SUFFIX) == -1)
usage("<path>" CTL_SUFFIX " too long for sun_path");
if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
, "%s%s", ctlbase, INFO_SUFFIX) == -1)
usage("<path>" INFO_SUFFIX " too long for sun_path");
if (snprintf(pluto_lock, sizeof(pluto_lock)
, "%s%s", ctlbase, LOCK_SUFFIX) == -1)
usage("<path>" LOCK_SUFFIX " must fit");
continue;
case 's': /* --secretsfile <secrets-file> */
pluto_shared_secrets_file = optarg;
continue;
case 'f': /* --ipsecdir <ipsec-dir> */
(void)osw_init_ipsecdir(optarg);
continue;
case 'a': /* --adns <pathname> */
pluto_adns_option = optarg;
continue;
#ifdef DEBUG
case 'N': /* --debug-none */
base_debugging = DBG_NONE;
continue;
case 'A': /* --debug-all */
base_debugging = DBG_ALL;
continue;
#endif
case 'P': /* --perpeerlogbase */
base_perpeer_logdir = optarg;
continue;
case 'l':
log_to_perpeer = TRUE;
continue;
#ifdef NAT_TRAVERSAL
case '1': /* --nat_traversal */
nat_traversal = TRUE;
continue;
case '2': /* --keep_alive */
keep_alive = atoi(optarg);
continue;
case '3': /* --force_keepalive */
force_keepalive = TRUE;
continue;
case '4': /* --disable_port_floating */
nat_t_spf = FALSE;
continue;
#ifdef DEBUG
case '5': /* --debug-nat_t */
base_debugging |= DBG_NATT;
continue;
#endif
#endif
case '6': /* --virtual_private */
virtual_private = optarg;
continue;
default:
#ifdef DEBUG
if (c >= DBG_OFFSET)
{
base_debugging |= c - DBG_OFFSET;
continue;
}
# undef DBG_OFFSET
#endif
bad_case(c);
}
break;
}
if (optind != argc)
usage("unexpected argument");
reset_debugging();
#ifdef HAVE_NO_FORK
fork_desired = FALSE;
nhelpers = 0;
#endif
/* if a core dir was set, chdir there */
if(coredir)
if(chdir(coredir) == -1) {
int e = errno;
openswan_log("pluto: chdir() do dumpdir failed (%d %s)\n",
e, strerror(e));
}
oco = osw_init_options();
lockfd = create_lock();
/* select between logging methods */
if (log_to_stderr_desired)
log_to_syslog = FALSE;
else
log_to_stderr = FALSE;
#ifdef DEBUG
#if 0
if(kernel_ops->set_debug) {
(*kernel_ops->set_debug)(cur_debugging, DBG_log, DBG_log);
}
#endif
#endif
/** create control socket.
* We must create it before the parent process returns so that
* there will be no race condition in using it. The easiest
* place to do this is before the daemon fork.
*/
{
err_t ugh = init_ctl_socket();
if (ugh != NULL)
{
fprintf(stderr, "pluto: %s", ugh);
exit_pluto(1);
}
}
#ifdef IPSECPOLICY
/* create info socket. */
{
err_t ugh = init_info_socket();
if (ugh != NULL)
{
fprintf(stderr, "pluto: %s", ugh);
exit_pluto(1);
}
}
#endif
/* If not suppressed, do daemon fork */
if (fork_desired)
{
{
pid_t pid = fork();
if (pid < 0)
{
int e = errno;
fprintf(stderr, "pluto: fork failed (%d %s)\n",
errno, strerror(e));
exit_pluto(1);
}
if (pid != 0)
{
/* parent: die, after filling PID into lock file.
* must not use exit_pluto: lock would be removed!
*/
exit(fill_lock(lockfd, pid)? 0 : 1);
}
}
if (setsid() < 0)
{
int e = errno;
fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
errno, strerror(e));
exit_pluto(1);
}
}
else
{
/* no daemon fork: we have to fill in lock file */
(void) fill_lock(lockfd, getpid());
fprintf(stdout, "Pluto initialized\n");
fflush(stdout);
}
/** Close everything but ctl_fd and (if needed) stderr.
* There is some danger that a library that we don't know
* about is using some fd that we don't know about.
* I guess we'll soon find out.
*/
{
int i;
for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
if ((!log_to_stderr || i != 2)
#ifdef IPSECPOLICY
&& i != info_fd
#endif
&& i != ctl_fd)
close(i);
/* make sure that stdin, stdout, stderr are reserved */
if (open("/dev/null", O_RDONLY) != 0)
osw_abort();
if (dup2(0, 1) != 1)
osw_abort();
if (!log_to_stderr && dup2(0, 2) != 2)
osw_abort();
}
init_constants();
pluto_init_log();
#ifdef HAVE_LIBNSS
char buf[100];
snprintf(buf, sizeof(buf), "%s",oco->confddir);
loglog(RC_LOG_SERIOUS,"nss directory plutomain: %s",buf);
SECStatus nss_init_status= NSS_InitReadWrite(buf);
if (nss_init_status != SECSuccess) {
loglog(RC_LOG_SERIOUS, "NSS initialization failed (err %d)\n", PR_GetError());
exit_pluto(10);
} else {
loglog(RC_LOG_SERIOUS, "NSS Initialized");
PK11_SetPasswordFunc(getNSSPassword);
#ifdef FIPS_CHECK
const char *package_files[]= { IPSECLIBDIR"/setup",
IPSECLIBDIR"/addconn",
IPSECLIBDIR"/auto",
IPSECLIBDIR"/barf",
IPSECLIBDIR"/_copyright",
IPSECLIBDIR"/eroute",
IPSECLIBDIR"/ikeping",
IPSECLIBDIR"/_include",
IPSECLIBDIR"/_keycensor",
IPSECLIBDIR"/klipsdebug",
IPSECLIBDIR"/look",
IPSECLIBDIR"/newhostkey",
IPSECLIBDIR"/pf_key",
IPSECLIBDIR"/_pluto_adns",
IPSECLIBDIR"/_plutoload",
IPSECLIBDIR"/_plutorun",
IPSECLIBDIR"/ranbits",
IPSECLIBDIR"/_realsetup",
IPSECLIBDIR"/rsasigkey",
IPSECLIBDIR"/pluto",
IPSECLIBDIR"/_secretcensor",
IPSECLIBDIR"/secrets",
IPSECLIBDIR"/showdefaults",
IPSECLIBDIR"/showhostkey",
IPSECLIBDIR"/showpolicy",
IPSECLIBDIR"/spi",
IPSECLIBDIR"/spigrp",
IPSECLIBDIR"/_startklips",
IPSECLIBDIR"/_startnetkey",
IPSECLIBDIR"/tncfg",
IPSECLIBDIR"/_updown",
IPSECLIBDIR"/_updown.klips",
IPSECLIBDIR"/_updown.mast",
IPSECLIBDIR"/_updown.netkey",
IPSECLIBDIR"/verify",
IPSECLIBDIR"/whack",
IPSECSBINDIR"/ipsec",
NULL
};
if (Pluto_IsFIPS() && !FIPSCHECK_verify_files(package_files)) {
loglog(RC_LOG_SERIOUS, "FIPS integrity verification test failed");
exit_pluto(10);
}
#endif
}
#endif
/* Note: some scripts may look for this exact message -- don't change
* ipsec barf was one, but it no longer does.
