The LSM (Linux security mechanism) list is the successor of the now
legacy *major LSM*. Instead of defining a single security mechanism the
LSM symbol is a comma separated list of mechanisms to load.
Until recently OpenWrt would only support DAC (Unix discretionary access
controls) which don't require an additional entry in the LSM list. With
the newly introduced SELinux support the LSM needs to be extended else
only a manual modified Kernel cmdline (`security=selinux`) would
activate SELinux.
As the default OpenWrt Kernel config sets DAC as default security
mechanism, SELinux is stripped from the LSM list, even if
`KERNEL_DEFAULT_SECURITY_SELINUX` is activated. To allow SELinux without
a modified cmdline this commit sets a specific LSM list if
`KERNEL_SECURITY_SELINUX` is enabled.
The upstream Kconfig adds even more mechanisms
(smack,selinux,tomoyo,apparmor), but until they're ported to OpenWrt,
these can be ignored.
To compile SELinux Kernel support but disable it from loading, the
already present options `KERNEL_SECURITY_SELINUX_DISABLE` or
`KERNEL_SECURITY_SELINUX_BOOTPARAM` (with custom cmdline `selinux=0`)
can be used. Further it's possible to edit `/etc/selinux/config`.
Signed-off-by: Paul Spooren <mail@aparcar.org>
This removes switches dependent on kernel version 4.14 as well as
several packages/modules selected only for that version.
This also removes sched-cake-virtual, which is not required anymore
now that we have only one variant of cake.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This target is still on kernel 4.14, and recent attempts to move it to
kernel 5.4 have not led to success. The device tester reported that it
wouldn't boot with the following messages:
From sysupgrade:
Press any key within 4 seconds to enter setup....
loading kernel from nand... OK
setting up elf image... OK
jumping to kernel code
At this point the system hangs.
From CompactFlash:
Press any key within 4 seconds to enter setup....
Booting CF
Loading kernel... done
setting up elf image... kernel out of range kernel loading failed
The tester reported that the same was observed with current master
(kernel 4.14) as well. This looks like some kernel size restriction.
Since this target is quite old and only supports one device, and since
nobody else seemed interested in working on this for quite some time,
I decided to not put further work into analyzing the problem and drop
this together with the other 4.14-only targets.
Patchwork series:
https://patchwork.ozlabs.org/project/openwrt/list/?series=197066&state=*
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This adds a number of options to config/Config-kernel.in so that
packages related to SELinux support can enable the appropriate Linux
kernel support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[rebase; add ext4, F2FS, UBIFS, and JFFS2 support; add commit message]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
This allows the build process to prepare a squashfs filesystem for use
with SELinux.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[rebase, add commit message]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
This target has been mostly replaced by ath79 and won't be included
in the upcoming release anymore. Finally put it to rest.
This also removes all references in packages, tools, etc. as well as
the uboot-ar71xx and vsc73x5-ucode packages.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The symbol KERNEL_CGROUP_HUGETLB is always used whenever KERNEL_CGROUPS is enabled.
The absence of this notation will cause the user to be asked to enter this parameter the first time it is compiled.
Signed-off-by: Yuan Tao <ty@wevs.org>
Remove `if !SMALL_FLASH` in places which are anyway already augmented
by `if !SMALL_FLASH`.
Always enable CONFIG_BLK_DEV_THROTTLING on !SMALL_FLASH devices rather
than just enabling it on bcm27xx.
Enabled CPU bandwidth provisioning for FAIR_GROUP_SCHED on !SMALL_FLASH
devices as CONFIG_FAIR_GROUP_SCHED is already enabled and becomes more
useful for cgroups with that option enbled as well.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Remapping the local build path in debug information makes debugging
using ./scripts/remote-gdb harder, because files no longer refer to the full
path on the build host.
For local builds, debug information does not need to be reproducible,
since it will be stripped out of packages anyway.
For buildbot builds, it makes sense to keep debug information reproducible,
since the full path is not needed (nor desired) anywhere.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Enabling KERNEL_TRANSPARENT_HUGEPAGE exposes 2 missing symbols:
* CONFIG_READ_ONLY_THP_FOR_FS
* TRANSPARENT_HUGEPAGE_ALWAYS
* TRANSPARENT_HUGEPAGE_MADVISE
The first one was added in 5.4, and is marked experimental there so just
disable it in the generic config.
For the latter two, we should not force the user to use either of them,
so add them as build-configurable kernel options.
Fixes: d1a8217d87 ("kernel: clean-up build-configurable kernel config symbols")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
It was removed from target defaults though it didn't exist in the
build-systems kernel configuration options. Add it there.
Fixes: d1a8217d87 ("kernel: clean-up build-configurable kernel config symbols")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
By specifying "BROKEN := 1" or "BROKEN := y" for a device, it will be
hidden (and deselected) by default. By that, it provides a stronger
option to "disable" a device beyond just using DEFAULT := n.
