Changes between 3.0.8 and 3.0.9 [30 May 2023]
* Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
numeric text form. For gigantic sub-identifiers, this would take a very
long time, the time complexity being O(n^2) where n is the size of that
sub-identifier. ([CVE-2023-2650])
To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
IDENTIFIER to canonical numeric text form if the size of that OBJECT
IDENTIFIER is 586 bytes or less, and fail otherwise.
The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
most 128 sub-identifiers, and that the maximum value that each sub-
identifier may have is 2^32-1 (4294967295 decimal).
For each byte of every sub-identifier, only the 7 lower bits are part of
the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
these restrictions may occupy is 32 * 128 / 7, which is approximately 586
bytes.
Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
*Richard Levitte*
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can
trigger a crash of an application using AES-XTS decryption if the memory
just after the buffer being decrypted is not mapped.
Thanks to Anton Romanov (Amazon) for discovering the issue.
([CVE-2023-1255])
*Nevine Ebeid*
* Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
The previous fix for this timing side channel turned out to cause
a severe 2-3x performance regression in the typical use case
compared to 3.0.7. The new fix uses existing constant time
code paths, and restores the previous performance level while
fully eliminating all existing timing side channels.
The fix was developed by Bernd Edlinger with testing support
by Hubert Kario.
*Bernd Edlinger*
* Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
that it does not enable policy checking. Thanks to David Benjamin for
discovering this issue.
([CVE-2023-0466])
*Tomáš Mráz*
* Fixed an issue where invalid certificate policies in leaf certificates are
silently ignored by OpenSSL and other certificate policy checks are skipped
for that certificate. A malicious CA could use this to deliberately assert
invalid certificate policies in order to circumvent policy checking on the
certificate altogether.
([CVE-2023-0465])
*Matt Caswell*
* Limited the number of nodes created in a policy tree to mitigate
against CVE-2023-0464. The default limit is set to 1000 nodes, which
should be sufficient for most installations. If required, the limit
can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
time define to a desired maximum number of nodes or zero to allow
unlimited growth.
([CVE-2023-0464])
*Paul Dale*
Removed upstreamed patches.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 03e1f2cc2a)
Built-in engine configs are added in libopenssl-conf/install stage
already, postinst/add_engine_config is just duplicating them, and
due to the lack of `config` header it results a broken uci config:
> uci: Parse error (invalid command) at line 3, byte 0
```
config engine 'devcrypto'
option enabled '1'
engine 'devcrypto'
option enabled '1'
option builtin '1'
```
Add `builtin` option in libopenssl-conf/install stage and remove
duplicate engine configuration in postinst/add_engine_config to
fix this issue.
Also add `exit 0` to postinst to silent (potential) pointless error.
Fixes: 0b70d55a64 ("openssl: make UCI config aware of built-in engines")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit b4192342f1)
Add kmod-nft-dup-inet package to allow packet duplication in ip/ip6/inet nftables family
Signed-off-by: Michał Kwiatek <michal@kwiatek.it>
(cherry picked from commit a7e9445975)
Our *cute* users often ignore README so add dependencies check for it.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 8cd920a8c5)
At this moment loadaddr in most layerscape boards are configured to
0x81000000. 5.15 kernel on some boards is bigger than 5.10 and it cause error:
Loading kernel from FIT Image at 81000000 ...
Using 'config-1' configuration
Trying 'kernel-1' kernel subimage
Description: ARM64 OpenWrt Linux-5.15.112
Created: 2023-05-21 17:39:35 UTC
Type: Kernel Image
Compression: gzip compressed
Data Start: 0x810000ec
Data Size: 7513944 Bytes = 7.2 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x80000000
Entry Point: 0x80000000
Hash algo: crc32
Hash value: 6fd69550
Hash algo: sha1
Hash value: ee34c753ffb615e199a428762824ad4a0aaef90a
Verifying Hash Integrity ... crc32+ sha1+ OK
Loading fdt from FIT Image at 81000000 ...
