The /tmp directory is mounted as tmpfs. The tmpfs filesystem is backed by
anonymous memory, which means it can be swapped out at any time, if there is
memory pressure [1]. For this reason, a zram swap device is a much better
choice than mounting /tmp on zram, since it's able to compress all anonymous
memory, and not just the memory assigned to /tmp. We already have the zram-swap
package for this specific purpose, which means procd's tmp-on-zram is both
redundant and more limited.
A follow-up patch will remove support for mounting /tmp in zram from procd
itself.
[1] https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Enable support for allocating user space page table entries in high memory [1],
for the targets which support this feature. This saves precious low memory
(permanently mapped, the only type of memory directly accessible by the kernel).
[1] https://www.kernel.org/doc/html/latest/vm/highmem.html
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Update to the latest upstream version. In this version there is a new
tool with which you can convert ipsets into nftables sets. Since we are
now using nftables as default firewall, this could be a useful tool for
porting ipsets to nftables sets.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Release notes:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.2-relnotes.txt
```
It includes the following security fix
* In some situations the X.509 verifier would discard an error on an
unverified certificate chain, resulting in an authentication bypass.
Thanks to Ilya Shipitsin and Timo Steinlein for reporting.
```
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Remove macOS stuff. Upstream has fixed it in the same way.
Add SOL_TCP define. Taken from elsewhere in the code.
Refreshed patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Switched to CMake for faster compilation and greater parallel
friendliness.
Added CMake options from the packages feed.
This release fixes various CVEs.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Switched to building with meson as it's faster and does not need a
dependency on cmake, which takes a long time to build.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Refresh 2to3 patch. Upstream partially did this against some older
python version. This is still needed.
Refreshed other patches to be python3 safe.
Remove uClibc patches as only musl is present now.
Refresh others.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
For debugging purposes, we need to know if users are using modified
U-boot versions or not. Currently, the U-boot version is somehow
stripped. This is a little bit problematic when there are
backported/wip/to-upstream patches.
To make it more confusing, there was (before this commit) two U-boot
versioning. U-boot compiled by OpenWrt build bots are missing ``Build:``
This is also the case when the U-boot is compiled locally.
Example:
```
U-Boot SPL 2022.01 (Jan 27 2022 - 00:24:34 +0000)
U-Boot 2022.01 (Jan 27 2022 - 00:24:34 +0000)
```
On the other hand, if you run full build, you can at least see, where it
was compiled. Notice added ``Build:``.
Example:
```
U-Boot 2022.01 (Jan 27 2022 - 00:24:34 +0000), Build: jenkins-turris-os-packages-burstlab-omnia-216
```
In both cases, it is not clear to U-boot developers if it is an unmodified
build. This is also caused that there is a missing ``.git`` file from
U-boot folder, and so there is no history. It leads to that it can not
contain suffix ``-dirty`` (uncommitted modifications) or even something
else like number of commits, etc. [1]
When U-boot is compiled as it should be, the version should look like
this: ``U-Boot 2022.04-rc1-01173-g278195ea1f (Feb 11 2022 - 14:46:50 +0100)``
The date is not changed daily when there are new OpenWrt builds.
This commit adds OpenWrt specific version, which could be verified by
using strings.
```
$ strings bin/targets/mvebu/cortexa9/u-boot-omnia/u-boot-spl.kwb | grep -E "OpenWrt*"
U-Boot SPL 2022.01-OpenWrt-r18942+54-cbfce92367 (Feb 21 2022 - 13:17:34 +0000)
arm-openwrt-linux-muslgnueabi-gcc (OpenWrt GCC 11.2.0 r18942+54-cbfce92367) 11.2.0
2022.01-OpenWrt-r18942+54-cbfce92367
U-Boot 2022.01-OpenWrt-r18942+54-cbfce92367 (Feb 21 2022 - 13:17:34 +0000)
```
[1] https://u-boot.readthedocs.io/en/latest/develop/version.html
Reported-by: Pali Rohár <pali@kernel.org>
Suggested-by: Karel Kočí <karel.koci@nic.cz>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
If a image is bigger than the device can handle, an error message is
printed. This is usually silenced and silently ignored, making it harder
to debug. While it's possible to run the build in verbose mode (via
`make V=s`) and grep for *is too big*, it's more intuitive to print the
error message directly. For that use the newly unlocked `$(call
ERROR_MESSAGE,...)` definition which now also print in non-verbose mode.
