"Alternate certification chains, as opposed to requiring full chain
validation. Certificate validation behavior is relaxed, similar to
openssl and browsers. Only the peer certificate must validate to a trusted
certificate. Without this, all certificates sent by a peer must be
used in the trust chain or the connection will be rejected."
This fixes e.g. uclient-fetch and curl connecting to servers using a Let's
Encrypt certificate which are cross-signed by the now expired
DST Root CA X3, see [0].
This is the recommended solution from upstream [1].
The binary size increases by ~12.3kb:
1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
[0] https://github.com/openwrt/packages/issues/16674
[1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793
Signed-off-by: Andre Heider <a.heider@gmail.com>
[bump PKG_RELEASE]
Signed-off-by: David Bauer <mail@david-bauer.net>
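The difference between the two validation behaviours quoted above, as an added illustration that is not part of the commit and not wolfSSL code. It is a simplified model: certificates are plain records, `key` and `issuer_key` stand in for real signatures, and the chain and trust store are constructed to mirror the cross-signed Let's Encrypt case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    key: str            # stands in for the subject's public key
    issuer_key: str     # key that signed this certificate
    expired: bool = False

def verifies(cert, signers):
    """True if cert is unexpired and signed by a known, unexpired signer."""
    signer = signers.get(cert.issuer_key)
    return not cert.expired and signer is not None and not signer.expired

def validate(sent_chain, trust_store, alt_chains):
    """sent_chain is leaf-first, as in the TLS Certificate message."""
    signers = {c.key: c for c in trust_store}
    # Walk the peer-supplied CA certificates from the top down to the leaf.
    for cert in reversed(sent_chain[1:]):
        if verifies(cert, signers):
            signers.setdefault(cert.key, cert)  # usable as an issuer from now on
        elif not alt_chains:
            return False    # strict: every certificate sent must chain to trust
        # relaxed: a sent certificate that fails is ignored
    return verifies(sent_chain[0], signers)  # the peer certificate must always pass

# Constructed model of the cross-signed Let's Encrypt chain described above.
LEAF = Cert("example.org", "leaf", "r3")
R3 = Cert("R3", "r3", "isrg-x1")
X1_CROSS = Cert("ISRG Root X1", "isrg-x1", "dst-x3")  # cross-signed by DST Root CA X3
SENT = [LEAF, R3, X1_CROSS]

# Constructed client trust store: self-signed ISRG Root X1 plus the expired DST root.
X1_ROOT = Cert("ISRG Root X1", "isrg-x1", "isrg-x1")
DST_X3 = Cert("DST Root CA X3", "dst-x3", "dst-x3", expired=True)
STORE = [X1_ROOT, DST_X3]

if __name__ == "__main__":
    print("strict :", validate(SENT, STORE, alt_chains=False))
    print("relaxed:", validate(SENT, STORE, alt_chains=True))
```

In relaxed mode the peer certificate still has to reach a trusted, unexpired issuer; only the extra certificates the server sent are allowed to fail.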
This firmware should only be used for mobile devices (e.g. laptops), where
AP mode functionality is typically not used. This firmware supports a lot
of power saving offload functionality at the expense of AP mode support.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Use kernel 5.10 by default
compile-tested: all devices from target (with ALL_KMODS)
run-tested: Digilent Zybo Z7-20
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
This fixes compilation of several wireless drivers that
require support for the old wireless extension to work.
One example is kmod-hermes.
The symbols are set to "y" on generic configuration.
But they were wrongly disabled on the target-specific
configuration.
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
Until now, this feature was switched on via the kernel configuration
option KERNEL_SECCOMP.
The following change a7f794cd2a now requires that
the package procd-seccomp must also be enabled for building.
However, this is not the case: we have no dependency and the imagebuilder
cannot build the image, because of the implicit package selection.
This change adds a new configuration option CONFIG_SECCOMP.
The new option has the same behaviour as the configuration
option CONFIG_SELINUX.
If the CONFIG_SECCOMP is selected then the package procd-seccomp and
KERNEL_SECCOMP is enabled for this build.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The existing wnm_disassoc_imminent ubus method only supports issuing a
bss transition request with the disassoc imminent flag set.
For use-cases, where the client is requested to roam to another BSS
without a pending disassoc, this existing method is not suitable.
Add a new bss_transition_request ubus method, which provides a more
universal way to dispatch a transition request. It takes the following
arguments:
Required:
  addr: String - MAC-address of the STA to send the request to (colon-separated)
Optional:
  abridged: Bool - Indicates if the abridged flag is set
  disassociation_imminent: Bool - Whether or not the disassoc_imminent
    flag is set
  disassociation_timer: I32 - number of TBTTs after which the client will
    be disassociated
  validity_period: I32 - number of TBTTs after which the beacon
    candidate list (if included) will be invalid
  neighbors: blob-array - Array of strings containing neighbor reports as
    hex-string
Signed-off-by: David Bauer <mail@david-bauer.net>
To allow steering daemons to be aware of the STA-decided transition
target, publish WNM transition responses to ubus. This way, steering
daemons can learn about STA-chosen targets and send a better selection
of transition candidates.
Signed-off-by: David Bauer <mail@david-bauer.net>
For some reason, the generated configure script fails to properly set up
the internal preprocessor command variable, causing the host OS check for
Darwin to fail after the last update.
Explicitly setting CPP fixes this issue
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This Kernel option allows running OpenWrt within a `firecracker` micro VM.
Firecracker is a KVM-based tool for superfast booting VMs on x86_64 and
aarch64. It makes rootfs available to the guest as a virtio-mmio device
and passes its address via the kernel cmdline. A kernel without
CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES will not recognize the rootfs
virtio-mmio device.
Suggested-by: Packet Please <pktpls@systemli.org>
Signed-off-by: Paul Spooren <mail@aparcar.org>
This Kernel option allows running OpenWrt within a `firecracker` micro VM.
Firecracker is a KVM-based tool for superfast booting VMs on x86_64 and
aarch64. It makes rootfs available to the guest as a virtio-mmio device
and passes its address via the kernel cmdline. A kernel without
CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES will not recognize the rootfs
virtio-mmio device.
Suggested-by: Packet Please <pktpls@systemli.org>
Signed-off-by: Paul Spooren <mail@aparcar.org>
97bcdcf uxc: fix segfault caused by use-after-free
6398e05 uxc: don't free the stack
324ebd0 jail: fs: add support for asymmetric mount bind
c44ab7f jail: netifd: generate netifd uci config and mount it
82dd390 jail: make use of per-container netifd via ubus
The new per-jail netifd is now configured by filtering the host
network configuration. As libuci is used for that, procd-ujail now
depends on libuci.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This reverts commit f536f5ebdd.
As Hauke commented, this causes builder failures on 5.4 kernels.
This revert includes changes to the mx100 kernel modules
dependency as well as the uci led definitions.
Tested-by: Chris Blake <chrisrblake93@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
In the "ipq40xx: switch to Kernel 5.10" discussion at GitHub,
Adrian noted [0] that these GL.iNet Conexa series devices,
GL-B1300 and GL-S1300 failed their image generation [1] as their gzipped
uImage kernel went above 4096k.
While notifying the vendor about this problem [2], I tested all U-Boot
releases from GL.iNet:
- they really fail to boot kernel above 4096k
- they don't support lzma: "Unimplemented compression type 3"
- but they boot zImage
Using zImage (xz compression) the kernel is 2909k which is
more than a megabyte away from the KERNEL_SIZE := 4096k limit.
The gzip compressed version would be 4116k.
[0]: https://github.com/openwrt/openwrt/pull/4620#issuecomment-932765776
[1]: commit 7b1fa276f5 ("ipq40xx: add testing support for kernel 5.10")
[2]: https://forum.gl-inet.com/t/ipq40xx-kernel-size-and-u-boot-v5-10-is-too-big-for-4-mb/17619
Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
This commit will add support for the Meraki MX100 in OpenWRT.
Specs:
* CPU: Intel Xeon E3-1200 Series 1.5GHz 2C/4T
* Memory: 4GB DDR3 1600 ECC
* Storage: 1GB USB NAND, 1TB SATA HDD
* Wireless: None
* Wired: 10x 1Gb RJ45, 2x 1Gb SFP
UART:
The UART header is named CONN11 and is found in the
center of the mainboard. The pinout from Pin 1 (marked
with a black triangle) to pin 4 is below:
Pin 1: VCC
Pin 2: TX
Pin 3: RX
Pin 4: GND
Note that VCC is not required for UART on this device.
Booting:
1. Flash/burn one of the images from this repo to a
flash drive.
2. Take the top off the MX100, and unplug the SATA
cable from the HDD.
3. Hook up UART to the MX100, plug in the USB drive,
and then power up the device.
4. At the BIOS prompt, quickly press F7 and then
scroll to the Save & Exit tab.
5. Scroll down to Boot Override, and select the
UEFI entry for your jumpdrive.
Note: UEFI booting will fail if the SATA cable for
the HDD is plugged in.
The issue is explained under the Flashing instructions.
Flashing:
1. Ensure the MX100 is powered down, and not plugged
into power.
2. Take the top off the MX100, and unplug the SATA
cable from the HDD.
3. Using the Mini USB female port found by the SATA
port on the motherboard,
flash one of the images to the system. Example:
`dd if=image of=/dev/sdb conv=fdatasync` where sdb
is the USB device for the MX100's NAND.
4. Unplug the Mini USB, hook up UART to the MX100,
and then power up the device.
5. At the BIOS prompt, quickly press F7 and then
scroll to the Boot tab.
6. Change the boot order and set UEFI: USB DISK 2.0
as first, and USB DISK 2.0 as second.
Disable the other boot options.
7. Go to Save & Exit, and then select Save Changes and
Reset
Note that OpenWRT will fail to boot in UEFI mode when
the SATA hard drive is plugged in. To fix this, boot
with the SATA disk unplugged and then run the following
command:
`sed -i "s|hd0,gpt1|hd1,gpt1|g" boot/grub/grub.cfg`
Once the above is run, OpenWRT will boot when the HDD
is plugged into SATA. The reason this happens is the
UEFI implementation for the MX100 will always set
anything on SATA to HD0 instead of the onboard USB
storage, so we have to accommodate it since OpenWRT's
GRUB does not support detecting a boot disk via UUID.
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
This adds a userspace interpretation of the nu801 driver used by Meraki
hardware. Previously this was a driver that was added per target, but as
multiple targets now have this driver, we should move to something that
can be shared by all targets since no driver exists upstream.
Co-developed-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
try to reduce the kernel size by disabling and moving
options from the common kernel configuration to the
SATA target that doesn't have the constraints.
For NAND this has become necessary because as with 5.10
some devices outgrew their kernels. Though, in my tests
this didn't help much: just a smidgen over 100kib was
saved on the uncompressed kernel.
... running make kernel_oldconfig also removed some
other config symbols, mostly those that are already set
from elsewhere or became obsolete in the meantime.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
disables the MX60(W) from being built by the builders for now.
But there's an effort to bring it back:
<https://github.com/openwrt/openwrt/pull/4617>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
The D-Link DIR-685 has a small screen with a framebuffer
console, so if we have this, when we start, display the
banner on this framebuffer console so the user knows they
are running OpenWRT as root filesystem.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Due to 5.10 increased kernel size, the current 4MiB-ish kernel
partition got too small. Luckily, netgear's uboot environment
is set up to read 0x60000 bytes from the kernel partition location.
... While at it: also do some cleanups in the DTS in there.
The original (re-)installation described in
commit d82d84694e ("apm821xx: add support for the Netgear WNDAP620 and WNDAP660")
seemed to be still working for now. What I noticed though
is that the bigger initramfs images needed to use a different
destination address (1000000) to prevent it overwriting
itself during decompression. i.e:
# tftp 1000000 openwrt-...-wndap620-initramfs-kernel.bin
# bootm
However, in case of the WNDAP620+660 the factory.img image can be
written directly to the flash through uboot.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Both NAND and SATA targets need the DMA engine in one way
or another.
Due to a kernel config refresh various existing symbols
got removed from the apm821xx main config file as well.
(That being said, they are still included because the
built-in crypto4xx depends on these.)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
While the binary `python3.10` is correctly detected by the build system
the default `python3` binary is currently not detected if pointing to a
Python 3.10 installation.
Fix this by extending the grep regex.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Kernel has added the different variants of the Rock Pi 4 in commit
b5edb0467370 ("arm64: dts: rockchip: Mark rock-pi-4 as rock-pi-4a
dts"). The former Rock Pi 4 is now Rock Pi 4A.
For compatibility with kernel 5.4, this rename has been held back
so far. Having switched to kernel 5.10 now, we can finally apply
it in our tree as well.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Now that we have fully switched to nvmem interface we can drop
the use of mtd-mac-address patches as it's not used anymore and
the new nvmem implementation should be used for any new device.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
LED labels got reversed by accident, so fix it to the usual color:led_name format.
Fixes: 78cf3e53b1 ("mvebu: add Globalscale MOCHAbin")
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
[add Fixes:]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Linux 5.10 has been there as testing kernel for a while now.
Do the switch and drop config and patches for Linux 5.4.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Enable kernel options to allow loading device tree overlay via configfs
at runtime. This is useful for devboards like the BPi-R2 and BPi-R64
which got a RasPi-compatible 40-pin GPIO header which allows all sorts
of extensions.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The otto GPIO driver does not work with rtl9300 SoCs. Add
the legacy driver again and use that by default in the 9300 .dtsi
Signed-off-by: Birger Koblitz <git@birger-koblitz.de>