HBSD: Incorporate select changes from a French firewall vendor

Though this commit isn't tested, this brings in some select changes from a French firewall vendor. In this commit, I've made their changes generic such that anyone basing their work on this can do so with minimal changes downstream. I'm 100% sure further refinement is necessary. However, this provides a good starting place for further testing and refinement. As we (at ${DAYJOB}, the sponsor of this work) work on integration with the other repositories, we'll likely find things to clean up or bugs to fix. This is the first commit in the hardened/13-stable/blackhawk feature branch. Forward-porting to 14-CURRENT and eventual integration of a few things into the respective master branches (currently: hardened/current/master and hardened/13-stable/master) will happen once we work out those finer details. An example of what could be merged into master is the pkgbase work. Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org> Sponsored-by: BlackhawkNest, Inc

HBSD: Incorporate select changes from a French firewall vendor
Though this commit isn't tested, this brings in some select changes from a French firewall vendor. In this commit, I've made their changes generic such that anyone basing their work on this can do so with minimal changes downstream. I'm 100% sure further refinement is necessary. However, this provides a good starting place for further testing and refinement. As we (at ${DAYJOB}, the sponsor of this work) work on integration with the other repositories, we'll likely find things to clean up or bugs to fix. This is the first commit in the hardened/13-stable/blackhawk feature branch. Forward-porting to 14-CURRENT and eventual integration of a few things into the respective master branches (currently: hardened/current/master and hardened/13-stable/master) will happen once we work out those finer details. An example of what could be merged into master is the pkgbase work. Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org> Sponsored-by: BlackhawkNest, Inc
02d42f45 · Shawn Webb · 862ea04b · 02d42f45 · 02d42f45 · 02d42f45
Commit 02d42f45 authored Feb 14, 2022 by Shawn Webb
--- a/Makefile.inc1
+++ b/Makefile.inc1
@@ -530,7 +530,7 @@ OSRELDATE=	0
 .endif

 # Set VERSION for CTFMERGE to use via the default CTFFLAGS=-L VERSION.
-.for _V in BRANCH REVISION
+.for _V in BRANCH REVISION VENDOR_VERSION
 .if !defined(_${_V})
 _${_V}!=	eval $$(awk '/^${_V}=/{print}' ${SRCTOP}/sys/conf/newvers.sh); echo $$${_V}
 .export _${_V}
@@ -550,7 +550,11 @@ VERSION=	FreeBSD ${_REVISION}-${_BRANCH:C/-p[0-9]+$//} ${TARGET_ARCH} ${SRCRELDA
 _STRTIMENOW=	%Y%m%d%H%M%S
 _TIMENOW=	${_STRTIMENOW:gmtime}
 .if ${_BRANCH:MCURRENT*} || ${_BRANCH:MSTABLE*} || ${_BRANCH:MPRERELEASE*}
+.if defined(VENDOR_VERSION)
+_REVISION:=	${_VENDOR_VERSION:R}
+.else
 _REVISION:=	${_REVISION:R}
+.endif
 EXTRA_REVISION=	.snap${_TIMENOW}
 .elif ${_BRANCH:MALPHA*}
 EXTRA_REVISION=	.a${_BRANCH:C/ALPHA([0-9]+).*/\1/}.${_TIMENOW}
@@ -1870,7 +1874,11 @@ packagekernel: .PHONY
 .endif

 stagekernel: .PHONY
+.if ${BUILDKERNELS:[#]} == 1
+	${_+_}${MAKE} -C ${.CURDIR} ${.MAKEFLAGS} distributekernel INSTKERNNAME=kernel.${KERNCONF}
+.else
 	${_+_}${MAKE} -C ${.CURDIR} ${.MAKEFLAGS} distributekernel
+.endif