To make these devices visible, just enable the BROKEN option in
developer settings as already implemented for targets and packages.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Don't explicitely disable options in target/linux/generic/config-* if
they are already controlled in config/Config-kernel.in.
Add a bunch of new symbols and prepare defaults for using only unified
hierarchy (ie. cgroup2). Update symbol dependencies while at it
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Currently the user space stack cookies work well also when the kernel
stack cookies are not activated. This is handled completely in user
space and does not need kernel support.
This dependency was probably needed some years ago when the libc did not
support stack cookies.
Reviewed-by: Ian Cooper <iancooper@hotmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Set CCACHE_DIR to $(TOPDIR)/.ccache and CCACHE_BASEDIR to $(TOPDIR).
This allows to do clean and dirclean. Cache hit rate for test build
after dirclean is ~65%.
If CCACHE is enabled stats are printed out at the end of building process.
CCACHE_DIR config variable allows to override default, which could be useful
when sharing cache with many builds.
cacheclean make target allows to clean the cache.
Changes from v1:
- remove ccache directory using CCACHE_DIR variable
- remove ccache leftovers from sdk and toolchain make files
- introduce CONFIG_CCACHE_DIR variable
- introduce cacheclean make target
Signed-off-by: Roman Yeryomin <roman@advem.lv>
Removes the standalone implementation of stack smashing protection
in gcc's libssp in favour of the native implementation available
in glibc and uclibc. Musl libc already uses its native ssp, so this
patch does not affect musl-based toolchains.
Stack smashing protection configuration options are now uniform
across all supported libc variants.
This also makes kernel-level stack smashing protection available
for x86_64 and i386 builds using non-musl libc.
Signed-off-by: Ian Cooper <iancooper@hotmail.com>
This patch adds support for the MikroTik RouterBOARD RB493G, ported
from the ar71xx target.
See https://routerboard.com/RB493G for details
Specification:
- SoC Qualcomm Atheros AR7161
- RAM: 256 MiB
- Storage: 128MiB NAND
- Ethernet: 9x 1000/100/10 Mbps
- USB 1x 2.0 / 1.0 type A
- PCIe: 3x Mini slot
- MicroSD slot
Working:
- Board/system detection
- Ethernet
- SPI
- NAND
- LEDs
- USB
- Sysupgrade
Enabled (but untested due to lack of hardware):
- PCIe - ath79_pci_irq struct has the slot/pin/IRQ mappings if needed
Installation methods:
- tftp boot initramfs image, scp then flash via "sysupgrade -n"
- nand boot existing OpenWrt, scp then flash via "sysupgrade -n"
Notes:
- initramfs image will not work if uncompressed image size over ~8.5Mb
- The "rb4xx" drivers have been enabled
Signed-off-by: Christopher Hill <ch6574@gmail.com>
JSON info files contain machine readable information of built profiles
and resulting images. These files were added in commit 881ed09ee6
("build: create JSON files containing image info").
They are useful for firmware wizards and script checking for
reproducibility.
Currently all JSON files are stored next to the built images, resulting
in up to 168 individual files for the ath79/generic target.
This patch refactors the JSON creation to store individual per image
(not per profile) files in $(BUILD_DIR)/json_info_files and create an
single overview file called `profiles.json` in the target directory.
Storing per image files and not per profile solves the problem of
parallel file writes. If a profiles sysupgrade and factory image are
finished at the same time both processes would write to the same JSON
file, resulting in randomly broken outputs.
Some target like x86/64 do not use the image code yet, resulting in
missing JSON files. If no JSON info files were created, no
`profiles.json` files is created as it would be empty anyway.
As before, this creation is enabled by default only if `BUILDBOT` is set.
Tested via buildroot & ImageBuilder on ath79/generic, imx6 and x86/64.
Signed-off-by: Paul Spooren <mail@aparcar.org>
[json_info_files dir handling in Make, if case refactoring]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Add EFI platform bootable images for x86 platforms. These images can
also boot from legacy BIOS platform.
EFI System Partition need to be fat12/fat16/fat32 (not need to load
filesystem drivers), so the first partition of EFI images are not ext4
filesystem any more.
GPT partition table has an alternate partition table, we did not
generate it. This may cause problems when use these images as qemu disk
(kernel can not find rootfs), we pad enough sectors will be ok.
Signed-off-by: 李国 <uxgood.org@gmail.com>
[part_magic_* refactoring, removed genisoimage checks]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This commit introduces few related changes which need to be done in
single commit to keep images buildable between git revisions. In result
it retains all previous image creation possibilities with slight name
change of generated images. Brief summary of the commit:
* Split up image generation recipe to smaller chunks to make it more
generic and reusable.
