Commit Graph

46475 Commits

Author SHA1 Message Date
Maxim Storchak
5f07b6f367 zram-swap: support swap priority
If zram-backed swap is added after an existing swap, it gets a lower
priority. Assiming that usually all other swaps are slower, there should
be a way to assign a higher priority to zram swap.

Signed-off-by: Maxim Storchak <m.storchak@gmail.com>
2020-01-15 20:49:00 +01:00
David Bauer
c9ac7b1729 ath79: add support for D-Link DIR-505
This commit adds support for the D-Link DIR-505, previously supported in
ar71xx.

Hardware
--------
SoC:   Atheros AR9330
FLASH: 8M SPI-NOR
RAM:   64M
WIFI:  1T1R 1SS Atheros AR9330
LED:   Power green, Status red
BTN:   WPS, Reset

Installation
------------
Currently, installation is only possible by sysupgrading from an earlier
OpenWrt version, U-Boot TFTP or a modded U-Boot. I do not have the
original bootloader from D-Link on my device anymore, so i cannot test
the factory image.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-01-15 20:38:46 +01:00
Rosen Penev
475a504dbc perf: Add libunwind only if selected
The depends are totally wrong. libunwind does not work with powerpc and
i386 as it needs glibc.

Instead of duplicating the platforms, just change the dependency.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-01-15 20:34:16 +01:00
Florian Eckert
ee2014e680 uhttpd: add enable instance option
With this change it is now possible to switch off single instances of
the uhttpd config. Until now it was only possible to switch all
instances of uhttpd on or off.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2020-01-15 20:16:42 +01:00
Kyle Copperfield
0fcb4a3981 hostapd: add wpa_strict_rekey support
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Rekey GTK on STA disassociate

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2020-01-15 20:13:49 +01:00
Kyle Copperfield
30c64825c7 hostapd: add dtim_period, local_pwr_constraint, spectrum_mgmt_required
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Allows dtim_period to be configurable, the default is from hostapd.
Adds additional regulatory tunables for power constraint and spectrum
managment.

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2020-01-15 20:13:44 +01:00
Jeff Kletsky
e96bfaedf3 ath79: GL-AR750S (NOR/NAND): limit factory.img kernel size to 2 MB
The present U-Boot for GL-AR750S has a limit of 2 MB for kernel size.
While sysupgrade can manage kernels up to the present limit of 4 MB,
directly flashing a factory.img with a kernel size greater than 2 MB
through U-Boot will result in an unbootable device.

This commit uses the newly-introduced check-kernel-size build
operation to prevent the output of factory.img when the kernel
exceeds 2 MB in size, yet permits output of sysupgrade.img
as long as the kernel is within KERNEL_SIZE := 4096k

Cc: Chuanhong Guo <gch981213@gmail.com>

Signed-off-by: Jeff Kletsky <git-commits@allycomm.com>
2020-01-15 20:06:02 +01:00
Jeff Kletsky
f0b76d02e8 build: define check-kernel-size to remove unflashable images
Certain boards have limitations on U-Boot that prevent flashing
of images where the kernel size exceeds a threshold, yet
sysupgrade can sucessfully manage larger kernels. The current
check-size will remove the target artifact if its total size
exceeds the threshold. If applied after append-kernel,
it will remove the kernel, but the remaining image-assembly
steps will continue, resulting in an image without a kernel
that is likely unbootable.

By defining check-kernel-size, it is now possible to prevent release
of such unbootable images through a construct similar to:

  IMAGE/factory.img := append-kernel | pad-to $$$$(GL_UBOOT_UBI_OFFSET) | \
    append-ubi | check-kernel-size $$$$(GL_UBOOT_UBI_OFFSET)

Cc: Chuanhong Guo <gch981213@gmail.com>

Signed-off-by: Jeff Kletsky <git-commits@allycomm.com>
2020-01-15 20:05:48 +01:00
Kyle Copperfield
0da193ee69 dropbear: move failsafe code out of base-files
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Failsafe code of dropbear should be in the dropbear package not the
base-files package.

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2020-01-15 20:04:06 +01:00
Linus Walleij
f704f97e4c busybox: Include hdparm by default on nas type device
NAS devices certainly need to have hdparm to configure
things like spin-down time or their disks will be
constantly spinning. Just catenate CONFIG_HDPARM=y
on these configs.

Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2020-01-15 19:57:27 +01:00
Tomasz Maciej Nowak
2248df303d ath79: wlr-7100: use ath10k-ct smallbuffers package variant
The memory hacks got removed from ath10k with 1e27bef ("mac80211: remove
ath10k_pci memory hacks"). As this device has low amount of RAM, switch
to ath-10k-ct small buffers variant, to avoid the OOM Reaper.

Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
2020-01-15 19:53:49 +01:00
Eneas U de Queiroz
9b25f833eb cryptodev-linux: remove DEFAULT redefinition
The 'DEFAULT:=m if ALL' line prevents the phase1 buildbots from building
the package, and users from downloading it, since they use 'ALL_KMODS=y'
but 'ALL' is not set.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2020-01-15 19:31:08 +01:00
Felix Fietkau
866790fd82 mac80211: fix MAC address allocations if the local bit is set on the base addr
If it's set, don't subtract 1 from the interface index encoded into the first
byte of the address

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-01-15 15:36:26 +01:00
Adrian Schmutzler
2fe464a712 lantiq: reorganize 02_network board.d files
This reorganizes 02_network board.d files based on what's done for
ath79 and ramips: Instead of putting all settings into a single big
case, the interface/dsl/MAC address setup is put into separate
functions with a specific switch case for each of them. This makes
grouping of devices much easier and should be easier to read, too.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-01-14 22:04:44 +01:00
Adrian Schmutzler
18e089aaed lantiq: move common DSL setup into lantiq.sh
DSL setup consists of the same commands for all subtargets, so move it
into a helper function.

While at it, remove shebang from library file.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-01-14 22:04:37 +01:00
Adrian Schmutzler
355f0444f3 lantiq: split base-files into subtargets
This splits the device-dependent base-files into subtarget directories,
like done recently for ath79 and ramips. While this increases the
overall lines of codes, it will make the code per subtarget smaller
and easier to keep track of features and devices.

While at it, several variables at the top of 02_network are removed,
as they were never changed. The values are put directly into the
function calls where they are used.

Remove unneeded LED setup from 01_leds, and remove 01_leds entirely
for falcon subtarget (as it is not used there).

Applies alphabetic reordering to device cases in base-files.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-01-14 22:04:29 +01:00
Jo-Philipp Wich
b070101c50 valgrind: do not strip internal preload libraries and executables
Implement the suggestions laid out in README_PACKAGERS, mainly by preventing
the stripping of the internal vgpreload*.so libraries.

Also retain the symbol information of valgrind's private helper executables
and enable LTO as suggested in the packagers readme.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-01-14 17:52:34 +01:00
Xu Wang
44304c1d67 base-files: fix build for /sbin/pkg_check
Setting CONFIG_IPK_FILES_CHECKSUMS=y causes sha256 checksum files to be
included with the packages to check for corruption. This commit fixes two
issues:
- /sbin/pkg_check was being removed incorrectly if IPK_FILES_CHECKSUMS=y
- checksums were being saved in the wrong file

Signed-off-by: Xu Wang <xwang1498@gmx.com>
2020-01-14 17:52:34 +01:00
Andrea Dalla Costa
3c77e4ae4d wrt350nv2-builder: Fix memory leak
Add missing call to `free` for variable `buffer` in function
`create_bin_file`.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-14 17:48:50 +01:00
Andrea Dalla Costa
8057970d2a firmware-utils/mktitanimg: fix possible resource leak
Add missing call to `fclose` for file pointer `nsp_image`.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-14 17:48:50 +01:00
Andrea Dalla Costa
1775f690d5 firmware-utils/mksenaofw: fix possible memory leak
Add missing calls to `free` for variable `pmodel`.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-14 17:48:50 +01:00
Andrea Dalla Costa
b886d3c8f3 firmware-utils/mkfwimage: fix possible memory and resource leak
Add missing calls to `free` for variable `mem`.
Add missing call to `fclose` for variable `f`.

The same changes were made in both `mkfwimage.c` and `mkfwimage2.c`.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-14 17:48:50 +01:00
Andrea Dalla Costa
8e3b3152e5 firmware-utils/mkchkimg: fix possible resource leaks
Add missing `fclose` calls for file pointers `kern_fp`, `fs_fp`
and `out_fp`.
Not closing files could lead to resource leaks.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-14 17:48:50 +01:00
Andrea Dalla Costa
0ae0f48cec firmware-utils: fix possible memory leak and resource leak
Add missing calls to `free` for variable `buffer`.
This could lead to a memory leak.

