Commit Graph

288 Commits

Author SHA1 Message Date
Stijn Tintel
d5dc6cdc53 kernel: add missing dependency to KERNEL_RPI_AXIPERF
This symbol is added by the bcm27xx target patches so it should depend
on that target.

Fixes: efd9463dcf ("kernel: add missing symbol for bcm27xx")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-05-18 13:31:05 +03:00
Stijn Tintel
efd9463dcf kernel: add missing symbol for bcm27xx
When KERNEL_PERF_EVENTS is enabled in OpenWrt, the RPI_AXIPERF symbol is
exposed. Add a build option for it to fix build failures with
KERNEL_PERF_EVENTS enabled.

Fixes: 20ea6adbf1 ("bcm27xx: add support for linux v5.15")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-05-17 20:54:25 +03:00
Stijn Tintel
500c37c56f kernel: add missing symbol
Enabling KERNEL_KPROBES exposes KERNEL_BPF_KPROBE_OVERRIDE. Add a build
option for it to fix build failures with KERNEL_KPROBES enabled.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-04-02 23:41:27 +03:00
Petr Štetiar
ce7264a6e0 config: build: cleanup whitespace issue
In order to have it tidy.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-02-19 13:10:01 +01:00
Marek Behún
45d541bb40 kernel: add kmod-vrf
Add option to compile kmod-vrf, support for Virtual Routing and
Forwarding (Lite).

This module depends on NET_L3_MASTER_DEV, which is a boolean kernel
option, so we need to create a configuration option also for this, and
make kmod-vrf depend on it.

Signed-off-by: Marek Behún <kabel@kernel.org>
2022-02-01 22:59:09 +01:00
Daniel Golle
8a324fb759
uml: make use of 'rootfs-part' feature
Use 'rootfs-part' feature instead of referencing the TARGET_uml in
Config-images.in.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-23 19:48:31 +00:00
Daniel Golle
d05ac928f6
sunxi: make use of 'rootfs-part' feature
Use 'rootfs-part' feature instead of referencing the TARGET_sunxi in
Config-images.in.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-23 19:48:25 +00:00
Daniel Golle
3a69b4bbb9
omap: make use of 'rootfs-part' feature
Use 'rootfs-part' feature instead of referencing the TARGET_omap in
Config-images.in.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-23 19:48:20 +00:00
Matthew Hagan
033b6cef94 kernel: enhance multicast routing support
Certain utilities, such as smcroute [1], require additional multicast
routing options to be enabled, otherwise they will not function
correctly. Enable these relevant dependancies when IPv4 and/or IPv6
multicast routing are enabled.

[1] https://github.com/troglobit/smcroute/blob/master/README.md#linux-requirements

This increases the uncompressed kernel size on MIPS 24kc by 8KBytes
and the compressed kernel size by 1.8KBytes.

Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
2022-01-08 00:48:39 +01:00
Oldřich Jedlička
fd4ad6cae8 x86: added support to generate VHDX images
Added support to generate dynamic-sized VHDX images for Hyper-V.
Compile-tested on x86 and run-tested on Windows 10 21H2 (Hyper-V).

Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
2021-12-05 18:49:14 +01:00
Jianhui Zhao
43b498f669 kernel: remove non-existent config symbols
The crashlog patch as not ported to kernel 5.4.

Fixes: 4e0c54bc5b ("kernel: add support for kernel 5.4")
Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
2021-11-20 18:53:14 +01:00
Stijn Tintel
38106a484c kernel: add missing symbol
Enabling KERNEL_FTRACE exposes the HIST_TRIGGERS triggers symbol. Add a
build option for it to fix build failures with KERNEL_FTRACE enabled.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-15 03:13:43 +02:00
Stijn Tintel
786cbf0fa4 kernel: fix KERNEL_KASAN_VMALLOC build option
It should be config, not CONFIG.

Fixes: cbeab2cd99 ("kernel: add another missing KASAN symbol")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-07 18:57:12 +02:00
Stijn Tintel
0ccbcb0223 kernel: add missing keyword to KERNEL_KASAN_VMALLOC
The help keyword is missing, which breaks menuconfig etc.

Fixes: cbeab2cd99 ("kernel: add another missing KASAN symbol")

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-07 18:55:17 +02:00
Stijn Tintel
cbeab2cd99 kernel: add another missing KASAN symbol
Enabling KERNEL_KASAN exposes yet another missing symbol. This did not
appear on bcm27xx but is appearing now on x86/64. Add a new kernel build
option for KASAN_VMALLOC to fix build on x86/64 with KERNEL_KASAN
enabled.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-11-07 18:38:16 +02:00
Stijn Tintel
c5fa7ec2a6 kernel: add missing UBSAN config symbols
Enabling KERNEL_UBSAN exposes several missing symbols. Add new kernel
build options for UBSAN_BOUNDS and UBSAN_TRAP, disable CONFIG_TEST_UBSAN
in the generic kernel configs and enable CONFIG_UBSAN_MISC in generic
5.10 config. The latter symbol was removed in later kernels, as it was
causing some issues, so just disable it in 5.10 instead of adding a
build option for it.

Fixes build failures with KERNEL_UBSAN enabled.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-11-07 17:38:01 +02:00
Stijn Tintel
ec68c75c62 kernel: add missing KASAN config symbols
Enabling KERNEL_KASAN exposes several missing symbols. As KASAN_SW_TAGS
is only implemented for arm64 CPUs and requires clang, it doesn't make
sense to make this a build option so just default to KASAN_GENERIC and
disable KASAN_SW_TAGS.

While at it, disable TEST_KASAN_MODULE in the generic 5.10 config.

Fixes build failures with KERNEL_KASAN enabled.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-11-07 17:26:47 +02:00
Hauke Mehrtens
bdc2194cbb config: Activate SECCOMP also on MIPS 64
This activates SECCOMP also on mips64 and mips64el.