*/
{
const char *vc = ipsec_version_code();
#ifdef PLUTO_SENDS_VENDORID
const char *v = init_pluto_vendorid();
openswan_log("Starting Pluto (Openswan Version %s%s; Vendor ID %s) pid:%u"
, vc, compile_time_interop_options, v, getpid());
#else
openswan_log("Starting Pluto (Openswan Version %s%s) pid:%u"
, vc, compile_time_interop_options, getpid());
#endif
#ifdef HAVE_LIBNSS
if(Pluto_IsFIPS()) {
openswan_log("Pluto is running in FIPS mode");
}
#endif
if((vc[0]=='c' && vc[1]=='v' && vc[2]=='s') ||
(vc[2]=='g' && vc[3]=='i' && vc[4]=='t')) {
/*
* when people build RPMs from CVS or GIT, make sure they
* get blamed appropriately, and that we get some way to
* identify who did it, and when they did it. Use string concat,
* so that strings the binary can or classic SCCS "what", will find
* stuff too.
*/
openswan_log("@(#) built on "__DATE__":" __TIME__ " by " BUILDER);
}
#if defined(USE_1DES)
openswan_log("WARNING: 1DES is enabled");
#endif
}
if(coredir) {
openswan_log("core dump dir: %s", coredir);
}
#ifdef LEAK_DETECTIVE
openswan_log("LEAK_DETECTIVE support [enabled]");
#else
openswan_log("LEAK_DETECTIVE support [disabled]");
#endif
#ifdef HAVE_OCF
{
struct stat buf;
errno=0;
if( stat("/dev/crypto",&buf) != -1)
openswan_log("OCF support for IKE via /dev/crypto [enabled]");
else
openswan_log("OCF support for IKE via /dev/crypto [failed:%s]", strerror(errno));
}
#else
openswan_log("OCF support for IKE [disabled]");
#endif
/* Check for SAREF support */
#ifdef KLIPS_MAST
#include <ipsec_saref.h>
{
int e, sk, saref;
saref = 1;
errno=0;
sk = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_REFINFO, &saref, sizeof(saref));
if (e == -1 ) {
openswan_log("SAref support [disabled]: %s" , strerror(errno));
}
else {
openswan_log("SAref support [enabled]");
}
errno=0;
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_BINDREF, &saref, sizeof(saref));
if (e == -1 ) {
openswan_log("SAbind support [disabled]: %s" , strerror(errno));
}
else {
openswan_log("SAbind support [enabled]");
}
close(sk);
}
#endif
#ifdef HAVE_LIBNSS
openswan_log("NSS support [enabled]");
#else
openswan_log("NSS support [disabled]");
#endif
#ifdef HAVE_STATSD
openswan_log("HAVE_STATSD notification via /bin/openswan-statsd enabled");
#else
openswan_log("HAVE_STATSD notification support not compiled in");
#endif
/** Log various impair-* functions if they were enabled */
if(DBGP(IMPAIR_BUST_MI2))
openswan_log("Warning: IMPAIR_BUST_MI2 enabled");
if(DBGP(IMPAIR_BUST_MR2))
openswan_log("Warning: IMPAIR_BUST_MR2 enabled");
if(DBGP(IMPAIR_SA_CREATION))
openswan_log("Warning: IMPAIR_SA_CREATION enabled");
if(DBGP(IMPAIR_JACOB_TWO_TWO))
openswan_log("Warning: IMPAIR_JACOB_TWO_TWO enabled");
if(DBGP(IMPAIR_DIE_ONINFO))
openswan_log("Warning: IMPAIR_DIE_ONINFO enabled");
if(DBGP(IMPAIR_DELAY_ADNS_KEY_ANSWER))
openswan_log("Warning: IMPAIR_DELAY_ADNS_KEY_ANSWER enabled");
if(DBGP(IMPAIR_DELAY_ADNS_TXT_ANSWER))
openswan_log("Warning: IMPAIR_DELAY_ADNS_TXT_ANSWER enabled");
/** Initialize all of the various features */
#ifdef NAT_TRAVERSAL
init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
#endif
init_virtual_ip(virtual_private);
init_rnd_pool();
init_timer();
init_secret();
init_states();
init_connections();
init_crypto();
init_crypto_helpers(nhelpers);
load_oswcrypto();
init_demux();
init_kernel();
init_adns();
init_id();
#ifdef TPM
init_tpm();
#endif
#ifdef HAVE_THREADS
init_fetch();
#endif
ocsp_set_default_uri(ocspuri);
/* loading X.509 CA certificates */
load_authcerts("CA cert", oco->cacerts_dir, AUTH_CA);
/* loading X.509 AA certificates */
load_authcerts("AA cert", oco->aacerts_dir, AUTH_AA);
/* loading X.509 OCSP certificates */
load_authcerts("OCSP cert", oco->ocspcerts_dir, AUTH_OCSP);
/* loading X.509 CRLs */
load_crls();
/* loading attribute certificates (experimental) */
load_acerts();
#ifdef HAVE_LIBNSS
/*Loading CA certs from NSS DB*/
load_authcerts_from_nss("CA cert", AUTH_CA);
#endif
daily_log_event();
call_server();
return -1; /* Shouldn't ever reach this */
}
void main(unsigned long bist)
{
int boot_mode = 0;
int cbmem_was_initted;
struct pei_data pei_data = {
.pei_version = PEI_VERSION,
.mchbar = (uintptr_t)DEFAULT_MCHBAR,
.dmibar = (uintptr_t)DEFAULT_DMIBAR,
.epbar = DEFAULT_EPBAR,
.pciexbar = CONFIG_MMCONF_BASE_ADDRESS,
.smbusbar = SMBUS_IO_BASE,
.wdbbar = 0x4000000,
.wdbsize = 0x1000,
.hpet_address = CONFIG_HPET_ADDRESS,
.rcba = (uintptr_t)DEFAULT_RCBABASE,
.pmbase = DEFAULT_PMBASE,
.gpiobase = DEFAULT_GPIOBASE,
.thermalbase = 0xfed08000,
.system_type = 0, // 0 Mobile, 1 Desktop/Server
.tseg_size = CONFIG_SMM_TSEG_SIZE,
.spd_addresses = { 0xa0, 0x00, 0xa4, 0x00 },
.ts_addresses = { 0x00, 0x00, 0x00, 0x00 },
.ec_present = 0,
// 0 = leave channel enabled
// 1 = disable dimm 0 on channel
// 2 = disable dimm 1 on channel
// 3 = disable dimm 0+1 on channel
.dimm_channel0_disabled = 2,
.dimm_channel1_disabled = 2,
.max_ddr3_freq = 1600,
.usb_port_config = {
{ 1, 0, 0x0040 }, /* P0: Front port (OC0) */
{ 1, 1, 0x0040 }, /* P1: Back port (OC1) */
{ 1, 0, 0x0040 }, /* P2: MINIPCIE1 (no OC) */
{ 1, 0, 0x0040 }, /* P3: MMC (no OC) */
{ 1, 2, 0x0040 }, /* P4: Front port (OC2) */
{ 0, 0, 0x0000 }, /* P5: Empty */
{ 0, 0, 0x0000 }, /* P6: Empty */
{ 0, 0, 0x0000 }, /* P7: Empty */
{ 1, 4, 0x0040 }, /* P8: Back port (OC4) */
{ 1, 4, 0x0040 }, /* P9: MINIPCIE3 (no OC) */
{ 1, 4, 0x0040 }, /* P10: BLUETOOTH (no OC) */
{ 0, 4, 0x0000 }, /* P11: Empty */
{ 1, 6, 0x0040 }, /* P12: Back port (OC6) */
{ 1, 5, 0x0040 }, /* P13: Back port (OC5) */
},
};
timestamp_init(get_initial_timestamp());
timestamp_add_now(TS_START_ROMSTAGE);
if (bist == 0)
enable_lapic();
pch_enable_lpc();
/* Enable GPIOs */
