nvmutil: split nvmutil.c into multiple files

this is a big program now. act like it. Signed-off-by: Leah Rowe <leah@libreboot.org>
2026-03-25 13:29:03 +02:00 · 2026-03-18 13:13:27 +00:00
parent 722ed03179
commit 27371af4bc
13 changed files with 3176 additions and 2865 deletions
--- a/util/nvmutil/.gitignore
+++ b/util/nvmutil/.gitignore
@@ -1,3 +1,5 @@
 /nvm
 /nvmutil
 *.bin
+*.o
+*.d
--- a/util/nvmutil/Makefile
+++ b/util/nvmutil/Makefile
@@ -11,10 +11,8 @@ DESTDIR?=
 PREFIX?=/usr/local
 INSTALL?=install

-.SUFFIXES:
+.SUFFIXES: .c .o

-# maybe add -I. here when running make
-# e.g. make LDIR=-I.
 LDIR?=

 PORTABLE?=$(LDIR) $(CFLAGS)
@@ -22,24 +20,73 @@ WARN?=$(PORTABLE) -Wall -Wextra
 STRICT?=$(WARN) -std=c90 -pedantic -Werror
 HELLFLAGS?=$(STRICT) -Weverything

-# program name
 PROG=nvmutil

+# source files
+
+SRCS = nvmutil.c state.c file.c string.c usage.c command.c num.c io.c \
+    checksum.c word.c
+
+# object files
+
+OBJS = $(SRCS:.c=.o)
+
+# default mode
+
+MODE?=portable
+
+# default mode, options
+
+CFLAGS_MODE=$(PORTABLE)
+CC_MODE=$(CC)
+
+# override modes (options)
+
+ifeq ($(MODE),warn)
+CFLAGS_MODE=$(WARN)
+endif
+
+ifeq ($(MODE),strict)
+CFLAGS_MODE=$(STRICT)
+endif
+
+ifeq ($(MODE),hell)
+CFLAGS_MODE=$(HELLFLAGS)
+CC_MODE=$(HELLCC)
+endif
+
+# (rebuild on .h changes)
+# (commented for portability)
+#
+# CFLAGS_MODE += -MMD -MP
+# -include $(OBJS:.o=.d)
+#
+# likely more compatible,
+# on its own:
+# -include $(OBJS:.o=.d)
+#
+# i want this to build on
+# old make, so i'll leave
+# this blanked by default
+
 all: $(PROG)

-$(PROG): $(PROG).c
-	$(CC) $(PORTABLE) $(PROG).c -o $(PROG) $(LDFLAGS)
+$(PROG): $(OBJS)
+	$(CC_MODE) $(OBJS) -o $(PROG) $(LDFLAGS)

-warn: $(PROG).c
-	$(CC) $(WARN) $(PROG).c -o $(PROG) $(LDFLAGS)
+# generic rules

-strict: $(PROG).c
-	$(CC) $(STRICT) $(PROG).c -o $(PROG) $(LDFLAGS)
-
-# clang-only extreme warnings (not portable)
-hell: $(PROG).c
-	$(HELLCC) $(HELLFLAGS) $(PROG).c -o $(PROG) $(LDFLAGS)
+# .c.o: is the old style (portable)
+# modern equivalent:
+# %.o: %.c
+#
+.c.o:
+	$(CC_MODE) $(CFLAGS_MODE) -c $< -o $@

+# -m in install is not portable
+# to old/other/weird versions.
+# use chmod directly.
+#
 install: $(PROG)
 	$(INSTALL) -d $(DESTDIR)$(PREFIX)/bin
 	$(INSTALL) $(PROG) $(DESTDIR)$(PREFIX)/bin/$(PROG)
@@ -49,8 +96,19 @@ uninstall:
 	rm -f $(DESTDIR)$(PREFIX)/bin/$(PROG)

