Commit Graph

21253 Commits

Author SHA1 Message Date
Daniel Golle
fc865eb3ae uboot-envtools: replace use of platform_get_bootdev
Use new function fitblk_get_bootdev in /lib/upgrade/common.sh instead.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-26 01:29:22 +00:00
Daniel Golle
5992f976b3 base-files: recognize bootdevice on devices using fitblk
Boards using the fitblk driver need special treatment when it comes to
detecting the actual block device used to store the image used to boot
from. Transparently handle this in 'export_bootdevice' and provide new
'fitblk_get_bootdev' function to replace implementations in
/lib/upgrade/platform.sh.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-26 01:29:22 +00:00
Paweł Owoc
c2537f3c8f ipq-wifi: update to version 2024-02-25, remove unused ipq8174 extension
fc30aee ipq8074: remove regdomain, update regdb and rename MX4200 BDF
Remove unused ipq8174 extension

Signed-off-by: Paweł Owoc <frut3k7@gmail.com>
2024-02-25 15:04:31 +01:00
Daniel Golle
c378927ef8 procd: update to git HEAD
2f94972 hotplug-dispatch: don't filter empty env variables
 1901aba system: break infite loop resolving rootfs type

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-24 04:00:15 +00:00
Daniel Golle
6368ed1ae5 mediatek: mt7623: phase out uImage.FIT partition parser
Use the new fitblk driver on the BananaPi R2 as well as UniElec U7623.
Introduce boot device selection for fitblk's /chosen/rootdisk
handle, similar to how it is already done on MT7622, MT7986 and MT7988.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-24 03:02:35 +00:00
Daniel Golle
9b6427e908 uboot-mediatek: fix truncated patch
The default environment for the Linksys E8450 and Belkin RT3200 got
truncated by one line due to a broken patch. While the impact was
luckily only cosmetic, fix it so bootmenu title also shows U-Boot
version again.

Fixes: 6aec3c7b5b ("mediatek: mt7622: modernize Linksys E8450 / Belkin RT3200 UBI build")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-24 03:02:35 +00:00
Marcin Gajda
07b9186e88 ipq40xx: Add support Netgear LBR20
**Netgear LBR20** is a router with two gigabit ethernets , three wifi radios and integrated LTE cat.18 modem.

SoC Type: Qualcomm IPQ4019
RAM: 512 MiB
Flash: 256 MiB , SLC NAND, 2 Gbit (Macronix MX30LF2G18AC)
Bootloader: U-Boot
Modem: LTE CAT.18 Quectel EG-18EA ,  Max. 1.2Gbps downlink / 150Mbps uplink

WiFi class AC2200:
- radio0 : 5G on QCA9888 , WiFi5- 802.11a/n/ac MU-MIMO 2x2 , 887Mbps , 80MHz - limited for low channels
- radio1: 2,4G on IPQ4019 ,WiFi4- 802.11b/g/n MIMO2x2 300Mbps 40Mhz
- radio2: 5G on IPQ4019 , WiFi5- 802.11a/n/ac MU-MIMO 2x2 , 887Mbps ,80Mhz - limited for high channels  (from 100 up to 165) . Becouse of DFS remember to set country before turning on.

Ethernet: 2x1GbE (WAN/LAN1, LAN2)
LEDs:  section power : green and red  , section on top (orbi) drived by TLC59208F: red, green ,blue and white
USB ports: No
Buttons:  2 Reset and SYNC(WPS)
Power: 12 VDC, 2,5 A
Connector type: Barrel

OpenWRT Installation
1. Simplest way is just do upgrade from webpage with *factory.img
2. You can also do it with standard tool for Netgear's debricking - NMPRFlash
3. Most advanced way is to open device , connect to UART console and :
- Prepare OpenWrt initramfs image in TFTP server root (server IP 192.168.1.10)
- Connect serial console (115200,8n1) to UART connector
- Connect TFTP server to RJ-45 port
- Stop in u-Boot and run u-Boot command:

> setenv serverip 192.168.1.10
> set fdt_high 0x85000000
> tftpboot 0x83000000 openwrt-ipq40xx-generic-netgear_lbr20-initramfs-zImage.itb
> bootm 0x83000000

- Login via ssh
- upload or download *sysupgrade.bin ( like wget ... or scp transfer)
-  Install image via "sysupgrade -n" (like “sysupgrade -n /tmp/openwrt-ipq40xx-generic-netgear_lbr20-squashfs-sysupgrade.bin”)

Back to Stock
- Download firmware from official Netgear's webpage , it will be *.img file after decompressing.
- Use NMRPFlash tool  ( detailed insructions on project page https://github.com/jclehner/nmrpflash )

Open the case
- Unscrew nuts and remove washers from antenna's conectors.
- There are two Torx T10 screws under the label next to antenna conectors. You have to unglue this label from left and right corner to get it
- Two parts of shell covers will slide out from eachother , you have to unglue two small rubber pads and namplate sticker on bottom to do that.
- PCB is screwed with 4Pcs of Torx T10 screws
- Before lifting up PCB remove pigtiles for LTE antennas and release them from PCB and radiator (black and white wires)
- On other side of PCB ,in left bottom corner there is already soldered with 4 pins UART connector for console. Counting from left it is  +3,3V , TX , RX ,GND (reffer to this picture: https://i.ibb.co/Pmrf9KB/20240116-103524.jpg )

BDF's files are in firmware_qca-wireless  https://github.com/openwrt/firmware_qca-wireless/ and in parallel sent to ath10k@lists.infradead.org.

