Lmst

Quick analysis of Firefox Widevine support:
The checkbox in about:preferences#general
is defined in
browser/components/preferences/main.inc.xhtml, like so:

<!-- DRM Content -->
<groupbox id="drmGroup" data-category="paneGeneral" data-subcategory="drm" hidden="true">
  <label><html:h2 data-l10n-id="drm-content-header"/></label>
  <hbox align="center">
    <checkbox id="playDRMContent" preference="media.eme.enabled"
              class="tail-with-learn-more" data-l10n-id="play-drm-content" />
    <html:a is="moz-support-link"
      data-l10n-id="play-drm-content-learn-more"
      support-page="drm-content"
    />
  </hbox>
</groupbox>

And it's bound to the media.eme.enabled config.

Additionally, the CDM system has a status enum:

enum MediaKeySystemStatus {
  "available",
  "api-disabled",
  "cdm-disabled",
  "cdm-not-supported",
  "cdm-not-installed",
  "cdm-created",
};

/* Note: This dictionary and enum is only used by Gecko to convey messages
 * to chrome JS code. It is not exposed to the web.
 */
[GenerateToJSON]
dictionary RequestMediaKeySystemAccessNotification {
  required DOMString keySystem;
  required MediaKeySystemStatus status;
};

And the You must enable DRM to play some audio or video on this page. message is the locale string emeNotifications.drmContentDisabled.message2, and it's triggered in browser/actors/EncryptedMediaParent.sys.mjs when:

      case "api-disabled":
      case "cdm-disabled":
        this.handledMessages.add(status);
        notificationId = "drmContentDisabled";
        buttonCallback = () => {
          this.ensureEMEEnabled(browser, keySystem);
        };
        notificationMessage = lazy.gNavigatorBundle.GetStringFromName(
          "emeNotifications.drmContentDisabled.message2"
        );
        supportPage = "drm-content";
        break;

So if we wanna completely disable DRM support without annoying the user, we could set cdm-not-supported and blank out the checkbox.

Or, there is also the browser.eme.ui.enabled perf that's checked first, and if it's false, the whole system bails out (in browser/actors/EncryptedMediaParent.sys.mjs):

  isUiEnabled() {
    return Services.prefs.getBoolPref("browser.eme.ui.enabled");
  }

The pref is defined like so, in browser/app/profile/firefox.js:

#if defined(MOZ_WIDEVINE_EME)
  pref("browser.eme.ui.enabled", true);
#else
  pref("browser.eme.ui.enabled", false);
#endif

Additionally, MOZ_WIDEVINE_EME also sets (in browser/app/profile/firefox.js):

// Note: when media.gmp-*.visible is true, provided we're running on a
// supported platform/OS version, the corresponding CDM appears in the
// plugins list, Firefox will download the GMP/CDM if enabled, and our
// UI to re-enable EME prompts the user to re-enable EME if it's disabled
// and script requests EME. If *.visible is false, we won't show the UI
// to enable the CDM if its disabled; it's as if the keysystem is completely
// unsupported.
#ifdef MOZ_WIDEVINE_EME
  pref("media.gmp-widevinecdm.visible", true);
  pref("media.gmp-widevinecdm.enabled", true);

So you can set all three of those to false:

pref("media.gmp-widevinecdm.visible", false);
pref("media.gmp-widevinecdm.enabled", false);
perf("browser.eme.ui.enabled", false)

in a preference js file in your profile / dist.

Unsure exactly what sets MOZ_EME/MOZ_WIDEVINE_EME stuff.

According to https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42501,
and referencing toolkit/moz.configure, we have:

# EME Support
# ==============================================================
@depends(target, wmf)
def eme_choices(target, wmf):
    if (
        target.kernel in ("WINNT", "Linux")
        and target.os != "Android"
        and target.cpu in ("x86", "x86_64")
    ):
        if wmf:
            return ("widevine", "wmfcdm")
        return ("widevine",)
    if target.kernel == "WINNT" and target.cpu == "aarch64":
        return ("widevine",)
    if target.os in ("OSX"):
        return ("widevine",)


# Widevine is enabled by default in desktop browser builds.
@depends(build_project, eme_choices)
def eme_default(build_project, choices):
    if build_project == "browser":
        return choices


option(
    "--enable-eme",
    nargs="+",
    choices=eme_choices,
    default=eme_default,
    when=eme_choices,
    help="{Enable|Disable} support for Encrypted Media Extensions",
)


