GCC supports starting version 5 --enable-default-ssp and starting version 6
--enable-default-pie.
It produces hardened binaries by default without dealing with package
compilation flags.
Signed-off-by: Julien Dusser <julien.dusser@free.fr>
Introduce a configuration option to build a "hardened" OpenWrt with
ASLR PIE support.
Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR)
by building Position Independent Executables (PIE). This new option protects
against "return-to-text" attacks.
Busybox need a special care, link is done with ld, not gcc, leading to
unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE.
If other failing packages were found, PKG_ASLR_PIE:=0 should be added to
their Makefiles.
Original Work by: Yongkui Han <yonhan@cisco.com>
Signed-off-by: Julien Dusser <julien.dusser@free.fr>
When using an external git clone for the kernel repo,
the build would fail because the build won't download
[via git] the kernel tarball.
This is because the `toolchain/kernel-headers` assumes
that the kernel would get downloaded via normal HTTP.
The reason for this is the `HostBuild` rule, which
calls the `Download/default` rule.
To use the `Download/default` we just need to conditionally
adjust some PKG_ vars.
We can safely use `LINUX_VERSION` as it was already adjusted
in the `kernel-version.mk` to avoid collisions with other tarballs.
Fixes:
https://bugs.openwrt.org/index.php?do=details&task_id=503
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
In case there is an external git repo specified,
it could overwrite the kernel tarball that was
downloaded from kernel.org.
The only identifier for such a file is the
KERNEL_GIT_CLONE_URI & KERNEL_GIT_REF symbols,
so if we have to download it we'll use that
information [after some sanitization]
to create a different filename for the kernel tarball.
If KERNEL_GIT_REF symbol is empty, HEAD will be used
as mentioned in the description of KERNEL_GIT_REF.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
The Download/git rule will do a `git checkout <git-ref>`.
So, we can use any ref we want.
No need to limit just to branches.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Add support for hostapd's radius_client_addr in order to
force hostapd to send RADIUS packets from the correct source
interface rather than letting linux select the most appropriate.
Signed-off-by: Stephan Brunner <s.brunner@stephan-brunner.net>
Off-chip NICs can run hotter than the CPU, so they're definitely
worth instrumenting.
Adding hardware monitoring increases by ~3744 and ~2672 bytes,
respectively, the sizes of the igb.ko and ixgbe.ko drivers.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This commit finally bumps ARC tools to the most recent arc-2017.09 release version.
ARC GNU tools of version arc-2017.09 bring some quite significant changes like:
* Binutils v2.29 with additional ARC patches
* GCC 7.1.1 with additional ARC patches
More information on this release could be found here:
https://github.com/foss-for-synopsys-dwc-arc-processors/toolchain/releases/tag/arc-2017.09-release
Signed-off-by: Evgeniy Didin <Evgeniy.Didin@synopsys.com>
CC: Alexey Brodkin <abrodkin@synopsys.com>
CC: John Crispin <john@phrozen.org>
Revert upstream commit 1bd773c077de "wireless: set correct mandatory rate
flags", as it breaks 11s interoperability: nodes can only associate when
neither or both have this patch. As this is a regression from released
versions, revert to the old code for now.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
The only users of this were the python packages
from the `packages` feed.
The 2 python interpreters would export some mk
files (e.g. python-package.mk) and then other
python packages would include it via this rule.
But there's a few things wrong with this approach,
most of them drawing from the fact that python host
needs to be built first, to export these mk files.
By now all uses of include_mk have been corrected
in the feeds and this can be removed.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
So that it will not try to run c_rehash with the just built binaries on
certs/demo.
