Re: dm-verity support

2020-07-30 Thread Thomas Petazzoni
Hello,

On Thu, 30 Jul 2020 00:17:28 +0200
 wrote:

> your dm-verity patchset is in our patchwork since November 2019 (v2).
> Unfortunately, nobody seemed to be particularly interested in
> reviewing/merging it.
> 
> Since I don't see a reason why this should change in another 8
> months, I'm going to finally mark it as Rejected now. After all, our
> resources are limited.
> 
> I'm sorry, and although I fear a similar fate will hit the SELinux
> effort, I still hope you will not feel repelled and continue to
> contribute to OpenWrt in the future.

This is overall quite unfortunate. Initially, I have done this work for
a customer that was using an old vendor-modified OpenWrt version.
Instead of doing like most companies do: simply hack the old
vendor-modified OpenWrt and keep the changes private, I instead took an
upstream compatible approach: I did all my development on the latest
OpenWrt upstream, submitted it to the community, and only then
backported it to my customer vendor-specific OpenWrt.

It is therefore quite sad that despite this intention of being a good
open-source citizen and trying to do the "right" thing, OpenWrt as an
upstream project is not interested. Such security features are more and
more commonly needed, and it will at some point be a problem for
OpenWrt to not have such features supported.

Best regards,

Thomas Petazzoni
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


Re: dm-verity support

2020-07-30 Thread Thomas Petazzoni
Hello,

On Wed, 29 Jul 2020 23:40:29 -0500
"W. Michael Petullo"  wrote:

> Please see
> 
>   https://github.com/openwrt/openwrt/pull/3207#issuecomment-660555489
> 
> for the steps you could use to test this.
> 
> I am not sure what architecture Thomas tested, but he used squashfs. I
> used ext4 on x86_64. This should support a wide range of architectures;
> I would be interested to hear how much this is the case in practice.

I tested the SELinux work on upstream OpenWRT with Qemu/ARM and a
squashfs filesystem. I also used it on a custom ARM Qualcomm platform,
though that was using an older OpenWRT on which I had backported my
work.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



Re: [OpenWrt-Devel] [PATCH v2 00/12] dm-verity support

2020-03-12 Thread Thomas Petazzoni
Hello,

I have received absolutely no feedback on this v2.

Would it be possible to get these patches reviewed or merged ?

Thanks a lot,

Thomas Petazzoni

On Fri, 20 Dec 2019 15:04:32 +0100
Thomas Petazzoni  wrote:

> Hello,
> 
> On Thu, 21 Nov 2019 17:23:10 +0100
> Thomas Petazzoni  wrote:
> 
> > This is the second iteration of my patch series adding support for
> > dm-verity in OpenWRT. See below for some introduction about the
> > purpose of this series.  
> 
> Unless I missed it, I don't think I have received any feedback on the
> v2 of this patch series. Is there any chance of getting it merged, or
> at least parts of it ?
> 
> Thanks!
> 
> Thomas Petazzoni



-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



Re: [OpenWrt-Devel] [PATCH 1/7] package/utils/busybox: add optional selinux support

2020-01-04 Thread Thomas Petazzoni
Hello,

On Sat, 4 Jan 2020 15:06:38 +0200
Daniel Golle  wrote:

> > @@ -76,6 +76,9 @@ LDLIBS += $(call BUSYBOX_IF_ENABLED,PAM,pam pam_misc 
> > pthread)
> >  ifeq ($(CONFIG_USE_GLIBC),y)
> >LDLIBS += $(call BUSYBOX_IF_ENABLED,NSLOOKUP_OPENWRT,resolv)
> >  endif
> > +ifeq ($(CONFIG_BUSYBOX_CONFIG_SELINUX),y)
> > +  LDLIBS += selinux sepol
> > +endif  
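
Review bot: Nothing in this hunk ensures that libselinux and libsepol are built before busybox links against them in the new ifeq block. Please confirm that DEPENDS gets a matching conditional entry for both libraries, so that enabling CONFIG_BUSYBOX_CONFIG_SELINUX cannot fail at link time.
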
> 
> also here, it would be better to have a build-variant of busybox which
> has selinux enabled instead of a buildroot compile option.

Thanks for your feedback. Could you give some initial hints on what you
mean by "build-variant", or at least point at some existing examples ?

Thanks a lot,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



Re: [OpenWrt-Devel] [PATCH v2 00/12] dm-verity support

2019-12-20 Thread Thomas Petazzoni
Hello,

On Thu, 21 Nov 2019 17:23:10 +0100
Thomas Petazzoni  wrote:

> This is the second iteration of my patch series adding support for
> dm-verity in OpenWRT. See below for some introduction about the
> purpose of this series.

Unless I missed it, I don't think I have received any feedback on the
v2 of this patch series. Is there any chance of getting it merged, or
at least parts of it ?

Thanks!

Thomas Petazzoni
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



Re: [OpenWrt-Devel] [PATCH 4/7] include/image.mk: implement SELinux squashfs image generation

2019-12-09 Thread Thomas Petazzoni
Hello Daniel,

On Fri, 29 Nov 2019 00:01:26 +0100
Daniel Golle  wrote:

> I thought about introducing fakeroot in a similar way before, but for
> different purposes such as having setuid binaries or files owned by
> users other than root contained in the rootfs.

Right, that would indeed allow that. Buildroot uses fakeroot in a
consistent way to build all filesystem images, which allows us to
create files with arbitrary permissions/ownership.

> +1 for your work to enable SELinux in OpenWrt, I'll try to find time
> for some testing that.

Thanks!

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



Re: [OpenWrt-Devel] [PATCH packages 00/11] SELinux support: packages feed changes

2019-11-28 Thread Thomas Petazzoni
Hello Jan,

On Thu, 28 Nov 2019 13:25:24 +0100
Jan Pavlinec  wrote:

> I think that maintainers of openwrt/openwrt repo are more active on the
> mailing list but openwrt/packages maintainers prefer GitHub. But that is
> just my personal feeling.

Thanks for the suggestion. I just opened a Github pull request for the
packages part: https://github.com/openwrt/packages/pull/10664

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



Re: [OpenWrt-Devel] [PATCH packages 00/11] SELinux support: packages feed changes

2019-11-28 Thread Thomas Petazzoni
Hello Jan,

On Thu, 28 Nov 2019 12:35:36 +0100
Jan Pavlinec  wrote:

> I really like the idea of SELinux support in OpenWrt, but I think that
> if you send these patches directly to
> https://github.com/openwrt/packages/ they will receive more attention
> than here in mailing list.

Thanks a lot for your feedback. Should I do this only for the package
patches (i.e the package feeds), or also for the "core" changes ?

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



[OpenWrt-Devel] [PATCH packages 08/11] utils/checkpolicy: new package

2019-11-22 Thread Thomas Petazzoni
Signed-off-by: Thomas Petazzoni 
---
 utils/checkpolicy/Makefile | 42 ++
 1 file changed, 42 insertions(+)
 create mode 100644 utils/checkpolicy/Makefile

diff --git a/utils/checkpolicy/Makefile b/utils/checkpolicy/Makefile
new file mode 100644
index 0..305e3b507
--- /dev/null
+++ b/utils/checkpolicy/Makefile
@@ -0,0 +1,42 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=checkpolicy
+PKG_VERSION:=2.9
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20190315
+PKG_HASH:=a946c32b284532447857e4c48830f8816867c61220c8c08bdd32e6f691335f8e
+HOST_BUILD_DEPENDS:=libselinux/host
+
+PKG_MAINTAINER:=Thomas Petazzoni 
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/checkpolicy
+  SECTION:=utils
+  CATEGORY:=Utilities
+  TITLE:=SELinux policy compiler
+  URL:=http://selinuxproject.org/page/Main_Page
+endef
+
+define Package/checkpolicy/description
+   checkpolicy is the SELinux policy compiler. It uses libsepol
+   to generate the binary policy. checkpolicy uses the static
+   libsepol since it deals with low level details of the policy
+   that have not been encapsulated/abstracted by a proper
+   shared library interface.
+endef
+
+include $(INCLUDE_DIR)/host-build.mk
+
+HOST_MAKE_FLAGS += \
+   PREFIX=$(STAGING_DIR_HOSTPKG)
+
+$(eval $(call HostBuild))
+$(eval $(call BuildPackage,checkpolicy))
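
Review bot: Package/checkpolicy is passed to BuildPackage on the last line but has no install section and no DEPENDS, and only HOST_MAKE_FLAGS is set, so the target side of this Makefile looks unfinished. If only the host tool is needed to compile the policy at build time, say so in the commit message and the description; otherwise add Package/checkpolicy/install. The description also says checkpolicy links the static libsepol, so naming libsepol/host in HOST_BUILD_DEPENDS would be clearer than relying on libselinux/host to pull it in. A PKG_LICENSE line is missing as well.
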
-- 
2.23.0




[OpenWrt-Devel] [PATCH packages 09/11] admin/refpolicy: new package

2019-11-22 Thread Thomas Petazzoni
Signed-off-by: Thomas Petazzoni 
---
 admin/refpolicy/Makefile | 78 
 admin/refpolicy/files/selinux-config |  7 +++
 2 files changed, 85 insertions(+)
 create mode 100644 admin/refpolicy/Makefile
 create mode 100644 admin/refpolicy/files/selinux-config

diff --git a/admin/refpolicy/Makefile b/admin/refpolicy/Makefile
new file mode 100644
index 0..fcf13cedf
--- /dev/null
+++ b/admin/refpolicy/Makefile
@@ -0,0 +1,78 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=refpolicy
+PKG_VERSION:=2.20190201
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201
+PKG_HASH:=ed620dc91c4e09eee6271b373f7c61a364a82ea57bd2dc86ca1f7075304e2843
+PKG_INSTALL:=1
+PKG_BUILD_DEPENDS:=checkpolicy/host policycoreutils/host
+
+PKG_MAINTAINER:=Thomas Petazzoni 
+
+TAR_OPTIONS:=--transform='s%^refpolicy%$(PKG_NAME)-$(PKG_VERSION)%' -xf -
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/refpolicy
+  SECTION:=admin
+  CATEGORY:=Administration
+  TITLE:=SELinux reference policy
+  URL:=http://selinuxproject.org/page/Main_Page
+  DEPENDS:=+@TARGET_ROOTFS_NEEDS_XATTR
+endef
+
+define Package/refpolicy/description
+   The SELinux Reference Policy project (refpolicy) is a
+   complete SELinux policy that can be used as the system
+   policy for a variety of systems and used as the basis for
+   creating other policies. Reference Policy was originally
+   based on the NSA example policy, but aims to accomplish many
+   additional goals.
+
+   The current refpolicy does not fully support OpenWRT and
+   needs modifications to work with the default system file
+   layout. These changes should be added as patches to the
+   refpolicy that modify a single SELinux policy.
+
+   The refpolicy works for the most part in permissive
+   mode. Only the basic set of utilities are enabled in the
+   example policy config and some of the pathing in the
+   policies is not correct.  Individual policies would need to
+   be tweaked to get everything functioning properly.
+endef
+
+# Yes, we want CC=$(HOSTCC) because the only code that checkpolicy
+# builds is a small host tool that gets run as part of the build
+# process.
+MAKE_FLAGS += \
+   TEST_TOOLCHAIN=$(STAGING_DIR_HOSTPKG) \
+   BINDIR=/bin \
+   SBINDIR=/sbin \
+   CC=$(HOSTCC) \
+   CFLAGS=$(HOST_CFLAGS)
+
+define Build/Configure
+   $(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(PKG_BUILD_DIR)/build.conf
+   $(SED) "/NAME/c\NAME = targeted" $(PKG_BUILD_DIR)/build.conf
+   $(call Build/Compile/Default,conf)
+endef
+
+define Package/refpolicy/conffiles
+/etc/selinux/config
+endef
+
+define Package/refpolicy/install
+   $(INSTALL_DIR) $(1)/etc/selinux
+   $(CP) $(PKG_INSTALL_DIR)/etc/selinux/* $(1)/etc/selinux/
+   $(CP) ./files/selinux-config $(1)/etc/selinux/config
+endef
+
+$(eval $(call BuildPackage,refpolicy))
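
Review bot: CFLAGS=$(HOST_CFLAGS) in MAKE_FLAGS is unquoted, so a HOST_CFLAGS value holding more than one flag is split into separate make arguments; write CFLAGS="$(HOST_CFLAGS)". In Build/Configure both sed addresses are unanchored (/NAME/ matches any line of build.conf that contains NAME, comments included), so anchor them at the start of the line. The comment above MAKE_FLAGS talks about checkpolicy although this is the refpolicy Makefile.
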
diff --git a/admin/refpolicy/files/selinux-config 
b/admin/refpolicy/files/selinux-config
new file mode 100644
index 0..2ae174d29
--- /dev/null
+++ b/admin/refpolicy/files/selinux-config
@@ -0,0 +1,7 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=permissive
+SELINUXTYPE=targeted
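
Review bot: SELINUX=permissive as the shipped default means the policy is loaded but, as the file's own comment says, violations only produce warnings. That is consistent with the package description, which says the policy works for the most part in permissive mode, but the commit message should state it and say what has to be fixed in the policy before the default can become enforcing, so that nobody assumes installing refpolicy gives them enforcement.
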
-- 
2.23.0




[OpenWrt-Devel] [PATCH packages 10/11] libs/libselinux: add support for building the Python bindings

2019-11-22 Thread Thomas Petazzoni
Signed-off-by: Thomas Petazzoni 
---
 libs/libselinux/Makefile | 28 +++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/libs/libselinux/Makefile b/libs/libselinux/Makefile
index 30e50a9ba..08b43f0f7 100644
--- a/libs/libselinux/Makefile
+++ b/libs/libselinux/Makefile
@@ -12,11 +12,13 @@ PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 
PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20190315
 PKG_HASH:=1bccc8873e449587d9a2b2cf253de9b89a8291b9fbc7c59393ca9e5f5f4d2693
+PKG_BUILD_DEPENDS:=PACKAGE_python-libselinux:python 
PACKAGE_python-libselinux:swig/host
 HOST_BUILD_DEPENDS:=libsepol/host pcre/host
 
 PKG_MAINTAINER:=Thomas Petazzoni 
 
 include $(INCLUDE_DIR)/package.mk
+include ../../lang/python/python-package.mk
 
 define Package/libselinux
   SECTION:=libs
@@ -26,6 +28,14 @@ define Package/libselinux
   URL:=http://selinuxproject.org/page/Main_Page
 endef
 
+define Package/python-libselinux
+  TITLE:=Python bindings sur the runtime SELinux library
+  SUBMENU:=Python
+  SECTION:=lang
+  CATEGORY:=Languages
+  DEPENDS:=+python +libselinux
+endef
+
 define Package/libselinux/description
libselinux is the runtime SELinux library that provides
interfaces (e.g. library functions for the SELinux kernel
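
Review bot: Typo in the new TITLE: "Python bindings sur the runtime SELinux library" should read "for". Package/python-libselinux also gets no description block in this patch, unlike Package/libselinux just below; please add one.
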
@@ -51,14 +61,28 @@ $(eval $(call HostBuild))
 
 MAKE_FLAGS += \
FTS_LDLIBS=-lfts \
-   SHLIBDIR=/usr/lib
+   SHLIBDIR=/usr/lib \
+   PYTHON=$(PYTHON) \
+   PYINC="-I $(PYTHON_INC_DIR)"
+
+ifdef CONFIG_PACKAGE_python-libselinux
+  define Build/Compile/python-libselinux
+   $(call Build/Compile/Default,swigify pywrap)
+  endef
+
+  define Build/Install/python-libselinux
+   $(call Build/Install/Default,install-pywrap)
+  endef
+endif
 
 define Build/Compile
$(call Build/Compile/Default,all)
+   $(Build/Compile/python-libselinux)
 endef
 
 define Build/Install
$(call Build/Install/Default,install)
+   $(Build/Install/python-libselinux)
 endef
 
 define Build/InstallDev
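
Review bot: PYTHON and PYINC are appended to MAKE_FLAGS unconditionally, while the swigify/pywrap steps sit inside ifdef CONFIG_PACKAGE_python-libselinux. Moving the two variables inside the same ifdef keeps the build of plain libselinux identical to what it was before this patch when the bindings are not selected.
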
@@ -76,3 +100,5 @@ define Package/libselinux/install
 endef
 
 $(eval $(call BuildPackage,libselinux))
+$(eval $(call PyPackage,python-libselinux))
+$(eval $(call BuildPackage,python-libselinux))
-- 
2.23.0




[OpenWrt-Devel] [PATCH packages 11/11] utils/selinux-python: new package

2019-11-22 Thread Thomas Petazzoni
Signed-off-by: Thomas Petazzoni 
---
 utils/selinux-python/Makefile | 155 ++
 .../0001-sepolgen-adjust-data_dir.patch   |  26 +++
 ...hardcode-search-for-ausearch-in-sbin.patch |  38 +
 .../0003-Don-t-force-using-python3.patch  |  67 
 4 files changed, 286 insertions(+)
 create mode 100644 utils/selinux-python/Makefile
 create mode 100644 
utils/selinux-python/patches/0001-sepolgen-adjust-data_dir.patch
 create mode 100644 
utils/selinux-python/patches/0002-sepolgen-don-t-hardcode-search-for-ausearch-in-sbin.patch
 create mode 100644 
utils/selinux-python/patches/0003-Don-t-force-using-python3.patch

diff --git a/utils/selinux-python/Makefile b/utils/selinux-python/Makefile
new file mode 100644
index 0..4fd0376b6
--- /dev/null
+++ b/utils/selinux-python/Makefile
@@ -0,0 +1,155 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=selinux-python
+PKG_VERSION:=2.9
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20190315
+PKG_HASH:=3650b5393b0d1790cac66db00e34f059aa91c23cfe3c2559676594e295d75fde
+PKG_BUILD_DEPENDS:=PACKAGE_selinux-audit2allow:libsepol
+
+PKG_MAINTAINER:=Thomas Petazzoni 
+
+include $(INCLUDE_DIR)/package.mk
+include ../../lang/python/python-package.mk
+
+#
+# common definitions
+#
+
+define Package/selinux-python/Default
+  SECTION:=utils
+  DEPENDS:=+python +python-libselinux
+  CATEGORY:=Utilities
+  URL:=http://selinuxproject.org/page/Main_Page
+endef
+
+define Package/selinux-python/Default/description
+   A set of SELinux tools written in python that help with
+   managing a system with SELinux enabled.
+endef
+
+MAKE_VARS = \
+   PYTHON=$(HOST_PYTHON_BIN) \
+   PYTHONLIBDIR=$(PYTHON_PKG_DIR)
+
+define Build/Compile
+   $(call Build/Compile/Default,all)
+endef
+
+#
+# selinux-audit2allow
+#
+
+define Package/selinux-audit2allow
+$(call Package/selinux-python/Default)
+  TITLE:=selinux-audit2allow
+  DEPENDS:=+python-sepolgen +libsepol
+endef
+
+define Package/selinux-audit2allow/description
+$(call Package/selinux-python/Default/description)
+  This package contains the audit2allow and audit2why tools.
+endef
+
+define Package/selinux-audit2allow/install
+   $(MAKE_VARS) $(MAKE) -C $(PKG_BUILD_DIR)/audit2allow DESTDIR=$(1) 
install
+   rm -rf $(1)/usr/share/man
+endef
+
+#
+# selinux-chchat
+#
+
+define Package/selinux-chcat
+$(call Package/selinux-python/Default)
+  TITLE:=selinux-chcat
+endef
+
+define Package/selinux-chcat/description
+$(call Package/selinux-python/Default/description)
+  This package contains the chcat tool.
+endef
+
+define Package/selinux-chcat/install
+   $(MAKE_VARS) $(MAKE) -C $(PKG_BUILD_DIR)/chcat DESTDIR=$(1) install
+   rm -rf $(1)/usr/share
+endef
+
+#
+# selinux-semanage
+#
+
+define Package/selinux-semanage
+$(call Package/selinux-python/Default)
+  TITLE:=selinux-semanage
+  DEPENDS:=+python-sepolicy
+endef
+
+define Package/selinux-semanage/description
+$(call Package/selinux-python/Default/description)
+  This package contains the semanage tool.
+endef
+
+define Package/selinux-semanage/install
+   $(MAKE_VARS) $(MAKE) -C $(PKG_BUILD_DIR)/semanage DESTDIR=$(1) install
+   rm -rf $(1)/usr/share
+endef
+
+#
+# python-sepolgen
+#
+
+define Package/python-sepolgen
+$(call Package/selinux-python/Default)
+  SUBMENU:=Python
+  SECTION:=lang
+  CATEGORY:=Languages
+  TITLE:=python-sepolgen
+endef
+
+define Package/python-sepolgen/description
+$(call Package/selinux-python/Default/description)
+  This package contains the sepolgen Python library.
+endef
+
+define Package/python-sepolgen/install
+   $(MAKE_VARS) $(MAKE) -C $(PKG_BUILD_DIR)/sepolgen DESTDIR=$(1) install
+   $(INSTALL_DIR) $(1)/usr/share/sepolgen/
+   $(INSTALL_DATA) $(1)/var/lib/sepolgen/perm_map 
$(1)/usr/share/sepolgen/perm_map
+   $(RM) -rf $(1)/var
+endef
+
+#
+# python-sepolicy
+#
+
+define Package/python-sepolicy
+$(call Package/selinux-python/Default)
+  SUBMENU:=Python
+  SECTION:=lang
+  CATEGORY:=Languages
+  TITLE:=python-sepolicy
+endef
+
+define Package/python-sepolicy/description
+$(call Package/selinux-python/Default/description)
+  This package contains the sepolicy Python library.
+endef
+
+define Package/python-sepolicy/install
+   $(MAKE_VARS) $(MAKE) -C $(PKG_BUILD_DIR)/sepolicy DESTDIR=$(1) install
+   rm -rf $(1)/usr/share
+endef
+
+$(eval $(call BuildPackage,selinux-audit2allow))
+$(eval $(call BuildPackage,selinux-chcat))
+$(eval $(call BuildPackage,selinux-semanage))
+$(eval $(call BuildPackage,python-sepolgen))
+$(eval $(call BuildPackage,python-sepolicy))
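
Review bot: In Package/selinux-audit2allow and Package/selinux-semanage the DEPENDS:= line comes after $(call Package/selinux-python/Default) and therefore replaces the "+python +python-libselinux" set there instead of extending it; use DEPENDS+= if both sets are wanted. Likewise "MAKE_VARS =" after the include of package.mk replaces whatever MAKE_VARS that file set up rather than adding to it. Minor: the section comment "# selinux-chchat" should read selinux-chcat, and the install sections mix "rm -rf" with "$(RM) -rf".
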
diff --git a/utils/selinux-python/patches/0001-sepolgen-adjust-data_dir.patch 
b/utils/selinux-python/patches/0001-sepolgen-adjust-data_dir.patch
new file mode 100644
index 0

[OpenWrt-Devel] [PATCH packages 05/11] libs/libcap-ng: new package

2019-11-22 Thread Thomas Petazzoni
Signed-off-by: Thomas Petazzoni 
---
 libs/libcap-ng/Makefile | 53 +
 1 file changed, 53 insertions(+)
 create mode 100644 libs/libcap-ng/Makefile

diff --git a/libs/libcap-ng/Makefile b/libs/libcap-ng/Makefile
new file mode 100644
index 0..5cf1f2499
--- /dev/null
+++ b/libs/libcap-ng/Makefile
@@ -0,0 +1,53 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libcap-ng
+PKG_VERSION:=0.7.9
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=http://people.redhat.com/sgrubb/libcap-ng
+PKG_HASH:=4a1532bcf3731aade40936f6d6a586ed5a66ca4c7455e1338d1f6c3e09221328
+PKG_INSTALL:=1
+
+PKG_MAINTAINER:=Thomas Petazzoni 
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/libcap-ng
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=POSIX capabilities programming library
+  URL:=http://people.redhat.com/sgrubb/libcap-ng/
+endef
+
+define Package/libcap-ng/description
+   The libcap-ng library is intended to make programming with
+   posix capabilities much easier than the traditional libcap
+   library. It includes utilities that can analyse all currently
+   running applications and print out any capabilities and
+   whether or not it has an open ended bounding set.
+endef #'
+
+CONFIGURE_ARGS += --without-python
+CONFIGURE_VARS += ac_cv_prog_swig_found=no
+
+define Build/InstallDev
+   $(INSTALL_DIR) $(1)/usr/include
+   $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+   $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+   $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libcap-ng.pc 
$(1)/usr/lib/pkgconfig/
+   $(INSTALL_DIR) $(1)/usr/lib
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/
+endef
+
+define Package/libcap-ng/install
+   $(INSTALL_DIR) $(1)/usr/lib
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libcap-ng.so.* $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,libcap-ng))
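
Review bot: PKG_SOURCE_URL fetches the tarball over plain http. PKG_HASH still pins the content, but please use an https URL if the server offers one. The description mentions utilities, yet Package/libcap-ng/install only copies libcap-ng.so.*; either drop that sentence or package the tools. The trailing comment in "endef #'" can go, and PKG_LICENSE is missing.
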
-- 
2.23.0




[OpenWrt-Devel] [PATCH packages 07/11] utils/policycoreutils: new package

2019-11-22 Thread Thomas Petazzoni
Signed-off-by: Thomas Petazzoni 
---
 utils/policycoreutils/Makefile | 60 ++
 1 file changed, 60 insertions(+)
 create mode 100644 utils/policycoreutils/Makefile

diff --git a/utils/policycoreutils/Makefile b/utils/policycoreutils/Makefile
new file mode 100644
index 0..ce3f68692
--- /dev/null
+++ b/utils/policycoreutils/Makefile
@@ -0,0 +1,60 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=policycoreutils
+PKG_VERSION:=2.9
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20190315
+PKG_HASH:=c53c344f28007b3c0742bd958751e9b5d2385898adeb8aec6281ae57342f0f7b
+PKG_INSTALL:=1
+HOST_BUILD_DEPENDS:=libsemanage/host
+
+PKG_MAINTAINER:=Thomas Petazzoni 
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/policycoreutils
+  SECTION:=utils
+  CATEGORY:=Utilities
+  DEPENDS:= +libsemanage +libcap-ng
+  TITLE:=SELinux policy utilities
+  URL:=http://selinuxproject.org/page/Main_Page
+endef
+
+define Package/policycoreutils/description
+   Policycoreutils is a collection of policy utilities
+   (originally the "core" set of utilities needed to use
+   SELinux, although it has grown a bit over time), which have
+   different dependencies.  sestatus, secon, run_init, and
+   newrole only use libselinux. load_policy and setfiles only
+   use libselinux and libsepol. semodule and semanage use
+   libsemanage (and thus bring in dependencies on libsepol and
+   libselinux as well). setsebool uses libselinux to make
+   non-persistent boolean changes (via the kernel interface)
+   and uses libsemanage to make persistent boolean changes.
+endef
+
+include $(INCLUDE_DIR)/host-build.mk
+
+HOST_MAKE_FLAGS += \
+   PREFIX=$(STAGING_DIR_HOSTPKG) \
+   SBINDIR=$(STAGING_DIR_HOSTPKG)/sbin \
+   ETCDIR=$(STAGING_DIR_HOSTPKG)/etc
+
+define Package/policycoreutils/install
+   $(INSTALL_DIR) $(1)/usr/bin
+   $(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/
+   $(INSTALL_DIR) $(1)/usr/sbin
+   $(CP) $(PKG_INSTALL_DIR)/usr/sbin/* $(1)/usr/sbin/
+   $(INSTALL_DIR) $(1)/sbin
+   $(CP) $(PKG_INSTALL_DIR)/sbin/* $(1)/sbin/
+endef
+
+$(eval $(call HostBuild))
+$(eval $(call BuildPackage,policycoreutils))
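
Review bot: Package/policycoreutils/install copies everything under usr/bin, usr/sbin and sbin with wildcards, so the package content is whatever upstream's install target happens to produce. The description itself lists tools with different library needs (sestatus, secon, run_init and newrole only use libselinux), while DEPENDS pulls libsemanage and libcap-ng for all of them. Consider listing the installed binaries explicitly, or splitting them into sub-packages, so that the set of privileged tools on the target is deliberate and small.
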
-- 
2.23.0




[OpenWrt-Devel] [PATCH packages 06/11] libs/libsemanage: new package

2019-11-22 Thread Thomas Petazzoni
Signed-off-by: Thomas Petazzoni 
---
 libs/libsemanage/Makefile | 70 +++
 1 file changed, 70 insertions(+)
 create mode 100644 libs/libsemanage/Makefile

diff --git a/libs/libsemanage/Makefile b/libs/libsemanage/Makefile
new file mode 100644
index 0..75aea0305
--- /dev/null
+++ b/libs/libsemanage/Makefile
@@ -0,0 +1,70 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libsemanage
+PKG_VERSION:=2.9
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20190315
+PKG_HASH:=2576349d344492e73b468059767268dec1dabd8c35f3c7222c3ec2448737bc1c
+HOST_BUILD_DEPENDS:=audit/host libselinux/host bzip2/host
+
+PKG_MAINTAINER:=Thomas Petazzoni 
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/libsemanage
+  SECTION:=libs
+  DEPENDS:=+libaudit +libselinux +libbz2
+  CATEGORY:=Libraries
+  TITLE:=SELinux policy management library
+  URL:=http://selinuxproject.org/page/Main_Page
+endef
+
+define Package/libsemanage/description
+   libsemanage is the policy management library. It uses
+   libsepol for binary policy manipulation and libselinux for
+   interacting with the SELinux system. It also exec's helper
+   programs for loading policy and for checking whether the
+   file_contexts configuration is valid (load_policy and
+   setfiles from policycoreutils) presently, although this may
+   change at least for the bootstrapping case (for rpm).
+endef #'
+
+include $(INCLUDE_DIR)/host-build.mk
+
+HOST_MAKE_FLAGS += \
+   PREFIX=$(STAGING_DIR_HOSTPKG)
+
+define Build/Configure
+endef
+
+define Build/Compile
+   $(call Build/Compile/Default,all)
+endef
+
+define Build/Install
+   $(call Build/Install/Default,install)
+endef
+
+define Build/InstallDev
+   $(INSTALL_DIR) $(1)/usr/include
+   $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+   $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+   $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libsemanage.pc 
$(1)/usr/lib/pkgconfig/
+   $(INSTALL_DIR) $(1)/usr/lib
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/
+endef
+
+define Package/libsemanage/install
+   $(INSTALL_DIR) $(1)/usr/lib
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libsemanage.so.* $(1)/usr/lib/
+endef
+
+$(eval $(call HostBuild))
+$(eval $(call BuildPackage,libsemanage))
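
Review bot: The description says libsemanage uses libsepol for binary policy manipulation, but neither DEPENDS nor HOST_BUILD_DEPENDS names it; both rely on libselinux to bring it in. Please list +libsepol and libsepol/host explicitly. The empty Build/Configure deserves a one-line comment saying why it is overridden, and the runtime use of load_policy and setfiles from policycoreutils that the description mentions should at least be noted somewhere, since it is not expressed in the package metadata.
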
-- 
2.23.0




[OpenWrt-Devel] [PATCH packages 01/11] libs/pcre: add host variant of libpcre

2019-11-22 Thread Thomas Petazzoni
This is needed to build the host variant of libselinux.

Signed-off-by: Thomas Petazzoni 
---
 libs/pcre/Makefile | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/libs/pcre/Makefile b/libs/pcre/Makefile
index 720142332..29fda6749 100644
--- a/libs/pcre/Makefile
+++ b/libs/pcre/Makefile
@@ -51,6 +51,17 @@ define Package/libpcrecpp
   DEPENDS:=+libpcre $(CXX_DEPENDS)
 endef
 
+include $(INCLUDE_DIR)/host-build.mk
+
+HOST_CONFIGURE_ARGS += \
+   --enable-utf8 \
+   --enable-unicode-properties \
+   --enable-pcre16 \
+   --with-match-limit-recursion=16000 \
+   --enable-cpp
+
+$(eval $(call HostBuild))
+
 TARGET_CFLAGS += $(FPIC)
 
 CONFIGURE_ARGS += \
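
Review bot: HOST_CONFIGURE_ARGS turns on --enable-pcre16 and --enable-cpp, while the commit message gives the host build of libselinux as the only reason for this variant. If libselinux/host needs only the 8-bit C library, drop the options it does not use to keep the host build short; otherwise name the consumer of each option in the commit message.
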
-- 
2.23.0




[OpenWrt-Devel] [PATCH packages 03/11] libs/libselinux: new package

2019-11-22 Thread Thomas Petazzoni
Signed-off-by: Thomas Petazzoni 
---
 libs/libselinux/Makefile | 78 
 1 file changed, 78 insertions(+)
 create mode 100644 libs/libselinux/Makefile

diff --git a/libs/libselinux/Makefile b/libs/libselinux/Makefile
new file mode 100644
index 0..30e50a9ba
--- /dev/null
+++ b/libs/libselinux/Makefile
@@ -0,0 +1,78 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libselinux
+PKG_VERSION:=2.9
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20190315
+PKG_HASH:=1bccc8873e449587d9a2b2cf253de9b89a8291b9fbc7c59393ca9e5f5f4d2693
+HOST_BUILD_DEPENDS:=libsepol/host pcre/host
+
+PKG_MAINTAINER:=Thomas Petazzoni 
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/libselinux
+  SECTION:=libs
+  DEPENDS:=+libsepol +libpcre +musl-fts +@KERNEL_SECURITY 
+@KERNEL_SECURITY_NETWORK +@KERNEL_SECURITY_SELINUX
+  CATEGORY:=Libraries
+  TITLE:=Runtime SELinux library
+  URL:=http://selinuxproject.org/page/Main_Page
+endef
+
+define Package/libselinux/description
+   libselinux is the runtime SELinux library that provides
+   interfaces (e.g. library functions for the SELinux kernel
+   APIs like getcon(), other support functions like
+   getseuserbyname()) to SELinux-aware applications. libselinux
+   may use the shared libsepol to manipulate the binary policy
+   if necessary (e.g. to downgrade the policy format to an
+   older version supported by the kernel) when loading policy.
+endef
+
+include $(INCLUDE_DIR)/host-build.mk
+
+# Needed to link libselinux utilities, which link against
+# libselinux.so, which indirectly depends on libpcre.so, installed in
+# $(STAGING_DIR_HOSTPKG).
+HOST_LDFLAGS += -Wl,-rpath="$(STAGING_DIR_HOSTPKG)/lib"
+
+HOST_MAKE_FLAGS += \
+   PREFIX=$(STAGING_DIR_HOSTPKG) \
+   SHLIBDIR=$(STAGING_DIR_HOSTPKG)/lib
+
+$(eval $(call HostBuild))
+
+MAKE_FLAGS += \
+   FTS_LDLIBS=-lfts \
+   SHLIBDIR=/usr/lib
+
+define Build/Compile
+   $(call Build/Compile/Default,all)
+endef
+
+define Build/Install
+   $(call Build/Install/Default,install)
+endef
+
+define Build/InstallDev
+   $(INSTALL_DIR) $(1)/usr/include
+   $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+   $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+   $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libselinux.pc 
$(1)/usr/lib/pkgconfig/
+   $(INSTALL_DIR) $(1)/usr/lib
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/
+endef
+
+define Package/libselinux/install
+   $(INSTALL_DIR) $(1)/usr/lib
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libselinux.so.* $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,libselinux))
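
Review bot: DEPENDS in Package/libselinux selects +@KERNEL_SECURITY, +@KERNEL_SECURITY_NETWORK and +@KERNEL_SECURITY_SELINUX, so picking a userspace library, possibly only as a dependency of another package, silently changes the kernel configuration. Please explain that choice in the commit message (which is empty), or move the kernel selection to a dedicated top-level SELinux option that the library then depends on.
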
-- 
2.23.0




[OpenWrt-Devel] [PATCH packages 02/11] libs/libsepol: new package

2019-11-22 Thread Thomas Petazzoni
Signed-off-by: Thomas Petazzoni 
---
 libs/libsepol/Makefile | 65 ++
 1 file changed, 65 insertions(+)
 create mode 100644 libs/libsepol/Makefile

diff --git a/libs/libsepol/Makefile b/libs/libsepol/Makefile
new file mode 100644
index 0..225f74996
--- /dev/null
+++ b/libs/libsepol/Makefile
@@ -0,0 +1,65 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libsepol
+PKG_VERSION:=2.9
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/20190315
+PKG_HASH:=a34b12b038d121e3e459b1cbaca3c9202e983137819c16baf63658390e3f1d5d
+
+PKG_MAINTAINER:=Thomas Petazzoni 
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/libsepol
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=SELinux binary policy manipulation library
+  URL:=http://selinuxproject.org/page/Main_Page
+endef
+
+define Package/libsepol/description
+   Libsepol is the binary policy manipulation library. It doesn't
+   depend upon or use any of the other SELinux components.
+endef #'
+
+include $(INCLUDE_DIR)/host-build.mk
+
+HOST_MAKE_FLAGS += \
+   PREFIX=$(STAGING_DIR_HOSTPKG) \
+   SHLIBDIR=$(STAGING_DIR_HOSTPKG)/lib
+
+$(eval $(call HostBuild))
+
+MAKE_FLAGS += \
+   SHLIBDIR=/usr/lib
+
+define Build/Compile
+   $(call Build/Compile/Default,all)
+endef
+
+define Build/Install
+   $(call Build/Install/Default,install)
+endef
+
+define Build/InstallDev
+   $(INSTALL_DIR) $(1)/usr/include
+   $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+   $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+   $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libsepol.pc 
$(1)/usr/lib/pkgconfig/
+   $(INSTALL_DIR) $(1)/usr/lib
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/
+endef
+
+define Package/libsepol/install
+   $(INSTALL_DIR) $(1)/usr/lib
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libsepol.so.* $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,libsepol))
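Review bot: the package metadata at the top of the new Makefile sets PKG_MAINTAINER but no PKG_LICENSE or PKG_LICENSE_FILES; please add them. The trailing `#'` after `endef` in Package/libsepol/description looks like an editor syntax-highlighting workaround for the apostrophe in "doesn't"; rewording the description removes the need for it. The commit message is empty apart from the sign-off.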
-- 
2.23.0




[OpenWrt-Devel] [PATCH 1/7] package/utils/busybox: add optional selinux support

2019-11-22 Thread Thomas Petazzoni
Signed-off-by: Thomas Petazzoni 
---
 package/utils/busybox/Makefile | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index c0f3007e5d..bad4598525 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -17,7 +17,7 @@ PKG_SOURCE_URL:=https://www.busybox.net/downloads \
http://sources.buildroot.net
 PKG_HASH:=d0f940a72f648943c1f2211e0e3117387c31d765137d92bd8284a3fb9752a998
 
-PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam
+PKG_BUILD_DEPENDS:=BUSYBOX_CONFIG_PAM:libpam BUSYBOX_CONFIG_SELINUX:libselinux
 PKG_BUILD_PARALLEL:=1
 PKG_CHECK_FORMAT_SECURITY:=0
 
@@ -45,7 +45,7 @@ define Package/busybox
   MAINTAINER:=Felix Fietkau 
   TITLE:=Core utilities for embedded Linux
   URL:=http://busybox.net/
-  DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter
+  DEPENDS:=+BUSYBOX_CONFIG_PAM:libpam +BUSYBOX_CONFIG_NTPD:jsonfilter 
+BUSYBOX_CONFIG_SELINUX:libselinux
   MENU:=1
 endef
 
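Review bot: DEPENDS now makes the base busybox package conditionally depend on libselinux, which according to the cover letter is only provided by the packages feed; with BUSYBOX_CONFIG_SELINUX enabled and that feed not installed, the dependency cannot be resolved. Either libselinux needs to live in the core tree or BUSYBOX_CONFIG_SELINUX should only be selectable when the package is available. The commit message is empty; it should at least say what the option provides (the cover letter mentions -Z support).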
@@ -76,6 +76,9 @@ LDLIBS += $(call BUSYBOX_IF_ENABLED,PAM,pam pam_misc pthread)
 ifeq ($(CONFIG_USE_GLIBC),y)
   LDLIBS += $(call BUSYBOX_IF_ENABLED,NSLOOKUP_OPENWRT,resolv)
 endif
+ifeq ($(CONFIG_BUSYBOX_CONFIG_SELINUX),y)
+  LDLIBS += selinux sepol
+endif
 
 TARGET_CFLAGS += -flto
 TARGET_LDFLAGS += -flto=jobserver -fuse-linker-plugin
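Review bot: the new block adds `sepol` to LDLIBS, but neither DEPENDS nor PKG_BUILD_DEPENDS names libsepol, so the link relies on libselinux pulling it in; please list it explicitly, or drop it if libselinux alone is enough. For consistency with the PAM and NSLOOKUP_OPENWRT lines just above, `LDLIBS += $(call BUSYBOX_IF_ENABLED,SELINUX,selinux sepol)` would avoid the separate ifeq.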
-- 
2.23.0




[OpenWrt-Devel] [PATCH packages 04/11] utils/audit: new package

2019-11-22 Thread Thomas Petazzoni
Signed-off-by: Thomas Petazzoni 
---
 utils/audit/Makefile  | 125 
 utils/audit/files/audit.init  |  16 +++
 ...tue-functions-for-strndupa-rawmemchr.patch | 133 ++
 3 files changed, 274 insertions(+)
 create mode 100644 utils/audit/Makefile
 create mode 100644 utils/audit/files/audit.init
 create mode 100644 
utils/audit/patches/0001-Add-substitue-functions-for-strndupa-rawmemchr.patch

diff --git a/utils/audit/Makefile b/utils/audit/Makefile
new file mode 100644
index 0..16ee560a1
--- /dev/null
+++ b/utils/audit/Makefile
@@ -0,0 +1,125 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=audit
+PKG_VERSION:=2.8.5
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=http://people.redhat.com/sgrubb/audit
+PKG_HASH:=0e5d4103646e00f8d1981e1cd2faea7a2ae28e854c31a803e907a383c5e2ecb7
+
+PKG_MAINTAINER:=Thomas Petazzoni 
+PKG_FIXUP:=autoreconf
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/audit/Default
+  SECTION:=utils
+  TITLE:=Audit Daemon
+  URL:=http://people.redhat.com/sgrubb/audit/
+endef
+
+define Package/audit/Default/description
+   The audit package contains the user space utilities for
+   storing and searching the audit records generated by
+   the audit subsystem in the Linux 2.6 kernel
+endef
+
+define Package/libaudit
+$(call Package/audit/Default)
+  CATEGORY:=Libraries
+  TITLE+= (library)
+  DEPENDS:=+@KERNEL_AUDIT
+endef
+
+define Package/libaudit/description
+$(call Package/audit/Default/description)
+ This package contains the audit shared library.
+endef
+
+define Package/audit
+$(call Package/audit/Default)
+  CATEGORY:=Utilities
+  TITLE+= (daemon)
+  DEPENDS:= +libaudit
+endef
+
+define Package/audit/description
+$(call Package/audit/Default/description)
+ This package contains the audit daemon.
+endef
+
+CONFIGURE_VARS += \
+   LDFLAGS_FOR_BUILD="$(HOST_LDFLAGS)" \
+   CPPFLAGS_FOR_BUILD="$(HOST_CPPFLAGS)" \
+   CFLAGS_FOR_BUILD="$(HOST_CFLAGS)" \
+   CC_FOR_BUILD="$(HOSTCC)"
+
+CONFIGURE_ARGS += \
+   --without-libcap-ng \
+   --disable-systemd \
+   --without-python \
+   --without-python3 \
+   --disable-zos-remote
+
+ifeq ($(ARCH),aarch64)
+CONFIGURE_ARGS += --with-aarch64
+else ifeq ($(ARCH),arm)
+CONFIGURE_ARGS += --with-arm
+endif
+
+# We can't use the default, as the default passes $(MAKE_ARGS), which
+# overrides CC, CFLAGS, etc. and defeats the *_FOR_BUILD definitions
+# passed in CONFIGURE_VARS
+define Build/Compile
+   $(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)/$(MAKE_PATH)
+endef
+
+define Build/Install
+   $(call Build/Install/Default,install)
+   $(SED) 's%^dispatcher *=.*%dispatcher = /usr/sbin/audispd%' 
$(PKG_INSTALL_DIR)/etc/audit/auditd.conf
+endef
+
+define Build/InstallDev
+   $(INSTALL_DIR) $(1)/usr/include
+   $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+   $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+   $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/*.pc 
$(1)/usr/lib/pkgconfig/
+   $(INSTALL_DIR) $(1)/usr/lib
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/
+endef
+
+define Package/libaudit/install
+   $(INSTALL_DIR) $(1)/usr/lib
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/*.so.* $(1)/usr/lib/
+   $(INSTALL_DIR) $(1)/etc
+   $(CP) $(PKG_INSTALL_DIR)/etc/libaudit.conf $(1)/etc/
+endef
+
+define Package/audit/install
+   $(INSTALL_DIR) $(1)/usr/bin
+   $(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/
+   $(INSTALL_DIR) $(1)/usr/sbin
+   $(CP) $(PKG_INSTALL_DIR)/usr/sbin/* $(1)/usr/sbin/
+   $(INSTALL_DIR) $(1)/etc/audit
+   $(CP) $(PKG_INSTALL_DIR)/etc/audit/* $(1)/etc/audit/
+   $(INSTALL_DIR) $(1)/etc/init.d
+   $(INSTALL_BIN) ./files/audit.init $(1)/etc/init.d/audit
+endef
+
+include $(INCLUDE_DIR)/host-build.mk
+
+HOST_CONFIGURE_ARGS += \
+--without-python \
+--without-python3 \
+--disable-zos-remote \
+--without-libcap-ng
+
+$(eval $(call HostBuild))
+$(eval $(call BuildPackage,libaudit))
+$(eval $(call BuildPackage,audit))
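Review bot: Package/audit/install copies everything under /etc/audit with $(CP), and the Makefile defines no Package/audit/conffiles (nor one for /etc/libaudit.conf in libaudit), so local edits to auditd.conf and the rules are not registered as configuration to preserve across upgrades. Please add conffiles blocks and install the configuration with $(INSTALL_CONF) so its mode is explicit; audit configuration should not end up group- or world-writable. Separately, the description still says "Linux 2.6 kernel", and the ARCH conditional only handles aarch64 and arm, which deserves a comment on what other targets get.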
diff --git a/utils/audit/files/audit.init b/utils/audit/files/audit.init
new file mode 100644
index 0..4a9f53884
--- /dev/null
+++ b/utils/audit/files/audit.init
@@ -0,0 +1,16 @@
+#!/bin/sh /etc/rc.common
+# Copyright (c) 2014 OpenWrt.org
+
+START=11
+
+USE_PROCD=1
+PROG=/usr/sbin/auditd
+
+start_service() {
+   mkdir -p /var/log/audit
+   procd_open_instance
+   procd_set_param command "$PROG" -n
+   procd_set_param respawn
+   procd_close_instance
+   test -f /etc/audit/rules.d/audit.rules && /usr/sbin/auditctl -R 
/etc/audit/rules.d/audit.rules
+}
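Review bot: start_service creates /var/log/audit with a bare `mkdir -p`, so the directory mode depends on the umask in effect; audit logs are sensitive and the directory should be created with an explicit restrictive mode, for example `mkdir -m 0700 -p /var/log/audit`. Also, `test -f ... && auditctl -R ...` is the last command in the function, so start_service returns non-zero whenever the rules file is absent; an `if` block avoids that.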
diff --git 
a/utils/audit/patches/0001-Add-substitue-functions-for-strndupa-rawmemchr.patch 
b/uti

[OpenWrt-Devel] [PATCH 6/7] config/Config-kernel.in: add various options needed for SELinux

2019-11-22 Thread Thomas Petazzoni
This commit adds a small number of options to config/Config-kernel.in
so that packages related to SELinux support can enable the appropriate
Linux kernel support.

Signed-off-by: Thomas Petazzoni 
---
 config/Config-kernel.in | 12 
 1 file changed, 12 insertions(+)

diff --git a/config/Config-kernel.in b/config/Config-kernel.in
index 7f8c63f25d..2aa059e56b 100644
--- a/config/Config-kernel.in
+++ b/config/Config-kernel.in
@@ -863,3 +863,15 @@ config KERNEL_CC_OPTIMIZE_FOR_SIZE
  your compiler resulting in a smaller kernel.
 
 endchoice
+
+config KERNEL_AUDIT
+   bool "Auditing support"
+
+config KERNEL_SECURITY
+   bool "Enable different security models"
+
+config KERNEL_SECURITY_NETWORK
+   bool "Socket and Networking Security Hooks"
+
+config KERNEL_SECURITY_SELINUX
+   bool "NSA SELinux Support"
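Review bot: the four new symbols are bare bools with no help text and no relationship to each other, so KERNEL_SECURITY_SELINUX can be enabled without KERNEL_SECURITY, KERNEL_SECURITY_NETWORK or KERNEL_AUDIT, which the kernel's own SECURITY_SELINUX option depends on. Please make KERNEL_SECURITY_SELINUX `select` (or `depends on`) the other three, and add a short `help` to each entry.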
-- 
2.23.0




[OpenWrt-Devel] [PATCH 3/7] tools/fakeroot: new tool

2019-11-22 Thread Thomas Petazzoni
SELinux support requires setting the appropriate SELinux security
context to files and directories, which needs to happen at build time
in order to support read-only root filesystem scenarios. In order to
create these security contexts, we will have to run some
SELinux-specific tool on the host machine, but that requires root
access. So this tool adds support for fakeroot, which will be used to
run the SELinux security context creation and the image creation.

Signed-off-by: Thomas Petazzoni 
---
 tools/Makefile  |  2 +-
 tools/fakeroot/Makefile | 20 
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 tools/fakeroot/Makefile

diff --git a/tools/Makefile b/tools/Makefile
index 2f57d25525..fd67a880de 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -26,7 +26,7 @@ tools-y += m4 libtool autoconf automake flex bison pkg-config 
mklibs zlib
 tools-y += sstrip make-ext4fs e2fsprogs mtd-utils mkimage
 tools-y += firmware-utils patch-image quilt padjffs2
 tools-y += mm-macros missing-macros cmake bc findutils gengetopt patchelf
-tools-y += mtools dosfstools libressl
+tools-y += mtools dosfstools libressl fakeroot
 tools-$(CONFIG_TARGET_orion_generic) += wrt350nv2-builder upslug2
 tools-$(CONFIG_TARGET_x86) += qemu
 tools-$(CONFIG_TARGET_mxs) += elftosb sdimage
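Review bot: `fakeroot` is appended to the unconditional tools-y list, so every build now downloads and compiles it even though the commit message ties it to SELinux image generation only. Consider a `tools-$(CONFIG_...) += fakeroot` line keyed on the option that enables the SELinux image step, as is done for the target-specific tools in the lines just below.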
diff --git a/tools/fakeroot/Makefile b/tools/fakeroot/Makefile
new file mode 100644
index 00..04d9a0dd60
--- /dev/null
+++ b/tools/fakeroot/Makefile
@@ -0,0 +1,20 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fakeroot
+PKG_VERSION:=1.20.2
+
+PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).orig.tar.bz2
+PKG_SOURCE_URL:=http://snapshot.debian.org/archive/debian/20141005T221953Z/pool/main/f/fakeroot
+PKG_HASH:=7c0a164d19db3efa9e802e0fc7cdfeff70ec6d26cdbdc4338c9c2823c5ea230c
+
+include $(INCLUDE_DIR)/host-build.mk
+
+HOST_CONFIGURE_VARS += \
+   ac_cv_header_sys_capability_h=no \
+   ac_cv_func_capset=no
+
+$(eval $(call HostBuild))
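Review bot: the two autoconf cache overrides in HOST_CONFIGURE_VARS (`ac_cv_header_sys_capability_h=no`, `ac_cv_func_capset=no`) have no comment explaining why capability support is forced off on the host; please document the reason next to them. PKG_SOURCE_URL also uses plain http; PKG_HASH pins the content, but an https source would be preferable if one is available.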
-- 
2.23.0




[OpenWrt-Devel] [PATCH 5/7] config/Config-kernel.in: add option to enable squashfs xattr support

2019-11-22 Thread Thomas Petazzoni
Extended attribute support is needed to run a SELinux-enabled system,
as SELinux security contexts are stored as extended attributes.

Signed-off-by: Thomas Petazzoni 
---
 config/Config-kernel.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/Config-kernel.in b/config/Config-kernel.in
index bdb6b91cbb..7f8c63f25d 100644
--- a/config/Config-kernel.in
+++ b/config/Config-kernel.in
@@ -839,6 +839,9 @@ config KERNEL_SQUASHFS_FRAGMENT_CACHE_SIZE
default 2 if (SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
default 3
 
+config KERNEL_SQUASHFS_XATTR
+   bool "Squashfs XATTR support"
+
 #
 # compile optimiziation setting
 #
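Review bot: KERNEL_SQUASHFS_XATTR is added with no `help` text and nothing ties it to SELinux, so an SELinux-enabled image can be configured with a kernel that cannot read the security contexts the commit message says are stored as extended attributes. Please add help text and have the SELinux configuration select this option, or give it a matching `default`.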
-- 
2.23.0




[OpenWrt-Devel] [PATCH packages 00/11] SELinux support: packages feed changes

2019-11-22 Thread Thomas Petazzoni
Hello,

This patch series is one part of the changes needed to bring minimal
SELinux support to OpenWrt. SELinux is a mandatory access control
Linux security module, which I assume most if not all OpenWrt users
are already familiar with. The work presented in these patch series
presents a minimal integration, in the sense that it allows to:

 (1) Build all the important SELinux components, both on the build
 system (for example to compile a SELinux policy) and on the
 target system (libselinux, policy management tools, etc.)

 (2) Set the SELinux security contexts on the files in the filesystem
 image generated by OpenWrt.

 (3) Compile the SELinux policy on the build machine, and integrate
 the compiled SELinux policy in the target filesystem.

 (4) Load at boot time the SELinux policy and enable it.

The provided SELinux policy is the default SELinux policy from the
upstream project: it has not been tuned specifically for OpenWrt.

There are two patch series for this work:

 - One for OpenWrt itself

 - One for the OpenWrt packages feed (this patch series)

OpenWrt changes
===============

This patch series brings the following changes:

 - Allow to build Busybox with SELinux support, mainly to get -Z
   option support in several commands. This requires linking against
   libselinux, which is provided in the packages feeds as part of the
   second patch series.

 - Addition of minimal SELinux support in procd, to load the SELinux
   policy at boot time. The patch has been submitted separately to
   procd, and is being discussed.

 - Addition of the fakeroot tool, which we need when generating the
   filesystem image to run the SELinux command "setfiles" that sets
   the appropriate security context for the files in the
   filesystem. It obviously requires root access, which is why it is
   executed under fakeroot.

 - Addition of support for generating a SquashFS image with the
   SELinux security contexts defined. It could be extended to other
   filesystem formats of course.

 - Add some logic to be able to enable SquashFS extended attribute
   support in the kernel configuration, as well as SELinux support.

 - Enable extended attribute support in mksquashfs.

OpenWrt packages feed changes
=============================

This patch series brings new packages for the different user-space
components of SELinux and their dependencies:

 - libsepol
 - libselinux, including its Python bindings
 - audit
 - libcap-ng
 - libsemanage
 - policycoreutils
 - checkpolicy
 - refpolicy
 - selinux-python

These are pretty regular packages.

I'm looking forward to the feedback of the OpenWrt community on this
proposal.

Best regards,

Thomas Petazzoni



Thomas Petazzoni (11):
  libs/pcre: add host variant of libpcre
  libs/libsepol: new package
  libs/libselinux: new package
  utils/audit: new package
  libs/libcap-ng: new package
  libs/libsemanage: new package
  utils/policycoreutils: new package
  utils/checkpolicy: new package
  admin/refpolicy: new package
  libs/libselinux: add support for building the Python bindings
  utils/selinux-python: new package

 admin/refpolicy/Makefile  |  78 +
 admin/refpolicy/files/selinux-config  |   7 +
 libs/libcap-ng/Makefile   |  53 ++
 libs/libselinux/Makefile  | 104 
 libs/libsemanage/Makefile |  70 
 libs/libsepol/Makefile|  65 
 libs/pcre/Makefile|  11 ++
 utils/audit/Makefile  | 125 ++
 utils/audit/files/audit.init  |  16 ++
 ...tue-functions-for-strndupa-rawmemchr.patch | 133 +++
 utils/checkpolicy/Makefile|  42 +
 utils/policycoreutils/Makefile|  60 +++
 utils/selinux-python/Makefile | 155 ++
 .../0001-sepolgen-adjust-data_dir.patch   |  26 +++
 ...hardcode-search-for-ausearch-in-sbin.patch |  38 +
 .../0003-Don-t-force-using-python3.patch  |  67 
 16 files changed, 1050 insertions(+)
 create mode 100644 admin/refpolicy/Makefile
 create mode 100644 admin/refpolicy/files/selinux-config
 create mode 100644 libs/libcap-ng/Makefile
 create mode 100644 libs/libselinux/Makefile
 create mode 100644 libs/libsemanage/Makefile
 create mode 100644 libs/libsepol/Makefile
 create mode 100644 utils/audit/Makefile
 create mode 100644 utils/audit/files/audit.init
 create mode 100644 
utils/audit/patches/0001-Add-substitue-functions-for-strndupa-rawmemchr.patch
 create mode 100644 utils/checkpolicy/Makefile
 create mode 100644 utils/policycoreutils/Makefile
 create mode 100644 utils/selinux-python/Makefile
 create mode 100644 
utils/selinux-python/patches/0001-sepolgen-adjust-data_dir.patch
 create mode 100644 
utils/selinux-python/patches/0002-sepolgen-don-t-hardcode-search-for-ausearch-in-sbin.patch
 create mode 100644 
uti

[OpenWrt-Devel] [PATCH 2/7] package/system/procd: add SELinux support

2019-11-22 Thread Thomas Petazzoni
This commit adds a patch to procd to support loading the SELinux
policy early at boot time, and adjusts the procd package to use this
SELinux support when libselinux is enabled.

The procd patch has been submitted separately [1]: obviously the
intent is to have it merged in the procd Git repository rather than
have it in OpenWrt itself.

[1] http://lists.infradead.org/pipermail/openwrt-devel/2019-November/020070.html

Signed-off-by: Thomas Petazzoni 
---
 package/system/procd/Makefile |   5 +-
 ...inimal-SELinux-policy-loading-suppor.patch | 110 ++
 2 files changed, 113 insertions(+), 2 deletions(-)
 create mode 100644 
package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch

diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile
index c4b86ba746..53d9e1120f 100644
--- a/package/system/procd/Makefile
+++ b/package/system/procd/Makefile
@@ -43,7 +43,7 @@ TARGET_LDFLAGS += -flto
 define Package/procd
   SECTION:=base
   CATEGORY:=Base system
-  DEPENDS:=+ubusd +ubus +libjson-script +ubox +USE_GLIBC:librt +libubox 
+libubus +libblobmsg-json +libjson-c
+  DEPENDS:=+ubusd +ubus +libjson-script +ubox +USE_GLIBC:librt +libubox 
+libubus +libblobmsg-json +libjson-c +PACKAGE_libselinux:libselinux
   TITLE:=OpenWrt system process manager
   USERID:=:dialout=20 :audio=29
 endef
@@ -92,7 +92,8 @@ ifdef CONFIG_PACKAGE_procd-ujail
 endif
 
 SECCOMP=$(if $(CONFIG_PACKAGE_procd-seccomp),1,0)
-CMAKE_OPTIONS += -DSECCOMP_SUPPORT=$(SECCOMP) -DUTRACE_SUPPORT=$(SECCOMP)
+SELINUX=$(if $(CONFIG_PACKAGE_libselinux),1,0)
+CMAKE_OPTIONS += -DSECCOMP_SUPPORT=$(SECCOMP) -DUTRACE_SUPPORT=$(SECCOMP) 
-DSELINUX=$(SELINUX)
 
 define Package/procd/install
$(INSTALL_DIR) $(1)/sbin $(1)/etc $(1)/lib/functions
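Review bot: SELINUX is derived with `$(if $(CONFIG_PACKAGE_libselinux),1,0)`, which is also true when libselinux is selected as a module (=m). What happens in that case: is init built with -DSELINUX=1 and linked against a library that is not installed in the image? Testing for `y` explicitly, or introducing a dedicated procd option instead of keying off the presence of libselinux, would make policy loading at boot an explicit choice rather than a side effect of another package being selected.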
diff --git 
a/package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch
 
b/package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch
new file mode 100644
index 00..cfab059b40
--- /dev/null
+++ 
b/package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch
@@ -0,0 +1,110 @@
+From fe74ad8b11977d0ced5c44f5e389c50ee70bc008 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni 
+Date: Thu, 23 May 2019 13:57:30 +0200
+Subject: [PATCH] initd/init: add minimal SELinux policy loading support
+
+In order to support SELinux in OpenWRT, this commit introduces minimal
+support for loading the SELinux policy in the init code. The logic is
+very much inspired from what Busybox is doing: call
+selinux_init_load_policy() from libselinux, and then re-execute init
+so that it runs with the SELinux policy in place and enforced.
+
+Signed-off-by: Thomas Petazzoni 
+---
+ CMakeLists.txt |  9 -
+ initd/init.c   | 38 ++
+ 2 files changed, 46 insertions(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 4b3eebd..865e43c 100644
+--- a/CMakeLists.txt
 b/CMakeLists.txt
+@@ -40,6 +40,12 @@ IF(ZRAM_TMPFS)
+   SET(SOURCES_ZRAM initd/zram.c)
+ ENDIF()
+ 
++IF(SELINUX)
++  include(FindPkgConfig)
++  pkg_search_module(SELINUX REQUIRED libselinux)
++  add_compile_definitions(WITH_SELINUX)
++ENDIF()
++
+ add_subdirectory(upgraded)
+ 
+ ADD_EXECUTABLE(procd ${SOURCES})
+@@ -56,7 +62,8 @@ ADD_DEFINITIONS(-DDISABLE_INIT)
+ ELSE()
+ ADD_EXECUTABLE(init initd/init.c initd/early.c initd/preinit.c initd/mkdev.c 
sysupgrade.c watchdog.c
+   utils/utils.c ${SOURCES_ZRAM})
+-TARGET_LINK_LIBRARIES(init ${LIBS})
++TARGET_INCLUDE_DIRECTORIES(init PUBLIC ${SELINUX_INCLUDE_DIRS})
++TARGET_LINK_LIBRARIES(init ${LIBS} ${SELINUX_LIBRARIES})
+ INSTALL(TARGETS init
+   RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR}
+ )
+diff --git a/initd/init.c b/initd/init.c
+index 29eee50..561970c 100644
+--- a/initd/init.c
 b/initd/init.c
+@@ -29,6 +29,10 @@
+ #include 
+ #include 
+ 
++#if defined(WITH_SELINUX)
++#include 
++#endif
++
+ #include "../utils/utils.h"
+ #include "init.h"
+ #include "../watchdog.h"
+@@ -67,6 +71,38 @@ cmdline(void)
+   }
+ }
+ 
++#if defined(WITH_SELINUX)
++static int
++selinux(char **argv)
++{
++  int enforce = 0;
++  int ret;
++
++  /* SELinux already initialized */
++  if (getenv("SELINUX_INIT"))
++  return 0;
++
++  putenv("SELINUX_INIT=1");
++
++  ret = selinux_init_load_policy();
++  if (ret == 0)
++  execv(argv[0], argv);
++
++  if (enforce > 0) {
++  fprintf(stderr, "Cannot load SELinux policy, but system in 
enforcing mode. Halting.\n");
++  return 1;
++  }
++
++  return 0;
++}
++#else
++static int
++selinux(char **argv)
++{
++  return 0;
++}
++#endif
++
+ int
+ main(int argc, char **argv)
+ {
+@@ -79,6 +115,8 @@ main(int argc, char **argv)
+   sigaction(SIGUSR2, _shutdown, NULL);
+   sigaction(SIGPWR, _shutdow
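Review bot: in selinux() in the embedded initd/init.c change, as the lines read here `enforce` is initialised to 0 and never written, so the `if (enforce > 0)` halt cannot trigger and a failed policy load always ends in `return 0`, continuing the boot without a policy. libselinux's prototype is `int selinux_init_load_policy(int *enforce)`; please make sure the call passes `&enforce`. The execv() result is unchecked as well: if the re-exec fails after a successful load, the function carries on as if nothing happened. Finally, the "already initialized" guard trusts the SELINUX_INIT environment variable, and the kernel hands unrecognised name=value boot parameters to init as environment variables, so that variable can be preset from the kernel command line and policy loading is then skipped; a check of the actual SELinux state would be more robust than an environment flag.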

[OpenWrt-Devel] [PATCH 7/7] tools/squashfs4: enable xattr support

2019-11-22 Thread Thomas Petazzoni
xattr support in mksquashfs is needed to be able to store SELinux
security contexts.

Signed-off-by: Thomas Petazzoni 
---
 tools/squashfskit4/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/squashfskit4/Makefile b/tools/squashfskit4/Makefile
index 4808c5607f..a54d86be4d 100644
--- a/tools/squashfskit4/Makefile
+++ b/tools/squashfskit4/Makefile
@@ -22,7 +22,7 @@ define Host/Compile
$(MAKE) -C $(HOST_BUILD_DIR)/squashfs-tools \
XZ_SUPPORT=1 \
LZMA_XZ_SUPPORT=1 \
-   XATTR_SUPPORT= \
+   XATTR_SUPPORT=1 \
LZMA_LIB="$(STAGING_DIR_HOST)/lib/liblzma.a" \
EXTRA_CFLAGS="-I$(STAGING_DIR_HOST)/include" \
mksquashfs unsquashfs
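Review bot: XATTR_SUPPORT=1 is switched on for every build of mksquashfs, not only SELinux ones, and the mksquashfs4 invocation in include/image.mk passes neither -xattrs nor -no-xattrs. Please state in the commit message whether non-SELinux images now pick up whatever extended attributes exist in the staged root directory, and pass the option explicitly so the result does not depend on the tool's default. The subject says tools/squashfs4 while the file changed is tools/squashfskit4/Makefile.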
-- 
2.23.0




[OpenWrt-Devel] [PATCH 4/7] include/image.mk: implement SELinux squashfs image generation

2019-11-22 Thread Thomas Petazzoni
Signed-off-by: Thomas Petazzoni 
---
 include/image.mk | 15 ++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/include/image.mk b/include/image.mk
index 8592c19b99..86b3edeb87 100644
--- a/include/image.mk
+++ b/include/image.mk
@@ -239,13 +239,26 @@ endef
 $(eval $(foreach S,$(JFFS2_BLOCKSIZE),$(call Image/mkfs/jffs2/template,$(S
 $(eval $(foreach S,$(NAND_BLOCKSIZE),$(call 
Image/mkfs/jffs2-nand/template,$(S
 
-define Image/mkfs/squashfs
+define Image/mkfs/squashfs-common
$(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \
-nopad -noappend -root-owned \
-comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \
-processors 1
 endef
 
+ifeq ($(CONFIG_PACKAGE_refpolicy),y)
+define Image/mkfs/squashfs
+   echo "LD_LIBRARY_PATH=\$$LD_LIBRARY_PATH:$(STAGING_DIR_HOSTPKG)/lib 
$(STAGING_DIR_HOSTPKG)/sbin/setfiles -r $(call mkfs_target_dir,$(1)) $(call 
mkfs_target_dir,$(1))/etc/selinux/targeted/contexts/files/file_contexts $(call 
mkfs_target_dir,$(1))" > $@.fakeroot-script
+   echo "$(Image/mkfs/squashfs-common)" >> $@.fakeroot-script
+   chmod +x $@.fakeroot-script
+   $(STAGING_DIR_HOST)/bin/fakeroot $@.fakeroot-script
+endef
+else
+define Image/mkfs/squashfs
+   $(call Image/mkfs/squashfs-common,$(1))
+endef
+endif
+
 # $(1): board name
 # $(2): rootfs type
 # $(3): kernel image
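Review bot: the generated $@.fakeroot-script runs setfiles and then mksquashfs4 as two plain lines with no `set -e` and no `#!` line, so if setfiles fails the script still builds the image and exits with the status of mksquashfs4; the build succeeds with a root filesystem whose SELinux labels are missing or partial. Please start the script with `#!/bin/sh` and `set -e`, or chain the two commands with `&&`. The path etc/selinux/targeted/... hard-codes the policy name, and the directory paths are written unquoted into the script. The commit message is empty; the reason for the fakeroot wrapper belongs in it.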
-- 
2.23.0




[OpenWrt-Devel] [PATCH 0/7] SELinux support: core OpenWrt changes

2019-11-22 Thread Thomas Petazzoni
Hello,

This patch series is one part of the changes needed to bring minimal
SELinux support to OpenWrt. SELinux is a mandatory access control
Linux security module, which I assume most if not all OpenWrt users
are already familiar with. The work presented in these patch series
presents a minimal integration, in the sense that it allows to:

 (1) Build all the important SELinux components, both on the build
 system (for example to compile a SELinux policy) and on the
 target system (libselinux, policy management tools, etc.)

 (2) Set the SELinux security contexts on the files in the filesystem
 image generated by OpenWrt.

 (3) Compile the SELinux policy on the build machine, and integrate
 the compiled SELinux policy in the target filesystem.

 (4) Load at boot time the SELinux policy and enable it.

The provided SELinux policy is the default SELinux policy from the
upstream project: it has not been tuned specifically for OpenWrt.

There are two patch series for this work:

 - One for OpenWrt itself (this patch series)

 - One for the OpenWrt packages feed

OpenWrt changes
===============

This patch series brings the following changes:

 - Allow to build Busybox with SELinux support, mainly to get -Z
   option support in several commands. This requires linking against
   libselinux, which is provided in the packages feeds as part of the
   second patch series.

 - Addition of minimal SELinux support in procd, to load the SELinux
   policy at boot time. The patch has been submitted separately to
   procd, and is being discussed.

 - Addition of the fakeroot tool, which we need when generating the
   filesystem image to run the SELinux command "setfiles" that sets
   the appropriate security context for the files in the
   filesystem. It obviously requires root access, which is why it is
   executed under fakeroot.

 - Addition of support for generating a SquashFS image with the
   SELinux security contexts defined. It could be extended to other
   filesystem formats of course.

 - Add some logic to be able to enable SquashFS extended attribute
   support in the kernel configuration, as well as SELinux support.

 - Enable extended attribute support in mksquashfs.

OpenWrt packages feed changes
=============================

This patch series brings new packages for the different user-space
components of SELinux and their dependencies:

 - libsepol
 - libselinux, including its Python bindings
 - audit
 - libcap-ng
 - libsemanage
 - policycoreutils
 - checkpolicy
 - refpolicy
 - selinux-python

These are pretty regular packages.

I'm looking forward to the feedback of the OpenWrt community on this
proposal.

Best regards,

Thomas Petazzoni

Thomas Petazzoni (7):
  package/utils/busybox: add optional selinux support
  package/system/procd: add SELinux support
  tools/fakeroot: new tool
  include/image.mk: implement SELinux squashfs image generation
  config/Config-kernel.in: add option to enable squashfs xattr support
  config/Config-kernel.in: add various options needed for SELinux
  tools/squashfs4: enable xattr support

 config/Config-kernel.in   |  15 +++
 include/image.mk  |  15 ++-
 package/system/procd/Makefile |   5 +-
 ...inimal-SELinux-policy-loading-suppor.patch | 110 ++
 package/utils/busybox/Makefile|   7 +-
 tools/Makefile|   2 +-
 tools/fakeroot/Makefile   |  20 
 tools/squashfskit4/Makefile   |   2 +-
 8 files changed, 169 insertions(+), 7 deletions(-)
 create mode 100644 
package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch
 create mode 100644 tools/fakeroot/Makefile

-- 
2.23.0




[OpenWrt-Devel] [PATCH v2 05/12] tools/cryptsetup: new package

2019-11-21 Thread Thomas Petazzoni
cryptsetup for the host will be needed to create the hash tree of a
dm-verity volume.

Signed-off-by: Thomas Petazzoni 
---
 tools/Makefile|  1 +
 tools/cryptsetup/Makefile | 28 +++
 .../patches/0001-dont-use-c89.patch   | 11 
 3 files changed, 40 insertions(+)
 create mode 100644 tools/cryptsetup/Makefile
 create mode 100644 tools/cryptsetup/patches/0001-dont-use-c89.patch

diff --git a/tools/Makefile b/tools/Makefile
index 26e2d19fee..cf91f04100 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -79,6 +79,7 @@ $(curdir)/lzma-old/compile := $(curdir)/zlib/compile
 $(curdir)/make-ext4fs/compile := $(curdir)/zlib/compile
 $(curdir)/cbootimage/compile += $(curdir)/automake/compile
 $(curdir)/lvm2/compile := $(curdir)/pkg-config/compile $(curdir)/libaio/compile
+$(curdir)/cryptsetup/compile := $(curdir)/pkg-config/compile 
$(curdir)/libressl/compile $(curdir)/lvm2/compile $(curdir)/popt/compile 
$(curdir)/libjson-c/compile
 
 ifneq ($(HOST_OS),Linux)
   $(curdir)/squashfskit4/compile += $(curdir)/coreutils/compile
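Review bot: this hunk only adds the compile-ordering line for cryptsetup, and the diffstat shows a single insertion in tools/Makefile, so nothing in this patch adds cryptsetup to a tools-y list; applied on its own, the new tool is never built. Please add the `tools-$(CONFIG_...) += cryptsetup` line, conditional on the dm-verity image option, in the same patch. The ordering line also names the lvm2, popt and libjson-c host tools, which need to exist earlier in the series.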
diff --git a/tools/cryptsetup/Makefile b/tools/cryptsetup/Makefile
new file mode 100644
index 00..3e500b81ea
--- /dev/null
+++ b/tools/cryptsetup/Makefile
@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2010-2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=cryptsetup
+PKG_VERSION_MAJOR:=2.0
+PKG_VERSION:=$(PKG_VERSION_MAJOR).6
+PKG_HASH:=7c51fae0f0e7ea9af0f515b2ac77009fb2969a6619ebab47d097dca38b083d30
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=@KERNEL/linux/utils/cryptsetup/v$(PKG_VERSION_MAJOR)/
+
+HOST_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/host-build.mk
+
+HOST_CONFIGURE_ARGS += \
+   --with-crypto-backend=openssl \
+   --disable-kernel_crypto \
+   --disable-blkid
+
+$(eval $(call HostBuild))
diff --git a/tools/cryptsetup/patches/0001-dont-use-c89.patch 
b/tools/cryptsetup/patches/0001-dont-use-c89.patch
new file mode 100644
index 00..84ee9c0ec2
--- /dev/null
+++ b/tools/cryptsetup/patches/0001-dont-use-c89.patch
@@ -0,0 +1,11 @@
+--- a/Makefile.in
 b/Makefile.in
+@@ -901,7 +901,7 @@ tmpfilesd_DATA = $(am__append_5)
+ @PYTHON_CRYPTSETUP_TRUE@pycryptsetup_la_CPPFLAGS = $(AM_CPPFLAGS) 
$(PYTHON_CPPFLAGS) $(PYTHON_INCLUDES) -fno-strict-aliasing
+ @PYTHON_CRYPTSETUP_TRUE@pycryptsetup_la_LDFLAGS = -avoid-version -module 
-shared -export-dynamic
+ @PYTHON_CRYPTSETUP_TRUE@pycryptsetup_la_LIBADD = libcryptsetup.la 
$(PYTHON_LIBS)
+-@CRYPTO_INTERNAL_ARGON2_TRUE@libargon2_la_CFLAGS = $(AM_CFLAGS) -std=c89 
-pthread -O3
++@CRYPTO_INTERNAL_ARGON2_TRUE@libargon2_la_CFLAGS = $(AM_CFLAGS) -pthread -O3
+ @CRYPTO_INTERNAL_ARGON2_TRUE@libargon2_la_CPPFLAGS = $(AM_CPPFLAGS) \
+ @CRYPTO_INTERNAL_ARGON2_TRUE@ -I lib/crypto_backend/argon2 \
+ @CRYPTO_INTERNAL_ARGON2_TRUE@ -I lib/crypto_backend/argon2/blake2
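Review bot: 0001-dont-use-c89.patch edits the generated Makefile.in rather than Makefile.am and carries no header explaining why `-std=c89` has to be dropped from libargon2_la_CFLAGS; please add a short description to the patch file saying which host compiler or header fails with it. Since the cryptsetup Makefile above does not request an autoreconf, patching Makefile.in does take effect, but the patch will need regenerating on every version bump.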
-- 
2.23.0




[OpenWrt-Devel] [PATCH v2 09/12] include/image.mk: add support for building a dm-verity enabled squashfs image

2019-11-21 Thread Thomas Petazzoni
This commit adds a new TARGET_ROOTFS_SQUASHFS_HASHED option that asks
OpenWRT to generate a squashfs image suitable for usage with
dm-verity. The squashfs image is produced, and then passed through
"cryptsetup format" which appends the hash tree to the image.

The output of "cryptsetup format" is passed to a custom script that
parses that output and generates a U-Boot script that defines U-Boot
variables describing the different aspects of the dm-verity
volume. Such values are necessary to be able to build the kernel
command line to mount the dm-verity volume as the root filesystem.

We provide a common Image/mkfs/squashfs-common macro, which gets used
by both the normal SquashFS filesystem generation and the
verity-hashed SquashFS filesystem generation. There is one difference
between the two: the normal SquashFS filesystem is generated with
-nopad, but the one generated for dm-verity is generated without
-nopad, as it needs to be properly aligned to a block size.

Signed-off-by: Thomas Petazzoni 
---
 config/Config-images.in   |  8 +
 include/image.mk  | 17 --
 scripts/prepare-dm-verity-uboot-script.sh | 41 +++
 tools/Makefile|  1 +
 4 files changed, 64 insertions(+), 3 deletions(-)
 create mode 100755 scripts/prepare-dm-verity-uboot-script.sh

diff --git a/config/Config-images.in b/config/Config-images.in
index 4ee0273f63..37e7ad6cff 100644
--- a/config/Config-images.in
+++ b/config/Config-images.in
@@ -153,6 +153,14 @@ menu "Target Images"
default 1024 if (SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
default 256
 
+   config TARGET_ROOTFS_SQUASHFS_HASHED
+   bool "hash with veritysetup"
+   select KERNEL_MD
+   select KERNEL_BLK_DEV_DM
+   select KERNEL_DM_VERITY
+   select KERNEL_DM_INIT
+   depends on TARGET_ROOTFS_SQUASHFS
+
menuconfig TARGET_ROOTFS_UBIFS
bool "ubifs"
default y if USES_UBIFS
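
Review bot: TARGET_ROOTFS_SQUASHFS_HASHED has no help text, and the prompt "hash with veritysetup" does not tell the user what selecting it produces. Add a help block stating that a second squashfs image with an appended dm-verity hash tree and a U-Boot script are generated, that the four selected kernel options are pulled in, and that the root hash has to reach the kernel from a trusted source for the option to give any protection.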
diff --git a/include/image.mk b/include/image.mk
index 8592c19b99..e4e4dc456d 100644
--- a/include/image.mk
+++ b/include/image.mk
@@ -90,6 +90,7 @@ endif
 JFFS2_BLOCKSIZE ?= 64k 128k
 
 fs-types-$(CONFIG_TARGET_ROOTFS_SQUASHFS) += squashfs
+fs-types-$(CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED) += squashfs-hashed
 fs-types-$(CONFIG_TARGET_ROOTFS_JFFS2) += $(addprefix 
jffs2-,$(JFFS2_BLOCKSIZE))
 fs-types-$(CONFIG_TARGET_ROOTFS_JFFS2_NAND) += $(addprefix 
jffs2-nand-,$(NAND_BLOCKSIZE))
 fs-types-$(CONFIG_TARGET_ROOTFS_EXT4FS) += ext4
@@ -239,11 +240,21 @@ endef
 $(eval $(foreach S,$(JFFS2_BLOCKSIZE),$(call Image/mkfs/jffs2/template,$(S
 $(eval $(foreach S,$(NAND_BLOCKSIZE),$(call 
Image/mkfs/jffs2-nand/template,$(S
 
-define Image/mkfs/squashfs
+define Image/mkfs/squashfs-common
$(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \
-   -nopad -noappend -root-owned \
+   -noappend -root-owned \
-comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \
-   -processors 1
+   -processors 1 $(2)
+endef
+
+define Image/mkfs/squashfs
+   $(call Image/mkfs/squashfs-common,$(1),-nopad)
+endef
+
+define Image/mkfs/squashfs-hashed
+   $(call Image/mkfs/squashfs-common,$(1))
+   $(STAGING_DIR_HOST)/bin/veritysetup format --hash-offset=`stat -c "%s" 
$@` $@ $@ \
+   | $(TOPDIR)/scripts/prepare-dm-verity-uboot-script.sh > 
$@-dm-verity-uboot-script.txt
 endef
 
 # $(1): board name
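
Review bot: in Image/mkfs/squashfs-hashed the exit status of `veritysetup format` is lost because it sits on the left side of a pipe, so a failed format still leaves a `$@-dm-verity-uboot-script.txt` built from empty input. Write the veritysetup output to a temporary file and run the script on it in a second recipe line, so the build stops on error. `stat -c "%s"` is also GNU-specific, which matters because tools/Makefile carries a non-Linux HOST_OS branch.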
diff --git a/scripts/prepare-dm-verity-uboot-script.sh 
b/scripts/prepare-dm-verity-uboot-script.sh
new file mode 100755
index 00..846e52b989
--- /dev/null
+++ b/scripts/prepare-dm-verity-uboot-script.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+while read line; do
+   key=$(echo ${line} | cut -f1 -d':')
+   value=$(echo ${line} | cut -f2 -d':')
+
+   case "${key}" in
+   "UUID")
+   UUID=${value}
+   ;;
+   "Data blocks")
+   DATA_BLOCKS=${value}
+   ;;
+   "Data block size")
+   DATA_BLOCK_SIZE=${value}
+   ;;
+   "Hash block size")
+   HASH_BLOCK_SIZE=${value}
+   ;;
+   "Hash algorithm")
+   HASH_ALG=${value}
+   ;;
+   "Salt")
+   SALT=${value}
+   ;;
+   "Root hash")
+   ROOT_HASH=${value}
+   ;;
+   esac
+done
+
+SECTORS=$((${DATA_BLOCKS} * 8))
+
+echo setenv verity_sectors $((${DATA_BLOCKS} * 8))
+echo setenv verity_data_blocks ${DATA_BLOCKS}
+echo setenv verity_hash_start $((${DATA_BLOCKS} + 1))
+echo setenv verity_data_block_sz ${DATA_BLOCK_SIZE}
+echo setenv verity_hash_bloc
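
Review bot: the script never checks that DATA_BLOCKS, ROOT_HASH and the other values were actually parsed, so on empty or unexpected input `$((${DATA_BLOCKS} * 8))` either fails with a shell error or the script emits setenv lines with empty values. Validate every variable after the loop and exit non-zero when one is missing. The factor 8 also hard-codes 4096-byte data blocks over 512-byte sectors although DATA_BLOCK_SIZE is parsed, SECTORS is assigned but the same expression is recomputed on the next line, and `read line` with unquoted `${line}` should be `read -r line` with quoting.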

[OpenWrt-Devel] [PATCH v2 10/12] target/linux/generic: backport patches adding DM_INIT functionality

2019-11-21 Thread Thomas Petazzoni
The new DM_INIT functionality, merged in upstream Linux 5.1, allows
setting up a device mapper target at boot time. It avoids the need to use
an initramfs to set up a device mapper target. This is useful in the
context of supporting dm-verity in OpenWRT.

Signed-off-by: Thomas Petazzoni 
---
 ...-to-directly-boot-to-a-mapped-device.patch | 668 ++
 ...-init-fix-max-devices-targets-checks.patch |  48 ++
 ...hang-in-early-create-error-condition.patch |  49 ++
 ...ion-dm-init-fix-multi-device-example.patch |  45 ++
 ...-to-directly-boot-to-a-mapped-device.patch | 668 ++
 ...-init-fix-max-devices-targets-checks.patch |  48 ++
 ...hang-in-early-create-error-condition.patch |  49 ++
 ...ion-dm-init-fix-multi-device-example.patch |  45 ++
 8 files changed, 1620 insertions(+)
 create mode 100644 
target/linux/generic/backport-4.14/390-dm-add-support-to-directly-boot-to-a-mapped-device.patch
 create mode 100644 
target/linux/generic/backport-4.14/391-dm-init-fix-max-devices-targets-checks.patch
 create mode 100644 
target/linux/generic/backport-4.14/392-dm-ioctl-fix-hang-in-early-create-error-condition.patch
 create mode 100644 
target/linux/generic/backport-4.14/393-Documentation-dm-init-fix-multi-device-example.patch
 create mode 100644 
target/linux/generic/backport-4.19/400-dm-add-support-to-directly-boot-to-a-mapped-device.patch
 create mode 100644 
target/linux/generic/backport-4.19/401-dm-init-fix-max-devices-targets-checks.patch
 create mode 100644 
target/linux/generic/backport-4.19/402-dm-ioctl-fix-hang-in-early-create-error-condition.patch
 create mode 100644 
target/linux/generic/backport-4.19/403-Documentation-dm-init-fix-multi-device-example.patch

diff --git 
a/target/linux/generic/backport-4.14/390-dm-add-support-to-directly-boot-to-a-mapped-device.patch
 
b/target/linux/generic/backport-4.14/390-dm-add-support-to-directly-boot-to-a-mapped-device.patch
new file mode 100644
index 00..291dbd783d
--- /dev/null
+++ 
b/target/linux/generic/backport-4.14/390-dm-add-support-to-directly-boot-to-a-mapped-device.patch
@@ -0,0 +1,668 @@
+From d2f5bf5f2df9c9993564e4a03187f6aa79b58cc4 Mon Sep 17 00:00:00 2001
+From: Helen Koike 
+Date: Thu, 21 Feb 2019 17:33:34 -0300
+Subject: [PATCH 1/4] dm: add support to directly boot to a mapped device
+
+Add a "create" module parameter, which allows device-mapper targets to
+be configured at boot time. This enables early use of DM targets in the
+boot process (as the root device or otherwise) without the need of an
+initramfs.
+
+The syntax used in the boot param is based on the concise format from
+the dmsetup tool to follow the rule of least surprise:
+
+   dmsetup table --concise /dev/mapper/lroot
+
+Which is:
+   
dm-mod.create=[,+][;[,+]+]
+
+Where,
+ ::= The device name.
+ ::= ---- | ""
+::= The device minor number | ""
+::= "ro" | "rw"
+::=

+  ::= "verity" | "linear" | ...
+
+For example, the following could be added in the boot parameters:
+dm-mod.create="lroot,,,rw, 0 4096 linear 98:16 0, 4096 4096 linear 98:32 0" 
root=/dev/dm-0
+
+Only the targets that were tested are allowed and the ones that don't
+change any block device when the device is create as read-only. For
+example, mirror and cache targets are not allowed. The rationale behind
+this is that if the user makes a mistake, choosing the wrong device to
+be the mirror or the cache can corrupt data.
+
+The only targets initially allowed are:
+* crypt
+* delay
+* linear
+* snapshot-origin
+* striped
+* verity
+
+Co-developed-by: Will Drewry 
+Co-developed-by: Kees Cook 
+Co-developed-by: Enric Balletbo i Serra 
+Signed-off-by: Helen Koike 
+Reviewed-by: Kees Cook 
+Signed-off-by: Mike Snitzer 
+---
+ Documentation/device-mapper/dm-init.txt | 114 +
+ drivers/md/Kconfig  |  12 +
+ drivers/md/Makefile |   4 +
+ drivers/md/dm-init.c| 303 
+ drivers/md/dm-ioctl.c   | 103 
+ include/linux/device-mapper.h   |   9 +
+ 6 files changed, 545 insertions(+)
+ create mode 100644 Documentation/device-mapper/dm-init.txt
+ create mode 100644 drivers/md/dm-init.c
+
+diff --git a/Documentation/device-mapper/dm-init.txt 
b/Documentation/device-mapper/dm-init.txt
+new file mode 100644
+index ..8464ee7c01b8
+--- /dev/null
 b/Documentation/device-mapper/dm-init.txt
+@@ -0,0 +1,114 @@
++Early creation of mapped devices
++
++
++It is possible to configure a device-mapper device to act as the root device 
for
++your system in two ways.
++
++The first is to build an initial ramdisk which boots to a minimal userspace
++which configures the device, then pivot_root(8) in to it.
++
++The second is to create 

[OpenWrt-Devel] [PATCH v2 03/12] tools/popt: new package

2019-11-21 Thread Thomas Petazzoni
popt for the host will be needed as a dependency of cryptsetup for the
host.

Signed-off-by: Thomas Petazzoni 
---
 tools/popt/Makefile | 22 ++
 1 file changed, 22 insertions(+)
 create mode 100644 tools/popt/Makefile

diff --git a/tools/popt/Makefile b/tools/popt/Makefile
new file mode 100644
index 00..7a6de9fa02
--- /dev/null
+++ b/tools/popt/Makefile
@@ -0,0 +1,22 @@
+#
+# Copyright (C) 2010-2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=popt
+PKG_VERSION:=1.16
+PKG_HASH:=e728ed296fe9f069a0e005003c3d6b2dde3d9cad453422a10d6558616d304cc8
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=http://rpm5.org/files/popt
+
+HOST_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/host-build.mk
+
+$(eval $(call HostBuild))
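
Review bot: PKG_SOURCE_URL fetches over plain `http://rpm5.org/files/popt`, so the download is protected only by PKG_HASH; use an HTTPS location if one carries this tarball. The diffstat also shows only tools/popt/Makefile changing, so nothing in this patch adds popt to the tools build or orders it before cryptsetup; if that hookup happens in a later patch, say so in the commit message.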
-- 
2.23.0




[OpenWrt-Devel] [PATCH v2 12/12] target/linux/mvebu: generate a FIT image on Armada XP GP with dm-verity

2019-11-21 Thread Thomas Petazzoni
When a dm-verity capable is selected, the user will most likely need
the U-Boot script that contains the various dm-verity related
configuration details, needed by U-Boot to build the kernel command
line with the appropriate dm="..." argument.

Therefore, for the Marvell Armada XP GP platform, make sure a FIT
image containing the dm-verity related U-Boot script is produced when
CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED is enabled.

Signed-off-by: Thomas Petazzoni 
---
 target/linux/mvebu/image/cortex-a9.mk | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/target/linux/mvebu/image/cortex-a9.mk 
b/target/linux/mvebu/image/cortex-a9.mk
index cf70031b99..1d3d37e987 100644
--- a/target/linux/mvebu/image/cortex-a9.mk
+++ b/target/linux/mvebu/image/cortex-a9.mk
@@ -142,6 +142,19 @@ define Device/marvell_axp-db
 endef
 TARGET_DEVICES += marvell_axp-db
 
+ifeq ($(CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED),y)
+define Device/armada-xp-gp/kernel
+   ITS_UBOOT_SCRIPT := 
$(KDIR)/root.squashfs-hashed-dm-verity-uboot-script.txt
+   KERNEL := kernel-bin | append-dtb | fit none
+   KERNEL_SIZE := 4096k
+endef
+else
+define Device/armada-xp-gp/kernel
+   KERNEL := kernel-bin | append-dtb | uImage none
+   KERNEL_SIZE := 4096k
+endef
+endif
+
 define Device/marvell_axp-gp
   $(Device/NAND-512K)
   DEVICE_VENDOR := Marvell
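
Review bot: ITS_UBOOT_SCRIPT hard-codes `$(KDIR)/root.squashfs-hashed-dm-verity-uboot-script.txt`, which couples this device file to the name that include/image.mk derives from `$@-dm-verity-uboot-script.txt`. Define that file name once as a variable in include/image.mk and reference it here. The two Device/armada-xp-gp/kernel definitions also differ only in `fit none` versus `uImage none`, so the ifeq could wrap just those lines instead of duplicating KERNEL_SIZE.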
@@ -149,6 +162,7 @@ define Device/marvell_axp-gp
   DEVICE_DTS := armada-xp-gp
   SUPPORTED_DEVICES += armada-xp-gp
   IMAGES += factory.img
+  $(Device/armada-xp-gp/kernel)
 endef
 TARGET_DEVICES += marvell_axp-gp
 
-- 
2.23.0




[OpenWrt-Devel] [PATCH v2 00/12] dm-verity support

2019-11-21 Thread Thomas Petazzoni
Hello,

This is the second iteration of my patch series adding support for
dm-verity in OpenWRT. See below for some introduction about the
purpose of this series.

Changes since v1


- Rebase the patch series on the latest master.

- Make sure all patches have @bootlin.com as author, and not some
  stale @free-electrons.com

- Switch to using the upstream kernel patches to set up a DM target at
  boot time using the kernel command line, rather than patches that
  were submitted years ago and not merged.

- Make sure kernel patches are provided for both 4.14 and 4.19

- Drop the SOURCE_DATE_EPOCH usage when creating the mksquashfs image.

- Format the cryptsetup patch properly.

- Only build the host tools if CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED is
  enabled

- Instead of unconditionally enabling the necessary kernel options for
  dm-verity support, we now add the appropriate options to
  config/Config-kernel.in, and select them only when needed.

- Drop empty Host/Configure rule in tools/libaio/Makefile

Introduction


dm-verity is a Linux kernel Device Mapper target that verifies that
the data in a block device has not been tampered with, by checking it
at runtime against a hash tree, itself verified by a root hash, which
is passed from a trusted source. dm-verity only supports read
operations, so we only support the read-only squashfs root filesystem
in this series.

This "hash tree" is a bunch of metadata that needs to be stored on
non-volatile storage. It can be appended to the filesystem data, or
stored on a separate block device/partition. We have chosen to support
only the case where it is appended to the filesystem data.

In the proposed series:

 - Patches 1-5 introduce new host packages. The first four are simply
   dependencies needed for cryptsetup, which is the tool used to
   generate the hash tree at build time.

 - Patch 6 extends the mkits.sh script so that a U-Boot script can be
   embedded in a FIT image. Indeed, to set up a dm-verity device at
   boot time, you need to pass a lot of details to the kernel that
   describe the dm-verity device, including the root hash. Those
   details need to be trusted: having them as part of the FIT image
   allows leveraging the signing capabilities of FIT images.

 - Patch 7 extends config/Config-kernel.in to be able to enable the
   appropriate kernel options for dm-verity support.

 - Patch 8 allows creating a FIT image with an embedded U-Boot
   script, leveraging the feature added in patch 6.

 - Patch 9 adds the code itself that generates the dm-verity capable
   squashfs image, and a script that produces the U-Boot script with
   the various parameters needed to set up the DM device at boot time.

 - Patch 10 adds two kernel patches that allow setting up a DM device
   at boot time, which have been backported from the upstream kernel,
   while patch 10 updates the kernel configuration to enable the
   appropriate option for dm-verity.

 - Patches 11 and 12 are just related to enabling this mechanism on
   Armada XP GP, which is the platform I used to work on this topic.

This work was tested on Armada XP GP, with both MMC and NAND storage.

One aspect that is not solved by this patch series is the logic in the
fstools programs to set up the overlay at boot time. Indeed, when
there is a squashfs filesystem, fstools assumes that it can use the
space after the squashfs filesystem for its overlay (in the MMC
storage case). It is not the case with dm-verity, because we have the
hash tree after the squashfs filesystem. This is something I intend to
work on.

Thomas Petazzoni

Thomas Petazzoni (12):
  tools/libaio: new package
  tools/lvm2: new package
  tools/popt: new package
  tools/libjson-c: new package
  tools/cryptsetup: new package
  scripts/mkits.sh: extend with -s option to include a U-Boot script
  config/Config-kernel.in: add options to enable dm-verity related
kernel features
  include/image-commands.mk: extend Build/fit for U-Boot script
integration
  include/image.mk: add support for building a dm-verity enabled
squashfs image
  target/linux/generic: backport patches adding DM_INIT functionality
  target/linux/mvebu: enable UBI factory image on Armada XP GP
  target/linux/mvebu: generate a FIT image on Armada XP GP with
dm-verity

 config/Config-images.in   |   8 +
 config/Config-kernel.in   |  15 +
 include/image-commands.mk |   1 +
 include/image.mk  |  17 +-
 scripts/mkits.sh  |  22 +-
 scripts/prepare-dm-verity-uboot-script.sh |  41 ++
 ...-to-directly-boot-to-a-mapped-device.patch | 668 ++
 ...-init-fix-max-devices-targets-checks.patch |  48 ++
 ...hang-in-early-create-error-condition.patch |  49 ++
 ...ion-dm-init-fix-multi-device-example.patch |  45 ++
 ...-to-directly-boot-to-a-mapped-device.patch | 668 ++
 ...-init-fix-m
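
The hash tree and root hash described in the cover letter above, as an added example that is not part of the original thread or of the patch series: a simplified Python model of a tree appended after the data. The 4096-byte blocks, salted SHA-256, top-level-first layout without a superblock and all function names are assumptions, and the result is not bit-compatible with veritysetup output. It shows why a modified data block fails verification and why regenerating the tree does not help without the trusted root hash.

```python
"""Simplified model of a dm-verity style hash tree appended to an image.

Constructed example: block size, layout and names are assumptions; there is
no superblock and the result is not bit-compatible with veritysetup output.
"""
import hashlib
import hmac

BLOCK = 4096                                  # data and hash block size
DIGEST = hashlib.sha256().digest_size         # 32 bytes
PER_BLOCK = BLOCK // DIGEST                   # 128 digests per hash block


def salted_hash(salt: bytes, block: bytes) -> bytes:
    """Digest of one block with the salt prepended."""
    return hashlib.sha256(salt + block).digest()


def split_blocks(buf: bytes) -> list:
    return [buf[i:i + BLOCK] for i in range(0, len(buf), BLOCK)]


def level_sizes(n_data_blocks: int) -> list:
    """Hash blocks needed per tree level, leaf level first."""
    sizes, n = [], n_data_blocks
    while True:
        n = -(-n // PER_BLOCK)                # ceiling division
        sizes.append(n)
        if n == 1:
            return sizes


def make_image(data: bytes, salt: bytes):
    """Return (image, root_hash): data followed by the tree, top level first."""
    if not data or len(data) % BLOCK:
        raise ValueError("data must be a non-empty multiple of BLOCK bytes")
    levels, current = [], split_blocks(data)
    while True:
        digests = b"".join(salted_hash(salt, b) for b in current)
        level = digests + b"\0" * (-len(digests) % BLOCK)   # zero-pad the level
        levels.append(level)
        current = split_blocks(level)
        if len(current) == 1:
            break
    root_hash = salted_hash(salt, current[0])
    return data + b"".join(reversed(levels)), root_hash


def verify_block(image, index, n_data_blocks, salt, root_hash) -> bool:
    """Check one data block the way a verified read would: leaf to root."""
    sizes = level_sizes(n_data_blocks)
    # First block of each level inside the image (levels are stored top first).
    starts = [n_data_blocks + sum(sizes[lvl + 1:]) for lvl in range(len(sizes))]
    blocks = split_blocks(image)
    digest, pos = salted_hash(salt, blocks[index]), index
    for lvl in range(len(sizes)):
        hash_block = blocks[starts[lvl] + pos // PER_BLOCK]
        slot = (pos % PER_BLOCK) * DIGEST
        if not hmac.compare_digest(hash_block[slot:slot + DIGEST], digest):
            return False                      # stored digest does not match
        digest, pos = salted_hash(salt, hash_block), pos // PER_BLOCK
    return hmac.compare_digest(digest, root_hash)


def sample_data(n_blocks: int) -> bytes:
    """Constructed stand-in for a block-aligned squashfs image."""
    return b"".join(i.to_bytes(4, "big") * (BLOCK // 4) for i in range(n_blocks))


if __name__ == "__main__":
    salt = bytes(range(32))                   # constructed salt
    data = sample_data(130)                   # 130 blocks need a two-level tree
    image, root = make_image(data, salt)
    print("root hash:", root.hex())
    print("block 129 ok:", verify_block(image, 129, 130, salt, root))

    # Offline change of one data byte: the leaf digest no longer matches.
    tampered = bytearray(image)
    tampered[129 * BLOCK] ^= 0xFF
    print("tampered ok:", verify_block(bytes(tampered), 129, 130, salt, root))

    # Regenerating the whole tree does not help without the trusted root hash.
    rebuilt, new_root = make_image(bytes(tampered[:130 * BLOCK]), salt)
    print("rebuilt ok:", verify_block(rebuilt, 129, 130, salt, root))
```

In this model the only value that has to be authenticated out of band is the root hash, which is the role the signed FIT image plays in the series.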

[OpenWrt-Devel] [PATCH v2 02/12] tools/lvm2: new package

2019-11-21 Thread Thomas Petazzoni
lvm2 for the host will be needed as a dependency to build cryptsetup
for the host.

Signed-off-by: Thomas Petazzoni 
---
 tools/Makefile  |  1 +
 tools/lvm2/Makefile | 47 +
 2 files changed, 48 insertions(+)
 create mode 100644 tools/lvm2/Makefile

diff --git a/tools/Makefile b/tools/Makefile
index 2f57d25525..26e2d19fee 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -78,6 +78,7 @@ $(curdir)/wrt350nv2-builder/compile := $(curdir)/zlib/compile
 $(curdir)/lzma-old/compile := $(curdir)/zlib/compile
 $(curdir)/make-ext4fs/compile := $(curdir)/zlib/compile
 $(curdir)/cbootimage/compile += $(curdir)/automake/compile
+$(curdir)/lvm2/compile := $(curdir)/pkg-config/compile $(curdir)/libaio/compile
 
 ifneq ($(HOST_OS),Linux)
   $(curdir)/squashfskit4/compile += $(curdir)/coreutils/compile
diff --git a/tools/lvm2/Makefile b/tools/lvm2/Makefile
new file mode 100644
index 00..8b37cbaa6c
--- /dev/null
+++ b/tools/lvm2/Makefile
@@ -0,0 +1,47 @@
+#
+# Copyright (C) 2010-2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=lvm2
+PKG_VERSION:=2.02.180
+PKG_HASH:=24997e26dfc916151707c9da504d38d0473bec3481a8230b676bc079041bead6
+PKG_RELEASE:=1
+
+PKG_SOURCE:=LVM2.$(PKG_VERSION).tgz
+PKG_SOURCE_URL:=ftp://sources.redhat.com/pub/lvm2/old
+
+HOST_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/host-build.mk
+
+HOST_CONFIGURE_ARGS += \
+--enable-write_install \
+--enable-pkgconfig \
+--disable-cmdlib \
+--disable-dmeventd \
+--disable-applib \
+--disable-fsadm \
+--disable-readline \
+--disable-selinux
+
+# lvm2 unpacks in the wrong folder
+define Host/Prepare
+   $(call Host/Prepare/Default)
+   mv $(HOST_BUILD_DIR)/../LVM2.$(PKG_VERSION)/* $(HOST_BUILD_DIR)/
+   rmdir $(HOST_BUILD_DIR)/../LVM2.$(PKG_VERSION)
+endef
+
+define Host/Compile
+   $(call Host/Compile/Default,device-mapper)
+endef
+
+define Host/Install
+   $(call Host/Compile/Default,install_device-mapper)
+endef
+
+$(eval $(call HostBuild))
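
Review bot: PKG_SOURCE_URL points at `ftp://sources.redhat.com/pub/lvm2/old`, an unauthenticated FTP path, so only PKG_HASH protects the download and builders without outbound FTP cannot fetch it; prefer an HTTPS location for the same tarball. In Host/Prepare, `mv .../LVM2.$(PKG_VERSION)/*` skips dotfiles, and the following rmdir fails if any are left behind, so the workaround should either move hidden entries too or be explained in the comment.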
-- 
2.23.0




[OpenWrt-Devel] [PATCH v2 11/12] target/linux/mvebu: enable UBI factory image on Armada XP GP

2019-11-21 Thread Thomas Petazzoni
The Armada XP GP has a NAND storage device, so it makes sense to
generate the UBI-based factory image for this platform.

Signed-off-by: Thomas Petazzoni 
---
 target/linux/mvebu/image/cortex-a9.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/target/linux/mvebu/image/cortex-a9.mk 
b/target/linux/mvebu/image/cortex-a9.mk
index c2ada75c2d..cf70031b99 100644
--- a/target/linux/mvebu/image/cortex-a9.mk
+++ b/target/linux/mvebu/image/cortex-a9.mk
@@ -148,6 +148,7 @@ define Device/marvell_axp-gp
   DEVICE_MODEL := Armada Armada XP GP (DB-MV784MP-GP)
   DEVICE_DTS := armada-xp-gp
   SUPPORTED_DEVICES += armada-xp-gp
+  IMAGES += factory.img
 endef
 TARGET_DEVICES += marvell_axp-gp
 
-- 
2.23.0




[OpenWrt-Devel] [PATCH v2 01/12] tools/libaio: new package

2019-11-21 Thread Thomas Petazzoni
libaio for the host will be needed as a dependency of lvm2, itself a
dependency of cryptsetup.

Signed-off-by: Thomas Petazzoni 
---
 tools/libaio/Makefile | 30 ++
 1 file changed, 30 insertions(+)
 create mode 100644 tools/libaio/Makefile

diff --git a/tools/libaio/Makefile b/tools/libaio/Makefile
new file mode 100644
index 00..bb5b43a69c
--- /dev/null
+++ b/tools/libaio/Makefile
@@ -0,0 +1,30 @@
+#
+# Copyright (C) 2010-2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libaio
+PKG_VERSION:=0.3.111
+PKG_HASH:=62cf871ad8fd09eb3418f00aca7a7d449299b8e1de31c65f28bf6a2ef1fa502a
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://releases.pagure.org/libaio
+
+HOST_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/host-build.mk
+
+define Host/Compile
+   $(MAKE) -C $(HOST_BUILD_DIR)
+endef
+
+define Host/Install
+   $(MAKE) -C $(HOST_BUILD_DIR) prefix=$(HOST_BUILD_PREFIX) install
+endef
+
+$(eval $(call HostBuild))
-- 
2.23.0




[OpenWrt-Devel] [PATCH v2 04/12] tools/libjson-c: new package

2019-11-21 Thread Thomas Petazzoni
libjson-c is needed to build cryptsetup. While the host variant of
libjson-c is already packaged in package/libs/libjson-c, we apparently
can't express a dependency of something packaged in "tools/" against a
library in package/libs/, so we have to duplicate libjson-c's
Makefile in tools/libjson-c/.

Signed-off-by: Thomas Petazzoni 
---
 tools/libjson-c/Makefile | 25 +
 1 file changed, 25 insertions(+)
 create mode 100644 tools/libjson-c/Makefile

diff --git a/tools/libjson-c/Makefile b/tools/libjson-c/Makefile
new file mode 100644
index 00..244594debc
--- /dev/null
+++ b/tools/libjson-c/Makefile
@@ -0,0 +1,25 @@
+#
+# Copyright (C) 2006-2014 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=json-c
+PKG_VERSION:=0.13.1
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://s3.amazonaws.com/json-c_releases/releases/
+PKG_HASH:=b87e608d4d3f7bfdd36ef78d56d53c74e66ab278d318b71e6002a369d36f4873
+
+PKG_LICENSE:=MIT
+PKG_LICENSE_FILES:=COPYING
+
+HOST_FIXUP:=autoreconf
+
+include $(INCLUDE_DIR)/host-build.mk
+
+$(eval $(call HostBuild))
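
Review bot: PKG_VERSION and PKG_HASH for json-c now live both here and in package/libs/libjson-c, as the commit message acknowledges, so the two copies can drift apart on the next version bump. Add a comment at the top of this Makefile pointing at the other copy (and one there pointing back) so that whoever bumps one knows to update both.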
-- 
2.23.0




[OpenWrt-Devel] [PATCH v2 06/12] scripts/mkits.sh: extend with -s option to include a U-Boot script

2019-11-21 Thread Thomas Petazzoni
The mkits.sh script prepares a .its file describing a FIT image. This commit
extends it to support a -s option, which allows passing a file that
should be embedded as a U-Boot script in the FIT image.

This will be used as part of the dm-verity integration to add in the
FIT image a U-Boot script that provides the details of the dm-verity
volume (salt, root hash, number of data blocks, start of hash blocks,
etc.).

Signed-off-by: Thomas Petazzoni 
---
 scripts/mkits.sh | 22 --
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/scripts/mkits.sh b/scripts/mkits.sh
index 93c8cedaed..ce14f664d6 100755
--- a/scripts/mkits.sh
+++ b/scripts/mkits.sh
@@ -16,7 +16,8 @@
 
 usage() {
echo "Usage: `basename $0` -A arch -C comp -a addr -e entry" \
-   "-v version -k kernel [-D name -d dtb] -o its_file"
+   "-v version -k kernel [-D name -d dtb] -o its_file" \
+   "-s script"
echo -e "\t-A ==> set architecture to 'arch'"
echo -e "\t-C ==> set compression type 'comp'"
echo -e "\t-c ==> set config name 'config'"
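
Review bot: the usage line prints `-s script` outside the square brackets, which reads as a mandatory argument, while the rest of the patch treats it as optional (`if [ -n "${SCRIPT}" ]`). Print it as `[-s script]`, next to `[-D name -d dtb]`.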
@@ -27,10 +28,11 @@ usage() {
echo -e "\t-D ==> human friendly Device Tree Blob 'name'"
echo -e "\t-d ==> include Device Tree Blob 'dtb'"
echo -e "\t-o ==> create output file 'its_file'"
+   echo -e "\t-s ==> include U-Boot script 'script'"
exit 1
 }
 
-while getopts ":A:a:c:C:D:d:e:k:o:v:" OPTION
+while getopts ":A:a:c:C:D:d:e:k:o:s:v:" OPTION
 do
case $OPTION in
A ) ARCH=$OPTARG;;
@@ -42,6 +44,7 @@ do
e ) ENTRY_ADDR=$OPTARG;;
k ) KERNEL=$OPTARG;;
o ) OUTPUT=$OPTARG;;
+   s ) SCRIPT=$OPTARG;;
v ) VERSION=$OPTARG;;
* ) echo "Invalid option passed to '$0' (options:$@)"
usage;;
@@ -77,6 +80,18 @@ if [ -n "${DTB}" ]; then
FDT_PROP="fdt = \"fdt@1\";"
 fi
 
+# Conditionally create script information
+if [ -n "${SCRIPT}" ]; then
+   SCRIPT="
+   script {
+   description = \"Script\";
+   data = /incbin/(\"${SCRIPT}\");
+   type = \"script\";
+   compression = \"none\";
+   };
+"
+fi
+
 # Create a default, fully populated DTS file
 DATA="/dts-v1/;
 
@@ -102,6 +117,9 @@ DATA="/dts-v1/;
};
};
 ${FDT_NODE}
+
+${SCRIPT}
+
};
 
configurations {
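
Review bot: `${SCRIPT}` is inserted into the images node, but the script node built in the previous hunk has no hash or signature subnode, and no hunk in this patch references it from a configuration. As written U-Boot has nothing to check the script against, which matters because the script carries the dm-verity root hash; add at least a hash subnode and state how the script is meant to be covered when the FIT is signed. Reusing SCRIPT for both the input path and the generated node text is also easy to misread; a separate variable for the node would help.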
-- 
2.23.0




[OpenWrt-Devel] [PATCH v2 08/12] include/image-commands.mk: extend Build/fit for U-Boot script integration

2019-11-21 Thread Thomas Petazzoni
This commit extends the Build/fit macro so that if an ITS_UBOOT_SCRIPT
variable is defined, it is passed to the mkits.sh script as "-s"
argument. This allows the ITS_UBOOT_SCRIPT file to be integrated as a
U-Boot script in the FIT image.

This will be used as part of the dm-verity integration to add in the
FIT image a U-Boot script that provides the details of the dm-verity
volume (salt, root hash, number of data blocks, start of hash blocks,
etc.).

Signed-off-by: Thomas Petazzoni 
---
 include/image-commands.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/image-commands.mk b/include/image-commands.mk
index 5dfd6a2c2f..3662cb2821 100644
--- a/include/image-commands.mk
+++ b/include/image-commands.mk
@@ -155,6 +155,7 @@ define Build/fit
$(if $(word 2,$(1)),-d $(word 2,$(1))) -C $(word 1,$(1)) \
-a $(KERNEL_LOADADDR) -e $(if 
$(KERNEL_ENTRY),$(KERNEL_ENTRY),$(KERNEL_LOADADDR)) \
-c $(if $(DEVICE_DTS_CONFIG),$(DEVICE_DTS_CONFIG),"config@1") \
+   $(if $(ITS_UBOOT_SCRIPT),-s $(ITS_UBOOT_SCRIPT)) \
-A $(LINUX_KARCH) -v $(LINUX_VERSION)
PATH=$(LINUX_DIR)/scripts/dtc:$(PATH) mkimage -f $@.its $@.new
@mv $@.new $@
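
Review bot: with `-s $(ITS_UBOOT_SCRIPT)` the FIT now carries the dm-verity parameters, yet the `mkimage -f $@.its $@.new` call two lines below takes no key arguments, so the image built by Build/fit is unsigned. The cover letter relies on FIT signing to make the root hash trustworthy; either wire signing in here or state in the commit message that signing is left to the integrator.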
-- 
2.23.0




[OpenWrt-Devel] [PATCH v2 07/12] config/Config-kernel.in: add options to enable dm-verity related kernel features

2019-11-21 Thread Thomas Petazzoni
The dm-verity support requires a number of kernel options to be
enabled. This commit adds the corresponding options to
config/Config-kernel.in, so that they can be selected by other OpenWrt
options when needed.

Signed-off-by: Thomas Petazzoni 
---
Note: I sometimes encounter an issue at build time where the kernel
configuration system would prompt me for the values of the new options
made visible as a result of enabling those MD, BLK_DEV_DM, DM_VERITY
and DM_INIT options. Interestingly, I don't seem to encounter this at
every build. I'm not sure why OpenWrt doesn't simply run a "make
olddefconfig" to automatically accept the default values for
unspecified options. What is the appropriate course of action to solve
this problem ?
---
 config/Config-kernel.in | 15 +++
 1 file changed, 15 insertions(+)

diff --git a/config/Config-kernel.in b/config/Config-kernel.in
index bdb6b91cbb..eae413eb29 100644
--- a/config/Config-kernel.in
+++ b/config/Config-kernel.in
@@ -860,3 +860,18 @@ config KERNEL_CC_OPTIMIZE_FOR_SIZE
  your compiler resulting in a smaller kernel.
 
 endchoice
+
+config KERNEL_MD
+   bool "Multiple devices driver support (RAID and LVM)"
+
+config KERNEL_BLK_DEV_DM
+   bool "Device mapper support"
+   depends on KERNEL_MD
+
+config KERNEL_DM_VERITY
+   bool "Verity target support"
+   depends on KERNEL_BLK_DEV_DM
+
+config KERNEL_DM_INIT
+   bool "DM \"dm-mod.create=\" parameter support"
+   depends on KERNEL_BLK_DEV_DM
-- 
2.23.0




Re: [OpenWrt-Devel] [PATCH procd] initd/init: add minimal SELinux policy loading support

2019-11-18 Thread Thomas Petazzoni
Hello Petr,

Thanks for your feedback again.

On Sat, 16 Nov 2019 14:22:13 +0100
Petr Štetiar wrote:

> (nitpick, it's OpenWrt, not OpenWRT)

Thanks for this clarification, it's always good to use the proper
capitalization for project names. I'll try to use OpenWrt in the
future, but please bear with me if I sometimes forget.

> > No, this patch is not RFC, it should be ready for merging, I'm already
> > using it in some devices.  
> 
> Ok, this patch is good enough for your limited use case, but in order to
> include SELinux support in OpenWrt, then the first patch series should be more
> comprehensive, minimal yet complete.

I guess I'll send the patch series itself, so we can have the
discussion on the actual proposal. I sent this procd patch separately,
just because it is a requirement for the rest of the series to work
(right now I was working with this procd patch in the OpenWrt procd
package).

> > The thing is that the SELinux support in OpenWRT needs this improvement
> > in procd, otherwise it won't work at runtime as nothing will be loading
> > the SELinux policy.  
> 
> Where is that policy? What about kernel part? What about userspace part? What
> about filesystem image? And so on.

In terms of policy, I'm simply using the reference policy provided by
the SELinux project itself, with no specific customization for OpenWrt.
Of course, additional tuning may be required, but for my use case, it
was sufficient. In terms of kernel part, it of course requires some
kernel options to be enabled. In terms of user-space parts, this is
where my patch series is the most interesting: it packages all the
user-space components that are necessary to be able to work with
SELinux.

> > Regarding the flash space, RAM and CPU overhead, I'm not sure it's that
> > relevant: the SELinux packaging I've done makes it completely optional,
> > so you only have an impact of flash space, RAM and CPU if you enable
> > SELinux support.  
> 
> Once it's merged, we basically say, that it's more or less supported, even if
> it's optional.
> 
> It's pretty much crystal clear, that some additional hardening layer would be
> very welcome. I think, that OpenWrt should aim for something, which could be
> usable on most of modern devices today and enabled by default. Security
> shouldn't be an option, it should be default.
> 
> SELinux is just one of the LSMs in Linux.  Is SELinux the right one for
> OpenWrt project? Are we going to support all of them? I doubt that, so
> decision needs to be made.

I guess here I don't have the OpenWrt mindset, as I come from a
Buildroot background. Buildroot supports multiple solutions for the
same "problem", and let users decide which solution they want to use
(so the users have some integration work to do), while it seems that
OpenWrt wants to make a decision on one solution to use, but provide
something that is seamlessly integrated for users.

> > Do you have more details about entering failsafe mode ? How do you do that ?
> 
> It's usually triggered by the button during the boot process[1], but it should
> be possible to force it from procd as well.
> 
> 1. https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset

OK, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



Re: [OpenWrt-Devel] [PATCH procd] initd/init: add minimal SELinux policy loading support

2019-11-15 Thread Thomas Petazzoni
Hello Petr,

Thanks for your feedback!

On Fri, 15 Nov 2019 06:29:49 +0100
Petr Štetiar wrote:

> is this some kind of RFC/idea probe? I like the idea, additional hardening is
> needed and welcome I would say.

No, this patch is not RFC, it should be ready for merging, I'm already
using it in some devices.

> > I have patches ready to add some minimal SELinux support to OpenWRT,
> > which I intend to send in the near future.  
> 
> It would probably make more sense to send somehow minimal but complete working
> SELinux support so one could see what it would mean in terms of flash space,
> RAM, CPU overhead etc. Maybe adding one of the default services exposed to the
> network as initial example?

The thing is that the SELinux support in OpenWRT needs this improvement
in procd, otherwise it won't work at runtime as nothing will be loading
the SELinux policy.

Regarding the flash space, RAM and CPU overhead, I'm not sure it's that
relevant: the SELinux packaging I've done makes it completely optional,
so you only have an impact of flash space, RAM and CPU if you enable
SELinux support. If you don't, then your OpenWRT system is exactly like
it was before.

> > +  pkg_search_module(SELINUX REQUIRED libselinux)  
> 
> This looks like a missing dependency.

Sorry, but I don't understand what you mean here. Or maybe you're
saying that there is no libselinux package in OpenWRT ? That is true,
and will be part of my patch series to OpenWRT adding all the packages
related to OpenWRT support.

> > fprintf(stderr, "Cannot load SELinux policy, but system in enforcing mode. 
> > Halting.\n");  
> 
> Just a side note, halting in the context of running on the router means
> flashing of factory image. Halting doesn't provide any feedback to the user,
> if we don't consider stuck-in-the-bootloop as a proper feedback.  Probably
> entering failsafe (has LED feedback) or such would make more sense here?

Do you have more details about entering failsafe mode ? How do you do
that ?

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



[OpenWrt-Devel] [PATCH procd] initd/init: add minimal SELinux policy loading support

2019-11-13 Thread Thomas Petazzoni
In order to support SELinux in OpenWRT, this commit introduces minimal
support for loading the SELinux policy in the init code. The logic is
very much inspired from what Busybox is doing: call
selinux_init_load_policy() from libselinux, and then re-execute init
so that it runs with the SELinux policy in place and enforced.

Signed-off-by: Thomas Petazzoni 
---
I have patches ready to add some minimal SELinux support to OpenWRT,
which I intend to send in the near future.
---
 CMakeLists.txt |  9 -
 initd/init.c   | 41 +
 2 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 4b3eebd..865e43c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -40,6 +40,12 @@ IF(ZRAM_TMPFS)
   SET(SOURCES_ZRAM initd/zram.c)
 ENDIF()
 
+IF(SELINUX)
+  include(FindPkgConfig)
+  pkg_search_module(SELINUX REQUIRED libselinux)
+  add_compile_definitions(WITH_SELINUX)
+ENDIF()
+
 add_subdirectory(upgraded)
 
 ADD_EXECUTABLE(procd ${SOURCES})
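Review bot: add_compile_definitions() in the new IF(SELINUX) block requires CMake 3.12 or newer, while the rest of this file uses the older ADD_DEFINITIONS form (see -DDISABLE_INIT in the next hunk header). ADD_DEFINITIONS(-DWITH_SELINUX) would match the existing style and keep older CMake versions working. The new SELINUX switch also deserves a line in the commit message saying how it is meant to be enabled.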
@@ -56,7 +62,8 @@ ADD_DEFINITIONS(-DDISABLE_INIT)
 ELSE()
 ADD_EXECUTABLE(init initd/init.c initd/early.c initd/preinit.c initd/mkdev.c 
sysupgrade.c watchdog.c
utils/utils.c ${SOURCES_ZRAM})
-TARGET_LINK_LIBRARIES(init ${LIBS})
+TARGET_INCLUDE_DIRECTORIES(init PUBLIC ${SELINUX_INCLUDE_DIRS})
+TARGET_LINK_LIBRARIES(init ${LIBS} ${SELINUX_LIBRARIES})
 INSTALL(TARGETS init
RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR}
 )
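Review bot: TARGET_INCLUDE_DIRECTORIES(init PUBLIC ...) should use PRIVATE, since init is an executable and nothing consumes its usage requirements. Only ${SELINUX_LIBRARIES} is added to the link line, so if pkg-config reports libselinux in a non-default directory the link step will not find it; pass the library directories or ${SELINUX_LDFLAGS} as well.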
diff --git a/initd/init.c b/initd/init.c
index 9b47826..f765b60 100644
--- a/initd/init.c
+++ b/initd/init.c
@@ -29,6 +29,10 @@
 #include 
 #include 
 
+#if defined(WITH_SELINUX)
+#include 
+#endif
+
 #include "../utils/utils.h"
 #include "init.h"
 #include "../watchdog.h"
@@ -67,6 +71,41 @@ cmdline(void)
}
 }
 
+#if defined(WITH_SELINUX)
+static int
+selinux(char **argv)
+{
+   int enforce = 0;
+   int ret;
+
+   /* SELinux already initialized */
+   if (getenv("SELINUX_INIT"))
+   return 0;
+
+   putenv("SELINUX_INIT=1");
+
+   printf("Loading SELinux policy...\n");
+
+   ret = selinux_init_load_policy();
+   printf("selinux_init_load_policy returned %d\n", ret);
+   if (ret == 0)
+   execv(argv[0], argv);
+
+   if (enforce > 0) {
+   fprintf(stderr, "Cannot load SELinux policy, but system in 
enforcing mode. Halting.\n");
+   return 1;
+   }
+
+   return 0;
+}
+#else
+static int
+selinux(char **argv)
+{
+   return 0;
+}
+#endif
+
 int
 main(int argc, char **argv)
 {
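Review bot: In selinux(), a failed execv() is never reported: when the call returns, control falls through to the enforce check with no perror() or errno in the log, and in the non-enforcing case the function returns 0, so init carries on without having re-executed under the loaded policy. Log the execv() failure explicitly. The "selinux_init_load_policy returned %d" printf reads like leftover debug output and should be dropped or folded into the error path, and setenv("SELINUX_INIT", "1", 1) would be cleaner than handing a string literal to putenv().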
@@ -79,6 +118,8 @@ main(int argc, char **argv)
sigaction(SIGUSR2, _shutdown, NULL);
sigaction(SIGPWR, _shutdown, NULL);
 
+   if (selinux(argv))
+   exit(-1);
early();
cmdline();
watchdog_init(1);
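Review bot: exit(-1) on the selinux() failure path terminates PID 1, which the kernel treats as a panic rather than a clean halt, and the status is truncated to 255 in any case. Since the call sits before early(), decide explicitly what the failure mode should be (for example the failsafe path raised in the review of this patch) and add a comment next to the call explaining it.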
-- 
2.23.0




Re: [OpenWrt-Devel] [PATCH 01/11] tools/libaio: new package

2019-07-25 Thread Thomas Petazzoni
Hello Hauke,

On Thu, 25 Jul 2019 15:07:50 +0200
Thomas Petazzoni  wrote:

> > Indeed, what CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED=y really needs is
> > cryptsetup, the rest are mere build dependencies to build cryptsetup.  
> 
> Do you have some feedback on this particular question ? Ideally, I'd
> like to have just:
> 
> tools-$(CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED) += cryptsetup
> 
> in tools/Makefile, but I don't know in tools/cryptsetup/Makefile how to
> express the dependencies it has on other tools. I briefly looked at
> other tools/*/Makefile, and couldn't spot any that has a dependency on
> something else.

Stupid me, the dependencies are obviously described in tools/Makefile,
my patches even take that into account. So all clear on this, I'll take
into account your comment in v2.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



Re: [OpenWrt-Devel] [PATCH 01/11] tools/libaio: new package

2019-07-25 Thread Thomas Petazzoni
Hello Hauke,

I'm finally getting back to this dm-verity work, and I have a question below.

On Mon, 25 Mar 2019 18:20:09 +0100
Thomas Petazzoni  wrote:

> > > diff --git a/tools/Makefile b/tools/Makefile
> > > index 9a354f6c70..9702b4df25 100644
> > > --- a/tools/Makefile
> > > +++ b/tools/Makefile
> > > @@ -27,6 +27,7 @@ tools-y += sstrip make-ext4fs e2fsprogs mtd-utils 
> > > mkimage
> > >  tools-y += firmware-utils patch-image quilt padjffs2
> > >  tools-y += mm-macros missing-macros cmake scons bc findutils gengetopt 
> > > patchelf
> > >  tools-y += mtools dosfstools libressl
> > > +tools-y += libaio
> > 
> > > I would prefer if this only gets built when
> > CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED is set or some other config variable.  
> 
> Sure. I was a bit confused by this to be honest. Wouldn't it be
> possible to just add "cryptsetup" to tools-y when
> CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED=y, and have the other packages
> (libaio, popt, lvm2) be simply built as dependencies of cryptsetup ?
> 
> Indeed, what CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED=y really needs is
> cryptsetup, the rest are mere build dependencies to build cryptsetup.

Do you have some feedback on this particular question ? Ideally, I'd
like to have just:

tools-$(CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED) += cryptsetup

in tools/Makefile, but I don't know in tools/cryptsetup/Makefile how to
express the dependencies it has on other tools. I briefly looked at
other tools/*/Makefile, and couldn't spot any that has a dependency on
something else.

> > > +include $(INCLUDE_DIR)/host-build.mk
> > > +
> > > +define Host/Configure
> > > +endef
> > 
> > Is this empty configure section needed?  
> 
> Meh, most likely not. Will fix and retest.

In fact, if you look at tools/*/Makefile, there is a common pattern of
defining Host/Configure to an empty variable:

missing-macros/Makefile:define Host/Configure
missing-macros/Makefile-endef

padjffs2/Makefile:define Host/Configure
padjffs2/Makefile-endef

scons/Makefile:define Host/Configure
scons/Makefile-endef

sdimage/Makefile:define Host/Configure
sdimage/Makefile-endef

this is probably to avoid using the default Host/Configure
implementation from include/host-build.mk. But ok, in my case, using
the default implementation from include/host-build.mk, which does
nothing if there's no configure script, should work just fine.

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



Re: [OpenWrt-Devel] [PATCH 00/11] Proposal for dm-verity support

2019-03-26 Thread Thomas Petazzoni
Hello Hauke,

On Mon, 25 Mar 2019 23:13:17 +0100
Hauke Mehrtens  wrote:

> Using some boot arguments sounds like a good solution, but I am not an
> expert on the file system handling.

OK, thanks. Do you know who would be the appropriate person to discuss
this ?

> The default has to be the current
> behavior, because we do not have control over all boot loaders, I assume
> that people who need this special behavior have control over their boot
> loader.

Yes of course the default would be to preserve the current behavior.

> Do you know if it is possible to support dm-verity also for the overlay
> file system?

dm-verity by essence only supports read-only accesses. dm-verity
generates a tree of hashes at "build" time, i.e. with "veritysetup
format" and at runtime, dm-verity checks that the hash of the blocks
being read matches the hash stored in the hash tree. So the data blocks
cannot be changed: any change in a data block will cause a hash
mismatch, which results in an I/O error: it's exactly what dm-verity
wants to detect, that the data has been tampered with.

> > As I replied to your review on patch 08/11, the 5.1 kernel will have
> > support for setting up DM devices on the kernel command line, it has
> > been merged upstream.  
> 
> It would be nice if you could backport the upstream version to kernel
> 4.14 and 4.19, you do not have to care about the old kernels, when we
> move to the next LTS kernel we can just remove the patches.

OK, I'll see if the upstream version is reasonable enough to be
backported.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
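
The build-time/run-time split described in the reply above, as an added example that is not part of the original message or of the OpenWrt patches: a simplified in-memory model of a dm-verity style hash tree (salted SHA-256, 4096-byte blocks). The function names, the salt and the sample image are constructed for illustration, and the layout is not claimed to be byte-compatible with what veritysetup writes.

```python
import hashlib

BLOCK = 4096                                  # data and hash block size
DIGEST = hashlib.sha256().digest_size         # 32 bytes
FANOUT = BLOCK // DIGEST                      # 128 digests fit in one hash block


def block_hash(salt: bytes, block: bytes) -> bytes:
    """Salted digest of one block (salt first, then the block contents)."""
    return hashlib.sha256(salt + bytes(block)).digest()


def build_tree(data, salt: bytes):
    """Build-time step: return (levels, root_hash).

    levels[0] holds the hash blocks that cover the data blocks and levels[-1]
    is the single top hash block. Only root_hash has to be kept somewhere
    trusted; the levels can live on the same untrusted storage as the data.
    """
    if not data or len(data) % BLOCK:
        raise ValueError("image must be a non-empty multiple of the block size")
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    levels = []
    while True:
        digests = [block_hash(salt, b) for b in blocks]
        hash_blocks = [
            b"".join(digests[i:i + FANOUT]).ljust(BLOCK, b"\0")
            for i in range(0, len(digests), FANOUT)
        ]
        levels.append(hash_blocks)
        if len(hash_blocks) == 1:
            return levels, block_hash(salt, hash_blocks[0])
        blocks = hash_blocks                  # next level hashes the hash blocks


def read_block(data, levels, salt: bytes, root_hash: bytes, index: int) -> bytes:
    """Run-time step: return data block `index`, or raise OSError on mismatch."""
    if not 0 <= index < len(data) // BLOCK:
        raise IndexError("block index out of range")
    block = bytes(data[index * BLOCK:(index + 1) * BLOCK])
    digest, pos = block_hash(salt, block), index
    for level in levels:                      # walk from the leaf up to the top
        hash_block = level[pos // FANOUT]
        off = (pos % FANOUT) * DIGEST
        if hash_block[off:off + DIGEST] != digest:
            raise OSError(f"verity: block {index} does not match the hash tree")
        digest, pos = block_hash(salt, hash_block), pos // FANOUT
    if digest != root_hash:
        raise OSError("verity: hash tree does not match the trusted root hash")
    return block


def try_read(data, levels, salt, root_hash, index) -> str:
    """Return "ok" or the I/O error text, as a reader of the device would see it."""
    try:
        read_block(data, levels, salt, root_hash, index)
        return "ok"
    except OSError as exc:
        return str(exc)


def make_image(nblocks: int = 300) -> bytearray:
    """Constructed sample image: block i is filled with the byte i % 251."""
    return bytearray(b"".join(bytes([i % 251]) * BLOCK for i in range(nblocks)))


if __name__ == "__main__":
    salt = bytes(range(32))                   # constructed salt
    image = make_image()
    levels, root = build_tree(image, salt)    # done once, when the image is built
    print("hash blocks per level:", [len(lv) for lv in levels])
    print("clean read      :", try_read(image, levels, salt, root, 200))

    image[200 * BLOCK] ^= 0xFF                # one modified byte on storage
    print("modified block  :", try_read(image, levels, salt, root, 200))
    print("untouched block :", try_read(image, levels, salt, root, 0))

    # Data and hash tree both regenerated on storage; only the root hash,
    # held outside that storage, still refers to the original image.
    new_levels, new_root = build_tree(image, salt)
    print("regenerated tree:", try_read(image, new_levels, salt, root, 200))
```

The last case is why the root hash has to be delivered through a trusted channel: a hash tree stored next to the data protects nothing on its own if the value it is compared against can be replaced along with it.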



Re: [OpenWrt-Devel] [PATCH 00/11] Proposal for dm-verity support

2019-03-25 Thread Thomas Petazzoni
Hello Hauke,

On Mon, 25 Mar 2019 18:31:19 +0100
Hauke Mehrtens  wrote:

> > This "hash tree" is a bunch of metadata that needs to be stored on
> > non-volatile storage. It can be appended to the filesystem data, or
> > stored on a separate block device/partition. We have chosen to support
> > only the case where it is appended to the filesystem data.  
> 
> This sounds interesting, from a community perspective I do not like
> secure boot, because it makes it harder to hack the devices, but I know
> that many vendors are interested in this.

Indeed. That being said, dm-verity per-se is not sufficient to achieve
security: the root hash needs to come from a trusted source, i.e.
typically a signed kernel image. But I agree overall dm-verity is part
of a plan to lock down devices.

> >  - The seventh patch adds the code itself that generates the dm-verity
> >capable squashfs image, and a script that produces the U-Boot
> >script with the various parameters needed to setup the DM device at
> >boot time.  
> 
> How do you handle the overlay filesystem? An attacker could place there
> some new binaries which would just replace the original ones.

At the moment, I have a hacky patch on fstools that simply disables
mounting an overlay filesystem entirely, i.e the system is completely
read-only. I am not sure yet how to turn this into a clean solution
that can be accepted upstream: fstools is currently doing all its
overlay logic in a very automated way, with not much configuration to
adjust its behavior. I was thinking of adding a kernel argument like
openwrt.overlayfs={none,ram,default} to be able to force a certain
behavior with the overlay, but I'm open to suggestions.

> >  - The eighth patch adds two kernel patches that allow setting up a DM
> >device at boot time. In the upstream kernel, setting up a DM device
> >requires userspace tools and therefore an initramfs, which is
> >impractical. Those two patches have been submitted numerous times
> >by folks from Google and Redhat, but have remained out of tree so
> >far.  
> 
> We know this problem in that area. ;-)

As I replied to your review on patch 08/11, the 5.1 kernel will have
support for setting up DM devices on the kernel command line, it has
been merged upstream.

> There are some kernel patches (?) which detect how big the squashfs
> filesystem is and then create an extra partition there. You should
> probably make this detection aware of dm-verity.

It's actually user-space code in fstools that does this, at least for
the MMC case. It looks at the squashfs filesystem size, and then
creates a loop device that starts right after the squashfs filesystem,
and uses it as a f2fs filesystem to store the overlay information.

As explained above, I've worked-around this stuff for now with a hacky
patch in fstools to completely disable setting up an overlayfs.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



Re: [OpenWrt-Devel] [PATCH 08/11] target/linux/generic: add patches to support dm-verity volume at boot

2019-03-25 Thread Thomas Petazzoni
Hello,

On Mon, 25 Mar 2019 18:23:14 +0100
Hauke Mehrtens  wrote:

> >  ...-to-directly-boot-to-a-mapped-device.patch | 633 ++
> >  ...l-add-a-device-mapper-ioctl-function.patch |  98 +++
> >  2 files changed, 731 insertions(+)
> >  create mode 100644 
> > target/linux/generic/pending-4.14/960-init-add-support-to-directly-boot-to-a-mapped-device.patch
> >  create mode 100644 
> > target/linux/generic/pending-4.14/961-dm-ioctl-add-a-device-mapper-ioctl-function.patch
> >   
> 
> Please add this also to target/linux/generic/pending-4.19, otherwise
> this could get lost when we upgrade.

OK, will do. In fact, I may need to change those patches: in the 5.1
merge window, the exact same feature was merged, but I'll probably try
to backport those upstream patches instead. And when you upgrade from 4.19
to something else, you'll be able to drop the patches anyway, as the
feature is in upstream now.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



Re: [OpenWrt-Devel] [PATCH 07/11] include/image.mk: add support for building a dm-verity enabled squashfs image

2019-03-25 Thread Thomas Petazzoni
Hello Hauke,

Once again, thanks for the review!

On Mon, 25 Mar 2019 18:21:56 +0100
Hauke Mehrtens  wrote:

> >  fs-types-$(CONFIG_TARGET_ROOTFS_SQUASHFS) += squashfs
> > +fs-types-$(CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED) += squashfs-hashed
> >  fs-types-$(CONFIG_TARGET_ROOTFS_JFFS2) += $(addprefix 
> > jffs2-,$(JFFS2_BLOCKSIZE))
> >  fs-types-$(CONFIG_TARGET_ROOTFS_JFFS2_NAND) += $(addprefix 
> > jffs2-nand-,$(NAND_BLOCKSIZE))
> >  fs-types-$(CONFIG_TARGET_ROOTFS_EXT4FS) += ext4
> > @@ -207,6 +208,17 @@ define Image/mkfs/squashfs
> > $(if $(SOURCE_DATE_EPOCH),-fixed-time $(SOURCE_DATE_EPOCH))
> >  endef
> >  
> > +define Image/mkfs/squashfs-hashed
> > +   $(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \  
> 
> Why don't you just call Image/mkfs/squashfs here and then do the
> additional veritysetup?

Because Image/mkfs/squashfs passes the -nopad option, causing the image
to not be 4 KB-padded, while "veritysetup format" needs a 4KB-padded
image, which is what mksquashfs does by default when -nopad is *not*
passed. An alternate solution is to use Image/mkfs/squashfs, and then
pad the image separately.

> > +   -noappend -root-owned \
> > +   -comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \
> > +   -processors 1 \
> > +   $(if $(SOURCE_DATE_EPOCH),-fixed-time $(SOURCE_DATE_EPOCH))  
> 
> Setting SOURCE_DATE_EPOCH is not needed any more.

Ah, indeed, it has been dropped from Image/mkfs/squashfs. Allowed me to
discover the squashfskit fork of squashfs-tools, which I wasn't aware
of.

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



Re: [OpenWrt-Devel] [PATCH 01/11] tools/libaio: new package

2019-03-25 Thread Thomas Petazzoni
Hello Hauke,

Thanks for the review!

On Mon, 25 Mar 2019 18:13:50 +0100
Hauke Mehrtens  wrote:

> On 3/11/19 5:20 PM, Thomas Petazzoni wrote:
> > From: Thomas Petazzoni   
> 
> Does this email address still exist?

It does exist and work, but I'm not supposed to use it. I'll fix this
up, there was some old .gitconfig lying around.

> > diff --git a/tools/Makefile b/tools/Makefile
> > index 9a354f6c70..9702b4df25 100644
> > --- a/tools/Makefile
> > +++ b/tools/Makefile
> > @@ -27,6 +27,7 @@ tools-y += sstrip make-ext4fs e2fsprogs mtd-utils mkimage
> >  tools-y += firmware-utils patch-image quilt padjffs2
> >  tools-y += mm-macros missing-macros cmake scons bc findutils gengetopt 
> > patchelf
> >  tools-y += mtools dosfstools libressl
> > +tools-y += libaio  
> 
> I would prefer if this only gets built when
> CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED is set or some other config variable.

Sure. I was a bit confused by this to be honest. Wouldn't it be
possible to just add "cryptsetup" to tools-y when
CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED=y, and have the other packages
(libaio, popt, lvm2) be simply built as dependencies of cryptsetup ?

Indeed, what CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED=y really needs is
cryptsetup, the rest are mere build dependencies to build cryptsetup.

> > +PKG_NAME:=libaio
> > +PKG_VERSION:=0.3.111
> > +PKG_HASH:=62cf871ad8fd09eb3418f00aca7a7d449299b8e1de31c65f28bf6a2ef1fa502a
> > +PKG_RELEASE:=1
> > +
> > +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
> > +PKG_SOURCE_URL:=https://releases.pagure.org/libaio
> > +
> > +HOST_BUILD_PARALLEL:=1
> > +
> > +include $(INCLUDE_DIR)/host-build.mk
> > +
> > +define Host/Configure
> > +endef  
> 
> Is this empty configure section needed?

Meh, most likely not. Will fix and retest.

Again, thanks for the review, much appreciated!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



[OpenWrt-Devel] [PATCH 08/11] target/linux/generic: add patches to support dm-verity volume at boot

2019-03-11 Thread Thomas Petazzoni
The upstream Linux kernel does not provide a mechanism to set up a DM
volume at boot time using the kernel command line: an initramfs with
user-space tools is strictly required. Since OpenWRT doesn't support
an initramfs as an intermediate step before mounting the real root
filesystem, this requirement of the upstream kernel makes it difficult
to use dm-verity in the context of OpenWRT.

However, some patches have been repeatedly contributed to the upstream
kernel (but not accepted so far) to add a dm="..." kernel argument
that allows setting up a DM device from the kernel command line. This
avoids the need for an initramfs just to set up a DM device
at boot time.

Signed-off-by: Thomas Petazzoni 
---
 ...-to-directly-boot-to-a-mapped-device.patch | 633 ++
 ...l-add-a-device-mapper-ioctl-function.patch |  98 +++
 2 files changed, 731 insertions(+)
 create mode 100644 
target/linux/generic/pending-4.14/960-init-add-support-to-directly-boot-to-a-mapped-device.patch
 create mode 100644 
target/linux/generic/pending-4.14/961-dm-ioctl-add-a-device-mapper-ioctl-function.patch

diff --git 
a/target/linux/generic/pending-4.14/960-init-add-support-to-directly-boot-to-a-mapped-device.patch
 
b/target/linux/generic/pending-4.14/960-init-add-support-to-directly-boot-to-a-mapped-device.patch
new file mode 100644
index 00..0448ffe910
--- /dev/null
+++ 
b/target/linux/generic/pending-4.14/960-init-add-support-to-directly-boot-to-a-mapped-device.patch
@@ -0,0 +1,633 @@
+From da4abfee16ed5cb2411121a503264809c25e9a57 Mon Sep 17 00:00:00 2001
+From: Will Drewry 
+Date: Fri, 19 May 2017 09:11:45 +0200
+Subject: [PATCH] init: add support to directly boot to a mapped device
+
+Add a dm= kernel parameter modeled after the md= parameter from
+do_mounts_md. It allows for device-mapper targets to be configured at
+boot time for use early in the boot process (as the root device or
+otherwise).
+
+Signed-off-by: Will Drewry 
+Signed-off-by: Kees Cook 
+[rework to use dm_ioctl calls]
+Signed-off-by: Enric Balletbo i Serra 
+---
+ .../admin-guide/kernel-parameters.rst |   1 +
+ .../admin-guide/kernel-parameters.txt |   3 +
+ Documentation/device-mapper/dm-boot.txt   |  65 +++
+ init/Makefile |   1 +
+ init/do_mounts.c  |   1 +
+ init/do_mounts.h  |  10 +
+ init/do_mounts_dm.c   | 459 ++
+ 7 files changed, 540 insertions(+)
+ create mode 100644 Documentation/device-mapper/dm-boot.txt
+ create mode 100644 init/do_mounts_dm.c
+
+diff --git a/Documentation/admin-guide/kernel-parameters.rst 
b/Documentation/admin-guide/kernel-parameters.rst
+index b2598cc9834c..55eb1a39d3e1 100644
+--- a/Documentation/admin-guide/kernel-parameters.rst
 b/Documentation/admin-guide/kernel-parameters.rst
+@@ -92,6 +92,7 @@ parameter is applicable::
+   BLACKFIN Blackfin architecture is enabled.
+   CLK Common clock infrastructure is enabled.
+   CMA Contiguous Memory Area support is enabled.
++  DM  Device mapper support is enabled.
+   DRM Direct Rendering Management support is enabled.
+   DYNAMIC_DEBUG Build in debug messages and enable them at runtime
+   EDD BIOS Enhanced Disk Drive Services (EDD) is enabled
+diff --git a/Documentation/admin-guide/kernel-parameters.txt 
b/Documentation/admin-guide/kernel-parameters.txt
+index 7d8b17ce8804..98c95029ec30 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
 b/Documentation/admin-guide/kernel-parameters.txt
+@@ -837,6 +837,9 @@
+ 
+   dis_ucode_ldr   [X86] Disable the microcode loader.
+ 
++  dm= [DM] Allows early creation of a device-mapper device.
++  See Documentation/device-mapper/boot.txt.
++
+   dma_debug=off   If the kernel is compiled with DMA_API_DEBUG support,
+   this option disables the debugging code at boot.
+ 
+diff --git a/Documentation/device-mapper/dm-boot.txt 
b/Documentation/device-mapper/dm-boot.txt
+new file mode 100644
+index ..50f08ecd2a48
+--- /dev/null
 b/Documentation/device-mapper/dm-boot.txt
+@@ -0,0 +1,65 @@
++Boot time creation of mapped devices
++
++
++It is possible to configure a device mapper device to act as the root
++device for your system in two ways.
++
++The first is to build an initial ramdisk which boots to a minimal
++userspace which configures the device, then pivot_root(8) in to it.
++
++The second is to possible when the device-mapper and any targets are
++compiled into the kernel (not a module), one or more device-mappers may
++be created and used as the root device at boot time with the parameters
++given with the boot line dm=...
++
++The format is specified as a simple string of data separated by commas and
++optionally semi-colons, where:
++ - a comma is used to separate fields like name, u

[OpenWrt-Devel] [PATCH 11/11] target/linux/mvebu: generate a FIT image on Armada XP GP with dm-verity

2019-03-11 Thread Thomas Petazzoni
When a dm-verity capable is selected, the user will most likely need
the U-Boot script that contains the various dm-verity related
configuration details, needed by U-Boot to build the kernel command
line with the appropriate dm="..." argument.

Therefore, for the Marvell Armada XP GP platform, make sure a FIT
image containing the dm-verity related U-Boot script is produced when
CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED is enabled.

Signed-off-by: Thomas Petazzoni 
---
 target/linux/mvebu/image/cortex-a9.mk | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/target/linux/mvebu/image/cortex-a9.mk 
b/target/linux/mvebu/image/cortex-a9.mk
index 6e38549d77..c959e871c6 100644
--- a/target/linux/mvebu/image/cortex-a9.mk
+++ b/target/linux/mvebu/image/cortex-a9.mk
@@ -110,9 +110,23 @@ define Device/armada-xp-db
 endef
 TARGET_DEVICES += armada-xp-db
 
+ifeq ($(CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED),y)
+define Device/armada-xp-gp/kernel
+   ITS_UBOOT_SCRIPT := 
$(KDIR)/root.squashfs-hashed-dm-verity-uboot-script.txt
+   KERNEL := kernel-bin | append-dtb | fit none
+   KERNEL_SIZE := 4096k
+endef
+else
+define Device/armada-xp-gp/kernel
+   KERNEL := kernel-bin | append-dtb | uImage none
+   KERNEL_SIZE := 4096k
+endef
+endif
+
 define Device/armada-xp-gp
$(call Device/marvell-nand,XP GP (DB-MV784MP-GP))
$(Device/UBI-factory)
+   $(Device/armada-xp-gp/kernel)
 endef
 TARGET_DEVICES += armada-xp-gp
 
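Review bot: The FIT built in the CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED branch carries the dm-verity parameters through ITS_UBOOT_SCRIPT, but nothing in this hunk arranges for that FIT to be signed or verified, so the root hash is only as trustworthy as the image that delivers it. State in the commit message what is expected to authenticate the FIT on this board. As a style point, KERNEL_SIZE := 4096k is duplicated in both branches; only the fit/uImage step differs and could be the single conditional part.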
-- 
2.20.1




[OpenWrt-Devel] [PATCH 07/11] include/image.mk: add support for building a dm-verity enabled squashfs image

2019-03-11 Thread Thomas Petazzoni
This commit adds a new TARGET_ROOTFS_SQUASHFS_HASHED option that asks
OpenWRT to generate a squashfs image suitable for usage with
dm-verity. The squashfs image is produced, and then passed through
"cryptsetup format" which appends the hash tree to the image.

The output of "cryptsetup format" is passed to a custom script that
parses that output and generates a U-Boot script that defines U-Boot
variables describing the different aspects of the dm-verity
volume. Such values are necessary to be able to build the kernel
command line to mount the dm-verity volume as the root filesystem.

Signed-off-by: Thomas Petazzoni 
---
 config/Config-images.in   |  4 +++
 include/image.mk  | 12 +++
 scripts/prepare-dm-verity-uboot-script.sh | 41 +++
 3 files changed, 57 insertions(+)
 create mode 100755 scripts/prepare-dm-verity-uboot-script.sh

diff --git a/config/Config-images.in b/config/Config-images.in
index 6fa9a67cb6..95a8af8502 100644
--- a/config/Config-images.in
+++ b/config/Config-images.in
@@ -152,6 +152,10 @@ menu "Target Images"
default 1024 if (SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
default 256
 
+   config TARGET_ROOTFS_SQUASHFS_HASHED
+   bool "hash with veritysetup"
+   depends on TARGET_ROOTFS_SQUASHFS
+
menuconfig TARGET_ROOTFS_UBIFS
bool "ubifs"
default y if USES_UBIFS
diff --git a/include/image.mk b/include/image.mk
index f2a85f6feb..718d3780c9 100644
--- a/include/image.mk
+++ b/include/image.mk
@@ -87,6 +87,7 @@ endif
 JFFS2_BLOCKSIZE ?= 64k 128k
 
 fs-types-$(CONFIG_TARGET_ROOTFS_SQUASHFS) += squashfs
+fs-types-$(CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED) += squashfs-hashed
 fs-types-$(CONFIG_TARGET_ROOTFS_JFFS2) += $(addprefix 
jffs2-,$(JFFS2_BLOCKSIZE))
 fs-types-$(CONFIG_TARGET_ROOTFS_JFFS2_NAND) += $(addprefix 
jffs2-nand-,$(NAND_BLOCKSIZE))
 fs-types-$(CONFIG_TARGET_ROOTFS_EXT4FS) += ext4
@@ -207,6 +208,17 @@ define Image/mkfs/squashfs
$(if $(SOURCE_DATE_EPOCH),-fixed-time $(SOURCE_DATE_EPOCH))
 endef
 
+define Image/mkfs/squashfs-hashed
+   $(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \
+   -noappend -root-owned \
+   -comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \
+   -processors 1 \
+   $(if $(SOURCE_DATE_EPOCH),-fixed-time $(SOURCE_DATE_EPOCH))
+   filesize=`stat -c "%s" $@` ; \
+   $(STAGING_DIR_HOST)/bin/veritysetup format --hash-offset=$${filesize} 
$@ $@ \
+   | $(TOPDIR)/scripts/prepare-dm-verity-uboot-script.sh > 
$@-dm-verity-uboot-script.txt
+endef
+
 # $(1): board name
 # $(2): rootfs type
 # $(3): kernel image
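Review bot: In Image/mkfs/squashfs-hashed the exit status of veritysetup format is lost because its output is piped straight into prepare-dm-verity-uboot-script.sh, so a failed format still leaves a -dm-verity-uboot-script.txt behind and the build goes on. Write the veritysetup output to a temporary file, check the status, then run the script on that file. The recipe also relies on mksquashfs4 padding the image to 4 KB (no -nopad), which deserves a comment because --hash-offset is taken directly from the file size.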
diff --git a/scripts/prepare-dm-verity-uboot-script.sh 
b/scripts/prepare-dm-verity-uboot-script.sh
new file mode 100755
index 00..846e52b989
--- /dev/null
+++ b/scripts/prepare-dm-verity-uboot-script.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+while read line; do
+   key=$(echo ${line} | cut -f1 -d':')
+   value=$(echo ${line} | cut -f2 -d':')
+
+   case "${key}" in
+   "UUID")
+   UUID=${value}
+   ;;
+   "Data blocks")
+   DATA_BLOCKS=${value}
+   ;;
+   "Data block size")
+   DATA_BLOCK_SIZE=${value}
+   ;;
+   "Hash block size")
+   HASH_BLOCK_SIZE=${value}
+   ;;
+   "Hash algorithm")
+   HASH_ALG=${value}
+   ;;
+   "Salt")
+   SALT=${value}
+   ;;
+   "Root hash")
+   ROOT_HASH=${value}
+   ;;
+   esac
+done
+
+SECTORS=$((${DATA_BLOCKS} * 8))
+
+echo setenv verity_sectors $((${DATA_BLOCKS} * 8))
+echo setenv verity_data_blocks ${DATA_BLOCKS}
+echo setenv verity_hash_start $((${DATA_BLOCKS} + 1))
+echo setenv verity_data_block_sz ${DATA_BLOCK_SIZE}
+echo setenv verity_hash_block_sz ${HASH_BLOCK_SIZE}
+echo setenv verity_hash_alg ${HASH_ALG}
+echo setenv verity_salt ${SALT}
+echo setenv verity_root_hash ${ROOT_HASH}
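Review bot: Nothing in prepare-dm-verity-uboot-script.sh checks that the fields were actually found: if the input lacks the "Root hash" or "Salt" line, the corresponding setenv is still written with an empty value. Fail with a non-zero status when any expected field is empty. The "* 8" in verity_sectors hard-codes 4096-byte data blocks over 512-byte sectors even though DATA_BLOCK_SIZE is parsed a few lines earlier, SECTORS is computed and never used, and read should be read -r with the expansions quoted.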
-- 
2.20.1




[OpenWrt-Devel] [PATCH 10/11] target/linux/mvebu/config-4.14: enable options needed for dm-verity

2019-03-11 Thread Thomas Petazzoni
This commit updates the Linux kernel configuration used on Marvell
platforms to support dm-verity.

Signed-off-by: Thomas Petazzoni 
---
 target/linux/mvebu/config-4.14 | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/target/linux/mvebu/config-4.14 b/target/linux/mvebu/config-4.14
index 296da5a109..e904725e23 100644
--- a/target/linux/mvebu/config-4.14
+++ b/target/linux/mvebu/config-4.14
@@ -65,7 +65,10 @@ CONFIG_ASYNC_TX_ENABLE_CHANNEL_SWITCH=y
 CONFIG_ATA=y
 CONFIG_ATAGS=y
 CONFIG_AUTO_ZRELADDR=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_BLK_DEV_DM_BUILTIN=y
 CONFIG_BLK_DEV_LOOP=y
+# CONFIG_BLK_DEV_MD is not set
 CONFIG_BLK_DEV_SD=y
 CONFIG_BLK_MQ_PCI=y
 CONFIG_BLK_SCSI_REQUEST=y
@@ -166,6 +169,13 @@ CONFIG_DMADEVICES=y
 CONFIG_DMA_ENGINE=y
 CONFIG_DMA_ENGINE_RAID=y
 CONFIG_DMA_OF=y
+CONFIG_DM_BUFIO=y
+# CONFIG_DM_CRYPT is not set
+# CONFIG_DM_DEBUG_BLOCK_MANAGER_LOCKING is not set
+# CONFIG_DM_MIRROR is not set
+# CONFIG_DM_SNAPSHOT is not set
+CONFIG_DM_VERITY=y
+# CONFIG_DM_VERITY_FEC is not set
 CONFIG_DTC=y
 CONFIG_EARLY_PRINTK=y
 CONFIG_EDAC_ATOMIC_SCRUB=y
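Review bot: CONFIG_DM_BUFIO=y and CONFIG_DM_VERITY=y here, together with CONFIG_BLK_DEV_DM=y and CONFIG_MD=y in the neighbouring hunks, are built into every mvebu kernel, including builds that never select TARGET_ROOTFS_SQUASHFS_HASHED. State the kernel size cost in the commit message, or make these options depend on the hashed-rootfs configuration.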
@@ -302,6 +312,7 @@ CONFIG_MACH_MVEBU_V7=y
 CONFIG_MAGIC_SYSRQ=y
 CONFIG_MANGLE_BOOTARGS=y
 CONFIG_MARVELL_PHY=y
+CONFIG_MD=y
 CONFIG_MDIO_BUS=y
 CONFIG_MDIO_DEVICE=y
 CONFIG_MDIO_I2C=y
-- 
2.20.1




[OpenWrt-Devel] [PATCH 03/11] tools/popt: new package

2019-03-11 Thread Thomas Petazzoni
popt for the host will be needed as a dependency of cryptsetup for the
host.

Signed-off-by: Thomas Petazzoni 
---
 tools/Makefile  |  2 +-
 tools/popt/Makefile | 22 ++
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 tools/popt/Makefile

diff --git a/tools/Makefile b/tools/Makefile
index 0127fa6fda..4941fed38d 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -27,7 +27,7 @@ tools-y += sstrip make-ext4fs e2fsprogs mtd-utils mkimage
 tools-y += firmware-utils patch-image quilt padjffs2
 tools-y += mm-macros missing-macros cmake scons bc findutils gengetopt patchelf
 tools-y += mtools dosfstools libressl
-tools-y += libaio lvm2
+tools-y += libaio lvm2 popt
 tools-$(CONFIG_TARGET_orion_generic) += wrt350nv2-builder upslug2
 tools-$(CONFIG_TARGET_x86) += qemu
 tools-$(CONFIG_TARGET_mxs) += elftosb sdimage
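Review bot: The "tools-y += libaio lvm2 popt" line builds these host tools for every configuration, although the commit message says popt is only needed as a dependency of the host cryptsetup. Gate the line on the option that actually needs cryptsetup, following the tools-$(CONFIG_...) lines directly below it.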
diff --git a/tools/popt/Makefile b/tools/popt/Makefile
new file mode 100644
index 00..7a6de9fa02
--- /dev/null
+++ b/tools/popt/Makefile
@@ -0,0 +1,22 @@
+#
+# Copyright (C) 2010-2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=popt
+PKG_VERSION:=1.16
+PKG_HASH:=e728ed296fe9f069a0e005003c3d6b2dde3d9cad453422a10d6558616d304cc8
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=http://rpm5.org/files/popt
+
+HOST_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/host-build.mk
+
+$(eval $(call HostBuild))
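Review bot: PKG_SOURCE_URL in the new tools/popt/Makefile fetches over plain http://rpm5.org/files/popt. PKG_HASH pins the tarball, so a modified download would be rejected, but an HTTPS source or a mirror is preferable if one exists. The header also carries "Copyright (C) 2010-2015" on a file created in 2019, which looks copied from another package.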
-- 
2.20.1




[OpenWrt-Devel] [PATCH 05/11] scripts/mkits.sh: extend with -s option to include a U-Boot script

2019-03-11 Thread Thomas Petazzoni
The mkits.sh script prepares a .its file describing a FIT image. This commit
extends it to support a -s option, which allows passing a file that
should be embedded as a U-Boot script in the FIT image.

This will be used as part of the dm-verity integration to add in the
FIT image a U-Boot script that provides the details of the dm-verity
volume (salt, root hash, number of data blocks, start of hash blocks,
etc.).

Signed-off-by: Thomas Petazzoni 
---
 scripts/mkits.sh | 21 +++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/scripts/mkits.sh b/scripts/mkits.sh
index 5d836be8e4..1033551555 100755
--- a/scripts/mkits.sh
+++ b/scripts/mkits.sh
@@ -16,7 +16,8 @@
 
 usage() {
echo "Usage: `basename $0` -A arch -C comp -a addr -e entry" \
-   "-v version -k kernel [-D name -d dtb] -o its_file"
+   "-v version -k kernel [-D name -d dtb] -o its_file" \
+   "-s script"
echo -e "\t-A ==> set architecture to 'arch'"
echo -e "\t-C ==> set compression type 'comp'"
echo -e "\t-c ==> set config name 'config'"
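Review bot: the usage string appends "-s script" without brackets, which reads as a required argument, while the rest of the patch treats it as optional. Write it as "[-s script]", in the same style as "[-D name -d dtb]", and consider placing it before "-o its_file" so the output file stays last.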
@@ -27,10 +28,11 @@ usage() {
echo -e "\t-D ==> human friendly Device Tree Blob 'name'"
echo -e "\t-d ==> include Device Tree Blob 'dtb'"
echo -e "\t-o ==> create output file 'its_file'"
+   echo -e "\t-s ==> include U-Boot script 'script'"
exit 1
 }
 
-while getopts ":A:a:c:C:D:d:e:k:o:v:" OPTION
+while getopts ":A:a:c:C:D:d:e:k:o:s:v:" OPTION
 do
case $OPTION in
A ) ARCH=$OPTARG;;
@@ -42,6 +44,7 @@ do
e ) ENTRY_ADDR=$OPTARG;;
k ) KERNEL=$OPTARG;;
o ) OUTPUT=$OPTARG;;
+   s ) SCRIPT=$OPTARG;;
v ) VERSION=$OPTARG;;
* ) echo "Invalid option passed to '$0' (options:$@)"
usage;;
@@ -76,6 +79,18 @@ if [ -n "${DTB}" ]; then
 "
 fi
 
+# Conditionally create script information
+if [ -n "${SCRIPT}" ]; then
+   SCRIPT="
+   script {
+   description = \"Script\";
+   data = /incbin/(\"${SCRIPT}\");
+   type = \"script\";
+   compression = \"none\";
+   };
+"
+fi
+
 # Create a default, fully populated DTS file
 DATA="/dts-v1/;
 
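Review bot: the new script node has no hash sub-node, and SCRIPT is overwritten in place with the node text, so the original path is never checked before it is handed to /incbin/. Since the commit message says this script carries the dm-verity root hash, the node should get the same integrity properties as the other images in the file. Using a separate variable for the node text and failing early with a clear message when the file does not exist would also make build errors easier to read than a late dtc or mkimage failure.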
@@ -103,6 +118,8 @@ DATA="/dts-v1/;
 
 ${FDT}
 
+${SCRIPT}
+
};
 
configurations {
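Review bot: ${SCRIPT} is added to the images section, but no hunk in this patch references the script from the configurations block that starts just below. If the FIT image is signed per configuration, please confirm that an image not referenced by the configuration is still covered by that signature; if it is not, the dm-verity parameters in the script could be replaced without invalidating the signed configuration, which defeats the purpose stated in the commit message.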
-- 
2.20.1




[OpenWrt-Devel] [PATCH 09/11] target/linux/mvebu: enable UBI factory image on Armada XP GP

2019-03-11 Thread Thomas Petazzoni
The Armada XP GP has a NAND storage device, so it makes sense to
generate the UBI-based factory image for this platform.

Signed-off-by: Thomas Petazzoni 
---
 target/linux/mvebu/image/cortex-a9.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/target/linux/mvebu/image/cortex-a9.mk 
b/target/linux/mvebu/image/cortex-a9.mk
index 79c3bc7bdb..6e38549d77 100644
--- a/target/linux/mvebu/image/cortex-a9.mk
+++ b/target/linux/mvebu/image/cortex-a9.mk
@@ -112,6 +112,7 @@ TARGET_DEVICES += armada-xp-db
 
 define Device/armada-xp-gp
$(call Device/marvell-nand,XP GP (DB-MV784MP-GP))
+   $(Device/UBI-factory)
 endef
 TARGET_DEVICES += armada-xp-gp
 
-- 
2.20.1




[OpenWrt-Devel] [PATCH 02/11] tools/lvm2: new package

2019-03-11 Thread Thomas Petazzoni
lvm2 for the host will be needed as a dependency to build cryptsetup
for the host.

Signed-off-by: Thomas Petazzoni 
---
 tools/Makefile  |  3 ++-
 tools/lvm2/Makefile | 47 +
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 tools/lvm2/Makefile

diff --git a/tools/Makefile b/tools/Makefile
index 9702b4df25..0127fa6fda 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -27,7 +27,7 @@ tools-y += sstrip make-ext4fs e2fsprogs mtd-utils mkimage
 tools-y += firmware-utils patch-image quilt padjffs2
 tools-y += mm-macros missing-macros cmake scons bc findutils gengetopt patchelf
 tools-y += mtools dosfstools libressl
-tools-y += libaio
+tools-y += libaio lvm2
 tools-$(CONFIG_TARGET_orion_generic) += wrt350nv2-builder upslug2
 tools-$(CONFIG_TARGET_x86) += qemu
 tools-$(CONFIG_TARGET_mxs) += elftosb sdimage
@@ -77,6 +77,7 @@ $(curdir)/zlib/compile := $(curdir)/cmake/compile
 $(curdir)/wrt350nv2-builder/compile := $(curdir)/zlib/compile
 $(curdir)/lzma-old/compile := $(curdir)/zlib/compile
 $(curdir)/make-ext4fs/compile := $(curdir)/zlib/compile
+$(curdir)/lvm2/compile := $(curdir)/pkg-config/compile $(curdir)/libaio/compile
 
 ifneq ($(HOST_OS),Linux)
   tools-y += coreutils
diff --git a/tools/lvm2/Makefile b/tools/lvm2/Makefile
new file mode 100644
index 00..8b37cbaa6c
--- /dev/null
+++ b/tools/lvm2/Makefile
@@ -0,0 +1,47 @@
+#
+# Copyright (C) 2010-2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=lvm2
+PKG_VERSION:=2.02.180
+PKG_HASH:=24997e26dfc916151707c9da504d38d0473bec3481a8230b676bc079041bead6
+PKG_RELEASE:=1
+
+PKG_SOURCE:=LVM2.$(PKG_VERSION).tgz
+PKG_SOURCE_URL:=ftp://sources.redhat.com/pub/lvm2/old
+
+HOST_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/host-build.mk
+
+HOST_CONFIGURE_ARGS += \
+--enable-write_install \
+--enable-pkgconfig \
+--disable-cmdlib \
+--disable-dmeventd \
+--disable-applib \
+--disable-fsadm \
+--disable-readline \
+--disable-selinux
+
+# lvm2 unpacks in the wrong folder
+define Host/Prepare
+   $(call Host/Prepare/Default)
+   mv $(HOST_BUILD_DIR)/../LVM2.$(PKG_VERSION)/* $(HOST_BUILD_DIR)/
+   rmdir $(HOST_BUILD_DIR)/../LVM2.$(PKG_VERSION)
+endef
+
+define Host/Compile
+   $(call Host/Compile/Default,device-mapper)
+endef
+
+define Host/Install
+   $(call Host/Compile/Default,install_device-mapper)
+endef
+
+$(eval $(call HostBuild))
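Review bot: Host/Prepare in the new tools/lvm2/Makefile works around the tarball's directory name with "mv .../LVM2.$(PKG_VERSION)/* ..." followed by rmdir, which skips dotfiles and fails if any are left behind. Pointing HOST_BUILD_DIR at the LVM2.$(PKG_VERSION) directory before including host-build.mk would avoid the move entirely. Host/Install also calls Host/Compile/Default with the install_device-mapper target; a short comment saying this is intentional would help. PKG_SOURCE_URL uses ftp:// from an "old" directory; the PKG_HASH pin covers integrity, but an HTTPS source would be more robust.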
-- 
2.20.1




[OpenWrt-Devel] [PATCH 04/11] tools/cryptsetup: new package

2019-03-11 Thread Thomas Petazzoni
cryptsetup for the host will be needed to create the hash tree of a
dm-verity volume.

Signed-off-by: Thomas Petazzoni 
---
 tools/Makefile|  3 +-
 tools/cryptsetup/Makefile | 28 +++
 .../patches/0001-dont-use-c89.patch   | 13 +
 3 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 tools/cryptsetup/Makefile
 create mode 100644 tools/cryptsetup/patches/0001-dont-use-c89.patch

diff --git a/tools/Makefile b/tools/Makefile
index 4941fed38d..11f8e437fd 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -27,7 +27,7 @@ tools-y += sstrip make-ext4fs e2fsprogs mtd-utils mkimage
 tools-y += firmware-utils patch-image quilt padjffs2
 tools-y += mm-macros missing-macros cmake scons bc findutils gengetopt patchelf
 tools-y += mtools dosfstools libressl
-tools-y += libaio lvm2 popt
+tools-y += libaio lvm2 popt cryptsetup
 tools-$(CONFIG_TARGET_orion_generic) += wrt350nv2-builder upslug2
 tools-$(CONFIG_TARGET_x86) += qemu
 tools-$(CONFIG_TARGET_mxs) += elftosb sdimage
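Review bot: adding cryptsetup to the unconditional tools-y line (after libaio, lvm2 and popt in the earlier patches) makes every build compile four extra host packages even when no dm-verity image is requested. Consider gating them with a tools-$(CONFIG_...) line on the image option this series adds in config/Config-images.in, the way the target-specific tools below are gated.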
@@ -78,6 +78,7 @@ $(curdir)/wrt350nv2-builder/compile := $(curdir)/zlib/compile
 $(curdir)/lzma-old/compile := $(curdir)/zlib/compile
 $(curdir)/make-ext4fs/compile := $(curdir)/zlib/compile
 $(curdir)/lvm2/compile := $(curdir)/pkg-config/compile $(curdir)/libaio/compile
+$(curdir)/cryptsetup/compile := $(curdir)/pkg-config/compile 
$(curdir)/libressl/compile $(curdir)/lvm2/compile $(curdir)/popt/compile
 
 ifneq ($(HOST_OS),Linux)
   tools-y += coreutils
diff --git a/tools/cryptsetup/Makefile b/tools/cryptsetup/Makefile
new file mode 100644
index 00..3e500b81ea
--- /dev/null
+++ b/tools/cryptsetup/Makefile
@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2010-2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=cryptsetup
+PKG_VERSION_MAJOR:=2.0
+PKG_VERSION:=$(PKG_VERSION_MAJOR).6
+PKG_HASH:=7c51fae0f0e7ea9af0f515b2ac77009fb2969a6619ebab47d097dca38b083d30
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=@KERNEL/linux/utils/cryptsetup/v$(PKG_VERSION_MAJOR)/
+
+HOST_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/host-build.mk
+
+HOST_CONFIGURE_ARGS += \
+   --with-crypto-backend=openssl \
+   --disable-kernel_crypto \
+   --disable-blkid
+
+$(eval $(call HostBuild))
diff --git a/tools/cryptsetup/patches/0001-dont-use-c89.patch 
b/tools/cryptsetup/patches/0001-dont-use-c89.patch
new file mode 100644
index 00..3f05fd285b
--- /dev/null
+++ b/tools/cryptsetup/patches/0001-dont-use-c89.patch
@@ -0,0 +1,13 @@
+Index: cryptsetup-2.0.6/Makefile.in
+===
+--- cryptsetup-2.0.6.orig/Makefile.in
 cryptsetup-2.0.6/Makefile.in
+@@ -901,7 +901,7 @@ tmpfilesd_DATA = $(am__append_5)
+ @PYTHON_CRYPTSETUP_TRUE@pycryptsetup_la_CPPFLAGS = $(AM_CPPFLAGS) 
$(PYTHON_CPPFLAGS) $(PYTHON_INCLUDES) -fno-strict-aliasing
+ @PYTHON_CRYPTSETUP_TRUE@pycryptsetup_la_LDFLAGS = -avoid-version -module 
-shared -export-dynamic
+ @PYTHON_CRYPTSETUP_TRUE@pycryptsetup_la_LIBADD = libcryptsetup.la 
$(PYTHON_LIBS)
+-@CRYPTO_INTERNAL_ARGON2_TRUE@libargon2_la_CFLAGS = $(AM_CFLAGS) -std=c89 
-pthread -O3
++@CRYPTO_INTERNAL_ARGON2_TRUE@libargon2_la_CFLAGS = $(AM_CFLAGS) -pthread -O3
+ @CRYPTO_INTERNAL_ARGON2_TRUE@libargon2_la_CPPFLAGS = $(AM_CPPFLAGS) \
+ @CRYPTO_INTERNAL_ARGON2_TRUE@ -I lib/crypto_backend/argon2 \
+ @CRYPTO_INTERNAL_ARGON2_TRUE@ -I lib/crypto_backend/argon2/blake2
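Review bot: 0001-dont-use-c89.patch has no description, so it is not clear which host compiler fails with -std=c89 or whether the change was sent upstream. Please add a short header explaining the failure. The patch also edits the generated Makefile.in rather than Makefile.am, which will need redoing on each version bump; say so in the header if that is deliberate.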
-- 
2.20.1




[OpenWrt-Devel] [PATCH 00/11] Proposal for dm-verity support

2019-03-11 Thread Thomas Petazzoni
Hello,

This patch series is a proposal to add support for dm-verity to
OpenWrt. While I am familiar with build systems in general (I am one
of the core developers of Buildroot), this is my first ever
contribution to OpenWrt, so I am definitely not sure that the approach
is correct and I'm interested in getting feedback.

dm-verity is a Linux kernel Device Mapper target that verifies that
the data in a block device has not been tampered with, by checking it
at runtime against a hash tree, itself verified by a root hash, which
is passed from a trusted source. dm-verity only supports read
operations, so we only support the read-only squashfs root filesystem
in this series.

This "hash tree" is a bunch of metadata that needs to be stored on
non-volatile storage. It can be appended to the filesystem data, or
stored on a separate block device/partition. We have chosen to support
only the case where it is appended to the filesystem data.

In the proposed series:

 - The first four patches introduce new host packages. The first three
   are simply dependencies needed for cryptsetup, which is the tool
   used to generate the hash tree at build time.

 - The fifth and sixth patches introduce a way to include a U-Boot
   script inside a FIT image. Indeed, to set up a dm-verity device at
   boot time, you need to pass a lot of details to the kernel that
   describe the dm-verity device, including the root hash. Those
   details need to be trusted: having them as part of the FIT image
   allows leveraging the signing capabilities of FIT images.

 - The seventh patch adds the code itself that generates the dm-verity
   capable squashfs image, and a script that produces the U-Boot
   script with the various parameters needed to set up the DM device at
   boot time.

 - The eighth patch adds two kernel patches that allow setting up a DM
   device at boot time. In the upstream kernel, setting up a DM device
   requires userspace tools and therefore an initramfs, which is
   impractical. Those two patches have been submitted numerous times
   by folks from Google and Red Hat, but have remained out of tree so
   far.

 - The remaining patches are just related to enabling this mechanism
   on Armada XP GP, which is the platform I used to work on this
   topic.

This work was tested on Armada XP GP, with both MMC and NAND storage.

One aspect that is not solved by this patch series is the logic in the
fstools programs to set up the overlay at boot time. Indeed, when
there is a squashfs filesystem, fstools assumes that it can use the
space after the squashfs filesystem for its overlay (in the MMC
storage case). It is not the case with dm-verity, because we have the
hash tree after the squashfs filesystem. This is something I intend to
work on.

Thanks in advance for your feedback,

Thomas Petazzoni

Thomas Petazzoni (11):
  tools/libaio: new package
  tools/lvm2: new package
  tools/popt: new package
  tools/cryptsetup: new package
  scripts/mkits.sh: extend with -s option to include a U-Boot script
  include/image-commands.mk: extend Build/fit for U-Boot script
integration
  include/image.mk: add support for building a dm-verity enabled
squashfs image
  target/linux/generic: add patches to support dm-verity volume at boot
  target/linux/mvebu: enable UBI factory image on Armada XP GP
  target/linux/mvebu/config-4.14: enable options needed for dm-verity
  target/linux/mvebu: generate a FIT image on Armada XP GP with
dm-verity

 config/Config-images.in   |   4 +
 include/image-commands.mk |   1 +
 include/image.mk  |  12 +
 scripts/mkits.sh  |  21 +-
 scripts/prepare-dm-verity-uboot-script.sh |  41 ++
 ...-to-directly-boot-to-a-mapped-device.patch | 633 ++
 ...l-add-a-device-mapper-ioctl-function.patch |  98 +++
 target/linux/mvebu/config-4.14|  11 +
 target/linux/mvebu/image/cortex-a9.mk |  15 +
 tools/Makefile|   3 +
 tools/cryptsetup/Makefile |  28 +
 .../patches/0001-dont-use-c89.patch   |  13 +
 tools/libaio/Makefile |  33 +
 tools/lvm2/Makefile   |  47 ++
 tools/popt/Makefile   |  22 +
 15 files changed, 980 insertions(+), 2 deletions(-)
 create mode 100755 scripts/prepare-dm-verity-uboot-script.sh
 create mode 100644 
target/linux/generic/pending-4.14/960-init-add-support-to-directly-boot-to-a-mapped-device.patch
 create mode 100644 
target/linux/generic/pending-4.14/961-dm-ioctl-add-a-device-mapper-ioctl-function.patch
 create mode 100644 tools/cryptsetup/Makefile
 create mode 100644 tools/cryptsetup/patches/0001-dont-use-c89.patch
 create mode 100644 tools/libaio/Makefile
 create mode 100644 tools/lvm2/Makefile
 create mode 100644 tools/popt/Makefile

-- 
2.20.1
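The hash-tree check described in the cover letter above, as an added example that is not part of the patch series: a simplified Python model that derives the parameters a boot script would carry and verifies one data block against the root hash. SHA-256, 4096-byte blocks, a prepended salt and a tree appended directly after the data with no superblock are assumptions, the function names are hypothetical, and the output is not claimed to be byte-compatible with veritysetup.

```python
import hashlib

BLOCK = 4096                              # data and hash block size (assumed)
DIGEST = hashlib.sha256().digest_size     # 32 bytes
FANOUT = BLOCK // DIGEST                  # 128 child digests per hash block

def _h(salt: bytes, block: bytes) -> bytes:
    # Assumed model: the salt is prepended to the block before hashing.
    return hashlib.sha256(salt + block).digest()

def _blocks(buf: bytes):
    return [buf[i:i + BLOCK] for i in range(0, len(buf), BLOCK)]

def build_tree(image: bytes, salt: bytes):
    """Return (levels, root_hash); levels[0] holds the data-block digests."""
    if not image or len(image) % BLOCK:
        raise ValueError("image must be a non-empty multiple of the block size")
    digests = [_h(salt, b) for b in _blocks(image)]
    levels = []
    while True:
        # Pack digests into hash blocks, zero-padding the last one.
        packed = b"".join(digests)
        packed += b"\0" * (-len(packed) % BLOCK)
        level = _blocks(packed)
        levels.append(level)
        if len(level) == 1:
            return levels, _h(salt, level[0])
        digests = [_h(salt, b) for b in level]

def describe(image: bytes, salt: bytes) -> dict:
    """Parameters a boot script would carry for an appended hash tree."""
    levels, root = build_tree(image, salt)
    data_blocks = len(image) // BLOCK
    return {
        "data_blocks": data_blocks,
        "hash_start_block": data_blocks,  # assumption: tree follows the data
        "hash_blocks": sum(len(level) for level in levels),
        "salt": salt.hex(),
        "root_hash": root.hex(),
    }

def verify_block(image, levels, salt, root, index) -> bool:
    """Check one data block by walking its path up to the trusted root."""
    digest = _h(salt, image[index * BLOCK:(index + 1) * BLOCK])
    for level in levels:
        block = level[index // FANOUT]
        slot = (index % FANOUT) * DIGEST
        if block[slot:slot + DIGEST] != digest:
            return False
        digest, index = _h(salt, block), index // FANOUT
    return digest == root

# Constructed sample: 300 data blocks, so the tree needs two levels.
SALT = bytes.fromhex("a5" * 32)
IMAGE = b"".join(i.to_bytes(4, "big") * (BLOCK // 4) for i in range(300))
```

Only the root hash has to come from a trusted source: a tree rebuilt over modified data matches at every level and still fails the final comparison against the trusted root.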



[OpenWrt-Devel] [PATCH 06/11] include/image-commands.mk: extend Build/fit for U-Boot script integration

2019-03-11 Thread Thomas Petazzoni
This commit extends the Build/fit macro so that if an ITS_UBOOT_SCRIPT
variable is defined, it is passed to the mkits.sh script as the "-s"
argument. This allows the ITS_UBOOT_SCRIPT file to be integrated as a
U-Boot script in the FIT image.

This will be used as part of the dm-verity integration to add in the
FIT image a U-Boot script that provides the details of the dm-verity
volume (salt, root hash, number of data blocks, start of hash blocks,
etc.).

Signed-off-by: Thomas Petazzoni 
---
 include/image-commands.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/image-commands.mk b/include/image-commands.mk
index 05d36093d3..95ecbac5f2 100644
--- a/include/image-commands.mk
+++ b/include/image-commands.mk
@@ -151,6 +151,7 @@ define Build/fit
$(if $(word 2,$(1)),-d $(word 2,$(1))) -C $(word 1,$(1)) \
-a $(KERNEL_LOADADDR) -e $(if 
$(KERNEL_ENTRY),$(KERNEL_ENTRY),$(KERNEL_LOADADDR)) \
-c $(if $(DEVICE_DTS_CONFIG),$(DEVICE_DTS_CONFIG),"config@1") \
+   $(if $(ITS_UBOOT_SCRIPT),-s $(ITS_UBOOT_SCRIPT)) \
-A $(LINUX_KARCH) -v $(LINUX_VERSION)
PATH=$(LINUX_DIR)/scripts/dtc:$(PATH) mkimage -f $@.its $@.new
@mv $@.new $@
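Review bot: ITS_UBOOT_SCRIPT is introduced on the added "-s" line without any comment saying who sets it or when the file must exist. mkits.sh only records the path in an /incbin/ directive, so the file has to be generated before mkimage runs in this recipe, and nothing in the hunk enforces that ordering. Please document the variable next to Build/fit and state how the script is produced ahead of this step.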
-- 
2.20.1




[OpenWrt-Devel] [PATCH 01/11] tools/libaio: new package

2019-03-11 Thread Thomas Petazzoni
From: Thomas Petazzoni 

libaio for the host will be needed as a dependency of lvm2, itself a
dependency of cryptsetup.

Signed-off-by: Thomas Petazzoni 
---
 tools/Makefile|  1 +
 tools/libaio/Makefile | 33 +
 2 files changed, 34 insertions(+)
 create mode 100644 tools/libaio/Makefile

diff --git a/tools/Makefile b/tools/Makefile
index 9a354f6c70..9702b4df25 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -27,6 +27,7 @@ tools-y += sstrip make-ext4fs e2fsprogs mtd-utils mkimage
 tools-y += firmware-utils patch-image quilt padjffs2
 tools-y += mm-macros missing-macros cmake scons bc findutils gengetopt patchelf
 tools-y += mtools dosfstools libressl
+tools-y += libaio
 tools-$(CONFIG_TARGET_orion_generic) += wrt350nv2-builder upslug2
 tools-$(CONFIG_TARGET_x86) += qemu
 tools-$(CONFIG_TARGET_mxs) += elftosb sdimage
diff --git a/tools/libaio/Makefile b/tools/libaio/Makefile
new file mode 100644
index 00..475df7fc1d
--- /dev/null
+++ b/tools/libaio/Makefile
@@ -0,0 +1,33 @@
+#
+# Copyright (C) 2010-2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libaio
+PKG_VERSION:=0.3.111
+PKG_HASH:=62cf871ad8fd09eb3418f00aca7a7d449299b8e1de31c65f28bf6a2ef1fa502a
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://releases.pagure.org/libaio
+
+HOST_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/host-build.mk
+
+define Host/Configure
+endef
+
+define Host/Compile
+   $(MAKE) -C $(HOST_BUILD_DIR)
+endef
+
+define Host/Install
+   $(MAKE) -C $(HOST_BUILD_DIR) prefix=$(HOST_BUILD_PREFIX) install
+endef
+
+$(eval $(call HostBuild))
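Review bot: the overridden Host/Compile and Host/Install in tools/libaio/Makefile invoke $(MAKE) directly, so HOST_BUILD_PARALLEL:=1 set above likely has no effect and the default host make flags are not passed through. Calling $(call Host/Compile/Default), as the lvm2 package in this series does, would pick those up. The empty Host/Configure define deserves a one-line comment that libaio has no configure step.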
-- 
2.20.1