@depends("--enable-eme", when=eme_choices)
def eme_modules(value):
    return value


# Fallback to an empty list when eme_choices is empty, setting eme_modules to
# None.
set_config("MOZ_EME_MODULES", eme_modules | dependable([]))

TL;DR, when not building from source, can just set the three perfs:

pref("media.gmp-widevinecdm.visible", false);
pref("media.gmp-widevinecdm.enabled", false);
perf("browser.eme.ui.enabled", false)

And when building from source, can try either --disable-eme, or patching toolkit/moz.configure to return None (it's Python) (which should be the default when --disable-eme doesn't work)

(CC: @hellomiakoda)

So today I learned something

If neither BIG_ENDIAN, LITTLE_ENDIAN or BYTE_SWAP are defined, and you do:

#if BYTE_ORDER == LITTLE_ENDIAN
// code goes here
#endif
#if BYTE_ORDER == BIG_ENDIAN
// code goes here
#endif

The if states both evaluate to if 0 == 0, and thus becomes 1 and both lines get included. This just bit my Linux kernel build on XP ...

@mattiem eg rather than

#if os(macOS) || os(iOS) || os(tvOS)
#endif

Define it in Package.swift

swiftSettings: [
.define("SUPPORTS_MYFEATURE", .when(platforms: [ .macOS, .iOS, .tvOS ]))
]

and #if SUPPORTS_MYFEATURE everywhere is easier to understand intent (and keep up to date when platforms change) 😊

/* Get address of this CPU's current battable */
+#if 1
+#if 1
+ lis %r30,_C_LABEL(cpu_info)@ha;
+ addi %r30,%r30,_C_LABEL(cpu_info)@l;
+#else
GET_CPUINFO(%r30)
+#endif
ldreg %r30,CI_BATTABLE(%r30)
+#else
+ lis %r30,_C_LABEL(battable)@ha
+ addi %r30,%r30,_C_LABEL(battable)@l
+#endif

GET_CPUINFO() の mfsprg r,0 を使わないようにしても動かないのは変わらない、というのがそれを裏付けている気はする（さすがに CI_BATTABLE の offsetof() は間違えようがないはず……）

--- a/sys/arch/powerpc/powerpc/trap_subr.S
+++ b/sys/arch/powerpc/powerpc/trap_subr.S
@@ -269,8 +269,13 @@ _C_LABEL(dsitrap):
/* get segment * 8 */

/* Get address of this CPU's current battable */
+#if 0
GET_CPUINFO(%r30)
ldreg %r30,CI_BATTABLE(%r30)
+#else
+ lis %r30,_C_LABEL(battable)@ha
+ addi %r30,%r30,_C_LABEL(battable)@l
+#endif

/* Add offset to the slot we care about. */
add %r31,%r31,%r30

これで動くということは GET_CPUINFO が途中で差し替わっているということ？？

static const struct memdev {
    const char *name;
    const struct file_operations *fops;
    fmode_t fmode;
    umode_t mode;
} devlist[] = {
#ifdef CONFIG_DEVMEM
    [DEVMEM_MINOR] = { "mem", &mem_fops, 0, 0 },
#endif
    [3] = { "null", &null_fops, FMODE_NOWAIT, 0666 },
#ifdef CONFIG_DEVPORT
    [4] = { "port", &port_fops, 0, 0 },
#endif
    [5] = { "zero", &zero_fops, FMODE_NOWAIT, 0666 },
    [7] = { "full", &full_fops, 0, 0666 },
    [8] = { "random", &random_fops, FMODE_NOWAIT, 0666 },
    [9] = { "urandom", &urandom_fops, FMODE_NOWAIT, 0666 },
#ifdef CONFIG_PRINTK
    [11] = { "kmsg", &kmsg_fops, 0, 0644 },
#endif
};

#ifdef CONFIG_PROC_FS

void chrdev_show(struct seq_file *f, off_t offset)
{
    struct char_device_struct *cd;

    mutex_lock(&chrdevs_lock);
    for (cd = chrdevs[major_to_index(offset)]; cd; cd = cd->next) {
        if (cd->major == offset)
            seq_printf(f, "%3d %s\n", cd->major, cd->name);
    }
    mutex_unlock(&chrdevs_lock);
}

#endif /* CONFIG_PROC_FS */

fs/char_dev.c

This is evil. Evil. Just evil. Why Linus oh why why why why why did you merge this code 19 years ago

Windows Installer is transactional, but combined with NTFS and installer processes is not fully: do more C:\Config.msi vulnerabilities exist? (plus a truckload of information on Windows SIDs)

Over the last years a few C:\Windows.msi vulnerabilities have been discovered (and fixed), of which some are linked below.