pci_write_config32(PCH_LPC_DEV, GPIO_BASE, DEFAULT_GPIOBASE|1);
pci_write_config8(PCH_LPC_DEV, GPIO_CNTL, 0x10);
setup_pch_gpios(&emeraldlake2_gpio_map);
setup_sio_gpios();
/* Early SuperIO setup */
console_init();
/* Halt if there was a built in self test failure */
report_bist_failure(bist);
if (MCHBAR16(SSKPD) == 0xCAFE) {
printk(BIOS_DEBUG, "soft reset detected\n");
boot_mode = 1;
/* System is not happy after keyboard reset... */
printk(BIOS_DEBUG, "Issuing CF9 warm reset\n");
outb(0x6, 0xcf9);
halt();
}
/* Perform some early chipset initialization required
* before RAM initialization can work
*/
sandybridge_early_initialization(SANDYBRIDGE_MOBILE);
printk(BIOS_DEBUG, "Back from sandybridge_early_initialization()\n");
boot_mode = southbridge_detect_s3_resume() ? 2 : 0;
post_code(0x38);
/* Enable SPD ROMs and DDR-III DRAM */
enable_smbus();
/* Prepare USB controller early in S3 resume */
if (boot_mode == 2)
enable_usb_bar();
post_code(0x3a);
pei_data.boot_mode = boot_mode;
timestamp_add_now(TS_BEFORE_INITRAM);
sdram_initialize(&pei_data);
timestamp_add_now(TS_AFTER_INITRAM);
post_code(0x3b);
/* Perform some initialization that must run before stage2 */
early_pch_init();
post_code(0x3c);
/* This should probably go away. Until now it is required
* and mainboard specific
*/
rcba_config();
post_code(0x3d);
quick_ram_check();
post_code(0x3e);
cbmem_was_initted = !cbmem_recovery(boot_mode==2);
if (boot_mode!=2)
save_mrc_data(&pei_data);
if (boot_mode==2 && !cbmem_was_initted) {
/* Failed S3 resume, reset to come up cleanly */
outb(0x6, 0xcf9);
halt();
}
northbridge_romstage_finalize(boot_mode==2);
post_code(0x3f);
if (CONFIG_LPC_TPM) {
init_tpm(boot_mode == 2);
}
}
int
main(int argc, char **argv)
{
int lockfd;
int nhelpers = -1;
char *coredir;
const struct lsw_conf_options *oco;
/*
* We read the intentions for how to log from command line options
* and the config file. Then we prepare to be able to log, but until
* then log to stderr (better then nothing). Once we are ready to
* actually do loggin according to the methods desired, we set the
* variables for those methods
*/
bool log_to_stderr_desired = FALSE;
bool log_to_file_desired = FALSE;
coredir = NULL;
/* set up initial defaults that need a cast */
pluto_shared_secrets_file =
DISCARD_CONST(char *, SHARED_SECRETS_FILE);
#ifdef NAT_TRAVERSAL
/** Overridden by nat_traversal= in ipsec.conf */
bool nat_traversal = FALSE;
bool nat_t_spf = TRUE; /* support port floating */
unsigned int keep_alive = 0;
bool force_keepalive = FALSE;
#endif
/** Overridden by virtual_private= in ipsec.conf */
char *virtual_private = NULL;
#ifdef LEAK_DETECTIVE
leak_detective=1;
#else
leak_detective=0;
#endif
#ifdef HAVE_LIBCAP_NG
/* Drop capabilities */
capng_clear(CAPNG_SELECT_BOTH);
capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
CAP_IPC_LOCK, CAP_AUDIT_WRITE,
-1);
/* our children must be able to CAP_NET_ADMIN to change routes.
*/
capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET,
CAP_NET_ADMIN, -1);
capng_apply(CAPNG_SELECT_BOTH);
#endif
#ifdef DEBUG
libreswan_passert_fail = passert_fail;
#endif
if(getenv("PLUTO_WAIT_FOR_GDB")) {
sleep(120);
}
/* handle arguments */
for (;;)
{
# define DBG_OFFSET 256
static const struct option long_opts[] = {
/* name, has_arg, flag, val */
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'v' },
{ "config", required_argument, NULL, 'z' },
{ "nofork", no_argument, NULL, 'd' },
{ "stderrlog", no_argument, NULL, 'e' },
{ "logfile", required_argument, NULL, 'g' },
{ "plutostderrlogtime", no_argument, NULL, 't' },
{ "noklips", no_argument, NULL, 'n' },
{ "use-nostack", no_argument, NULL, 'n' },
{ "use-none", no_argument, NULL, 'n' },
{ "force_busy", no_argument, NULL, 'D' },
{ "strictcrlpolicy", no_argument, NULL, 'r' },
{ "crlcheckinterval", required_argument, NULL, 'x'},
{ "uniqueids", no_argument, NULL, 'u' },
{ "useklips", no_argument, NULL, 'k' },
{ "use-klips", no_argument, NULL, 'k' },
{ "use-auto", no_argument, NULL, 'G' },
{ "usenetkey", no_argument, NULL, 'K' },
{ "use-netkey", no_argument, NULL, 'K' },
{ "use-mast", no_argument, NULL, 'M' },
{ "use-mastklips", no_argument, NULL, 'M' },
{ "use-bsdkame", no_argument, NULL, 'F' },
{ "interface", required_argument, NULL, 'i' },
{ "listen", required_argument, NULL, 'L' },
{ "ikeport", required_argument, NULL, 'p' },
{ "natikeport", required_argument, NULL, 'q' },
{ "ctlbase", required_argument, NULL, 'b' },
{ "secretsfile", required_argument, NULL, 's' },
{ "perpeerlogbase", required_argument, NULL, 'P' },
{ "perpeerlog", no_argument, NULL, 'l' },
{ "noretransmits", no_argument, NULL, 'R' },
{ "coredir", required_argument, NULL, 'C' },
{ "ipsecdir", required_argument, NULL, 'f' },
{ "ipsec_dir", required_argument, NULL, 'f' },
{ "foodgroupsdir", required_argument, NULL, 'f' },
{ "adns", required_argument, NULL, 'a' },
#ifdef NAT_TRAVERSAL
{ "nat_traversal", no_argument, NULL, '1' },
{ "keep_alive", required_argument, NULL, '2' },
{ "force_keepalive", no_argument, NULL, '3' },
{ "disable_port_floating", no_argument, NULL, '4' },
{ "debug-nat_t", no_argument, NULL, '5' },
{ "debug-nattraversal", no_argument, NULL, '5' },
{ "debug-nat-t", no_argument, NULL, '5' },
#endif
{ "virtual_private", required_argument, NULL, '6' },
{ "nhelpers", required_argument, NULL, 'j' },
#ifdef HAVE_LABELED_IPSEC
{ "secctx_attr_value", required_argument, NULL, 'w' },
#endif
#ifdef DEBUG
{ "debug-none", no_argument, NULL, 'N' },
{ "debug-all", no_argument, NULL, 'A' },
{ "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
{ "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-crypto", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
{ "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