Signed-off-by: Marcin Gajda <mgajda@o2.pl>
2024-02-23 19:46:23 +01:00
Daniel Golle
ae2dced6ce
rpcd: update to latest git HEAD
8ef4c25 sys: use "Auto-Installed" field for packagelist

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-23 15:59:05 +01:00
Robert Marko
9bd7d8b756 ipq-wifi: fix archive hash
It seems that ipq-wifi bump included and incorrect PKG_MIRROR_HASH value,
so fix it by using:
make package/firmware/ipq-wifi/check FIXUP=1

Fixes: 70fd815e57 ("qualcommax: ipq807x: add support for Linksys MX5300")
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-02-23 14:14:05 +01:00
Eneas U de Queiroz
375dd23011 mac80211: only build ath10k with smallbuffers
When both variants of ath10k drivers are selected, any driver that is
selected along is being built twice, one for each ath10k variant.

Avoid these redundant builds by introducing an optional second parameter
to config_package that lists the variants for which the package is to be
built.

If the symbol is to be set for all of the variants, $(ALL_VARIANTS) can
be used.  This is the case for the mac80211 and cfg80211 modules.  If
the parameter is empty, then the module will be selected and thus built
when the first variant is compiled.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2024-02-23 14:02:53 +01:00
Eneas U de Queiroz
4390ea484d mac80211: build each variant in its own dir
Having different build directories is the default when the package
Makefile defines more than one variant.

Mac80211 overrides PKG_BUILD_DIR, not taking different variants in
consideration, which causes clobbering the directories when both
variants are built.

When compiled with AUTOREMOVE=y, the effect is that the package is
unnecessarily rebuilt when the package is compiled again.

Wihout AUTOREMOVE, the problem is worse: the second variant will not be
rebuilt, and you end up with the smallbuffers variant being a copy of
the regular one.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2024-02-23 14:02:53 +01:00
Paweł Owoc
70fd815e57 qualcommax: ipq807x: add support for Linksys MX5300
Hardware specification:
========
SoC: Qualcomm IPQ8072A
Flash: 512MB (Winbond W29N04GZBIBA)
RAM: 1GB (2x Nanya DDR3L NT5CC256M16ER-EK)
Ethernet: 5x 10/100/1000Mbps (Qualcomm QCA8075)
WiFi1: 5GHz ac 4x4 (Qualcomm QCA9984 + Skyworks SKY85746-11) - channels 100-169
WiFi2: 5GHz ax 4x4 (Qualcomm QCN5054 + Skyworks SKY85755-11) - channels 36-64
WiFi3: 2.4GHz ax 4x4 (Qualcomm QCN5024 + Skyworks SKY8340-11)
IoT: Bluetooth 5, Zigbee and Thread (Qualcomm QCA4024 + Skyworks SE2433T-R)
IoT Flash: 4MB (Macronix MX25R3235F)
RTC: ST M41T00S
LED: 1x RGB status (NXP PCA9633)
USB: 1x USB 3.0
Button: WPS, Reset

Flash instructions:
========
1. Manually upgrade firmware using openwrt-qualcommax-ipq807x-linksys_mx5300-squashfs-factory.bin image.
More details can be found here: https://www.linksys.com/hk/support-article?articleNum=274497
After first boot check actual partition:
- fw_printenv -n boot_part
and install firmware on second partition using command in case of 2:
- mtd -r -e kernel -n write openwrt-qualcommax-ipq807x-linksys_mx5300-squashfs-factory.bin kernel
and in case of 1:
- mtd -r -e alt_kernel -n write openwrt-qualcommax-ipq807x-linksys_mx5300-squashfs-factory.bin alt_kernel

2. Installation using serial connection from OEM firmware (default login: root, password: admin):
- fw_printenv -n boot_part
In case of 2:
- flash_erase /dev/mtd21 0 0
  nandwrite -p /dev/mtd21 openwrt-qualcommax-ipq807x-linksys_mx5300-squashfs-factory.bin
or in case of 1:
- flash_erase /dev/mtd23 0 0
  nandwrite -p /dev/mtd23 openwrt-qualcommax-ipq807x-linksys_mx5300-squashfs-factory.bin
After first boot install firmware on second partition:
- mtd -r -e kernel -n write openwrt-qualcommax-ipq807x-linksys_mx5300-squashfs-factory.bin kernel
or:
- mtd -r -e alt_kernel -n write openwrt-qualcommax-ipq807x-linksys_mx5300-squashfs-factory.bin alt_kernel

3. Installation from initramfs image using USB FAT32 formatted drive:
Stop u-boot and run:
- usb start && fatload usb 0:1 $loadaddr openwrt-qualcommax-ipq807x-linksys_mx5300-initramfs-uImage.itb && bootm $loadaddr
Write firmware to the flash from initramfs:
- mtd -e kernel -n write openwrt-qualcommax-ipq807x-linksys_mx5300-squashfs-factory.bin kernel
and:
- mtd -r -e alt_kernel -n write openwrt-qualcommax-ipq807x-linksys_mx5300-squashfs-factory.bin alt_kernel

4. Back to the OEM firmware:
- mtd -e kernel -n write FW_MX5300_1.1.9.200251_prod.img kernel
and:
- mtd -r -e alt_kernel -n write FW_MX5300_1.1.9.200251_prod.img alt_kernel

5. USB recovery:
- fw_setenv usbimage 'openwrt-qualcommax-ipq807x-linksys_mx5300-initramfs-uImage.itb'
  fw_setenv bootusb 'usb start && fatload usb 0:1 $loadaddr $usbimage && bootm $loadaddr'
  fw_setenv bootcmd 'run bootusb; aq_load_fw && if test $auto_recovery = no; then bootipq; elif test $boot_part = 1; then run bootpart1; else run bootpart2; fi'

Notes:
========
IoT device is accesible over spi. Not yet supported.

Signed-off-by: Paweł Owoc <frut3k7@gmail.com>
Reviewed-by: Robert Marko <robimarko@gmail.com>
2024-02-23 13:34:59 +01:00
Rafał Miłecki
788122cc12 base-files: sysupgrade: rename add_*files() functions
Usage of word "add" was somehow misleading in those functions:
1. They don't really add (as in: append) anything. Result files are
   created from scratch.
2. It wasn't clear what adding files means. It could be understood as
   adding actual files somewhere (to existing archive?).