Add missing call to `close` for file pointer `fdin`.
This could lead to a resource leak.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-14 17:48:50 +01:00
Andrea Dalla Costa
402b362db4 firmware-utils/dgfirmare: fix possible resource leak
Add missing calls to `fclose` in functions `write_img`, `write_rootfs`
and `write_kernel`.
The not-closed files could lead to resource leaks.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-14 17:48:50 +01:00
David Lam
22b07ff73e hostapd: add support for subject validation
The wpa_supplicant supports certificate subject validation via the
subject match(2) and altsubject_match(2) fields. domain_match(2) and
domain_suffix_match(2) fields are also supported for advanced matches.
This validation is especially important when connecting to access
points that use PAP as the Phase 2 authentication type. Without proper
validation, the user's password can be transmitted to a rogue access
point in plaintext without the user's knowledge. Most organizations
already require these attributes to be included to ensure that the
connection from the STA and the AP is secure. Includes LuCI changes via
openwrt/luci#3444.

From the documentation:

subject_match - Constraint for server certificate subject. This substring
is matched against the subject of the authentication server certificate.
If this string is set, the server sertificate is only accepted if it
contains this string in the subject. The subject string is in following
format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as
.example.com

subject_match2 - Constraint for server certificate subject. This field is
like subject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST
tunnel) authentication.

altsubject_match - Constraint for server certificate alt. subject.
Semicolon separated string of entries to be matched against the
alternative subject name of the authentication server certificate. If
this string is set, the server sertificate is only accepted if it
contains one of the entries in an alternative subject name extension.
altSubjectName string is in following format: TYPE:VALUE Example:
EMAIL:server@example.com Example:
DNS:server.example.com;DNS:server2.example.com Following types are
supported: EMAIL, DNS, URI

altsubject_match2 - Constraint for server certificate alt. subject. This
field is like altsubject_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.

domain_match - Constraint for server domain name. If set, this FQDN is
used as a full match requirement for the
server certificate in SubjectAltName dNSName element(s). If a
matching dNSName is found, this constraint is met. If no dNSName
values are present, this constraint is matched against SubjectName CN
using same full match comparison. This behavior is similar to
domain_suffix_match, but has the requirement of a full match, i.e.,
no subdomains or wildcard matches are allowed. Case-insensitive
comparison is used, so "Example.com" matches "example.com", but would
not match "test.Example.com". More than one match string can be
provided by using semicolons to
separate the strings (e.g., example.org;example.com). When multiple
strings are specified, a match with any one of the values is considered
a sufficient match for the certificate, i.e., the conditions are ORed
together.

domain_match2 - Constraint for server domain name. This field is like
domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel)
authentication.

domain_suffix_match - Constraint for server domain name. If set, this
FQDN is used as a suffix match requirement for the AAA server
certificate in SubjectAltName dNSName element(s). If a matching dNSName
is found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using same suffix
match comparison. Suffix match here means that the host/domain name is
compared one label at a time starting from the top-level domain and all
the labels in domain_suffix_match shall be included in the certificate.
The certificate may include additional sub-level labels in addition to
the required labels. More than one match string can be provided by using
semicolons to separate the strings (e.g., example.org;example.com).
When multiple strings are specified, a match with any one of the values
is considered a sufficient match for the certificate, i.e., the
conditions are ORed together. For example,
domain_suffix_match=example.com would match test.example.com but would
not match test-example.com. This field is like domain_match, but used
for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication.

domain_suffix_match2 - Constraint for server domain name. This field is
like domain_suffix_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.

Signed-off-by: David Lam <david@thedavid.net>
2020-01-14 17:46:27 +01:00
Jo-Philipp Wich
0e05093b12 netfilter: package required kmods for nftables
Package new kmods "nf_tables_set" and "nft_objref" which got introduced
with kernel 4.18 and restrict the old "nft_set_rbtree" and "nft_set_hash"
modules to sub-4.18 versions.

Also reorder the nftables related netfilter.mk entries alphabetically
while touching this code section.