 PORTSDIR?=	/usr/ports
 WSTAGEDIR?=	${OBJTOP}/worldstage
@@ -1931,6 +1939,9 @@ real-update-packages: stage-packages .PHONY
 .else
 	@echo "==> Checking for new packages (comparing ${PKG_VERSION} to ${PKG_VERSION_FROM})"
 	@for pkg in ${PKG_VERSION_FROM_DIR}/${PKG_NAME_PREFIX}-*; do \
+	  if [ "${PKG_VERSION}" == "${PKG_VERSION_FROM}" ]; then \
+	    continue; \
+	  fi ; \
 	  pkgname=$$(pkg query -F $${pkg} '%n' | sed 's/${PKG_NAME_PREFIX}-\(.*\)/\1/') ; \
 	  newpkgname=${PKG_NAME_PREFIX}-$${pkgname}-${PKG_VERSION}.pkg ; \
 	  oldsum=$$(pkg query -F $${pkg} '%X') ; \
@@ -2035,7 +2046,7 @@ create-kernel-packages-flavor${flavor:C,^""$,${_default_flavor},}: _pkgbootstrap
 		-v kernel=yes -v _kernconf=${INSTALLKERNEL} ; \
 	sed -e "s/%VERSION%/${PKG_VERSION}/" \
 		-e "s/%PKGNAME%/kernel-${INSTALLKERNEL:tl}${flavor}/" \
-		-e "s/%KERNELDIR%/kernel/" \
+		-e "s/%KERNELDIR%/kernel.${INSTALLKERNEL}/" \
 		-e "s/%COMMENT%/FreeBSD ${INSTALLKERNEL} kernel ${flavor}/" \
 		-e "s/%DESC%/FreeBSD ${INSTALLKERNEL} kernel ${flavor}/" \
 		-e "s/ %VCS_REVISION%/${VCS_REVISION}/" \

--- a/bin/Makefile
+++ b/bin/Makefile
@@ -38,7 +38,8 @@ SUBDIR= cat \
 	stty \
 	sync \
 	test \
-	uuidgen
+	uuidgen \
+	vendor-version

 SUBDIR.${MK_SENDMAIL}+=	rmail
 SUBDIR.${MK_TCSH}+=	csh

--- a/bin/vendor-version/Makefile
+++ b/bin/vendor-version/Makefile
+# $FreeBSD$
+
+PACKAGE=runtime
+SCRIPTS= vendor-version
+MAN=
+CLEANFILES = vendor-version vendor-version.sh
+NEWVERS = ${SRCTOP}/sys/conf/newvers.sh
+
+vendor-version.sh: ${.CURDIR}/vendor-version.sh.in
+	eval $$(sh ${NEWVERS} -v); \
+	if ! sed -e "\
+			s/@@TYPE@@/$${TYPE}/g; \
+			s/@@REVISION@@/$${REVISION}/g; \
+			s/@@BRANCH@@/$${BRANCH}/g; \
+			s/@@VENDOR_VERSION@@/$${VENDOR_VERSION}/g; \
+		" ${.CURDIR}/vendor-version.sh.in >${.TARGET} ; then \
+		rm -f ${.TARGET} ; \
+		exit 1 ; \
+	fi
+
+.include <bsd.prog.mk>
--- a/bin/vendor-version/vendor-version.sh.in
+++ b/bin/vendor-version/vendor-version.sh.in
+#!/bin/sh
+
+set -e
+
+VENDOR_VERSION="@@VENDOR_VERSION@@"
+
+echo ${VENDOR_VERSION}
--- a/libexec/rc/rc
+++ b/libexec/rc/rc
@@ -38,6 +38,10 @@
 # first before contemplating any changes here.  If you do need to change
 # this file for some reason, we would like to know about it.

+if [ -f /usr/local/etc/rc ]; then
+	exec /usr/local/etc/rc
+fi
+
 stty status '^T' 2> /dev/null

 # Set shell to ignore SIGINT (2), but not children;

--- a/release/Makefile
+++ b/release/Makefile
@@ -24,6 +24,8 @@
 #  NOPKG:    if set, do not distribute third-party packages
 #  NOPORTS:  if set, do not distribute ports tree
 #  NOSRC:    if set, do not distribute source tree
+#  NODOC:    if set, do not generate release documentation
+#  WITH_PKGBASE:  if set, produce a pkgbase release image
 #  WITH_DVD: if set, generate dvd1.iso
 #  WITH_COMPRESSED_IMAGES: if set, compress installation images with xz(1)
 #		(uncompressed images are not removed)
@@ -38,6 +40,8 @@ WORLDDIR?=	${.CURDIR}/..
 PORTSDIR?=	/usr/ports
 RELNOTES_LANG?= en_US.ISO8859-1
 KERNCONF?=	HARDENEDBSD
+REPODIR?=	${OBJROOT}repo
+VENDORNAME=	HardenedBSD

 .if !defined(TARGET) || empty(TARGET)
 TARGET=		${MACHINE}
@@ -54,7 +58,7 @@ DISTDIR=	dist