This was working fine in a basic test in qemu.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-11-03 23:52:08 +01:00
Felix Fietkau
2d5b83197a build: add HOST_OS_LINUX and HOST_OS_MACOS config symbols
This can be used to simplify host os tests in various places

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-01 16:37:52 +01:00
Josh Soref
323bd7b0f5 build: fix various typos
Fix typos in comment and user-facing help text.

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
[split out config changes, adjust commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-10-31 21:24:47 +01:00
Rosen Penev
6b2ed6101e uclibc++: remove
No package here depends on it. Furthermore, uClibc++ is a fairly buggy
C++ library and seems to be relatively inactive upstream.

It also lacks proper support for modern C++11 features.

The main benefit of it is size: 66.6 KB	vs 287.3 KB on mips24kc. Static
linking and LTO can help bring the size down of packages that need it.

Added warning message to uclibc++.mk

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-10-24 18:20:50 +02:00
Florian Eckert
b118efa0d2
buildsystem: add CONFIG_SECCOMP
Until now, this feature was switched on via the kernel configuration
option KERNEL_SECCOMP.

The follwing change a7f794cd2a now requires that
the package procd-seccomp must also enabled for buildinmg.

However, this is not the case we have no dependency and the imagebuilder
cannot build the image, because of the implicit package selection.

This change adds a new configuration option CONFIG_SECCOMP.
The new option  has the same behaviour as the configuration
option CONFIG_SELINUX.

If the CONFIG_SECCOMP is selected then the package procd-seccomp and
KERNEL_SECCOMP is enabled for this build.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-10-16 02:00:47 +01:00
Hauke Mehrtens
d27f6e2c5d build: Replace KERNEL_LOCKUP_DETECTOR with KERNEL_SOFTLOCKUP_DETECTOR
The LOCKUP_DETECTOR configuration option split into the
SOFTLOCKUP_DETECTOR and HARDLOCKUP_DETECTOR configuration option some
time ago. The HARDLOCKUP_DETECTOR option is only working on some
architectures, but SOFTLOCKUP_DETECTOR should work everywhere. Replace
KERNEL_LOCKUP_DETECTOR with KERNEL_SOFTLOCKUP_DETECTOR.

LOCKUP_DETECTOR will be selected by SOFTLOCKUP_DETECTOR automatically.

Fixes: b951f53fba ("build: Add additional kernel debug options")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-09-13 13:04:21 +02:00
Stijn Tintel
57807f50de base-files: add option to make /var persistent
In OpenWrt, /var is symlinked to /tmp by default. This is done to reduce
the amount of writes to the flash chip, which often have not the
greatest durability. As a result, things like DHCP or UPnP lease files,
are not persistent across reboots.

Since OpenWrt can run on devices with more durable storage, it makes
sense to have an option for a persistent /var. Add an option to make
/var persistent. When enabled, /var will no longer be symlinked to /tmp,
but /var/run will be symlink to /tmp/run, as it should contains only
files that should not be kept during reboot. The option is off by
default, to maintain the current behaviour.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-08-22 18:07:51 +03:00
Paul Spooren
181054bf79 build: create profiles.json per default
The file is a info file just like config.buildinfo, feeds.buildinfo and
version.buildinfo. It bundles these and more information in a machine
readable way.

This commit enables the creation of profiles.json by default and not
only for buildbots. By doing so it follow the behaviour of the
ImageBuilder which always creates the file, lastly this increases the
files visibility for downstream projects.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-06-21 08:12:21 -10:00
李国
5876d6a62f grub2: make grub2-bios-setup as a separate package
The grub2 and grub2-efi packages should only contain boot-related code.
grub-bios-setup is the same as grub-editenv, they are both grub2 tools
and should be placed in a separate package.

Signed-off-by: 李国 <uxgood.org@gmail.com>
[use AUTORELEASE and update to SPDX]
Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-06-20 13:23:42 -10:00
Paul Fertser
04589cb549 build: Config-images: fix unit of partition sizes
The code interprets these config values as Mebibytes rather than
Megabytes so modify the description accordingly.

Signed-off-by: Paul Fertser <fercerpav@gmail.com>
[fix commit title prefix]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-06-20 00:49:06 +02:00
Daniel Golle
ebcb4f1d0a
treewide: fix spelling 'seperate' -> 'separate'
This popular spelling mistake was also introduced by myself lately.
Fix it everywhere.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-28 23:59:21 +00:00
Daniel Golle
dc68af4a13 image: improve Kconfig for seperate ramdisk option
* show only if target supports it (ie. seperate_ramdisk feature set)
* select XZ compression by default of ramdisk is seperate

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-25 16:39:55 +00:00
Daniel Golle
330bd380e8 image: allow building FIT and uImage with ramdisk
Instead of embedding the initrd cpio archive into the kernel, allow
for having an external ramdisk added to the FIT or uImage.
This is useful to overcome kernel size limitations present in many
stock bootloaders, as the ramdisk is then loaded seperately and doesn't
add to the kernel size. Hence we can have larger ramdisks to host ie.
installers with all binaries to flash included (or a web-based
firmware selector).
In terms of performance and total size the differences are neglectible.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-24 01:35:20 +00:00
Felix Fietkau
299b855418 build: make zstd initramfs selectable
fix typo in kernel initramfs zstd compression option

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-16 20:02:09 +01:00
Paul Spooren
a17b8eaa2e build: use SPDX license tags
The license folder is a core part of OpenWrt and all GPL-2.0 licensed.
Use SPDX license tags to allow machines to check licenses.