{ "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
{ "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
{ "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
{ "debug-netkey", no_argument, NULL, DBG_NETKEY + DBG_OFFSET },
{ "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
{ "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
{ "debug-oppoinfo", no_argument, NULL, DBG_OPPOINFO + DBG_OFFSET },
{ "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
{ "debug-dpd", no_argument, NULL, DBG_DPD + DBG_OFFSET },
{ "debug-x509", no_argument, NULL, DBG_X509 + DBG_OFFSET },
{ "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
{ "debug-pfkey", no_argument, NULL, DBG_PFKEY + DBG_OFFSET },
{ "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
{ "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
{ "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
{ "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
{ "impair-sa-creation", no_argument, NULL, IMPAIR_SA_CREATION + DBG_OFFSET },
{ "impair-die-oninfo", no_argument, NULL, IMPAIR_DIE_ONINFO + DBG_OFFSET },
{ "impair-jacob-two-two", no_argument, NULL, IMPAIR_JACOB_TWO_TWO + DBG_OFFSET },
{ "impair-major-version-bump", no_argument, NULL, IMPAIR_MAJOR_VERSION_BUMP + DBG_OFFSET },
{ "impair-minor-version-bump", no_argument, NULL, IMPAIR_MINOR_VERSION_BUMP + DBG_OFFSET },
{ "impair-retransmits", no_argument, NULL, IMPAIR_RETRANSMITS + DBG_OFFSET },
{ "impair-send-bogus-isakmp-flag", no_argument, NULL, IMPAIR_SEND_BOGUS_ISAKMP_FLAG + DBG_OFFSET },
#endif
{ 0,0,0,0 }
};
/* Note: we don't like the way short options get parsed
* by getopt_long, so we simply pass an empty string as
* the list. It could be "hvdenp:l:s:" "NARXPECK".
*/
int c = getopt_long(argc, argv, "", long_opts, NULL);
/** Note: "breaking" from case terminates loop */
switch (c)
{
case EOF: /* end of flags */
break;
case 0: /* long option already handled */
continue;
case ':': /* diagnostic already printed by getopt_long */
case '?': /* diagnostic already printed by getopt_long */
usage("");
break; /* not actually reached */
case 'h': /* --help */
usage(NULL);
break; /* not actually reached */
case 'C':
coredir = clone_str(optarg, "coredir");
continue;
case 'v': /* --version */
{
printf("%s%s\n", ipsec_version_string(),
compile_time_interop_options);
}
exit(0); /* not exit_pluto because we are not initialized yet */
break; /* not actually reached */
case 'j': /* --nhelpers */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing number of pluto helpers");
{
char *endptr;
long count = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| count < -1)
usage("<nhelpers> must be a positive number, 0 or -1");
nhelpers = count;
}
continue;
#ifdef HAVE_LABELED_IPSEC
case 'w': /* --secctx_attr_value*/
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing (positive integer) value of secctx_attr_value (needed only if using labeled ipsec)");
{
char *endptr;
long value = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| (value != SECCTX && value !=10) )
usage("<secctx_attr_value> must be a positive number (32001 by default, 10 for backward compatibility, or any other future number assigned by IANA)");
secctx_attr_value = (u_int16_t)value;
}
continue;
#endif
case 'd': /* --nofork*/
fork_desired = FALSE;
continue;
case 'e': /* --stderrlog */
log_to_stderr_desired = TRUE;
continue;
case 'g': /* --logfile */
pluto_log_file = optarg;
log_to_file_desired = TRUE;
continue;
case 't': /* --plutostderrlogtime */
log_with_timestamp = TRUE;
continue;
case 'G': /* --use-auto */
libreswan_log("The option --use-auto is obsoleted, falling back to --use-netkey\n");
kern_interface = USE_NETKEY;
continue;
case 'k': /* --use-klips */
kern_interface = USE_KLIPS;
continue;
case 'L': /* --listen ip_addr */
{
ip_address lip;
err_t e = ttoaddr(optarg,0,0,&lip);
if(e) {
libreswan_log("invalid listen argument ignored: %s\n",e);
} else {
pluto_listen = clone_str(optarg, "pluto_listen");
libreswan_log("bind() will be filtered for %s\n",pluto_listen);
}
}
continue;
case 'M': /* --use-mast */
kern_interface = USE_MASTKLIPS;
continue;
case 'F': /* --use-bsdkame */
kern_interface = USE_BSDKAME;
continue;
case 'K': /* --use-netkey */
kern_interface = USE_NETKEY;
continue;
case 'n': /* --use-nostack */
kern_interface = NO_KERNEL;
continue;
case 'D': /* --force_busy */
force_busy = TRUE;
continue
;
case 'r': /* --strictcrlpolicy */
strict_crl_policy = TRUE;
continue
;
case 'R':
no_retransmits = TRUE;
continue;
case 'x': /* --crlcheckinterval <time>*/
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing interval time");
{
char *endptr;
long interval = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| interval <= 0)
usage("<interval-time> must be a positive number");
crl_check_interval = interval;
}
continue
;
case 'u': /* --uniqueids */
uniqueIDs = TRUE;
continue;
case 'i': /* --interface <ifname|ifaddr> */
if (!use_interface(optarg))
usage("too many --interface specifications");
continue;
/*
* This option does not really work, as this is the "left"
* site only, you also need --to --ikeport again later on
* It will result in: yourport -> 500, still not bypassing filters
*/
case 'p': /* --ikeport <portnumber> */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing port number");
{
char *endptr;
long port = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| port <= 0 || port > 0x10000)
usage("<port-number> must be a number between 1 and 65535");
pluto_port = port;
}
continue;
#ifdef NAT_TRAVERSAL
case 'q': /* --natikeport <portnumber> */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing port number");
{
char *endptr;