 # Define OSRELEASE by using newvers.sh
 .if !defined(OSRELEASE) || empty(OSRELEASE)
-.for _V in TYPE BRANCH REVISION
+.for _V in TYPE BRANCH REVISION VENDOR_VERSION
 ${_V}!=	eval $$(awk '/^${_V}=/{print}' ${.CURDIR}/../sys/conf/newvers.sh); echo $$${_V}
 .endfor
 .for _V in ${TARGET_ARCH}
@@ -131,8 +135,7 @@ base.txz:

 kernel.txz:
 	mkdir -p ${DISTDIR}
-	cd ${WORLDDIR} && ${IMAKE} distributekernel packagekernel \
-		DISTDIR=${.OBJDIR}/${DISTDIR} KERNCONF=${KERNCONF}
+	cd ${WORLDDIR} && ${IMAKE} distributekernel packagekernel DISTDIR=${.OBJDIR}/${DISTDIR} KERNCONF=${KERNCONF}
 	mv ${DISTDIR}/kernel*.txz .

 src.txz:
@@ -151,38 +154,107 @@ ports.txz:
 	    --exclude 'usr/ports/INDEX*' --exclude work usr/ports | \
 	    ${XZ_CMD} > ${.OBJDIR}/ports.txz

+reldoc:
+	cd ${DOCDIR}/en_US.ISO8859-1/htdocs/releases/${REVISION}R && \
+	    env MAN4DIR=${WORLDDIR}/share/man/man4 \
+	    SVN=${SVN} \
+	    _BRANCH=${BRANCH} \
+	    ${MAKE} all install clean "FORMATS=html txt" \
+	    INSTALL_COMPRESSED='' URLS_ABSOLUTE=YES DOCDIR=${.OBJDIR}/rdoc \
+	    WEBDIR=${DOCDIR} DESTDIR=${.OBJDIR}/rdoc
+	mkdir -p reldoc
+.for i in hardware readme relnotes errata
+	ln -f ${.OBJDIR}/rdoc/${i:tl}.txt \
+		reldoc/${i:tu}.TXT
+	ln -f ${.OBJDIR}/rdoc/${i:tl}.html \
+		reldoc/${i:tu}.HTML
+.endfor
+	cp ${.OBJDIR}/rdoc/docbook.css \
+		reldoc/
+
+REPONAME!=${PKG_CMD} -o ABI_FILE=${OBJROOT}${TARGET}.${TARGET_ARCH}/usr.bin/uname/uname config abi
+
 disc1: packagesystem
 # Install system
 	mkdir -p ${.TARGET}
-	cd ${WORLDDIR} && ${IMAKE} installworld installkernel distribution \
+.if defined(WITH_PKGBASE)
+# TODO : We need to switch to create the installer data from the pkgs
+	cd ${WORLDDIR} && ${IMAKE} installkernel installworld distribution \
+	    DESTDIR=${.OBJDIR}/${.TARGET} INSTKERNNAME=kernel.${KERNCONF} MK_AMD=no MK_AT=no \
+	    MK_INSTALLLIB=no MK_LIB32=no MK_MAIL=no \
+	    MK_TOOLCHAIN=no MK_PROFILE=no \
+	    MK_RESCUE=no MK_DICT=no \
+	    MK_KERNEL_SYMBOLS=no MK_TESTS=no MK_DEBUG_FILES=no \
+	    -DDB_FROM_SRC
+.else
+	cd ${WORLDDIR} && ${IMAKE} installkernel installworld distribution \
+	    KERNCONF=${KERNCONF} \
 	    DESTDIR=${.OBJDIR}/${.TARGET} MK_AT=no \
 	    MK_INSTALLLIB=no MK_LIB32=no MK_MAIL=no \
 	    MK_TOOLCHAIN=no MK_PROFILE=no \
 	    MK_RESCUE=no MK_DICT=no \
 	    MK_KERNEL_SYMBOLS=no MK_TESTS=no MK_DEBUG_FILES=no \
 	    -DDB_FROM_SRC
+.endif
 # Copy distfiles
 	mkdir -p ${.TARGET}/usr/freebsd-dist
+.if defined(WITH_PKGBASE)
+	mkdir ${.TARGET}/usr/freebsd-dist/${REPONAME}/
+	cp -RH ${REPODIR}/${REPONAME}/latest ${.TARGET}/usr/freebsd-dist/${REPONAME}/