Also the word "add" was also a bit ambiguous.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2024-02-22 22:19:13 +01:00
Rafał Miłecki
4a1b94adba base-files: sysupgrade: s/do_save_conffiles/create_backup_archive/
Rename function to more accurate and self-explanatory name:
1. Use "archive" in name as this functions creates tar archive
2. Avoid "conffiles" as this function may archive more than that

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2024-02-22 22:19:01 +01:00
Rafał Miłecki
4ba5eba94c base-files: sysupgrade: exit with no error for --help
Calling "sysupgrade --help" should result in printing help and exiting
with 0 code.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2024-02-22 22:18:36 +01:00
Rafał Miłecki
73da77fd00 base-files: sysupgrade: group & cleanup global variables
Group & describe them by type, drop unneeded exports.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2024-02-22 22:18:36 +01:00
Rafał Miłecki
57be93c16d base-files: sysupgrade: replace UMOUNT_ETCBACKUP_DIR with a local variable
It was used inside do_save_conffiles() only.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2024-02-22 22:18:36 +01:00
Luiz Angelo Daros de Luca
61ac147bb6 base-files: sysupgrade: fix error message and typo
Some minor error message and comment fixes.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2024-02-22 22:14:54 +01:00
Rafał Miłecki
157d6019df Revert "base-files: sysupgrade: always setup overlay when creating backup"
This reverts commit 4fa9aaf0be.

That seemed like a good idea allowing us to include any runtime
generated file in archive. Unfortuantely it broke backups with files
from mounted directories.

When mounting overlay with / as lowerdir its mounts don't propagete in
the mountpoint. That resulted in empty directories:
/tmp/overlay.XXXXXX/backup/tmp/
/tmp/overlay.XXXXXX/backup/var/
/tmp/overlay.XXXXXX/backup/dev/
/tmp/overlay.XXXXXX/backup/proc/
etc.

As some platforms / users try to backup files like /var/dhcp.leases or
/boot/cmdline.txt it means we can't use that solution.

Link: http://lists.openwrt.org/pipermail/openwrt-devel/2024-February/042320.html
Link: https://lore.kernel.org/linux-fsdevel/67bb0571-a6e0-44ea-9ab6-91c267d0642f@gmail.com/T/#u
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2024-02-22 22:08:14 +01:00
Rafał Miłecki
7bffa8ab10 Revert "base-files: sysupgrade: include uci-defaults script disabling services"
This reverts commit bf304d10e9.

That uci-defaults script worked great but generating it required
mounting root dir as overlay lowerdir that needs to be reverted.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2024-02-22 22:08:04 +01:00
Hauke Mehrtens
5df7a78e82 wifi-scripts: Support HE Iftypes with multiple entries
With mac80211_hwsim I have seen such entries in OpenWrt 22.03:
    HE Iftypes: managed, AP
The mac80211.sh script did not detect the entry and failed. Allow
arbitrary other entries before to fix this problem.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-02-22 21:45:44 +01:00
Yegor Yefremov
62acd9a2f9 dnsmasq: rework network interface ignore
In some situations (slow protocol or interfaces with auto 0), the
interfaces are not available during the dnsmasq initialization and
hence, the ignore setting will be skipped.

Install an interface trigger for ignored interfaces in case their
ifname cannot be resolved.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2024-02-22 09:17:25 +01:00
Jo-Philipp Wich
97ad8501ad ucode: update to Git HEAD (2024-02-21)
ee4af9b55cb4 vm: rework object iteration
a275399dd8e2 uci: refactor uci.changes() to match documentation
ba3855ae3775 lib: fix documentation typo for `pop()` function

Fixes: https://github.com/jow-/ucode/issues/188
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2024-02-22 09:17:25 +01:00
Mantas Pucka
44168fda78 qualcommax: ipq60xx: Add 8devices Mango DVK
8devices Mango DVK is a single board computer / devkit for 8devices Mango
system-on-module (SoM).

Specifications:
* CPU: Qualcomm IPQ6010 Quad core Cortex-A53 1.8GHz
* RAM: 512 MB
* Storage:
    * 32 MB serial NOR flash (on SoM)
    * 256 MB parallel NAND flash (on DVK)
* Ethernet:
    * 2x1G RJ45 ports(QCA8072 or QCA8075)
    * 1x2.5G RJ45 port (QCA8081)
    * 1xSFP (shares SGMII with QCA8081)
* Switch: Qualcomm Atheros IPQ6010
* WLAN:
    * 2.4GHz: QCN5121 2x2 802.11b/g/n/ax 574 Mbps PHY rate
    * 5GHz: QCN5152 2x2 802.11a/n/ac/ax 1201 Mbps PHY rate
* USB:
    * 1x USB3.0 Type-A port
    * 1x USB2.0 available at mini PCIe slot
* PCIe: 1x mini PCIe slot 1xLane Gen3 (8GT/s)
* SD/eMMC (on a single shared bus - only one can be active):
    * micro SD slot
    * eMMC module connector
* LEDs:
    * Green power led (not controllable)
    * Green 2.4GHz radio led (GPIO 67)
    * Green 5GHz radio led (GPIO 66)
* Buttons:
    * 1x (WPS GPIO79) button
* GPIOs: 2.54mm header brings out 18 GPIOs (1.8V level)
* UART: 4-pin UART header (3.3V level)
    * 115200 8N1, 3.3V-Tx-Rx-GND (3.3V is pin 1 close to boot-switch SW2)
* Power:
    * PoE IN on 2.5G port (passive 24-48V)
    * DC power terminal (12-58V)

Installation instructions:

Vendor image format is compatible with squashfs-sysupgrade image. Run:

sysupgrade -n -F openwrt-qualcommax-ipq60xx-8devices_mango-dvk-squashfs-sysupgrade.bin