long port = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| port <= 0 || port > 0x10000)
usage("<port-number> must be a number between 1 and 65535");
pluto_natt_float_port = port;
}
continue;
#endif
case 'b': /* --ctlbase <path> */
ctlbase = optarg;
if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
, "%s%s", ctlbase, CTL_SUFFIX) == -1)
usage("<path>" CTL_SUFFIX " too long for sun_path");
if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
, "%s%s", ctlbase, INFO_SUFFIX) == -1)
usage("<path>" INFO_SUFFIX " too long for sun_path");
if (snprintf(pluto_lock, sizeof(pluto_lock)
, "%s%s", ctlbase, LOCK_SUFFIX) == -1)
usage("<path>" LOCK_SUFFIX " must fit");
continue;
case 's': /* --secretsfile <secrets-file> */
pluto_shared_secrets_file = optarg;
continue;
case 'f': /* --ipsecdir <ipsec-dir> */
(void)lsw_init_ipsecdir(optarg);
continue;
case 'a': /* --adns <pathname> */
pluto_adns_option = optarg;
continue;
#ifdef DEBUG
case 'N': /* --debug-none */
base_debugging = DBG_NONE;
continue;
case 'A': /* --debug-all */
base_debugging = DBG_ALL;
continue;
#endif
case 'P': /* --perpeerlogbase */
base_perpeer_logdir = optarg;
continue;
case 'l':
log_to_perpeer = TRUE;
continue;
#ifdef NAT_TRAVERSAL
case '1': /* --nat_traversal */
nat_traversal = TRUE;
continue;
case '2': /* --keep_alive */
keep_alive = atoi(optarg);
continue;
case '3': /* --force_keepalive */
force_keepalive = TRUE;
continue;
case '4': /* --disable_port_floating */
nat_t_spf = FALSE;
continue;
#ifdef DEBUG
case '5': /* --debug-nat_t */
base_debugging |= DBG_NATT;
continue;
#endif
#endif
case '6': /* --virtual_private */
virtual_private = optarg;
continue;
case 'z': /* --config */
;
/* Config struct to variables mapper. This will overwrite */
/* all previously set options. Keep this in the same order than */
/* long_opts[] is. */
struct starter_config *cfg = read_cfg_file(optarg);
set_cfg_string(&pluto_log_file, cfg->setup.strings[KSF_PLUTOSTDERRLOG]);
fork_desired = cfg->setup.options[KBF_PLUTOFORK]; /* plutofork= */
log_with_timestamp =
cfg->setup.options[KBF_PLUTOSTDERRLOGTIME];
force_busy = cfg->setup.options[KBF_FORCEBUSY];
strict_crl_policy = cfg->setup.options[KBF_STRICTCRLPOLICY];
crl_check_interval = cfg->setup.options[KBF_CRLCHECKINTERVAL];
uniqueIDs = cfg->setup.options[KBF_UNIQUEIDS];
/*
* We don't check interfaces= here because that part has been dealt
* with in _stackmanager before we started
*/
set_cfg_string(&pluto_listen, cfg->setup.strings[KSF_LISTEN]);
pluto_port = cfg->setup.options[KBF_IKEPORT]; /* --ikeport */
/* no config option: ctlbase */
set_cfg_string(&pluto_shared_secrets_file, cfg->setup.strings[KSF_SECRETSFILE]); /* --secrets */
if(cfg->setup.strings[KSF_IPSECDIR] != NULL &&
*cfg->setup.strings[KSF_IPSECDIR] != 0) {
lsw_init_ipsecdir(cfg->setup.strings[KSF_IPSECDIR]); /* --ipsecdir */
}
set_cfg_string(&base_perpeer_logdir, cfg->setup.strings[KSF_PERPEERDIR]); /* --perpeerlogbase */
log_to_perpeer = cfg->setup.options[KBF_PERPEERLOG]; /* --perpeerlog */
no_retransmits = !cfg->setup.options[KBF_RETRANSMITS]; /* --noretransmits */
set_cfg_string(&coredir, cfg->setup.strings[KSF_DUMPDIR]); /* --dumpdir */
/* no config option: pluto_adns_option */
#ifdef NAT_TRAVERSAL
pluto_natt_float_port = cfg->setup.options[KBF_NATIKEPORT];
nat_traversal = cfg->setup.options[KBF_NATTRAVERSAL];
keep_alive = cfg->setup.options[KBF_KEEPALIVE];
force_keepalive = cfg->setup.options[KBF_FORCE_KEEPALIVE];
nat_t_spf = !cfg->setup.options[KBF_DISABLEPORTFLOATING];
#endif
set_cfg_string(&virtual_private,
cfg->setup.strings[KSF_VIRTUALPRIVATE]);
nhelpers = cfg->setup.options[KBF_NHELPERS];
#ifdef HAVE_LABELED_IPSEC
secctx_attr_value = cfg->setup.options[KBF_SECCTX];
#endif
#ifdef DEBUG
base_debugging = cfg->setup.options[KBF_PLUTODEBUG];
#endif
char *protostack = cfg->setup.strings[KSF_PROTOSTACK];
if (protostack == NULL || *protostack == 0)
kern_interface = USE_NETKEY;
else if (strcmp(protostack, "none") == 0)
kern_interface = NO_KERNEL;
else if (strcmp(protostack, "auto") == 0)
{
libreswan_log("The option protostack=auto is obsoleted, falling back to protostack=netkey\n");
kern_interface = USE_NETKEY;
}
else if (strcmp(protostack, "klips") == 0)
kern_interface = USE_KLIPS;
else if (strcmp(protostack, "mast") == 0)
kern_interface = USE_MASTKLIPS;
else if (strcmp(protostack, "netkey") == 0 ||
strcmp(protostack, "native") == 0)
kern_interface = USE_NETKEY;
else if (strcmp(protostack, "bsd") == 0 ||
strcmp(protostack, "kame") == 0 ||
strcmp(protostack, "bsdkame") == 0)
kern_interface = USE_BSDKAME;
else if (strcmp(protostack, "win2k") == 0)
kern_interface = USE_WIN2K;
confread_free(cfg);
continue;
default:
#ifdef DEBUG
if (c >= DBG_OFFSET)
{
base_debugging |= c - DBG_OFFSET;
continue;
}
# undef DBG_OFFSET
#endif
bad_case(c);
}
break;
}
if (optind != argc)
usage("unexpected argument");
reset_debugging();
#ifdef HAVE_NO_FORK
fork_desired = FALSE;
nhelpers = 0;
#endif
/* default coredir to location compatible with SElinux */
if(!coredir) {
coredir = clone_str("/var/run/pluto", "coredir");
}
if(chdir(coredir) == -1) {
int e = errno;
libreswan_log("pluto: chdir() do dumpdir failed (%d: %s)\n",
e, strerror(e));
}
oco = lsw_init_options();
lockfd = create_lock();
/* select between logging methods */
if (log_to_stderr_desired || log_to_file_desired) {
log_to_syslog = FALSE;
}
if (!log_to_stderr_desired)
log_to_stderr = FALSE;
#ifdef DEBUG
#if 0
if(kernel_ops->set_debug) {
(*kernel_ops->set_debug)(cur_debugging, DBG_log, DBG_log);
}
#endif
#endif
/** create control socket.
* We must create it before the parent process returns so that
* there will be no race condition in using it. The easiest
* place to do this is before the daemon fork.
