History log of /freebsd-current/usr.sbin/bsdinstall/scripts/config
Revision Date Author Comments
# ffbaa453 07-May-2024 Mark Johnston <markj@FreeBSD.org>

bsdinstall: Stop loading cryptodev for ZFS installations

- zfs depends on the crypto module, not cryptodev, and most arm64 kernel
configs include std.dev, which includes "device crypto" anyway.
- This config works around a problem with kldxref lacking cross-target
support, but that has since been fixed.
- Loading cryptodev creates /dev/crypto, which gives unprivileged users
access to the kernel's opencrypto framework. Very few applications
need it, so we're needlessly increasing the kernel's surface area.

Thus, stop auto-loading cryptodev.

Reviewed by: kevans, allanjude, des
Differential Revision: https://reviews.freebsd.org/D45127


# d0b2dbfa 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/


# 9ed05409 17-Sep-2020 Kyle Evans <kevans@FreeBSD.org>

Revert r361257: bsdinstall: do a `certctl rehash` upon installation [...]

As of r365829, any given base distribution set will now include the /etc/ssl
symlinks that this rehash would've otherwise installed. This extra step is
no longer required.

MFC after: 1 week
X-MFC-With: r365837


# 60403b98 25-Aug-2020 Ryan Moeller <freqlabs@FreeBSD.org>

bsdinstall: Update loader.conf for new OpenZFS deps

zfs.ko now includes the SPL but relies on cryptodev instead.

Reported by: D Scott Phillips
Sponsored by: iXsystems, Inc.


# 1840a4fa 19-May-2020 Kyle Evans <kevans@FreeBSD.org>

bsdinstall: do a `certctl rehash` upon installation of configuration

If certctl is installed on the system we're configuring, do a certctl
rehash.

Note that certctl may not be present if the world we've installed was built
either WITHOUT_OPENSSL or WITHOUT_CAROOT. In this scenario, we don't
currently see if the host has a certctl as this may be an indication that
the system *shouldn't* have certs installed into /etc/ssl.

Reviewed by: allanjude, dteske
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D24640


# e7a71e6d 02-Oct-2019 Glen Barber <gjb@FreeBSD.org>

Add a comment explaining why the opensolaris_load line in loader.conf
is explicitly added.

Requested by: rgrimes
MFC after: 3 days
MFC with: r353004
Sponsored by: Rubicon Communications, LLC (Netgate)


# 8cdae52e 02-Oct-2019 Glen Barber <gjb@FreeBSD.org>

Explicitly add opensolaris_load="YES" to loader.conf through the
installer when installing the system on a ZFS root filesystem.

For arm64, zfs_load="YES" does not add opensolaris.ko as a kld
dependency, so add it explicitly to prevent boot-time failures
out-of-box.

PR: 240478
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC (Netgate)


# 33a5ef35 20-Sep-2018 Mark Johnston <markj@FreeBSD.org>

Fix variable name typo in the bsdinstall ttys hardening code.

Submitted by: Jörg Pernfuß <code.jpe@gmail.com>
Reviewed by: allanjude, dab, emaste
Approved by: re (gjb)
Differential Revision: https://reviews.freebsd.org/D12476


# c12530ca 11-Sep-2017 Ed Maste <emaste@FreeBSD.org>

Ignore error return from newaliases(1)

This was originally added as "exit $SUCCESS" but with nothing to set the
SUCCESS variable. Thus it became an exit with no argument, which just
exits with the status of the preceding command.