Fixes: FS#50 (aka #7604)
Signed-off-by: Paul Spooren <mail@aparcar.org>
Using `make -j9` only prints a subset of messages to follow the build
process progressing. However this silently skips over errors which might
be of interested. Using `make V=s` easily floods the terminal making it
hard to find error messages between the lines.
A compromise is the usage of `$(call ERROR_MESSAGE,...)` which prints a
message in red. This function is silenced in the non-verbose mode, even
if only used at a single place in `package/Makefile` where it notifies
about a OPKG corner case.
This commit moves the `ERROR_MESSAGE` definition outside of the
`OPENWRT_VERBOSE` condition and print error messages in every mode.
With this in place further error messages are possible.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Ran `make kernel_menuconfig CONFIG_TARGET=bcm2710` having used the snapshot
config for bcm2710[1]. Manually added back two symbols that the make target
removed, namely:
* # CONFIG_SND_SOC_AD193X_I2C is not set
* # CONFIG_SND_SOC_AD193X_SPI is not set
1. https://downloads.openwrt.org/snapshots/targets/bcm27xx/bcm2710/config.buildinfo
Signed-off-by: John Audia <graysky@archlinux.us>
Ran `make kernel_menuconfig CONFIG_TARGET=bcm2711` having used the snapshot
config for bcm2711[1]. Manually added back two symbols that the make target
removed, namely:
* # CONFIG_SND_SOC_AD193X_I2C is not set
* # CONFIG_SND_SOC_AD193X_SPI is not set
Without adding these back, the build fails due to unsatisfied deps[2].
Build system: x86_64
Build-tested: bcm2711/multidevices
1. https://downloads.openwrt.org/snapshots/targets/bcm27xx/bcm2711/config.buildinfo
2. a478202d74 (commitcomment-67096592)
Signed-off-by: John Audia <graysky@archlinux.us>
iptables-nft doesn't depend on libip{4,6}tc, so move
libiptext* libs in their own packages to clean up dependencies
Rename libxtables-nft to libiptext-nft
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Using PROVIDES allows to have other packages continue to
depend on iptables and users to pick between legacy and nft
version.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
'iptables-mod-' can be used directly by firewall3, by
iptables and by iptables-nft. They are not linked to
iptables but to libxtables, so fix the dependencies to allow
to remove iptables(-legacy)
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
libxtables doesn't depend on libnftnl, iptables-nft does,
so move the dependency to not pull libnftnl with firewall3/iptables-legacy
Also libxtables-nft depends on IPTABLES_NFTABLES
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Fixes following missing kernel config symbol after adding GPIO watchdog:
Software watchdog (SOFT_WATCHDOG) [M/n/y/?] m
Watchdog device controlled through GPIO-line (GPIO_WATCHDOG) [Y/n/m/?] y
Register the watchdog as early as possible (GPIO_WATCHDOG_ARCH_INITCALL) [N/y/?] (NEW)
Fixes: 1a97c03d86 ("rampis: feed zbt-we1026 external watchdog")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Fixes following warning message during image building process:
Finalizing root filesystem...
root-ipq806x/lib/upgrade/asrock.sh: line 1: /lib/functions.sh: No such file or directory
Enabling boot
root-ipq806x/lib/upgrade/asrock.sh: line 1: /lib/functions.sh: No such file or directory
Enabling bootcount
Fixes#9350
Fixes: 98b86296e6 ("ipq806x: add support for ASRock G10")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
It seems, that there are currently some unhandled corner cases in which
`.toolchain_build_ver` results in empty file and thus forcing rebuilds,
even if the toolchain was build correctly just a few moments ago. Until
proper fix is found, workaround that by checking for this corner case
and simply populate `.toolchain_build_ver` file.
While at it, improve the UX and display version mismatch, so it's more
clear what has forced the rebuild:
"Toolchain build version changed (11.2.0-1 != ), running make targetclean"
References: https://gitlab.com/ynezz/openwrt/-/jobs/2133332533/raw
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Fixes following complaints and suggestions:
In scripts/check-toolchain-clean.sh line 2:
eval `grep CONFIG_GCC_VERSION .config`
^-- SC2046 (warning): Quote this to prevent word splitting.
^-- SC2006 (style): Use $(...) notation instead of legacy backticks `...`.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
TP-Link Archer A9 v6 (FCCID: TE7A9V6) is an AC1900 Wave-2 gigabit home
router based on a combination of Qualcomm QCN5502 (most likely a 4x4:4
version of the QCA9563 WiSOC), QCA9984 and QCA8337N.
The vendor's firmware content reveals that the same device might be
available on the US market under name 'Archer C90 v6'. Due to lack of
access to such hardware, support introduced in this commit was tested
only on the EU version (sold under 'Archer A9 v6' name).