The core is that the Windows Installer tries to be transactional, and NTFS is, but the combination with installer processes isn’t.

That leads into vulnerabilities where you can insert malicious Roll Back Scripts (.rbs files) and Roll Back Files (.rbf files), and I wonder if by now more have been discovered.

So this post is a kind of reminder to myself (:

Oh, and I learned much more about whoami on Windows, as there whoami /groups shows very detailed SID information. From that, I learned more on the internals of SIDs too!

2022:
- [Wayback/Archive] Wh04m1001/IFaultrepElevatedDataCollectionUAC
  PoC for UAC bypass using arbitrary file delete in auto-elevated IFaultrepElevatedDataCollection COM object. Arbitrary file delete is abused to get SYSTEM shell using method described here
  - [Wayback/Archive] Zero Day Initiative — Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks
  - [Wayback/Archive] IFaultrepElevatedDataCollectionUAC/Project1/Project1 at main · Wh04m1001/IFaultrepElevatedDataCollectionUAC
- [Wayback/Archive] PoC/FilesystemEoPs at master · thezdi/PoC (which embeds a video showing the exploit which taught me about whoami /groups, see below)
- [Wayback/Archive] How can I develop my .rbs file? · Issue #1 · Wh04m1001/IFaultrepElevatedDataCollectionUAC
  I used Advanced Installer to create MSI and RBS file. You may want to change Execute=”deferred” to Execute=”rollback”? I didnt use wix so not very familiar with it.
  - [Wayback/Archive] Free Windows Installer – MSI Installer Tool – Advanced Installer
2019:

Via [Wayback/Archive] Nicolas Krassas on Twitter: “PoC for UAC bypass using arbitrary file delete in auto-elevated IFaultrepElevatedDataCollection COM object. Arbitrary file delete is abused to get SYSTEM shell using method described here …”.

whoami /groups

I never knew that whoami had parameters, so I was glad the above links taught me about whomai /groups which not only shows you the groups, but also their SIDs (security identifiers).

On my system, these are distinctly different from a normal user, an administrator user without an elevation token and an administrative user with an elevation token.

The full lists are further on and contain any of these groups sorted by SID:

Group Name                                                    Type             SID          Attributes============================================================= ================ ============ ===============================================================Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled groupLOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled groupCONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\REMOTE INTERACTIVE LOGON                         Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group/Group used for deny onlyNT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled groupBUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner/Group used for deny onlyBUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled groupBUILTIN\Remote Desktop Users                                  Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled groupMandatory Label\Medium Mandatory Level                        Label            S-1-16-8192Mandatory Label\High Mandatory Level                          Label            S-1-16-12288============================================================= ================ ============ ===============================================================

I did this sorting because it makes more clear that the SIDs are divided into groups (or types) which are explained in these articles:

[Wayback/Archive] SID Components – Win32 apps | Microsoft Learn
A SID value includes components that provide information about the SID structure and components that uniquely identify a trustee. A SID consists of the following components:
- The revision level of the SID structure
- A 48-bit identifier authority value that identifies the authority that issued the SID
- A variable number of subauthority or relative identifier (RID) values that uniquely identify the trustee relative to the authority that issued the SID
… visualize their components:
S-R-I-S…
In this notation, the literal character “S” identifies the series of digits as a SID, R is the revision level, I is the identifier-authority value, and S… is one or more subauthority values.
The following example uses this notation to display the well-known domain-relative SID of the local Administrators group:
S-1-5-32-544
In this example, the SID has the following components. The constants in parentheses are well-known identifier authority and RID values defined in Winnt.h:
- A revision level of 1
- An identifier-authority value of 5 (SECURITY_NT_AUTHORITY)
- A first subauthority value of 32 (SECURITY_BUILTIN_DOMAIN_RID)
- A second subauthority value of 544 (DOMAIN_ALIAS_RID_ADMINS)