* Make iso images x86 specific and drop their definition as root
filesystem.
* Convert image creation process to generic code specified in image.mk.
* Make geode subtarget inherit features from the main target instead of
redefining them.
* For subtargets create device definitions with basic packages set.
Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
[rebased]
Signed-off-by: Paul Spooren <mail@aparcar.org>
1. KERNEL_CRASH_DUMP should depends on KERNEL_PROC_KCORE (kexec use it)
2. select crashkernel mem size by totalmem
mem <= 256M disable crashkernel by default
mem >= 4G use 256M for crashkernel
mem >= 8G use 512M for crashkernel
default use 128M
3. set BOOT_IMAGE in kdump.init
4. resolve a "Unhandled rela relocation: R_X86_64_PLT32" error
Tested on x86_64
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
With kernel 5.4 the upstream kernel supports deactivating the FPU
support on MIPS. Use this new upstream feature instead of our older
patch which was removed when porting the kernel patches to kernel 5.4.
This way both options are set which should work for older kernel
versions and also new ones.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
CONFIG_INCLUDE_CONFIG option is helpful for being able to rebuild the
exact same firmware as you see on a live OpenWRT instance, but it's
crucially missing feeds information, so we can't rebuild the exact same
package versions. This commit fixes this by adding the remaining feeds
(and version) buildinfo files to the image.
Signed-off-by: Xu Wang <xwang1498@gmx.com>
Make it possible to activate some additional kernel debug options.
This can be used to debug some problems in kernel drivers.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
The adds an option to activate KCOV (Code coverage for fuzzing).
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
The kernel kernel address sanitizer is able to detect some memory
bugs in the kernel like out of range array accesses.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
The kernel Undefined Behavior Sanitizer is able to detect some memory
bugs in the kernel like out of range array accesses.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This change makes the names of Broadcom targets consistent by using
the common notation based on SoC/CPU ID (which is used internally
anyway), bcmXXXX instead of brcmXXXX.
This is even used for target TITLE in make menuconfig already,
only the short target name used brcm so far.
Despite, since subtargets range from bcm2708 to bcm2711, it seems
appropriate to use bcm27xx instead of bcm2708 (again, as already done
for BOARDNAME).
This also renames the packages brcm2708-userland and brcm2708-gpu-fw.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: Álvaro Fernández Rojas <noltari@gmail.com>
This tristate choose allows to select to build only some applications
with PIE enabled. On MIPS binaries are getting about 30% bigger when PIE
is activated for the, which is a huge increase.
Network exposed applications like dnsmasq should then be build with PIE
enabled, but some applications which are normally not parsing data from
the network do not have it activated. The regular option should give a
good trade off between extra flash and RAM memory usage and security.
This changes the default from building no applications with PIE to build
some specifically marked applications with PIE enabled. This option is
only activated for targets with bigger flash and RAM to not consume
extra memory on the very small targets. On SDK builds the Regular option
should always be selected, because some tiny targets share the
applications with big targets and only the images for the tiny targets
should contain the none PIE applications, but the images for the normal
targets should use PIE. The shared packages should always use PIE when
it should be normally activated.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
Don't build with uClibc-ng. It's totally unsupported as several functions
are missing.
Make the musl libc support conditional.
Fix hash with make check FIXUP=1. Apparently I based the Makefile off of
libedit and forgot to fix the hash.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Fixes: 856ea2bad3 ("libcxx: Add package")
Currently in OpenWrt, there are two libc++: libstdcpp and uClibc++. The
former is huge and the latter supports only C++98 with some basic support
for C++11. Those C++ versions seem to be specific to the compiler version
libcxx supports C++11 and above while being much smaller than libstdcpp.
On mt7621, these are the sizes of the ipks that I get:
libstdcpp: 460786
libcxx: 182881
uClibc++:67720
libcxx is faster than uClibc++ and is under active development as part of
the LLVM project while uClibc++ is effectively dead.
This PR modifies uclibc++.mk to expose the make menuconfig option. Further
cleanup is beyond the scope of this PR. What that means is, this is not
used by default.
A g++-libcxx wrapper based on the uClibc++ one was added. Works the same
way.
Compile tested with all packages that use uclibc++.mk in their Makefiles
under mipsel_24kc. kismet fails compilation but that package needs to be
cleaned up and updated.
Runtime tested with gddrescue, gdisk, dcwapd, bonnie++, and aircrack-ng
on a TP-Link Archer C7v2.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This separates the options for signature creation and verification
* SIGNED_PACKAGES create Packages.sig
* SIGNED_IMAGES add ucert signature to created images
* CHECK_SIGNATURE add verification capabilities to images
* INSTALL_LOCAL_KEY add local key-build to /etc/opkg/keys
Right now the buildbot.git contains some hacks to create images that
have signature verification capabilities while not storing private keys
on buildbot slaves. This commit allows to disable these steps for the
buildbots and only perform signing on the master.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Lets remove unused GCC_VERSION_4_8 symbol after the series of patches
which has switched to target gcc-8 by default.
