This set the CONFIG_FRAME_WARN option depending on some target settings.
It will use the default from the upstream kernel and not the hard coded
value of 1024 now.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 16a20512d8)
Changes between 3.0.8 and 3.0.9 [30 May 2023]
* Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
numeric text form. For gigantic sub-identifiers, this would take a very
long time, the time complexity being O(n^2) where n is the size of that
sub-identifier. ([CVE-2023-2650])
To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
IDENTIFIER to canonical numeric text form if the size of that OBJECT
IDENTIFIER is 586 bytes or less, and fail otherwise.
The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
most 128 sub-identifiers, and that the maximum value that each sub-
identifier may have is 2^32-1 (4294967295 decimal).
For each byte of every sub-identifier, only the 7 lower bits are part of
the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
these restrictions may occupy is 32 * 128 / 7, which is approximately 586
bytes.
Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
*Richard Levitte*
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can
trigger a crash of an application using AES-XTS decryption if the memory
just after the buffer being decrypted is not mapped.
Thanks to Anton Romanov (Amazon) for discovering the issue.
([CVE-2023-1255])
*Nevine Ebeid*
* Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
The previous fix for this timing side channel turned out to cause
a severe 2-3x performance regression in the typical use case
compared to 3.0.7. The new fix uses existing constant time
code paths, and restores the previous performance level while
fully eliminating all existing timing side channels.
The fix was developed by Bernd Edlinger with testing support
by Hubert Kario.
*Bernd Edlinger*
* Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
that it does not enable policy checking. Thanks to David Benjamin for
discovering this issue.
([CVE-2023-0466])
*Tomáš Mráz*
* Fixed an issue where invalid certificate policies in leaf certificates are
silently ignored by OpenSSL and other certificate policy checks are skipped
for that certificate. A malicious CA could use this to deliberately assert
invalid certificate policies in order to circumvent policy checking on the
certificate altogether.
([CVE-2023-0465])
*Matt Caswell*
* Limited the number of nodes created in a policy tree to mitigate
against CVE-2023-0464. The default limit is set to 1000 nodes, which
should be sufficient for most installations. If required, the limit
can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
time define to a desired maximum number of nodes or zero to allow
unlimited growth.
([CVE-2023-0464])
*Paul Dale*
Removed upstreamed patches.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 03e1f2cc2a)
A package may run git as part of its build process, and if the package
source code is not from a git checkout, then git may traverse up the
directory tree to find buildroot's repository directory (.git).
For instance, Poetry Core, a Python build backend, will read the
contents of .gitignore for paths to exclude when creating a Python
package. If it finds buildroot's .gitignore file, then Poetry Core will
exclude all of the package's files[1].
This exports GIT_CEILING_DIRECTORIES for both package and host builds so
that git will not traverse beyond $(BUILD_DIR)/$(BUILD_DIR_HOST).
[1]: https://github.com/python-poetry/poetry/issues/5547
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit f597f34f3a)
Built-in engine configs are added in libopenssl-conf/install stage
already, postinst/add_engine_config is just duplicating them, and
due to the lack of `config` header it results a broken uci config:
> uci: Parse error (invalid command) at line 3, byte 0
```
config engine 'devcrypto'
option enabled '1'
engine 'devcrypto'
option enabled '1'
option builtin '1'
```
Add `builtin` option in libopenssl-conf/install stage and remove
duplicate engine configuration in postinst/add_engine_config to
fix this issue.
Also add `exit 0` to postinst to silent (potential) pointless error.
Fixes: 0b70d55a64 ("openssl: make UCI config aware of built-in engines")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit b4192342f1)
Currently, e2600ac-c1 cannot be built as the kernel is larger than the defined KERNEL_SIZE,
however, there is no bootloader limit for the kernel size so remove KERNEL_SIZE completely.
Signed-off-by: 张 鹏 <sd20@qxwlan.com>
[ improve commit title, fix merge conflict ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit b764268acb)
Convert E2600ac c2 to DSA and enable it.
Signed-off-by: 张 鹏 <sd20@qxwlan.com>
[ rename port to more generic name ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 0dca52cf59)
Convert E2600ac c1 to DSA and enable it.
