Introduce configuration options to build a "hardened" OpenWRT.
Options to enable Stack-Smashing Protection, FORTIFY_SOURCE and RELRO
have been introduced.
uClibc makefile now automatically detects if SSP support is necessary.
hostapd makefile has been fixed to use "^" as sed separator since
using a comma was problematic when using "-Wl,-z,now" and the like in
TARGET_CFLAGS.
Currently enabling SSP on user space depends on enabling SSP kernel
side, this is due to the fact that TARGET_CFLAGS are used to build
kernel modules (at least). Suggestions on how to avoid this are welcome.
Using "select" instead of "depends on" doesn't seem to work with choice
entries.
Tested with a lantiq (WBMR) router, GCC 4.8, uClibc and a subset of
the available packages.
Needs to be tested with GCC 4.9 and the remaining packages.
PIE not currently included.
Signed-off-by: Alessandro Di Federico <ale+owrt@clearmind.me>
SVN-Revision: 44005
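
The sed separator problem described in the commit message above, shown as an added example. This is not code from the OpenWrt tree: the `@CFLAGS@` placeholder, the function names and the flag values are constructed for illustration. It goes one step beyond the commit by also escaping the replacement text, which makes the substitution independent of the separator chosen.

```shell
#!/bin/sh
# Constructed sample: hardening flags of the kind the commit message quotes.
TARGET_CFLAGS='-Os -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro'

# Substitute the (hypothetical) @CFLAGS@ placeholder in a template line,
# using $1 as the sed separator. Returns sed's exit status.
subst_cflags() {
    delim=$1
    template=$2
    printf '%s\n' "$template" |
        sed "s${delim}@CFLAGS@${delim}${TARGET_CFLAGS}${delim}" 2>/dev/null
}

# Escape the characters that are special in a sed replacement:
# backslash, ampersand and the separator itself.
escape_repl() {
    delim=$1
    printf '%s' "$2" | sed "s/[\\\\&${delim}]/\\\\&/g"
}

# Same substitution, but with the replacement escaped first, so the
# result no longer depends on which separator is chosen.
subst_cflags_escaped() {
    delim=$1
    template=$2
    repl=$(escape_repl "$delim" "$TARGET_CFLAGS")
    printf '%s\n' "$template" | sed "s${delim}@CFLAGS@${delim}${repl}${delim}"
}

TEMPLATE='CFLAGS += @CFLAGS@'

# Comma separator: the commas in "-Wl,-z,now" end the replacement early,
# sed reads "-z..." as flags of the s command and rejects the expression.
subst_cflags ',' "$TEMPLATE" || echo "comma separator: sed rejected the expression"

# "^" separator, as in the hostapd makefile fix: works for these flags.
subst_cflags '^' "$TEMPLATE"

# Escaped replacement: works even with the comma separator.
subst_cflags_escaped ',' "$TEMPLATE"
```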
This simplifies building device / profile specific images, and allows
the build system to parallelize generating images
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 43907
Initialize a Git repository in the SDK and use git reset / git clean
to rollback any SDK changes with "make clean" or "make dirclean".
This approach is more robust than nuking entire directory trees because
some parts of them might have been shipped with the original archive.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 43904
Implement "%s" placeholder that expands to either the target name,
e.g. "ar71xx" if the subtarget is generic or to target.subtarget, e.g.
"ar71xx.nand" if a subtarget is chosen.
Also change the default repository url template to use "%s" instead
of "%T" to reflect the directory structure used by the buildbot systems.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 43871
This commit introduces a new option CONFIG_VERSION_FILENAMES which causes
OpenWrt to embed the version number in generated image files, SDK- and
ImageBuilder archives.
The option is enabled by default if CONFIG_VERSIONOPT is set.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 43869
When using UbinizeImage with ubifs rootfs, ubinize.cfg is no longer
needed. Yet, the absence of ubinize.cfg would make the build process
abort with an error.
Fix that by checking if ubinize.cfg is present and do not call the
"classic" ubinize image generation if it isn't.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[missing new-line before UbinizeImage added intentionally]
SVN-Revision: 43788
Since GCC 4.7, GCC provides its own wrappers around ar, nm and ranlib, which
should be used for builds with link-time optimization. Since GCC 4.9, using them
is actually necessary for LTO builds using convenience libraries to succeed.
There are some packages which try to automatically detect if gcc-{ar,nm,ranlib}
exist (one example is my package "fastd" in the package repository, which tries
to use LTO). This breaks because the OpenWrt build system explicitly sets the
binutils versions of these tools.
As it doesn't cause any issues to use gcc-{ar,nm,ranlib} instead of
{ar,nm,ranlib} even without LTO, this patch just makes OpenWrt use the
GCC-provided versions by default, which fixes the build of such packages with
GCC 4.9.
(I know that builds fail though when clang is used with -flto and
gcc-{ar,nm,ranlib}, but as all OpenWrt toolchains are based on GCC, this isn't
a real issue.)
Completely cleaning the tree (or at least `make clean toolchain/clean`) is
necessary to get a consistent state after the binutils plugins support patch and
this one (as trying to use gcc-{ar,nm,ranlib} with a binutils built without
plugin support will definitely lead to a build failure).
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 43784
x64 is handled by the x86 architecture in Linux, add a case for it in
LINUX_KARCH.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
SVN-Revision: 43672
Switch to a dumber implementation that will be easier to maintain in the long
run, with only if statements instead of having nested subst calls.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
SVN-Revision: 43671
We don't ship the kernel sources, so using the base git as a feed will
fail when trying to build kernel modules with separate install steps.
Instead of trying to fixup the install steps, let's just skip building
kernel modules altogether and just create empty packages.
Out-of-kernel modules are still expected to exist and are packaged, as
for these sources are fetched during the normal build steps.
Reported-by: Jo-Philipp Wich <jow@openwrt.org>
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 43525
On out-of-tree modules depending on other out-of-tree modules from a
different tree, module dependencies are not filled properly.
This change helps with adding those dependencies in the AutoLoad call
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 43323
Building current trunk with 3.18 kernel fired some errors like 'missed
dependancy of module XXX from library kmod_YYY.ko'. This patch fixes 3
of such issues which are critical to have a successful build.
Signed-off-by: Alexey N Vinogradov <a.n.vinogradov@gmail.com>
SVN-Revision: 43318
The 3.18 kernel introduced new Kconfig options for the xt_nat and iptable_nat
kernel modules, that both belong to the ipt_nat kernel package.
Enable these new options.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
SVN-Revision: 43212
This patch adds the userspace and kernelspace for
- match NETFILTER_XT_MATCH_CLUSTER
This match can be used to deploy gateway and back-end load-sharing clusters.
- target IP_NF_TARGET_CLUSTERIP
This module allows you to configure a simple cluster of nodes
that share a certain IP and MAC address
without an explicit load balancer in front of them.
Connections are statically distributed between the nodes in this cluster.
This is used i.e. by strongswan-ha.
Signed-off-by: Christian Scheele <cs@embedd.com>
SVN-Revision: 43174
Many packages define already metadata about their license (PKG_LICENSE),
but this is only included in the ipk files.
This change allows to create the information also on the build-host,
to get an overview on the used licenses.
In the full list, also all packages without this info are shown
Signed-off-by: Thomas Langer <thomas.langer@lantiq.com>
SVN-Revision: 43070
All platforms which are using 3.10.x at the moment are upgraded.
Changelogs:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.50
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.51
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.52
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.53
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.54
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.55
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.56
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.57
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.58
A new symbol 'X86_16BIT' appeared in 3.10.52 with commit 34273f41d57ee8d854dcd2a1d754cbb546cb548f
("x86-espfix-make-it-possible-to-disable-16-bit-support.patch")
It defaults to 'unset', but it's worth a discussion to enable it
("turn off support for any 16-bit software").
Also removed the patch 0db3db45f5bd6df4bdc03bbd5dec672e16164c4e
("fix build failure on memcpy() in decompress.c"),
which is obsoleted by commit 29593fd5a8149462ed6fad0d522234facdaee6c8 upstream,
included in kernel 3.10.56.
compile tested on all platforms with:
make tools/install
make toolchain/install
make target/linux/compile
user@box:~/user/openwrt$ cat /tmp/log.txt
[Wed Oct 22 00:36:02 CEST 2014] ./smoketest.sh: ar71xx - OK
[Wed Oct 22 00:53:22 CEST 2014] ./smoketest.sh: ar7 - OK
[Wed Oct 22 01:08:27 CEST 2014] ./smoketest.sh: au1000 - OK
[Wed Oct 22 01:21:43 CEST 2014] ./smoketest.sh: avr32 - OK
[Wed Oct 22 01:37:47 CEST 2014] ./smoketest.sh: cns21xx - OK
[Wed Oct 22 01:52:05 CEST 2014] ./smoketest.sh: cns3xxx - OK
[Wed Oct 22 02:10:23 CEST 2014] ./smoketest.sh: gemini - OK
[Wed Oct 22 02:29:07 CEST 2014] ./smoketest.sh: ixp4xx - OK
[Wed Oct 22 02:44:01 CEST 2014] ./smoketest.sh: malta - OK
[Wed Oct 22 02:55:57 CEST 2014] ./smoketest.sh: mpc85xx - OK
[Wed Oct 22 03:07:56 CEST 2014] ./smoketest.sh: orion - OK
[Wed Oct 22 03:24:30 CEST 2014] ./smoketest.sh: ppc40x - OK
[Wed Oct 22 03:40:19 CEST 2014] ./smoketest.sh: ppc44x - OK
[Wed Oct 22 03:55:29 CEST 2014] ./smoketest.sh: realview - OK
[Wed Oct 22 04:09:47 CEST 2014] ./smoketest.sh: sparc - OK
[Wed Oct 22 04:23:37 CEST 2014] ./smoketest.sh: x86 - OK
[Wed Oct 22 04:35:56 CEST 2014] ./smoketest.sh: xburst - OK
run tested on x86, au1000, ar71xx, mpc85xx and brcm47xx
Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com>
SVN-Revision: 43049
Changeset r43017 reworked the ipkg control metadata generation but broke
the export of conffiles, postinst and prerm defines.
Change the code back to rely on shvar and shexport, this is required to
properly output multiline contents.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 43041
- Consider not installed feeds as well
- Add option to decide whether to comment disabled feeds
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 42931
I defined a new download method @SAVANNAH in include/download.mk and scripts/download.pl,
and converted quilt and qemu to use that method.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 42840
The build system sets a make variable TAR_OPTIONS to the unpacking
command, i.e. "-xf -". Now if an environment variable with the same
name is set, the make variable is automatically exported to the
environment. The make variable is added to the tar command in the
makefile, and tar adds the environment variable. This results in a
command like "tar -c /some/dir -xf - -xf -" which of course doesn't
work. It is also difficult to spot as the second "-xf -" is not
visible on the command line.
I suggest this is fixed by unexporting TAR_OPTIONS as I see no use
of the environment variable, and it is changed from the original
value anyway.
Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
SVN-Revision: 42794
Otherwise the modpost steps for individual modules that are compiled
manually (using make package/<name_of_module>/install) will give warning
of missing symbols when that module depends on other modules.
This is caused by the Module.symvers file not containing any symbols
anymore of external modules when the initramfs image is built without
specifically giving the modules target.
Signed-off-by: Tjalling Hattink <t.hattink@fugro.nl>
SVN-Revision: 42773
Recent kernels started to mark exported symbols as global.
Adapt expressions in kernel-build.mk to also match global symbols
when grep'ing through nm output.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 42555
config.{sub,guess} could be symlinks to a shared common version of
this file (e.g. in staging). So we remove the destination file via
--remove-destination option of cp. This prevents replacing the
common file that other packages could be built with if running at
the same time.
This fixes a class of errors where config.sub is missing, or
only partially present when running configure because a cp is
currently in progress
This is commonly seen building with a lot of parallel jobs and
on packages that use 'PKG_FIXUP:=autoreconf'
Signed-off-by: Matthew McClintock <mmcclint@qca.qualcomm.com>
Signed-off-by: Mathieu Olivari <mathieu@qca.qualcomm.com>
SVN-Revision: 42547
the postinst script enables/starts the init.d scripts upon package installation
and installs the users required by the package.
the prerm script stops and disables the init.d scripts.
Signed-off-by: John Crispin <blogic@openwrt.org>
SVN-Revision: 42470
this is in preparation of having services run as !root with
ACL'ed access to ubus.
Signed-off-by: John Crispin <blogic@openwrt.org>
SVN-Revision: 42469
The idea is still to enable it by default at some point
I've tested all ar71xx packages (except oldpackages) using CONFIG_ALL=y
Failing packages have been marked with PKG_CHECK_FORMAT_SECURITY:=0 for now
I can test more targets but i have no idea which are the most used
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
SVN-Revision: 42282
NFLOG and NFQUEUE targets' full support for iptables.
Includes all needed kernel modules (Xtables's and Netlink's)
and userspace libraries.
All added kernel modules can be individually disabled,
all other new libraries get their own individual packages.
Reported-by: Fabian Hugelshofer <hugelshofer2006@gmx.ch>
Reported-by: Rainer Poisel <rainer.poisel@fhstp.ac.at>
Reported-by: Derek LaHousse <dlahouss@mtu.edu>
Signed-off-by: Guillaume Déflache <guillaume.deflache@ibwag.com>
SVN-Revision: 42022
This changeset implements a new menuconfig option to generate separate
repositories for each enabled package feed instead of one monolithic one.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 42002
This commit implements a new netfilter match "xt_id" which can be used to
attach unsigned 32bit IDs to iptables rules.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 41945
Make sure they don't break the sed command, and also make device_info
and openwrt_release more robust for parsing by scripts
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 41885
Creates /etc/device_info which will be used to fill in information for
WPS and other protocols that need manufacturer/device information
This helps with creating OpenWrt firmware for OEM or rebranded devices.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 41884
205-fix-headers_install.patch is obsoleted by upstream commit 3246a0352e3d58380b9386570f1db1faf7edf8a8
Signed-off-by: John Crispin <blogic@openwrt.org>
SVN-Revision: 41351
Removed unused ubi file from template as ubinized images are
passed directly and not inside the tarball.
Also removed left-over white-space.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 41237
With this patch the mips74k subtarget will be compiled with optimized
compiler options to generate smaller and faster code. This currently
breaks broadcom-wl, because the binary blob is only compiled with
mipsr1 support.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 41050
This allows the selection of a specific branch in the menuconfig
when using a kernel downloaded from GIT.
Signed-off-by: Mathieu Olivari <mathieu@qca.qualcomm.com>
SVN-Revision: 40946
The way git options are managed in kernel-defaults.mk makes additions
difficult. It requires a different code path for each option; it's
ok so far as we handle only one option, but if we want to make the git
clone mechanism more flexible, more options will be required, which
will become tedious.
So we'll move the GIT options into a variable, that may or may not be
set depending on the configuration, and we'll pass this variable to the
git command.
Signed-off-by: Mathieu Olivari <mathieu@qca.qualcomm.com>
SVN-Revision: 40945
The GIT_LOCAL_REPOSITORY option adds the --reference argument to the
git clone kernel command line, if KERNEL_GIT_CLONE_URI is set.
This option is intended to speed-up the repo creation by using local
objects rather than downloading it. However, a local repo can be cloned
much faster by setting GIT_LOCAL_REPOSITORY directly to the local tree.
In that case, git clone will bypass the normal "git aware" transport
mechanism and clone the repository by copying and hardlinking objects
rather than downloading it, resulting in a significant speed increase.
That makes the GIT_LOCAL_REPOSITORY option pretty useless so we'll just
remove it and recommend the usage of KERNEL_GIT_CLONE_URI directly.
Signed-off-by: Mathieu Olivari <mathieu@qca.qualcomm.com>
SVN-Revision: 40944
When using the options EXTERNAL_KERNEL_TREE or KERNEL_GIT_CLONE_URI,
the command "make downloads" fails as it tries to download the kernel
tarball despite the option. This doesn't happen during a regular build
as in that case, the dependency is conditioned through the LINUX_SITE
variable, which is not set in these cases.
Below is a snapshot of the error for a target using a 3.14 kernel:
make[3]: *** No rule to make target `.../dl/linux-3.14.tar.xz',
needed by `download'. Stop.
Change-Id: I1244969c1bbf9c81a6a64d68ae88ac58b0f8e79e
Signed-off-by: Mathieu Olivari <mathieu@qca.qualcomm.com>
SVN-Revision: 40913
Remove leftover pieces from package-version-override.mk support
Add a new variable USE_SOURCE_DIR to use a custom build directory.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 40527
This change does multiple things, all related to enable sparse usage as
a static analysis tool selectable from the OpenWrt configuration:
* add a KERNEL_SPARSE option in the config to add sparse to the kernel
  build (through the C=1 option usage)
* add sparse as a new host tool. It will get selected automatically when
  the above option will be enabled
Signed-off-by: Mathieu Olivari <mathieu@qca.qualcomm.com>
SVN-Revision: 40490
udev Makefile.am has two different .pc files and put them
into two locations. Don't know if changing the udev Makefile
or changing the pkgconfig paths is the right way - someone
has to decide :)
udev and vala use an additional pkg-config dir
add it to the path
discovered because openobex did not find udev.pc
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
SVN-Revision: 39792
If a package directly depends on another package that recently changed
its ABI version, it will be cleaned up and rebuilt (assuming quilt is
not used).
This helps with packages that have no stable ABI, e.g. libubox, ubus,
etc.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 39720
Config symbols can have regular dashes, e.g.
CONFIG_TARGET_ramips_rt305x_UR-336UN=y
So no substitution should be performed on the last part of the symbol.
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
SVN-Revision: 39242
GNU grep has a high per-expression setup overhead when compiling regular
expressions. Use -F to force it to interpret the input as fixed strings,
which is much faster (fraction of a second instead of multiple minutes).
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 39049
Small journal size can lead to problems if nand flash is too big. By default
ubifs will use ~12% of volume size or a maximum of 8MiB.
Signed-off-by: Luka Perkov <luka@openwrt.org>
SVN-Revision: 38799
Kernel 3.12 now offers LZ4 compression which will make initramfs builds
fail because we do not know how to substitute the relevant config
symbols, fix that.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
SVN-Revision: 38533
When creating an image it makes no sense to have files owned by
the uid and gid on the host (and even creates a bug when for
example dropbear authorized_keys is included via env/files).
Signed-off-by: Joris de Vries <joris@apptrician.nl>
SVN-Revision: 38442
The extra commas get output by the shell resulting in errors since
the commands that get called with those extra commas are then
malformed.
Signed-off-by: Joris de Vries <joris@apptrician.nl>
SVN-Revision: 38419
Now it is possible to build ubi/ubifs images for only selected boards inside
single target.
Signed-off-by: Luka Perkov <luka@openwrt.org>
SVN-Revision: 38375
When checking out git packages, buildroot doesn't seem to track the revisions
correctly of any submodules referenced by that project. As a result, the
submodule stays at whatever revision was referenced by the head of the master
branch. Running a 'git submodule update' after the checkout fixes this problem.
Signed-off-by: Owen Kirby <osk@exegin.com>
SVN-Revision: 38359
Add package signing key and certificate configuration options to the
"Image configuration" submenu. If enabled, the Packages.gz list will
be signed as file Packages.sig. The passphrase for the signing key can
be sourced from a file or entered by the user. The signing certificate
is automatically added to the firmware image if opkg-smime is selected.
Signed-off-by: Evan Hunt <each@isc.org>
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 38284
The new root.jffs2-*-raw images can be used for firmware
images with custom padding requirements.
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
SVN-Revision: 38196
Looking at the target 'defconfig' in include/toplevel, it doesn't
directly reference $(HOME)/.openwrt/defconfig nor does it reference any
prerequisites using it as a target.
Therefore, building "defconfig" as a target uses the defaults in the
tree, but not the defaults that a user might have explicitly specified.
This patch fixes this regression from r36361.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
[florian: apply with the proper patch level, wrap at 80 columns]
Signed-off-by: Florian Fainelli <florian@openwrt.org>
SVN-Revision: 37883
Linux expects that the /dev/console node is present in
the rootfs image. Create the node in rootfs images, in
order to make std{in,out,err} usable even in early init
process.
Note: tar.gz and cpio.gz images are not handled yet.
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
SVN-Revision: 37847
Sometimes it is useful to change platform's kernel config file but with loaded
subtarget's kernel config. Good example for this use case is malta.
Example:
$ make kernel_menuconfig CONFIG_TARGET=subtarget_platform
Signed-off-by: Luka Perkov <luka@openwrt.org>
SVN-Revision: 37818
Due to a typo in the Makefile variable, mkfs.jffs2 is called
without the correct parameters.
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
SVN-Revision: 37514
Preserve order of components in initramfs image filename
when doing copy from $(KDIR) to $(BIN_DIR).
Patchwork: http://patchwork.openwrt.org/patch/3811/
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
SVN-Revision: 37452
Recent kernels removed GENERIC_GPIO and require GPIO capable
targets to select GPIOLIB instead, so check for both symbols.
Fixed #13814.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 37166
Make sure that the kernel rebuilds the initramfs cpio archive file by
deleting it before so we get it re-generated properly.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
SVN-Revision: 37125
Makes all buildbot builds fail; until we get the right software
installed, revert this changeset.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
SVN-Revision: 37122
bc is required by the kernel to compute timeconsts files, add bc to the
list of prereq to build OpenWrt.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
SVN-Revision: 37108