Signed-off-by: Mantas Pucka <mantas@8devices.com>
2024-02-21 21:42:23 +01:00
Mantas Pucka
10ba730b7b ipq-wifi: add support for 8devices Mango board
Add support for .ipq6018 BDF suffix and add Mango board entry

Signed-off-by: Mantas Pucka <mantas@8devices.com>
2024-02-21 21:42:23 +01:00
Mantas Pucka
03935cf7de ipq-wifi: update to Git HEAD (2024-02-19)
1cc59e1 ipq6018: add 8devices Mango BDF
10279cc ipq40xx:Add support for Netgear LBR20 with two BDF's

Signed-off-by: Mantas Pucka <mantas@8devices.com>
2024-02-21 21:42:23 +01:00
Mantas Pucka
586a051d4d ath11k-firmware: add wifi firmware for ipq6018
So far only stable FW is v2.4. It exists in a different
git repo, so add custom download routine.

Signed-off-by: Mantas Pucka <mantas@8devices.com>
2024-02-21 21:42:23 +01:00
Mantas Pucka
aa6cc0a52b mac80211: ath11k: disable coldboot for ipq6018
Coldboot calibration does not work at the moment and causes failure during
wifi startup.

Signed-off-by: Mantas Pucka <mantas@8devices.com>
2024-02-21 21:42:23 +01:00
Mantas Pucka
d08d53346b qca-ssdk: support selecting PCS channel for PORT3 on IPQ6018
When QCA8072 is used in PSGMII mode with IPQ6018, PCS used for second
PHY port would overlap with one used by SGMII+ port. SoC has register
to select different PCS in such case.

Original code used PHY_ID for this decision, which also had other
issues, but is no longer viable since we moved to upstream QCA807x
driver.

Introduce DT property port3_pcs_channel to allow describing this in DT.
Default value is <2>, and for some QCA8072 designs <4> would be needed.

Signed-off-by: Mantas Pucka <mantas@8devices.com>
2024-02-21 21:42:23 +01:00
Felix Fietkau
2a752ff028 mac80211: add a fix for racy drv_sta_rc_update calls
Fixes potential crash issues in mt76 and other drivers

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-02-21 15:28:53 +01:00
Marius Durbaca
4821cb24ed uboot-rockchip: add Radxa CM3 IO board support
Add support for the Radxa CM3 IO board.

Reviewed-by: Tianling Shen <cnsztl@immortalwrt.org>
Signed-off-by: Marius Durbaca <mariusd84@gmail.com>
2024-02-21 13:29:26 +01:00
Marius Durbaca
eec0bec630 rkbin: add rk3566 atf/tpl blobs
Currently there are no atf/tpl blobs for rk3566 SoCs
so this commit adds the prebuilt firmware from the vendor.

Signed-off-by: Marius Durbaca <mariusd84@gmail.com>
2024-02-21 13:29:26 +01:00
Felix Fietkau
95e633efbd mac80211: add AQL support for broadcast/multicast packets
Should improve performance/reliability with lots of mcast packets

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-02-21 10:56:22 +01:00
Robert Marko
fb45887e85 mac80211: update to 6.6.15
Update backports to the latest 6.6 point release.

Signed-off-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-02-21 10:56:22 +01:00
Tianling Shen
afca1236f3 rockchip: add NanoPi R4S Enterprise Edition build
FriendlyElec renamed the NanoPi R4S board with EEPROM (mac address)
to "enterprise" edition, and it was added as a "new" board in upstream
kernel.

This patch switched to use that upstreamed dts and removed local
EEPROM patch.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2024-02-19 20:52:06 +01:00
Tianling Shen
23cb2b1636 uboot-rockchip: add NanoPi R2C Plus support
Add support for the FriendlyARM NanoPi R2C Plus.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2024-02-19 16:23:32 +01:00
Rafał Miłecki
bf304d10e9 base-files: sysupgrade: include uci-defaults script disabling services
Disabled services should be kept disabled after sysupgrade. This can be
easily handled using a proper uci-defaults script.

Extend sysupgrade to check for disabled services, generate uci-defaults
script disabling them and include it in backup.

Cc: Christian Marangi <ansuelsmth@gmail.com>
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Jonas Gorski <jonas.gorski@gmail.com>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2024-02-19 13:53:14 +01:00
Rafał Miłecki
4fa9aaf0be base-files: sysupgrade: always setup overlay when creating backup
Setting overlay while creating backup allows including extra files in
archive without actually writing them to flash. Right now this feature
is limited to /etc/backup/ directory and is used only for including
installed_packages.txt.

Extend this solution to make it more generic:
1. Always mount overlay while creating backup
2. Overlay whole / to don't limit it to /etc/backup/

This allows including any additional files in backups and adding more
sysupgrade features.

Cc: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Cc: Christian Marangi <ansuelsmth@gmail.com>
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Jonas Gorski <jonas.gorski@gmail.com>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2024-02-19 13:53:14 +01:00
Luiz Angelo Daros de Luca
700907bc63 base-files: sysupgrade: always cleanup after backups
When tar was failing, it was exiting immediately. Some files and the
tmpfs mount (-k) would remain breaking the next backup attempt.

Also remove redundant $? from exit builtin call as exit already returns
the last command exit code when called.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2024-02-19 12:41:40 +01:00
Luiz Angelo Daros de Luca
14ac91c68c base-files: sysupgrade: do not hide tar errors
tar stderr was probably discarded only to remove this message:

  tar: removing leading '/' from member names

However, together with that, any other error would also be discarded.
It is easier to fix that allowing the error message to be printed.