Signed-off-by: Paul Spooren <mail@aparcar.org>
[refactored into separate commit]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The JSON info files contain details about the created firmware images
per device and are stored next to the created images.
The JSON files are stored as "$(IMAGE_PREFIX).json" and contain some
device/image meta data as well as a list of created firmware images.
An example of openwrt-ramips-rt305x-aztech_hw550-3g.json
{
"id": "aztech_hw550-3g",
"image_prefix": "openwrt-ramips-rt305x-aztech_hw550-3g",
"images": [
{
"name": "openwrt-ramips-rt305x-aztech_hw550-3g-squashfs-sysupgrade.bin",
"sha256": "db2b34b0ec4a83d9bf612cf66fab0dc3722b191cb9bedf111e5627a4298baf20",
"type": "sysupgrade"
}
],
"metadata_version": 1,
"supported_devices": [
"aztech,hw550-3g",
"hw550-3g"
],
"target": "ramips/rt305x",
"titles": [
{
"model": "HW550-3G",
"vendor": "Aztech"
},
{
"model": "ALL0239-3G",
"vendor": "Allnet"
}
],
"version_commit": "r10920+123-0cc87b3bac",
"version_number": "SNAPSHOT"
}
Signed-off-by: Paul Spooren <mail@aparcar.org>
Add option BUILD_LOG_DIR to menuconfig to change log destination.
The mix-up of *DIR* and *FOLDER* is confusing however.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Change TARGET_ROOTFS_PARTSIZE from 128 to 104 MiB, so the whole image
(bootloader + boot + root) will fit on a 128MB CF card by default.
With these settings, the generated images (tested on x86-generic and
x86-64) have 126,353,408 bytes; the smallest CF card marketed as "128MB"
that I found a datasheet for (a Transcend TS128MCF80) has 126,959,616
bytes.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
KERNEL_DEVPTS_MULTIPLE_INSTANCES and KERNEL_POSIX_MQUEUE were
previously enabled by default only if KERNEL_LXC_MISC was selected.
KERNEL_LXC_MISC was enabled only if the SMALL_FLASH (anti-)feature
was not selected.
Now that KERNEL_LXC_MISC no longer exists, make sure that those
options are also only enabled by default for !SMALL_FLASH targets.
Fixes: 4f94a331 ("config: kernel: remove KERNEL_LXC_MISC")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Kernel features are neutral. The two cascaded features can also be
useful for other container related tools
It's also less error-prone if only kconfig symbols from the kernel are
prefixed KERNEL_
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
generate feeds.buildinfo and version.buildinfo in build dir after
containing the feed revisions (via ./scripts/feeds list -sf) as well as
the current revision of buildroot (via ./scripts/getver.sh).
With this information it should be possible to reproduce any build,
especially the release builds.
Usage would be to move feeds.buildinfo to feeds.conf and git checkout the
revision hash of version.buildinfo.
Content of feeds.buildinfo would look similar to this:
src-git routing https://git.openwrt.org/feed/routing.git^bf475d6
src-git telephony https://git.openwrt.org/feed/telephony.git^470eb8e
...
Content of version.buildinfo would look similar to this:
r10203+1-c12bd3a21b
Without the exact feed revision it is not possible to determine
installed package versions.
Also rename config.seed to config.buildinfo to follow the recommended
style of https://reproducible-builds.org/docs/recording/
Signed-off-by: Paul Spooren <mail@aparcar.org>
Introduce a new option CONFIG_SIGNATURE_CHECK which defaults to the value
of CONFIG_SIGNED_PACKAGES and thus is enabled by default.
This option is needed to support building target opkg with enabled
signature verification while having the signed package lists disabled.
Our buildbots currently disable package signing globally in the
buildroot and SDK to avoid the need to ship private signing keys to
the build workers and to prevent the triggering of random key generation
on the worker nodes since package signing happens off-line on the master
nodes.
As unintended side-effect, updated opkg packages will get built with
disabled signature verification, hence the need for a new override option.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The linux kernel is not reproducible because the build user
and domain is included into the kernel. Set the build user
to `builder` and build domain to buildhost.
It's also possible to build reproducible builds by setting
KERNEL_BUILD_USER KERNEL_BUILD_DOMAIN to static values.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
As we're now going to pad all images by default to 128MiB let's enable
compression of the images for armvirt and malta in order to save some
space and bandwidth.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
As we're now going to pad all images by default, lets decrease the
default rootfs partition size from 256MiB to 128MiB in order to save
some space.