 clean:
-	rm -f $(PROG)
+	rm -f $(PROG) $(OBJS) *.d

 distclean: clean

+# easy commands
+
+warn:
+	$(MAKE) MODE=warn
+
+strict:
+	$(MAKE) MODE=strict
+
+hell:
+	$(MAKE) MODE=hell
+
 .PHONY: all warn strict hell install uninstall clean distclean
--- a/util/nvmutil/checksum.c
+++ b/util/nvmutil/checksum.c
@@ -0,0 +1,122 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (c) 2022-2026 Leah Rowe <leah@libreboot.org>
+ *
+ * Functions related to GbE NVM checksums.
+ *
+ * Related file: word.c
+ */
+
+#ifdef __OpenBSD__
+#include <sys/param.h>
+#endif
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "include/common.h"
+
+void
+read_checksums(void)
+{
+	struct xstate *x = xstatus();
+	struct commands *cmd;
+	struct xfile *f;
+
+	unsigned long _p;
+	unsigned long _skip_part;
+
+	unsigned char _num_invalid;
+	unsigned char _max_invalid;
+
+	cmd = &x->cmd[x->i];
+	f = &x->f;
+
+	f->part_valid[0] = 0;
+	f->part_valid[1] = 0;
+
+	if (!cmd->chksum_read)
+		return;
+
+	_num_invalid = 0;
+	_max_invalid = 2;
+
+	if (cmd->arg_part)
+		_max_invalid = 1;
+
+	/*
+	 * Skip verification on this part,
+	 * but only when arg_part is set.
+	 */
+	_skip_part = f->part ^ 1;
+
+	for (_p = 0; _p < 2; _p++) {
+		/*
+		 * Only verify a part if it was *read*
+		 */
+		if (cmd->arg_part && (_p == _skip_part))
+			continue;
+
+		f->part_valid[_p] = good_checksum(_p);
+		if (!f->part_valid[_p])
+			++_num_invalid;
+	}
+
+	if (_num_invalid >= _max_invalid) {
+		if (_max_invalid == 1)
+			err(ECANCELED, "%s: part %lu has a bad checksum",
+			    f->fname, (unsigned long)f->part);
+		err(ECANCELED, "%s: No valid checksum found in file",
+		    f->fname);
+	}
+}
+
+int
+good_checksum(unsigned long partnum)
+{
+	unsigned short expected_checksum;
+	unsigned short actual_checksum;
+
+	expected_checksum =
+	    calculated_checksum(partnum);
+
+	actual_checksum =
+	    nvm_word(NVM_CHECKSUM_WORD, partnum);
+
+	if (expected_checksum == actual_checksum) {
+		return 1;
+	} else {
+		return 0;
+	}
+}
+
+void
+set_checksum(unsigned long p)
+{
+	check_bin(p, "part number");
+	set_nvm_word(NVM_CHECKSUM_WORD, p, calculated_checksum(p));
+}
+
+unsigned short
+calculated_checksum(unsigned long p)
+{
+	unsigned long c;
+	unsigned int val16;
+
+	val16 = 0;
+
+	for (c = 0; c < NVM_CHECKSUM_WORD; c++)
+		val16 += (unsigned int)nvm_word(c, p);
+
+	return (unsigned short)((NVM_CHECKSUM - val16) & 0xffff);
+}
--- a/util/nvmutil/command.c
+++ b/util/nvmutil/command.c
@@ -0,0 +1,603 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (c) 2022-2026 Leah Rowe <leah@libreboot.org>
+ *
+ * Command handlers for nvmutil
+ */
+
+#ifdef __OpenBSD__
+#include <sys/param.h>
+#endif
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "include/common.h"
+
+/*
+ * Guard against regressions by maintainers (command table)
+ */
+void
+sanitize_command_list(void)
+{
+	struct xstate *x = xstatus();
+
+	unsigned long c;
+	unsigned long num_commands;
+
+	num_commands = items(x->cmd);
+
+	for (c = 0; c < num_commands; c++)
+		sanitize_command_index(c);
+}
+
+/*
+ * TODO: specific config checks per command
+ */
+void
+sanitize_command_index(unsigned long c)
+{
+	struct xstate *x = xstatus();
+	struct commands *cmd;
+
+	int _flag;
+	unsigned long gbe_rw_size;
+
+	cmd = &x->cmd[c];
+
+	check_command_num(c);
+
+	if (cmd->argc < 3)
+		err(EINVAL, "cmd index %lu: argc below 3, %d",
+		    (unsigned long)c, cmd->argc);
+
+	if (cmd->str == NULL)
+		err(EINVAL, "cmd index %lu: NULL str",
+		    (unsigned long)c);
+
+	if (*cmd->str == '\0')
+		err(EINVAL, "cmd index %lu: empty str",
+		    (unsigned long)c);
+
+	if (xstrxlen(cmd->str, MAX_CMD_LEN + 1) >
+	    MAX_CMD_LEN) {
+		err(EINVAL, "cmd index %lu: str too long: %s",
+		    (unsigned long)c, cmd->str);
+	}
+
+	if (cmd->run == NULL)
+		err(EINVAL, "cmd index %lu: cmd ptr null",
+		    (unsigned long)c);
+
+	check_bin(cmd->arg_part, "cmd.arg_part");
+	check_bin(cmd->chksum_read, "cmd.chksum_read");
+	check_bin(cmd->chksum_write, "cmd.chksum_write");
+
+	gbe_rw_size = cmd->rw_size;
+
+	switch (gbe_rw_size) {
+	case GBE_PART_SIZE:
+	case NVM_SIZE:
+		break;
+	default:
+		err(EINVAL, "Unsupported rw_size: %lu",
+		    (unsigned long)gbe_rw_size);
+	}
+
+	if (gbe_rw_size > GBE_PART_SIZE)
+		err(EINVAL, "rw_size larger than GbE part: %lu",
+		    (unsigned long)gbe_rw_size);
+
+	_flag = (cmd->flags & O_ACCMODE);
+
+	if (_flag != O_RDONLY &&
+	    _flag != O_RDWR)
+		err(EINVAL, "invalid cmd.flags setting");
+}
+
+void
+set_cmd(int argc, char *argv[])
+{
+	struct xstate *x = xstatus();
+	const char *cmd;
+
+	unsigned long c;
+
+	for (c = 0; c < items(x->cmd); c++) {
+
+		cmd = x->cmd[c].str;
+
+		/* not the right command */
+		if (xstrxcmp(argv[2], cmd, MAX_CMD_LEN) != 0)
+			continue;
+
+		/* valid command found */
+		if (argc >= x->cmd[c].argc) {
+			x->no_cmd = 0;
+			x->i = c; /* set command */
+
+			return;
+		}
+
+		err(EINVAL,
+		    "Too few args on command '%s'", cmd);
+	}
+
+	x->no_cmd = 1;
+}
+
+void
+set_cmd_args(int argc, char *argv[])
+{
+	struct xstate *x = xstatus();
+	struct commands *cmd;
+	struct xfile *f;
+	unsigned long i;
+
+	i = x->i;
+	cmd = &x->cmd[i];
+	f = &x->f;
+
+	if (!valid_command(i) || argc < 3)
+		usage();
+
+	if (x->no_cmd)
+		usage();
+
+	/* Maintainer bugs */
+	if (cmd->arg_part && argc < 4)
+		err(EINVAL,
+		    "arg_part set for command that needs argc4");
+
+	if (cmd->arg_part && i == CMD_SETMAC)
+		err(EINVAL,
+		    "arg_part set on CMD_SETMAC");
+
+	if (i == CMD_SETMAC) {
+
+		if (argc >= 4)
+			x->mac.str = argv[3];
+		else
+			x->mac.str = x->mac.rmac;
+
+	} else if (cmd->arg_part) {
+
+		f->part = conv_argv_part_num(argv[3]);
+	}
+}
+
+unsigned long
+conv_argv_part_num(const char *part_str)
+{
+	unsigned char ch;
+
+	if (part_str[0] == '\0' || part_str[1] != '\0')
+		err(EINVAL, "Partnum string '%s' wrong length", part_str);
+
+	/* char signedness is implementation-defined */
+	ch = (unsigned char)part_str[0];
+	if (ch < '0' || ch > '1')
+		err(EINVAL, "Bad part number (%c)", ch);
+
+	return (unsigned long)(ch - '0');
+}
+void
+run_cmd(void)
+{
+	struct xstate *x = xstatus();
+	unsigned long i;
+	void (*run)(void);
+
+	i = x->i;
+	run = x->cmd[i].run;
+
+	check_command_num(i);
+
+	if (run == NULL)
+		err(EINVAL, "Command %lu: null ptr", i);
+
+	run();
+
+	for (i = 0; i < items(x->cmd); i++)
+		x->cmd[i].run = cmd_helper_err;
+}
+
+void
+check_command_num(unsigned long c)
+{
+	if (!valid_command(c))
+		err(EINVAL, "Invalid run_cmd arg: %lu",
+		    (unsigned long)c);
+}
+
+unsigned char
+valid_command(unsigned long c)
+{
+	struct xstate *x = xstatus();
+	struct commands *cmd;
+
+	if (c >= items(x->cmd))
+		return 0;
+
+	cmd = &x->cmd[c];
+
+	if (c != cmd->chk)
+		err(EINVAL,
+		    "Invalid cmd chk value (%lu) vs arg: %lu",
+		    cmd->chk, c);
+
+	return 1;
+}
+
+void
+cmd_helper_setmac(void)
+{
+	struct xstate *x = xstatus();
+	unsigned long partnum;
+	struct macaddr *mac;
+
+	mac = &x->mac;
+
+	check_cmd(cmd_helper_setmac, "setmac");
+
+	printf("MAC address to be written: %s\n", mac->str);
+	parse_mac_string();
+
+	for (partnum = 0; partnum < 2; partnum++)
+		write_mac_part(partnum);
+}
+
+void
+parse_mac_string(void)
+{
+	struct xstate *x = xstatus();
+	struct macaddr *mac;
+
+	unsigned long mac_byte;
+
+	mac = &x->mac;
+
+	if (xstrxlen(x->mac.str, 18) != 17)
+		err(EINVAL, "MAC address is the wrong length");
+
+	memset(mac->mac_buf, 0, sizeof(mac->mac_buf));
+
+	for (mac_byte = 0; mac_byte < 6; mac_byte++)
+		set_mac_byte(mac_byte);
+
+	if ((mac->mac_buf[0] | mac->mac_buf[1] | mac->mac_buf[2]) == 0)
+		err(EINVAL, "Must not specify all-zeroes MAC address");
+
+	if (mac->mac_buf[0] & 1)
+		err(EINVAL, "Must not specify multicast MAC address");
+}
+
+void
+set_mac_byte(unsigned long mac_byte_pos)
+{
+	struct xstate *x = xstatus();
+	struct macaddr *mac;
+
+	char separator;
+
+	unsigned long mac_str_pos;
+	unsigned long mac_nib_pos;
+
+	mac = &x->mac;
+
+	mac_str_pos = mac_byte_pos * 3;
+
+	if (mac_str_pos < 15) {
+		if ((separator = mac->str[mac_str_pos + 2]) != ':')
+			err(EINVAL, "Invalid MAC address separator '%c'",
+			    separator);
+	}
+
+	for (mac_nib_pos = 0; mac_nib_pos < 2; mac_nib_pos++)
+		set_mac_nib(mac_str_pos, mac_byte_pos, mac_nib_pos);
+}
+
+void
+set_mac_nib(unsigned long mac_str_pos,
