Most (all?) of the realtek devices have two u-boot config partitions
with a different set of variables in each. The U-Boot shell provides
two sets of apps to manipulate these:
printenv- print environment variables
printsys- printsys - print system information variables
saveenv - save environment variables to persistent storage
savesys - savesys - save system information variables to persistent storage
setenv - set environment variables
setsys - setsys - set system information variables
Add support for multiple ubootenv configuration types, allowing
more than one configuration file.
Section names are not suitable for naming the different
configurations since each file can be the result of multiple sections
in case of backup partitions.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
(cherry picked from commit a3e9fd7e5b)
Ensure the MAC address for all NanoPi R1 boards is assigned uniquely for
each board.
The vendor ships the device in two variants; one with and one without
eMMC; but both without static mac-addresses.
In order to assign both board types unique MAC addresses, fall back on
the same method used for the NanoPi R2S and R4S in case the EEPROM
chip is not present by generating the board MAC from the SD card CID.
[0] https://wiki.friendlyelec.com/wiki/index.php/NanoPi_R1#Hardware_Spec
Similar too and based on:
commit b5675f500d ("rockchip: ensure NanoPi R4S has unique MAC address")
Co-authored-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Jan-Niklas Burfeind <git@aiyionpri.me>
The PKG_CPE_ID links to NIST CPE version 2.2.
Assign PKG_CPE_ID to all remaining package which have a CPE ID.
Not every package has CPE id.
Related: https://github.com/openwrt/packages/issues/8534
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
emmc_do_upgrade() relies on identify() from the nand.sh upgrade helper.
This only works because FEATURES=emmc targets also tend to include
FEATURES=nand.
Rename identify_magic() to identify_magic_long() to match the common.sh
style and make it clear it pairs with other *_long() variants (and not,
say *_word()).
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
(cherry picked from commit d3c19c71f6)
Rootfs overlays get created at a ROOTDEV_OVERLAY_ALIGN (64KiB)
alignment after the rootfs, but emmc_do_upgrade() is assuming
it comes at the very next 512-byte sector.
Suggested-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
(move spaces around, mention fstools' libtoolfs)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit e8a0c55909)
Adds generic support for sysupgrading on eMMC-based devices.
Provide function emmc_do_upgrade and emmc_copy_config to be used in
/lib/upgrade/platform.sh instead of redundantly implementing the same
logic over and over again.
Similar to generic sysupgrade on NAND, use environment variables
CI_KERNPART, CI_ROOTPART and newly introduce CI_DATAPART to indicate
GPT partition names to be used. On devices with more than one MMC
block device, CI_ROOTDEV can be used to specify the MMC device for
partition name lookups.
Also allow to select block devices directly using EMMC_KERN_DEV,
EMMC_ROOT_DEV and EMMC_DATA_DEV, as using GPT partition names is not
always an option (e.g. when forced to use MBR).
To easily handle writing kernel and rootfs make use of sysupgrade.tar
format convention which is also already used for generic NAND support.
Signed-off-by: Enrico Mioso <mrkiko.rs@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
CC: Li Zhang <li.zhang@gl-inet.com>
CC: TruongSinh Tran-Nguyen <i@truongsinh.pro>
(cherry picked from commit 57c1f3f9c5)
Some devices got more than one mmc device.
Allow specifying the root device as 2nd parameter of find_mmc_part so
scripts can avoid matching irrelevant partitions on wrong mmc device.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 9f223a20bd)
Added minimal mmc support for helper functions:
- find_mmc_part: Look for a given partition name. Returns the
coresponding partition path
- caldata_extract_mmc: Look for a given partition name and then
extracts the calibration data
- mmc_get_mac_binary: Returns the mac address from a given partition
name and offset
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
Signed-off-by: Robert Marko <robimarko@gmail.com>
[replace dd with caldata_dd, moved sysupgrade mmc to orbi]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 6e13794344)
It seems that the Makefile has both CC and CFLAGS hardcoded and does not
allow overriding them by ones being passed by the buildsystem.
This works fine until CONFIG_PKG_ASLR_PIE_ALL is selected, then building
will fail with:
arm-openwrt-linux-muslgnueabi/bin/ld.bfd: mhz.o: relocation R_ARM_MOVW_ABS_NC against `a local symbol' can not be used when making a shared object; recompile with -fPIC
arm-openwrt-linux-muslgnueabi/bin/ld.bfd: mhz.o(.text+0x75c): unresolvable R_ARM_CALL relocation against symbol `__aeabi_l2d@@GCC_3.5
So, lets add a patch pending upstream that allows both CC and CFLAGS to be
overriden so that ones passed by the buildsystem are actually respected.