I'm keeping it above 100MiB in order to keep current behavior, where
overlay filesystem is using F2FS.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
It's being used only in x86 target to produce combined images, where
it's mandatory to have padded images in order to produce working
squashfs combined images usable in QEMU.
Currently we're producing unusable x86 combined squashfs images
(18.06.1, 18.06.2 and snapshots) as we don't enable TARGET_IMAGES_PAD,
thus providing very small space for the overlay filesystem, leading to
the following with OpenWrt 18.06.1 r7258-5eb055306f images on x86 QEMU:
root@(none):/# mount | egrep 'root|overlay'
/dev/root on /rom type squashfs
/dev/loop0 on /overlay type ext4
overlayfs:/overlay on / type overlay
root@(none):/# df -h | egrep 'root|overlay|Size'
Filesystem Size Used Available Use% Mounted on
/dev/root 2.5M 2.5M 0 100% /rom
/dev/loop0 113.0K 8.0K 97.0K 8% /overlay
overlayfs:/overlay 113.0K 8.0K 97.0K 8% /
So we should rather ensure proper image padding in image generation code
and we shouldn't rely on config options in order to generate usable
images.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
enable kernel features needed for procd-ujail, procd-seccomp, lxc and
more on devices with big enough flash. Those packages are currently
useless in binary builds due to missing kernel features.
Enable the features on devices which can bare with the extra space
consumption.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Commit eae6cac6a3 ("lantiq: add support for AVM FRITZ!Box 7362 SL"), but
one needs an initramfs image to flash OpenWrt from stock firmware (as
described in the commit log). This patch has the initramfs image built
by default.
Thanks to blogic (for pointing to the FEATURES declaration in the target
Makefiles) and Musashino on the forum for suggesting
config/Config-images.in needed editing too. While at it, reorder the
TARGET_INITRAMFS_COMPRESSION_LZMA declarations alphabetically.
This patch will result in initramfs images for all lantiq subtargets
that have the ramdisk flag set. I tested on the falcon and ase
subtargets, which lack that flag, to confirm they don't produce any
initramfs images with this patch - which they do not.
Given the limited scope of the lantiq (sub)target(s), blogic indicated
this should be OK.
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
[fixed the wrong reference to eae6cac6a3 commit]
If the target supports a newer kernel version that is not used by default
yet, it can be enabled with this option
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Upstream has renamed KPROBE_EVENT to KPROBE_EVENTS in the following
commit:
commit 6b0b7551428e4caae1e2c023a529465a9a9ae2d4
Author: Anton Blanchard <anton@samba.org>
Date: Thu Feb 16 17:00:50 2017 +1100
perf/core: Rename CONFIG_[UK]PROBE_EVENT to CONFIG_[UK]PROBE_EVENTS
We have uses of CONFIG_UPROBE_EVENT and CONFIG_KPROBE_EVENT as
well as CONFIG_UPROBE_EVENTS and CONFIG_KPROBE_EVENTS.
Consistently use the plurals.
So I'm adding this plural option in order to make kconfig happy and stop
asking about it if kernel is compiled with verbose logging:
Enable kprobes-based dynamic events (KPROBE_EVENTS) [Y/n/?] (NEW)
Signed-off-by: Petr Štetiar <ynezz@true.cz>
VBoxManage is not used and the image is created with proper permisions:
0f5d0f6 image: use internal qemu-img for vmdk and vdi images drop host
dependencies on qemu-utils and VirtualBox
Unreachable config symbols:
9e0759e x86: merge all geode based subtargets into one
No need to define those symbols since x86_64 is subtarget of x86:
196fb76 x86: make x86_64 a subtarget instead of a standalone target
Unreachable config symbols, so remove GRUB_ROOT:
371b382 x86: remove the xen_domu subtarget
Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
When CGROUP block io is enabled a new symbol is exposed and needs to
be set or unset else kernel oldconfig hangs waiting for input during
normal OpenWrt builds. Therefore add sane defaults for this symbol
in that case. Also, the defaults brcm2708 are different than generic
defaults because the platform's defconfig enables BLK_DEV_THROTTLING
by default (in defconfig config from the patches used to match
upstream's kernel, not in OpenWrt config-4.xx).
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
[make KERNEL_BLK_DEV_THROTTLING_LOW depend on KERNEL_BLK_DEV_THROTTLING]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This patch adds the boot-part feature which enables the brcm2708
target move from the custom boot partition size config option to
the generic CONFIG_TARGET_KERNEL_PARTSIZE.
Note:
For people using custom images: Just like with
CONFIG_TARGET_ROOTFS_PARTSIZE changing the value
can cause sysupgrade to repartition the device!
Make sure to have a backup in this case.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
This may be useful if you don't entirely trust your flash and want to be able
to check for corruptions.
Signed-off-by: Michal Hrusecky <Michal@Hrusecky.net>
This patch adds the boot-part feature to the apm82181 sata target.