[Wayback/Archive] SID (winnt.h) – Win32 apps | Microsoft Learn

typedef struct _SID {  BYTE                     Revision;  BYTE                     SubAuthorityCount;  SID_IDENTIFIER_AUTHORITY IdentifierAuthority;#if ...  DWORD                    *SubAuthority[];#else  DWORD                    SubAuthority[ANYSIZE_ARRAY];#endif} SID, *PISID;

[Wayback/Archive] Well-known SIDs – Win32 apps | Microsoft Learn
Well-known security identifiers (SIDs) identify generic groups and generic users. For example, there are well-known SIDs to identify the following groups and users:
- Everyone or World, which is a group that includes all users.
- CREATOR_OWNER, which is used as a placeholder in an inheritable ACE. When the ACE is inherited, the system replaces the CREATOR_OWNER SID with the SID of the object’s creator.
- The Administrators group for the built-in domain on the local computer.
There are universal well-known SIDs, which are meaningful on all secure systems using this security model, including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows systems.
…
The Windows API defines a set of constants for well-known identifier authority and relative identifier (RID) values. You can use these constants to create well-known SIDs. The following example combines the SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID constants to show the universal well-known SID for the special group representing all users (Everyone or World):
S-1-1-0
This example uses the string notation for SIDs in which S identifies the string as a SID, the first 1 is the revision level of the SID, and the remaining two digits are the SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID constants.
…
The remainder of this section contains tables of well-known SIDs and tables of identifier authority and subauthority constants that you can use to build well-known SIDs.
…
Following the above is a set of tables that explain the various subsets under S-1-1-(World or SECURITY_WORLD_SID_AUTHORITY), S-1-2-(Local or SECURITY_LOCAL_SID_AUTHORITY), S-1-5- (SECURITY_NT_AUTHORITY), and S-1-16- (Mandatory Label). The latter is used for elevation tokens including from UAC user account control elevation from a regular token to administrative token, and usually is in multiples of 4096 decimal (I added the decimal values in parenthesis in this table):
The following RIDs are used to specify mandatory integrity level.
RIDValueIdentifiesSECURITY_MANDATORY_UNTRUSTED_RID0x00000000(0)Untrusted.SECURITY_MANDATORY_LOW_RID0x00001000(4096)Low integrity.SECURITY_MANDATORY_MEDIUM_RID0x00002000(8192)Medium integrity.SECURITY_MANDATORY_MEDIUM_PLUS_RIDSECURITY_MANDATORY_MEDIUM_RID + 0x100(8448)Medium high integrity.SECURITY_MANDATORY_HIGH_RID0X00003000(12288)High integrity.SECURITY_MANDATORY_SYSTEM_RID0x00004000(16384)System integrity.SECURITY_MANDATORY_PROTECTED_PROCESS_RID0x00005000(20480)Protected process.
From there, you can understand that a regular user has S-1-16-8192 (Mandatory Label\High Mandatory), and an elevate user has S-1-16-12288 (Mandatory Label\High Mandatory).
There is one missing entry in this table for S-1-16-28672 (SECURITY_MANDATORY_SECURE_PROCESS_RID or ML_SECURE_PROCESS) with value 0x00007000 (skipping 0x00006000!) of this which the latter is documented in the last link in this list. It seems to have been introduced in Windows 10, but I have no idea which Windows processes actually uses it.
At the time of writing, [Wayback/Archive] SECURITY_MANDATORY_SECURE_PROCESS_RID – Google Search returns just two links
1. 1. [Wayback/Archive] operating system objects. Part 3: Level of Integrity
    But with the release of Windows 10, another level of integrity appeared – Secure Process (the highest at the moment).
    What it is? In a nutshell, it is a virtual machine consisting of Core Isolation and Memory Integrity.
    Windows uses hardware virtualization features to create a protected area of system memory that is isolated from the normal operating system.
    This protects the operating system processes from unauthorized access to anything outside the secure zone.
    Even if the malware uses an exploit that should allow these Windows processes to be compromised, virtualization is an additional layer of protection that isolates them from attacks.
    Memory integrity is a feature that is a subset of kernel isolation.