+	rm ${.TARGET}/usr/freebsd-dist/${REPONAME}/latest/*-dev*
+	pkg repo ${.TARGET}/usr/freebsd-dist/${REPONAME}/latest/
+	mkdir -p ${.TARGET}/usr/freebsd-dist/${VENDORNAME}/All
+	echo "${VENDOR_PORTS_LIST}" | xargs -I@ sh -c "cp -RH ${VENDOR_REPODIR}/@ ${.TARGET}/usr/freebsd-dist/${VENDORNAME}/All"
+	cp -RH "${VENDOR_REPODIR}/Latest" "${.TARGET}/usr/freebsd-dist/${VENDORNAME}/"
+	pkg repo ${.TARGET}/usr/freebsd-dist/${VENDORNAME}/
+# Install pkg, we need to set SRCCONF to /dev/null in case it contain WITHOUT_NLS
+# the ports tree doesn't like that
+# HACK: lately pkg fails to compile in weird way, do a hack version of extracting in
+# and replace /usr/sbin/pkg with a link
+	tar xzf ${.TARGET}/usr/freebsd-dist/${VENDORNAME}/Latest/pkg.txz -C $$(realpath ${.TARGET})
+	rm $$(realpath ${.TARGET})/usr/sbin/pkg
+	ln -s /usr/local/sbin/pkg $$(realpath ${.TARGET})/usr/sbin/pkg
+.else
 	for dist in MANIFEST $$(ls *.txz | grep -vE -- '(base|lib32)-dbg'); \
 	    do cp $${dist} ${.TARGET}/usr/freebsd-dist; \
 	done
+.endif
+# Copy documentation, if generated
+.if !defined(NODOC)
+	cp reldoc/* ${.TARGET}
+.endif
 # Set up installation environment
 	ln -fs /tmp/bsdinstall_etc/resolv.conf ${.TARGET}/etc/resolv.conf
 	echo sendmail_enable=\"NONE\" > ${.TARGET}/etc/rc.conf
 	echo hostid_enable=\"NO\" >> ${.TARGET}/etc/rc.conf
+	echo devmatch_enable=\"NO\" >> ${.TARGET}/etc/rc.conf
+	echo debug.witness.trace=0 >> ${.TARGET}/etc/sysctl.conf
 	echo vfs.mountroot.timeout=\"10\" >> ${.TARGET}/boot/loader.conf
 	echo kernels_autodetect=\"NO\" >> ${.TARGET}/boot/loader.conf
 	cp ${.CURDIR}/rc.local ${.TARGET}/etc
-	# XXXOP - try to work around installer lockup on random dev in a virtual machine
-	dd if=/dev/random of=${.TARGET}/boot/entropy bs=4k count=1
-	chown 0:0 ${.TARGET}/boot/entropy
-	chmod 0600 ${.TARGET}/boot/entropy
+.if defined(WITH_PKGBASE)
+	mkdir ${.TARGET}/conf
+.if defined(WITH_SERIAL)
+	cp ${.CURDIR}/config_serial.xml ${.TARGET}/conf/config.xml
+.else
+	cp ${.CURDIR}/config_vga.xml ${.TARGET}/conf/config.xml
+.endif
+	echo 'kernel="kernel.HARDENEDBSD"' >> ${.TARGET}/boot/loader.conf.local
+	echo 'module_path="kernel.HARDENEDBSD"' >> ${.TARGET}/boot/loader.conf
+	echo 'boot_multicons="YES"' >> ${.TARGET}/boot/loader.conf.local
+	echo 'kern.cam.boot_delay="10000"' >> ${.TARGET}/boot/loader.conf.local
+.if defined(WITH_SERIAL)
+	echo 'boot_serial="YES"' >> ${.TARGET}/boot/loader.conf.local
+	echo 'comconsole_speed=115200' >> ${.TARGET}/boot/loader.conf.local
+	echo 'console=comconsole' >> ${.TARGET}/boot/loader.conf.local
+.endif
+.endif
 	touch ${.TARGET}