In sysupgrade, the backup file list only uses absolute paths. That way,
the solution is to remove the leading '/' from all files (sed) and chdir
to / (option -C /)

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2024-02-19 12:41:40 +01:00
Janusz Dziedzic
a56292d9f5 linux-firmware: intel: add BE200 wifi firmware
Add option to install Intel BE200 firmware
required by iwlwifi driver and Wifi7 hardware.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2024-02-18 13:49:12 +01:00
Seo Suchan
6b904fa95b ca-certificates: update to version 20240203
Update Mozilla certificate authority bundle to version 2.64

Signed-off-by: Seo Suchan <tjtncks@gmail.com>
2024-02-18 11:49:04 +01:00
Eneas U de Queiroz
472312f83f
wifi-scripts: fix FILS AKM selection with EAP-192
Fix netifd hostapd.sh selection of FILS-SHA384 algorithm with eap-192.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2024-02-17 08:36:48 -03:00
Rosen Penev
24d3eb7629
lua5.3: backport CVE fix
Also refreshed some patches

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-02-17 01:55:49 +01:00
Rosen Penev
78b0106f7d
lua: fix CVE-2014-5461
Patch taken from Debian.

Refresh patches

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-02-17 01:55:21 +01:00
Daniel Golle
f96289ddff uboot-mediatek: bpi-r3-mini: fix typo in bootmenu
Fix typo in eMMC bootmenu.

Fixes: bc25519f98 ("uboot-mediatek: add builds for BananaPi BPi-R3 mini")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-16 13:56:01 +00:00
Daniel Golle
ae1c0f1b15 mediatek: filogic: bpi-r3-mini: fix NAND flash layout
Fix NAND flash layout which was out-of-sync with the definition in
ARM TrustedFirmware-A which expects UBI to start at 0x200000.

Fixes: b03d3644cf ("mediatek: filogic: add BananaPi BPi-R3 mini")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-16 05:40:14 +00:00
Daniel Golle
b03d3644cf mediatek: filogic: add BananaPi BPi-R3 mini
Hardware specification
----------------------
 SoC: MediaTek MT7986A 4x A53
 Flash: 128MB SPI-NAND, 8GB eMMC
 RAM: 2GB DDR4
 Ethernet: 2x 2.5GbE (Airoha EN8811H)
 WiFi: MediaTek MT7976C 2x2 2.4G + 3x3 5G
 Interfaces:
  * M.2 Key-M: PCIe 2.0 x2 for NVMe SSD
  * M.2 Key-B: USB 3.0 with SIM slot
  * front USB 2.0 port
 LED: Power, Status, WLAN2G, WLAN5G, LTE, SSD
 Button: Reset, internal boot switch
 Fan: PWM-controlled 5V fan
 Power: 12V Type-C PD

Installation instructions for eMMC
----------------------------------
0. Set boot switch to boot from SPI-NAND (assuming stock rom or immortalwrt
   running there).
1. Write GPT partition table to eMMC
   Move openwrt-mediatek-filogic-bananapi_bpi-r3-mini-emmc-gpt.bin to
   the device /tmp using scp and write it to /dev/mmcblk0:
    dd if=/tmp/openwrt-*-r3-mini-emmc-gpt.bin of=/dev/mmcblk0
2. Reboot (to reload partition table)
3. Write bootloader and OpenWrt images
   Move files to the device /tmp using scp:
    - openwrt-*-bananapi_bpi-r3-mini-emmc-preloader.bin
    - openwrt-*-bananapi_bpi-r3-mini-emmc-bl31-uboot.fip
    - openwrt-*-bananapi_bpi-r3-mini-initramfs-recovery.itb
    - openwrt-*-bananapi_bpi-r3-mini-squashfs-sysupgrade.itb
   Write them to the appropriate partitions:
    echo 0 > /sys/block/mmcblk0boot0/force_ro
    dd if=/tmp/openwrt-*-bananapi_bpi-r3-mini-emmc-preloader.bin of=/dev/mmcblk0boot0
    dd if=/tmp/openwrt-*-bananapi_bpi-r3-mini-emmc-bl31-uboot.fip of=/dev/mmcblk0p3
    dd if=/tmp/openwrt-*-bananapi_bpi-r3-mini-initramfs-recovery.itb of=/dev/mmcblk0p4
    dd if=/tmp/openwrt-*-bananapi_bpi-r3-mini-squashfs-sysupgrade.itb of=/dev/mmcblk0p5
    sync

4. Remove the device from power, set boot switch to eMMC and boot into
   OpenWrt. The device will come up with IP 192.168.1.1 and assume the
   Ethernet port closer to the USB-C power connector as LAN port.

5. If you like to have Ethernet support inside U-Boot (eg. to boot via
   TFTP) you also need to write the PHY firmware to /dev/mmcblk0boot1:
    echo 0 > /sys/block/mmcblk0boot1/force_ro
    dd if=/lib/firmware/airoha/EthMD32.dm.bin of=/dev/mmcblk0boot1
    dd if=/lib/firmware/airoha/EthMD32.DSP.bin bs=16384 seek=1 of=/dev/mmcblk0boot1

Installation instructions for NAND
----------------------------------
0. Set boot switch to boot from eMMC (assuming OpenWrt is installed there
   by instructions above. Using stock rom or immortalwrt does NOT work!)