Fixes: FS#2699
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=2699#comment7450
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-01-14 16:58:43 +01:00
Felix Fietkau
b1a1c222c9 mac80211: fix list_phy_interfaces for multiple wiphys on the same device
Network interfaces are looked up based on the device behind a phy, so the
phy needs to be checked separately

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-01-14 14:57:13 +01:00
Felix Fietkau
9501469e11 mac80211: fix a page refcounting issue leading to leaks/crashes in rx A-MSDU decap
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-01-14 14:56:59 +01:00
Felix Fietkau
d5b3024139 mac80211: fix sta TID stats leak on a few nl80211 calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-01-14 14:56:54 +01:00
Felix Fietkau
fe1818cdbc mac80211: renumber subsys patches accepted upstream
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-01-14 14:56:46 +01:00
Adrian Schmutzler
e845c094d5 mediatek: split base-files into subtargets
This splits some base-files across subtargets, as done previously
on ath79 and ramips and also introduced for mt7629 subtarget here
already. Most of the existing base-files content is specific to
mt7623.

While at it, apply the following fixes:
- Remove lots of trailing whitespaces
- Remove wildcard on unielec,u7623-02-emmc-512m
- Remove inconsistent quotation marks in cases

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: John Crispin <john@phrozen.org>
2020-01-14 13:34:34 +01:00
David Bauer
c6e972c877 ipq40xx: add support for Aruba AP-303H
The Aruba AP-303H is the hospitality version of the Aruba AP-303 with a
POE-passthrough enabled ethernet switch instead of a sigle PHY.

Hardware
--------

SoC:   Qualcomm IPQ4029
RAM:   512M DDR3
FLASH: - 128MB SPI-NAND (Macronix)
       - 4MB SPI-NOR (Macronix MX25R3235F)
TPM:   Atmel AT97SC3203
BLE:   Texas Instruments CC2540T
       attached to ttyMSM1
ETH:   Qualcomm QCA8075
LED:   WiFi (amber / green)
       System (red / green /amber)
       PSE (green)
BTN:   Reset
USB:   USB 2.0

To connect to the serial console, you can solder to the labled pads next
to the USB port or use your Aruba supplied UARt adapter.

Do NOT plug a standard USB cable into the Console labled USB-port!
Aruba/HPE simply put UART on the micro-USB pins. You can solder yourself
an adapter cable:

VCC - NC
 D+ - TX
 D- - RX
GND - GND

The console setting in bootloader and OS is 9600 8N1. Voltage level is
3.3V.

To enable a full list of commands in the U-Boot "help" command, execute
the literal "diag" command.

Installation
------------

1. Get the OpenWrt initramfs image. Rename it to ipq40xx.ari and put it
   into the TFTP server root directory. Configure the TFTP server to
   be reachable at 192.168.1.75/24. Connect the machine running the TFTP
   server to the E0 (!) ethernet port of the access point, as it only
   tries to pull from the WAN port.

2. Connect to the serial console. Interrupt autobooting by pressing
   Enter when prompted.

3. Configure the bootargs and bootcmd for OpenWrt.
   $ setenv bootargs_openwrt "setenv bootargs console=ttyMSM0,9600n8"
   $ setenv nandboot_openwrt "run bootargs_openwrt; ubi part aos1;
     ubi read 0x85000000 kernel; set fdt_high 0x87000000;
     bootm 0x85000000"
   $ setenv ramboot_openwrt "run bootargs_openwrt;
     setenv ipaddr 192.168.1.105; setenv serverip 192.168.1.75;
     netget; set fdt_high 0x87000000; bootm"
   $ setenv bootcmd "run nandboot_openwrt"
   $ saveenv

4. Load OpenWrt into RAM:
   $ run ramboot_openwrt

5. After OpenWrt booted, transfer the OpenWrt sysupgrade image to the
   /tmp folder on the device. You will need to plug into E1-E3 ports of
   the access point to reach OpenWrt, as E0 is the WAN port of the
   device.

6. Flash OpenWrt:
   $ ubidetach -p /dev/mtd16
   $ ubiformat /dev/mtd16
   $ sysupgrade -n /tmp/openwrt-sysupgrade.bin

To go back to the stock firmware, simply reset the bootcmd in the
bootloader to the original value:

  $ setenv bootcmd "boot"
  $ saveenv

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-01-14 09:38:32 +01:00
Tobias Schramm
66eb88edb6 ath79: add support for Ubiquiti EdgeSwitch/ToughSwitch 5XP
The Ubiquiti ToughSwitch 5XP is a 5-port PoE Gigabit switch with a single
Fast-Ethernet management port. It supports both 24V passive PoE out on all
five ports.