Fixesopenwrt/packages#5432
Reported-by: Val Kulkov <val.kulkov@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
The iptables TRACE target is only available in raw table that's why the
dependency was moved from iptables-mod-trace into kmod-ipt-debug
Fixes FS#1219
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
This is mainly for legal considerations and not promoting the usage of
and no redistribution of binaries of patented technologies seems to be
also the established practice in other linux distros.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2b7fae4 mt76: fix returnvar.cocci warnings
939e3e0 mt76x2: dfs: avoid tasklet scheduling during mt76x2_dfs_init_params()
cf59170 mt76x2: dfs: add set_domain handler
5e4d60e mt76x2: dfs: take into account dfs region in mt76x2_dfs_init_params()
f76e25f mt76x2: fix WMM parameter configuration
34d612d mt76: retry rx polling as long as there is budget left
0f8327a mt76x2: fix TSF value in probe responses
ad3f8e9 mt76: add an intermediate struct for rx status information
58a41f1 mt76: get station pointer by wcid and pass it to mac80211
b0508d3 mt76: implement A-MPDU rx reordering in the driver code
cf3cfc4 mt76: split mt76_rx_complete
461cdf9 mt76: pass the per-vif wcid to the core for multicast rx
9b2c778 mt76: validate rx CCMP PN
302af90 mt76x2: init: disable all pending tasklets during device removal
9f685fe mt7603: init: disable tbtt tasklet during device removal
c6f8cac mt76: let mac80211 validate CCMP PN for fragmented frames
3968dae mt7603: fix 40 mhz channel bandwidth reporting
9c2e03d mt7603: fix rx LDPC reporting
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add the Embedded Wireless "Balin" platform
SoC: QCA AR9344 or AR9350
RAM: DDR2-RAM 64MBytes
Flash: SPI-NOR 16MBytes
WLAN: 2 x 2 MIMO 2.4 & 5 GHz IEEE802.11 a/b/g/n
Ethernet: 3 x 10/100 Mb/s
USB: 1 x USB2.0 Host/Device bootstrap-pin at power-up
PCI-Express: 1 x lane PCIe 1.2
UART: 1 x Normal, 1 x High-Speed
JTAG: 1 x EJTAG
GPIO: 10 x Input/Output multiplexed
The module comes already with the current vanilla OpenWrt firmware.
To update, use "sysupgrade" image directly in vendor firmware.
Signed-off-by: Catrinel Catrinescu <cc@80211.de>
Autorebuild is disabled for the toolchain to avoid build-order issues.
However, rebuilding musl is safe, so exclude it from that restriction.
Avoids the need for manual cleaning on kernel header <-> libc API
changes like the ones introduced recently
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Widora has updated their Widora Neo board recently.
The new model uses 32MB WSON-8 factor SPI flash
instead of the original 16MB SOP-8 factor SPI flash.
All the other hardware components are the same as
the first revision.
Detailed hardware specs listed below:
CPU: MTK MT7688AN
RAM: 128MB DDR2
ROM: 32MB WSON-8 factor SPI Flash (Winbond)
WiFi: Built-in 802.11n 150Mbps?
Ethernet: 10/100Mbps x1
Audio codec: WM8960
Other IO: USB OTG;
USB Power+Serial (CP2104);
3x LEDs (Power, LAN, WiFi);
2x Keys (WPS, CPU Reset)
1x Audio In/Out
1x IPEX antenna port
1x Micro SD slot
Signed-off-by: Jackson Ming Hu <huming2207@gmail.com>
Signed-off-by: Mathias Kresin <dev@kresin.me>
Rename the Widora neo by adding a flash size prefix. Move the common parts
into a dtsi to be prepare everything for upcomming support of the 32MB
version.
Migrate the Widora neo to the generic board detection as well.
Signed-off-by: Mathias Kresin <dev@kresin.me>
When CGROUPS is enabled the new option CONFIG_CGROUP_NET_CLASSID is
selectable and not handled.
Add this option to the 4.9 kernel configuration.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
commit e15c63a375
ar71xx: add support for MikroTik RouterBOARD wAP G-5HacT2HnD (wAP AC)
changed the existing rb-nor-flash-16M-ac image in a way that it would
now only support the rb-wapg-5hact2hnd.
The board show however rather be added to the existing boards in the
rb-nor-flash-16M image template.
Reported-by: Mathias Kresin <dev@kresin.me>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The USB Ethernet is not working with the patches proposed for upstream,
fix this and activate the SPI node as this board always has a SPI flash.
Both patches are also targeted for upstream kernel 4.16 and 4.17.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Instead of using our own device tree definitions use the one provided in
the upstream kernel for 4.16.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Ethernet support was initial added in kernel 4.13, but deactivated
before the final release. This is backports the changes which are
activating it again from kernel 4.15.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This is based on the code for kernel 4.9, but a lot of 4.9 patches are
backports from more recent kernel version and can be removed now.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Just refresh the sunxi kernel configuration.
This also moves the CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG option to the
config-4.9 file.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This reverts commit 666e9cf222.