1. Write things to NAND
   Move files to the device /tmp using scp:
    - openwrt-*-bananapi_bpi-r3-mini-snand-preloader.bin
    - openwrt-*-bananapi_bpi-r3-mini-snand-bl31-uboot.fip
    - openwrt-*-bananapi_bpi-r3-mini-initramfs-recovery.itb
    - openwrt-*-bananapi_bpi-r3-mini-squashfs-sysupgrade.itb
   Write them to the appropriate locations:
    mtd write /tmp/openwrt-*-bananapi_bpi-r3-mini-snand-preloader.bin /dev/mtd0
    ubidetach -m 1
    ubiformat /dev/mtd1
    ubiattach -m 1
    volsize=$(wc -c < /tmp/openwrt-*-bananapi_bpi-r3-mini-snand-bl31-uboot.fip)
    ubimkvol /dev/ubi0 -N fip -n 0 -s $volsize -t static
    ubiupdatevol /dev/ubi0_0 /tmp/openwrt-*-bananapi_bpi-r3-mini-snand-bl31-uboot.fip
    cd /lib/firmware/airoha
    cat EthMD32.dm.bin EthMD32.DSP.bin > /tmp/en8811h-fw.bin
    ubimkvol /dev/ubi0 -N en8811h-firmware -n 1 -s 147456 -t static
    ubiupdatevol /dev/ubi0_1 /tmp/en8811h-fw.bin
    ubimkvol /dev/ubi0 -n 2 -N ubootenv -s 126976
    ubimkvol /dev/ubi0 -n 3 -N ubootenv2 -s 126976
    volsize=$(wc -c < /tmp/openwrt-*-bananapi_bpi-r3-mini-initramfs-recovery.itb)
    ubimkvol /dev/ubi0 -n 4 -N recovery -s $volsize
    ubiupdatevol /dev/ubi0_4 /tmp/openwrt-*-bananapi_bpi-r3-mini-initramfs-recovery.itb
    volsize=$(wc -c < /tmp/openwrt-*-bananapi_bpi-r3-mini-squashfs-sysupgrade.itb)
    ubimkvol /dev/ubi0 -n 4 -N recovery -s $volsize
    ubiupdatevol /dev/ubi0_4 /tmp/openwrt-*-bananapi_bpi-r3-mini-squashfs-sysupgrade.itb

3. Remove the device from power, set boot switch to NAND, power up and
   boot into OpenWrt.

Partially based on immortalwrt support for the R3 mini, big thanks for
doing the ground work!

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:30:08 +00:00
Daniel Golle
5a2eb8082f kernel: add driver for Airoha EN8811H PHY as module
Add PHY driver for Airoha EN8811H PHY and package it as kernel module.
The PHY needs to load firmware from rootfs, so there is no point in
having the driver built-into the kernel.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:30:08 +00:00
Daniel Golle
bc25519f98 uboot-mediatek: add builds for BananaPi BPi-R3 mini
The R3 mini comes with two Airoha EN8811H PHYs for 2.5G Ethernet.
The driver added to U-Boot expects the firmware for the PHY to be
stored inside UBI volume en8811h-fw or MMC boot1 hardware partition.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:30:08 +00:00
Daniel Golle
adb1e30b7e linux-firmware: package firmware for Airoha EN8811H PHY
Add package with firmware for Airoha EN8811H 2.5G Ethernet PHY which
needs to be loaded via MDIO before the PHY can be used.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:30:08 +00:00
Daniel Golle
1e58ce7652 firmware: package firmware for built-in 2.5G PHY on MT7988
Firmware for the built-in 2.5G Ethernet PHY of the MediaTek MT7988 SoC
is now part of linux-firmware, so we can package it.
Only a single file is needed with recent driver.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:30:08 +00:00
Daniel Golle
6aec3c7b5b mediatek: mt7622: modernize Linksys E8450 / Belkin RT3200 UBI build
Move fip and factory into UBI static volumes.
Use fitblk instead of partition parser.

 !! RUN INSTALLER FIRST !!
Existing users of previous OpenWrt releases or snapshot builds will
have to **re-run the updated installer** before upgrading to firmware
after this commit.
DO NOT flash or run even just the initramfs image unless you have
run the updated installer which moves the content of the 'factory'
partition into a UBI volume.

tl;dr: DON'T USE YET!

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:30:08 +00:00
Daniel Golle
41c053141e mediatek: mt7622: convert unifi6lr-v{1,2,3}-ubootmod to fitblk
No bootloader changes needed in this case, smooth transition.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:30:08 +00:00
Daniel Golle
208f6c1232 mediatek: mt7622: convert BPi-R64 to all-UBI layout and fitblk
Modernize bootloader and flash memory layout of the BPi-R64 similar to
how it has also been done for the BPi-R3.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:30:08 +00:00
Daniel Golle
8f9b10d917 arm-trusted-firmware-mediatek: add UBI-enabled builds for MT7622
Use custom UBI start address 0x80000 on MT7622 which is more than
enough for a single bl2 (MT7622 BootROM doesn't support redundant bl2).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:30:08 +00:00
Daniel Golle
8afce4893b uboot-envtools: mediatek_filogic: update bpi-r3
Unify env configuration now that BPi-R4 and BPi-R3 both use fitblk.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:30:08 +00:00
Daniel Golle
033db3a95d uboot-mediatek: bpi-r3: all-UBI NAND layout, use fitblk
Modernize U-Boot to provide a better reference:
 * store fip image in UBI now that TF-A supports that
 * switch from uImage.FIT partition parser to new fitblk
   virtual firmware block driver (root=/dev/fit0)
 * automatically set root device according to boot_mode register