Signed-off-by: 张 鹏 <sd20@qxwlan.com>
[ rename port to more generic name ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 7f2ecab0f4)
The set_spi_clock_speed() function is not used, this causes a compile
warning which results in a build error with -WError.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2d5f3b3c4c)
Add kmod-nft-dup-inet package to allow packet duplication in ip/ip6/inet nftables family
Signed-off-by: Michał Kwiatek <michal@kwiatek.it>
(cherry picked from commit a7e9445975)
This partially reverts commit 7fae1e5677
as it should be no longer necessary to do a full clone since commit
48ed07bc0b ("treewide: replace AUTORELEASE with real PKG_RELEASE").
Suggested-by: Thibaut VARÈNE <hacks@slashdirt.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 11bb5337b8)
[adjusted to 23.05]
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Our *cute* users often ignore README so add dependencies check for it.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 8cd920a8c5)
read_page() need to return maximum number of bitflips instead of the
accumulated number. Change takes from upstream mt7621 u-boot [1].
* @read_page: function to read a page according to the ECC generator
* requirements; returns maximum number of bitflips
* corrected in any single ECC step, -EIO hw error
[1] https://lore.kernel.org/all/cover.1653015383.git.weijie.gao@mediatek.com/
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
(cherry picked from commit 2fbb91d73f)
Management Complex (MC) userspace support is required for userspace
helpers working with DPAA2 objects exported by the Management Complex BUS.
Without it, there is the error:
```
root@OpenWrt:/# ls-addni dpmac.1
error: Did not find a device file
Restool wrapper scripts only support the latest major MC version
that currently is MC10.x. Use with caution.
error: Did not find a device file
```
This patch fixes it.
Suggested-by: Alexandra Alth <alexandra@alth.de>
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
(cherry picked from commit d04d6a82da)
At this moment loadaddr in most layerscape boards are configured to
0x81000000. 5.15 kernel on some boards is bigger than 5.10 and it cause error:
Loading kernel from FIT Image at 81000000 ...
Using 'config-1' configuration
Trying 'kernel-1' kernel subimage
Description: ARM64 OpenWrt Linux-5.15.112
Created: 2023-05-21 17:39:35 UTC
Type: Kernel Image
Compression: gzip compressed
Data Start: 0x810000ec
Data Size: 7513944 Bytes = 7.2 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x80000000
Entry Point: 0x80000000
Hash algo: crc32
Hash value: 6fd69550
Hash algo: sha1
Hash value: ee34c753ffb615e199a428762824ad4a0aaef90a
Verifying Hash Integrity ... crc32+ sha1+ OK
Loading fdt from FIT Image at 81000000 ...
Using 'config-1' configuration
Trying 'fdt-1' fdt subimage
Description: ARM64 OpenWrt fsl_ls1088a-rdb-sdboot device tree blob
Created: 2023-05-21 17:39:35 UTC
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x8172a98c
Data Size: 19794 Bytes = 19.3 KiB
Architecture: AArch64
Hash algo: crc32
Hash value: 59792ba3
Hash algo: sha1
Hash value: 135585a49f86cd85acea559b78b0098ae99d5e12
Verifying Hash Integrity ... crc32+ sha1+ OK
Booting using the fdt blob at 0x8172a98c
Uncompressing Kernel Image
ERROR: new format image overwritten - must RESET the board to recover
resetting ...
This patch changes loadaddr to 0x88000000 (like LS1012A-FRDM board) to
avoid overlapping for bigger images (like initramfs) too.
Tested-by: Alexandra Alth <alexandra@alth.de> [LS1088ARDB]
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
(cherry picked from commit 0822040671)
The USXGMII driver in SDK was heavily refactored, some bugs have been
fixed and it has switched to use phylink_pcs. Follow up with changes
in SDK driver and sync our on-top-of-mainline driver with the SDK
driver.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit ba58245e83)
Use renamed build step names for all boards which were not handled by
commit c620409d58 ("mediatek: filogic: add uboot build for mt7981")
and now breaking the build.
