Introduce configuration options to build an "hardened" OpenWRT.
Options to enable Stack-Smashing Protection, FORTIFY_SOURCE and RELRO
have been introduced.
uClibc makefile now automatically detects if SSP support is necessary.
hostapd makefile has been fixed to use "^" as sed separator since
using a comma was problematic when using "-Wl,-z,now" and the like in
TARGET_CFLAGS.
Currently enabling SSP on user space depends on enabling SSP kernel
side, this is due to the fact that TARGET_CFLAGS are used to build
kernel modules (at least). Suggestions on how to avoid this are welcome.
Using "select" instead of "depends on" doesn't seem to work with choice
entries.
Tested with a lantiq (WBMR) router, GCC 4.8, uClibc and a subset of
the available packages.
Needs to be tested with GCC 4.9 and the remaining packages.
PIE not currently included.
Signed-off-by: Alessandro Di Federico <ale+owrt@clearmind.me>
SVN-Revision: 44005
This simplifies building device / profile specific images, and allows
the build system to parallelize generating images
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 43907
Initialize a Git repository in the SDK and use git reset / git clean
to rollback any SDK changes with "make clean" or "make dirclean".
This approach is more robust than nuking entire directory trees because
some parts of them might have been shipped with the original archive.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 43904
Implement "%s" placeholder that expands to either the target name,
e.g. "ar71xx" if the subtarget is generic or to target.subtarget, e.g.
"ar71xx.nand" is a subtarget is choosen.
Also change the default repository url template to use "%s" instead
of "%T" to reflect the directory structure used by the buildbot systems.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 43871
This commit introduces a new option CONFIG_VERSION_FILENAMES which causes
OpenWrt to embed the version number in generated image files, SDK- and
ImageBuilder archives.
The option is enabled by default if CONFIG_VERSIONOPT is set.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 43869
When using UbinizeImage with ubifs rootfs, ubinize.cfg is no longer
needed. Yet, the absance of ubinize.cfg would make the build process
abort with an error.
Fix that by checking if ubinize.cfg is present and do no not call the
"classic" ubinize image generation if it isn't.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[missing new-line before UbinizeImage added itentionally]
SVN-Revision: 43788
Since GCC 4.7, GCC provides its own wrappers around ar, nm and ranlib, which
should be used for builds with link-time optimization. Since GCC 4.9, using them
actually necessary for LTO builds using convenience libraries to succeed.
There are some packages which try to automatically detect if gcc-{ar,nm,ranlib}
exist (one example is my package "fastd" in the package repository, which tries
to use LTO). This breaks because the OpenWrt build system explicitly sets the
binutils versions of these tools.
As it doesn't cause any issues to use gcc-{ar,nm,ranlib} instead of
{ar,nm,ranlib} even without LTO, this patch just makes OpenWrt use the
GCC-provided versions by default, which fixes the build of such packages with
GCC 4.9.
(I know that builds fail though when clang is used with -flto and
gcc-{ar,nm,ranlib}, but as all OpenWrt toolchains are based on GCC, this isn't
a real issue.)
Completely cleaning the tree (or at least `make clean toolchain/clean`) is
necessary to get a consistent state after the binutils plugins support patch and
this one (as trying to use gcc-{ar,nm,ranlib} with a binutils built without
plugin support will definitely lead to a build failure).
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 43784
x64 is handled by the x86 architecture in Linux, add a case for it in
LINUX_KARCH.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
SVN-Revision: 43672
Switch to a dumber implementation that will be easier to maintain in the long
run, with only if statements instead of having nested subst calls.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
SVN-Revision: 43671
We don't ship the kernel sources, so using the base git as a feed will
fail when trying to build kernel modules with separate install steps.
Instead of trying to fixup the install steps, let's just skip building
kernel modules alltogether and just create empty packages.
Out-of-kernel modules are still expected to exist and are packaged, as
for these sources are fetched during the normal build steps.
Reported-by: Jo-Philipp Wich <jow@openwrt.org>
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 43525
On out-of-tree modules depending on other out-of-tree modules from a
different tree, module dependencies are not filled properly.
This change helps with adding those dependencies in the AutoLoad call
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 43323
Building current trunk with 3.18 kernel fired some errors like 'missed
dependancy of module XXX from library kmod_YYY.ko'. These patch fixes 3
of such issues which are critical to have a successful build.