+    unsigned long mac_byte_pos, unsigned long mac_nib_pos)
+{
+	struct xstate *x = xstatus();
+	struct macaddr *mac;
+
+	char mac_ch;
+	unsigned short hex_num;
+
+	mac = &x->mac;
+
+	mac_ch = mac->str[mac_str_pos + mac_nib_pos];
+
+	if ((hex_num = hextonum(mac_ch)) > 15)
+		err(EINVAL, "Invalid character '%c'",
+		    mac->str[mac_str_pos + mac_nib_pos]);
+
+	/*
+	 * If random, ensure that local/unicast bits are set.
+	 */
+	if ((mac_byte_pos == 0) && (mac_nib_pos == 1) &&
+	    ((mac_ch | 0x20) == 'x' ||
+	    (mac_ch == '?')))
+		hex_num = (hex_num & 0xE) | 2; /* local, unicast */
+
+	/*
+	 * MAC words stored big endian in-file, little-endian
+	 * logically, so we reverse the order.
+	 */
+	mac->mac_buf[mac_byte_pos >> 1] |= hex_num <<
+	    (((mac_byte_pos & 1) << 3) /* left or right byte? */
+	    | ((mac_nib_pos ^ 1) << 2)); /* left or right nib? */
+}
+
+void
+write_mac_part(unsigned long partnum)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+	struct macaddr *mac;
+
+	unsigned long w;
+
+	f = &x->f;
+	mac = &x->mac;
+
+	check_bin(partnum, "part number");
+	if (!f->part_valid[partnum])
+		return;
+
+	for (w = 0; w < 3; w++)
+		set_nvm_word(w, partnum, mac->mac_buf[w]);
+
+	printf("Wrote MAC address to part %lu: ",
+	    (unsigned long)partnum);
+	print_mac_from_nvm(partnum);
+}
+
+void
+cmd_helper_dump(void)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	unsigned long p;
+
+	f = &x->f;
+
+	check_cmd(cmd_helper_dump, "dump");
+
+	f->part_valid[0] = good_checksum(0);
+	f->part_valid[1] = good_checksum(1);
+
+	for (p = 0; p < 2; p++) {
+
+		if (!f->part_valid[p]) {
+
+			fprintf(stderr,
+			    "BAD checksum %04x in part %lu (expected %04x)\n",
+			    nvm_word(NVM_CHECKSUM_WORD, p),
+			    (unsigned long)p,
+			    calculated_checksum(p));
+		}
+
+		printf("MAC (part %lu): ",
+		    (unsigned long)p);
+
+		print_mac_from_nvm(p);
+
+		hexdump(p);
+	}
+}
+
+void
+print_mac_from_nvm(unsigned long partnum)
+{
+	unsigned long c;
+	unsigned short val16;
+
+	for (c = 0; c < 3; c++) {
+		val16 = nvm_word(c, partnum);
+		printf("%02x:%02x",
+		    (unsigned int)(val16 & 0xff),
+		    (unsigned int)(val16 >> 8));
+		if (c == 2)
+			printf("\n");
+		else
+			printf(":");
+	}
+}
+
+void
+hexdump(unsigned long partnum)
+{
+	unsigned long c;
+	unsigned long row;
+	unsigned short val16;
+
+	for (row = 0; row < 8; row++) {
+
+		printf("%08lx ",
+		    (unsigned long)((unsigned long)row << 4));
+
+		for (c = 0; c < 8; c++) {
+
+			val16 = nvm_word((row << 3) + c, partnum);
+
+			if (c == 4)
+				printf(" ");
+
+			printf(" %02x %02x",
+			    (unsigned int)(val16 & 0xff),
+			    (unsigned int)(val16 >> 8));
+
+		}
+
+		printf("\n");
+	}
+}
+
+void
+cmd_helper_swap(void)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	check_cmd(cmd_helper_swap, "swap");
+
+	f = &x->f;
+
+	x_v_memcpy(
+	    f->buf + (unsigned long)GBE_WORK_SIZE,
+	    f->buf,
+	    GBE_PART_SIZE);
+
+	x_v_memcpy(
+	    f->buf,
+	    f->buf + (unsigned long)GBE_PART_SIZE,
+	    GBE_PART_SIZE);
+
+	x_v_memcpy(
+	    f->buf + (unsigned long)GBE_PART_SIZE,
+	    f->buf + (unsigned long)GBE_WORK_SIZE,
+	    GBE_PART_SIZE);
+
+	set_part_modified(0);
+	set_part_modified(1);
+}
+
+void
+cmd_helper_copy(void)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	check_cmd(cmd_helper_copy, "copy");
+
+	f = &x->f;
+
+	x_v_memcpy(
+	    f->buf + (unsigned long)((f->part ^ 1) * GBE_PART_SIZE),
+	    f->buf + (unsigned long)(f->part * GBE_PART_SIZE),
+	    GBE_PART_SIZE);
+
+	set_part_modified(f->part ^ 1);
+}
+
+void
+cmd_helper_cat(void)
+{
+	struct xstate *x = xstatus();
+	check_cmd(cmd_helper_cat, "cat");
+
+	x->cat = 0;
+	cat(0);
+}
+
+void
+cmd_helper_cat16(void)
+{
+	struct xstate *x = xstatus();
+	check_cmd(cmd_helper_cat16, "cat16");
+
+	x->cat = 1;
+	cat(1);
+}
+
+void
+cmd_helper_cat128(void)
+{
+	struct xstate *x = xstatus();
+	check_cmd(cmd_helper_cat128, "cat128");
+
+	x->cat = 15;
+	cat(15);
+}
+
+void
+cat(unsigned long nff)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	unsigned long p;
+	unsigned long ff;
+
+	f = &x->f;
+
+	p = 0;
+	ff = 0;
+
+	if ((unsigned long)x->cat != nff) {
+
+		err(ECANCELED, "erroneous call to cat");
+	}
+
+	fflush(NULL);
+
+	memset(f->pad, 0xff, GBE_PART_SIZE);
+
+	for (p = 0; p < 2; p++) {
+
+		cat_buf(f->bufcmp +
+		    (unsigned long)(p * (f->gbe_file_size >> 1)));
+
+		for (ff = 0; ff < nff; ff++) {
+
+			cat_buf(f->pad);
+		}
+	}
+}
+
+void
+cat_buf(unsigned char *b)
+{
+	if (b == NULL)
+		err(errno, "null pointer in cat command");
+
+	if (rw_file_exact(STDOUT_FILENO, b,
+	    GBE_PART_SIZE, 0, IO_WRITE, LOOP_EAGAIN, LOOP_EINTR,
+	    MAX_ZERO_RW_RETRY, OFF_ERR) < 0)
+		err(errno, "stdout: cat");
+}
+void
+check_cmd(void (*fn)(void),
+    const char *name)
+{
+	struct xstate *x = xstatus();
+	unsigned long i;
+
+	if (x->cmd[x->i].run != fn)
+		err(ECANCELED, "Running %s, but cmd %s is set",
+		    name, x->cmd[x->i].str);
+
+	/*
+	 * In addition to making sure we ran
+	 * the right command, we now disable
+	 * all commands from running again
+	 *
+	 * the _nop function will just call
+	 * err() immediately
+	 */
+
+	for (i = 0; i < items(x->cmd); i++)
+		x->cmd[i].run = cmd_helper_err;
+}
+
+void
+cmd_helper_err(void)
+{
+	err(ECANCELED,
+	    "Erroneously running command twice");
+}
--- a/util/nvmutil/file.c
+++ b/util/nvmutil/file.c
@@ -0,0 +1,987 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (c) 2026 Leah Rowe <leah@libreboot.org>
+ *
+ * Safe file handling.
+ */
+
+#ifdef __OpenBSD__
+#include <sys/param.h>
+#endif
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "include/common.h"
+
+/*
+ * TODO: make generic. S_ISREG: check every other
+ * type, erring only if it doesn't match what was
+ * passed as type requested.
+ * also:
+ * have variable need_seek, only err on seek if
+ * need_seek is set.
+ * also consider the stat check in this generic
+ * context
+ * make tthe return type an int, not a void.
+ * return -1 with errno set to indicate error,
+ * though the syscalls mostly handle that.
+ * save errno before lseek, resetting it after
+ * the check if return >-1
+ */
+void
+xopen(int *fd_ptr, const char *path, int flags, struct stat *st)
+{
+	if ((*fd_ptr = open(path, flags)) == -1)
+		err(errno, "%s", path);
+
+	if (fstat(*fd_ptr, st) == -1)
+		err(errno, "%s: stat", path);
+
+	if (!S_ISREG(st->st_mode))
+		err(errno, "%s: not a regular file", path);
+
+	if (lseek(*fd_ptr, 0, SEEK_CUR) == (off_t)-1)
+		err(errno, "%s: file not seekable", path);
+}
+
+/*
+ * Ensure rename() is durable by syncing the
+ * directory containing the target file.
+ */
+int
+fsync_dir(const char *path)
+{
+	int saved_errno = errno;
+
+	unsigned long pathlen;
+	unsigned long maxlen;
+
+	char *dirbuf;
+	int dirfd;
+
+	char *slash;
+
+	struct stat st;
+
+#if defined(PATH_LEN) && \
+    (PATH_LEN) >= 256
+	maxlen = PATH_LEN;
+#else
+	maxlen = 1024;
+#endif
+
+	dirbuf = NULL;
+	dirfd = -1;
+
+	pathlen = xstrxlen(path, maxlen);
+
+	if (pathlen >= maxlen) {
+		fprintf(stderr, "Path too long for fsync_parent_dir\n");
+		goto err_fsync_dir;
+	}
+
+	if (pathlen == 0)
+	{
+		errno = EINVAL;
+		goto err_fsync_dir;
+	}
+
+	dirbuf = malloc(pathlen + 1);
+	if (dirbuf == NULL)
+		goto err_fsync_dir;
+
+	x_v_memcpy(dirbuf, path, pathlen + 1);
+	slash = x_c_strrchr(dirbuf, '/');
+
+	if (slash != NULL) {
+		*slash = '\0';
+		if (*dirbuf == '\0') {
+			dirbuf[0] = '/';
+			dirbuf[1] = '\0';
+		}
+	} else {
+		dirbuf[0] = '.';
+		dirbuf[1] = '\0';
+	}
+
+	dirfd = open(dirbuf, O_RDONLY
+#ifdef O_DIRECTORY
+	    | O_DIRECTORY
+#endif
+#ifdef O_NOFOLLOW
+	    | O_NOFOLLOW
+#endif
+	);
+	if (dirfd == -1)
+		goto err_fsync_dir;
+
+	if (fstat(dirfd, &st) < 0)
+		goto err_fsync_dir;
+
+	if (!S_ISDIR(st.st_mode)) {
+		fprintf(stderr, "%s: not a directory\n", dirbuf);
+		goto err_fsync_dir;
+	}
+
+	/* sync file on disk */
+	if (x_i_fsync(dirfd) == -1)
+		goto err_fsync_dir;
+
+	if (x_i_close(dirfd) == -1)
+		goto err_fsync_dir;
+
+	if (dirbuf != NULL)
+		free(dirbuf);
+
+	errno = saved_errno;
+	return 0;
+
+err_fsync_dir:
+	if (!errno)
+		errno = EIO;
+
+	if (errno != saved_errno)
+		fprintf(stderr, "%s: %s\n", path, strerror(errno));
+
+	if (dirbuf != NULL)
+		free(dirbuf);
+
+	if (dirfd > -1)
+		x_i_close(dirfd);
+
+	errno = saved_errno;
+