 bootonly: packagesystem
 # Install system
 	mkdir -p ${.TARGET}
-	cd ${WORLDDIR} && ${IMAKE} installworld installkernel distribution \
+	cd ${WORLDDIR} && ${IMAKE} installkernel installworld distribution \
 	    DESTDIR=${.OBJDIR}/${.TARGET} MK_AT=no \
 	    MK_GAMES=no \
 	    MK_INSTALLLIB=no MK_LIB32=no MK_MAIL=no \
@@ -200,15 +272,11 @@ bootonly: packagesystem
 	echo vfs.mountroot.timeout=\"10\" >> ${.TARGET}/boot/loader.conf
 	echo kernels_autodetect=\"NO\" >> ${.TARGET}/boot/loader.conf
 	cp ${.CURDIR}/rc.local ${.TARGET}/etc
-	# XXXOP - try to work around installer lockup on random dev in a virtual machine
-	dd if=/dev/random of=${.TARGET}/boot/entropy bs=4k count=1
-	chown 0:0 ${.TARGET}/boot/entropy
-	chmod 0600 ${.TARGET}/boot/entropy

 dvd: packagesystem
 # Install system
 	mkdir -p ${.TARGET}
-	cd ${WORLDDIR} && ${IMAKE} installworld installkernel distribution \
+	cd ${WORLDDIR} && ${IMAKE} installkernel installworld distribution \
 		DESTDIR=${.OBJDIR}/${.TARGET} MK_RESCUE=no MK_KERNEL_SYMBOLS=no \
 		MK_TESTS=no MK_DEBUG_FILES=no \
 		-DDB_FROM_SRC
@@ -224,10 +292,6 @@ dvd: packagesystem
 	echo vfs.mountroot.timeout=\"10\" >> ${.TARGET}/boot/loader.conf
 	echo kernels_autodetect=\"NO\" >> ${.TARGET}/boot/loader.conf
 	cp ${.CURDIR}/rc.local ${.TARGET}/etc
-	# XXXOP - try to work around installer lockup on random dev in a virtual machine
-	dd if=/dev/random of=${.TARGET}/boot/entropy bs=4k count=1
-	chown 0:0 ${.TARGET}/boot/entropy
-	chmod 0600 ${.TARGET}/boot/entropy
 	touch ${.TARGET}

 release.iso: disc1.iso
@@ -248,8 +312,12 @@ mini-memstick: mini-memstick.img
 mini-memstick.img: bootonly
 	sh ${.CURDIR}/${TARGET}/make-memstick.sh bootonly ${.TARGET}

+.if defined(WITH_PKGBASE)
+packagesystem:
+.else
 packagesystem: base.txz kernel.txz ${EXTRA_PACKAGES}
 	sh ${.CURDIR}/scripts/make-manifest.sh *.txz > MANIFEST
+.endif
 	touch ${.TARGET}

 pkg-stage:

--- a/release/packages/kernel.ucl
+++ b/release/packages/kernel.ucl
@@ -16,7 +16,14 @@ desc = <<EOD
 %DESC%
 EOD
 scripts: {
+	pre-deinstall = <<EOD
+	/usr/sbin/kernel-select -k ${PKG_ROOTDIR}/boot/ -p backup %PKG_NAME_PREFIX%-%PKGNAME%
+EOD
 	post-install = <<EOD
-	/usr/sbin/kldxref ${PKG_ROOTDIR}/boot/%KERNELDIR%
+	/usr/sbin/kernel-select -k ${PKG_ROOTDIR}/boot/ -p switch %PKG_NAME_PREFIX%-%PKGNAME%
+EOD
+	post-deinstall = <<EOD
+	/usr/sbin/kernel-select cleanup
+	/usr/sbin/kernel-select -q -k ${PKG_ROOTDIR}/boot  status || /usr/sbin/kernel-select -k ${PKG_ROOTDIR}/boot switch GENERIC
 EOD
 }
--- a/share/mk/src.opts.mk
+++ b/share/mk/src.opts.mk
@@ -122,6 +122,7 @@ __DEFAULT_YES_OPTIONS = \
    IPFW \
    ISCSI \
    JAIL \
+    KERNEL_SELECT \
    KDUMP \
    KVM \
    LDNS \

--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -48,7 +48,8 @@
 #
 #	-V var	Print ${var}="${val-of-var}" and exit
 #
-#	-v	Print TYPE REVISION BRANCH RELEASE VERSION RELDATE variables
+#	-v	Print TYPE REVISION BRANCH RELEASE VERSION RELDATE
+#		VENDOR_VERSION variables
 #		like the -V command
 #

@@ -61,6 +62,7 @@ fi
 BRANCH="${BRANCH}-HBSD"
 RELEASE="${REVISION}-${BRANCH}"
 VERSION="${TYPE} ${RELEASE}"
+VENDOR_VERSION=""

 if [ -z "${SYSDIR}" ]; then
    SYSDIR=$(dirname $0)/..
@@ -118,7 +120,7 @@ while getopts crRvV: opt; do
 		;;
 	v)
 		# Only put variables that are single lines here.
-		for v in TYPE REVISION BRANCH RELEASE VERSION RELDATE; do
+		for v in TYPE REVISION BRANCH RELEASE VERSION RELDATE VENDOR_VERSION; do
 			eval val=\$${v}
 			echo ${v}=\"${val}\"
 		done