Using 'config-1' configuration
Trying 'fdt-1' fdt subimage
Description: ARM64 OpenWrt fsl_ls1088a-rdb-sdboot device tree blob
Created: 2023-05-21 17:39:35 UTC
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x8172a98c
Data Size: 19794 Bytes = 19.3 KiB
Architecture: AArch64
Hash algo: crc32
Hash value: 59792ba3
Hash algo: sha1
Hash value: 135585a49f86cd85acea559b78b0098ae99d5e12
Verifying Hash Integrity ... crc32+ sha1+ OK
Booting using the fdt blob at 0x8172a98c
Uncompressing Kernel Image
ERROR: new format image overwritten - must RESET the board to recover
resetting ...
This patch changes loadaddr to 0x88000000 (like LS1012A-FRDM board) to
avoid overlapping for bigger images (like initramfs) too.
Tested-by: Alexandra Alth <alexandra@alth.de> [LS1088ARDB]
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
(cherry picked from commit 0822040671)
The vendor uboot will verify firmware at boot.
So add a custom uboot build for this device.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit c51eb17730)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add new build option BOARD_QFN/BOARD_BGA.
This option is only useful for MT7981 device.
MT7981A/B: BOARD_BGA, MT7981C: BOARD_QFN.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit 602cb4f325)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add reserved memory for pstore/ramoops to device tree used by Linux
as well as U-Boot.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 3eb354f999)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
My original bpftools package made "variant" builds of bpftool and libbpf
as a convenience, since both used the same local kernel sources with the
same versioning. This is no longer the case, since the commit below
switched to using an out-of-tree build mirror hosting repos for each.
Replace bpftools with separate bpftool and libbpf packages, each simplified
and correctly versioned. Also fix the broken libbpf ABI introduced in the
same commit. Existing build .config files are not impacted.
Fixes: 00cbf6f6ab ("bpftools: update to standalone bpftools + libbpf, use the latest version")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit afe1bf11f2)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Release Notes:
http://lists.busybox.net/pipermail/busybox-cvs/2023-May/041510.html
Refresh commands, run after busybox is first built once (nothing changed
compared to 1.36.0):
cd package/utils/busybox/config/
../convert_menuconfig.pl ../../../../build_dir/target-mipsel_24kc_musl/busybox-default/busybox-1.36.1
cd ..
./convert_defaults.pl ../../../build_dir/target-mipsel_24kc_musl/busybox-default/busybox-1.36.1/.config > Config-defaults.in
Manual edits needed afterward:
* Config-defaults.in: OpenWrt config symbol IPV6 logic applied to
BUSYBOX_DEFAULT_FEATURE_IPV6
* Config-defaults.in: OpenWrt config TARGET_bcm53xx logic applied to
BUSYBOX_DEFAULT_TRUNCATE (commit 547f1ec)
* Config-defaults.in: OpenWrt logic applied to
BUSYBOX_DEFAULT_LOGIN_SESSION_AS_CHILD (commit dc92917)
* Config-defaults.in: correct the default ports that get reset
BUSYBOX_DEFAULT_FEATURE_HTTPD_PORT_DEFAULT 80
BUSYBOX_DEFAULT_FEATURE_TELNETD_PORT_DEFAULT 23
* config/editors/Config.in: Add USE_GLIBC dependency to
BUSYBOX_CONFIG_FEATURE_VI_REGEX_SEARCH (commit f141090)
* config/shell/Config.in: change at "Options common to all shells" the conditional symbol
SHELL_ASH --> BUSYBOX_CONFIG_SHELL_ASH
(discussion in http://lists.openwrt.org/pipermail/openwrt-devel/2021-January/033140.html
Apparently our script does not see the hidden option while
prepending config options with "BUSYBOX_CONFIG_" which leads to a
missed dependency when the options are later evaluated.)
* Edit a few Config.in files by adding quotes to sourced items in
config/Config.in, config/networking/Config.in and config/util-linux/Config.in (commit 1da014f)
Tested-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 3b76f6eee4)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Zyxel EX5601-T0 specifics
--------------
The operator specific firmware running on the Zyxel branded
EX5601-T0 includes U-Boot modifications affecting the OpenWrt
installation.