Based on the information on the PL version of the vendor website, this
device has been already phased out and is no longer available.
Specifications:
- Qualcomm QCN5502 (775 MHz)
- 128 MB of RAM (DDR2)
- 16 MB of flash (SPI NOR)
- 5x Gbps Ethernet (Qualcomm QCA8337N over SGMII)
- Wi-Fi:
- 802.11b/g/n on 2.4 GHz: Qualcomm QCN5502* in 4x4:4 mode
- 802.11a/n/ac on 5 GHz: Qualcomm QCA9984 in 3x3:3 mode
- 3x non-detachable, dual-band external antennas (~3.5 dBi for 5 GHz,
~2.2 dBi for 2.4 GHz, IPEX/U.FL connectors)
- 1x internal PCB antenna for 2.4 GHz (~1.8 dBi)
- 1x USB 2.0 Type-A
- 11x LED (4x connected to QCA8337N, 7x connected to QCN5502)
- 2x button (reset, WPS)
- UART (4-pin, 2.54 mm pitch) header on PCB (not populated)
- 1x mechanical power switch
- 1x DC jack (12 V)
*) unsupported due to missing support for QCN550x in ath9k
UART system serial console notice:
The RX signal of the main SOC's UART on this device is shared with the
WPS button's GPIO. The first-stage U-Boot by default disables the RX,
resulting in a non-functional UART input.
If you press and keep 'ENTER' on the serial console during early
boot-up, the first-stage U-Boot will enable RX input.
Vendor firmware allows password-less access to the system over serial.
Flash instruction (vendor GUI):
1. It is recommended to first upgrade vendor firmware to the latest
version (1.1.1 Build 20210315 rel.40637 at the time of writing).
2. Use the 'factory' image directly in the vendor's GUI.
Flash instruction (TFTP based recovery in second-stage U-Boot):
1. Rename 'factory' image to 'ArcherA9v6_tp_recovery.bin'
2. Setup a TFTP server on your PC with IP 192.168.0.66/24.
3. Press and hold the reset button for ~5 sec while turning on power.
4. The device will download image, flash it and reboot.
Flash instruction (web based recovery in first-stage U-Boot):
1. Use 'CTRL+C' during power-up to enable CLI in first-stage U-Boot.
2. Connect a PC with IP set to 192.168.0.1 to one of the LAN ports.
3. Issue 'httpd' command and visit http://192.168.0.1 in browser.
4. Use the 'factory' image.
If you would like to restore vendor's firmware, follow one of the
recovery methods described above.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
ALFA Network Tube-2HQ is a successor of the Tube-2H/P series (EOL) which
was based on the Atheros AR9331. The new version uses Qualcomm QCA9531.
Specifications:
- Qualcomm/Atheros QCA9531 v2
- 650/400/200 MHz (CPU/DDR/AHB)
- 64 or 128 MB of RAM (DDR2)
- 16+ MB of flash (SPI NOR)
- 1x 10/100 Mbps Ethernet with passive PoE input (24 V)
(802.3at/af PoE support with optional module)
- 1T1R 2.4 GHz Wi-Fi with external PA (SE2623L, up to 27 dBm) and LNA
- 1x Type-N (male) antenna connector
- 6x LED (5x driven by GPIO)
- 1x button (reset)
- external h/w watchdog (EM6324QYSP5B, enabled by default)
- UART (4-pin, 2.00 mm pitch) header on PCB
Flash instruction:
You can use sysupgrade image directly in vendor firmware which is based
on LEDE/OpenWrt. Alternatively, you can use web recovery mode in U-Boot:
1. Configure PC with static IP 192.168.1.2/24.
2. Connect PC with one of RJ45 ports, press the reset button, power up
device, wait for first blink of all LEDs (indicates network setup),
then keep button for 3 following blinks and release it.
3. Open 192.168.1.1 address in your browser and upload sysupgrade image.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Drop custom 'mtd-cal-data' and switch to 'nvmem-cells' based solution
for fetching radio calibration data and its MAC address.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
All the QCA9531 based boards from ALFA Network are based on the same
design and share a common DTSI: 'qca9531_alfa-network_r36a.dtsi'.
Instead of defining 'nvmem-cells' for the MAC address in every device's
DTS, move definition to the common DTSI file.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Bump the last missing target to Kernel 5.10. While this requires a work
around to boot it will allow more people to test the new Kernel before
the upcomming release.