+	return -1;
+}
+
+/*
+ * create new tmpfile path
+ *
+ * ON SUCCESS:
+ *
+ * returns ptr to path string on success
+ * ALSO: the int at *fd will be set,
+ *       indicating the file descriptor
+ *
+ * ON ERROR:
+ *
+ * return NULL (*fd not touched)
+ *
+ * malloc() may set errno, but you should
+ * not rely on errno from this function
+ *
+ * local: if non-zero, then only a file
+ * name will be given, relative to
+ * the current file name. for this,
+ * the 3rd argument (path) must be non-null
+ *
+ * if local is zero, then 3rd arg (path)
+ * is irrelevant and can be NULL
+ */
+char *
+new_tmpfile(int *fd, int local, const char *path)
+{
+	unsigned long maxlen;
+	struct stat st;
+
+	/*
+	 * please do not modify the
+	 * strings or I will get mad
+	 */
+	char tmp_none[] = "";
+	char tmp_default[] = "/tmp";
+	char default_tmpname[] = "tmpXXXXXX";
+	char *tmpname;
+
+	char *base = NULL;
+	char *dest = NULL;
+
+	unsigned long tmpdir_len = 0;
+	unsigned long tmpname_len = 0;
+	unsigned long tmppath_len = 0;
+
+	int fd_tmp = -1;
+	int flags;
+
+	/*
+	 * 256 is the most
+	 * conservative path
+	 * size limit (posix),
+	 * but 4096 is modern
+	 *
+	 * set PATH_LEN as you
+	 * wish, at build time
+	 */
+
+#if defined(PATH_LEN) && \
+    (PATH_LEN) >= 256
+	maxlen = PATH_LEN;
+#else
+	maxlen = 1024;
+#endif
+
+	tmpname = default_tmpname;
+	if (local) {
+		if (path == NULL)
+			goto err_new_tmpfile;
+		if (*path == '\0')
+			goto err_new_tmpfile;
+
+		if (stat(path, &st) == -1)
+			goto err_new_tmpfile;
+
+		if (!S_ISREG(st.st_mode))
+			goto err_new_tmpfile;
+
+		tmpname = (char *)path;
+	}
+
+	if (local) {
+		base = tmp_none;
+
+		/*
+		 * appended to filename for tmp:
+		 */
+		tmpdir_len = xstrxlen(default_tmpname, maxlen);
+	} else {
+		base = x_c_tmpdir();
+
+		if (base == NULL)
+			base = tmp_default;
+		if (*base == '\0')
+			base = tmp_default;
+
+		tmpdir_len = xstrxlen(base, maxlen);
+	}
+
+	tmpname_len = xstrxlen(tmpname, maxlen);
+
+	tmppath_len = tmpdir_len + tmpname_len;
+	++tmppath_len; /* for '/' or '.' */
+
+	/*
+	 * max length -1 of maxlen
+	 * for termination
+	 */
+	if (tmpdir_len > maxlen - tmpname_len - 1)
+		goto err_new_tmpfile;
+
+	/* +1 for NULL */
+	dest = malloc(tmppath_len + 1);
+	if (dest == NULL)
+		goto err_new_tmpfile;
+
+	if (local) {
+
+		*dest = '.'; /* hidden file */
+
+		x_v_memcpy(dest + (unsigned long)1, tmpname, tmpname_len);
+
+		x_v_memcpy(dest + (unsigned long)1 + tmpname_len,
+		    default_tmpname, tmpdir_len);
+	} else {
+
+		x_v_memcpy(dest, base, tmpdir_len);
+
+		dest[tmpdir_len] = '/';
+
+		x_v_memcpy(dest + tmpdir_len + 1, tmpname, tmpname_len);
+	}
+
+	dest[tmppath_len] = '\0';
+
+	fd_tmp = x_i_mkstemp(dest);
+	if (fd_tmp == -1)
+		goto err_new_tmpfile;
+
+	if (fchmod(fd_tmp, 0600) == -1)
+		goto err_new_tmpfile;
+
+	flags = fcntl(fd_tmp, F_GETFL);
+
+	if (flags == -1)
+		goto err_new_tmpfile;
+
+	/*
+	 * O_APPEND would permit offsets
+	 * to be ignored, which breaks
+	 * positional read/write
+	 */
+	if (flags & O_APPEND)
+		goto err_new_tmpfile;
+
+	if (lock_file(fd_tmp, flags) == -1)
+		goto err_new_tmpfile;
+
+	if (fstat(fd_tmp, &st) == -1)
+		goto err_new_tmpfile;
+
+	/*
+	 * Extremely defensive
+	 * likely pointless checks
+	 */
+
+	/* check if it's a file */
+	if (!S_ISREG(st.st_mode))
+		goto err_new_tmpfile;
+
+	/* check if it's seekable */
+	if (lseek(fd_tmp, 0, SEEK_CUR) == (off_t)-1)
+		goto err_new_tmpfile;
+
+	/* tmpfile has >1 hardlinks */
+	if (st.st_nlink > 1)
+		goto err_new_tmpfile;
+
+	/* tmpfile unlinked while opened */
+	if (st.st_nlink == 0)
+		goto err_new_tmpfile;
+
+	*fd = fd_tmp;
+
+	return dest;
+
+err_new_tmpfile:
+
+	if (dest != NULL)
+		free(dest);
+
+	if (fd_tmp > -1)
+		x_i_close(fd_tmp);
+
+	return NULL;
+}
+
+int
+lock_file(int fd, int flags)
+{
+	struct flock fl;
+
+	memset(&fl, 0, sizeof(fl));
+
+	if ((flags & O_ACCMODE) == O_RDONLY)
+		fl.l_type = F_RDLCK;
+	else
+		fl.l_type = F_WRLCK;
+
+	fl.l_whence = SEEK_SET;
+
+	if (fcntl(fd, F_SETLK, &fl) == -1)
+		return -1;
+
+	return 0;
+}
+
+char *
+x_c_tmpdir(void)
+{
+	char *t;
+	struct stat st;
+
+	t = getenv("TMPDIR");
+	t = getenv("TMPDIR");
+
+	if (t && *t) {
+		if (stat(t, &st) == 0 && S_ISDIR(st.st_mode)) {
+			if ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX))
+				return NULL;
+			return t;
+		}
+	}
+
+	if (stat("/tmp", &st) == 0 && S_ISDIR(st.st_mode))
+		return "/tmp";
+
+	if (stat("/var/tmp", &st) == 0 && S_ISDIR(st.st_mode))
+		return "/var/tmp";
+
+	return ".";
+}
+
+/*
+ * portable mkstemp
+ */
+int
+x_i_mkstemp(char *template)
+{
+	int fd;
+	int i, j;
+	unsigned long len;
+	char *p;
+
+	char ch[] =
+	    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+
+	unsigned long r;
+
+	len = xstrxlen(template, PATH_LEN);
+
+	/* find trailing XXXXXX */
+	if (len < 6)
+		return -1;
+
+	p = template + len - 6;
+
+	for (i = 0; i < 100; i++) {
+
+		for (j = 0; j < 6; j++) {
+			r = rlong();
+			p[j] = ch[(unsigned long)(r >> 1) % (sizeof(ch) - 1)];
+		}
+
+		fd = open(template, O_RDWR | O_CREAT | O_EXCL, 0600);
+
+		if (fd >= 0)
+			return fd;
+
+		if (errno != EEXIST)
+			return -1;
+	}
+
+	errno = EEXIST;
+	return -1;
+}
+
+/*
+ * Safe I/O functions wrapping around
+ * read(), write() and providing a portable
+ * analog of both pread() and pwrite().
+ * These functions are designed for maximum
+ * robustness, checking NULL inputs, overflowed
+ * outputs, and all kinds of errors that the
+ * standard libc functions don't.
+ *
+ * Looping on EINTR and EAGAIN is supported.
+ * EINTR/EAGAIN looping is done indefinitely.
+ */
+
+/*
+ * rw_file_exact() - Read perfectly or die
+ *
+ * Read/write, and absolutely insist on an
+ * absolute read; e.g. if 100 bytes are
+ * requested, this MUST return 100.
+ *
+ * This function will never return zero.
+ * It will only return below (error),
+ * or above (success). On error, -1 is
+ * returned and errno is set accordingly.
+ *
+ * Zero-byte returns are not allowed.
+ * It will re-spin a finite number of
+ * times upon zero-return, to recover,
+ * otherwise it will return an error.
+ */
+long
+rw_file_exact(int fd, unsigned char *mem, unsigned long nrw,
+    off_t off, int rw_type, int loop_eagain,
+    int loop_eintr, unsigned long max_retries,
+    int off_reset)
+{
+	long rval;
+	long rc;
+
+	unsigned long nrw_cur;
+
+	off_t off_cur;
+	void *mem_cur;
+
+	unsigned long retries_on_zero;
+
+	rval = 0;
+
+	rc = 0;
+	retries_on_zero = 0;
+
+	if (io_args(fd, mem, nrw, off, rw_type) == -1)
+		return -1;
+
+	while (1) {
+	
+		/* Prevent theoretical overflow */
+		if (rval >= 0 && (unsigned long)rval > (nrw - rc))
+			goto err_rw_file_exact;
+
+		rc += rval;
+		if ((unsigned long)rc >= nrw)
+			break;
+
+		mem_cur = (void *)(mem + (unsigned long)rc);
+		nrw_cur = (unsigned long)(nrw - (unsigned long)rc);
+		if (off < 0)
+			goto err_rw_file_exact;
+		off_cur = off + (off_t)rc;
+
+		rval = prw(fd, mem_cur, nrw_cur, off_cur,
+		    rw_type, loop_eagain, loop_eintr,
+		    off_reset);
+
+		if (rval < 0)
+			return -1;
+
+		if (rval == 0) {
+			if (retries_on_zero++ < max_retries)
+				continue;
+			goto err_rw_file_exact;
+		}
+
+		retries_on_zero = 0;
+	}
+
+	if ((unsigned long)rc != nrw)
+		goto err_rw_file_exact;
+
+	return rw_over_nrw(rc, nrw);
+
+err_rw_file_exact:
+	errno = EIO;
+	return -1;
+}
+
+/*
+ * prw() - portable read-write
+ *
+ * This implements a portable analog of pwrite()
+ * and pread() - note that this version is not
+ * thread-safe (race conditions are possible on
+ * shared file descriptors).
+ *
+ * This limitation is acceptable, since nvmutil is
+ * single-threaded. Portability is the main goal.
+ *
+ * If you need real pwrite/pread, just compile
+ * with flag: HAVE_REAL_PREAD_PWRITE=1
+ *
+ * A fallback is provided for regular read/write.
+ * rw_type can be IO_READ, IO_WRITE, IO_PREAD
+ * or IO_PWRITE
+ *
+ * loop_eagain does a retry loop on EAGAIN if set
+ * loop_eintr does a retry loop on EINTR if set
+ *
+ * Unlike the bare syscalls, prw() does security
+ * checks e.g. checks NULL strings, checks bounds,
+ * also mitigates a few theoretical libc bugs.
+ * It is designed for extremely safe single-threaded
+ * I/O on applications that need it.
+ *
+ * NOTE: If you use loop_eagain (1), you enable wait