Partition Table
| dev | size | erasesize | name |
| ---- | -------- | --------- | ------------- |
| mtd0 | 20000000 | 00040000 | "spi0.1" |
| mtd1 | 00100000 | 00040000 | "BL2" |
| mtd2 | 00080000 | 00040000 | "u-boot-env" |
| mtd3 | 00200000 | 00040000 | "Factory" |
| mtd4 | 001c0000 | 00040000 | "FIP" |
| mtd5 | 00040000 | 00040000 | "zloader" |
| mtd6 | 04000000 | 00040000 | "ubi" |
| mtd7 | 04000000 | 00040000 | "ubi2" |
| mtd8 | 15a80000 | 00040000 | "zyubi" |
The router boots BL2 which than loads FIP (u-boot).
U-boot has hardcoded a command to always launch Zloader "mtd read zloader 0x46000000" and than "bootm". Bootargs are deactivated.
Zloader is the zyxel booloader which allow to dual-boot ubi or ubi2, by default access to zloader is blocked.
Too zloader checks that the firmware contains a particolar file called zyfwinfo.
Additional details regarding Zloader can be found here:
https://hack-gpon.github.io/zyxel/https://forum.openwrt.org/t/adding-openwrt-support-for-zyxel-ex5601-t0/155914
Hardware
--------
SOC: MediaTek MT7986a
CPU: 4 core cortex-a53 (2000MHz)
RAM: 1GB DDR4
FLASH: 512MB SPI-NAND (Micron xxx)
WIFI: Wifi6 Mediatek MT7976 802.11ax 5 GHz 4x4 + 2.4GHZ 4x4
ETH: MediaTek MT7531 Switch + SoC
3 x builtin 1G phy (lan1, lan2, lan3)
1 x MaxLinear GPY211B 2.5 N-Base-T phy5 (lan4)
1 x MaxLinear GPY211B 2.5Gbit xor SFP/N-Base-T phy6 (wan)
USB: 1 x USB 3.2 Enhanced SuperSpeed port
UART: 3V3 115200 8N1 (Pinout: GND KEY RX TX VCC)
VOIP: 2 FXS ports for analog phones
MAC Address Table
-----------------
eth0/lan Factory 0x002a
eth1/wan Factory 0x0024
wifi 2.4Ghz Factory 0x0004
wifi 5Ghz Factory 0x0004 + 1
Serial console (UART)
---------------------
+-------+-------+-------+-------+-------+
| +3.3V | RX | TX | KEY | GND |
+---+---+-------+-------+-------+-------+
|
+--- Don't connect
Installation
------------
Keep in mind that openwrt can only run on the UBI partition, the openwrt firmware is not able to understand the zloader bootargs.
The procedure allows restoring the UBI partition with the Zyxel firmware and retains all the OEM functionalities.
1. Unlock Zloader (this will allow to swap manually between partitions UBI and UBI2):
- Attach a usb-ttl adapter to your computer and boot the router.
- While the router is booting at some point you will read the following: `Please press Enter to activate this console.`
- As soon as you read that press enter, type root and than press enter again (just do it, don't care about the logs scrolling).
- Most likely the router is still printing the boot log, leave it boot until it stops.
- If everything went ok you should have full root access "root@EX5601-T0:/#".
- Type the following command and press enter: "fw_setenv EngDebugFlag 0x1".
- Reboot the router.
- As soon as you read `Hit any key to stop autoboot:` press Enter.
- If everything went ok you should have the following prompt: "ZHAL>".
- You have successfully unlocked zloader access, this procedure must be done only once.
2. Check the current active partition:
- Boot the router and repeat the steps above to gain root access.
- Type the following command to check the current active image: "cat /proc/cmdline".
- If `rootubi=ubi` it means that the active partition is `mtd6`
- If `rootubi=ubi2` it means that the active partition is `mtd7`
- As mentioned earlier we need to flash openwrt into ubi/mtd6 and never overwrite ubi2/mtd7 to be able to fully roll-back.