This makes it possible to configure the boot partition size with
the generic CONFIG_TARGET_KERNEL_PARTSIZE symbol.
Please note: For people using custom images: Just like with
CONFIG_TARGET_ROOTFS_PARTSIZE changing the value can cause
sysupgrade to repartition the device!
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
The configuration option was renamed with kernel 4.19 from
CONFIG_CC_STACKPROTECTOR to CONFIG_STACKPROTECTOR adapt the code to set
both options.
CONFIG_STACKPROTECTOR now sets the regular stack protector and
CONFIG_STACKPROTECTOR_STRONG activates the additional protection of more
functions.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The sdcard image generation uses CONFIG_TARGET_ROOTFS_PARTSIZE, which is
currently bound to TARGET_ROOTFS_EXT4FS on this target.
Since the rootfs is squashfs anyway, allow deselecting of the ext4fs
one.
Sort the target list alphabetically while here.
Signed-off-by: Andre Heider <a.heider@gmail.com>
Extend the small_flash feature to disable swap, core dumps, and
kernel debug info, and change the squashfs block size to 1024KiB.
Also change squashfs fragment cache to 2 for small_flash to ease memory
usage.
Signed-off-by: Alex Maclean <monkeh@monkeh.net>
Add a new config option to allow to select the default compile
optimization level for the kernel.
Select the optimization for size by default if the small_flash feature is
set. Otherwise "Optimize for performance" is set.
Add the small_flash feature flag to all (sub)targets which had the
optimization for size in their default kernel config.
Remove CC_OPTIMIZE_FOR_* symbols from all kernel configs to apply the new
setting.
Exceptions to the above are:
- lantiq, where the optimization for size is only required for the
xway_legacy subtarget but was set for the whole target
- mediatek, ramips/mt7620 & ramips/mt76x8 where boards should have
plenty of space and an optimization for size doesn't make much sense
- rb532, which has 128MByte flash
Signed-off-by: Mathias Kresin <dev@kresin.me>
In order for monitoring tools such as atop and htop to track and report
i/o data, kernel support for task statistics and io accounting is
required.
Add a config option to enable building this support in the kernel.
Signed-off-by: Jeremiah McConnell <miah@miah.com>
It was only enabled when the target was added back in commit 9b321bc
("lantiq: add Amazon-SE subtarget")
Leave pistachio alone as devices of this target are not likely have
small_flash or low_mem constraint
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
To make it more accessible for nodejs users to configure and run a build
on mips target lacking hardware fpu
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Configure variable SSP_SUPPORT is ambiguous for packages (tor, openssh,
avahi, freeswitch). It means 'toolchain supporting SSP', but for toolchain
and depends it means 'build gcc with libssp'.
Musl no longer uses libssp (1877bc9d8f), it has internal support, so
SSP_SUPPORT was disabled leading some package to not use SSP.
No information why Glibc and uClibc use libssp, but they may also provide
their own SSP support. uClibc used it own with commit 933b588e25 but it was
reverted in f3cacb9e84 without details.
Create an new configure GCC_LIBSSP and automatically enable SSP_SUPPORT
if either USE_MUSL or GCC_LIBSSP.
Signed-off-by: Julien Dusser <julien.dusser@free.fr>
Introduce a configuration option to build a "hardened" OpenWrt with
ASLR PIE support.
Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR)
by building Position Independent Executables (PIE). This new option protects
against "return-to-text" attacks.
Busybox need a special care, link is done with ld, not gcc, leading to
unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE.
If other failing packages were found, PKG_ASLR_PIE:=0 should be added to
their Makefiles.
Original Work by: Yongkui Han <yonhan@cisco.com>
Signed-off-by: Julien Dusser <julien.dusser@free.fr>
The Download/git rule will do a `git checkout <git-ref>`.
So, we can use any ref we want.
No need to limit just to branches.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This is mainly for legal considerations and not promoting the usage of
and no redistribution of binaries of patented technologies seems to be
also the established practice in other linux distros.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Symbol CONFIG_INITRAMFS_FORCE allows to ignore the value passed by the
bootloader.
By default, all symbols containing INITRAMFS are wiped from the final
config and then re-added conditionally.
Add support for this symbol, as the build will stop otherwise
questioning the user about this option:
* Restart config...
*
*
* General setup
*
Cross-compiler tool prefix (CROSS_COMPILE) []
Compile also drivers which will not load (COMPILE_TEST) [N/y/?] n
...
Initial RAM filesystem and RAM disk (initramfs/initrd) support
(BLK_DEV_INITRD) [Y/n/?] y
Initramfs source file(s) (INITRAMFS_SOURCE) []
Ignore the initramfs passed by the bootloader (INITRAMFS_FORCE)
[N/y/?] (NEW)
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Multicast routing support is not needed in most setups, and increases the
size of the kernel considerably (>10K after LZMA). Add a config switch to
allow disabling it.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
The following patch enables building of initramfs images by default for
the P1020 subtarget in mpc85xx.