Signed-off-by: Paul Spooren <mail@aparcar.org>
This is a workaround to make the target overall bootable. With this more
people should be able to test the Kernel 5.10 and report further issues.
Suggested-by: Daniel González Cabanelas <dgcbueu@gmail.com>
Signed-off-by: Paul Spooren <mail@aparcar.org>
Add support for the TP-Link EAP615-Wall, an AX1800 Wall Plate WiFi 6 AP.
The device is very similar to the TP-Link EAP235-Wall.
Hardware:
* SoC: MediaTek MT7621AT
* RAM: 128MiB
* Flash: 16MiB SPI-NOR
* Ethernet: 4x GbE
* Back: ETH0 (PoE-PD)
* Bottom: ETH1, ETH2, ETH3 (PoE passthrough)
* WiFi: MT7905DAN/MT7975DN 2.4/5 GHz 2T2R
* LEDS: 1x white
* Buttons: 1x LED, 1x reset
Stock firmware uses a random MAC address for ethernet. OpenWrt uses the
MAC address that is on the device label for ethernet and the wireless
interfaces. MAC address must not be incremented, as this will cause MAC
address conflicts in case you have two devices with consecutive MAC
addresses. Instead, different locally administered addresses will be
generated automatically, based on the MAC on the label.
Installation via stock firmware:
* Enable SSH in the TP-Link web interface
* SSH to the device
* Run `cliclientd stopcs`
* Upload the OpenWrt factory image via the TP-Link web interface
Installation via bootloader:
* Solder TTL header. Pinout: 1: TX, 2: RX, 3: GND, 4: VCC, with pin 1
closest to ETH1. Baud rate 115200
* Interrupt boot process by holding a key during boot
* Boot the OpenWrt initramfs:
# tftpboot 0x84000000 openwrt-ramips-mt7621-tplink_eap615-wall-v1-initramfs-kernel.bin
# bootm
* Copy openwrt-ramips-mt7621-tplink_eap615-wall-v1-squashfs-sysupgrade.bin
to /tmp and use sysupgrade to install it
Thanks to Sander Vanheule for his work on the EAP235-Wall, which made
adding support for the EAP615-Wall very easy.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Sander Vanheule <sander@svanheule.net>
Acked-by: Arınç ÜNAL <arinc.unal@arinc9.com>
706e9cc tplink-safeloader: support for Archer A6 v3 JP
497726b firmware-utils: support checksum for AVM fritzbox wasp SOCs
2ca6462 iptime-crc32: add support for AX8004M
57d0e31 tplink-safeloader: TP-Link EAP615-Wall v1 support
8a8da19 tplink-safeloader: add TL-WPA8631P v3 support
eea4ee7 tplink-safeloader: add TP-Link Archer A9 v6 support
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Debians' changelog by Henrique de Moraes Holschuh <hmh@debian.org>:
* upstream changelog: new upstream datafile 20220207
* Mitigates (*only* when loaded from UEFI firmware through the FIT)
CVE-2021-0146, INTEL-SA-00528: VT-d privilege escalation through
debug port, on Pentium, Celeron and Atom processors with signatures
0x506c9, 0x506ca, 0x506f1, 0x706a1, 0x706a8
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/57#issuecomment-1036363145
* Mitigates CVE-2021-0127, INTEL-SA-00532: an unexpected code breakpoint
may cause a system hang, on many processors.
* Mitigates CVE-2021-0145, INTEL-SA-00561: information disclosure due
to improper sanitization of shared resources (fast-store forward
predictor), on many processors.
* Mitigates CVE-2021-33120, INTEL-SA-00589: out-of-bounds read on some
Atom Processors may allow information disclosure or denial of service
via network access.
* Fixes critical errata (functional issues) on many processors
* Adds a MSR switch to enable RAPL filtering (default off, once enabled
it can only be disabled by poweroff or reboot). Useful to protect
SGX and other threads from side-channel info leak. Improves the
mitigation for CVE-2020-8694, CVE-2020-8695, INTEL-SA-00389 on many
processors.
* Disables TSX in more processor models.
* Fixes issue with WBINDV on multi-socket (server) systems which could
cause resets and unpredictable system behavior.
* Adds a MSR switch to 10th and 11th-gen (Ice Lake, Tiger Lake, Rocket
Lake) processors, to control a fix for (hopefully rare) unpredictable
processor behavior when HyperThreading is enabled. This MSR switch
is enabled by default on *server* processors. On other processors,
it needs to be explicitly enabled by an updated UEFI/BIOS (with added
configuration logic). An updated operating system kernel might also
be able to enable it. When enabled, this fix can impact performance.