MFC after: 3 days
Sponsored by: The FreeBSD Foundation


# 82ec242f 05-Jul-2017 Bartek Rutkowski <robak@FreeBSD.org>

Add option to bsdinstall to disable insecure console, update stack guard option

This patch adds new bsdinstall option to hardening section that allows users
to change this behaviour to secure one and updates stack guard option so it
would set the value of relevant sysctl to 512 (2MB)

Submitted by: Bartek Rutkowski
Reviewed by: adrian, bapt, emaste
Approved by: bapt, emaste
MFC after: 1 day
Sponsored by: Pixeware LTD
Differential Revision: https://reviews.freebsd.org/D9700


# 98b9d384 20-Jun-2017 Steven Hartland <smh@FreeBSD.org>

Fixed bsdinstall location of vfs.zfs.min_auto_ashift

vfs.zfs.min_auto_ashift is a sysctl only not a tunable so updated bsdinstall
to use the correct location /etc/sysctl.conf instead of /boot/loader.conf

Reported by: Aaron Caza
Reviewed by: allanjude
MFC after: 2 days
Sponsored by: Multiplay
Differential Revision: https://reviews.freebsd.org/D11278


# 0e3f233f 15-Jul-2016 Bartek Rutkowski <robak@FreeBSD.org>

Add new System Hardening menu and options to bsdinstall.

This patch adds a new 'hardening' file responsible for new bsdinstall
'System Hardening' menu allowing users to set some sane and carefully
picked system security options (like random process id's, hiding
other users/groups processes and others).

All options are OFF by default in this patch due to POLA principle
with intention to change some of them to ON by default in future.

Reviewed by: adrian, allanjude, bdrewery, nwhitehorn
Approved by: adrian, allanjude
MFC after: 7 days


# fef95330 11-Sep-2015 Devin Teske <dteske@FreeBSD.org>

Update copyrights

MFC after: 3 days
X-MFC-to: stable/10


# ff7b134c 11-Sep-2015 Devin Teske <dteske@FreeBSD.org>

Ignore error results from newaliases(1)

MFC after: 3 days
X-MFC-to: stable/10


# 6e15678a 13-Sep-2014 Nathan Whitehorn <nwhitehorn@FreeBSD.org>

Add ZFS support to the bsdinstall partition editor and sade.

Submitted by: Kurt Lidl (original version)
MFC after: 6 weeks


# a7fb3c62 16-Dec-2013 Devin Teske <dteske@FreeBSD.org>

Mask error from newaliases(1) when the hostname is not fully qualified.

MFC after: 3 days


# cd28e9c5 08-Nov-2013 Devin Teske <dteske@FreeBSD.org>

I often forget that debugFile can begin with a + for deciding that debug
should be sent to both the file (minus the leading +) and stdout.


# 66fd3214 08-Nov-2013 Devin Teske <dteske@FreeBSD.org>

Copy the install log to the deployed /var/log directory so that we have
post-mortem data on how the machine was configured/installed.


# 9e513d31 08-Nov-2013 Devin Teske <dteske@FreeBSD.org>

Semi-revert this one file out of r257842. The ttys(5) stuff, as we
discussed on -current, was not supposed to go in but get solved in
a different way (e.g., init(8) logic).

