Commit 2127425434 introduced an AP-side
workaround for key reinstallation attacks. This option can be used to
mitigate KRACK on the station side, in case those stations cannot be
updated. Since many devices are out there will not receive an update
anytime soon (if at all), it makes sense to include this workaround.
Unfortunately this can cause interoperability issues and reduced
robustness of key negotiation, so disable the workaround by default, and
add an option to allow the user to enable it if he deems necessary.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This reverts commit 13e5e47369.
This commit causes a severe regression in LAN->WAN routing performance
for several devices. This appears to be caused by the extra requirement
to validate the SKB checksum early in the rx path, which the ethernet
hardware does not do
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The previous CVE bugfix commit did not adjust PKG_RELEASE, therefore the
fixed hostapd/wpad/wpa_supplicant packages do not appear as opkg update.
Bump the PKG_RELEASE to signify upgrades to downstream users.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The build system took the DTB_SIZE definition from Default and not from
production-dtb under some conditions. Move the size definitions to
Default now as it is only used in production-dtb anyway.
Thanks Mathias Kresin for helping me with this.
Fixes: c2f052acae ("at91: convert boards to generic build target")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This fixes a compile problem recently introduced by me.
Fixes: f40fd43ab2 ("ppp: fix compile warning")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Move wireguard from openwrt/packages to base a package.
This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving
experimental kernel module that many find essential and useful. The
other is a VPN client. Both are inside of core. When you combine the two
characteristics, you get WireGuard. Generally speaking, because of the
extremely lightweight nature and "stateless" configuration of WireGuard,
many view it as a core and essential utility, initiated at boot time
and immediately configured by netifd, much like the use of things like
GRE tunnels.
WireGuard has a backwards and forwards compatible Netlink API, which
means the userspace tools should work with both newer and older kernels
as things change. There should be no versioning requirements, therefore,
between kernel bumps and userspace package bumps.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Felix Fietkau <nbd@nbd.name>
These options where deactivated in the malta kernel, take the default
options form the generic kernel configuration now to better match the
other targets.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This change makes it possible to configure the wan/dsl ppp interface
settings independantly from the used TC-Layer (ATM/PTM).
Now you can move a device from an ADSL/ATM port to an VDSL/PTM port
without any configuration changes for example.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
[use the dsl0 interface name for the default netdev trigger in 01_led,
add ip dependency]
Signed-off-by: Mathias Kresin <dev@kresin.me>
This fixes a build problem with many targets.
Fixes 618ed77a17 ("mac80211: add ath6kl kernel modules")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
MACsec/IEEE 802.1AE is useful to secure communication to and
from endpoints at Layer 2.
Starting with 4.6, the linux kernel provides a universal
macsec driver for authentication and encryption of traffic
in a LAN, typically with GCM-AES-128, and optional replay
protection.
http://standards.ieee.org/getieee802/download/802.1AE-2006.pdf
Note:
LEDE can utilize MACsec with a static connectivity association
key (static PSK) with the ip-full package installed.
<http://man7.org/linux/man-pages/man8/ip-macsec.8.html>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
It is unclear why so many packages are selected for ClearFog Base compared
to its big brother, and there is no reason to not append metadata for Base.
Tidy this up as the only hardware difference between Base/Pro is the
presence of a switch and a different board name / device tree.
Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
Remove redundancy for platform_do_upgrade_clearfog
Fix platform_copy_config_clearfog to reflect -base/-pro split
Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
This patch adds the help tool wpan-ping to test the 6LoWPAN
network to help the user debug network problem.
Signed-off-by: Yunhui Fu <yhfudev@gmail.com>
This is the final bugfix release in the gcc-5 series.
Compile and run tested on macOS 10.13 (Xcode 9), mvebu/ar71xx.
Removed redundant patch for macOS (backported upstream by yours truly)
Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
This module from Laird includes the following:
- CPU Atmel SoC SAMA5D31
- Wifi QCA6004
- Bluetooth CSR8811
- RAM 64MB LPDDR
- FLASH 128MB
The flash is a dual image layout, kernel a/b, rootfs a/b, and a user
partition.
Signed-off-by: Ben Whitten <ben.whitten@gmail.com>
This module from Laird includes the following:
- CPU Atmel SoC ARM926EJS
- Wifi AR6003
- Bluetooth CSR8510
- RAM 64MB LPDDR
- FLASH 128MB
The flash is a dual image layout, kernel a/b, rootfs a/b, and a user
partition.
Signed-off-by: Ben Whitten <ben.whitten@gmail.com>
Instead of applying global defaults based on selected board, transition
to using a per board setting for UBIFS and UBINIZE.
Signed-off-by: Ben Whitten <ben.whitten@gmail.com>
The platform generates squashfs images in a UBI block but misses the
kernel module to be able to mount the block.
DMA is also enabled to allow systems which include them in the DTS to
use it.
Signed-off-by: Ben Whitten <ben.whitten@gmail.com>
Specifications:
- SoC: Qualcomm QCA9531 (650MHz)
- RAM: 64MB
- Storage: 16MB NOR SPI flash
- Ethernet: 5x100M (1 PoE in, 4 PoE out)
- Outdoor use ready
This ethernet router is based on the same platform as the hEX PoE lite.
Installation
1. login to the Mikrotik WebUI to backup your licence keys
2. setup a DHCP/BOOTP Server with:
* DHCP-Option 66 (TFTP server name) pointing to a local TFTP
Server within the same subnet of the DHCP range
* DHCP-Option 67 (Bootfile-Name) matching the initramfs filename
of the to be booted image
3. connect the port labled internet to your local network
4. keep the reset button pushed down and power on the board
The board should load and start the initramfs image from the TFTP
Server. Login as root/without password to the started LEDE via ssh
listing on IPv4 address 192.168.1.1. Use sysupgrade to install LEDE.