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:30:08 +00:00
Daniel Golle
91b55ca4c8 arm-trusted-firmware-mediatek: add mt7986-spim-nand-ubi-ddr4
Add UBI-enabled build for MT7986 with SPIM-NAND and DDR4 for use with
the BananaPi R3 board.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:30:08 +00:00
Daniel Golle
1192554d56 uboot-envtools: filogic: add support for BananaPi R4
Add environment settings for the BananaPi BPI-R4 router board which
can boot from (and store its bootloader environment on) micro SD card,
SPI-NAND and eMMC.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:30:08 +00:00
Daniel Golle
13ddc65b2c uboot-envtools: filogic: de-duplicate UBI env settings
Use function instead of duplicating the env settings on UBI for
OpenWrt-built U-Boot over and over.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:30:08 +00:00
Daniel Golle
74a8f416f4 uboot-mediatek: update to U-Boot 2024.01 release
Rebase local patches on top of quarterly timed release, allowing to
drop numerous patches which have been accepted upstream since the
release of U-Boot 2023.07.02.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:06:37 +00:00
Daniel Golle
54f99ebe5c uboot-mediatek: add build for BPi-R4
Add build for the BananaPi R4 board which can boot from micro SD,
SPI-NAND or eMMC.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:06:37 +00:00
Daniel Golle
b165d451bd uboot-mediatek: mt7988: set rootdisk according to boot device
If nodes /chosen/rootdisk-${bootdevice} exists, set /chosen/rootdisk
phandle according to boot device selected by the bootstrap pins.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:06:37 +00:00
Daniel Golle
89fcf211cb uboot-mediatek: fix MMC erase timeout
When erasing large amounts of blocks at once this can take a long
time on slow cards. Instead of a fixed timeout, wait longer if more
blocks are being erased.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:06:37 +00:00
Daniel Golle
927334a8f7 uboot-mediatek: add basic build for ZBT-WG3526 (MT7621, 16M SPI-NOR)
Add basic U-Boot drop-in replacement compatible with the flash layout
of the vendor loader of the Zbtlink WG3526 (16M) MT7621 router board.
The idea here is a to have a reference build of uboot-mediatek also for
a simple MIPS boards more popular than MT7621 RFB.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:06:37 +00:00
Daniel Golle
ddcc8f9f4e package: add fitblk util to release /dev/fit* devices
Add minimalistic tool to allow releasing /dev/fit* devices which is
needed on sysupgrade when using the fitblk driver.
The package is hidden in menuconfig, it should only be selected by
adding it to the default package selection of boards using it.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:06:36 +00:00
Daniel Golle
7cecabbe34 arm-trusted-firmware-mediatek: use UBI on new NAND targets
Make use of recently added UBI support in MediaTek's ARM
TrustedFirmware-A on new MT7988 SoC.

Load fip from static UBI volume instead of fixed offset on SPIM-NAND
and SNFI.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:06:36 +00:00
Daniel Golle
c55c56b3fd arm-trusted-firmware-mediatek: set HIDDEN=y
Hide arm-trusted-firmware-mediatek packages from interactive config.
Exposing them only causes confusion and needed variants are anyway
selected as dependencies by uboot-mediatek packages.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-15 19:06:36 +00:00
Chukun Pan
b61ecb7d75 ipq807x: add support for CMCC RM2-6
Hardware specifications:
  SoC: Qualcomm IPQ8070A
  RAM: 512MB of DDR3
  Flash: 256MB Micron NAND
  Ethernet: 2x 1G RJ45 port
  WiFi1: QCN5024 2x2 2.4GHz
  WiFi2: QCN5054 2x2 5GHz
  Fan: 1x GPIO controlled
  Button: Reset, WPS

Flash instructions:
  Upload factory.bin in stock firmware's upgrade page.

Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
Reviewed-by: Robert Marko <robimarko@gmail.com>
2024-02-15 18:44:35 +01:00
Robert Marko
588b5df50a qca-ssdk: drop not used Malibu PHY patch
Now that Malibu (QCA807x) PHY-s use an upstream driver we dont need support
for defining address of the first PHY in the package so drop the patch.

Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-02-15 18:25:48 +01:00
Petr Štetiar
79888f9127
ugps: update to Git HEAD (2024-02-14)
69561a074d6f ugps: add quality measurement parameters

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2024-02-14 10:02:25 +00:00
Felix Fietkau
2a2abed0be wifi-scripts: create the wlan object in board_data if not present
Fixes an error in wifi detection

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-02-13 19:26:58 +01:00
Jo-Philipp Wich
7a1fac2dda ucode: update to Git HEAD (2024-02-13)
7e5830edfb38 nl80211: fix datatype of NL80211_BAND_IFTYPE_ATTR_HE_CAP_{MAC,PHY} attrs
5c8fd34bac42 nl80211: fix parsing of NL80211_BAND_ATTR_VHT_MCS_SET attribute
e8d4e4fe967d nl80211: fix decoding of NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET attribute
30a3f7ad0433 rtnl: store callback in listener registry only on success
9cbe8294909f rtnl: optimize reception of rtnl events
534417132e18 rtnl: increase event socket rx buffer size limit to 1 MiB
3f9811d2f7b7 compiler: close upvalues on loop control statements

Fixes: https://github.com/jow-/ucode.git/issues/187
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2024-02-13 17:16:04 +01:00
Nick Hainke
c47b7571f0 libxml2: update to 2.12.5
Release Notes:
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5

Fixes: CVE-2024-25062
Signed-off-by: Nick Hainke <vincent@systemli.org>
2024-02-13 12:34:56 +01:00
Nick Hainke
a42075435a binutils: update to 2.42
Refresh patch:
- 001-replace-attribute_const.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2024-02-12 23:41:03 +01:00
Sander Vanheule
6f83a708c8 base-files: move uci_set_poe() to uci-defaults.sh
PoE devices in the realtek target have the possibility to add PSE info
to the board description via 02_network. Make this available for all
targets, by moving the uci_set_poe() function to the globally available
uci-default.sh script.

Signed-off-by: Sander Vanheule <sander@svanheule.net>
2024-02-12 20:46:51 +01:00
Christian Marangi
dfc1e8cfee
qca-ssdk: drop deprecated Xiaomi LEDs quirk patch
Drop deprecated Xiaomi LEDs quirk patches as they are not needed anymore
as LEDs are now supported by the upstream qca807x driver.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-02-11 21:15:31 +01:00
Christian Marangi
c8aded65c1
qca-ssdk: add patch to support detection of PSGMII mode for PHY
If a PHY doesn't use the integrated driver, SSDK use poll the phydev to
get the real PHY mode. qca807x use PSGMII as PHY mode and this specific
mode is not detected in qca SSDK while used in the entire driver.