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
Select the other CONFIG_ALL_* options in the hierarchy when the master
option is selected. Currently CONFIG_ALL_KMODS is not selected when the
build bot selects CONFIG_ALL_NONSHARED for example.
Now the rtc kmods should get build when CONFIG_ALL_KMODS,
CONFIG_ALL_NONSHARED or CONFIG_ALL and CONFIG_RTC_SUPPORT are selected
like it is done by the build bots for targets with rtc support.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Jo-Philipp Wich <jo@mein.io>
We are starting to add more and more kernel configurable options, to the
point where the Global build options menu is not really usable anymore,
hide all kernel-related configuration options behind a menu.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
While we have CRASHLOG on MIPS it makes sense to support 'classic'
kexec-based CRASH_DUMP on x86 and arm platforms.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
On the more sophisticated (i.e. deeper FIFO) serial controllers,
flow-control might be needed to avoid dropping output.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Prior to commit 1496b95a0 ("x86: clean up default grub baudrate
settings") we had three different baud rates for the Geode targets:
19200 for net5501, 38400 for alix2, and 115200 for Geos.
It doesn't seem that there's a very good reason for varying from our
default 115200 baud, so let's make the Geode target do that instead.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
This can be used to tweak the buildbot behavior without having to change
buildbot's configuration.
It will also allow us to add more aggressive clean steps (e.g. on
toolchain changes), which would break developers' workflows if enable
by default.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
samba.org has started to enforce https and
currently plain http downloads with curl/wget fail,
so convert samba.org download links to use https.
Modernise links at the same time.
Also convert samba.org URL fields to have https.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
This is used to save space on buildbot instances.
If any part of a package needs to be rebuild, the whole package is
rebuilt from scratch. Stamp files are preserved to allow dependency
checks to work
Signed-off-by: Felix Fietkau <nbd@nbd.name>
It could cause crashes with some forms of virtualization, and it is
unlikely to work properly with most systems.
It's safer to just disable it.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
These options are needed to create /dev/mem or /dev/kmem .
/dev/mem is needed by the io tool to access raw hardware memory, which
is helpful when debugging and developing drivers.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: John Crispin <john@phrozen.org>
2 GB is overkill and was only added to allow unlimited ext4 resizing,
which is a pretty rare use case. 256 MB allows resizing up to 256 GB,
which should be good enough for almost all users.
A lot of this is mostly irrelevant anyway, since you can just use
squashfs + ext4 overlay.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This makes it possible to activate the gpio and the pinctl debugging
from LEDE menuconfig.
Acked-by: John Crispin <john@phrozen.org>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The current default rootfs size of 256MB in conjunction with 4K blocks
produces an ext4 filesystem which lacks the appropriate amount of backup GDT
entries to support online-resizing.
For x86 targets, increase the default rootfs size to 2048MB which allows
online resizing the filesystem to up to 2TB which is the current theoretical
maximum for LEDE, due to missing GPT support on the root block device.
Note that the filesystem artefact will not occupy 2GB on the build system as
the make_ext4fs utility uses sparse files to generate the filesystem images,
so the actual disk usage is much lower. Furthermore the filesystem images
are gzip compressed, shrinking them to only a few megabytes on the download
server.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Michael Heimpold <mhei@heimpold.de>
There is very little practical use to limit the number of available inodes on
an ext4 filesystem and the make_ext4fs utility is able to calculate useful
defaults by itself.
Drop the option to make resulting ext4 filesystems more flexible by default.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Michael Heimpold <mhei@heimpold.de>
Configurations without shadow passwords have been broken since the removal
of telnet: as the default entry in /etc/passwd is not empty (but rather
unset), there will be no way to log onto such a system by default. As
disabling shadow passwords is not useful anyways, remove this configuration
option.
The config symbol is kept (for a while), as packages from feeds depend on
it.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Added gen_mvebu_sdcard_img.sh to facilitate creating an fixed-size sdcard image,
adding the bootloader and populating it with actual data.
Added the required rules for creating a 4GB sdcard image according to this layout:
p0: boot (fat32)
p1: rootfs (squashfs)
p2: rootfs_data (ext4)
This should be generic to any mvebu boards that can boot from block storage.
Added the new sdcard image to the Clearfog image profile.
Signed-off-by: Josua Mayer <josua.mayer97@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup]
Enable selection of the kernel key retention framework and some of its
additional facilities; see Documentation/security/keys.txt and
security/keys/Kconfig for details
Signed-off-by: Nathaniel Wesley Filardo <nwfilardo@gmail.com>
The MR24's u-boot takes it sweet time decompressing the
LZMA-packed initramfs image. A user reported that
compared to the old gzip method in v2: it "takes a ton
longer to decompress like 4\x the old boot time for
decompression".