- To activate and boot from mtd7 (ubi2) enter into ZHAL> command prompt and type the following commands:
atbt 1 # unlock write
atsw # swap boot partition
atsr # reboot the router
- After rebooting check again with "cat /proc/cmdline" that you are correctly booting from mtd7/ubi2
- If yes proceed with the installation guide. If not probably you don't have a firmware into ubi2 or you did something wrong.
3. Flashing:
- Download the sysupgrade file for the router from openwrt, than we need to add the zyfwinfo file into the sysupgrade tar.
Zloader only checks for the magic (which is a fixed value 'EXYZ') and the crc of the file itself (256bytes).
I created a script to create a valid zyfwinfo file but you can use anything that does exactly the same:
https://raw.githubusercontent.com/pameruoso/OpenWRT-Zyxel-EX5601-T0/main/gen_zyfwinfo.sh
- Add the zyfwinfo file into the sysupgrade tar.
- Enter via telnet or ssh into the router with admin credentials
- Enter the following commands to disable the firmware and model checks
"zycli fwidcheck off" and "zycli modelcheck off"
- Open the router web interface and in the update firmware page select the "restore default settings option"
- Select the sysupgrade file and click on upload.
- The router will flash and reboot itself into openwrt from UBI
4. Restoring and going back to Zyxel firmware.
- Use the ZHAL> command line to manually swap the boot parition to UBI2 with the following:
atbt 1 # unlock write
atsw # swap boot partition
atsr # reboot the router
- You will boot again the Zyxel firmware you have into UBI2 and you can flash the zyxel firmware to overwrite the UBI partition and openwrt.
Working features
----------------
3 gbit lan ports
Wifi
Zyxel partitioning for coexistance with Zloader and dual boot.
WAN SFP port (only after exporting pins 57 and 10. gpiobase411)
leds
reset button
serial interface
usb port
lan ethernet 2.5 gbit port (autosense)
wan ethernet 2.5 gbit port (autosense)
Not working
----------------
voip (missing drivers or proper zyxel platform software)
Swapping the wan ethernet/sfp xor port
----------------
The way to swap the wan port between sfp and ethernet is the following:
export the pins 57 and 10.
Pin 57 is used to probe if an sfp is present.
If pin 57 value is 0 it means that an sfp is present into the cage (cat /sys/class/gpio/gpio468/value).
If pin 57 value is 1 it means that no sfp is inserted into the cage.
In conclusion by default both 57 an 10 pins are by default 1, which means that the active port is the ethernet one.
After inserting an SFP pin 57 will become 0 and you have to manually change the value of pin 10 to 0 too.
This is totally scriptable of course.
Leds description
------------
All the leds are working out of the box but the leds managed by the 2 maxlinear phy (phy 5 lan, phy6 wan).
To activate the phy5 led (rj45 ethernet port led on the back of the router) you have to use mdio-tools.
To activate the phy6 led (led on the front of the router for 2.5gbit link) you have to use mdio-tools.
Example:
Set lan5 led to fast blink on 2500/1000, slow blink on 10/100:
mdio mdio-bus mmd 5:30 raw 0x0001 0x33FC
Set wan 2.5gbit led to constant on when wan is 2.5gbit:
mdio mdio-bus mmd 6:30 raw 0x0001 0x0080
Signed-off-by: Pietro Ameruoso <p.ameruoso@live.it>
(cherry picked from commit 1c05388ab0)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Specifications:
SOC: QCA9563 775 MHz + QCA9880
Switch: QCA8337N-AL3C
RAM: Winbond W9751G6KB-25 64 MiB
Flash: Winbond W25Q128FVSG 16 MiB
WLAN: Wi-Fi4 2.4 GHz 3*3 + 5 GHz 3*3
LAN: LAN ports *4
WAN: WAN port *1
Buttons: reset *1 + wps *1
LEDs: ethernet *5, power, wlan, wps
MAC Address:
use address source1 source2
label 40:9b:xx:xx:xx:3c lan && wlan u-boot,env@ethaddr
lan 40:9b:xx:xx:xx:3c devdata@0x3f $label
wan 40:9b:xx:xx:xx:3f devdata@0x8f $label + 3
wlan2g 40:9b:xx:xx:xx:3c devdata@0x5b $label
wlan5g 40:9b:xx:xx:xx:3e devdata@0x76 $label + 2
Install via Web UI:
Apply factory image in the stock firmware's Web UI.
