Mark Mentovai [Mon, 6 Jun 2022 18:53:31 +0000 (14:53 -0400)]
failsafe: fix console failsafe shell
When running a failsafe shell on a console, job control was unavailable,
and ^C did not function correctly.
This change invokes console failsafe shells via `setsid`, making them
session leaders and allowing them to claim controlling terminals, which
makes job control function properly. To support this, the busybox
`setsid` utility is enabled. This has a minimal 149-byte size impact on
a test x86_64 squashfs rootfs image.
^C was ignored in subprocesses of failsafe shells: it was not possible
to ^C out of a program that would not exit on its own, such as many
typical `ping` invocations. As job control was unavailable, it was not
possible to suspend these subprocesses either, causing a hung program to
tie up a console indefinitely, unless another means to signal the
program was available. This was caused by SIGINT being placed at
disposition SIG_IGN by the shell running preinit, which it did because
the console shell was executed asynchronously with &. That disposition
was inherited by the console shell and its subprocesses, generally
causing ^C to have no effect.
As there is no way in busybox `ash` to reset the disposition of a signal
already ignored at shell entry, and no apparent way to avoid SIGINT
being placed at SIG_IGN when & is used in preinit, an alternative
construct is needed. Now, `start-stop-daemon` is used to start (-S) the
console failsafe shell in the background (-b). This approach does not
alter SIGINT, allowing the console shell to be started with that
signal's handling intact, and normal ^C processing to occur.
busybox `ash` has some behaviors conditional on SHLVL, and while the
console shells ought to run at SHLVL=1, they were not by virtue of being
started by the shell-based preinit system. Additionally, a variety of
detritus was present in the console shell's environment, carried over
from preinit. These conditions are corrected by running the console
shell via `env -i` to clear the environment and establish a minimum and
correct set of environment variables for operation, in the same manner
as `login`. HOME is not explicitly set, because it's addressed in
/etc/profile. For non-failsafe console shells when
system.@system[0].ttylogin = 0, `login -f root` achieves a similar
effect. (`login` already started non-failsafe console shells when
ttylogin = 1 and behaved correctly. This brings the ttylogin = 0 case to
parity.) Note that even `login -f` is somewhat undesirable for failsafe
shells because it requires a viable /etc/passwd, hence the `env -i`
construct in that case.
The TERM environment variable from the preinit environment, with value
"linux", would rarely be correct for serial consoles. Now, the preinit
TERM value is preserved (or set to "linux" if unset) only when the
console is /dev/console or /dev/tty[0-9]*. Otherwise, it will be set to
a safe default appropriate for serial consoles, "vt102", as used for
serial consoles by busybox init. This "linux"/"vt102" TERM setting is
also duplicated for non-failsafe console shells.
This also indicates failsafe mode by showing "- failsafe -" on all
consoles (not just the last-defined one). It sets a hostname of
"OpenWrt-failsafe" in failsafe mode which is rendered in the shell's
prompt as a reminder of the mode during interactive failsafe use.
Previously, no hostname was set, which resulted in the kernel-default
hostname, "(none)", appearing in failsafe shell prompts.
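The following POSIX shell script is an added example, not part of OpenWrt's preinit or failsafe scripts. It reproduces two of the behaviours the message above describes so they can be checked on any Linux box: a command started with `&` from a non-interactive shell inherits SIGINT at SIG_IGN (and so do its children across exec), and the TERM selection rule that keeps "linux" only for /dev/console and /dev/tty[0-9]* and uses "vt102" elsewhere. The PATH value passed to `env -i` is an assumption for the example; `start-stop-daemon` itself is not needed to show the disposition problem.

```shell
#!/bin/sh
# Added example; not the OpenWrt preinit code.

# A child started with `&` while job control is off gets SIGINT set to
# SIG_IGN before exec, so `sh -c` inherits it and survives its own SIGINT.
# Prints "ignored" when that happens, "default" if the child was killed.
sigint_when_backgrounded() {
    sh -c 'kill -INT $$; echo ignored' 2>/dev/null &
    wait $! 2>/dev/null || echo default
}

# The same command in the foreground keeps SIGINT at its default action:
# the child dies before reaching the echo, and we report "default".
sigint_when_foreground() {
    sh -c 'kill -INT $$; echo ignored' 2>/dev/null || echo default
}

# TERM selection rule from the commit message: on the VGA console devices
# keep the inherited TERM (defaulting to "linux"); on anything else, which
# is in practice a serial port, use the safe "vt102" default.
console_term() {   # $1 = console device, $2 = TERM inherited from preinit
    case "$1" in
        /dev/console|/dev/tty[0-9]*) echo "${2:-linux}" ;;
        *)                           echo vt102 ;;
    esac
}

# Start a shell with a cleared environment and only the variables it needs,
# in the spirit of the `env -i` construct. PATH is an assumed value. The
# inner shell just reports its TERM so the result can be checked.
start_clean_shell() {   # $1 = console device
    env -i TERM="$(console_term "$1" "$TERM")" \
           PATH=/usr/sbin:/usr/bin:/sbin:/bin \
           sh -c 'printf "%s\n" "$TERM"'
}

echo "SIGINT in a backgrounded child: $(sigint_when_backgrounded)"
echo "SIGINT in a foreground child:   $(sigint_when_foreground)"
echo "TERM chosen for /dev/ttyS0:     $(console_term /dev/ttyS0 "$TERM")"
echo "TERM seen by a clean shell:     $(start_clean_shell /dev/ttyS0)"
```

On a typical system the first line prints `ignored`, which is exactly why ^C had no effect in the old failsafe shell: the disposition set for the `&` child was carried into every program it started.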
Sylvain Monné [Mon, 5 Aug 2024 13:40:12 +0000 (15:40 +0200)]
uhttpd: restart daemon if certificate has changed
Fixes #16075
When the SSL certificate used by uhttpd has been changed, calling
`/etc/init.d/uhttpd reload` will now have the effect of restarting the
daemon to make the change effective.
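One way to implement the behaviour described above, as an added example that is not the uhttpd init script: a `reload` handler compares a stored hash of the certificate with the current file and asks for a full restart when they differ. The state-file location and the use of `sha256sum` are assumptions for the example.

```shell
#!/bin/sh
# Added example; not the uhttpd init script.

# Prints "changed" when the certificate differs from the hash stored in the
# state file (or no hash was stored yet, e.g. first reload after boot),
# "unchanged" when it matches, "unreadable" when the file cannot be read.
cert_state() {   # $1 = certificate file, $2 = state file (constructed path)
    [ -r "$1" ] || { echo unreadable; return; }
    new=$(sha256sum "$1" | cut -d' ' -f1)
    old=$(cat "$2" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then
        echo unchanged
    else
        printf '%s\n' "$new" > "$2"   # remember the cert we are now serving
        echo changed
    fi
}

# What a reload handler would decide: a restart is the only way to make a
# new certificate effective, a plain reload suffices otherwise.
reload_action() {   # $1 = certificate file, $2 = state file
    case "$(cert_state "$1" "$2")" in
        changed)   echo restart ;;
        unchanged) echo reload ;;
        *)         echo "error: certificate $1 is not readable" >&2; return 1 ;;
    esac
}

# Usage: sh this.sh /etc/uhttpd.crt /var/run/uhttpd.cert.sha256
if [ $# -eq 2 ]; then
    reload_action "$1" "$2"
fi
```

The first reload after boot counts as "changed" because no hash is stored yet; that errs on the side of a restart, which is the safe direction for a certificate swap.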
r8168, r8125 and r8126 have been transferred from https://github.com/noltari to
https://github.com/openwrt.
The old URL should still work after the transfer, but let's update it anyway.
There are unpopulated areas on the board for 5 GHz WiFi via PCIe as well
as (most likely) a Quectel EG25-G 4G module. As both are not populated on
my board, support for both is missing for now.
Installation:
The installation can be done via the recovery HTTP server which is built
into the bootloader. Hold down the reset button while connecting the
device to power and keep holding a bit more than 3 seconds. Connect to
http://192.168.188.253/ and upload sysupgrade.bin file.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Romanov Danila [Wed, 14 Aug 2024 12:58:43 +0000 (15:58 +0300)]
kernel: Fix section mismatch in ubi
Fix ubiblock_create_from_param() ubiblock_create_auto_rootfs section mismatch.
Without this, the system upgrade will not work if the kernel was compiled with clang-18.
Marek Behún [Mon, 22 Jul 2024 14:57:50 +0000 (16:57 +0200)]
config: kernel: Add support for configuring BTRFS to be built-in
Add the KERNEL_BTRFS_FS config option so that targets can select
whether BTRFS support must be built-in.
Select this option (alongside KERNEL_BTRFS_FS_POSIX_ACL) from the
layerscape/armv8_64b subtarget instead of enabling it in
target/linux/layerscape/armv8_64b/config-* files.
Move disabling of CONFIG_BTRFS_FS_CHECK_INTEGRITY into generic configs.
This makes it possible for OpenWrt to be built with built-in BTRFS
support on specific boards, instead of whole targets.
Roland Reinl [Thu, 18 Jul 2024 14:10:53 +0000 (16:10 +0200)]
mediatek: Add support for Linksys EA7500 v3
Specification:
- MT7629 CPU
- MT7531 switch
- MT7761N and MT7762N wifi
- 256 MB RAM
- 128 MB NAND flash with dual-boot partitions
- 2 buttons: WPS and reset
- 1 WAN port (1G)
- 4 LAN ports (1G)
- 1 USB port
Limitations (same as other MT7629/MT7761N/MT7762N devices):
- Wifi is not working
- Second core is not working (kernel error message "CPU1: failed to come online")
Disassembly:
- There are two screws under the front rubber feet and two under the label on the bottom (in the corners towards the back, you should be able to feel them).
Serial Interface:
- UART pin header is already soldered on the board. Pinning from front to back:
1 - VCC
2 - TX
3 - RX
4 - n/a
5 - GND
GPIO:
- 1 white LED, connected to GPIO 52
- 1 reset button, connected to GPIO 60
- 1 WPS button, connected to GPIO 58
MAC Addresses:
- The MAC address printed on the device label is used for LAN and WAN
- The MAC address is stored in the devinfo partition in ASCII format (hw_mac_addr=aa:bb:cc:dd:ee)
- 2.4 GHz wifi uses MAC of the device label + 1
- 5 GHz wifi uses MAC of the device label + 2
Flashing:
- OpenWrt is only running in the first partition of dual boot
- To ensure you can go back to the factory image, flash the latest OEM firmware via the OEM web interface. This ensures that the OEM firmware is present on both partitions
- Because of dual boot partitions, flashing via OEM interface is not supported
- Start a TFTP server and provide the initramfs image. Default settings:
- Router IP: 192.168.1.1
- TFTP server IP: 192.168.1.100
- TFTP file name: 7531.bin
- Open the device, connect UART and select " 1. System Load Linux to SDRAM via TFTP." during startup
- Adapt the settings to your environment, if required
- After initramfs is booted, flash the sysupgrade image
Return to OEM firmware:
- Run the following commands in OpenWrt to switch to the second partition
fw_setenv boot_part 2
fw_setenv bootimage 2
- Reboot the device. OEM firmware will start up again
Linus Walleij [Wed, 14 Aug 2024 08:26:26 +0000 (10:26 +0200)]
bmips: inteno-xg6846: Add DSA LED definitions
This adds the LED definitions for the XG6846 DSA port LEDs.
These are standard properties compatible with the existing
Marvell 88e6xxx DT bindings and fully standardized so this
is fine to add. They will be used by the in-flight Marvell
88e6xxx LEDs support patch.
Hannu Nyman [Wed, 1 May 2024 10:53:34 +0000 (13:53 +0300)]
uhttpd: Decrease the default validity time of certificate
The recommended maximum validity period is currently 397 days
and some browsers throw a warning with longer periods.
Reference to
https://cabforum.org/working-groups/server/baseline-requirements/
6.3.2 Certificate operational periods and key pair usage periods
Subscriber Certificates issued on or after 1 September 2020
SHOULD NOT have a Validity Period greater than 397 days and
MUST NOT have a Validity Period greater than 398 days.
Pat Fruth [Wed, 1 May 2024 10:50:23 +0000 (13:50 +0300)]
uhttpd: Include new extensions in uhttpd self-signed certs
The introduction of MacOS Catalina includes new requirements for self-signed certificates.
See: https://support.apple.com/en-us/HT210176
These new requirements include the addition of two TLS server certificate extensions.
- extendedKeyUsage
- subjectAltName
The extendedKeyUsage must be set to serverAuth.
The subjectAltName must be set to the DNS name of the server.
In the absence of these new extensions, when the LuCI web interface is configured to use HTTPS and
self-signed certs, macOS users running the Google Chrome browser will not be able to access the LuCI web interface.
If you are generating self-signed certs which do not include that extension, Chrome will
report "NET::ERR_CERT_INVALID" instead of "NET::ERR_CERT_AUTHORITY_INVALID". You can click through to
ignore the latter, but not the former.
This change updates the uhttpd init script to generate a self-signed cert that meets the new requirements.
Signed-off-by: Pat Fruth <pat@patfruth.com>
Link: https://github.com/openwrt/openwrt/pull/15366
Signed-off-by: Robert Marko <robimarko@gmail.com>
Hannu Nyman [Wed, 1 May 2024 11:49:46 +0000 (14:49 +0300)]
px5g-mbedtls: add subjectAltName and extendedKeyUsage to SSL certs
To better accommodate the requirements of current browsers, self-signed
x509 SSL certificates should also have subjectAltName and
extendedKeyUsage defined.
The following case sensitive options are now possible:
-addext subjectAltName=DNS:...
-addext subjectAltName=EMAIL:...
-addext subjectAltName=IP:...
-addext subjectAltName=URI:...
-addext extendedKeyUsage=serverAuth OR -addext extendedKeyUsage=any
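As an added example that is neither the uhttpd init script nor px5g, the script below uses the `openssl` CLI (1.1.1 or newer, which has `req -addext` and `x509 -ext`) to generate a self-signed server certificate carrying the two extensions the three commits above call for, at the 397-day validity the CA/Browser Forum text quoted above recommends, and then checks an arbitrary certificate for those extensions. The DNS name, organisation and output paths are constructed for the example; the `-addext` syntax matches the px5g options listed above.

```shell
#!/bin/sh
# Added example; not OpenWrt's uhttpd init script and not px5g.

# Self-signed server certificate with subjectAltName=DNS:<name> and
# extendedKeyUsage=serverAuth, valid for 397 days.
gen_selfsigned() {   # $1 = DNS name, $2 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 397 \
        -subj "/CN=$1/O=OpenWrt" \
        -addext "subjectAltName=DNS:$1" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$2/key.pem" -out "$2/cert.pem" >/dev/null 2>&1
}

# The same certificate without either extension, i.e. what a generator
# that predates these requirements produces; used here as the negative case.
gen_without_exts() {   # $1 = DNS name, $2 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 397 \
        -subj "/CN=$1/O=OpenWrt" \
        -keyout "$2/key.pem" -out "$2/cert.pem" >/dev/null 2>&1
}

# Prints "ok" when the certificate has a DNS subjectAltName entry and an
# extendedKeyUsage that includes serverAuth; otherwise lists what is missing.
check_cert_exts() {   # $1 = certificate (PEM)
    ext=$(openssl x509 -in "$1" -noout -ext subjectAltName,extendedKeyUsage 2>/dev/null || true)
    missing=""
    printf '%s\n' "$ext" | grep -q 'DNS:' \
        || missing="$missing subjectAltName"
    printf '%s\n' "$ext" | grep -q 'TLS Web Server Authentication' \
        || missing="$missing extendedKeyUsage"
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# Usage: sh this.sh router.lan /tmp/certs   (directory must exist)
if [ $# -eq 2 ]; then
    gen_selfsigned "$1" "$2" && check_cert_exts "$2/cert.pem"
fi
```

`check_cert_exts` is the part worth keeping around: pointed at a deployed certificate it tells you whether a browser applying the rules described above will reject it outright (`NET::ERR_CERT_INVALID`) rather than merely warn.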
Marek Behún [Tue, 13 Aug 2024 07:24:11 +0000 (09:24 +0200)]
firmware: omnia-mcu-firmware: Bump to 4.1
Bump `omnia-mcu-firmware` to version 4.1.
This version fixes the following issue on boards with GD32 MCU:
* the user has old GD32 MCU bootloader and application (version 2.0)
* the user upgraded MCU application firmware to newer version (from
2.99 to 4.0)
* the user wants to upgrade application again, but it is impossible,
because when MCU application firmware jumps into the old MCU
bootloader firmware (2.0), the old bootloader firmware gets stuck in
exception
* the user has to restart the board and upgrade the bootloader firmware
first, which is not ideal, since if bootloader firmware upgrade is
interrupted, the board gets bricked
Therefore the `omnia-mcutool` utility version 0.3-rc3 will refuse to
upgrade MCU application firmware to versions 2.99 to 4.0 if the MCU
bootloader firmware is at version 2.0.
For users to be able to upgrade MCU application firmware on GD32
boards, they will need this new 4.1 version.
Users that already upgraded the MCU application firmware to a version
between 2.99 and 4.0 (using a previous version of the
`omnia-mcutool` utility) have no other choice but to upgrade the MCU
bootloader firmware as well.
Rosen Penev [Mon, 12 Aug 2024 17:23:06 +0000 (10:23 -0700)]
mpc85xx: fix wdr4900 ethernet
997acc7f86ca985cba52f7ea8b72f0661a1e3c52 split this PHY driver up such
that external QCA switches now use CONFIG_QCA83XX_PHY. Fix it here so
that ethernet works again.
5. Flash new firmware
router# run mtd -r write /tmp/fw.bin OS1
6. Check result
Wait about 5-10 minutes after flash. Router should reboot itself and
turn left led from orange to blue.
In case of failure one can use Xiaomi 4a 100m debrick tool
(it uploads special image via tftpd in recovery mode)
After that you can start again from step 1.
Other actions are very similar to the original Mi Router 4A 100M
1 mm: restrict the pcp batch scale factor to avoid too long latency
A new kconfig option (PCP_BATCH_SCALE_MAX) is added to
set the max batch scale factor. Its default value is 5,
and users can reduce it when necessary.
uboot-envtools: Add support for Orange Pi R1 Plus & LTS
Add support for these boards to the envtools config
This commit integrates the latest changes from new U-Boot, which includes important updates to the DTSI files for the Orange Pi R1 Plus and Orange Pi R1 Plus LTS boards.
Daniel Golle [Sun, 11 Aug 2024 17:14:12 +0000 (18:14 +0100)]
base-files: get rid of forgotten traces of fitblk_get_bootdev
The function fitblk_get_bootdev doesn't exist any more, using it in
export_bootdevice anyway never made much sense and only worked for
classic block devices.
Just drop /dev/fit* handling there, it isn't needed anywhere.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Daniel Golle [Sun, 11 Aug 2024 22:45:46 +0000 (23:45 +0100)]
mediatek: add script to trigger scrubbing of FIP-in-UBI
Read the 'fip' static volume in order to trigger scrubbing in case of
detecting flipped bits while reading.
We have to do this in Linux because we never read or touch the 'fip'
volume and the UBISPL implementation in ARM TrustedFirmware-A does NOT
handle scrubbing itself.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Daniel Golle [Mon, 12 Aug 2024 02:06:14 +0000 (03:06 +0100)]
generic: import patch lowering bitflip_threshold on SPI-NAND
Reporting an unclean read from SPI-NAND only when the maximum number
of correctable bitflip errors has been hit seems a bit late.
UBI LEB scrubbing, which depends on the lower MTD device reporting
correctable bitflips, then only kicks in when it's almost too late.
Set bitflip_threshold to 75% of the ECC strength, which is also the
default for raw NAND.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Daniel Golle [Sun, 11 Aug 2024 22:18:53 +0000 (23:18 +0100)]
arm-trusted-firmware-mediatek: fix NAND read failure on SNFI
A bug has plagued bl2 which caused failure to boot and bricked Linksys
E8450 and Belkin RT3200 devices in case of correctable bitflips being
detected during a read operation. A simple logic error resulted in the
read being considered erroneous instead of just continuing in case of
correctable bitflips.
Address this by importing a patch fixing that logic error.
The issue, which has been dubbed the "OpenWrt Kiss of Death", is
now a thing of the past.
Users should preemptively update bl2 to prevent their devices being at
risk.
Paul Spooren [Thu, 8 Aug 2024 15:31:18 +0000 (17:31 +0200)]
sdk: fix APK key creation
The keys are created differently compared to the old OPKG keys. Instead
of being part of base-files/configure, they are created as a Makefile
requirement of `package/compile`, which is a cleaner solution.
This requirement would only be added to non-SDK environments, however
APK always requires keys to be available. Add an `else` case for the SDK
and create keys.
Installation: Serial connection
1. Open the AP to get access to the board. Connect RX, TX and GND.
2. Power on the AP, and short the CS pin of the SPI flash with
one of the APs GND pins.
3. Transfer the initramfs image with TFTP
(Default server IP is 192.168.0.120)
# tftpboot factory.ubi
4. Flash the rootfs partition
# flash rootfs
5. Reboot the AP
# reset
Tomas Lara [Sat, 3 Aug 2024 19:16:15 +0000 (19:16 +0000)]
rockchip: rock 3a: fix image check failed
Fixes the image check failure on system upgrade
"Image check failed:
upgrade: Device radxa,rock3a not supported by this image
upgrade: Supported devices: radxa,rock-3a"
Tianling Shen [Wed, 7 Aug 2024 18:53:51 +0000 (02:53 +0800)]
mediatek: increase phy assert time for jdcloud re-cp-03
According to RTL8221B's datasheet, the PHY requires at least 10ms
for assert and 68ms (recommended) for de-assert. So increase the
assert/de-assert time to 15ms and 68ms respectively.
Fixes: c0c3234e1720 ("mediatek: add support for JDCloud RE-CP-03")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Link: https://github.com/openwrt/openwrt/pull/16106
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
- Enable CONFIG_HWMON and CONFIG_THERMAL_HWMON on all subtargets.
- Drop kmod-thermal from bcm2712.
- Add CONFIG_SENSORS_RASPBERRYPI_HWMON generic symbol.
target/linux/archs38/image/Makefile calls gen_axs10x_sdcard_img.sh
with $(CONFIG_TARGET_ROOTFS_PARTSIZE).
Make sure a rootfs partition is built and usable.
Qingfang Deng [Fri, 28 Jun 2024 08:20:09 +0000 (16:20 +0800)]
kernel: switch crc32 implementation back to default
Commit ec885796c05a switched the crc32 implementation from default to
byte-at-a-time algorithm, which runs slower but consumes less memory.
A decade has passed, and we have already abandoned targets that had
small memory, so switch it back to default for faster speed.
Signed-off-by: Qingfang Deng <qingfang.deng@siflower.com.cn>
Enable the CONFIG_MTD_SPI_NOR_USE_VARIABLE_ERASE kernel option to allow for
U-Boot environment writing. This might be hiding a problem somewhere else,
since the w25q128fw chip supports 32K erases, still this change makes it
much easier to switch the GL-MV1000 boot media without a UART cable
connection.
Thanks to @robimarko and @hacks for the precious hints and suggesting a
better approach.
This allows booting from internal eMMC or SD card by just changing the
U-Boot mmc_dev variable.
In particular, setting mmc_dev to 1 will result in booting from the SD card.
Setting the variable to 0 will result in internal eMMC boot (the default).
Should the variable be unset or an error condition occur while reading
from SD card, internal MMC booting will be tried.
Paul Spooren [Tue, 6 Aug 2024 12:22:00 +0000 (14:22 +0200)]
apk: switch to index-trust branch
Initially APK would sign packages and package index and verify
signatures individually. With the latest change, all packages inside a
trusted index are automatically trusted.
This is important within the OpenWrt ecosystem since signing the index
happens on a different machine than the package creation.
Stan Grishin [Mon, 22 Jul 2024 08:05:51 +0000 (08:05 +0000)]
base-files: improve Dell EMC Edge620 (x86) product support
This adds auto-configuration of network ports on Dell EMC Edge620 (x86) product.
It is similar in specs/features to some of the Sophos x86-based appliances, but:
1. Serial console terminal is built in and requires just the micro-USB cable
2. Comes with both MMC (16Gb) and SSD (256Gb) installed
3. Comes with 6 ethernet ports; all 6 are functional when no SFP is used
4. Comes with two SFP cages and not one, like some of revision 3 Sophos products
5. Unlike Sophos devices, there are no non-wireless models of Edge 620,
it comes with Qualcomm Atheros QCA9880 radio
These devices can now be found both second-hand and new at online marketplaces below
(sometimes well below) US $100; I believe they make great candidates for running OpenWrt.
The ethernet network ports on the case are marked GE1 through GE6 with the
following mapping once booted into OpenWrt:
Dell's instructions for [standard configuration](https://infohub.delltechnologies.com/en-us/l/dell-emc-edge-620-advanced-activation-guide/dell-emc-sd-wan-edge-620-standard-configuration/)
recommend using GE3, GE4, GE5, or GE6 for WAN, I've selected the GE6 as the sole
WAN port under OpenWrt with the rest of ethernet ports assigned to LAN.
Please merge before 24.xx is forked and if possible, cherry-pick for 23.05
if there's no ETA for 24.xx forking.
PS. @Hurricos I'm struggling with ixgbe mappings on Sophos devices which use
very similar hardware to Dell EMC, so even though I know the sys paths for ethernet ports,
I'd prefer to do a separate commit to properly map ethernet ports to match the case markings
for this device at some point later.
Marek Behún [Tue, 6 Aug 2024 07:21:42 +0000 (09:21 +0200)]
utils: omnia-mcutool: Bump to 0.3-rc3
Bump omnia-mcutool to 0.3-rc3:
* The `--upgrade` option will now work even if MCU is in bootloader (for
example if previous upgrade was aborted).
* On boards with GD32 MCUs, `omnia-mcutool` will now refuse to upgrade
application firmware to version lower than 4.1 if bootloader version
is 2.0 (the original for first batch of boards with GD32 MCUs) since
these versions of application and bootloader are not compatible.
If user already upgraded to such a combination, an upgrade of
bootloader firmware is required.
The `--upgrade` option will inform about this and will automatically
upgrade bootloader firmware if the `--force` option is given.
(Note that version 4.1 of the MCU firmware will be released soon,
once it is properly tested.)
Use realtek,extif property instead of realtek,extif0 to extif2
by extending it with the cpu_port parameter.
The extif number is automatically calculated based on cpu_port.
Remove the rlvid analysis because for the rtl8367b family chips supported
by the driver (rtl8367rb and rtl8367r-vb), rlvid is always equal to 1.
So the code for rlvid equal to 0 is completely unnecessary.
Use realtek,extif property instead of realtek,extif0 and realtek,extif1
by extending it with the cpu_port parameter.
The extif number is automatically calculated based on cpu_port.
Stijn Tintel [Sat, 3 Aug 2024 12:55:18 +0000 (15:55 +0300)]
kernel: add missing symbol
Enabling KERNEL_DEBUG_INFO_BTF and KERNEL_KPROBE_EVENTS on 6.6 exposes
CONFIG_PROBE_EVENTS_BTF_ARGS in the kernel config. Add a build option
for it to fix build failures with KERNEL_DEBUG_INFO_BTF and
KERNEL_KPROBE_EVENTS enabled on targets using the 6.6 kernel.
Rany Hany [Wed, 31 Jul 2024 17:16:55 +0000 (17:16 +0000)]
hostapd: fix SAE H2E security vulnerability
This patch backports fixes for a security vulnerability impacting the
hostapd implementation of SAE H2E.
As upgrading hostapd would require more testing, the second mitigation
step which involves backporting several patches was adopted as outlined
in the official advisory[1].
An explanation of the impact of the vulnerability is provided from the
advisory[1]:
This vulnerability allows the attacker to downgrade the negotiated group
to another enabled group if both the AP and STA have enabled SAE H2E and
multiple groups. It should be noted that the H2E option is not enabled
by default and the attack is not applicable to the default option, i.e.,
hunting-and-pecking, since it does not have any downgrade protection for
group negotiation. In addition, the default configuration for enabled
SAE groups in hostapd is to enable only a single group, so the
vulnerability is not applicable unless hostapd has been explicitly
configured to enable more groups for SAE.