+ * loop on EAGAIN. Beware if using this on a non-blocking
+ * pipe (it could spin indefinitely).
+ *
+ * off_reset: if zero, and using fallback pwrite/pread
+ *            analogs, we check if a file offset changed,
+ *            which would indicate another thread changed
+ *            it, and return error, without resetting the
+ *            file - this would allow that thread to keep
+ *            running, but we could then cause a whole
+ *            program exit if we wanted to.
+ *            if not zero:
+ *            we reset and continue, and pray for the worst.
+ */
+
+long
+prw(int fd, void *mem, unsigned long nrw,
+    off_t off, int rw_type,
+    int loop_eagain, int loop_eintr,
+    int off_reset)
+{
+#ifndef MAX_EAGAIN_RETRIES
+	unsigned long retries = 100000;
+#else
+	unsigned long retries = MAX_EAGAIN_RETRIES;
+#endif
+
+	long r;
+	int positional_rw;
+	struct stat st;
+#if !defined(HAVE_REAL_PREAD_PWRITE) || \
+    HAVE_REAL_PREAD_PWRITE < 1
+	int saved_errno;
+	off_t verified;
+	off_t off_orig;
+	off_t off_last;
+#endif
+
+	if (io_args(fd, mem, nrw, off, rw_type)
+	    == -1) {
+		return -1;
+	}
+
+	r = -1;
+
+	/* Programs like cat can use this,
+	   so we only check if it's a normal
+	   file if not looping EAGAIN */
+	if (!loop_eagain) {
+		/*
+		 * Checking on every run of prw()
+		 * is expensive if called many
+		 * times, but is defensive in
+		 * case the status changes.
+		 */
+		if (check_file(fd, &st) == -1)
+			return -1;
+	}
+
+	if (rw_type >= IO_PREAD)
+		positional_rw = 1; /* pread/pwrite */
+	else
+		positional_rw = 0; /* read/write */
+
+try_rw_again:
+
+	if (!positional_rw) {
+#if defined(HAVE_REAL_PREAD_PWRITE) && \
+    HAVE_REAL_PREAD_PWRITE > 0
+real_pread_pwrite:
+#endif
+		if (rw_type == IO_WRITE)
+			r = write(fd, mem, nrw);
+		else if (rw_type == IO_READ)
+			r = read(fd, mem, nrw);
+#if defined(HAVE_REAL_PREAD_PWRITE) && \
+    HAVE_REAL_PREAD_PWRITE > 0
+		else if (rw_type == IO_PWRITE)
+			r = pwrite(fd, mem, nrw, off);
+		else if (rw_type == IO_PREAD)
+			r = pread(fd, mem, nrw, off);
+#endif
+
+		if (r == -1 && (errno == try_err(loop_eintr, EINTR)
+		    || errno == try_err(loop_eagain, EAGAIN)))
+			goto try_rw_again;
+
+		return rw_over_nrw(r, nrw);
+	}
+
+#if defined(HAVE_REAL_PREAD_PWRITE) && \
+    HAVE_REAL_PREAD_PWRITE > 0
+	goto real_pread_pwrite;
+#else
+	if ((off_orig = lseek_loop(fd, (off_t)0, SEEK_CUR,
+	    loop_eagain, loop_eintr)) == (off_t)-1) {
+		r = -1;
+	} else if (lseek_loop(fd, off, SEEK_SET,
+	    loop_eagain, loop_eintr) == (off_t)-1) {
+		r = -1;
+	} else {
+		verified = lseek_loop(fd, (off_t)0, SEEK_CUR,
+		    loop_eagain, loop_eintr);
+
+		/*
+		 * Partial thread-safety: detect
+		 * if the offset changed to what
+		 * we previously got. If it did,
+		 * then another thread may have
+		 * changed it. Enabled if
+		 * off_reset is OFF_RESET.
+		 *
+		 * We do this *once*, on the theory
+		 * that nothing is touching it now.
+		 */
+		if (off_reset && off != verified)
+			lseek_loop(fd, off, SEEK_SET,
+			    loop_eagain, loop_eintr);
+
+		do {
+			/*
+			 * Verify again before I/O
+			 * (even with OFF_ERR)
+			 *
+			 * This implements the first check
+			 * even with OFF_ERR, but without
+			 * the recovery. On ERR_RESET, if
+			 * the check fails again, then we
+			 * know something else is touching
+			 * the file, so it's best that we
+			 * probably leave it alone and err.
+			 *
+			 * In other words, ERR_RESET only
+			 * tolerates one change. Any more
+			 * will cause an exit, including
+			 * per EINTR/EAGAIN re-spin.
+			 */
+			verified = lseek_loop(fd, (off_t)0, SEEK_CUR,
+			    loop_eagain, loop_eintr);
+
+			if (off != verified)
+				goto err_prw;
+
+			if (rw_type == IO_PREAD)
+				r = read(fd, mem, nrw);
+			else if (rw_type == IO_PWRITE)
+				r = write(fd, mem, nrw);
+
+			if (rw_over_nrw(r, nrw) == -1) {
+				errno = EIO;
+				break;
+			}
+
+		} while (r == -1 &&
+		    (errno == try_err(loop_eintr, EINTR) ||
+		     errno == try_err(loop_eagain, EAGAIN)) &&
+		    retries++ < MAX_EAGAIN_RETRIES);
+	}
+
+	saved_errno = errno;
+
+	off_last = lseek_loop(fd, off_orig, SEEK_SET,
+	    loop_eagain, loop_eintr);
+
+	if (off_last != off_orig) {
+		errno = saved_errno;
+		goto err_prw;
+	}
+
+	errno = saved_errno;
+
+	return rw_over_nrw(r, nrw);
+#endif
+
+err_prw:
+	errno = EIO;
+	return -1;
+}
+
+int
+io_args(int fd, void *mem, unsigned long nrw,
+    off_t off, int rw_type)
+{
+	/* obviously */
+	if (mem == NULL)
+		goto err_io_args;
+
+	/* uninitialised fd */
+	if (fd < 0)
+		goto err_io_args;
+
+	/* negative offset */
+	if (off < 0)
+		goto err_io_args;
+
+	/* prevent zero-byte rw */
+	if (!nrw)
+		goto err_io_args;
+
+	/* prevent overflow */
+	if (nrw > (unsigned long)X_LONG_MAX)
+		goto err_io_args;
+
+	/* prevent overflow */
+	if (((unsigned long)off + nrw) < (unsigned long)off)
+		goto err_io_args;
+
+	if (rw_type > IO_PWRITE)
+		goto err_io_args;
+
+	return 0;
+
+err_io_args:
+	errno = EIO;
+	return -1;
+}
+
+int
+check_file(int fd, struct stat *st)
+{
+	if (fstat(fd, st) == -1)	
+		goto err_is_file;
+
+	if (!S_ISREG(st->st_mode))
+		goto err_is_file;
+
+	return 0;
+
+err_is_file:
+	errno = EIO;
+	return -1;
+}
+
+/*
+ * Check overflows caused by buggy libc.
+ *
+ * POSIX can say whatever it wants.
+ * specification != implementation
+ */
+long
+rw_over_nrw(long r, unsigned long nrw)
+{
+	/*
+	 * If a byte length of zero
+	 * was requested, that is
+	 * clearly a bug. No way.
+	 */
+	if (!nrw)
+		goto err_rw_over_nrw;
+
+	if (r == -1)
+		return r;
+
+	if ((unsigned long)
+	    r > X_LONG_MAX) {
+
+		/*
+		 * Theoretical buggy libc
+		 * check. Extremely academic.
+		 *
+		 * Specifications never
+		 * allow this return value
+		 * to exceed SSIZE_T, but
+		 * spec != implementation
+		 *
+		 * Check this after using
+		 * [p]read() or [p]write()
+		 */
+		goto err_rw_over_nrw;
+	}
+
+	/*
+	 * Theoretical buggy libc:
+	 * Should never return a number of
+	 * bytes above the requested length.
+	 */
+	if ((unsigned long)r > nrw)
+		goto err_rw_over_nrw;
+
+	return r;
+
+err_rw_over_nrw:
+
+	errno = EIO;
+	return -1;
+}
+
+#if !defined(HAVE_REAL_PREAD_PWRITE) || \
+    HAVE_REAL_PREAD_PWRITE < 1
+/*
+ * lseek_loop() does lseek() but optionally
+ * on an EINTR/EAGAIN wait loop. Used by prw()
+ * for setting offsets for positional I/O.
+ */
+off_t
+lseek_loop(int fd, off_t off, int whence,
+    int loop_eagain, int loop_eintr)
+{
+	off_t old;
+
+	old = -1;
+
+	do {
+		old = lseek(fd, off, whence);
+	} while (old == (off_t)-1 && (
+	    errno == try_err(loop_eintr, EINTR) ||
+	    errno == try_err(loop_eagain, EAGAIN)));
+
+	return old;
+}
+#endif
+
+/*
+ * If a given error loop is enabled,
+ * e.g. EINTR or EAGAIN, an I/O operation
+ * will loop until errno isn't -1 and one
+ * of these, e.g. -1 and EINTR
+ */
+int
+try_err(int loop_err, int errval)
+{
+	if (loop_err)
+		return errval;
+
+	/* errno is never negative,
+	   so functions checking it
+	   can use it accordingly */
+	return -1;
+}
+
+/*
+ * non-atomic rename
+ *
+ * commented because i can't sacrifice
+ * exactly this property. nvmutil tries
+ * to protect files against e.g. power loss
+ */
+/*
+int
+x_i_rename(const char *src, const char *dst)
+{
+	int sfd, dirfd;
+	ssize_t r;
+	char buf[8192];
+
+	sfd = open(src, O_RDONLY);
+	if (sfd < 0)
+		return -1;
+
+	dirfd = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+	if (dirfd < 0) {
+		x_i_close(sfd);
+		return -1;
+	}
+
+	while ((r = read(sfd, buf, sizeof(buf))) > 0) {
+		ssize_t w = write(dirfd, buf, r);
+		if (w != r) {
+			x_i_close(sfd);
+			x_i_close(dirfd);
+			return -1;
+		}
+	}
+
+	if (r < 0) {
+		x_i_close(sfd);
+		x_i_close(dirfd);
+		return -1;
+	}
+
+	x_i_fsync(dirfd);
+
+	x_i_close(sfd);
+	x_i_close(dirfd);
+
+	if (unlink(src) < 0)
+		return -1;
+
+	return 0;
+}
+*/
+
+int
+x_i_close(int fd)
+{
+	int r;
+	int saved_errno = errno;
+
+	do {
+		r = close(fd);
+	} while (r == -1 && errno == EINTR);
+
+	if (r > -1)
+		errno = saved_errno;
+
+	return r;
+}
+
+int
+x_i_fsync(int fd)
+{
+	int r;
+
+	do {
+		r = fsync(fd);
+	} while (r == -1 && errno == EINTR);
+
+	return r;
+}
--- a/util/nvmutil/include/common.h
+++ b/util/nvmutil/include/common.h
@@ -4,16 +4,28 @@
 * Copyright (c) 2022-2026 Leah Rowe <leah@libreboot.org>
 */