Signed-off-by: Paul Spooren <mail@aparcar.org>
[rebase, keep some Copyright lines, sharpen commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-05 14:54:47 +01:00
Daniel Golle
a21be2a703 kernel: add defaults for new SELinux options
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-05 13:17:49 +00:00
Tony Ambardar
af20332dec config: drop CONFIG_KPROBE_EVENT unused since kernel 4.9
The config setting was renamed to CONFIG_KPROBE_EVENTS.

Fixes: 97d3f800a8 ("config: kernel: Add KPROBE_EVENTS config option)
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2021-01-25 14:37:41 +01:00
Rui Salvaterra
412dc26c99 kernel: make lwtunnel support optional
Not everyone will want to bloat their kernel by 24 kiB for such a niche
feature.

Fixes: a1a7f3274e "kernel: enable SRv6 support by
enabling lwtunnel"

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-01-14 22:38:39 -10:00
Andy Walsh
9afbf33b60 kernel: drop unneeded kernel version dependency
The current master only supports kernel 5.4, and there is no reason
to remove KERNEL_IO_URING for future kernels.

Drop the unneeded dependency.

Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
[improve commit title/message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-14 01:23:16 +01:00
Nick Hainke
a1a7f3274e kernel: enable SRv6 support by enabling lwtunnel
Enable the ability to use segment routing based on IPv6. It allows the
packet to specify a path that the packet should take through the
network.

Lwtunnel allow an easy encapsulation of a package. You can just install
ip-full package and use it:

  ip -6 route add  2003::/64 dev eth0 encap seg6 mode encap \
    segs 2001::1,2002::2

An IPv6 package looks like this:
  [IPv6 HDR][IPv6 RH][IPv6 HDR][Data...]

Netifd support:
  https://git.openwrt.org/?p=project/netifd.git;
     a=commit;h=458b1a7e9473c150a40cae5d8be174f4bb03bd39

Increases imagesize by 24.125 KiB. Therefore, only enable for devices
with enough flash.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2021-01-11 11:09:05 -10:00
Nick Hainke
4943bc5cff kernel: only strip proc for small flash devices
Currently, you are not able to get statistics about IPv4 and IPv6
usage. This information can be collected via the snmp and snmp6.
However, in the current state this interface is disabled as you can
read in the "902-debloat_proc.patch":
 "Strip non-essential /proc functionality to reduce code size"

Tools like netstat use the snmp/6 interface to collect interface
statistics. Some prometheus exporters also mention this:
- prometheus-collectors/netstat.lua
- prometheus-collectors/snmp6 (still a PR)
- collectd/snmp6 (still a PR)

PRs:
- https://github.com/collectd/collectd/pull/3789
- https://github.com/openwrt/packages/pull/14158

Instead of enabling it as default for all devices we condition it
 default y if SMALL_FLASH

A test shows it needs around 16 kiB.

Signed-off-by: Nick Hainke <vincent@systemli.org>
[fixed whitespace issue]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-12-22 19:11:50 +01:00
Andy Walsh
9361964a3a kernel: add KERNEL_IO_URING option
* add KERNEL_IO_URING option

NOTES:
Adds configurable support for the io_uring interface (CONFIG_IO_URING) via KERNEL_IO_URING option.

The kernel only zImage grows by about 5-9KB ?

I would like to enable this by default for all 5.4 kernels, so i can use the new io_uring samba-4.12.x vfs module by default.

The associated liburing was already submitted and merged.
The kernel + liburing was tested on ARM/mvebu via samba4 vfs_io_uring module and i have no issues so far.

Some extra reads on it and why we should enable it by default, since i expect more packages to use this in the future.
https://wiki.samba.org/index.php/Samba_4.12_Features_added/changed#.27io_uring.27_vfs_module
https://lwn.net/Articles/810414/
https://kernel.dk/io_uring.pdf
https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.6-IO-uring-Tests

Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
2020-12-22 19:11:50 +01:00
Hauke Mehrtens
1926ffb5ab build: Add IRQSOFF and PREEMPT TRACER kernel config option
This adds the CONFIG_IRQSOFF_TRACER and the CONFIG_PREEMPT_TRACER kernel
configuration option to the OpenWrt menu. This can be used to debug
latencies in the system.
The CONFIG_PREEMPT_TRACER option needs the CONFIG_PREEMPT option which is
supposed to be used for Low-Latency Desktop and not used by many targets
in OpenWrt.

The help text is copied from the Linux kernel Kconfig.

Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
2020-12-16 22:11:19 +01:00
Daniel Golle
23049f9c31 kernel: enable kernel keyring by default on !SMALL_FLASH
Enable CONFIG_KEYS by default on systems which are not marked as
flash-space constraint by the 'small_flash' feature.
CONFIG_KEYS is required by Docker, enabling it in our kernel allows
users to run Docker on stock OpenWrt.
It is also used of by some network file systems (such as NFSv4) to
store credentials as well as UID/GID mappings.

Adds about 50kB to vmlinux on ath79/generic (~18kB compressed)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-14 17:26:45 +00:00
Daniel Golle
7b85dd3788 kernel: update and clean kernel keyring options
Add KERNEL_KEYS_REQUEST_CACHE option.
'tristate' (ie. module builds) are not valid in Config-kernel.in, hence
remove tristate KERNEL_ENCRYPTED_KEYS. It will be readded as a kernel
module in a follow-up commit.

Fixes: 39d817cf38 ("Add config symbols for kernel keyring support")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-14 17:25:14 +00:00
Daniel Golle
8663072854 config: add big EXPERIMENTAL option
As discussed in the today's (2020-12-10) meeting, add a new option to
menuconfig to group the selection of all experimental features to be
selected by default.
Developers are recommended to make use of this new symbol to guard
new features.
Other developers and community members should feel encouraged to
build with this flag enabled to help testing and provide feedback.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-10 19:33:51 +00:00
Rosen Penev
f7d7a3a18b libcxx[abi]: remove
This is a neat project, but offers no benefit to OpenWrt. The initial
reason for it was to be a replacement for libstdcpp as it is smaller
and lacks compatibility for C++98. Unfortunately, compiling several
packages with it results in larger ipk sizes.