*/
{
err_t ugh = init_ctl_socket();
if (ugh != NULL)
{
fprintf(stderr, "pluto: %s", ugh);
exit_pluto(1);
}
}
/* If not suppressed, do daemon fork */
if (fork_desired)
{
{
pid_t pid = fork();
if (pid < 0)
{
int e = errno;
fprintf(stderr, "pluto: fork failed (%d %s)\n",
errno, strerror(e));
exit_pluto(1);
}
if (pid != 0)
{
/* parent: die, after filling PID into lock file.
* must not use exit_pluto: lock would be removed!
*/
exit(fill_lock(lockfd, pid)? 0 : 1);
}
}
if (setsid() < 0)
{
int e = errno;
fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
errno, strerror(e));
exit_pluto(1);
}
}
else
{
/* no daemon fork: we have to fill in lock file */
(void) fill_lock(lockfd, getpid());
if (isatty(fileno(stdout)))
{
fprintf(stdout, "Pluto initialized\n");
fflush(stdout);
}
}
/** Close everything but ctl_fd and (if needed) stderr.
* There is some danger that a library that we don't know
* about is using some fd that we don't know about.
* I guess we'll soon find out.
*/
{
int i;
for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
if ((!log_to_stderr || i != 2)
&& i != ctl_fd)
close(i);
/* make sure that stdin, stdout, stderr are reserved */
if (open("/dev/null", O_RDONLY) != 0)
lsw_abort();
if (dup2(0, 1) != 1)
lsw_abort();
if (!log_to_stderr && dup2(0, 2) != 2)
lsw_abort();
}
init_constants();
pluto_init_log();
pluto_init_nss(oco->confddir);
#ifdef FIPS_CHECK
const char *package_files[]= { IPSECLIBDIR"/setup",
IPSECLIBDIR"/addconn",
IPSECLIBDIR"/auto",
IPSECLIBDIR"/barf",
IPSECLIBDIR"/eroute",
IPSECLIBDIR"/ikeping",
IPSECLIBDIR"/readwriteconf",
IPSECLIBDIR"/_keycensor",
IPSECLIBDIR"/klipsdebug",
IPSECLIBDIR"/look",
IPSECLIBDIR"/newhostkey",
IPSECLIBDIR"/pf_key",
IPSECLIBDIR"/_pluto_adns",
IPSECLIBDIR"/_plutorun",
IPSECLIBDIR"/ranbits",
IPSECLIBDIR"/_realsetup",
IPSECLIBDIR"/rsasigkey",
IPSECLIBDIR"/pluto",
IPSECLIBDIR"/_secretcensor",
IPSECLIBDIR"/secrets",
IPSECLIBDIR"/showhostkey",
IPSECLIBDIR"/spi",
IPSECLIBDIR"/spigrp",
IPSECLIBDIR"/_stackmanager",
IPSECLIBDIR"/tncfg",
IPSECLIBDIR"/_updown",
IPSECLIBDIR"/_updown.klips",
IPSECLIBDIR"/_updown.mast",
IPSECLIBDIR"/_updown.netkey",
IPSECLIBDIR"/verify",
IPSECLIBDIR"/whack",
IPSECSBINDIR"/ipsec",
NULL
};
if (Pluto_IsFIPS() && !FIPSCHECK_verify_files(package_files)) {
loglog(RC_LOG_SERIOUS, "FATAL: FIPS integrity verification test failed");
exit_pluto(10);
}
#else
libreswan_log("FIPS integrity support [disabled]");
#endif
#ifdef HAVE_LIBCAP_NG
libreswan_log("libcap-ng support [enabled]");
#else
libreswan_log("libcap-ng support [disabled]");
#endif
#ifdef USE_LINUX_AUDIT
libreswan_log("Linux audit support [enabled]");
/* test and log if audit is enabled on the system */
int audit_fd, rc;
audit_fd = audit_open();
if (audit_fd < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)
{
loglog(RC_LOG_SERIOUS, "Warning: kernel has no audit support");
} else {
loglog(RC_LOG_SERIOUS, "FATAL (SOON): audit_open() failed : %s", strerror(errno));
/* temp disabled exit_pluto(10); */
}
}
rc = audit_log_acct_message(audit_fd, AUDIT_USER_START, NULL,
"starting pluto daemon", NULL, -1, NULL, NULL, NULL, 1);
close(audit_fd);
if (rc < 0) {
loglog(RC_LOG_SERIOUS, "FATAL: audit_log_acct_message failed: %s", strerror(errno));
exit_pluto(10);
}
#else
libreswan_log("Linux audit support [disabled]");
#endif
/* Note: some scripts may look for this exact message -- don't change
* ipsec barf was one, but it no longer does.
*/
{
const char *vc = ipsec_version_code();
#ifdef PLUTO_SENDS_VENDORID
const char *v = init_pluto_vendorid();
libreswan_log("Starting Pluto (Libreswan Version %s%s; Vendor ID %s) pid:%u"
, vc, compile_time_interop_options, v, getpid());
#else
libreswan_log("Starting Pluto (Libreswan Version %s%s) pid:%u"
, vc, compile_time_interop_options, getpid());
#endif
if(Pluto_IsFIPS()) {
libreswan_log("Pluto is running in FIPS mode");
} else {
libreswan_log("Pluto is NOT running in FIPS mode");
}
if((vc[0]=='c' && vc[1]=='v' && vc[2]=='s') ||
(vc[2]=='g' && vc[3]=='i' && vc[4]=='t')) {
/*
* when people build RPMs from CVS or GIT, make sure they
* get blamed appropriately, and that we get some way to
* identify who did it, and when they did it. Use string concat,
* so that strings the binary can or classic SCCS "what", will find
* stuff too.