    Windows typically requires digital signatures for device drivers and other code that runs in low-level OS kernel mode.
    When Memory Integrity is enabled, the Code Integrity Service in Windows runs inside a hypervisor-protected container created by kernel isolation.
    This should make it nearly impossible for malware to gain access to the OS kernel.
    In Windows 10 and newer operating systems, the virtual machine has its own separate kernel – securekernel.exe (located in the System32 folder),
    as well as an initialization host – secinit.exe (like wininit.exe for session 0, and winlogon.exe->userinit .exe for session 1),
    and its code integrity module – skci.dll (as ci.dll for a normal kernel).
    A very good article about a new type of HyperGuard protection (just the very core securekernel.exe) was published on January 1st.
    Those who are interested can read
    [Wayback/Archive] HyperGuard – Secure Kernel Patch Guard: Part 1 – SKPG Initialization
    [Wayback/Archive] HyperGuard – Secure Kernel Patch Guard: Part 2 – SKPG Extents
    [Wayback/Archive] HyperGuard – Secure Kernel Patch Guard: Part 3 – More SKPG Extents
    The Secure Process integrity level looks like this:
    The code:
```
SID: S-1-16-28672Value: 0x00007000LSymbol: ML_SECURE_PROCESSRID Label: SECURITY_MANDATORY_SECURE_PROCESS_RIDDescription: A secure process integrity levelUsage: Included in a token for protected processes, new for Windows 10
```
    The logic of the Integrity Level is as follows: a process with a smaller RID cannot access the ACL of a process with a larger RID.
    Processes started by a normal user (including an administrator) receive a medium integrity level (S-1-16-8192).
    And processes launched through UAC with administrator rights – high integrity level (S-1-16-12288).
    One interesting rule that Microsoft left in order to control the OS should be mentioned here (after all, without access to the system, control over the OS will be completely lost).
    As you can see, RID rises in increments of 0x1000. This step must be increased evenly.
    But here’s what’s unusual: SID S-1-16-28672 is defined as 0x7000 and with respect to SID S-1-16-20480 it’s two steps.
    Here, either there is some kind of SID hidden from prying eyes, or Microsoft has deliberately prohibited absolutely any access to safe processes.
  2. [Wayback/Archive] Windows Security Monitoring: Scenarios and Patterns – Andrei Miroshnikov – Google Books
    Table 12-3: Windows Process Integrity Labels
    SIDNAMEUSE EXAMPLES-1-16- 0SECURITY_MANDATORY_UNTRUSTED_RID
    (Mandatory Label Untrusted Mandatory Level)Processes started by Anonymous accountS-1-16- 4096SECURITY_MANDATORY_LOW_RID
    (Mandatory Label Low Mandatory Level)Internet Explorer Protected Mode process or
    AppContainer processS-1-16- 8192SECURITY_MANDATORY_MEDIUM_RID
    (Mandatory Label\Medium Mandatory Level)Process for regular applications with enabled
    UACS-1-16- 8448SECURITY_MANDATORY_MEDIUM_PLUS_RIDCan be used as a priority between medium and
    highS-1-16- 12288SECURITY_MANDATORY_HIGH_RID
    (Mandatory Label\High Mandatory Level)Applications executed with UAC elevationS-1-16- 16384SECURITY_MANDATORY_SYSTEM_RID
    (Mandatory Label System Mandatory Level)Services or system applications, such as
    Winlogon and WininitS-1-16- 20480SECURITY_MANDATORY_PROTECTED_PROCESS_RIDIncluded in a token for protected processesS-1-16- 28672SECURITY_MANDATORY_SECURE_PROCESS_RIDIncluded in a token for protected processes, new
    for Windows 10
Then it continues with a large table with RIDs(like 545 or 0x00000221) to build NT_AUTHORITY SIDs(like S-1-5-32-545).
At the time of writing, like SECURITY_MANDATORY_SECURE_PROCESS_RID, also [Wayback/Archive] “ML_SECURE_PROCESS” – Google Search returns few results, of which the just two Microsoft documentation pages:
- [Wayback/Archive] [MS-DTYP]: Well-Known SID Structures | Microsoft Learn has the most comprehensive table of SID values, including
  ML_SECURE_PROCESS
  S-1-16-28672
  A secure process integrity level.<36>
- [Wayback/Archive] [MS-DTYP]: Appendix B: Product Behavior | Microsoft Learn which includes
  <36> Section 2.4.2.4: The ML_SECURE_PROCESS SID is not supported in Windows NT, Windows 2000, Windows XP, or Windows Server 2003.