Install via Emergency Room Mode:
DIR-859 A1 will enter recovery mode when the system fails to boot
or press reset button for about 10 seconds.
First, set computer IP to 192.168.0.5 and Gateway to 192.168.0.1.
Then we can open http://192.168.0.1 in the web browser to upload
OpenWrt factory image or stock firmware. Some modern browsers may
need to turn on compatibility mode.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
(cherry picked from commit 0ffbef9317)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
1. Remove unnecessary new lines in the dts.
2. Remove duplicate included file "gpio.h" in the device dts.
3. Add missing button labels "reset" and "wps".
4. Unify the format of the reg properties.
5. Add u-boot environment support.
6. Reduce spi clock frequency since the max value suggested by the
chip datasheet is only 25 MHz.
7. Add seama header fixup for DIR-859 A1. Without this header fixup,
u-boot checksum for kernel will fail after the first boot.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
(cherry picked from commit e5d8739aa8)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The x86_64 UML target wants to include SSSE3 optimized
crypto code which lives under /arch/x86/crypto.
However, these are not built and this causes an error.
| ERROR: module '[...]/arch/x86/crypto/sha512-ssse3.ko' is missing.
| make[3]: *** [modules/crypto.mk:990: [...]/kmod-crypto-sha512_5.15.112-1_x86_64.ipk] Error 1
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 959563fb81)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
That was a workaround for OpenWrt generation of config files. This patch
was used to postpone returning from probe function until loading
firmware and calling register_wiphy().
All of that is not needed anymore thanks to the ieee80211 hotplug.d
script introduced in the commit 5f8f8a3661 ("base-files, mac80211,
broadcom-wl: wifi detection and configuration"). That takes care of
generating /etc/config/wireless entries even if wireless device appears
late in the booting process.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit bd26266314)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Currently, SSDK is rather special in the sense that its not being built as
a proper out of tree module at all but rather like a userspace application
and that involves a lot of make magic which unfortunately broke with make
version 4.4 and newer.
Luckily QCA finally added a way to build SSDK as an out of tree module
and it uses the kernel buildsystem which makes it compile with make 4.4
as well.
So lets backport the support for it and switch to using it.
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 957f1ee85e)
IGD is only useful when accelerating a VM guest that wants to direct
render to memory in the host's framebuffer, but since OpenWrt
typically runs on headless hardware, this serves no purpose.
Also build vfio with VFIO_NOIOMMU undefined (to get all of the code
enabled), but allow it to be enabled via boot-time modparams
settings (or at run-time via sysfs writes to
"/sys/module/vfio/parameters/enable_unsafe_noiommu_mode".
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
adds ForceCommand option. If the command is specified,
it forces users to execute the command when they log in.
Signed-off-by: Nozomi Miyamori <inspc43313@yahoo.co.jp>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
A missing '\' caused the remaining parameters not to be passed to make.
This fixes the following error:
| gcc -c [...] fiptool.c -o fiptool.o
| In file included from fiptool.h:16,
| from fiptool.c:19:
|fiptool_platform.h:19:11: fatal error: openssl/sha.h: No such file or directory
| 19 | # include <openssl/sha.h>
| | ^~~~~~~~~~~~~~~
|compilation terminated.
|make[3]: *** [Makefile:58: fiptool.o] Error 1
as the HOST_CFLAGS are no longer passed.
then, HOST_CFLAGS is specified as a command argument, this
is a specific problem of our built since appending these
needs the override directive.
Fixes: df28bfe03247 ("tfa-layerscape: Change to github and use the latest tag")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
The default location of tfa-layerscape has been changed from
codeuaurora to github. Also use the latest tag for Layerscape
Linux Development POC from NXP.
v2:
* restored ls1021a-afrdm board
* added platform defines to fiptool so ls-ddr-phy can be built
Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@protonmail.ch>
(reset PKG_RELEASE)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