Flash:    8 MB
RAM:      64 MB
SoC:      AR7242
Switch:   ar8327
USB:      1x USB 2.0
Ethernet: 5x GbE, 1x FE

Installation of the firmware is possible either via serial + tftpboot or
the factory firmware update function via webinterface.

By default the single Fast-Ethernet port labeled "MGMT" is configured
as the WAN port. Thus access to the device is only possible via the
five switch ports.

Serial: 3v3 115200 8n1

The serial header is located in the lower left corner of the switches PCB:

```
|
|
|
| o
| o RX
| o TX
| o GND
|
|
++  +-++-+  ++  ++  +
+--+ ++ +--++--++--+
```

Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
[remove ubnt,sw compatible - fix spelling - wrap commit message -
remove superfluous phy-mode property]
Signed-off-by: David Bauer <mail@david-bauer.net>
2020-01-14 09:38:32 +01:00
Tobias Schramm
2e05d6185a ath79: add generic dtsi for Ubiquiti SW boards
Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
[remove ubnt,sw compatible]
Signed-off-by: David Bauer <mail@david-bauer.net>
2020-01-14 09:38:32 +01:00
Petr Štetiar
28080d54d2 ramips: mt7621: disable images for gehua_ghl-r-001
This device OOPs during the boot due to broken flash. It can be probably
fixed with `broken-flash-reset` once ramips is on 4.19 kernel.

So disable images for this device until its fixed.

Ref: FS#2695, PR#2483
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-14 00:06:03 +01:00
Florian Eckert
0f33c6b74a base-files: use jshn lib for ubus sysupgrade argument generation
With this change the well known jshn library will be used, to build the
json arguments for the ubus sysupgrade method. This is also used in all
other shell program that uses JSON. This commit unifies that.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2020-01-14 00:06:03 +01:00
Petr Štetiar
3d62463755 rpcd: activate PIE ASLR by default
This activates PIE ASLR support by default when the regular option is
selected.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-14 00:06:44 +01:00
Petr Štetiar
2b28358a37 odhcpd: activate PIE ASLR by default
This activates PIE ASLR support by default when the regular option is
selected.

Size increase on x86/64:

 odhcpd-ipv6only Installed-Size: 36821 -> 38216

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-14 00:06:40 +01:00
Petr Štetiar
9c628cc76c procd: activate PIE ASLR by default
This activates PIE ASLR support by default when the regular option is
selected.

Size increase on x86/64:

 procd Installed-Size: 44931 -> 47362

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-14 00:06:35 +01:00
Petr Štetiar
d38dd6e1ef ubus: activate PIE ASLR by default
This activates PIE ASLR support by default when the regular option is
selected.

Size increase on x86/64:

 ubus  Installed-Size:  5602 ->  5950
 ubusd Installed-Size: 11643 -> 12119

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-14 00:06:03 +01:00
Hauke Mehrtens
a2571f3c81 uhttpd: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 39% uncompressed and 21% compressed
on MIPS BE.

old:
33,189 /usr/sbin/uhttpd
23,016 uhttpd_2019-08-17-6b03f960-4_mips_24kc.ipk

new:
46,212 /usr/sbin/uhttpd
27,979 uhttpd_2019-08-17-6b03f960-4_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hauke Mehrtens
6b2379d048 hostapd: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 26% uncompressed and 16% compressed
on MIPS BE.

old:
460,933 /usr/sbin/wpad
283,891 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk

new:
584,508 /usr/sbin/wpad
330,281 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hauke Mehrtens
7ab6613026 dropbear: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 18% uncompressed and 17% compressed
on MIPS BE.

old:
164,261 /usr/sbin/dropbear
 85,648 dropbear_2019.78-2_mips_24kc.ipk

new:
194,492 /usr/sbin/dropbear
100,309 dropbear_2019.78-2_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hauke Mehrtens
dae0ac7770 dnsmasq: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 37% uncompressed and 18% compressed
on MIPS BE.

old:
146,933 /usr/sbin/dnsmasq
101,837 dnsmasq_2.80-14_mips_24kc.ipk

new:
202,020 /usr/sbin/dnsmasq
120,577 dnsmasq_2.80-14_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hauke Mehrtens
19cbac7d26 buildsystem: Make PIE ASLR option tristate
This tristate choose allows to select to build only some applications
with PIE enabled. On MIPS binaries are getting about 30% bigger when PIE
is activated for the, which is a huge increase.