The summary able of users, local/remote and non-elevated/elevated permutations is this:

Non-elevatedElevatedLocal regular

Group Name                             Type             SID          Attributes====================================== ================ ============ ==================================================Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled groupBUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled groupCONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled groupLOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled groupMandatory Label\Medium Mandatory Level Label            S-1-16-8192

Local administrator

Group Name                                                    Type             SID          Attributes============================================================= ================ ============ ==================================================Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny onlyBUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny onlyBUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled groupCONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled groupLOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled groupMandatory Label\Medium Mandatory Level                        Label            S-1-16-8192

Group Name                                                    Type             SID          Attributes============================================================= ================ ============ ===============================================================Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled groupBUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group ownerBUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled groupCONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled groupLOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled groupMandatory Label\High Mandatory Level                          Label            S-1-16-12288

Remote regular

Group Name                             Type             SID          Attributes====================================== ================ ============ ==================================================Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled groupBUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled groupBUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\REMOTE INTERACTIVE LOGON  Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled groupLOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled groupMandatory Label\Medium Mandatory Level Label            S-1-16-8192

Remote administrator

Group Name                                                    Type             SID          Attributes============================================================= ================ ============ ==================================================Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny onlyBUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny onlyBUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\REMOTE INTERACTIVE LOGON                         Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled groupLOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled groupMandatory Label\Medium Mandatory Level                        Label            S-1-16-8192

Group Name                                                    Type             SID          Attributes============================================================= ================ ============ ===============================================================Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled groupBUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group ownerBUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\REMOTE INTERACTIVE LOGON                         Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled groupLOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled groupMandatory Label\High Mandatory Level                          Label            S-1-16-12288

Normal user logged in locally through the console

GROUP INFORMATION-----------------Group Name                             Type             SID          Attributes====================================== ================ ============ ==================================================Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled groupBUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled groupCONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled groupLOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled groupMandatory Label\Medium Mandatory Level Label            S-1-16-8192

Normal user logged in remotely

GROUP INFORMATION-----------------Group Name                             Type             SID          Attributes====================================== ================ ============ ==================================================Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled groupBUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled groupBUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\REMOTE INTERACTIVE LOGON  Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled groupLOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled groupMandatory Label\Medium Mandatory Level Label            S-1-16-8192

Administrative user logged on locally through the console without elevation token

GROUP INFORMATION-----------------Group Name                                                    Type             SID          Attributes============================================================= ================ ============ ==================================================Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny onlyBUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny onlyBUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled groupCONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled groupLOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled groupMandatory Label\Medium Mandatory Level                        Label            S-1-16-8192

Administrative user logged on locally through the console with elevation token

GROUP INFORMATION-----------------Group Name                                                    Type             SID          Attributes============================================================= ================ ============ ===============================================================Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled groupBUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group ownerBUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled groupCONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled groupLOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled groupMandatory Label\High Mandatory Level                          Label            S-1-16-12288

Administrative user logged on remotely without elevation token

GROUP INFORMATION-----------------Group Name                                                    Type             SID          Attributes============================================================= ================ ============ ==================================================Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny onlyBUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny onlyBUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\REMOTE INTERACTIVE LOGON                         Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled groupLOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled groupMandatory Label\Medium Mandatory Level                        Label            S-1-16-8192

Administrative user logged on remotely with elevation token

GROUP INFORMATION-----------------Group Name                                                    Type             SID          Attributes============================================================= ================ ============ ===============================================================Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled groupBUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group ownerBUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\REMOTE INTERACTIVE LOGON                         Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled groupLOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled groupNT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled groupMandatory Label\High Mandatory Level                          Label            S-1-16-12288

--jeroen

#1 #else #endif #if

@jaromil Same error. If I don't run the init-assets.sh manually I get the no rule to make assets.o error, if I do run it I get syntax errors because the assets.h file has no #endif ... not sure why this is happening at all :( Ah well.