Add support for it in the hsl_port_phydev_interface_mode_status_get
function used to translate PHY mode to the internal SSDK value.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-02-11 21:12:29 +01:00
Christian Marangi
8d7f747757
qca-ssdk: disable Malibu PHY in favor of upstream version
Disable Malibu PHY driver in Qca SSDK in favor of the upstream version.
The same workaround are applied and the version upstream is just a drop
in replacement and is well tested from the ipq40xx target.

Also using the upstream version permits further support for LEDs.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-02-11 21:09:34 +01:00
Shiji Yang
3b74ae780c uboot-envtools: backport some usefull patches from v2024.04-rc1
Highlights:
- Silence small page read warning.
- Autodetect NAND erase size and env sectors.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2024-02-11 10:48:59 +01:00
Robert Marko
a79efe4cdf
qca-ssdk: add support for ipq60xx
IPQ60xx uses a different codename for SSDK, so lets pass the correct one
as otherwise SSDK asumes we are building for the old MIPS SoC-s.

Signed-off-by: Robert Marko <robimarko@gmail.com>
[ drop outdated commit description info ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-02-09 14:01:51 +01:00
Nick Hainke
5a016cc3af uboot-envtools: update to 2024.01
Update to latest version.

Refresh patches:
- 002-Revert-tools-env-use-run-to-store-lockfile.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2024-02-09 13:55:18 +01:00
Felix Fietkau
2b4941a6f1 wifi-scripts: fix fullmac phy detection
Checking for AP_VLAN misdetects ath10k-ath12k as fullmac, because of software
crypto limitations. Check for monitor mode support instead, which is more
reliable.

Fixes: https://github.com/openwrt/openwrt/issues/14575
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-02-09 12:18:59 +01:00
Konstantin Demin
3f96246e97 dropbear: better handle interfaces
- introduce 'DirectInterface' option to bind exactly to specified interface;
  fixes #9666 and late IPv4/IPv6 address assignment
- option 'DirectInterface' takes precedence over 'Interface'
- improve interface/address handling,
  e.g. verify count of listening endpoints due to dropbear limit (10 for now)

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
865ae1c10c dropbear: better handle receive window size
- correct maximum receive window size
- adjust receive window size against maximum allowed value
- warn about too high receive window size in syslog

improves f95eecfb

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
05100d8651 dropbear: adjust file permissions
runtime:
- adjust ownership/permissions while starting dropbear
build time:
- correct file permissions for preseed files in $(TOPDIR)/files/etc/dropbear/ (if any)

closes #10849

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
a97e0dad6e dropbear: 'rsakeyfile' -> 'keyfile' transition
end users should have done this since OpenWrt 19.07.
if they didn't do this yet - perform auto-transition.

schedule 'rsakeyfile' removal for next year release.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
ff1ccd85e8 dropbear: failsafe: handle all supported key types
dropbear may be configured and compiled with support for different host key types

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
55218bcedb dropbear: minor config reorder
move DROPBEAR_ASKPASS under DROPBEAR_DBCLIENT (in all meanings)

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
c87a192386 dropbear: split U2F/FIDO support
these options allow one to configure U2F/FIDO support in more granular way

inspired by upstream commit aa6559db

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
bf900e02c7 dropbear: add option to enable modern crypto only
reduces binary/package size and increases overall performance

also:
- adjust 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
  to build without DROPBEAR_RSA/DROPBEAR_RSA_SHA256

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
88c8053d47 dropbear: adjust allowed shell list
this takes an effect only if getusershell(3) is missing

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
7f6fcaa3bf dropbear: honor CONFIG_TARGET_INIT_PATH
fixes 65256aee

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
2d9a0be307 dropbear: disable two weak kex/mac algorithms
hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms.
A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1]

It has no place in a potentially internet-facing daemon like dropbear.
Upstream has acknowledged this and offered this solution to disable
these two until this is made to be the default in the next release
of dropbear next year. [2]

1. https://www.openssh.com/txt/release-8.2
2. https://github.com/mkj/dropbear/issues/138

Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
0b277f8659 dropbear: minor config clarification
- "default n" is not needed: options are not selected by default
- wrap config on 80 characters width (assuming tab is 8 characters long)
- add feature cost size and security notes for DROPBEAR_AGENTFORWARD
  and DROPBEAR_DBCLIENT_AGENTFORWARD:
  describe why and where it should be disabled

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
fa849fd411 dropbear: better object cleanup
improves b78aae79

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
f2b2293663 dropbear: allow more complex configuration
- switch DB_OPT_COMMON and DB_OPT_CONFIG to comma-separated lists:
  this allows to have values with "|" in DB_OPT_COMMON and DB_OPT_CONFIG
  which is more likely to be than values with commas;
  use $(comma) variable for values with commas.
- sort DB_OPT_COMMON and DB_OPT_CONFIG to have "overrides" on top of list.
- allow DB_OPT_COMMON to have values with commas.
- allow to replace multiline definitions in sysoptions.h.

improves e1bd9645

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
b5cde26048 dropbear: cherry-pick upstream patches
critical fixes:
- libtommath: possible integer overflow (CVE-2023-36328)
- implement Strict KEX mode (CVE-2023-48795)

various fixes:
- fix DROPBEAR_DSS and DROPBEAR_RSA config options
- y2038 issues
- remove SO_LINGER socket option
- make banner reading failure non-fatal
- fix "noremotetcp" behavior
- don't try to shutdown a pty
- fix test for multiuser kernels

adds new features:
- option to bind to interface
- allow inetd with non-syslog
- ignore unsupported command line options with dropbearkey

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
d4dfb566e2 dropbear: bump to 2022.83
- update dropbear to latest stable 2022.83;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop patches:
  - 001-fix-MAX_UNAUTH_CLIENTS-regression.patch
- rework patches:
  - 901-bundled-libs-cflags.patch
- refresh remaining patches

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00