Revert to RouterOS
Use the "rbcfg" package on in LEDE:
* rbcfg set boot_protocol bootp
* rbcfg set boot_device ethnand
* rbcfg apply
Open Netinstall and reboot routerboard. Now netinstall sees routerboard
and you can install RouterOS. If NetInstall gets stuck on Sending offer
just wait for it to timeout and then close and open Netinstall again.
Click on install again.
In order for RouterOS to function properly, you need to restore license
for the device. You can do that by including license in NetInstall
Signed-off-by: Robert Marko <robimarko@gmail.com>
Kimax U-25AWF-H1 is is a 2,5" HDD Enclosure with Wi-Fi/Eth conection
and battery, based on MediaTek MT7620A.
Patch rewritten from: https://forum.openwrt.org/viewtopic.php?pid=305643
Specification:
- MT7620A CPU
- 64 MB of RAM
- 16 MB of FLASH
- 802.11bgn WiFi
- 1x 10/100 Mbps Ethernet
- USB 2.0 Host
- UART for serial console
Flash instruction:
1. Download lede-ramips-mt7620-u25awf-h1-squashfs-sysupgrade.bin
2. Open webinterface a upgrade
3. After boot connect via ethernet to ip 192.168.1.1
Signed-off-by: Daniel Kucera <daniel.kucera@gmail.com>
[fix reset button gpio, don't add a lan/wan vlan config for single
port board, add -H1 suffix do make sure that this revision of the
board is supported/tested]
Signed-off-by: Mathias Kresin <dev@kresin.me>
The following adds the Aerohive HiveAP-330 Access Point to LEDE under
the mpc85xx/p1020 subtarget.
Hardware:
- SoC: Freescale P1020NSE2DFB
- NAND: Intel JS28F512M29EWH 64MB
- Memory: 2x ProMOS V59C1G01168QBJ3 128MB (Total of 256MB)
- 2.4GHz WiFi: Atheros AR9390-AL1A
- 5.0GHz WiFi: Atheros AR9390-AL1A
- Eth1: Atheros AR8035-A PoE
- Eth2: Atheros AR8035-A
- TPM: Atmel AT97SC3204
- LED Driver: TI LP5521
Flashing:
1. Hook into UART (9600 baud) and enter U-Boot. You may need to enter a
password of administrator or AhNf?d@ta06 if prompted.
2. Once in U-Boot, tftp boot the initramfs image:
dhcp;
tftpboot 0x1000000 192.168.1.101:lede-
mpc85xx-p1020-hiveap-330-initramfs.zImage;
tftpboot 0x6000000 192.168.1.101:lede-mpc85xx-p1020-hiveap-330.fdt;
bootm 0x1000000 - 0x6000000;
3. Once booted, scp over the sysupgrade file and sysupgrade the device
to flash LEDE to the NAND.
sysupgrade /tmp/lede-mpc85xx-p1020-hiveap-330-sysupgrade.img
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
This patch adds a new kernel option called CONFIG_CMDLINE_OVERRIDE. This
setting is for devices with locked down u-boot environments, where users
are unable to change the default bootargs. When set, the fdt driver will
propagate the cmdline for the kernel from chosen/bootargs-override
instead of chosen/bootargs as long as it exists within the DTB.
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
The following patch enables building of initramfs images by default for
the P1020 subtarget in mpc85xx.
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
Add ext4 filesystem for creating sdcard image with ext4 rootfs and
removing ext2 as it superset of ext4.
Signed-off-by: Sandeep Sheriker Mallikarjun <sandeepsheriker.mallikarjun@microchip.com>
Enabled SDHCI for sama5 in kernel default config and this is needed
to mount sdcard rootfs partition during boot.
Signed-off-by: Sandeep Sheriker Mallikarjun <sandeepsheriker.mallikarjun@microchip.com>
removed copying of binaries to BIN_DIR during install and using
default/install to install binaries to BIN_DIR folder.
Signed-off-by: Sandeep Sheriker Mallikarjun <sandeepsheriker.mallikarjun@microchip.com>
Added sama5 to BUILD_SUBTARGET variable.This will populate at91bootstrap
menu options in bootloader menu only when SAMA5 devices are selected as
SUBTARGET and to avoid showing up this menu when legacy device is
selected as SUBTARGET and fixed typo mistake: sama5d3 -> sama5d2.
Signed-off-by: Sandeep Sheriker Mallikarjun <sandeepsheriker.mallikarjun@microchip.com>
This fixes the following problems:
* Add BUILD_DEVICES for legacy subtarget
* Use features from u-boot.mk for sama5 subtarget This is mainly done
by changing the prefix from uboot to U-Boot. This makes them depend
on the sama5 subtarget and not selectable for the legacy subtarget
any more
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Revert an accidental change that was introduced by having an old version
of the patch in my git tree, which was merged in 609208597b
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This patch adds a parser for the uci representation of
dnsmasq's "-a | --listen-address" option.
In summary, this option forces dnsmasq to listen on the
given IP address(es). Both interface and listen-address
options may be given, in which case the set of both
interfaces and addresses is used.
Note that if no interface option is given, but listen_address is,
dnsmasq will not automatically listen on the loopback interface.
To achieve this, the loopback IP addresses, 127.0.0.1 and/or ::1
must be explicitly added.
This option is useful for ujailed dnsmasq instances, that would
otherwise fail to work properly, because listening to the
"This host on this network" address (aka 0.0.0.0 see rfc1700 page 4)
may not be allowed.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)