This patch also fixes a issue with the WNDR4700's initramfs
image getting to big and causing the following u-boot crash
during the decompression:
"Uncompressing Multi-File Image ... Error: inflate() returned -5
out-of-mem or overwrite error - must RESET board to recover"
This patch fixes both issues by reverting the MR24's initramfs
compression method back to gzip. And choosing to compress the
initramfs within the initramfs image as LZMA by default.
Cc: chrisrblake93@gmail.com
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
If jffs2 support was not enabled by the target, jffs2 are quite likely
to be broken, so we shouldn't build them.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Make global options menuconfig cleaner by moving POSIX ACL
and attr support options into a submenu.
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
This adds a configuration options that allows to make filesystem ACL support
the default in the kernel, except for old nfs.
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
Introduce a new symbol ALL_NONSHARED which selects all non-sharable packages
by default. This option is mainly intented for buildbot setups to build the
target dependant software subset only.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Curent ARC toolchain fails to build libstdc++ if -fno-plt is used.
Lots of following error messages appear:
------------------->8------------------
...
staging_dir/toolchain-arc_arc700_gcc-arc-2015.06_uClibc-1.0.9/arc-openwrt-linux-uclibc/bin/ld:
BFD (GNU Binutils) 2.23.2 assertion fail elf32-arc.c:2786
collect2: error: ld returned 1 exit status
------------------->8------------------
In newer binutils (still in development) for ARC rewritten from
scratch this seem to not happen, so once new binutils for ARC hit
the street this patch might be reverted.
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Felix Fietkau <nbd@openwrt.org>
Cc: Jo-Philipp Wich <jow@openwrt.org>
Cc: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 48642
Add the basic set of kernel options to allow it from mounting a NFS root
and boot from it.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
SVN-Revision: 48590
These allow the generated kernel's build metadata to be defined explicitly.
This metadata is reported, eg, at boot time and in `uname -a` on running
systems. If the variables aren't configured, the current build system username
and hostname are used as normal.
The motivation for this option is to achive reproducible (bit-for-bit
identical) kernel builds of official openwrt releases.
Signed-off-by: bryan newbold <bnewbold@robocracy.org>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48541
Revision 46834 changed IPv6 support from a module to builtin. But
since the configuration of the IPv6 kernel options was left in
package/kernel/linux/modules/netsupport.mk, this means that an
empty kmod-ipv6 module was still being generated (not packaged).
This patch moves the configuration of the IPv6 kernel options to
config/Config-kernel.in to remove this last bit of the module.
Note that CONFIG_IPV6_PRIVACY was dropped (enabled by default
since Linux v3.13), so this option is no longer needed.
See 5d9efa7ee9
Signed-off-by: Arjen de Korte <arjen+openwrt@de-korte.org>
SVN-Revision: 48132
When stack protector support is disabled in libc (always the case for
!musl), gcc assumes that it needs to use __stack_chk_guard for the stack
canary.
This causes kernel build errors, because the kernel is only set up to
handle TLS stack canaries.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 46543
Make musl provide libssp_nonshared.a and make GCC link it unconditionally
if musl is used. This should be a no-op if SSP is disabled and seems to be
the only reliable way of dealing with SSP over all packages due to the mess
that is linkerflags handling in packages.
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46108
Memory Resource Controller no longer depends on Resource counters since
Kernel version 4.0.
3.18 is the only still supported version needing Resource counters for
MEMCG, thus declare the dependency only for that version.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 46024
This changes the x86 image generation to match x86_64, using the PARTUUID for
the rootfs instead of explicitly configuring the device.
It unbreaks KVM with VirtIO, which uses /dev/vda2 instead of /dev/sda2.
Tested in QEMU/KVM with VirtIO, VirtualBox and VMware.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 44966
Split out kmods from ALL to make it easier to create local builds that
are compatible kmod-wise with releases.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 44830
This is needed by many services to function properly and as
all modern distributions got it enabled, it starts to be a
de-facto standard, i.e. user-space starts to silently depend
on it.
This also pulls in EXPORTFS, however, the kernel binary size
increases only a little.
On ARM systems comes down to 800 bytes uncompressed and about
200 bytes compressed size.
On MIPS systems it's about 1.2 kB size increase of the LZMA
compressed kernel.
v2: use menuconfig option instead of just enabling the option
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 44765
It's the eglibc packaging with a bit of spit-polishing. And testing. :-)
[blogic: merged glibc and eglibc into 1 and made eglibc a glibc variant]
Signed-off-by: Jeff Waugh <jdub@bethesignal.org>
Signed-off-by: John Crispin <blogic@openwrt.org>
SVN-Revision: 44701