While not a member of the packages feed, this will be moved to
packages-abandoned to keep it somewhere.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-07 10:46:43 -10:00
Petr Štetiar
796d51834c toolchain: kernel-headers: kernel Git tree mirror hash
Allow setting of mirror hash for Git kernel tree.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-11-27 14:46:13 +01:00
Rui Salvaterra
3f567d8452 tools/sstrip: update to latest version
Drop our local sstrip copy and use the current ELFKickers upstream
version.

Patch the original makefile in order to avoid building elftoc, since it
fails with musl's elf.h. This is fine, since we only need sstrip anyway.

Finally, add the possibility to pass additional arguments to sstrip and
pass -z (remove trailing zeros) by default, which matches the behaviour
of the previous version.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
[shorten long commit msg lines]
Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-26 12:44:25 -10:00
Paul Spooren
6e99e3157a config: clean double whitespace in Config-build.in
Trivial cosmetic cleanup. This also helps for script that parse for
options in Config files.

Signed-off-by: Paul Spooren <mail@aparcar.org>
Reviewed-by: Petr Štetiar <ynezz@true.cz>
2020-11-25 08:09:13 -10:00
Daniel Golle
6e9b707ee2 Revert "refpolicy: add variant that builds modular policy"
This reverts commit 9eb9943f82.
Building the 'modular' variant requires 'semodule_package' from
'selinux-python' to be installed on the buildhost.
Apart from that, this change also broke the monolithic refpolicy
'targeted' build.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-22 15:20:35 +00:00
W. Michael Petullo
9eb9943f82 refpolicy: add variant that builds modular policy
This adds a variant of refpolicy that builds the modular form of the
policy. While this requires more memory on the target device, along with
some tricks to deal with OpenWrt's volatile /var directory, it is useful
for experiementing with SELinux policy.

Signed-off-by: W. Michael Petullo <mike@flyn.org>
2020-11-09 13:06:19 +00:00
Hauke Mehrtens
f6d1adbafb kernel: Activate KERNEL_MIPS_FP_SUPPORT for pistachio target
The pistachio target uses a MIPS CPU with FPU and OpenWrt uses a
toolchain with hard FPU support. MIPS FPU support needs the FPU
emulation code in the kernel.

Fixes: ac5671f46c ("kernel: remove obsolete kernel version switches for 4.19")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-11-01 20:54:37 +01:00
Adrian Schmutzler
ac5671f46c kernel: remove obsolete kernel version switches for 4.19
This removes switches dependent on kernel version 4.19 as well as
several packages/modules selected only for that version.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-10-30 19:44:41 +01:00
Daniel Golle
ba9b6702aa config: clean up SELinux options
In order to make it easier for users to build with SELinux, have a
single option in 'Global build settings' to enable all necessary
kernel features, userland packages and build-system hooks.
Also add better descriptions and help messages while at it.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-16 14:29:48 +01:00
Daniel Golle
a439f1bb47 config: add option for dssp selinux policy
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-09 02:10:05 +01:00
Daniel Golle
1a22964399 config: prepare for choice of SELinux policy
Only 'targeted' from refpolicy is supported for now.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-29 02:50:00 +01:00
Paul Spooren
f922a3e00e config: add KERNEL_LSM symbol
The LSM (Linux security mechanism) list is the successor of the now
legacy *major LSM*. Instead of defining a single security mechanism the
LSM symbol is a comma separated list of mechanisms to load.

Until recently OpenWrt would only support DAC (Unix discretionary access
controls) which don't require an additional entry in the LSM list. With
the newly introduced SELinux support the LSM needs to be extended else
only a manual modified Kernel cmdline (`security=selinux`) would
activate SELinux.

As the default OpenWrt Kernel config sets DAC as default security
mechanism, SELinux is stripped from the LSM list, even if
`KERNEL_DEFAULT_SECURITY_SELINUX` is activated. To allow SELinux without
a modified cmdline this commit sets a specific LSM list if
`KERNEL_SECURITY_SELINUX` is enabled.

The upstream Kconfig adds even more mechanisms
(smack,selinux,tomoyo,apparmor), but until they're ported to OpenWrt,
these can be ignored.

To compile SELinux Kernel support but disable it from loading, the
already present options `KERNEL_SECURITY_SELINUX_DISABLE` or
`KERNEL_SECURITY_SELINUX_BOOTPARAM` (with custom cmdline `selinux=0`)
can be used. Further it's possible to edit `/etc/selinux/config`.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-09-03 14:14:33 +01:00
Adrian Schmutzler
6362a04725 kernel: remove obsolete kernel version switches for 4.14
This removes switches dependent on kernel version 4.14 as well as
several packages/modules selected only for that version.

This also removes sched-cake-virtual, which is not required anymore
now that we have only one variant of cake.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-09-02 16:29:23 +02:00
Adrian Schmutzler
94198e2a1c rb532: drop target
This target is still on kernel 4.14, and recent attempts to move it to
kernel 5.4 have not led to success. The device tester reported that it
wouldn't boot with the following messages:

From sysupgrade:

  Press any key within 4 seconds to enter setup....
  loading kernel from nand... OK
  setting up elf image... OK
  jumping to kernel code

At this point the system hangs.

From CompactFlash:

  Press any key within 4 seconds to enter setup....
  Booting CF
  Loading kernel... done
  setting up elf image... kernel out of range kernel loading failed

The tester reported that the same was observed with current master
(kernel 4.14) as well. This looks like some kernel size restriction.