--- a/usr.sbin/Makefile
+++ b/usr.sbin/Makefile
@@ -157,6 +157,8 @@ SUBDIR.${MK_ISCSI}+=	ctladm ctld iscsid
 SUBDIR.${MK_JAIL}+=	jail
 SUBDIR.${MK_JAIL}+=	jexec
 SUBDIR.${MK_JAIL}+=	jls
+SUBDIR.${MK_KERNEL_SELECT}+=	kernel-select
+SUBDIR.${MK_KERNEL_SELECT}+=	vendor-update
 # XXX MK_SYSCONS
 SUBDIR.${MK_LEGACY_CONSOLE}+=	kbdcontrol
 SUBDIR.${MK_LEGACY_CONSOLE}+=	kbdmap

--- a/usr.sbin/bsdconfig/share/common.subr
+++ b/usr.sbin/bsdconfig/share/common.subr
@@ -1010,6 +1010,16 @@ f_count_ifs()
 	setvar "$__var_to_set" $#
 }

+f_ispkgbase()
+{
+	ABI=$(pkg -o ABI_FILE=/usr/sbin/uname config abi)
+	if [ -d "/usr/freebsd-dist/${ABI}" ]; then
+		return 1
+	fi
+
+	return 0
+}
+
 ############################################################ MAIN

 #

--- a/usr.sbin/bsdinstall/scripts/Makefile
+++ b/usr.sbin/bsdinstall/scripts/Makefile
 # $FreeBSD$

 SCRIPTS= auto adduser bootconfig checksum config docsinstall entropy \
-         fetchmissingdists hardening hostname jail keymap mirrorselect mount \
+         hardening hostname jail keymap mirrorselect mount \
         netconfig netconfig_ipv4 netconfig_ipv6 rootpass script services time \
         umount wlanconfig zfsboot
+SCRRIPTS+=	pkgbase vendor
 BINDIR= ${LIBEXECDIR}/bsdinstall

 MAN=

--- a/usr.sbin/bsdinstall/scripts/auto
+++ b/usr.sbin/bsdinstall/scripts/auto
@@ -143,6 +143,9 @@ dialog_workaround()

 f_dprintf "Began Installation at %s" "$( date )"

+PKGBASE_INSTALL=$(f_ispkgbase)
+VENDOR_INSTALL=0
+
 rm -rf $BSDINSTALL_TMPETC
 mkdir $BSDINSTALL_TMPETC

@@ -153,35 +156,47 @@ trap error SIGINT	# Catch cntrl-C here
 bsdinstall hostname || error "Set hostname failed"

 export DISTRIBUTIONS="base.txz kernel.txz"
-if [ -f $BSDINSTALL_DISTDIR/MANIFEST ]; then
+if [ ${PKGBASE_INSTALL} -eq 0 && -f $BSDINSTALL_DISTDIR/MANIFEST ]; then
 	DISTMENU=`awk -F'\t' '!/^(kernel\.txz|base\.txz)/{print $1,$5,$6}' $BSDINSTALL_DISTDIR/MANIFEST`
 	DISTMENU="$(echo ${DISTMENU} | sed -E 's/\.txz//g')"

-	if [ -n "$DISTMENU" ]; then
-		exec 3>&1
-		EXTRA_DISTS=$( eval dialog \
-		    --backtitle \"HardenedBSD Installer\" \
-		    --title \"Distribution Select\" --nocancel --separate-output \
-		    --checklist \"Choose optional system components to install:\" \
-		    0 0 0 $DISTMENU \
-		2>&1 1>&3 )
-		for dist in $EXTRA_DISTS; do
-			export DISTRIBUTIONS="$DISTRIBUTIONS $dist.txz"
-		done
-	fi
+	exec 3>&1
+	EXTRA_DISTS=$( eval dialog \
+		--backtitle \"HardenedBSD Installer\" \
+		--title \"Distribution Select\" --nocancel --separate-output \
+		--checklist \"Choose optional system components to install:\" \
+		0 0 0 $DISTMENU \
+	2>&1 1>&3 )
+	for dist in $EXTRA_DISTS; do
+		export DISTRIBUTIONS="$DISTRIBUTIONS $dist.txz"
+	done
 fi