Fixes: 89123b308f98 ("mhz: add new package")
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 6c28f46f37d35dce06c320d9ac7f256c113aea22)
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 8c90527a80)
7aefb47 jitterentropy-rngd: update to the v1.2.0
What's interesting about jitterentropy-rngd v1.2.0 release is that it
bumps its copy of jitterentropy-library from v2.2.0 to the v3.0.0. That
bump includes a relevant commit 3130cd9 ("replace LSFR with SHA-3 256").
When initializing entropy jent calculates time delta. Time values are
obtained using clock_gettime() + CLOCK_REALTIME. There is no guarantee
from CLOCK_REALTIME of unique values and slow devices often return
duplicated ones.
A switch from jent_lfsr_time() to jent_hash_time() resulted in many less
cases of zero delta and avoids ECOARSETIME.
Long story short: on some system this fixes:
[ 6.722725] urngd: jent-rng init failed, err: 2
This is important change for BCM53573 which doesn't include hwrng and
seems to have arch_timer running at 36,8 Hz.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit c74b5e09e6)
7aefb47 jitterentropy-rngd: update to the v1.2.0
What's interesting about jitterentropy-rngd v1.2.0 release is that it
bumps its copy of jitterentropy-library from v2.2.0 to the v3.0.0. That
bump includes a relevant commit 3130cd9 ("replace LSFR with SHA-3 256").
When initializing entropy jent calculates time delta. Time values are
obtained using clock_gettime() + CLOCK_REALTIME. There is no guarantee
from CLOCK_REALTIME of unique values and slow devices often return
duplicated ones.
A switch from jent_lfsr_time() to jent_hash_time() resulted in many less
cases of zero delta and avoids ECOARSETIME.
Long story short: on some system this fixes:
[ 6.722725] urngd: jent-rng init failed, err: 2
This is important change for BCM53573 which doesn't include hwrng and
seems to have arch_timer running at 36,8 Hz.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit c74b5e09e6)
Inline the preinst.arm-ce script. Support for including was added in
make 4.2 and is not working with older make versions.
Fixes: https://github.com/openwrt/openwrt/issues/11866
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
(cherry picked from commit fcde517d35)
Safely detect integer overflow in try_addint() and try_subint().
Old code relied on undefined behavior, and recent versions of GCC on x86
optimized away the if-statements.
This caused integer overflow in Lua code instead of falling back to
floating-point numbers.
Signed-off-by: Adam Bailey <aebailey@gmail.com>
(cherry picked from commit 3a2e7c30d3)
openssl sets additional cflags in its configuration script. We need to
make it aware of our custom cflags to avoid adding conflicting cflags.
Fixes: #12866
Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
(cherry picked from commit 51f57e7c2d)
A static-linked binary doesn't have a .dynamic section, but when
starting ujail with -r or -w will automatically search for PT_DYNAMIC in
ELF and exit with failure if it is not found.
Fixes: #970
Signed-off-by: Yuteng Zhong <zonyitoo@qq.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Changes between 1.1.1t and 1.1.1u [30 May 2023]
*) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
numeric text form. For gigantic sub-identifiers, this would take a very
long time, the time complexity being O(n^2) where n is the size of that
sub-identifier. (CVE-2023-2650)
To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
IDENTIFIER to canonical numeric text form if the size of that OBJECT
IDENTIFIER is 586 bytes or less, and fail otherwise.
The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
most 128 sub-identifiers, and that the maximum value that each sub-
identifier may have is 2^32-1 (4294967295 decimal).
For each byte of every sub-identifier, only the 7 lower bits are part of
the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
these restrictions may occupy is 32 * 128 / 7, which is approximately 586
bytes.
Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
[Richard Levitte]
*) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304).
The previous fix for this timing side channel turned out to cause
a severe 2-3x performance regression in the typical use case
compared to 1.1.1s. The new fix uses existing constant time
code paths, and restores the previous performance level while
fully eliminating all existing timing side channels.
The fix was developed by Bernd Edlinger with testing support
by Hubert Kario.
[Bernd Edlinger]
*) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
that it does not enable policy checking. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0466)
[Tomas Mraz]
*) Fixed an issue where invalid certificate policies in leaf certificates are
silently ignored by OpenSSL and other certificate policy checks are skipped
for that certificate. A malicious CA could use this to deliberately assert
invalid certificate policies in order to circumvent policy checking on the
certificate altogether. (CVE-2023-0465)
[Matt Caswell]
*) Limited the number of nodes created in a policy tree to mitigate
against CVE-2023-0464. The default limit is set to 1000 nodes, which
should be sufficient for most installations. If required, the limit
can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
time define to a desired maximum number of nodes or zero to allow
unlimited growth. (CVE-2023-0464)
[Paul Dale]
Removed upstreamed patches.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
