Introduce configuration options to build a "hardened" OpenWRT.
Options to enable Stack-Smashing Protection, FORTIFY_SOURCE and RELRO
have been introduced.
uClibc makefile now automatically detects if SSP support is necessary.
hostapd makefile has been fixed to use "^" as sed separator since
using a comma was problematic when using "-Wl,-z,now" and the like in
TARGET_CFLAGS.
Currently enabling SSP on user space depends on enabling SSP kernel
side, this is due to the fact that TARGET_CFLAGS are used to build
kernel modules (at least). Suggestions on how to avoid this are welcome.
Using "select" instead of "depends on" doesn't seem to work with choice
entries.
Tested with a lantiq (WBMR) router, GCC 4.8, uClibc and a subset of
the available packages.
Needs to be tested with GCC 4.9 and the remaining packages.
PIE not currently included.
Signed-off-by: Alessandro Di Federico <ale+owrt@clearmind.me>
SVN-Revision: 44005
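The sed separator problem described in the commit message above, reproduced as an added example (not part of the commit or of the hostapd makefile). The flag set, the template line and the `@CFLAGS@` placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example: why a comma-delimited sed expression breaks once hardening
# flags such as "-Wl,-z,now" are part of TARGET_CFLAGS.

# Constructed flag set resembling a hardened TARGET_CFLAGS.
HARDENED_CFLAGS='-Os -fstack-protector -D_FORTIFY_SOURCE=2 -Wl,-z,now -Wl,-z,relro'
# Constructed template line; @CFLAGS@ is a hypothetical placeholder.
TEMPLATE='CFLAGS += @CFLAGS@'

# substitute SEP VALUE: expand @CFLAGS@ in TEMPLATE, using SEP as the
# delimiter of the sed "s" command. Returns sed's exit status.
substitute() {
    printf '%s\n' "$TEMPLATE" | sed "s${1}@CFLAGS@${1}${2}${1}" 2>/dev/null
}

# checked_substitute SEP VALUE: return 2 without running sed when VALUE
# contains the delimiter or a character that is special in a sed replacement.
checked_substitute() {
    case $2 in
        *"$1"*|*'&'*|*'\'*) return 2 ;;
    esac
    substitute "$1" "$2"
}

# With "," the first comma inside "-Wl,-z,now" ends the replacement early and
# the remainder is parsed as (invalid) flags of the s command.
if out=$(substitute ',' "$HARDENED_CFLAGS"); then
    echo "comma: $out"
else
    echo "comma: sed rejected the expression"
fi
# With "^" the flags pass through unchanged.
echo "caret: $(substitute '^' "$HARDENED_CFLAGS")"
```

The guard in `checked_substitute` makes the failure explicit at the call site, so a delimiter collision does not surface later as an unhardened or broken build.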
This simplifies building device / profile specific images, and allows
the build system to parallelize generating images
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 43907
Initialize a Git repository in the SDK and use git reset / git clean
to rollback any SDK changes with "make clean" or "make dirclean".
This approach is more robust than nuking entire directory trees because
some parts of them might have been shipped with the original archive.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 43904
Implement "%s" placeholder that expands to either the target name,
e.g. "ar71xx" if the subtarget is generic or to target.subtarget, e.g.
"ar71xx.nand" if a subtarget is chosen.
Also change the default repository url template to use "%s" instead
of "%T" to reflect the directory structure used by the buildbot systems.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 43871
This commit introduces a new option CONFIG_VERSION_FILENAMES which causes
OpenWrt to embed the version number in generated image files, SDK- and
ImageBuilder archives.
The option is enabled by default if CONFIG_VERSIONOPT is set.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 43869
When using UbinizeImage with ubifs rootfs, ubinize.cfg is no longer
needed. Yet, the absence of ubinize.cfg would make the build process
abort with an error.
Fix that by checking if ubinize.cfg is present and do not call the
"classic" ubinize image generation if it isn't.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[missing new-line before UbinizeImage added intentionally]
SVN-Revision: 43788
Since GCC 4.7, GCC provides its own wrappers around ar, nm and ranlib, which
should be used for builds with link-time optimization. Since GCC 4.9, using them
is actually necessary for LTO builds using convenience libraries to succeed.
There are some packages which try to automatically detect if gcc-{ar,nm,ranlib}
exist (one example is my package "fastd" in the package repository, which tries
to use LTO). This breaks because the OpenWrt build system explicitly sets the
binutils versions of these tools.
As it doesn't cause any issues to use gcc-{ar,nm,ranlib} instead of
{ar,nm,ranlib} even without LTO, this patch just makes OpenWrt use the
GCC-provided versions by default, which fixes the build of such packages with
GCC 4.9.
(I know that builds fail though when clang is used with -flto and
gcc-{ar,nm,ranlib}, but as all OpenWrt toolchains are based on GCC, this isn't
a real issue.)
Completely cleaning the tree (or at least `make clean toolchain/clean`) is
necessary to get a consistent state after the binutils plugins support patch and
this one (as trying to use gcc-{ar,nm,ranlib} with a binutils built without
plugin support will definitely lead to a build failure).
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 43784
x64 is handled by the x86 architecture in Linux, add a case for it in
LINUX_KARCH.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
SVN-Revision: 43672
Switch to a dumber implementation that will be easier to maintain in the long
run, with only if statements instead of having nested subst calls.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
SVN-Revision: 43671
We don't ship the kernel sources, so using the base git as a feed will
fail when trying to build kernel modules with separate install steps.
Instead of trying to fixup the install steps, let's just skip building
kernel modules altogether and just create empty packages.
Out-of-kernel modules are still expected to exist and are packaged, as
for these sources are fetched during the normal build steps.
Reported-by: Jo-Philipp Wich <jow@openwrt.org>
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 43525
On out-of-tree modules depending on other out-of-tree modules from a
different tree, module dependencies are not filled properly.
This change helps with adding those dependencies in the AutoLoad call
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 43323
Building current trunk with 3.18 kernel fired some errors like 'missed
dependancy of module XXX from library kmod_YYY.ko'. This patch fixes 3
of such issues which are critical to have a successful build.
Signed-off-by: Alexey N Vinogradov <a.n.vinogradov@gmail.com>
SVN-Revision: 43318
The 3.18 kernel introduced new Kconfig options for the xt_nat and iptable_nat
kernel modules, that both belong to the ipt_nat kernel package.
Enable these new options.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
SVN-Revision: 43212
This patch adds the userspace and kernelspace for
- match NETFILTER_XT_MATCH_CLUSTER
This match can be used to deploy gateway and back-end load-sharing clusters.
- target IP_NF_TARGET_CLUSTERIP
This module allows you to configure a simple cluster of nodes
that share a certain IP and MAC address
without an explicit load balancer in front of them.
Connections are statically distributed between the nodes in this cluster.
This is used i.e. by strongswan-ha.
Signed-off-by: Christian Scheele <cs@embedd.com>
SVN-Revision: 43174
Many packages define already metadata about their license (PKG_LICENSE),
but this is only included in the ipk files.
This change allows to create the information also on the build-host,
to get an overview on the used licenses.
In the full list, also all packages without this info are shown
Signed-off-by: Thomas Langer <thomas.langer@lantiq.com>
SVN-Revision: 43070
All platforms which are using 3.10.x at the moment are upgraded.
Changelogs:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.50
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.51
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.52
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.53
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.54
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.55
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.56
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.57
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.58
A new symbol 'X86_16BIT' appeared in 3.10.52 with commit 34273f41d57ee8d854dcd2a1d754cbb546cb548f
("x86-espfix-make-it-possible-to-disable-16-bit-support.patch")
It defaults to 'unset', but it's worth a discussion to enable it
("turn off support for any 16-bit software").
Also removed the patch 0db3db45f5bd6df4bdc03bbd5dec672e16164c4e
("fix build failure on memcpy() in decompress.c"),
which is made obsolete by commit 29593fd5a8149462ed6fad0d522234facdaee6c8 upstream,
included in kernel 3.10.56.
compile tested on all platforms with:
make tools/install
make toolchain/install
make target/linux/compile
user@box:~/user/openwrt$ cat /tmp/log.txt
[Wed Oct 22 00:36:02 CEST 2014] ./smoketest.sh: ar71xx - OK
[Wed Oct 22 00:53:22 CEST 2014] ./smoketest.sh: ar7 - OK
[Wed Oct 22 01:08:27 CEST 2014] ./smoketest.sh: au1000 - OK
[Wed Oct 22 01:21:43 CEST 2014] ./smoketest.sh: avr32 - OK
[Wed Oct 22 01:37:47 CEST 2014] ./smoketest.sh: cns21xx - OK
[Wed Oct 22 01:52:05 CEST 2014] ./smoketest.sh: cns3xxx - OK
[Wed Oct 22 02:10:23 CEST 2014] ./smoketest.sh: gemini - OK
[Wed Oct 22 02:29:07 CEST 2014] ./smoketest.sh: ixp4xx - OK
[Wed Oct 22 02:44:01 CEST 2014] ./smoketest.sh: malta - OK
[Wed Oct 22 02:55:57 CEST 2014] ./smoketest.sh: mpc85xx - OK
[Wed Oct 22 03:07:56 CEST 2014] ./smoketest.sh: orion - OK
[Wed Oct 22 03:24:30 CEST 2014] ./smoketest.sh: ppc40x - OK
[Wed Oct 22 03:40:19 CEST 2014] ./smoketest.sh: ppc44x - OK
[Wed Oct 22 03:55:29 CEST 2014] ./smoketest.sh: realview - OK
[Wed Oct 22 04:09:47 CEST 2014] ./smoketest.sh: sparc - OK
[Wed Oct 22 04:23:37 CEST 2014] ./smoketest.sh: x86 - OK
[Wed Oct 22 04:35:56 CEST 2014] ./smoketest.sh: xburst - OK
run tested on x86, au1000, ar71xx, mpc85xx and brcm47xx
Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com>
SVN-Revision: 43049
Changeset r43017 reworked the ipkg control metadata generation but broke
the export of conffiles, postinst and prerm defines.
Change the code back to rely on shvar and shexport, this is required to
properly output multiline contents.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 43041
- Consider not installed feeds as well
- Add option to decide whether to comment disabled feeds
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 42931
I defined a new download method @SAVANNAH in include/download.mk and scripts/download.pl,
and converted quilt and qemu to use that method.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 42840
The build system sets a make variable TAR_OPTIONS to the unpacking
command, i.e. "-xf -". Now if an environment variable with the same
name is set, the make variable is automatically exported to the
environment. The make variable is added to the tar command in the
makefile, and tar adds the environment variable. This results in a
command like "tar -c /some/dir -xf - -xf -" which of course doesn't
work. It is also difficult to spot as the second "-xf -" is not
visible on the command line.
I suggest this is fixed by unexporting TAR_OPTIONS as I see no use
of the environment variable, and it is changed from the original
value anyway.
Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
SVN-Revision: 42794
Otherwise the modpost steps for individual modules that are compiled
manually (using make package/<name_of_module>/install) will give warning
of missing symbols when that module depends on other modules.
This is caused by the Module.symvers file not containing any symbols
anymore of external modules when the initramfs image is built without
specifically giving the modules target.
Signed-off-by: Tjalling Hattink <t.hattink@fugro.nl>
SVN-Revision: 42773
Recent kernels started to mark exported symbols as global.
Adapt expressions in kernel-build.mk to also match global symbols
when grep'ing through nm output.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 42555
config.{sub,guess} could be symlinks to a shared common version of
this file (e.g. in staging). So we remove the destination file via
--remove-destination option of cp. This prevents replacing the
common file that other packages could be built with if running at
the same time.
This fixes a class of errors where config.sub is missing, or
only partially present when running configure because a cp is
currently in progress
This is commonly seen building with a lot of parallel jobs and
on packages that use 'PKG_FIXUP:=autoreconf'
Signed-off-by: Matthew McClintock <mmcclint@qca.qualcomm.com>
Signed-off-by: Mathieu Olivari <mathieu@qca.qualcomm.com>
SVN-Revision: 42547
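The behaviour the commit message above relies on, shown as an added example (not part of the commit): a plain `cp` onto a symlinked config.sub truncates and rewrites the shared file, while GNU `cp --remove-destination` replaces only the link. The directory layout and file contents are constructed.

```shell
#!/bin/sh
# Added example: cp onto a symlinked config.sub writes through to the shared
# file; cp --remove-destination (GNU coreutils) replaces only the link.

# make_tree: build a constructed layout in a temp dir and print its path:
#   staging/config.sub                       shared copy used by other packages
#   pkg/config.sub -> ../staging/config.sub  symlink inside one package
#   new/config.sub                           the file being copied in
make_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/staging" "$t/pkg" "$t/new"
    echo 'shared version' > "$t/staging/config.sub"
    echo 'updated version' > "$t/new/config.sub"
    ln -s ../staging/config.sub "$t/pkg/config.sub"
    echo "$t"
}

# copy_result MODE: run the copy in MODE (plain|remove) and report what the
# shared file contains afterwards and what kind of file the destination is.
copy_result() {
    tree=$(make_tree) || return 1
    case $1 in
        plain)  cp "$tree/new/config.sub" "$tree/pkg/config.sub" ;;
        remove) cp --remove-destination "$tree/new/config.sub" "$tree/pkg/config.sub" ;;
        *)      rm -rf "$tree"; return 2 ;;
    esac
    if [ -L "$tree/pkg/config.sub" ]; then kind=symlink; else kind=file; fi
    echo "shared='$(cat "$tree/staging/config.sub")' dest=$kind"
    rm -rf "$tree"
}

# Plain cp follows the link: the shared file is truncated and rewritten in
# place, so a parallel configure run can see it empty or half written.
echo "plain:  $(copy_result plain)"
# --remove-destination unlinks the symlink first and creates a private file.
echo "remove: $(copy_result remove)"
```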
the postinst script enables/starts the init.d scripts upon package installation
and installs the users required by the package.
the prerm script stops and disables the init.d scripts.
Signed-off-by: John Crispin <blogic@openwrt.org>
SVN-Revision: 42470
this is in preparation of having services run as !root with
ACL'ed access to ubus.
Signed-off-by: John Crispin <blogic@openwrt.org>
SVN-Revision: 42469
The idea is still to enable it by default at some point
I've tested all ar71xx packages (except oldpackages) using CONFIG_ALL=y
Failing packages have been marked with PKG_CHECK_FORMAT_SECURITY:=0 for now
I can test more targets but I have no idea which are the most used
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
SVN-Revision: 42282
NFLOG and NFQUEUE targets' full support for iptables.
Includes all needed kernel modules (Xtables's and Netlink's)
and userspace libraries.
All added kernel modules can be individually disabled,
all other new libraries get their own individual packages.
Reported-by: Fabian Hugelshofer <hugelshofer2006@gmx.ch>
Reported-by: Rainer Poisel <rainer.poisel@fhstp.ac.at>
Reported-by: Derek LaHousse <dlahouss@mtu.edu>
Signed-off-by: Guillaume Déflache <guillaume.deflache@ibwag.com>
SVN-Revision: 42022
This changeset implements a new menuconfig option to generate separate
repositories for each enabled package feed instead of one monolithic one.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 42002
This commit implements a new netfilter match "xt_id" which can be used to
attach unsigned 32bit IDs to iptables rules.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 41945
Make sure they don't break the sed command, and also make device_info
and openwrt_release more robust for parsing by scripts
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 41885
Creates /etc/device_info which will be used to fill in information for
WPS and other protocols that need manufacturer/device information
This helps with creating OpenWrt firmware for OEM or rebranded devices.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 41884