*/
libreswan_log("@(#) built on "__DATE__":" __TIME__ " by " BUILDER);
}
#if defined(USE_1DES)
libreswan_log("WARNING: 1DES is enabled");
#endif
}
if(coredir) {
libreswan_log("core dump dir: %s", coredir);
}
if(pluto_shared_secrets_file) {
libreswan_log("secrets file: %s", pluto_shared_secrets_file);
}
#ifdef LEAK_DETECTIVE
libreswan_log("LEAK_DETECTIVE support [enabled]");
#else
libreswan_log("LEAK_DETECTIVE support [disabled]");
#endif
#ifdef HAVE_OCF
{
struct stat buf;
errno=0;
if( stat("/dev/crypto",&buf) != -1)
libreswan_log("OCF support for IKE via /dev/crypto [enabled]");
else
libreswan_log("OCF support for IKE via /dev/crypto [failed:%s]", strerror(errno));
}
#else
libreswan_log("OCF support for IKE [disabled]");
#endif
/* Check for SAREF support */
#ifdef KLIPS_MAST
#include <ipsec_saref.h>
{
int e, sk, saref;
saref = 1;
errno=0;
sk = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_REFINFO, &saref, sizeof(saref));
if (e == -1 ) {
libreswan_log("SAref support [disabled]: %s" , strerror(errno));
}
else {
libreswan_log("SAref support [enabled]");
}
errno=0;
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_BINDREF, &saref, sizeof(saref));
if (e == -1 ) {
libreswan_log("SAbind support [disabled]: %s" , strerror(errno));
}
else {
libreswan_log("SAbind support [enabled]");
}
close(sk);
}
#endif
libreswan_log("NSS crypto [enabled]");
#ifdef XAUTH_HAVE_PAM
libreswan_log("XAUTH PAM support [enabled]");
#else
libreswan_log("XAUTH PAM support [disabled]");
#endif
#ifdef HAVE_STATSD
libreswan_log("HAVE_STATSD notification via /bin/libreswan-statsd enabled");
#else
libreswan_log("HAVE_STATSD notification support [disabled]");
#endif
/** Log various impair-* functions if they were enabled */
if(DBGP(IMPAIR_BUST_MI2))
libreswan_log("Warning: IMPAIR_BUST_MI2 enabled");
if(DBGP(IMPAIR_BUST_MR2))
libreswan_log("Warning: IMPAIR_BUST_MR2 enabled");
if(DBGP(IMPAIR_SA_CREATION))
libreswan_log("Warning: IMPAIR_SA_CREATION enabled");
if(DBGP(IMPAIR_JACOB_TWO_TWO))
libreswan_log("Warning: IMPAIR_JACOB_TWO_TWO enabled");
if(DBGP(IMPAIR_DIE_ONINFO))
libreswan_log("Warning: IMPAIR_DIE_ONINFO enabled");
if(DBGP(IMPAIR_MAJOR_VERSION_BUMP))
libreswan_log("Warning: IMPAIR_MAJOR_VERSION_BUMP enabled");
if(DBGP(IMPAIR_MINOR_VERSION_BUMP))
libreswan_log("Warning: IMPAIR_MINOR_VERSION_BUMP enabled");
if(DBGP(IMPAIR_RETRANSMITS))
libreswan_log("Warning: IMPAIR_RETRANSMITS enabled");
if(DBGP(IMPAIR_SEND_BOGUS_ISAKMP_FLAG))
libreswan_log("Warning: IMPAIR_SEND_BOGUS_ISAKMP_FLAG enabled");
if(DBGP(IMPAIR_DELAY_ADNS_KEY_ANSWER))
libreswan_log("Warning: IMPAIR_DELAY_ADNS_KEY_ANSWER enabled");
if(DBGP(IMPAIR_DELAY_ADNS_TXT_ANSWER))
libreswan_log("Warning: IMPAIR_DELAY_ADNS_TXT_ANSWER enabled");
/** Initialize all of the various features */
#ifdef NAT_TRAVERSAL
init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
#endif
init_virtual_ip(virtual_private);
/* obsoletd by nss code init_rnd_pool(); */
init_timer();
init_secret();
init_states();
init_connections();
init_crypto();
init_crypto_helpers(nhelpers);
load_lswcrypto();
init_demux();
init_kernel();
init_adns();
init_id();
#ifdef TPM
init_tpm();
#endif
#if defined(LIBCURL) || defined(LDAP_VER)
init_fetch();
#endif
/* loading X.509 CA certificates */
load_authcerts("CA cert", oco->cacerts_dir, AUTH_CA);
#if 0
/* unused */
/* loading X.509 AA certificates */
load_authcerts("AA cert", oco->aacerts_dir, AUTH_AA);
#endif
/* loading X.509 CRLs */
load_crls();
/* loading attribute certificates (experimental) */
load_acerts();
/*Loading CA certs from NSS DB*/
load_authcerts_from_nss("CA cert", AUTH_CA);
#ifdef HAVE_LABELED_IPSEC
init_avc();
#endif
daily_log_event();
call_server();
return -1; /* Shouldn't ever reach this */
}
void romstage_common(const struct romstage_params *params)
{
int boot_mode;
int wake_from_s3;
timestamp_init(get_initial_timestamp());
timestamp_add_now(TS_START_ROMSTAGE);
if (params->bist == 0)
enable_lapic();
wake_from_s3 = early_pch_init(params->gpio_map, params->rcba_config);
#if CONFIG_EC_GOOGLE_CHROMEEC
/* Ensure the EC is in the right mode for recovery */
google_chromeec_early_init();
#endif
/* Halt if there was a built in self test failure */
report_bist_failure(params->bist);
/* Perform some early chipset initialization required
* before RAM initialization can work
*/
haswell_early_initialization(HASWELL_MOBILE);
printk(BIOS_DEBUG, "Back from haswell_early_initialization()\n");
if (wake_from_s3) {
#if CONFIG_HAVE_ACPI_RESUME
printk(BIOS_DEBUG, "Resume from S3 detected.\n");
#else
printk(BIOS_DEBUG, "Resume from S3 detected, but disabled.\n");
wake_from_s3 = 0;
#endif
}
/* There are hard coded assumptions of 2 meaning s3 wake. Normalize
* the users of the 2 literal here based off wake_from_s3. */
boot_mode = wake_from_s3 ? 2 : 0;
/* Prepare USB controller early in S3 resume */
if (wake_from_s3)
enable_usb_bar();
post_code(0x3a);
params->pei_data->boot_mode = boot_mode;
timestamp_add_now(TS_BEFORE_INITRAM);
report_platform_info();
if (params->copy_spd != NULL)
params->copy_spd(params->pei_data);
sdram_initialize(params->pei_data);
timestamp_add_now(TS_AFTER_INITRAM);
post_code(0x3b);
intel_early_me_status();
quick_ram_check();
post_code(0x3e);
if (!wake_from_s3) {
cbmem_initialize_empty();
/* Save data returned from MRC on non-S3 resumes. */
save_mrc_data(params->pei_data);
} else if (cbmem_initialize()) {
#if CONFIG_HAVE_ACPI_RESUME
/* Failed S3 resume, reset to come up cleanly */
reset_system();
#endif
}
romstage_handoff_init(wake_from_s3);
post_code(0x3f);
if (IS_ENABLED(CONFIG_LPC_TPM))
init_tpm(wake_from_s3);
}
/* Entry from the mainboard. */
void romstage_common(struct romstage_params *params)
{
const struct mrc_saved_data *cache;
struct romstage_handoff *handoff;
struct pei_data *pei_data;
post_code(0x32);
timestamp_add_now(TS_BEFORE_INITRAM);
pei_data = params->pei_data;
pei_data->boot_mode = params->power_state->prev_sleep_state;
#if IS_ENABLED(CONFIG_ELOG_BOOT_COUNT)
if (params->power_state->prev_sleep_state != ACPI_S3)
boot_count_increment();
#endif
/* Perform remaining SOC initialization */
soc_pre_ram_init(params);
post_code(0x33);
/* Check recovery and MRC cache */
params->pei_data->saved_data_size = 0;
params->pei_data->saved_data = NULL;
if (!params->pei_data->disable_saved_data) {
if (vboot_recovery_mode_enabled()) {
/* Recovery mode does not use MRC cache */
printk(BIOS_DEBUG,
"Recovery mode: not using MRC cache.\n");
} else if (IS_ENABLED(CONFIG_CACHE_MRC_SETTINGS)
&& (!mrc_cache_get_current_with_version(&cache,
params->fsp_version))) {
/* MRC cache found */
params->pei_data->saved_data_size = cache->size;
params->pei_data->saved_data = &cache->data[0];
} else if (params->pei_data->boot_mode == ACPI_S3) {
/* Waking from S3 and no cache. */
printk(BIOS_DEBUG,
"No MRC cache found in S3 resume path.\n");
post_code(POST_RESUME_FAILURE);
hard_reset();
} else {
printk(BIOS_DEBUG, "No MRC cache found.\n");
mainboard_check_ec_image(params);
}
}
/* Initialize RAM */
raminit(params);
timestamp_add_now(TS_AFTER_INITRAM);
/* Save MRC output */
if (IS_ENABLED(CONFIG_CACHE_MRC_SETTINGS)) {
printk(BIOS_DEBUG, "MRC data at %p %d bytes\n",
pei_data->data_to_save, pei_data->data_to_save_size);
if ((params->pei_data->boot_mode != ACPI_S3)
&& (params->pei_data->data_to_save_size != 0)
&& (params->pei_data->data_to_save != NULL))
mrc_cache_stash_data_with_version(
params->pei_data->data_to_save,
params->pei_data->data_to_save_size,
params->fsp_version);
}
/* Save DIMM information */
mainboard_save_dimm_info(params);
/* Create romstage handof information */
handoff = romstage_handoff_find_or_add();
if (handoff != NULL)
handoff->s3_resume = (params->power_state->prev_sleep_state ==
ACPI_S3);
else {
printk(BIOS_DEBUG, "Romstage handoff structure not added!\n");
hard_reset();
}
/*
* Initialize the TPM, unless the TPM was already initialized
* in verstage and used to verify romstage.