Since this target is quite old and only supports one device, and since
nobody else seemed interested in working on this for quite some time,
I decided to not put further work into analyzing the problem and drop
this together with the other 4.14-only targets.

Patchwork series:
https://patchwork.ozlabs.org/project/openwrt/list/?series=197066&state=*

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-09-02 16:29:22 +02:00
Thomas Petazzoni
168faef443 kernel: add options needed for SELinux
This adds a number of options to config/Config-kernel.in so that
packages related to SELinux support can enable the appropriate Linux
kernel support.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[rebase; add ext4, F2FS, UBIFS, and JFFS2 support; add commit message]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
2020-08-31 01:15:41 +01:00
Thomas Petazzoni
aee58d52ce build: add support for SELinux to include/image.mk
This allows the build process to prepare a squashfs filesystem for use
with SELinux.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[rebase, add commit message]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
2020-08-31 01:15:41 +01:00
Adrian Schmutzler
4e4ee46495 ar71xx: drop target
This target has been mostly replaced by ath79 and won't be included
in the upcoming release anymore. Finally put it to rest.

This also removes all references in packages, tools, etc. as well as
the uboot-ar71xx and vsc73x5-ucode packages.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-30 22:18:35 +02:00
Yuan Tao
ba2ddba56b config: kernel: fix missed CGROUP_HUGETLB symbol
The symbol KERNEL_CGROUP_HUGETLB is always used whenever KERNEL_CGROUPS is enabled.
The absence of this notation will cause the user to be asked to enter this parameter the first time it is compiled.

Signed-off-by: Yuan Tao <ty@wevs.org>
2020-08-24 01:09:30 +01:00
Daniel Golle
42abe56f1b kernel: further clean-up options and defaults
Remove `if !SMALL_FLASH` in places which are anyway already augmented
by `if !SMALL_FLASH`.
Always enable CONFIG_BLK_DEV_THROTTLING on !SMALL_FLASH devices rather
than just enabling it on bcm27xx.
Enabled CPU bandwidth provisioning for FAIR_GROUP_SCHED on !SMALL_FLASH
devices as CONFIG_FAIR_GROUP_SCHED is already enabled and becomes more
useful for cgroups with that option enbled as well.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-10 09:54:14 +01:00
Felix Fietkau
eb155f755a build: make prefix mapping of debug information optional
Remapping the local build path in debug information makes debugging
using ./scripts/remote-gdb harder, because files no longer refer to the full
path on the build host.

For local builds, debug information does not need to be reproducible,
since it will be stripped out of packages anyway.

For buildbot builds, it makes sense to keep debug information reproducible,
since the full path is not needed (nor desired) anywhere.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-08-06 12:36:24 +02:00
Stijn Tintel
5c3e83fa88 kernel: fix missing TRANSPARENT_HUGEPAGE symbols
Enabling KERNEL_TRANSPARENT_HUGEPAGE exposes 2 missing symbols:
* CONFIG_READ_ONLY_THP_FOR_FS
* TRANSPARENT_HUGEPAGE_ALWAYS
* TRANSPARENT_HUGEPAGE_MADVISE

The first one was added in 5.4, and is marked experimental there so just
disable it in the generic config.

For the latter two, we should not force the user to use either of them,
so add them as build-configurable kernel options.

Fixes: d1a8217d87 ("kernel: clean-up build-configurable kernel config symbols")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2020-08-01 14:33:46 +01:00
Daniel Golle
9950bc92e3 kernel: add menuconfig entry for kernel CONFIG_CGROUP_NET_CLASSID
It was removed from target defaults though it didn't exist in the
build-systems kernel configuration options. Add it there.

Fixes: d1a8217d87 ("kernel: clean-up build-configurable kernel config symbols")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-07-31 22:50:38 +01:00
Adrian Schmutzler
1d5260cf72 build: add option to mark devices as BROKEN
By specifying "BROKEN := 1" or "BROKEN := y" for a device, it will be
hidden (and deselected) by default. By that, it provides a stronger
option to "disable" a device beyond just using DEFAULT := n.

To make these devices visible, just enable the BROKEN option in
developer settings as already implemented for targets and packages.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-30 21:49:07 +02:00
Daniel Golle
d1a8217d87 kernel: clean-up build-configurable kernel config symbols
Don't explicitely disable options in target/linux/generic/config-* if
they are already controlled in config/Config-kernel.in.
Add a bunch of new symbols  and prepare defaults for using only unified
hierarchy (ie. cgroup2). Update symbol dependencies while at it

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-07-30 16:59:47 +01:00
Hauke Mehrtens
f94b09867d build: Remove dependency of user space stack cookies from kernel
Currently the user space stack cookies work well also when the kernel
stack cookies are not activated. This is handled completely in user
space and does not need kernel support.

This dependency was probably needed some years ago when the libc did not
support stack cookies.

Reviewed-by: Ian Cooper <iancooper@hotmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-07-24 00:35:21 +02:00
Roman Yeryomin
2ca084ccaa build: improve ccache support
Set CCACHE_DIR to $(TOPDIR)/.ccache and CCACHE_BASEDIR to $(TOPDIR).
This allows to do clean and dirclean. Cache hit rate for test build
after dirclean is ~65%.
If CCACHE is enabled stats are printed out at the end of building process.
CCACHE_DIR config variable allows to override default, which could be useful
when sharing cache with many builds.
cacheclean make target allows to clean the cache.

Changes from v1:
- remove ccache directory using CCACHE_DIR variable
- remove ccache leftovers from sdk and toolchain make files
- introduce CONFIG_CCACHE_DIR variable
- introduce cacheclean make target

Signed-off-by: Roman Yeryomin <roman@advem.lv>
2020-07-11 15:19:53 +02:00
Javier Marcet
caf09f2b84 kernel: rename CONFIG_NETPRIO_CGROUP to CONFIG_CGROUP_NET_PRIO
This has been changed in kernel 3.14.