Fixes: c620409d58 ("mediatek: filogic: add uboot build for mt7981")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 037ce27244)
Hardware specification:
SoC: MediaTek MT7981B 2x A53
Flash: ESMT F50L1G41LB 128MB
RAM: MT5CC128M16JR-EK 256MB
Ethernet: 4x 10/100/1000 Mbps
Switch: MediaTek MT7531AE
WiFi: MediaTek MT7976C
Button: Reset, WPS
Power: DC 12V 1A
Flash instructions:
1. Attach UART, boot the stock firmware until
the message about failsafe mode appears.
2. Enter failsafe mode by pressing "f" and "Enter"
3. Type "mount_root", then run
"fw_setenv bootmenu_delay 3"
4. Back up all mtd partitions before flashing.
5. Reboot, U-Boot now presents a menu.
6. Connect to your PC via the Gigabit port of the router,
set a static ip on the ethernet interface of your PC.
(ip 192.168.1.254, gateway 192.168.1.1)
7. Select "Upgrade ATF BL2", then use this file:
openwrt-mediatek-filogic-qihoo_360t7-preloader.bin
8. Select "Upgrade ATF FIP", then use this file:
openwrt-mediatek-filogic-qihoo_360t7-bl31-uboot.fip
9. Download the initramfs image, and type "reset",
waiting for tftp recovery to complete.
a. After openwrt boots up, perform sysupgrade.
Note:
1. Since NMBM is disabled, we must back up all partitions.
2. Flash instructions is based on commit 28df7f7.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit dc2d4d7393)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The vendor uboot will verify firmware at boot.
So add a custom uboot build for this device.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit c51eb17730)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add new build option BOARD_QFN/BOARD_BGA.
This option is only useful for MT7981 device.
MT7981A/B: BOARD_BGA, MT7981C: BOARD_QFN.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit 602cb4f325)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Rename previous uboot build to mt7986-*.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit c620409d58)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add reserved memory for pstore/ramoops to device tree used by Linux
as well as U-Boot.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 3eb354f999)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Pick accepted patches from upstream Linux tree instead of having to
maintain our slightly different downstream patches.
Import pending patch fixing I2C on MT7981 by making sure all clocks
are enabled before accessing I2C registers.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 213b728276)
Add kernel tags to the patches that got accepted upstream.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 2388b119de)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Make sure sub-images on the SD card are size-checked, allow
generating SD card without squashfs and/or initramfs.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 43d27b0252)
This board was designed as a clone of NanoPi R4S. However, it didn't
follow the spec and changed the power-supply system massively, and
because of it there's no way to soft reset this board currently.
For reboot, you must cut off the power and reengage it.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Use toolchain container for label workflow to skip downloading external
toolchain from openwrt servers.
Fixes: 0fe5776f4a ("CI: build: Add support to use container included external toolchain")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 66fd0aa6ef)
Don't add "" in target and subtarget for label workflow from label
detection as it does cause problem in build workflow on container
target/subtarget matching.
Fixes: bf8187d5dc ("CI: use split target and subtarget in label workflow")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 1fa84354a9)
Commit 1cb8cdb ("ci: use new buildbot worker images with Debian 11")
introduced new Git version with strict rules for owner of the git
directory.
To handle this and not cause major change, just move the parsing before
the change of ownership of the openwrt directory permitting the correct
run of git fetch command with the same user that did the repository
checkout.
Fixes: 1cb8cdb ("ci: use new buildbot worker images with Debian 11")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 0063e71d66)
Commit bf8187d5dc ("CI: use split target and subtarget in label
workflow") didn't correctly output subtarget resulting in calling with
an empty subtarget. Fix this and correctly output generated subtarget.
Fixes: bf8187d5dc ("CI: use split target and subtarget in label workflow")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 8aa5a86010)
With eecc6e4811 ("CI: rework build workflow to have split target and
subtarget directly") target and subtarget are split in 2 different
variables. Label workflow were not aligned to this change and are
currently broken.
Fix them and correctly pass split target and subtarget.
Fixes: eecc6e4811 ("CI: rework build workflow to have split target and subtarget directly")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit bf8187d5dc)