+/*
+ * TODO: split this per .c file
+ */
+
 /* Use this shorthand in cmd helpers. e.g.
   in cmd_setmac function:
   check_cmd(cmd_helper_cat);
 */

+#ifndef COMMON_H
+#define COMMON_H
+
 /*
 * system prototypes
 */
+
 int fchmod(int fd, mode_t mode);

+/*
+ * build config
+ */
+
 #ifndef NVMUTIL_H
 #define NVMUTIL_H

@@ -313,7 +325,7 @@ struct xstate {



-static struct xstate *xstatus(void);
+struct xstate *xstatus(void);

 /*
 * Sanitize command tables.
@@ -549,3 +561,4 @@ typedef char bool_off_reset[(OFF_RESET==0||OFF_RESET==1)?1:-1];


 #endif
+#endif
--- a/util/nvmutil/io.c
+++ b/util/nvmutil/io.c
@@ -0,0 +1,746 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (c) 2026 Leah Rowe <leah@libreboot.org>
+ *
+ * I/O functions specific to nvmutil.
+ *
+ * Related: file.c
+ */
+
+#ifdef __OpenBSD__
+#include <sys/param.h>
+#endif
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "include/common.h"
+
+void
+open_gbe_file(void)
+{
+	struct xstate *x = xstatus();
+	struct commands *cmd;
+	struct xfile *f;
+
+	struct stat _st;
+	int _flags;
+
+	cmd = &x->cmd[x->i];
+	f = &x->f;
+
+	xopen(&f->gbe_fd, f->fname,
+	    cmd->flags | O_BINARY |
+	    O_NOFOLLOW | O_CLOEXEC, &_st);
+
+	/* inode will be checked later on write */
+	f->gbe_dev = _st.st_dev;
+	f->gbe_ino = _st.st_ino;
+
+	if (_st.st_nlink > 1)
+		err(EINVAL,
+		    "%s: warning: file has multiple (%lu) hard links\n",
+		    f->fname, (unsigned long)_st.st_nlink);
+
+	if (_st.st_nlink == 0)
+		err(EIO, "%s: file unlinked while open", f->fname);
+
+	_flags = fcntl(f->gbe_fd, F_GETFL);
+	if (_flags == -1)
+		err(errno, "%s: fcntl(F_GETFL)", f->fname);
+
+	/*
+	 * O_APPEND must not be used, because this
+	 * allows POSIX write() to ignore the
+	 * current write offset and write at EOF,
+	 * which would therefore break pread/pwrite
+	 */
+	if (_flags & O_APPEND)
+		err(EIO, "%s: O_APPEND flag", f->fname);
+
+	f->gbe_file_size = _st.st_size;
+
+	switch (f->gbe_file_size) {
+	case SIZE_8KB:
+	case SIZE_16KB:
+	case SIZE_128KB:
+		break;
+	default:
+		err(EINVAL, "File size must be 8KB, 16KB or 128KB");
+	}
+
+	if (lock_file(f->gbe_fd, cmd->flags) == -1)
+		err(errno, "%s: can't lock", f->fname);
+}
+
+/*
+ * We copy the entire gbe file
+ * to the tmpfile, and then we
+ * work on that. We copy back
+ * afterward. this is the copy.
+ *
+ * we copy to tmpfile even on
+ * read-only commands, for the
+ * double-read verification,
+ * which also benefits cmd_cat.
+ */
+void
+copy_gbe(void)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	f = &x->f;
+
+	read_file();
+
+	/*
+	 regular operations post-read operate only on the first
+	 8KB, because each GbE part is the first 4KB of each
+	 half of the file.
+
+	 we no longer care about anything past 8KB, until we get
+	 to writing, at which point we will flush the buffer
+	 again
+	 */
+
+	if (f->gbe_file_size == SIZE_8KB)
+		return;
+
+	x_v_memcpy(f->buf + (unsigned long)GBE_PART_SIZE,
+	    f->buf + (unsigned long)(f->gbe_file_size >> 1),
+	    (unsigned long)GBE_PART_SIZE);
+}
+
+void
+read_file(void)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	struct stat _st;
+	long _r;
+
+	f = &x->f;
+
+	/* read main file */
+	_r = rw_file_exact(f->gbe_fd, f->buf, f->gbe_file_size,
+	    0, IO_PREAD, NO_LOOP_EAGAIN, LOOP_EINTR,
+	    MAX_ZERO_RW_RETRY, OFF_ERR);
+
+	if (_r < 0)
+		err(errno, "%s: read failed", f->fname);
+
+	/* copy to tmpfile */
+
+	_r = rw_file_exact(f->tmp_fd, f->buf, f->gbe_file_size,
+	    0, IO_PWRITE, NO_LOOP_EAGAIN, LOOP_EINTR,
+	    MAX_ZERO_RW_RETRY, OFF_ERR);
+
+	if (_r < 0)
+		err(errno, "%s: %s: copy failed",
+		    f->fname, f->tname);
+
+	/*
+	 * file size comparison
+	 */
+
+	if (fstat(f->tmp_fd, &_st) == -1)
+		err(errno, "%s: stat", f->tname);
+
+	f->gbe_tmp_size = _st.st_size;
+
+	if (f->gbe_tmp_size != f->gbe_file_size)
+		err(EIO, "%s: %s: not the same size",
+		    f->fname, f->tname);
+
+	/*
+	 * fsync tmp gbe file, because we will compare
+	 * its contents to what was read (for safety)
+	 */
+	if (x_i_fsync(f->tmp_fd) == -1)
+		err(errno, "%s: fsync (tmpfile copy)", f->tname);
+
+	_r = rw_file_exact(f->tmp_fd, f->bufcmp, f->gbe_file_size,
+	    0, IO_PREAD, NO_LOOP_EAGAIN, LOOP_EINTR,
+	    MAX_ZERO_RW_RETRY, OFF_ERR);
+
+	if (_r < 0)
+		err(errno, "%s: read failed (cmp)", f->tname);
+
+	if (x_i_memcmp(f->buf, f->bufcmp, f->gbe_file_size) != 0)
+		err(errno, "%s: %s: read contents differ (pre-test)",
+		    f->fname, f->tname);
+}
+void
+write_gbe_file(void)
+{
+	struct xstate *x = xstatus();
+	struct commands *cmd;
+	struct xfile *f;
+
+	struct stat _gbe_st;
+	struct stat _tmp_st;
+
+	unsigned long p;
+	unsigned char update_checksum;
+
+	cmd = &x->cmd[x->i];
+	f = &x->f;
+
+	if ((cmd->flags & O_ACCMODE) == O_RDONLY)
+		return;
+
+	if (fstat(f->gbe_fd, &_gbe_st) == -1)
+		err(errno, "%s: re-check", f->fname);
+	if (_gbe_st.st_dev != f->gbe_dev || _gbe_st.st_ino != f->gbe_ino)
+		err(EIO, "%s: file replaced while open", f->fname);
+	if (_gbe_st.st_size != f->gbe_file_size)
+		err(errno, "%s: file size changed before write", f->fname);
+	if (!S_ISREG(_gbe_st.st_mode))
+		err(errno, "%s: file type changed before write", f->fname);
+
+	if (fstat(f->tmp_fd, &_tmp_st) == -1)
+		err(errno, "%s: re-check", f->tname);
+	if (_tmp_st.st_dev != f->tmp_dev || _tmp_st.st_ino != f->tmp_ino)
+		err(EIO, "%s: file replaced while open", f->tname);
+	if (_tmp_st.st_size != f->gbe_file_size)
+		err(errno, "%s: file size changed before write", f->tname);
+	if (!S_ISREG(_tmp_st.st_mode))
+		err(errno, "%s: file type changed before write", f->tname);
+
+	update_checksum = cmd->chksum_write;
+
+	for (p = 0; p < 2; p++) {
+		if (!f->part_modified[p])
+			continue;
+
+		if (update_checksum)
+			set_checksum(p);
+
+		rw_gbe_file_part(p, IO_PWRITE, "pwrite");
+	}
+}
+
+void
+rw_gbe_file_part(unsigned long p, int rw_type,
+    const char *rw_type_str)
+{
+	struct xstate *x = xstatus();
+	struct commands *cmd;
+	struct xfile *f;
+
+	long rval;
+
+	off_t file_offset;
+
+	unsigned long gbe_rw_size;
+	unsigned char *mem_offset;
+
+	cmd = &x->cmd[x->i];
+	f = &x->f;
+
+	gbe_rw_size = cmd->rw_size;
+
+	if (rw_type < IO_PREAD || rw_type > IO_PWRITE)
+		err(errno, "%s: %s: part %lu: invalid rw_type, %d",
+		    f->fname, rw_type_str, (unsigned long)p, rw_type);
+
+	mem_offset = gbe_mem_offset(p, rw_type_str);
+	file_offset = (off_t)gbe_file_offset(p, rw_type_str);
+
+	rval = rw_gbe_file_exact(f->tmp_fd, mem_offset,
+	    gbe_rw_size, file_offset, rw_type);
+
+	if (rval == -1)
+		err(errno, "%s: %s: part %lu",
+		    f->fname, rw_type_str, (unsigned long)p);
+
+	if ((unsigned long)rval != gbe_rw_size)
+		err(EIO, "%s: partial %s: part %lu",
+		    f->fname, rw_type_str, (unsigned long)p);
+}
+
+void
+write_to_gbe_bin(void)
+{
+	struct xstate *x = xstatus();
+	struct commands *cmd;
+	struct xfile *f;
+
+	int saved_errno;
+	int mv;
+
+	cmd = &x->cmd[x->i];
+	f = &x->f;
+
+	if ((cmd->flags & O_ACCMODE) != O_RDWR)
+		return;
+
+	write_gbe_file();
+
+	/*
+	 * We may otherwise read from
+	 * cache, so we must sync.
+	 */
+	if (x_i_fsync(f->tmp_fd) == -1)
+		err(errno, "%s: fsync (pre-verification)",
+		    f->tname);
+
+	check_written_part(0);
+	check_written_part(1);
+
+	report_io_err_rw();
+
+	if (f->io_err_gbe)
+		err(EIO, "%s: bad write", f->fname);
+
+	/*
+	 * success!
+	 * now just rename the tmpfile
+	 */
+
+	saved_errno = errno;
+
+	if (x_i_close(f->tmp_fd) == -1) {
+		fprintf(stderr, "FAIL: %s: close\n", f->tname);
+		f->io_err_gbe_bin = 1;
+	}
+
+	if (x_i_close(f->gbe_fd) == -1) {
+		fprintf(stderr, "FAIL: %s: close\n", f->fname);
+		f->io_err_gbe_bin = 1;
+	}
+
+	errno = saved_errno;
+
+	f->tmp_fd = -1;
+	f->gbe_fd = -1;
+
+	if (!f->io_err_gbe_bin) {
+
+		mv = gbe_mv();
+
+		if (mv < 0) {
+
+			f->io_err_gbe_bin = 1;
+
+			fprintf(stderr, "%s: %s\n",
+			    f->fname, strerror(errno));
+		} else {
+			/*
+			 * tmpfile removed
+			 * by the rename
+			 */
+
+			if (f->tname != NULL)
+				free(f->tname);
+
+			f->tname = NULL;
+		}
+	}
+
+	/*
+	 * finally:
+	 * must sync to disk!
+	 * very nearly done
+	 */
+
+	if (!f->io_err_gbe_bin)
+		return;
+
+	fprintf(stderr, "FAIL (rename): %s: skipping fsync\n",
+	    f->fname);
+	if (errno)
+		fprintf(stderr,
+		    "errno %d: %s\n", errno, strerror(errno));
+}
+
+void
+check_written_part(unsigned long p)
+{
+	struct xstate *x = xstatus();
+	struct commands *cmd;
+	struct xfile *f;
+
+	long rval;
+
+	unsigned long gbe_rw_size;
+
+	off_t file_offset;
+	unsigned char *mem_offset;
+
+	struct stat st;
+	unsigned char *buf_restore;
+
+	cmd = &x->cmd[x->i];
+	f = &x->f;
+
+	if (!f->part_modified[p])
+		return;
+
+	gbe_rw_size = cmd->rw_size;
+
+	mem_offset = gbe_mem_offset(p, "pwrite");
+	file_offset = (off_t)gbe_file_offset(p, "pwrite");
+
+	memset(f->pad, 0xff, sizeof(f->pad));
+
+	if (fstat(f->gbe_fd, &st) == -1)
+		err(errno, "%s: fstat (post-write)", f->fname);
+	if (st.st_dev != f->gbe_dev || st.st_ino != f->gbe_ino)
+		err(EIO, "%s: file changed during write", f->fname);
+
+	if (fstat(f->tmp_fd, &st) == -1)
+		err(errno, "%s: fstat (post-write)", f->tname);
+	if (st.st_dev != f->tmp_dev || st.st_ino != f->tmp_ino)
+		err(EIO, "%s: file changed during write", f->tname);