Signed-off-by: Javier Marcet <javier@marcet.info>
2020-06-27 00:19:13 +02:00
Ian Cooper
b933f9cf0c toolchain: remove gcc libssp and use libc variant
Removes the standalone implementation of stack smashing protection
in gcc's libssp in favour of the native implementation available
in glibc and uclibc. Musl libc already uses its native ssp, so this
patch does not affect musl-based toolchains.

Stack smashing protection configuration options are now uniform
across all supported libc variants.

This also makes kernel-level stack smashing protection available
for x86_64 and i386 builds using non-musl libc.

Signed-off-by: Ian Cooper <iancooper@hotmail.com>
2020-06-17 23:57:07 +02:00
Christopher Hill
b7a8a54542 ath79: add support for MikroTik RouterBOARD 493G (rb4xx series)
This patch adds support for the MikroTik RouterBOARD RB493G, ported
from the ar71xx target.

See https://routerboard.com/RB493G for details

Specification:
- SoC Qualcomm Atheros AR7161
- RAM: 256 MiB
- Storage: 128MiB NAND
- Ethernet: 9x 1000/100/10 Mbps
- USB 1x 2.0 / 1.0 type A
- PCIe: 3x Mini slot
- MicroSD slot

Working:
- Board/system detection
- Ethernet
- SPI
- NAND
- LEDs
- USB
- Sysupgrade

Enabled (but untested due to lack of hardware):
- PCIe - ath79_pci_irq struct has the slot/pin/IRQ mappings if needed

Installation methods:
- tftp boot initramfs image, scp then flash via "sysupgrade -n"
- nand boot existing OpenWrt, scp then flash via "sysupgrade -n"

Notes:
- initramfs image will not work if uncompressed image size over ~8.5Mb
- The "rb4xx" drivers have been enabled

Signed-off-by: Christopher Hill <ch6574@gmail.com>
2020-06-15 21:16:18 +02:00
Paul Spooren
07449f692c build: refactor JSON info files to profiles.json
JSON info files contain machine readable information of built profiles
and resulting images. These files were added in commit 881ed09ee6
("build: create JSON files containing image info").

They are useful for firmware wizards and script checking for
reproducibility.

Currently all JSON files are stored next to the built images, resulting
in up to 168 individual files for the ath79/generic target.

This patch refactors the JSON creation to store individual per image
(not per profile) files in $(BUILD_DIR)/json_info_files and create an
single overview file called `profiles.json` in the target directory.

Storing per image files and not per profile solves the problem of
parallel file writes. If a profiles sysupgrade and factory image are
finished at the same time both processes would write to the same JSON
file, resulting in randomly broken outputs.

Some target like x86/64 do not use the image code yet, resulting in
missing JSON files. If no JSON info files were created, no
`profiles.json` files is created as it would be empty anyway.

As before, this creation is enabled by default only if `BUILDBOT` is set.

Tested via buildroot & ImageBuilder on ath79/generic, imx6 and x86/64.

Signed-off-by: Paul Spooren <mail@aparcar.org>
[json_info_files dir handling in Make, if case refactoring]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-04-03 12:17:45 +02:00
李国
a6b7c3e672 x86: generate EFI platform bootable images
Add EFI platform bootable images for x86 platforms. These images can
also boot from legacy BIOS platform.

EFI System Partition need to be fat12/fat16/fat32 (not need to load
filesystem drivers), so the first partition of EFI images are not ext4
filesystem any more.

GPT partition table has an alternate partition table, we did not
generate it. This may cause problems when use these images as qemu disk
(kernel can not find rootfs), we pad enough sectors will be ok.

Signed-off-by: 李国 <uxgood.org@gmail.com>
[part_magic_* refactoring, removed genisoimage checks]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-03-31 16:20:47 +02:00
Paul Spooren
cb007a7bf6 x86: switch image generation to new code
This commit introduces few related changes which need to be done in
single commit to keep images buildable between git revisions. In result
it retains all previous image creation possibilities with slight name
change of generated images. Brief summary of the commit:

* Split up image generation recipe to smaller chunks to make it more
  generic and reusable.

* Make iso images x86 specific and drop their definition as root
  filesystem.

* Convert image creation process to generic code specified in image.mk.

* Make geode subtarget inherit features from the main target instead of
  redefining them.

* For subtargets create device definitions with basic packages set.

Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
[rebased]
Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-03-21 10:36:00 +00:00
Chen Minqiang
ec5e8461c1 x86: make crashdump works
1. KERNEL_CRASH_DUMP should depends on KERNEL_PROC_KCORE (kexec use it)
2. select crashkernel mem size by totalmem
   mem <= 256M disable crashkernel by default
   mem >= 4G use 256M for crashkernel
   mem >= 8G use 512M for crashkernel
   default use 128M
3. set BOOT_IMAGE in kdump.init
4. resolve a "Unhandled rela relocation: R_X86_64_PLT32" error

Tested on x86_64

Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
2020-03-20 21:45:06 +00:00
Hauke Mehrtens
69d179ec81 kernel: Use new symbol to deactivate MIPS FPU support
With kernel 5.4 the upstream kernel supports deactivating the FPU
support on MIPS. Use this new upstream feature instead of our older
patch which was removed when porting the kernel patches to kernel 5.4.

This way both options are set which should work for older kernel
versions and also new ones.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-02-28 17:50:46 +01:00
Xu Wang
2299808c68 base-files: add all buildinfo with INCLUDE_CONFIG
CONFIG_INCLUDE_CONFIG option is helpful for being able to rebuild the
exact same firmware as you see on a live OpenWRT instance, but it's
crucially missing feeds information, so we can't rebuild the exact same
package versions. This commit fixes this by adding the remaining feeds
(and version) buildinfo files to the image.