The change has not been build-tested on non-x86 targets and leads to
stalled kernel builds due to unset configuration symbols there.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The patch adds support for the MikroTik RB911-2Hn (911 Lite2)
and the RB911-5Hn (911 Lite5) boards:
https://mikrotik.com/product/RB911-2Hnhttps://mikrotik.com/product/RB911-5Hn
The two boards are using the same hardware design, the only difference
between the two is the supported wireless band.
Specifications:
* SoC: Atheros AR9344 (600MHz)
* RAM: 64MiB
* Storage: 16 MiB SPI NOR flash
* Ethernet: 1x100M (Passive PoE in)
* Wireless: AR9344 built-in wireless MAC, single chain
802.11b/g/n (911-2Hn) or 802.11a/g/n (911-5Hn)
Notes:
* Older versions of these boards might be equipped with a NAND
flash chip instead of the SPI NOR device. Those boards are not
supported (yet).
* The MikroTik RB911-5HnD (911 Lite5 Dual) board also uses the
same hardware. Support for that can be added later with little
effort probably.
Installation:
1. Setup a DHCP/BOOTP Server with the following parameters:
* DHCP-Option 66 (TFTP server name): pointing to a local TFTP
server within the same subnet of the DHCP range
* DHCP-Option 67 (Bootfile-Name): matching the initramfs filename
of the to be booted image. The usable intramfs files are:
- openwrt-ar71xx-mikrotik-vmlinux-initramfs.elf
- openwrt-ar71xx-mikrotik-vmlinux-initramfs-lzma.elf
- openwrt-ar71xx-mikrotik-rb-nor-flash-16M-initramfs-kernel.bin
2. Press the reset button on the board and keep that pressed.
3. Connect the board to your local network via its ethernet port.
4. Release the button after the LEDs on the board are turned off.
Now the board should load and start the initramfs image from
the TFTP server.
5. Upload the sysupgrade image to the board with scp:
$ scp openwrt-ar71xx-mikrotik-rb-nor-flash-16M-squashfs-sysupgrade.bin root@192.168.1.1:/tmp/fw.bin
5. Log in to the running system listening on 192.168.1.1 via ssh
as root (without password):
$ ssh root@192.168.1.1
7. Flash the uploaded firmware file from the ssh session via the
sysupgrade command:
root@OpenWrt:~# sysupgrade /tmp/fw.bin
Signed-off-by: Gabor Juhos <juhosg@freemail.hu>
Add patches for the leds-gpio driver to make it usable with
open-drain and open-source kind of GPIO lines.
This type of functionality is required by various MikroTik boards.
Signed-off-by: Gabor Juhos <juhosg@freemail.hu>
Modify the rbspi_platform_setup() function to return the pointer of the
rb_info structure. This allows board specific setup routines to access
the various fields of the information. It is useful for investigating
the hardware option bits for example.
Also update the board setup codes, to ensure that those handle the new
return value correctly.
Signed-off-by: Gabor Juhos <juhosg@freemail.hu>
Add bit definitions for the 'hardware options' tag which is used in
the MikroTik devices' hardware configurations. These values can be
used in board setup codes, to do different initialization sequences.
The values were obtained from the RouterOS 6.41-rc38 patches.
Additionally, introduce two helper functions what make the processing
of the hardware options easy.
Signed-off-by: Gabor Juhos <juhosg@freemail.hu>
If a device only supports the 2nd verification method (uim),
the first method will fail as expected reporting an error:
"Command not supported"
Silence both separate methods and only report an error regarding
pin verification if both fail.
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
The kmod-lp package included both lp.ko and ppdev.ko, but ECP device
drivers may or may not require lp NOT to be loaded, needing only ppdev.
Additionally, There were no packages for any parport interface modules,
such as uss720 or parport_pc, provided here. It has not been otherwise
possible to use PC-style parport hardware for kmod-lp.
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
Support for Winbond NAND flash detection was added into the generic
patches and this conflicted with this patch adding Gigadevice support.
Fixes: 02050f7e7d ("kernel/4.{4, 9}: add manufacturer ID for Winbond NANDs")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Some part of this patch was added to the generic patches as it was
needed also for some other target. Do not add it here any more.
Fixes: 02050f7e7d ("kernel/4.{4, 9}: add manufacturer ID for Winbond NANDs")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>