+
+	rval = rw_gbe_file_exact(f->tmp_fd, f->pad,
+	    gbe_rw_size, file_offset, IO_PREAD);
+
+	if (rval == -1)
+		f->rw_check_err_read[p] = f->io_err_gbe = 1;
+	else if ((unsigned long)rval != gbe_rw_size)
+		f->rw_check_partial_read[p] = f->io_err_gbe = 1;
+	else if (x_i_memcmp(mem_offset, f->pad, gbe_rw_size) != 0)
+		f->rw_check_bad_part[p] = f->io_err_gbe = 1;
+
+	if (f->rw_check_err_read[p] ||
+	    f->rw_check_partial_read[p])
+		return;
+
+	/*
+	 * We only load one part on-file, into memory but
+	 * always at offset zero, for post-write checks.
+	 * That's why we hardcode good_checksum(0).
+	 */
+	buf_restore = f->buf;
+
+	/*
+	 * good_checksum works on f->buf
+	 * so let's change f->buf for now
+	 */
+	f->buf = f->pad;
+
+	if (good_checksum(0))
+		f->post_rw_checksum[p] = 1;
+
+	f->buf = buf_restore;
+}
+
+void
+report_io_err_rw(void)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	unsigned long p;
+
+	f = &x->f;
+
+	if (!f->io_err_gbe)
+		return;
+
+	for (p = 0; p < 2; p++) {
+		if (!f->part_modified[p])
+			continue;
+
+		if (f->rw_check_err_read[p])
+			fprintf(stderr,
+			    "%s: pread: p%lu (post-verification)\n",
+			    f->fname, (unsigned long)p);
+		if (f->rw_check_partial_read[p])
+			fprintf(stderr,
+			    "%s: partial pread: p%lu (post-verification)\n",
+			    f->fname, (unsigned long)p);
+		if (f->rw_check_bad_part[p])
+			fprintf(stderr,
+			    "%s: pwrite: corrupt write on p%lu\n",
+			    f->fname, (unsigned long)p);
+
+		if (f->rw_check_err_read[p] ||
+		    f->rw_check_partial_read[p]) {
+			fprintf(stderr,
+			    "%s: p%lu: skipped checksum verification "
+			    "(because read failed)\n",
+			    f->fname, (unsigned long)p);
+
+			continue;
+		}
+
+		fprintf(stderr, "%s: ", f->fname);
+
+		if (f->post_rw_checksum[p])
+			fprintf(stderr, "GOOD");
+		else
+			fprintf(stderr, "BAD");
+
+		fprintf(stderr, " checksum in p%lu on-disk.\n",
+		    (unsigned long)p);
+
+		if (f->post_rw_checksum[p]) {
+			fprintf(stderr,
+			    "    This does NOT mean it's safe. it may be\n"
+			    "    salvageable if you use the cat feature.\n");
+		}
+	}
+}
+
+int
+gbe_mv(void)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	int rval;
+
+	int saved_errno;
+	int tmp_gbe_bin_exists;
+
+	char *dest_tmp;
+	int dest_fd;
+
+	f = &x->f;
+
+	/* will be set 0 if it doesn't */
+	tmp_gbe_bin_exists = 1;
+
+	dest_tmp = NULL;
+	dest_fd = -1;
+
+	saved_errno = errno;
+
+	rval = rename(f->tname, f->fname);
+
+	if (rval > -1) {
+		/*
+		 * same filesystem
+		 */
+
+		tmp_gbe_bin_exists = 0;
+
+		if (fsync_dir(f->fname) < 0) {
+			f->io_err_gbe_bin = 1;
+			rval = -1;
+		}
+
+		goto ret_gbe_mv;
+	}
+
+	if (errno != EXDEV)
+		goto ret_gbe_mv;
+
+	/* cross-filesystem rename */
+
+	if ((rval = f->tmp_fd = open(f->tname,
+	    O_RDONLY | O_BINARY)) == -1)
+		goto ret_gbe_mv;
+
+	/* create replacement temp in target directory */
+	dest_tmp = new_tmpfile(&dest_fd, 1, f->fname);
+	if (dest_tmp == NULL)
+		goto ret_gbe_mv;
+
+	/* copy data */
+
+	rval = rw_file_exact(f->tmp_fd, f->bufcmp,
+	    f->gbe_file_size, 0, IO_PREAD,
+	    NO_LOOP_EAGAIN, LOOP_EINTR,
+	    MAX_ZERO_RW_RETRY, OFF_ERR);
+
+	if (rval < 0)
+		goto ret_gbe_mv;
+
+	rval = rw_file_exact(dest_fd, f->bufcmp,
+	    f->gbe_file_size, 0, IO_PWRITE,
+	    NO_LOOP_EAGAIN, LOOP_EINTR,
+	    MAX_ZERO_RW_RETRY, OFF_ERR);
+
+	if (rval < 0)
+		goto ret_gbe_mv;
+
+	if (x_i_fsync(dest_fd) == -1)
+		goto ret_gbe_mv;
+
+	if (x_i_close(dest_fd) == -1)
+		goto ret_gbe_mv;
+
+	if (rename(dest_tmp, f->fname) == -1)
+		goto ret_gbe_mv;
+
+	if (fsync_dir(f->fname) < 0) {
+		f->io_err_gbe_bin = 1;
+		goto ret_gbe_mv;
+	}
+
+	free(dest_tmp);
+	dest_tmp = NULL;
+
+ret_gbe_mv:
+
+	if (f->gbe_fd > -1) {
+		if (x_i_close(f->gbe_fd) < 0)
+			rval = -1;
+		if (fsync_dir(f->fname) < 0) {
+			f->io_err_gbe_bin = 1;
+			rval = -1;
+		}
+		f->gbe_fd = -1;
+	}
+
+	if (f->tmp_fd > -1) {
+		if (x_i_close(f->tmp_fd) < 0)
+			rval = -1;
+
+		f->tmp_fd = -1;
+	}
+
+	/*
+	 * before this function is called,
+	 * tmp_fd may have been moved
+	 */
+	if (tmp_gbe_bin_exists) {
+		if (unlink(f->tname) < 0)
+			rval = -1;
+		else
+			tmp_gbe_bin_exists = 0;
+	}
+
+	if (rval < 0) {
+		/*
+		 * if nothing set errno,
+		 * we assume EIO, or we
+		 * use what was set
+		 */
+		if (errno == saved_errno)
+			errno = EIO;
+	} else {
+		errno = saved_errno;
+	}
+
+	return rval;
+}
+
+/*
+ * This one is similar to gbe_file_offset,
+ * but used to check Gbe bounds in memory,
+ * and it is *also* used during file I/O.
+ */
+unsigned char *
+gbe_mem_offset(unsigned long p, const char *f_op)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	off_t gbe_off;
+
+	f = &x->f;
+
+	gbe_off = gbe_x_offset(p, f_op, "mem",
+	    GBE_PART_SIZE, GBE_WORK_SIZE);
+
+	return (unsigned char *)
+	    (f->buf + (unsigned long)gbe_off);
+}
+
+/*
+ * I/O operations filtered here. These operations must
+ * only write from the 0th position or the half position
+ * within the GbE file, and write 4KB of data.
+ *
+ * This check is called, to ensure just that.
+ */
+off_t
+gbe_file_offset(unsigned long p, const char *f_op)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	off_t gbe_file_half_size;
+
+	f = &x->f;
+
+	gbe_file_half_size = f->gbe_file_size >> 1;
+
+	return gbe_x_offset(p, f_op, "file",
+	    gbe_file_half_size, f->gbe_file_size);
+}
+
+off_t
+gbe_x_offset(unsigned long p, const char *f_op, const char *d_type,
+    off_t nsize, off_t ncmp)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	off_t off;
+
+	check_bin(p, "part number");
+
+	f = &x->f;
+
+	off = ((off_t)p) * (off_t)nsize;
+
+	if (off > ncmp - GBE_PART_SIZE)
+		err(ECANCELED, "%s: GbE %s %s out of bounds",
+		    f->fname, d_type, f_op);
+
+	if (off != 0 && off != ncmp >> 1)
+		err(ECANCELED, "%s: GbE %s %s at bad offset",
+		    f->fname, d_type, f_op);
+
+	return off;
+}
+
+long
+rw_gbe_file_exact(int fd, unsigned char *mem, unsigned long nrw,
+    off_t off, int rw_type)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	long r;
+
+	f = &x->f;
+
+	if (io_args(fd, mem, nrw, off, rw_type) == -1)
+		return -1;
+
+	if (mem != (void *)f->pad) {
+		if (mem < f->buf)
+			goto err_rw_gbe_file_exact;
+
+		if ((unsigned long)(mem - f->buf) >= GBE_WORK_SIZE)
+			goto err_rw_gbe_file_exact;
+	}
+
+	if (off < 0 || off >= f->gbe_file_size)
+		goto err_rw_gbe_file_exact;
+
+	if (nrw > (unsigned long)(f->gbe_file_size - off))
+		goto err_rw_gbe_file_exact;
+
+	if (nrw > (unsigned long)GBE_PART_SIZE)
+		goto err_rw_gbe_file_exact;
+
+	r = rw_file_exact(fd, mem, nrw, off, rw_type,
+	    NO_LOOP_EAGAIN, LOOP_EINTR, MAX_ZERO_RW_RETRY,
+	    OFF_ERR);
+
+	return rw_over_nrw(r, nrw);
+
+err_rw_gbe_file_exact:
+	errno = EIO;
+	return -1;
+}
--- a/util/nvmutil/num.c
+++ b/util/nvmutil/num.c
@@ -0,0 +1,103 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (c) 2026 Leah Rowe <leah@libreboot.org>
+ *
+ * Numerical functions.
+ */
+
+#ifdef __OpenBSD__
+#include <sys/param.h>
+#endif
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "include/common.h"
+
+unsigned short
+hextonum(char ch_s)
+{
+	unsigned char ch;
+
+	ch = (unsigned char)ch_s;
+
+	if ((unsigned int)(ch - '0') <= 9)
+		return ch - '0';
+
+	ch |= 0x20;
+
+	if ((unsigned int)(ch - 'a') <= 5)
+		return ch - 'a' + 10;
+
+	if (ch == '?' || ch == 'x')
+		return (unsigned short)rlong() & 0xf;
+
+	return 16; /* invalid character */
+}
+
+/*
+ * Portable random
+ * number generator
+ */
+unsigned long
+rlong(void)
+{
+#if (defined(__OpenBSD__) && (OpenBSD) >= 201) || \
+    defined(__FreeBSD__) || \
+    defined(__NetBSD__) || defined(__APPLE__)
+
+	unsigned long rval;
+	arc4random_buf(&rval, sizeof(unsigned long));
+
+	return rval;
+#else
+	int fd;
+
+	long nr;
+
+	unsigned long rval;
+
+	fd = open("/dev/urandom", O_RDONLY | O_BINARY);
+
+#ifdef __OpenBSD__
+	if (fd < 0) /* old openbsd */
+		fd = open("/dev/arandom", O_RDONLY | O_BINARY);
+#endif
+
+	if (fd < 0)
+		fd = open("/dev/random", O_RDONLY | O_BINARY);
+
+	if (fd < 0)
+		err(errno, "can't open random device");
+
+	nr = rw_file_exact(fd, (unsigned char *)&rval,
+	    sizeof(unsigned long), 0, IO_READ, LOOP_EAGAIN,
+	    LOOP_EINTR, MAX_ZERO_RW_RETRY, OFF_ERR);
+
+	if (x_i_close(fd) < 0)
+		err(errno, "Can't close randomness fd");
+
+	if (nr != sizeof(unsigned long))
+		err(errno, "Incomplete read from random device");
+
+	return rval;
+#endif
+}
+
+void
+check_bin(unsigned long a, const char *a_name)
+{
+	if (a > 1)
+		err(EINVAL, "%s must be 0 or 1, but is %lu",
+		    a_name, (unsigned long)a);
+}
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
--- a/util/nvmutil/state.c
+++ b/util/nvmutil/state.c
@@ -0,0 +1,192 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (c) 2022-2026 Leah Rowe <leah@libreboot.org>
+ *
+ * This tool lets you modify Intel GbE NVM (Gigabit Ethernet
+ * Non-Volatile Memory) images, e.g. change the MAC address.
+ * These images configure your Intel Gigabit Ethernet adapter.
+ *
+ * This code is designed to be portable, running on as many
+ * Unix and Unix-like systems as possible (mainly BSD/Linux).
+ *
+ * Recommended CFLAGS for Clang/GCC:
+ *
+ * -Os -Wall -Wextra -Werror -pedantic -std=c90
+ */