@jaromil Ran it manually, and it generated a file with the #ifndef __ASSETS_H__ #def __ASSETS_H__ and nothing else in the file, which causes a different error. I'm on Arch, have quite a bit of experience compiling code from various projects, but I don't know enough about the build process here to figure out why it's making essentially a blank file (with no #endif)

fucking hell winspool.h:

#ifdef UNICODE
#define AddJob AddJobW
#else
#define AddJob AddJobA
#endif // !UNICODE

Jolt defines a class method called...
virtual void AddJob(const JobHandle &inJob) override;

guess some ordering got re-arranged and now my shit is conflicting

@RustyCrab @prettygood

/* Exit with a status code indicating success.
   Copyright (C) 1999-2025 Free Software Foundation, Inc.

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <https://www.gnu.org/licenses/>.  */

#include <config.h>
#include <stdio.h>
#include <sys/types.h>
#include "system.h"

/* Act like "true" by default; false.c overrides this.  */
#ifndef EXIT_STATUS
# define EXIT_STATUS EXIT_SUCCESS
#endif

#if EXIT_STATUS == EXIT_SUCCESS
# define PROGRAM_NAME "true"
#else
# define PROGRAM_NAME "false"
#endif

#define AUTHORS proper_name ("Jim Meyering")

void
usage (int status)
{
  printf (_("\
Usage: %s [ignored command line arguments]\n\
  or:  %s OPTION\n\
"),
          program_name, program_name);
  printf ("%s\n\n",
          _(EXIT_STATUS == EXIT_SUCCESS
            ? N_("Exit with a status code indicating success.")
            : N_("Exit with a status code indicating failure.")));
  fputs (HELP_OPTION_DESCRIPTION, stdout);
  fputs (VERSION_OPTION_DESCRIPTION, stdout);
  printf (USAGE_BUILTIN_WARNING, PROGRAM_NAME);
  emit_ancillary_info (PROGRAM_NAME);
  exit (status);
}

int
main (int argc, char **argv)
{
  /* Recognize --help or --version only if it's the only command-line
     argument.  */
  if (argc == 2)
    {
      initialize_main (&argc, &argv);
      set_program_name (argv[0]);
      setlocale (LC_ALL, "");
      bindtextdomain (PACKAGE, LOCALEDIR);
      textdomain (PACKAGE);

      /* Note true(1) will return EXIT_FAILURE in the
         edge case where writes fail with GNU specific options.  */
      atexit (close_stdout);

      if (STREQ (argv[1], "--help"))
        usage (EXIT_STATUS);

      if (STREQ (argv[1], "--version"))
        version_etc (stdout, PROGRAM_NAME, PACKAGE_NAME, Version, AUTHORS,
                     (char *) nullptr);
    }

  return EXIT_STATUS;
}

#C
经常在一些厂家SDK看到有变量define在header里
为了防止重复linker还特意加了
#ifndef __XXXXX_C
extern .....;
#else
.....;
#endif
这是为了什么呢

vim % on `#if` `#else` `#endif` is so helpful.

#if _FP_W_TYPE_SIZE < 32
#error "Here's a nickel kid. Go buy yourself a real computer."
#endif
-- linux/arch/sparc64/double.h

External Versioning in GCC: Defining Project Versions Without Modifying Source Code

I was experimenting with gcc linker and how I could define the version of my project externally. The idea is to have a version bump procedure, but without needing to modify source code for just a version. So assuming we have this file named test.c: #include #ifndef VERSION #define VERSION "default" #endif int main(){ printf(VERSION); } Enter fullscreen mode …

https://devnews.tech/external-versioning-in-gcc-defining-project-versions-without-modifying-source-code/?utm_source=mastodon&utm_medium=jetpack_social

@libreleah @mkukri

Both Heads and lbmk permit to apply patches on top of a coreboot fork.

The difference between the two here is that lbmk builds the tree, clean, for each boards, where Heads applies the patches to a fork once, and each board reuses fork build artifacts;, building board specifics in a board specific artifact directory. That permits crossgcc, being the buildstack of each coreboot fork version to be built once, and also repro build issues upstream, economizing both disk space, cpu resource for user and CI.

In Heads goal of building fully functional roms, CI can build and stitch reproducible roms for each commit for end users to download directly from CI, for each commit, and see if a comit broke a built, for each commit. CI cache is reused, so that we don't waste CI resources either.