Signed-off-by: Alexey N Vinogradov <a.n.vinogradov@gmail.com>
SVN-Revision: 43318
The 3.18 kernel introduced new Kconfig options for the xt_nat and iptable_nat
kernel modules, that both belong to the ipt_nat kernel package.
Enable this new options.
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
SVN-Revision: 43212
This patch adds the userspace and kernelspace for
- match NETFILTER_XT_MATCH_CLUSTER
This match can be used to deploy gateway and back-end load-sharing clusters.
- target IP_NF_TARGET_CLUSTERIP
This module allows you to configure a simple cluster of nodes
that share a certain IP and MAC address
without an explicit load balancer in front of them.
Connections are statically distributed between the nodes in this cluster.
This is used i.e. by strongswan-ha.
Signed-off-by: Christian Scheele <cs@embedd.com>
SVN-Revision: 43174
Many packages define already metadata about their license (PKG_LICENSE),
but this is only included in the ipk files.
This change allows to create the information also on the build-host,
to get an overview on the used licenses.
In the full list, also all packages without this info are shown
Signed-off-by: Thomas Langer <thomas.langer@lantiq.com>
SVN-Revision: 43070
All platforms which are using 3.10.x at the moment are upgraded.
Changelogs:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.50https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.51https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.52https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.53https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.54https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.55https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.56https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.57https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.58
A new symbol 'X86_16BIT' appeared in 3.10.52 with commit 34273f41d57ee8d854dcd2a1d754cbb546cb548f
("x86-espfix-make-it-possible-to-disable-16-bit-support.patch")
I defaults to 'unset', but it's worth a discussion to enable it
("turn off support for any 16-bit software").
Also removed the patch 0db3db45f5bd6df4bdc03bbd5dec672e16164c4e
("fix build failure on memcpy() in decompress.c")
and is obsolete by commit 29593fd5a8149462ed6fad0d522234facdaee6c8 upstream.
included in kernel 3.10.56
compile tested on all platforms with:
make tools/install
make toolchain/install
make target/linux/compile
user@box:~/user/openwrt$ cat /tmp/log.txt
[Wed Oct 22 00:36:02 CEST 2014] ./smoketest.sh: ar71xx - OK
[Wed Oct 22 00:53:22 CEST 2014] ./smoketest.sh: ar7 - OK
[Wed Oct 22 01:08:27 CEST 2014] ./smoketest.sh: au1000 - OK
[Wed Oct 22 01:21:43 CEST 2014] ./smoketest.sh: avr32 - OK
[Wed Oct 22 01:37:47 CEST 2014] ./smoketest.sh: cns21xx - OK
[Wed Oct 22 01:52:05 CEST 2014] ./smoketest.sh: cns3xxx - OK
[Wed Oct 22 02:10:23 CEST 2014] ./smoketest.sh: gemini - OK
[Wed Oct 22 02:29:07 CEST 2014] ./smoketest.sh: ixp4xx - OK
[Wed Oct 22 02:44:01 CEST 2014] ./smoketest.sh: malta - OK
[Wed Oct 22 02:55:57 CEST 2014] ./smoketest.sh: mpc85xx - OK
[Wed Oct 22 03:07:56 CEST 2014] ./smoketest.sh: orion - OK
[Wed Oct 22 03:24:30 CEST 2014] ./smoketest.sh: ppc40x - OK
[Wed Oct 22 03:40:19 CEST 2014] ./smoketest.sh: ppc44x - OK
[Wed Oct 22 03:55:29 CEST 2014] ./smoketest.sh: realview - OK
[Wed Oct 22 04:09:47 CEST 2014] ./smoketest.sh: sparc - OK
[Wed Oct 22 04:23:37 CEST 2014] ./smoketest.sh: x86 - OK
[Wed Oct 22 04:35:56 CEST 2014] ./smoketest.sh: xburst - OK
run tested on x86, au1000, ar71xx, mpc85xx and brcm47xx
Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com>
SVN-Revision: 43049
Changeset r43017 reworked the ipkg control metadata generation but broke
the export of conffiles, postinst and prerm defines.
Change the code back to rely on shvar and shexport, this is required to
properly output multiline contents.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 43041