* Updated Microcodes:
sig 0x000306f2, pf_mask 0x6f, 2021-08-11, rev 0x0049, size 38912
sig 0x000306f4, pf_mask 0x80, 2021-05-24, rev 0x001a, size 23552
sig 0x000406e3, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 105472
sig 0x00050653, pf_mask 0x97, 2021-05-26, rev 0x100015c, size 34816
sig 0x00050654, pf_mask 0xb7, 2021-06-16, rev 0x2006c0a, size 43008
sig 0x00050656, pf_mask 0xbf, 2021-08-13, rev 0x400320a, size 35840
sig 0x00050657, pf_mask 0xbf, 2021-08-13, rev 0x500320a, size 36864
sig 0x0005065b, pf_mask 0xbf, 2021-06-04, rev 0x7002402, size 28672
sig 0x00050663, pf_mask 0x10, 2021-06-12, rev 0x700001c, size 28672
sig 0x00050664, pf_mask 0x10, 2021-06-12, rev 0xf00001a, size 27648
sig 0x00050665, pf_mask 0x10, 2021-09-18, rev 0xe000014, size 23552
sig 0x000506c9, pf_mask 0x03, 2021-05-10, rev 0x0046, size 17408
sig 0x000506ca, pf_mask 0x03, 2021-05-10, rev 0x0024, size 16384
sig 0x000506e3, pf_mask 0x36, 2021-04-29, rev 0x00ec, size 108544
sig 0x000506f1, pf_mask 0x01, 2021-05-10, rev 0x0036, size 11264
sig 0x000606a6, pf_mask 0x87, 2021-12-03, rev 0xd000331, size 291840
sig 0x000706a1, pf_mask 0x01, 2021-05-10, rev 0x0038, size 74752
sig 0x000706a8, pf_mask 0x01, 2021-05-10, rev 0x001c, size 75776
sig 0x000706e5, pf_mask 0x80, 2021-05-26, rev 0x00a8, size 110592
sig 0x000806a1, pf_mask 0x10, 2021-09-02, rev 0x002d, size 34816
sig 0x000806c1, pf_mask 0x80, 2021-08-06, rev 0x009a, size 109568
sig 0x000806c2, pf_mask 0xc2, 2021-07-16, rev 0x0022, size 96256
sig 0x000806d1, pf_mask 0xc2, 2021-07-16, rev 0x003c, size 101376
sig 0x000806e9, pf_mask 0x10, 2021-04-28, rev 0x00ec, size 104448
sig 0x000806e9, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 104448
sig 0x000806ea, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 103424
sig 0x000806eb, pf_mask 0xd0, 2021-04-28, rev 0x00ec, size 104448
sig 0x000806ec, pf_mask 0x94, 2021-04-28, rev 0x00ec, size 104448
sig 0x00090661, pf_mask 0x01, 2021-09-21, rev 0x0015, size 20480
sig 0x000906c0, pf_mask 0x01, 2021-08-09, rev 0x2400001f, size 20480
sig 0x000906e9, pf_mask 0x2a, 2021-04-29, rev 0x00ec, size 106496
sig 0x000906ea, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 102400
sig 0x000906eb, pf_mask 0x02, 2021-04-28, rev 0x00ec, size 104448
sig 0x000906ec, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424
sig 0x000906ed, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424
sig 0x000a0652, pf_mask 0x20, 2021-04-28, rev 0x00ec, size 93184
sig 0x000a0653, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 94208
sig 0x000a0655, pf_mask 0x22, 2021-04-28, rev 0x00ee, size 94208
sig 0x000a0660, pf_mask 0x80, 2021-04-28, rev 0x00ea, size 94208
sig 0x000a0661, pf_mask 0x80, 2021-04-29, rev 0x00ec, size 93184
sig 0x000a0671, pf_mask 0x02, 2021-08-29, rev 0x0050, size 102400
* Removed Microcodes:
sig 0x00080664, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048
sig 0x00080665, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048
* update .gitignore and debian/.gitignore.
Add some missing items from .gitignore and debian/.gitignore.
* ucode-blacklist: do not late-load 0x406e3 and 0x506e3.
When the BIOS microcode is older than revision 0x7f (and perhaps in some
other cases as well), the latest microcode updates for 0x406e3 and
0x506e3 must be applied using the early update method. Otherwise, the
system might hang. Also: there must not be any other intermediate
microcode update attempts [other than the one done by the BIOS itself],
either. It must go from the BIOS microcode update directly to the
latest microcode update.
* source: update symlinks to reflect id of the latest release, 20220207
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