Signed-off-by: Xu Wang <xwang1498@gmx.com>
2020-02-27 12:14:09 +01:00
Hauke Mehrtens
b951f53fba build: Add additional kernel debug options
Make it possible to activate some additional kernel debug options.
This can be used to debug some problems in kernel drivers.

Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2020-02-22 16:34:57 +01:00
Hauke Mehrtens
947d2e0a70 build: Add KCOV kernel code coverage for fuzzing
The adds an option to activate KCOV (Code coverage for fuzzing).

Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2020-02-22 16:34:57 +01:00
Hauke Mehrtens
431594a978 build: Add option KERNEL_KASAN
The kernel kernel address sanitizer is able to detect some memory
bugs in the kernel like out of range array accesses.

Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2020-02-22 16:34:57 +01:00
Hauke Mehrtens
d9b043c03c build: Add option KERNEL_UBSAN
The kernel Undefined Behavior Sanitizer is able to detect some memory
bugs in the kernel like out of range array accesses.

Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2020-02-22 16:34:57 +01:00
Adrian Schmutzler
7d7aa2fd92 brcm2708: rename target to bcm27xx
This change makes the names of Broadcom targets consistent by using
the common notation based on SoC/CPU ID (which is used internally
anyway), bcmXXXX instead of brcmXXXX.
This is even used for target TITLE in make menuconfig already,
only the short target name used brcm so far.

Despite, since subtargets range from bcm2708 to bcm2711, it seems
appropriate to use bcm27xx instead of bcm2708 (again, as already done
for BOARDNAME).

This also renames the packages brcm2708-userland and brcm2708-gpu-fw.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: Álvaro Fernández Rojas <noltari@gmail.com>
2020-02-14 14:10:51 +01:00
Hauke Mehrtens
19cbac7d26 buildsystem: Make PIE ASLR option tristate
This tristate choose allows to select to build only some applications
with PIE enabled. On MIPS binaries are getting about 30% bigger when PIE
is activated for the, which is a huge increase.

Network exposed applications like dnsmasq should then be build with PIE
enabled, but some applications which are normally not parsing data from
the network do not have it activated. The regular option should give a
good trade off between extra flash and RAM memory usage and security.

This changes the default from building no applications with PIE to build
some specifically marked applications with PIE enabled. This option is
only activated for targets with bigger flash and RAM to not consume
extra memory on the very small targets. On SDK builds the Regular option
should always be selected, because some tiny targets share the
applications with big targets and only the images for the tiny targets
should contain the none PIE applications, but the images for the normal
targets should use PIE. The shared packages should always use PIE when
it should be normally activated.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Rosen Penev
fb19fb868c libcxx: Depenency fixes
Don't build with uClibc-ng. It's totally unsupported as several functions
are missing.

Make the musl libc support conditional.

Fix hash with make check FIXUP=1. Apparently I based the Makefile off of
libedit and forgot to fix the hash.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Fixes: 856ea2bad3 ("libcxx: Add package")
2019-12-23 12:08:23 +01:00
Rosen Penev
856ea2bad3 libcxx: Add package
Currently in OpenWrt, there are two libc++: libstdcpp and uClibc++. The
former is huge and the latter supports only C++98 with some basic support
for C++11. Those C++ versions seem to be specific to the compiler version

libcxx supports C++11 and above while being much smaller than libstdcpp.
On mt7621, these are the sizes of the ipks that I get:

libstdcpp: 460786
libcxx: 182881
uClibc++:67720

libcxx is faster than uClibc++ and is under active development as part of
the LLVM project while uClibc++ is effectively dead.

This PR modifies uclibc++.mk to expose the make menuconfig option. Further
cleanup is beyond the scope of this PR. What that means is, this is not
used by default.

A g++-libcxx wrapper based on the uClibc++ one was added. Works the same
way.

Compile tested with all packages that use uclibc++.mk in their Makefiles
under mipsel_24kc. kismet fails compilation but that package needs to be
cleaned up and updated.

Runtime tested with gddrescue, gdisk, dcwapd, bonnie++, and aircrack-ng
on a TP-Link Archer C7v2.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-12-23 00:22:07 +01:00
Stijn Tintel
5f68333952 config: kernel: fix typo in HFSPLUG_FS_POSIX_ACL
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2019-11-28 02:02:17 +02:00
John Crispin
f4aaee01fa Revert "build: separate signing logic"
This reverts commit 4a45e69d19.

This broke the buildbots

Signed-off-by: John Crispin <john@phrozen.org>
2019-10-21 16:26:24 +02:00
Paul Spooren
4a45e69d19 build: separate signing logic
This separates the options for signature creation and verification

* SIGNED_PACKAGES create Packages.sig
* SIGNED_IMAGES add ucert signature to created images
* CHECK_SIGNATURE add verification capabilities to images
* INSTALL_LOCAL_KEY add local key-build to /etc/opkg/keys

Right now the buildbot.git contains some hacks to create images that
have signature verification capabilities while not storing private keys
on buildbot slaves. This commit allows to disable these steps for the
buildbots and only perform signing on the master.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2019-10-21 14:06:42 +02:00
Paul Spooren
419eff50f9 config: remove unused GCC_VERSION_4_8 config symbols
Lets remove unused GCC_VERSION_4_8 symbol after the series of patches
which has switched to target gcc-8 by default.

Signed-off-by: Paul Spooren <mail@aparcar.org>
[refactored into separate commit]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-10-09 09:13:44 +02:00
Paul Spooren
881ed09ee6 build: create JSON files containing image info
The JSON info files contain details about the created firmware images
per device and are stored next to the created images.