In the case of t480, the patch was made with lbmk in mind, not coreboot nor Heads, and breaks other thinkpads in coreboot upstream, trying to not only build for t480 but make sure t480 patchset doesn't break other boards. In this case, it breaks all other thinkpads, so prevent Heads from merging the PR. What you propose here is for libreboot and Heads to maintain a patchset not merged upstream; it might suit libreboot mindset, being more bleeding edge, and minifree, selling the t480, but not Heads. Heads tries to stay as close as possible to upstream forks, and pushes upstream projects to merge patches. Its long, not easy, but the right thing to do. The patches stays in a patch dir for everyone to see, per software version. In this case, patches/coreboot-24.12/*

I tried to apply the following patch without success instead of commenting thermal.asl

+diff --git a/src/ec/lenovo/h8/acpi/ec.asl b/src/ec/lenovo/h8/acpi/ec.asl
+index bc54d3b..a0408c8 100644
+--- a/src/ec/lenovo/h8/acpi/ec.asl
++++ b/src/ec/lenovo/h8/acpi/ec.asl
+@@ -331,7 +331,13 @@ Device(EC)
+ #include "sleepbutton.asl"
+ #include "lid.asl"
+ #include "beep.asl"
++
++#ifndef CONFIG_BOARD_LENOVO_T480
+ #include "thermal.asl"
++#else
++//#include "thermal.asl"
++#endif
++
+ #include "systemstatus.asl"
+ #include "thinkpad.asl"
+ }

Other non t480 fail to build, and I have no more time to spend on this. The community is interested, tried to reach libreboot and were seen as spammers.

Please fix your patchset upstream. People saw the t480 being "supported by coreboot" in a talk. People didn't understand it was a WiP patchset under coreboot. And here we are. 24.12 was december 2024 "release", there will be another one in 25.03... I do not have time to maintain patches on top of patches, Leah. My focus is not to be a coreboot distribution. My focus is to deliver reproducible roms to users needing accessible security, and improve that UX. There is no grub/seabios under Heads, my focus is to make upstream do the right thing and participate upstream, and make contributors participate upstream. Here, you stated loud and clear tha libreboot comes first before coreboot, I respect that. But the t480 patchset is the one too from upstream. That upstream patch needs to build, and then will be merged and then you won't have to maintain it either. And others will fix audio issues, nvidia etc. Otherwise its silo work, and i'm not interested in that anymore

---

Yes, there is different coreboot forks specified in a central place: modules/coreboot.

And there, the buildsystem says if it can reuse crossgcc of another fork to fasten builds for each commit. The idea here is that the user building one board, or multiple boards will get the same result, but CI building multiple boards based on the same fork will speed up builds massively.

d16 will move to fam15h fork from other community effort. I mentor now, I don't try to do everything myself. Just as here, trying tto collaborate with you so you fix what was brought up upstream. But up to now, you are upstream for t480.

The goal here was not to compare our buildsystems, simply stating that the patchset upstream will never be merged if it causes regressions building other boards. Libreboot can do what it wants, but needs to respect how coreboot works. Their CI does the same, and make sure that building a commit for a board won't break others. In current case, it breaks others and needs to be updated.

This needs to be fixed upstream at https://review.coreboot.org/c/coreboot/+/83274

#if 0
たぬき
#endif

ibus-1.5.32-beta2/portal/ibus-portal-dbus.c
と
ibus-1.5.32-rc1/portal/ibus-portal-dbus.c
で
- g_variant_builder_init (&builder, G_VARIANT_TYPE ("a{sv}"));
+#if GLIB_VERSION_MAX_ALLOWED >= GLIB_VERSION_2_84
+ g_variant_builder_init_static (&builder, G_VARIANT_TYPE ("a{sv}"));
+#else
+ g_variant_builder_init(&builder, G_VARIANT_TYPE ("a{sv}"));
+#endif
という差分があってここでコケているっぽいが、これが github には入ってなくて生成ファイルっぽい？
よくわからん設定やめて

Good news: there's code for it:

#ifndef ZAHL
#define ZAHL 0
#endif

Bad news: XOR-ing a value with 0 isn't going to help. It's a NOP.

And it's intentional, for example:

ts ^= ZAHL; /* hehe */

I can’t reverse engineer the real value of ZAHL without knowing the original timestamp.

It might be possible to do an exhaustive search, but time_t is a long long and my time is short short.

So no blog.fefe.de for Tapestry. Sorry!

3/3

#endif

Client Info