-FETCH_DISTRIBUTIONS=""
-for dist in $DISTRIBUTIONS; do
-	if [ ! -f $BSDINSTALL_DISTDIR/$dist ]; then
-		FETCH_DISTRIBUTIONS="$FETCH_DISTRIBUTIONS $dist"
+if [ ${PKGBASE_INSTALL} -eq 0 ]; then
+	LOCAL_DISTRIBUTIONS="MANIFEST"
+	FETCH_DISTRIBUTIONS=""
+	for dist in $DISTRIBUTIONS; do
+		if [ ! -f $BSDINSTALL_DISTDIR/$dist ]; then
+			FETCH_DISTRIBUTIONS="$FETCH_DISTRIBUTIONS $dist"
+		else
+			LOCAL_DISTRIBUTIONS="$LOCALDISTRIBUTIONS $dist"
+		fi
+	done
+
+	if [ -n "$FETCH_DISTRIBUTIONS" -a -n "$BSDINSTALL_CONFIGCURRENT" ]; then
+		dialog --backtitle "HardenedBSD Installer" --title "Network Installation" --msgbox "Some installation files were not found on the boot volume. The next few screens will allow you to configure networking so that they can be downloaded from the Internet." 0 0
+		bsdinstall netconfig || error
+		NETCONFIG_DONE=yes
 	fi
-done

-if [ -n "$FETCH_DISTRIBUTIONS" -a -n "$BSDINSTALL_CONFIGCURRENT" ]; then
-	dialog --backtitle "HardenedBSD Installer" --title "Network Installation" --msgbox "Some installation files were not found on the boot volume. The next few screens will allow you to configure networking so that they can be downloaded from the Internet." 0 0
-	bsdinstall netconfig || error
-	NETCONFIG_DONE=yes
+	if [ -n "$FETCH_DISTRIBUTIONS" ]; then
+		exec 3>&1
+		BSDINSTALL_DISTSITE=$(`dirname $0`/mirrorselect 2>&1 1>&3)
+		MIRROR_BUTTON=$?
+		exec 3>&-
+		test $MIRROR_BUTTON -eq 0 || error "No mirror selected"
+		export $BSDINSTALL_DISTSITE
+	fi
 fi

 rm -f $PATH_FSTAB
@@ -334,33 +349,101 @@ case "$PARTMODE" in
 	;;
 esac

-if [ -n "$FETCH_DISTRIBUTIONS" ]; then
-	exec 3>&1
-	export BSDINSTALL_DISTDIR=$(`dirname $0`/fetchmissingdists 2>&1 1>&3)
-	FETCH_RESULT=$?
-	exec 3>&-
+if [ ${PKGBASE_INSTALL} -eq 0 && ! -z "$FETCH_DISTRIBUTIONS" ]; then
+	ALL_DISTRIBUTIONS="$DISTRIBUTIONS"
+	WANT_DEBUG=
+
+	BSDINSTALL_FETCHDEST="$BSDINSTALL_CHROOT/usr/freebsd-dist"
+	mkdir -p "$BSDINSTALL_FETCHDEST" || error "Could not create directory $BSDINSTALL_FETCHDEST"
+
+	export DISTRIBUTIONS="$FETCH_DISTRIBUTIONS"
+	# Try to use any existing distfiles
+	if [ -d $BSDINSTALL_DISTDIR ]; then
+		DISTDIR_IS_UNIONFS=1
+		mount_nullfs -o union "$BSDINSTALL_FETCHDEST" "$BSDINSTALL_DISTDIR"
+	else
+		export DISTRIBUTIONS="$FETCH_DISTRIBUTIONS"
+		export BSDINSTALL_DISTDIR="$BSDINSTALL_FETCHDEST"
+	fi
+
+	export FTP_PASSIVE_MODE=YES
+	for _DISTRIBUTION in $DISTRIBUTIONS; do
+		case $_DISTRIBUTION in
+			*-dbg.*)
+				[ -e $BSDINSTALL_DISTDIR/$_DISTRIBUTION ] \
+					&& continue
+				WANT_DEBUG=1
+				DEBUG_LIST="\n$DEBUG_LIST\n$_DISTRIBUTION"
+				;;
+			*)
+				;;
+		esac
+	done
+
+	bsdinstall distfetch
+	rc=$?
+
+	if [ $rc -ne 0 ]; then
+		msg="FAiled to fetch remote distribution"
+		if [ ! -z "$WANT_DEBUG" ]; then
+			DEBUG_LIST="${DEBUG_LIST%%\n}"
+			DEBUG_LIST="${DEBUG_LIST##\n}"
+			msg="$msg\n\nPlease deselect the following distributions"
+			msg="$msg and retry the installation:"
+			msg="$msg\n$DEBUG_LIST"
+		fi
+		error "$msg"
+	fi