The JSON files are stored as "$(IMAGE_PREFIX).json" and contain some
device/image meta data as well as a list of created firmware images.

An example of openwrt-ramips-rt305x-aztech_hw550-3g.json

    {
      "id": "aztech_hw550-3g",
      "image_prefix": "openwrt-ramips-rt305x-aztech_hw550-3g",
      "images": [
        {
          "name": "openwrt-ramips-rt305x-aztech_hw550-3g-squashfs-sysupgrade.bin",
          "sha256": "db2b34b0ec4a83d9bf612cf66fab0dc3722b191cb9bedf111e5627a4298baf20",
          "type": "sysupgrade"
        }
      ],
      "metadata_version": 1,
      "supported_devices": [
        "aztech,hw550-3g",
        "hw550-3g"
      ],
      "target": "ramips/rt305x",
      "titles": [
        {
          "model": "HW550-3G",
          "vendor": "Aztech"
        },
        {
          "model": "ALL0239-3G",
          "vendor": "Allnet"
        }
      ],
      "version_commit": "r10920+123-0cc87b3bac",
      "version_number": "SNAPSHOT"
    }

Signed-off-by: Paul Spooren <mail@aparcar.org>
2019-09-29 13:51:28 +02:00
Paul Spooren
e78c1baa9f rules: allow arbitrary log destination
Add option BUILD_LOG_DIR to menuconfig to change log destination.

The mix-up of *DIR* and *FOLDER* is confusing however.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2019-09-29 00:08:20 +02:00
Matthias Schiffer
61c57af618
build: set TARGET_ROOTFS_PARTSIZE to make combined image fit in 128MB
Change TARGET_ROOTFS_PARTSIZE from 128 to 104 MiB, so the whole image
(bootloader + boot + root) will fit on a 128MB CF card by default.

With these settings, the generated images (tested on x86-generic and
x86-64) have 126,353,408 bytes; the smallest CF card marketed as "128MB"
that I found a datasheet for (a Transcend TS128MCF80) has 126,959,616
bytes.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2019-09-21 13:48:15 +02:00
Daniel Golle
7cc22d72e9 config: kernel: only enable container features if !SMALL_FLASH
KERNEL_DEVPTS_MULTIPLE_INSTANCES and KERNEL_POSIX_MQUEUE were
previously enabled by default only if KERNEL_LXC_MISC was selected.
KERNEL_LXC_MISC was enabled only if the SMALL_FLASH (anti-)feature
was not selected.
Now that KERNEL_LXC_MISC no longer exists, make sure that those
options are also only enabled by default for !SMALL_FLASH targets.

Fixes: 4f94a331 ("config: kernel: remove KERNEL_LXC_MISC")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-09-12 13:17:24 +02:00
Yousong Zhou
4f94a331e1 config: kernel: remove KERNEL_LXC_MISC
Kernel features are neutral.  The two cascaded features can also be
useful for other container related tools

It's also less error-prone if only kconfig symbols from the kernel are
prefixed KERNEL_

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-09-12 02:30:26 +00:00
Yousong Zhou
083bb9b6a4 config: kernel: add KERNEL_X86_VSYSCALL_EMULATION
Binaries in container images may need this.  E.g. nginx:1.7.9 used in
k8s default deployment manifest file for demostration [1]

 [1] https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#creating-a-deployment

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-09-12 02:30:26 +00:00
Paul Spooren
454021581f build: add buildinfo files for reproducibility
generate feeds.buildinfo and version.buildinfo in build dir after
containing the feed revisions (via ./scripts/feeds list -sf) as well as
the current revision of buildroot (via ./scripts/getver.sh).

With this information it should be possible to reproduce any build,
especially the release builds.

Usage would be to move feeds.buildinfo to feeds.conf and git checkout the
revision hash of version.buildinfo.

Content of feeds.buildinfo would look similar to this:

    src-git routing https://git.openwrt.org/feed/routing.git^bf475d6
    src-git telephony https://git.openwrt.org/feed/telephony.git^470eb8e
    ...

Content of version.buildinfo would look similar to this:

    r10203+1-c12bd3a21b

Without the exact feed revision it is not possible to determine
installed package versions.

Also rename config.seed to config.buildinfo to follow the recommended
style of https://reproducible-builds.org/docs/recording/

Signed-off-by: Paul Spooren <mail@aparcar.org>
2019-08-13 10:40:36 +02:00
Jo-Philipp Wich
f565f276e2 config: introduce separate CONFIG_SIGNATURE_CHECK option
Introduce a new option CONFIG_SIGNATURE_CHECK which defaults to the value
of CONFIG_SIGNED_PACKAGES and thus is enabled by default.

This option is needed to support building target opkg with enabled
signature verification while having the signed package lists disabled.

Our buildbots currently disable package signing globally in the
buildroot and SDK to avoid the need to ship private signing keys to
the build workers and to prevent the triggering of random key generation
on the worker nodes since package signing happens off-line on the master
nodes.

As unintended side-effect, updated opkg packages will get built with
disabled signature verification, hence the need for a new override option.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-08-06 21:22:27 +02:00
Álvaro Fernández Rojas
4295485719 brcm2708: add linux 4.19 support
Boot tested on Raspberry Pi B+ (BCM2708) and Raspberry Pi 2 (BCM2709)

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2019-07-14 12:44:14 +02:00
Alexander Couzens
fdd0a8d491
Make linux kernel builds reproducible when BUILDBOT selected
The linux kernel is not reproducible because the build user
and domain is included into the kernel. Set the build user
to `builder` and build domain to buildhost.

It's also possible to build reproducible builds by setting
KERNEL_BUILD_USER KERNEL_BUILD_DOMAIN to static values.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2019-07-02 16:32:47 +02:00