Discussed on: -current


# bc4a673f 08-Nov-2013 Devin Teske <dteske@FreeBSD.org>

A series of changes tested together as a whole:
+ Add a `-D FILE' command-line option for overriding the path to the
bsdinstall log file (BSDINSTALL_LOG env var).
+ Document new `-D FILE' in the man page for bsdinstall.
+ If FILE in `-D FILE' begins with a +, debug output goes to stdout
(interleaved between dialog(1) invocations/output) as well as to FILE
(minus the leading + of course).
+ If BSDINSTALL_LOG cannot be written, then debugging is disabled (except in
the case of a leading + in the pathname, wherein debug will still be
printed to stdout).
+ Update source code formatting style.
+ Fix a dangling participle ("Begun ..." -> "Began ...")
+ Rewrite the docsinstall script (was necessary to abate direct dependency
on BSDINSTALL_LOG (instead, use fault-tolerant bsdconfig framework which
displays appropriate errors for package management).
NB: docsinstall is still using pkg(8) after this change.
+ Add additional debug output for dhclient/rtsol/wpa_cliscan
+ Display script errors in a textbox rather than just on stdout
+ Update many comments.
+ Add new f_show_err() API call (like f_show_msg but changes the dialog
title to "Error")(see bsdconfig's `common.subr').
+ Add new f_eval_catch() API call for executing a command via eval but not
before logging the command to debug. Several example cases documented in
API header for function in bsdconfig's `common.subr'.
+ Fix dialog auto-sizing when launched as an rvalue to a pipe for indirected
scripts (previously would default to 24x80 sizing in this case, now it can
autosize to full size even when in a pipe chain).
+ Fix bug in f_snprintf if $format argument began with "-"; printf would
misinterpret as a flag. (this is in bsdconfig's `strings.subr').
+ Add accompanying f_sprintf() and f_vsprintf() to go along with already
existing f_snprintf() and f_vsnprintf() (see bsdconfig's `strings.subr').
+ Remove some unnecessary default ZFS datasets from the automatic "zfsboot"
script. Such as: /usr/ports/distfiles /usr/ports/packages /usr/obj /var/db
/var/empty /var/mail and /var/run (these can all be created as-needed once
the system is installed).
+ Remove setuid=off for /usr/home (as discussed from last round of CFT).
+ Fix some i18n string violations in "zfsboot".
+ Bolster debugging output in "zfsboot".
+ Fix some string quoting issues in "zfsboot".
+ Fix some variable scope issues in "zfsboot".
+ Change "Create" to "Install" in "zfsboot" main menu.
+ Increase error checking in "zfsboot" (type-check arguments and such).
+ Add call to "graid destroy" killing automatic metadata (part of the series
of pedantic destructions we do when bootstrapping a new/naked disk).
+ Make judicious use of new f_eval_catch() in "zfsboot".
+ Fixup some variable names for consistency (zfsboot).
+ Fix an underride syntax parameter expansion folly (zfsboot).
+ Confirm layout if not explicitly chosen when blindly proceeding (no
longer have to touch anything on the ZFS menu if it scares you, just
choose the omnibus "Install" option at the top and you'll be prompted to
select vdev type and disks in the layout confirmation dialog).
+ Change numbered menu items to alphabetic for more efficient navigation.
+ Consolidate vdev selection and disk selection into a single stateful
menu which performs validation and allows backing out to each previous
menu as you go deeper.
+ Redesign the ``Last Chance'' dialog (still using the same colors, but
make it conform to a tolerable width and make disks appear in a block-
quote style indented region).
+ Fix a bug wherein we used a lowercase variable name by accident
(actual variable name declared as all-uppercase) at the time of
initializing fstab(5) (not believed to cause any issues though).
+ Update the geli setup infobox for each provider being initialized
(not just at the onset -- since each ``geli init'' causes kernel messages
to push our infobox off-screen).

Reviewed by: Allan Jude <freebsd@allanjude.com>
Discussed on: -current
MFC after: 3 days


# cd88b886 11-Oct-2013 Devin Teske <dteske@FreeBSD.org>

Add zfsboot module as an option for automatic configuration. Default is
to run interactively but it can be scripted too (optionally completely
non-interactive). Currently supports GELI and all ZFS vdev types. Also
performs validation on selections/settings providing error messages if
necessary, explaining (in plain language) what the issue is. Currently
the auto partitioning of naked disks only supports GPT and MBR (VTOC8
pending for sparc64), so is only available for i386/amd64 install.

Submitted by: Allan Jude <freebsd@allanjude.com>, myself
Reviewed by: Allan Jude <freebsd@allanjude.com>
Approved by: re (glebius)


# d71e85ce 13-Jul-2011 Nathan Whitehorn <nwhitehorn@FreeBSD.org>

Run newaliases at the end of the install process.

Submitted by: kevlo


# 2118f387 18-Feb-2011 Nathan Whitehorn <nwhitehorn@FreeBSD.org>

Import bsdinstall. This is meant to be (eventually in conjunction with
pc-sysinstall) a replacement for sysinstall in the 9.0 release and beyond.
Currently supported platforms are sparc64, pc98, i386, amd64, powerpc, and
powerpc64. Integration into the build system will occur in the coming
weeks.

Merging with pc-sysinstall will use this code as a frontend, while
temporarily retaining the interactive partition editor here. This work
will be done in parallel with improvements on this code and release
integration.

Thanks to all who have provided testing and comments!