+
+#ifdef __OpenBSD__
+#include <sys/param.h>
+#endif
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "include/common.h"
+
+/*
+ * Program state/command table
+ * Default config stored here,
+ * and copied to a newly allocated
+ * buffer in memory, then the pointer
+ * is passed. The rest of the program
+ * will manipulate this data.
+ */
+/*
+TODO: 
+eventually, i will not have this return
+a pointer at all. instead, a similar key
+mechanism will be used for other access
+functions e.g. word/set_word, err(needs
+to clean up), and so on. then those
+would return values if already initialised,
+but would not permit additional init - will
+decide exactly how to implement this at a
+later state.
+
+this is part of an ongoing effort to introduce
+extreme memory safety into this program.
+ */
+struct xstate *
+xstatus(void)
+{
+	static int first_run = 1;
+
+	static struct xstate us = {
+	/* .cmd (update cmd[] in the struct if adding to it)
+	         DO NOT FORGET. or C will init zeroes/NULLs */
+
+	/* cmd[] members */
+		/* DO NOT MESS THIS UP */
+		/* items must be set *exactly* */
+	{
+	{
+		CMD_DUMP, "dump", cmd_helper_dump, ARGC_3,
+		ARG_NOPART,
+		SKIP_CHECKSUM_READ, SKIP_CHECKSUM_WRITE,
+		NVM_SIZE, O_RDONLY
+	}, {
+		CMD_SETMAC, "setmac", cmd_helper_setmac, ARGC_3,
+		ARG_NOPART,
+		CHECKSUM_READ, CHECKSUM_WRITE,
+		NVM_SIZE, O_RDWR
+	}, {
+		CMD_SWAP, "swap", cmd_helper_swap, ARGC_3,
+		ARG_NOPART,
+		CHECKSUM_READ, SKIP_CHECKSUM_WRITE,
+		GBE_PART_SIZE, O_RDWR
+	}, {
+		CMD_COPY, "copy", cmd_helper_copy, ARGC_4,
+		ARG_PART,
+		CHECKSUM_READ, SKIP_CHECKSUM_WRITE,
+		GBE_PART_SIZE, O_RDWR
+	}, {
+		CMD_CAT, "cat", cmd_helper_cat, ARGC_3,
+		ARG_NOPART,
+		CHECKSUM_READ, SKIP_CHECKSUM_WRITE,
+		GBE_PART_SIZE, O_RDONLY
+	}, {
+		CMD_CAT16, "cat16", cmd_helper_cat16, ARGC_3,
+		ARG_NOPART,
+		CHECKSUM_READ, SKIP_CHECKSUM_WRITE,
+		GBE_PART_SIZE, O_RDONLY
+	}, {
+		CMD_CAT128, "cat128", cmd_helper_cat128, ARGC_3,
+		ARG_NOPART,
+		CHECKSUM_READ, SKIP_CHECKSUM_WRITE,
+		GBE_PART_SIZE, O_RDONLY
+	}
+	},
+
+	/* ->mac */
+	{NULL, "xx:xx:xx:xx:xx:xx", {0, 0, 0}}, /* .str, .rmac, .mac_buf */
+
+	/* .f */
+	{0},
+
+	/* .argv0 (for our getprogname implementation) */
+	NULL,
+
+	/* ->i   (index to cmd[]) */
+	0,
+
+	/* .no_cmd (set 0 when a command is found) */
+	1,
+
+	/* .xsize (size of the stuct will be stored here later) */
+	0,
+
+	/* .cat (cat helpers set this) */
+	-1
+
+	};
+
+	if (!first_run)
+		return &us;
+
+	first_run = 0;
+
+	us.xsize = sizeof(us);
+
+	us.f.buf = us.f.real_buf;
+
+	us.f.gbe_fd = -1;
+	us.f.tmp_fd = -1;
+
+	us.f.tname = NULL;
+	us.f.fname = NULL;
+
+	return &us;
+}
+
+int
+exit_cleanup(void)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	int close_err;
+	int saved_errno;
+
+	close_err = 0;
+	saved_errno = errno;
+
+	if (x != NULL) {
+		f = &x->f;
+
+		if (f->gbe_fd > -1) {
+			if (x_i_close(f->gbe_fd) == -1)
+				close_err = 1;
+			f->gbe_fd = -1;
+		}
+
+		if (f->tmp_fd > -1) {
+			if (x_i_close(f->tmp_fd) == -1)
+				close_err = 1;
+		}
+
+		if (f->tname != NULL) {
+			if (unlink(f->tname) == -1)
+				close_err = 1;
+		}
+
+		f->tmp_fd = -1;
+	}
+
+	if (saved_errno)
+		errno = saved_errno;
+
+	if (close_err)
+		return -1;
+
+	return 0;
+}
--- a/util/nvmutil/string.c
+++ b/util/nvmutil/string.c
@@ -0,0 +1,187 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (c) 2026 Leah Rowe <leah@libreboot.org>
+ *
+ * String handling.
+ */
+
+#ifdef __OpenBSD__
+#include <sys/param.h>
+#endif
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "include/common.h"
+
+/*
+ * Portable strcmp() but blocks NULL/empty/unterminated
+ * strings. Even stricter than strncmp().
+ */
+int
+xstrxcmp(const char *a, const char *b, unsigned long maxlen)
+{
+	unsigned long i;
+
+	if (a == NULL || b == NULL)
+		err(EINVAL, "NULL input to xstrxcmp");
+
+	if (*a == '\0' || *b == '\0')
+		err(EINVAL, "Empty string in xstrxcmp");
+
+	for (i = 0; i < maxlen; i++) {
+
+		unsigned char ac = (unsigned char)a[i];
+		unsigned char bc = (unsigned char)b[i];
+
+		if (ac == '\0' || bc == '\0') {
+			if (ac == bc)
+				return 0;
+			return ac - bc;
+		}
+
+		if (ac != bc)
+			return ac - bc;
+	}
+
+	/*
+	 * We reached maxlen, so assume unterminated string.
+	 */
+	err(EINVAL, "Unterminated string in xstrxcmp");
+
+	/*
+	 * Should never reach here. This keeps compilers happy.
+	 */
+	errno = EINVAL;
+	return -1;
+}
+
+/*
+ * strnlen() but aborts on NULL input, and empty strings.
+ * Our version also prohibits unterminated strings.
+ * strnlen() was standardized in POSIX.1-2008 and is not
+ * available on some older systems, so we provide our own.
+ */
+unsigned long
+xstrxlen(const char *scmp, unsigned long maxlen)
+{
+	unsigned long xstr_index;
+
+	if (scmp == NULL)
+		err(EINVAL, "NULL input to xstrxlen");
+
+	if (*scmp == '\0')
+		err(EINVAL, "Empty string in xstrxlen");
+
+	for (xstr_index = 0;
+	    xstr_index < maxlen && scmp[xstr_index] != '\0';
+	    xstr_index++);
+
+	if (xstr_index == maxlen)
+		err(EINVAL, "Unterminated string in xstrxlen");
+
+	return xstr_index;
+}
+
+void
+err(int nvm_errval, const char *msg, ...)
+{
+	struct xstate *x = xstatus();
+
+	va_list args;
+
+	if (errno == 0)
+		errno = nvm_errval;
+	if (!errno)
+		errno = ECANCELED;
+
+	(void)exit_cleanup();
+
+	if (x != NULL)
+		fprintf(stderr, "%s: ", getnvmprogname());
+
+	va_start(args, msg);
+	vfprintf(stderr, msg, args);
+	va_end(args);
+
+	fprintf(stderr, ": %s\n", strerror(errno));
+
+	exit(EXIT_FAILURE);
+}
+
+const char *
+getnvmprogname(void)
+{
+	struct xstate *x = xstatus();
+
+	const char *p;
+	static char fallback[] = "nvmutil";
+
+	char *rval = fallback;
+
+	if (x != NULL) {
+		if (x->argv0 == NULL || *x->argv0 == '\0')
+			return "";
+
+		rval = x->argv0;
+	}
+
+	p = x_c_strrchr(rval, '/');
+
+	if (p)
+		return p + 1;
+	else
+		return rval;
+}
+
+char *
+x_c_strrchr(const char *s, int c)
+{
+	const char *p = NULL;
+
+	while (*s) {
+		if (*s == (char)c)
+			p = s;
+		s++;
+	}
+
+	if (c == '\0')
+		return (char *)s;
+
+	return (char *)p;
+}
+
+void *
+x_v_memcpy(void *dst, const void *src, unsigned long n)
+{
+	unsigned char *d = (unsigned char *)dst;
+	const unsigned char *s = (const unsigned char *)src;
+
+	while (n--)
+		*d++ = *s++;
+
+	return dst;
+}
+
+int
+x_i_memcmp(const void *a, const void *b, unsigned long n)
+{
+	const unsigned char *pa = (const unsigned char *)a;
+	const unsigned char *pb = (const unsigned char *)b;
+
+	for ( ; n--; ++pa, ++pb)
+		if (*pa != *pb)
+			return *pa - *pb;
+
+	return 0;
+}
--- a/util/nvmutil/usage.c
+++ b/util/nvmutil/usage.c
@@ -0,0 +1,48 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (c) 2023 Riku Viitanen <riku.viitanen@protonmail.com>
+ * Copyright (c) 2026 Leah Rowe <leah@libreboot.org>
+ *
+ */
+
+#ifdef __OpenBSD__
+#include <sys/param.h>
+#endif
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "include/common.h"
+
+void
+usage(void)
+{
+	const char *util;
+
+	util = getnvmprogname();
+
+	fprintf(stderr,
+	    "Modify Intel GbE NVM images e.g. set MAC\n"
+	    "USAGE:\n"
+	    "\t%s FILE dump\n"
+	    "\t%s FILE setmac [MAC]\n"
+	    "\t%s FILE swap\n"
+	    "\t%s FILE copy 0|1\n"
+	    "\t%s FILE cat\n"
+	    "\t%s FILE cat16\n"
+	    "\t%s FILE cat128\n",
+	    util, util, util, util,
+	    util, util, util);
+
+	err(EINVAL, "Too few arguments");
+}
--- a/util/nvmutil/word.c
+++ b/util/nvmutil/word.c
@@ -0,0 +1,98 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (c) 2022-2026 Leah Rowe <leah@libreboot.org>
+ *
+ * Manipulate sixteen-bit little-endian
+ * words on Intel GbE NVM configurations.
+ */
+
+#ifdef __OpenBSD__
+#include <sys/param.h>
+#endif
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "include/common.h"
+
+/*
+ * GbE NVM files store 16-bit (2-byte) little-endian words.
+ * We must therefore swap the order when reading or writing.
+ *
+ * NOTE: The MAC address words are stored big-endian in the
+ * file, but we assume otherwise and adapt accordingly.
+ */
+
+unsigned short
+nvm_word(unsigned long pos16, unsigned long p)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	unsigned long pos;
+
+	f = &x->f;
+
+	check_nvm_bound(pos16, p);
+	pos = (pos16 << 1) + (p * GBE_PART_SIZE);
+
+	return (unsigned short)f->buf[pos] |
+	    ((unsigned short)f->buf[pos + 1] << 8);
+}
+
+void
+set_nvm_word(unsigned long pos16, unsigned long p, unsigned short val16)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	unsigned long pos;
+
+	f = &x->f;
+
+	check_nvm_bound(pos16, p);
+	pos = (pos16 << 1) + (p * GBE_PART_SIZE);
+
+	f->buf[pos] = (unsigned char)(val16 & 0xff);
+	f->buf[pos + 1] = (unsigned char)(val16 >> 8);
+
+	set_part_modified(p);
+}
+
+void
+set_part_modified(unsigned long p)
+{
+	struct xstate *x = xstatus();
+	struct xfile *f;
+
+	f = &x->f;
+
+	check_bin(p, "part number");
+	f->part_modified[p] = 1;
+}
+
+void
+check_nvm_bound(unsigned long c, unsigned long p)
+{
+	/*
+	 * NVM_SIZE assumed as the limit, because this
+	 * current design assumes that we will only
+	 * ever modified the NVM area.
+	 */
+
+	check_bin(p, "part number");
+
+	if (c >= NVM_WORDS)
+		err(ECANCELED, "check_nvm_bound: out of bounds %lu",
+		    (unsigned long)c);
+}