*/
if (IS_ENABLED(CONFIG_LPC_TPM) &&
!IS_ENABLED(CONFIG_RESUME_PATH_SAME_AS_BOOT) &&
!IS_ENABLED(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK))
init_tpm(params->power_state->prev_sleep_state ==
ACPI_S3);
}
void main(unsigned long bist)
{
int boot_mode = 0;
int cbmem_was_initted;
struct pei_data pei_data = {
.pei_version = PEI_VERSION,
.mchbar = (uintptr_t)DEFAULT_MCHBAR,
.dmibar = (uintptr_t)DEFAULT_DMIBAR,
.epbar = DEFAULT_EPBAR,
.pciexbar = CONFIG_MMCONF_BASE_ADDRESS,
.smbusbar = SMBUS_IO_BASE,
.wdbbar = 0x4000000,
.wdbsize = 0x1000,
.hpet_address = CONFIG_HPET_ADDRESS,
.rcba = (uintptr_t)DEFAULT_RCBABASE,
.pmbase = DEFAULT_PMBASE,
.gpiobase = DEFAULT_GPIOBASE,
.thermalbase = 0xfed08000,
.system_type = 0, // 0 Mobile, 1 Desktop/Server
.tseg_size = CONFIG_SMM_TSEG_SIZE,
.spd_addresses = { 0xA0, 0x00,0xA4,0x00 },
.ts_addresses = { 0x00, 0x00, 0x00, 0x00 },
.ec_present = 1,
// 0 = leave channel enabled
// 1 = disable dimm 0 on channel
// 2 = disable dimm 1 on channel
// 3 = disable dimm 0+1 on channel
.dimm_channel0_disabled = 2,
.dimm_channel1_disabled = 2,
.max_ddr3_freq = 1600,
.usb_port_config = {
/* enabled usb oc pin length */
{ 1, 0, 0x0040 }, /* P0: USB 3.0 1 (OC0) */
{ 1, 0, 0x0040 }, /* P1: USB 3.0 2 (OC0) */
{ 0, 1, 0x0000 }, /* P2: Empty */
{ 1, 1, 0x0040 }, /* P3: Camera (no OC) */
{ 1, 1, 0x0040 }, /* P4: WLAN (no OC) */
{ 1, 1, 0x0040 }, /* P5: WWAN (no OC) */
{ 0, 1, 0x0000 }, /* P6: Empty */
{ 0, 1, 0x0000 }, /* P7: Empty */
{ 0, 5, 0x0000 }, /* P8: Empty */
{ 1, 4, 0x0040 }, /* P9: USB 2.0 (AUO4) (OC4) */
{ 0, 5, 0x0000 }, /* P10: Empty */
{ 0, 5, 0x0000 }, /* P11: Empty */
{ 0, 5, 0x0000 }, /* P12: Empty */
{ 1, 5, 0x0040 }, /* P13: Bluetooth (no OC) */
},
.usb3 = {
.mode = XHCI_MODE,
.hs_port_switch_mask = XHCI_PORTS,
.preboot_support = XHCI_PREBOOT,
.xhci_streams = XHCI_STREAMS,
},
};
timestamp_init(get_initial_timestamp());
timestamp_add_now(TS_START_ROMSTAGE);
if (bist == 0)
enable_lapic();
pch_enable_lpc();
/* Enable GPIOs */
pci_write_config32(PCH_LPC_DEV, GPIO_BASE, DEFAULT_GPIOBASE|1);
pci_write_config8(PCH_LPC_DEV, GPIO_CNTL, 0x10);
setup_pch_gpios(&stout_gpio_map);
/* Initialize console device(s) */
console_init();
/* Halt if there was a built in self test failure */
report_bist_failure(bist);
if (MCHBAR16(SSKPD) == 0xCAFE) {
printk(BIOS_DEBUG, "soft reset detected\n");
boot_mode = 1;
/* System is not happy after keyboard reset... */
printk(BIOS_DEBUG, "Issuing CF9 warm reset\n");
outb(0x6, 0xcf9);
halt();
}
/* Perform some early chipset initialization required
* before RAM initialization can work
*/
sandybridge_early_initialization(SANDYBRIDGE_MOBILE);
printk(BIOS_DEBUG, "Back from sandybridge_early_initialization()\n");
boot_mode = southbridge_detect_s3_resume() ? 2 : 0;
/* Do ec reset as early as possible, but skip it on S3 resume */
if (boot_mode < 2)
early_ec_init();
post_code(0x38);
/* Enable SPD ROMs and DDR-III DRAM */
enable_smbus();
/* Prepare USB controller early in S3 resume */
if (boot_mode == 2)
enable_usb_bar();
post_code(0x39);
post_code(0x3a);
pei_data.boot_mode = boot_mode;
timestamp_add_now(TS_BEFORE_INITRAM);
sdram_initialize(&pei_data);
timestamp_add_now(TS_AFTER_INITRAM);
post_code(0x3b);
/* Perform some initialization that must run before stage2 */
early_pch_init();
post_code(0x3c);
rcba_config();
post_code(0x3d);
quick_ram_check();
post_code(0x3e);
cbmem_was_initted = !cbmem_recovery(boot_mode==2);
if (boot_mode!=2)
save_mrc_data(&pei_data);
if (boot_mode==2 && !cbmem_was_initted) {
/* Failed S3 resume, reset to come up cleanly */
outb(0x6, 0xcf9);
halt();
}
northbridge_romstage_finalize(boot_mode==2);
post_code(0x3f);
if (CONFIG_LPC_TPM) {
init_tpm(boot_mode == 2);
}
}