Network exposed applications like dnsmasq should then be build with PIE
enabled, but some applications which are normally not parsing data from
the network do not have it activated. The regular option should give a
good trade off between extra flash and RAM memory usage and security.

This changes the default from building no applications with PIE to build
some specifically marked applications with PIE enabled. This option is
only activated for targets with bigger flash and RAM to not consume
extra memory on the very small targets. On SDK builds the Regular option
should always be selected, because some tiny targets share the
applications with big targets and only the images for the tiny targets
should contain the none PIE applications, but the images for the normal
targets should use PIE. The shared packages should always use PIE when
it should be normally activated.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hans Dedecker
3446702cdb ethtool: bump to 5.4
7dc0af7 Release version 5.4.
914912e ethtool: add 0x16 and 0x1c extended compliance codes
600b779 ethtool: mark 10G Base-ER as SFF-8472 revision 10.4 onwards
696565d ethtool: correctly interpret bitrate of 255
2941970 fix unused parameter warning in e1000_get_mac_type()
5e814f2 fix unused parameter warning in fjes_dump_regs()
b1a5279 fix unused parameter warning in ixgb_dump_regs()
6608751 fix unused parameter warning in ibm_emac_dump_regs()
1c30119 fix unused parameter warning in et131x_dump_regs()
a56aba4 fix unused parameter warning in amd8111e_dump_regs()
f40d32d fix unused parameter warning in fec_dump_regs()
8b84f1a fix unused parameter warning in at76c50x_usb_dump_regs()
f725f5a fix unused parameter warning in smsc911x_dump_regs()
a12cd66 fix unused parameter warning in e1000_dump_regs()
e058656 fix unused parameter warning in igb_dump_regs()
debac02 fix unused parameter warning in de2104[01]_dump_regs()
d434eea fix unused parameter warning in e100_dump_regs()
8df12f3 fix unused parameter warning in vioc_dump_regs()
92d716b fix unused parameter warning in tg3_dump_{eeprom, regs}()
211c99e fix unused parameter warning in fec_8xx_dump_regs()
362fb8b fix unused parameter warning in ixgbevf_dump_regs()
87903c2 fix unused parameter warning in st_{mac100, gmac}_dump_regs()
c1eaddf fix unused parameter warning in vmxnet3_dump_regs()
313c9f8 fix unused parameter warning in dsa_dump_regs()
183e8a2 fix unused parameter warning in {skge, sky2}_dump_regs()
7f84c13 fix unused parameter warning in lan78xx_dump_regs()
02d0aaa fix unused parameter warning in realtek_dump_regs()
726d607 fix unused parameter warning in ixgbe_dump_regs()
967177c fix unused parameter warning in netsemi_dump_eeprom()
710a414 fix unused parameter warning in natsemi_dump_regs()
283398a fix unused parameter warning in print_simple_table()
0404267 fix unused parameter warning in sfc_dump_regs()
57c7298 fix unused parameter warning in altera_tse_dump_regs()
302e91a fix unused parameter warning in dump_eeprom()
2054a8c fix unused parameter warning in find_option()
d5432a9 fix unused parameter warnings in do_version() and show_usage()
c430e75 fix arithmetic on pointer to void is a GNU extension warning
e568431 ethtool: implement support for Energy Detect Power Down
e391f4c ethtool: sync ethtool-copy.h: adds support for EDPD

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-01-12 22:19:37 +01:00
David Bauer
8b86ddf4d5 netfilter: add back nft_hash
nft_hash hash falsely removed in commit 97940f8766
("kernel: remove obsolete kernel version switches").

Add the module back, as otherwise the build fails.

Fixes: 97940f8766 ("kernel: remove obsolete kernel version switches")

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-01-12 18:59:07 +01:00
Adrian Schmutzler
97940f8766 kernel: remove obsolete kernel version switches
After kernel 4.9 has been removed, this removes all (now obsolete)
kernel version switches that deal with versions before 4.14.

Package kmod-crypto-iv is empty now and thus removed entirely.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-01-12 16:34:20 +01:00
David Bauer
ba8faa0fea generic: update config-4.14
Builds for kenrel 4.14 targetswere failing because of
missing symbols for the B53 swconfig driver.

Fixes: 313bde53ce ("generic: update config-4.19")
Signed-off-by: David Bauer <mail@david-bauer.net>
2020-01-12 16:27:33 +01:00