record this information in the sqlports db. ok kn@ tb@
OpenBSD is starting to support branch target identification on amd64 and
arm64 (part of the features on Apple m2, and on Intel 11th gen/newer CPUs
with "control-flow enhancement technology").
On amd64 it is currently being enabled/disabled in snapshot kernels at
various times while we gain more information about which software in
ports is working/not.
This works by placing certain opcodes at legitimate targets of branch
instructions (which are ignored on earlier CPUs as they are NOPs there)
and trapping if an indirect call/jump is attempted to a location which
does not contain such an opcode. This makes it harder for an attacker
to jump to a location containing code of their choosing.
For more details on the Intel implementatios See chapter 17 of SDM vol.1
https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html
Our system compilers on amd64/arm64 add the required opcodes at valid
targets, but some code in ports is built with a compiler which does not
do that, also some ports have asm code which has not had the required
instructions added at those points yet (i.e. endbr64 on amd64).
In those cases, the whole binary can be annotated with a segment type
PT_OPENBSD_NOBTCFI as an indicator to the kernel not to enforce branch
target control flow integrity for the produced binary.
The relevant compiler options to enable (default on OpenBSD)/disable are:
amd64: -fcf-protection=branch, -fcf-protection=none
arm64: -mbranch-protection=bti, -mbranch-protection=none
We won't be distributing CDROM anymore, so simplify to
just PERMIT_PACKAGE / PERMIT_DISTFILES
In particular, the new variables are shorter, so this makes
for better cosmetic sense in ports.
The "current" version allows for the old variables to die out
peacefully, at our leasure, and then I'll remove the old stubs.
As discussed with sthen@, various people agree, and deraadt@
is okay with the strategic change.
This does survive a bulk.
PLEASE NOTE: built packages require current pkg* tools.
In particular, the current version deals with
@comment pkgpath=* ftp=*
just fine, but the old one WILL COMPLAIN about missing cdrom info.
register-plist also doesn't care, adding/removing cdrom info
is a no-op for it. There is NO BUMP needed for the conversion.
For now, sqlports STILL carries the old variables. I'll deal
with their removal later.
So, Portsq is a snapshot of Ports... dirty but fast.
I had mixed feelings about this.
There's also a script to resync the table.
Grows the db by about 50% (+25MB)
Discussed with sthen@
Add a "meta" table that just contains a schema version and a hash.
So that some clients (e.g., portroach) can automatically figure out
whether a rebuild is required.
kill a bit of code.
adjust is now the only request "not in the mold", so just create it when
needed (so, late enough)
Add index creation (directly in create_schema), for now used for
canonical.
espie