-	[ $FETCH_RESULT -ne 0 ] && error "Could not fetch remote distributions"
+	export DISTRIBUTIONS="$ALL_DISTRIBUTIONS"
+fi
+
+if [ ${PKGBASE_INSTALL} -eq 0 && ! -z "$LOCAL_DISTRIBUTIONS" ]; then
+	BSDINSTALL_FETCHDEST="$BSDINSTALL_CHROOT/usr/freebsd-dist"j
+	mkdir -p "$BSDINSTALL_FETCHDEST" || error "Could not create directory $BSDINSTALL_FETCHDEST"
+	if [ -d $BSDINSTALL_DISTDIR ]; then
+		DISTDIR_IS_UNIONFS=1
+		mount_nullfs -o union "$BSDINSTALL_FETCHDEST" "$BSDINSTALL_DISTDIR"
+		export BSDINSTALL_DISTDIR="$BSDINSTALL_FETCHDEST"
+	fi
+	env DISTRIBUTIONS="$LOCAL_DISTRIBUTIONS" \
+		BSDINSTALL_DISTSITE="file///usr/freebsd-dist" \
+		bsdinstall distfetch || \
+		error "FAiled to fetch distribution from local media"
+fi
+
+if [ ${PKGBASE_INSTALL} -eq 0 ]; then
+	bsdinstall checksum || error "Distribution checksum failed"
+	bsdinstall distextract || error "Distribution extract failed"
+else
+	bsdinstall pkgbase || error "FAiled to install pkgbase"
+	bsdinstall vendor || error "Failed to install vendor additions"
 fi
-bsdinstall checksum || error "Distribution checksum failed"
-bsdinstall distextract || error "Distribution extract failed"

 # Set up boot loader
 bsdinstall bootconfig || error "Failed to configure bootloader"

-bsdinstall rootpass || error "Could not set root password"
+if [ ${VENDOR_INSTALL} -eq 0 ]; then
+	bsdinstall rootpass || error "Could not set root password"
+fi

 trap true SIGINT	# This section is optional
 if [ "$NETCONFIG_DONE" != yes ]; then
-	bsdinstall netconfig	# Don't check for errors -- the user may cancel
+	if [ ${VENDOR_INSTALL} -eq 0 ]; then
+		bsdinstall netconfig	# Don't check for errors -- the user may cancel
+	fi
 fi
+
 bsdinstall time
-bsdinstall services
-bsdinstall hardening

-dialog --backtitle "HardenedBSD Installer" --title "Add User Accounts" --yesno \
-    "Would you like to add users to the installed system now?" 0 0 && \
-    bsdinstall adduser
+if [ ${VENDOR_INSTALL} -eq 0 ]; then
+	bsdinstall services
+	bsdinstall hardening
+
+	dialog --backtitle "HardenedBSD Installer" --title "Add User Accounts" --yesno \
+		"Would you like to add users to the installed system now?" 0 0 && \
+		bsdinstall adduser
+fi

 finalconfig() {
 	exec 3>&1
@@ -415,7 +498,9 @@ finalconfig() {
 }

 # Allow user to change his mind
-finalconfig
+if [ ${VENDOR_INSTALL} -eq 0 ]; then
+	finalconfig
+fi

 trap error SIGINT	# SIGINT is bad again
 bsdinstall config  || error "Failed to save config"
@@ -424,14 +509,16 @@ if [ ! -z "$BSDINSTALL_FETCHDEST" ]; then
 	rm -rf "$BSDINSTALL_FETCHDEST"
 fi

-dialog --backtitle "HardenedBSD Installer" --title "Manual Configuration" \
-    --default-button no --yesno \
-   "The installation is now finished. Before exiting the installer, would you like to open a shell in the new system to make any final manual modifications?" 0 0
-if [ $? -eq 0 ]; then
-	clear
-	echo This shell is operating in a chroot in the new system. \
-	    When finished making configuration changes, type \"exit\".
-	chroot "$BSDINSTALL_CHROOT" /bin/sh 2>&1
+if [ ${VENDOR_INSTALL} -eq 0 ]; then
+	dialog --backtitle "HardenedBSD Installer" --title "Manual Configuration" \
+		--default-button no --yesno \
+		"The installation is now finished. Before exiting the installer, would you like to open a shell in the new system to make any final manual modifications?" 0 0
+	if [ $? -eq 0 ]; then
+		clear
+		echo This shell is operating in a chroot in the new system. \
+			When finished making configuration changes, type \"exit\".
+		chroot "$BSDINSTALL_CHROOT" /bin/sh 2>&1
+	fi
 fi

 bsdinstall entropy

--- a/usr.sbin/bsdinstall/scripts/pkgbase
+++ b/usr.sbin/bsdinstall/scripts/pkgbase