kern: add an option for preserving the early kenv

Some downstream configurations do not store secrets in the
early (loader/static) environments and desire a way to preserve these
for diagnostic reasons.  Provide an option to do so.

Reviewed by:	imp, jhb (earlier version)
Differential Revision:	https://reviews.freebsd.org/D30834

2 files changed, 12 insertions, 0 deletions

diff --git a/sys/conf/options b/sys/conf/options
index 882460fbf35b..774850158221 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -1021,3 +1021,11 @@ IICHID_DEBUG	opt_hid.h
 IICHID_SAMPLING	opt_hid.h
 HKBD_DFLT_KEYMAP	opt_hkbd.h
 HIDRAW_MAKE_UHID_ALIAS	opt_hid.h
+
+# kenv options
+# The early kernel environment (loader environment, config(8)-provided static)
+# is typically cleared after the dynamic environment comes up to ensure that
+# we're not inadvertently holding on to 'secret' values in these stale envs.
+# This option is insecure except in controlled environments where the static
+# environment's contents are known to be safe.
+PRESERVE_EARLY_KENV	opt_global.h
diff --git a/sys/kern/kern_environment.c b/sys/kern/kern_environment.c
index 54992e6594ed..8dc345559e95 100644
--- a/sys/kern/kern_environment.c
+++ b/sys/kern/kern_environment.c
@@ -365,7 +365,11 @@ init_dynamic_kenv_from(char *init_env, int *curpos)
 			kenvp[i] = malloc(len, M_KENV, M_WAITOK);
 			strcpy(kenvp[i++], cp);
 sanitize:
+#ifdef PRESERVE_EARLY_KENV
+			continue;
+#else
 			explicit_bzero(cp, len - 1);
+#endif
 		}
 		*curpos = i;
 	}