Re: [ptxdist] [PATCH] DRAFT:l

2020-11-16 Thread Michael Olbrich
On Mon, Nov 16, 2020 at 04:09:58PM +0100, Artur Wiebe wrote:
> Doesn't work... :(

Hmm, might be a bug in install_script_replace. It's not actually used in
any upstream package... I'll have a closer look.

Michael

> On Monday, November 16, 2020 11:32 CET, Michael Olbrich wrote:
>  
> > On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> > > On Monday, November 16, 2020 10:36 CET, Michael Olbrich wrote:
> > > > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > > > > 
> > > > > > > > The very same could be achieved with symlink in your BSP:
> > > > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > > > > 
> > > > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > > > start without host keys. Or do you want to install a static version of
> > > > > > > the host keys generated at build time?
> > > > > > 
> > > > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > > > read-only.
> > > > > > 
> > > > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > > > > 
> > > > > > As this is easy to solve at BSP level I never thought it could
> > > > > > be a thing :)
> > > > > 
> > > > > OK, but at least I would mention it in the kconfig help text. The
> > > > 
> > > > Ack.
> > > > 
> > > > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > > > install_alternative if this option is disabled.
> > > > 
> > > > No. Shared ssh server keys are a bad idea. That's not something I want to
> > > > merge upstream.
> > > 
> > > This was also my concern...
> > > 
> > > > 
> > > > But there are other use-cases to not use rc-once, e.g. if the server keys
> > > > are generated during provisioning. And not selecting rc-once in this case
> > > > makes sense, so this is acceptable in general.
> > > 
> > > I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is 
> > > not set.
> > 
> > Hmmm, right. In the BSP, a /dev/null symlink works for this as well, but
> > we currently don't have a way to not install the postinst script. We could
> > do something like this (untested):
> > 
> > $(call install_script_replace, openssh, postinst, @RC_ONCE@, \
> > $(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))
> 
> -
> target: openssh.targetinstall
> -
> 
> install_init:   preparing for image creation of 'openssh'...
> install_init:   @ARCH@ -> x86_64
> install_init:   @PACKAGE@ -> openssh
> install_init:   @VERSION@ -> 8.3p1
> install_init:   @DEPENDS@ -> openssl, rc-once, zlib
> install_init:   preinst not available
> install_init:   postinst packaging: 'root/rules/openssh.postinst'
> install_init:   prerm not available
> install_init:   postrm not available
> install_fixup:  @PRIORITY@ -> optional ... done.
> install_fixup:  @SECTION@ -> base ... done.
> install_fixup:  @AUTHOR@ -> "Marc Kleine-Budde " ... done.
> install_fixup:  @DESCRIPTION@ -> missing ... done.
> XPKG=openssh; FILE=postinst; PLACEHOLDER=@RC_ONCE@; VALUE=; 
> CMD="install_script_replace"; if [ ! -f 
> "/tmp/ptxdist.qS1dcP/openssh.targetinstall.$XPKG" ]; then echo; echo "Error: 
> install_init was not called for package '$XPKG'!"; echo "This is probably 
> caused by a typo in the package name of:"; echo "\$(call $CMD, $XPKG, ...)"; 
> echo; exit 1; fi; echo "ptxd_install_script_replace '$FILE' '$PLACEHOLDER' 
> '$VALUE'" >> "/mnt/root/platform-x86/state/$XPKG.cmds"
> xpkg_finish:collecting license (BSD AND BSD-2-Clause AND BSD-3-Clause AND 
> MIT AND Beerware AND ISC) ... done.
> xpkg_finish:creating opkg package ...
> 
> 
> ptxdist: error: ptxd_install_script_replace: 'dst' must be an absolute path!
> 
> 
> xpkg_finish: failed.
> 
> > 
> > And in rules/openssh.postinst:
> > 
> > #!/bin/sh
> > @RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
> > 
> > This way the script may be installed, but it will do nothing if
> > PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.
> > 
> > Michael
> > 
> > -- 
> > Pengutronix e.K.   | |
> > Steuerwalder Str. 21   | http://www.pengutronix.de/  |
> > 31137 Hildesheim, Germany  | Phone: +49-5121-206917-0|
> > Amtsgericht Hildesheim, HRA 2686   | Fax:   +49-5121-206917- |
> > 
> > 

Re: [ptxdist] [PATCH] DRAFT:l

2020-11-16 Thread Artur Wiebe
Hi Michael,

I found a solution. What do you think?

Artur 
 
  
On Monday, November 16, 2020 11:32 CET, Michael Olbrich wrote:
 
> On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> > On Monday, November 16, 2020 10:36 CET, Michael Olbrich wrote:
> > > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > > > 
> > > > > > > The very same could be achieved with symlink in your BSP:
> > > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > > > 
> > > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > > start without host keys. Or do you want to install a static version of
> > > > > > the host keys generated at build time?
> > > > > 
> > > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > > read-only.
> > > > > 
> > > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > > > 
> > > > > As this is easy to solve at BSP level I never thought it could
> > > > > be a thing :)
> > > > 
> > > > OK, but at least I would mention it in the kconfig help text. The
> > > 
> > > Ack.
> > > 
> > > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > > install_alternative if this option is disabled.
> > > 
> > > No. Shared ssh server keys are a bad idea. That's not something I want to
> > > merge upstream.
> > 
> > This was also my concern...
> > 
> > > 
> > > But there are other use-cases to not use rc-once, e.g. if the server keys
> > > are generated during provisioning. And not selecting rc-once in this case
> > > makes sense, so this is acceptable in general.
> > 
> > I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is 
> > not set.
> 
> Hmmm, right. In the BSP, a /dev/null symlink works for this as well, but
> we currently don't have a way to not install the postinst script. We could
> do something like this (untested):
> 
>   $(call install_script_replace, openssh, postinst, @RC_ONCE@, \
>   $(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))
> 
> And in rules/openssh.postinst:
> 
> #!/bin/sh
> @RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
> 
> This way the script may be installed, but it will do nothing if
> PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.
> 
> Michael
> 
> -- 
> Pengutronix e.K.   | |
> Steuerwalder Str. 21   | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany  | Phone: +49-5121-206917-0|
> Amtsgericht Hildesheim, HRA 2686   | Fax:   +49-5121-206917- |
> 
> ___
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to 
> ptxdist-requ...@pengutronix.de




[ptxdist] [PATCH] openssh: fix INITMETHOD dependencies

2020-11-16 Thread Artur Wiebe
Signed-off-by: Artur Wiebe 
---
 rules/openssh.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/openssh.in b/rules/openssh.in
index 37013250c..b04a7a8a5 100644
--- a/rules/openssh.in
+++ b/rules/openssh.in
@@ -40,13 +40,13 @@ config OPENSSH_SSHD
 config OPENSSH_SSHD_STARTSCRIPT
bool
default y
-   depends on OPENSSH_SSHD
+   depends on OPENSSH_SSHD && INITMETHOD_BBINIT
prompt "install /etc/init.d/openssh"
 
 config OPENSSH_SSHD_SYSTEMD_UNIT
bool
default y
-   depends on OPENSSH_SSHD && SYSTEMD
+   depends on OPENSSH_SSHD && INITMETHOD_SYSTEMD
prompt "install systemd unit files for sshd"
 
 config OPENSSH_SSHD_GENKEYS
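Review bot: The `depends on OPENSSH_SSHD && INITMETHOD_SYSTEMD` line narrows the systemd unit option from "SYSTEMD is selected" to "systemd is the init method", and the commit message has no body saying why; add a sentence on which configuration the old `SYSTEMD` dependency got wrong. The trailing context line `config OPENSSH_SSHD_GENKEYS` and the base blob 37013250c also show that this only applies on top of the host key generation patch, so the two should be sent as one numbered series.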
-- 
2.29.2




[ptxdist] [PATCH] openssh: make host key generation optional

2020-11-16 Thread Artur Wiebe
If not set host keys must be provided in some other way
(otherwise sshd will not start)

Signed-off-by: Artur Wiebe 
---
 rules/openssh.in   | 12 ++--
 rules/openssh.make |  2 ++
 rules/openssh.postinst |  4 +++-
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/rules/openssh.in b/rules/openssh.in
index 09f5c..37013250c 100644
--- a/rules/openssh.in
+++ b/rules/openssh.in
@@ -6,10 +6,10 @@ menuconfig OPENSSH
select OPENSSL
select LIBC_CRYPT
select LIBC_UTIL
-   select RC_ONCE if OPENSSH_SSHD && RUNTIME
+   select RC_ONCE if OPENSSH_SSHD_GENKEYS && RUNTIME
select BUSYBOX_START_STOP_DAEMON if OPENSSH_SSHD_STARTSCRIPT
select LIBSELINUX if GLOBAL_SELINUX
-   select OPENSSH_KEYGEN if OPENSSH_SSHD
+   select OPENSSH_KEYGEN if OPENSSH_SSHD_GENKEYS
prompt "openssh   "
help
  secure shell client/server, an rlogin/rsh/rcp replacement
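Review bot: With `select OPENSSH_KEYGEN if OPENSSH_SSHD_GENKEYS`, switching the new option off also stops OPENSSH_KEYGEN from being pulled in by the sshd selection. For the provisioning use case raised in the thread, where keys are created on the device by some other mechanism, the help text of the new option should say that OPENSSH_KEYGEN then has to be enabled separately.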
@@ -49,6 +49,14 @@ config OPENSSH_SSHD_SYSTEMD_UNIT
depends on OPENSSH_SSHD && SYSTEMD
prompt "install systemd unit files for sshd"
 
+config OPENSSH_SSHD_GENKEYS
+   bool "generate sshd host keys at first boot"
+   default y
+   depends on OPENSSH_SSHD
+   help
+ If not set host keys must be provided in some other way
+ (otherwise sshd will not start)
+
 config OPENSSH_SCP
bool "scp"
help
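Review bot: The help text of OPENSSH_SSHD_GENKEYS only says that keys "must be provided in some other way", which reads as an invitation to bake one key pair into the image. Say explicitly that the keys have to be unique per device, for example generated during provisioning or kept on a data partition as suggested in the thread, and keep the remark that sshd will not start without them.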
diff --git a/rules/openssh.make b/rules/openssh.make
index cae04487f..99fca3f46 100644
--- a/rules/openssh.make
+++ b/rules/openssh.make
@@ -105,8 +105,10 @@ ifdef PTXCONF_OPENSSH_SSHD
/etc/ssh/moduli)
@$(call install_copy, openssh, 0, 0, 0755, -, \
/usr/sbin/sshd)
+ifdef PTXCONF_OPENSSH_SSHD_GENKEYS
@$(call install_alternative, openssh, 0, 0, 0755, 
/etc/rc.once.d/openssh)
 endif
+endif
 
 ifdef PTXCONF_INITMETHOD_BBINIT
 ifdef PTXCONF_OPENSSH_SSHD_STARTSCRIPT
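Review bot: In rules/openssh.make the new `ifdef PTXCONF_OPENSSH_SSHD_GENKEYS` is closed by the existing `endif`, and the added `endif` now closes the outer `ifdef PTXCONF_OPENSSH_SSHD`, which is hard to see with every line at the same indentation. A short comment after each closing `endif` naming the symbol it belongs to would make the nesting reviewable at a glance.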
diff --git a/rules/openssh.postinst b/rules/openssh.postinst
index fcfbf9149..a7bbf1c58 100644
--- a/rules/openssh.postinst
+++ b/rules/openssh.postinst
@@ -1,2 +1,4 @@
 #!/bin/sh
-$DESTDIR/usr/sbin/enable-rc-once openssh
+if [ -f $DESTDIR/etc/rc.once.d/openssh ]; then
+   $DESTDIR/usr/sbin/enable-rc-once openssh
+fi
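Review bot: `$DESTDIR` is unquoted in `[ -f $DESTDIR/etc/rc.once.d/openssh ]` and in the enable-rc-once call, so a path containing whitespace breaks the test; quote both expansions. Also note that `-f` follows symlinks, so a BSP that masks the script with the /dev/null symlink mentioned in the thread now skips enable-rc-once; that looks intended but deserves a line in the commit message.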
-- 
2.29.2




Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional

2020-11-16 Thread Denis Osterland-Heim
Hi,

If I have a ro root, I disable rconce completely and implement something
comparable for a data partition and mount the device unique keys to /etc/ssh/.
rconce mounts your ro root rw and stores something, at least the "done" marker
file, to your root.
I assume you are fine with these changes and just want to keep the key over
updates and therefore you should really consider a data/config partition.
You may also generate the keys in production and mount the config partition
read-only to /etc/ssh/.
But do NOT deploy the same key to different devices.

Regards, Denis

On Monday, 16.11.2020, at 11:32 +0100, Michael Olbrich wrote:
> On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> > On Monday, November 16, 2020 10:36 CET, Michael Olbrich wrote:
> > > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > > >
> > > > > > > The very same could be achieved with symlink in your BSP:
> > > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > > >
> > > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > > start without host keys. Or do you want to install a static version of
> > > > > > the host keys generated at build time?
> > > > >
> > > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > > read-only.
> > > > >
> > > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > > >
> > > > > As this is easy to solve at BSP level I never thought it could
> > > > > be a thing :)
> > > >
> > > > OK, but at least I would mention it in the kconfig help text. The
> > >
> > > Ack.
> > >
> > > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > > install_alternative if this option is disabled.
> > >
> > > No. Shared ssh server keys are a bad idea. That's not something I want to
> > > merge upstream.
> >
> > This was also my concern...
> >
> > >
> > > But there are other use-cases to not use rc-once, e.g. if the server keys
> > > are generated during provisioning. And not selecting rc-once in this case
> > > makes sense, so this is acceptable in general.
> >
> > I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is 
> > not set.
>
> Hmmm, right. In the BSP, a /dev/null symlink works for this as well, but
> we currently don't have a way to not install the postinst script. We could
> do something like this (untested):
>
> $(call install_script_replace, openssh, postinst, @RC_ONCE@, \
> $(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))
>
> And in rules/openssh.postinst:
>
> #!/bin/sh
> @RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
>
> This way the script may be installed, but it will do nothing if
> PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.
>
> Michael
>

___
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to 
ptxdist-requ...@pengutronix.de
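
The host-key cases raised in this thread (keys baked into the image, keys generated on first boot through /etc/rc.once.d/openssh, and the hook masked with a /dev/null symlink) can be told apart on a staged root tree before an image ships. This is an added example, not code from the thread or from ptxdist; the function names, exit codes and sample trees are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not ptxdist code: audit a staged root filesystem tree for
# the sshd host-key cases discussed in this thread.
#
# audit_hostkeys ROOT returns
#   0  no private keys in the image and a first-boot generator is present
#   1  private host keys are baked into the image (every device shares them)
#   2  neither keys nor generator: keys must come from provisioning or a
#      data partition mounted on /etc/ssh, otherwise sshd will not start
audit_hostkeys() {
    root=$1
    baked=0

    for key in "$root"/etc/ssh/ssh_host_*_key; do
        # An unmatched glob stays literal, so test every candidate.
        # The pattern ends in "_key", so *.pub files are never matched.
        if [ -f "$key" ] && [ -s "$key" ]; then
            echo "FAIL: private host key in image: ${key#"$root"}"
            baked=1
        fi
    done
    [ "$baked" -eq 0 ] || return 1

    hook=$root/etc/rc.once.d/openssh
    # -f follows symlinks: a hook masked with "-> /dev/null" resolves to a
    # device node, not a regular file, and therefore counts as absent.
    if [ -f "$hook" ] && [ -s "$hook" ]; then
        echo "OK: keys are generated on first boot by ${hook#"$root"}"
        return 0
    fi

    echo "WARN: no keys and no generator in image; provision per-device keys"
    return 2
}

# Constructed sample trees (hypothetical layout, not real build output).
make_sample_tree() {
    kind=$1
    dir=$2
    mkdir -p "$dir/etc/ssh" "$dir/etc/rc.once.d"
    case $kind in
        genkeys) printf '#!/bin/sh\n# placeholder generator\n' \
                     > "$dir/etc/rc.once.d/openssh" ;;
        static)  printf 'constructed-not-a-real-key\n' \
                     > "$dir/etc/ssh/ssh_host_ed25519_key" ;;
        masked)  ln -s /dev/null "$dir/etc/rc.once.d/openssh" ;;
    esac
}

demo() {
    tmp=$(mktemp -d) || return 1
    for kind in genkeys static masked; do
        make_sample_tree "$kind" "$tmp/$kind"
        status=0
        audit_hostkeys "$tmp/$kind" || status=$?
        echo "$kind -> exit status $status"
    done
    rm -rf "$tmp"
}
demo
```

Absolute symlinks inside the staged tree are resolved against the build host's root, so a key path that points at a data partition is reported as absent rather than as baked in.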


Re: [ptxdist] [PATCH] DRAFT:l

2020-11-16 Thread Artur Wiebe
Doesn't work... :(
 
On Monday, November 16, 2020 11:32 CET, Michael Olbrich wrote:
 
> On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> > On Monday, November 16, 2020 10:36 CET, Michael Olbrich wrote:
> > > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > > > 
> > > > > > > The very same could be achieved with symlink in your BSP:
> > > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > > > 
> > > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > > start without host keys. Or do you want to install a static version of
> > > > > > the host keys generated at build time?
> > > > > 
> > > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > > read-only.
> > > > > 
> > > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > > > 
> > > > > As this is easy to solve at BSP level I never thought it could
> > > > > be a thing :)
> > > > 
> > > > OK, but at least I would mention it in the kconfig help text. The
> > > 
> > > Ack.
> > > 
> > > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > > install_alternative if this option is disabled.
> > > 
> > > No. Shared ssh server keys are a bad idea. That's not something I want to
> > > merge upstream.
> > 
> > This was also my concern...
> > 
> > > 
> > > But there are other use-cases to not use rc-once, e.g. if the server keys
> > > are generated during provisioning. And not selecting rc-once in this case
> > > makes sense, so this is acceptable in general.
> > 
> > I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is 
> > not set.
> 
> Hmmm, right. In the BSP, a /dev/null symlink works for this as well, but
> we currently don't have a way to not install the postinst script. We could
> do something like this (untested):
> 
>   $(call install_script_replace, openssh, postinst, @RC_ONCE@, \
>   $(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))

-
target: openssh.targetinstall
-

install_init:   preparing for image creation of 'openssh'...
install_init:   @ARCH@ -> x86_64
install_init:   @PACKAGE@ -> openssh
install_init:   @VERSION@ -> 8.3p1
install_init:   @DEPENDS@ -> openssl, rc-once, zlib
install_init:   preinst not available
install_init:   postinst packaging: 'root/rules/openssh.postinst'
install_init:   prerm not available
install_init:   postrm not available
install_fixup:  @PRIORITY@ -> optional ... done.
install_fixup:  @SECTION@ -> base ... done.
install_fixup:  @AUTHOR@ -> "Marc Kleine-Budde " ... done.
install_fixup:  @DESCRIPTION@ -> missing ... done.
XPKG=openssh; FILE=postinst; PLACEHOLDER=@RC_ONCE@; VALUE=; 
CMD="install_script_replace"; if [ ! -f 
"/tmp/ptxdist.qS1dcP/openssh.targetinstall.$XPKG" ]; then echo; echo "Error: 
install_init was not called for package '$XPKG'!"; echo "This is probably 
caused by a typo in the package name of:"; echo "\$(call $CMD, $XPKG, ...)"; 
echo; exit 1; fi; echo "ptxd_install_script_replace '$FILE' '$PLACEHOLDER' 
'$VALUE'" >> "/mnt/root/platform-x86/state/$XPKG.cmds"
xpkg_finish:collecting license (BSD AND BSD-2-Clause AND BSD-3-Clause AND 
MIT AND Beerware AND ISC) ... done.
xpkg_finish:creating opkg package ...


ptxdist: error: ptxd_install_script_replace: 'dst' must be an absolute path!


xpkg_finish: failed.

> 
> And in rules/openssh.postinst:
> 
> #!/bin/sh
> @RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
> 
> This way the script may be installed, but it will do nothing if
> PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.
> 
> Michael
> 
> -- 
> Pengutronix e.K.   | |
> Steuerwalder Str. 21   | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany  | Phone: +49-5121-206917-0|
> Amtsgericht Hildesheim, HRA 2686   | Fax:   +49-5121-206917- |
> 




[ptxdist] [PATCH v2] wpewebkit: version bump 2.30.1 -> 2.30.2

2020-11-16 Thread Bastian Krause
Signed-off-by: Bastian Krause 
---
Changes since v1:
- patch ported
---
 ...WebProcess-InjectedBundle-guard-setGenericCueAPIEnab.patch | 0
 patches/{wpewebkit-2.30.1 => wpewebkit-2.30.2}/series | 0
 rules/wpewebkit.make  | 4 ++--
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename patches/{wpewebkit-2.30.1 => 
wpewebkit-2.30.2}/0001-WebProcess-InjectedBundle-guard-setGenericCueAPIEnab.patch
 (100%)
 rename patches/{wpewebkit-2.30.1 => wpewebkit-2.30.2}/series (100%)

diff --git 
a/patches/wpewebkit-2.30.1/0001-WebProcess-InjectedBundle-guard-setGenericCueAPIEnab.patch
 
b/patches/wpewebkit-2.30.2/0001-WebProcess-InjectedBundle-guard-setGenericCueAPIEnab.patch
similarity index 100%
rename from 
patches/wpewebkit-2.30.1/0001-WebProcess-InjectedBundle-guard-setGenericCueAPIEnab.patch
rename to 
patches/wpewebkit-2.30.2/0001-WebProcess-InjectedBundle-guard-setGenericCueAPIEnab.patch
diff --git a/patches/wpewebkit-2.30.1/series b/patches/wpewebkit-2.30.2/series
similarity index 100%
rename from patches/wpewebkit-2.30.1/series
rename to patches/wpewebkit-2.30.2/series
diff --git a/rules/wpewebkit.make b/rules/wpewebkit.make
index 2b8f8cd8b..a95efb209 100644
--- a/rules/wpewebkit.make
+++ b/rules/wpewebkit.make
@@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_WPEWEBKIT) += wpewebkit
 #
 # Paths and names
 #
-WPEWEBKIT_VERSION  := 2.30.1
-WPEWEBKIT_MD5  := 251228a6e2917eff90a3eb6e9a7e920d
+WPEWEBKIT_VERSION  := 2.30.2
+WPEWEBKIT_MD5  := 5b0fedb53dbb36e572935fd54a7b
 WPEWEBKIT  := wpewebkit-$(WPEWEBKIT_VERSION)
 WPEWEBKIT_SUFFIX   := tar.xz
 WPEWEBKIT_URL  := 
https://wpewebkit.org/releases/$(WPEWEBKIT).$(WPEWEBKIT_SUFFIX)
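Review bot: The new `WPEWEBKIT_MD5` value as shown has 28 hex digits, while an MD5 digest has 32 (the removed value does); a value of that length cannot match the 2.30.2 tarball. Please re-check the checksum against the downloaded wpewebkit-2.30.2.tar.xz before this is applied.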
-- 
2.28.0




[ptxdist] [PATCH 4/4] piglit: switch to ninja build

2020-11-16 Thread Lucas Stach
Seems to work fine here and is quite a bit faster than the
cmake native build.

Signed-off-by: Lucas Stach 
---
 rules/piglit.in   | 1 +
 rules/piglit.make | 1 +
 2 files changed, 2 insertions(+)

diff --git a/rules/piglit.in b/rules/piglit.in
index 889765ee55af..c4414d545cc2 100644
--- a/rules/piglit.in
+++ b/rules/piglit.in
@@ -4,6 +4,7 @@ menuconfig PIGLIT
tristate
prompt "piglit"
select HOST_CMAKE
+   select HOST_NINJA
select HOST_SYSTEM_PYTHON3
select HOST_SYSTEM_PYTHON3_MAKO
select HOST_SYSTEM_PYTHON3_NUMPY
diff --git a/rules/piglit.make b/rules/piglit.make
index 1f000cd467b0..9be2826493c0 100644
--- a/rules/piglit.make
+++ b/rules/piglit.make
@@ -31,6 +31,7 @@ PIGLIT_BUILD_OOT  := NO
 PIGLIT_CONF_TOOL   := cmake
 
 PIGLIT_CONF_OPT:= $(CROSS_CMAKE_USR) \
+   -G Ninja \
-DPYTHON_EXECUTABLE:FILEPATH=$(SYSTEMPYTHON3) \
-DPIGLIT_USE_WAFFLE=1 \
-DPIGLIT_BUILD_GL_TESTS=$(call ptx/ifdef, 
PTXCONF_PIGLIT_TESTS_OPENGL,1,0) \
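Review bot: `-G Ninja` is added to PIGLIT_CONF_OPT while `PIGLIT_CONF_TOOL := cmake` stays unchanged, and nothing in this hunk tells the compile and install stages to call ninja instead of make. If the cmake tool handling picks that up automatically, say so in the commit message; "seems to work fine here" does not tell a reader why no further change is needed.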
-- 
2.20.1




[ptxdist] [PATCH] sdl2: version bump 2.0.10 -> 2.0.12

2020-11-16 Thread Lucas Stach
Signed-off-by: Lucas Stach 
---
 ...001-sdl-2.0.8-add-egl-cflags-to-test.patch | 55 ---
 .../0002-fix-building-with-Mesa-19.2.patch| 37 -
 patches/SDL2-2.0.10/autogen.sh|  3 -
 patches/SDL2-2.0.10/series|  5 --
 rules/sdl2-test.make  |  3 +-
 rules/sdl2.make   |  7 ++-
 6 files changed, 7 insertions(+), 103 deletions(-)
 delete mode 100644 
patches/SDL2-2.0.10/0001-sdl-2.0.8-add-egl-cflags-to-test.patch
 delete mode 100644 patches/SDL2-2.0.10/0002-fix-building-with-Mesa-19.2.patch
 delete mode 100755 patches/SDL2-2.0.10/autogen.sh
 delete mode 100644 patches/SDL2-2.0.10/series

diff --git a/patches/SDL2-2.0.10/0001-sdl-2.0.8-add-egl-cflags-to-test.patch 
b/patches/SDL2-2.0.10/0001-sdl-2.0.8-add-egl-cflags-to-test.patch
deleted file mode 100644
index dd2ec8400925..
--- a/patches/SDL2-2.0.10/0001-sdl-2.0.8-add-egl-cflags-to-test.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Sergey Zhuravlevich 
-Date: Mon, 16 Jul 2018 12:03:42 +0200
-Subject: [PATCH] sdl-2.0.8: add egl-cflags to test
-
-- also call aclocal to expand PKG_CHECK_MODULES
-
-Signed-off-by: Sergey Zhuravlevich 
-Signed-off-by: Michael Grzeschik 

- autogen.sh   |  2 +-
- configure.ac | 11 +++
- 2 files changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/autogen.sh b/autogen.sh
-index 9edfb8a7d913..2f1e2ef3d419 100755
 a/autogen.sh
-+++ b/autogen.sh
-@@ -8,7 +8,7 @@ test -z "$srcdir" && srcdir=.
- cd "$srcdir"
- 
- # Regenerate configuration files
--cat acinclude/* >aclocal.m4
-+aclocal
- found=false
- for autoconf in autoconf autoconf259 autoconf-2.59
- do if which $autoconf >/dev/null 2>&1; then $autoconf && found=true; break; fi
-diff --git a/configure.ac b/configure.ac
-index 9e782c653dfd..1e0477d1d0f2 100644
 a/configure.ac
-+++ b/configure.ac
-@@ -2268,6 +2268,14 @@ dnl Find OpenGL ES
- CheckOpenGLESX11()
- {
- if test x$enable_video = xyes -a x$enable_video_opengles = xyes; then
-+PKG_CHECK_MODULES(EGL, [egl], [have_egl="yes"], [have_egl="no"])
-+
-+save_CFLAGS="$CFLAGS"
-+if test x$have_egl = xyes; then
-+  CFLAGS="$save_CFLAGS $EGL_CFLAGS"
-+  EXTRA_CFLAGS="$EXTRA_CFLAGS $EGL_CFLAGS"
-+fi
-+
- AC_MSG_CHECKING(for EGL support)
- video_opengl_egl=no
- AC_TRY_COMPILE([
-@@ -2421,6 +2429,9 @@ CheckEmscriptenGLES()
- video_opengl_egl=yes
- ])
- AC_MSG_RESULT($video_opengl_egl)
-+
-+CFLAGS="$save_CFLAGS"
-+
- if test x$video_opengl_egl = xyes; then
- AC_DEFINE(SDL_VIDEO_OPENGL_EGL, 1, [ ])
- fi
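Review bot: The commit message is a bare version bump, but this hunk deletes the local `PKG_CHECK_MODULES(EGL, [egl], ...)` change to configure.ac together with the switch to `aclocal` in autogen.sh. State in the message whether SDL 2.0.12 picks up EGL_CFLAGS on its own, so the removal can be reviewed without diffing the upstream release.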
diff --git a/patches/SDL2-2.0.10/0002-fix-building-with-Mesa-19.2.patch 
b/patches/SDL2-2.0.10/0002-fix-building-with-Mesa-19.2.patch
deleted file mode 100644
index 0c29e7bd05cb..
--- a/patches/SDL2-2.0.10/0002-fix-building-with-Mesa-19.2.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Michael Olbrich 
-Date: Thu, 10 Oct 2019 18:09:14 +0200
-Subject: [PATCH] fix building with Mesa 19.2
-
-With Mesa 19.2 building fails with:
-
-/include/GLES/gl.h:63:25: error: conflicting types for 'GLsizeiptr'
-
-The same type is defined in include/SDL_opengl.h for OpenGL and the two
-headers should not be included at the same time.
-This was just never noticed because the same header guard '__gl_h_' was
-used. This was changed in Mesa. The result is this error.
-
-Fix this the same way GLES2 already handles this: Don't include the GLES
-header when the OpenGL header was already included.
-
-Signed-off-by: Michael Olbrich 

- src/video/SDL_video.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/video/SDL_video.c b/src/video/SDL_video.c
-index c63f74631b71..62b9075a3d5f 100644
 a/src/video/SDL_video.c
-+++ b/src/video/SDL_video.c
-@@ -37,9 +37,9 @@
- #include "SDL_opengl.h"
- #endif /* SDL_VIDEO_OPENGL */
- 
--#if SDL_VIDEO_OPENGL_ES
-+#if SDL_VIDEO_OPENGL_ES && !SDL_VIDEO_OPENGL
- #include "SDL_opengles.h"
--#endif /* SDL_VIDEO_OPENGL_ES */
-+#endif /* SDL_VIDEO_OPENGL_ES && !SDL_VIDEO_OPENGL */
- 
- /* GL and GLES2 headers conflict on Linux 32 bits */
- #if SDL_VIDEO_OPENGL_ES2 && !SDL_VIDEO_OPENGL
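Review bot: The deleted patch documents a build failure with Mesa 19.2 (conflicting types for 'GLsizeiptr') that it fixed with `#if SDL_VIDEO_OPENGL_ES && !SDL_VIDEO_OPENGL` in src/video/SDL_video.c. The commit message should confirm that 2.0.12 contains an equivalent guard, otherwise that failure comes back with this bump.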
diff --git a/patches/SDL2-2.0.10/autogen.sh b/patches/SDL2-2.0.10/autogen.sh
deleted file mode 100755
index a430a4eb793e..
--- a/patches/SDL2-2.0.10/autogen.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-./autogen.sh
diff --git a/patches/SDL2-2.0.10/series b/patches/SDL2-2.0.10/series
deleted file mode 100644
index 9b148ffb87ec..
--- a/patches/SDL2-2.0.10/series
+++ /dev/null
@@ -1,5 +0,0 @@
-# generated by git-ptx-patches
-#tag:base --start-number 1
-0001-sdl-2.0.8-add-egl-cflags-to-test.patch
-0002-fix-building-with-Mesa-19.2.patch
-# 270a9679587ad5b5f637efc4218d7208  - git-ptx-patches magic
diff --git a/rules/sdl2-test.make b/rules/sdl2-test.make
index 5c92ebf6b583..c90d4d680370 100644
--- a/rules/sdl2-test.make
+++ 

[ptxdist] [PATCH 3/4] piglit: drop freeglut dependency

2020-11-16 Thread Lucas Stach
We always build piglit with libwaffle support, so the freeglut based
winsys is never built. Drop the dependency.

Signed-off-by: Lucas Stach 
---
 rules/piglit.in | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/piglit.in b/rules/piglit.in
index d4577200d458..889765ee55af 100644
--- a/rules/piglit.in
+++ b/rules/piglit.in
@@ -17,7 +17,6 @@ menuconfig PIGLIT
select WAFFLE
select WAYLAND if PIGLIT_WAYLAND
select LIBXKBCOMMON if PIGLIT_WAYLAND
-   select FREEGLUT if PIGLIT_TESTS_OPENGL
select MESALIB_GLX if PIGLIT_TESTS_OPENGL
select MESALIB_OPENGL if PIGLIT_TESTS_OPENGL
select XORG if PIGLIT_TESTS_OPENGL
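Review bot: After `select FREEGLUT if PIGLIT_TESTS_OPENGL` is removed, the neighbouring `select MESALIB_GLX` and `select XORG` lines under the same condition stay. If they were only needed for the freeglut winsys they can go in the same patch; if the waffle path needs them, one sentence in the commit message would settle it.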
-- 
2.20.1




[ptxdist] [PATCH 2/4] waffle: version bump 1.5.2 -> 1.6.1

2020-11-16 Thread Lucas Stach
- version bump
- use ptx/onoff configuration helper

Signed-off-by: Lucas Stach 
---
 ...se-EGL-CFLAGS-reported-by-pkg-config.patch | 47 ---
 patches/waffle-1.5.2/series   |  1 -
 rules/waffle.make | 18 ---
 3 files changed, 12 insertions(+), 54 deletions(-)
 delete mode 100644 
patches/waffle-1.5.2/0001-egl-use-EGL-CFLAGS-reported-by-pkg-config.patch
 delete mode 100644 patches/waffle-1.5.2/series

diff --git 
a/patches/waffle-1.5.2/0001-egl-use-EGL-CFLAGS-reported-by-pkg-config.patch 
b/patches/waffle-1.5.2/0001-egl-use-EGL-CFLAGS-reported-by-pkg-config.patch
deleted file mode 100644
index 30759ce4e427..
--- a/patches/waffle-1.5.2/0001-egl-use-EGL-CFLAGS-reported-by-pkg-config.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 359902f8f043e7a7d782d1df3d5d74c3b2a3bd04 Mon Sep 17 00:00:00 2001
-From: Philipp Zabel 
-Date: Thu, 8 Jun 2017 13:52:02 +0200
-Subject: [PATCH] egl: use EGL CFLAGS reported by pkg-config
-
-Some platforms need -DMESA_EGL_NO_X11_HEADERS set, as indicated by the
-Cflags: field in egl.pc. pkg-config provides this information, pass it
-to the compiler.
-
-Signed-off-by: Philipp Zabel 

- src/waffle/CMakeLists.txt | 5 +
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/waffle/CMakeLists.txt b/src/waffle/CMakeLists.txt
-index d76e029..954774c 100644
 a/src/waffle/CMakeLists.txt
-+++ b/src/waffle/CMakeLists.txt
-@@ -94,6 +94,9 @@ if(waffle_on_mac)
- endif()
- 
- if(waffle_has_egl)
-+list(APPEND waffle_cflags
-+${egl_CFLAGS}
-+)
- list(APPEND waffle_sources
- egl/wegl_config.c
- egl/wegl_context.c
-@@ -227,6 +230,7 @@ target_link_libraries(${waffle_libname} ${waffle_libdeps})
- 
- set_target_properties(${waffle_libname}
- PROPERTIES
-+COMPILE_FLAGS ${waffle_cflags}
- SOVERSION ${waffle_soversion}
- VERSION 
${waffle_soversion}.${waffle_minor_version}.${waffle_patch_version}
- )
-@@ -266,6 +270,7 @@ target_link_libraries(waffle_static ${waffle_libdeps})
- 
- set_target_properties(waffle_static
- PROPERTIES
-+COMPILE_FLAGS ${waffle_cflags}
- OUTPUT_NAME "waffle-static-${waffle_major_version}"
- )
- 
--- 
-2.11.0
-
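Review bot: The commit message lists only "version bump" and "use ptx/onoff configuration helper", yet this hunk drops the local patch that appended `${egl_CFLAGS}` to the waffle compile flags. Add a line stating that 1.6.1 already carries this change, or explain why it is no longer needed.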
diff --git a/patches/waffle-1.5.2/series b/patches/waffle-1.5.2/series
deleted file mode 100644
index 6b680e422f5a..
--- a/patches/waffle-1.5.2/series
+++ /dev/null
@@ -1 +0,0 @@
-0001-egl-use-EGL-CFLAGS-reported-by-pkg-config.patch
diff --git a/rules/waffle.make b/rules/waffle.make
index f2c72420793f..7a384476ecc7 100644
--- a/rules/waffle.make
+++ b/rules/waffle.make
@@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_WAFFLE) += waffle
 #
 # Paths and names
 #
-WAFFLE_VERSION := 1.5.2
-WAFFLE_MD5 := c669c91bf2f7e13a5d781c3dbb30fd8c
+WAFFLE_VERSION := 1.6.1
+WAFFLE_MD5 := c91529e579483f44fb330052872b9c73
 WAFFLE := waffle-$(WAFFLE_VERSION)
 WAFFLE_SUFFIX  := tar.xz
 WAFFLE_URL := 
http://www.waffle-gl.org/files/release/$(WAFFLE)/$(WAFFLE).$(WAFFLE_SUFFIX)
@@ -32,10 +32,16 @@ WAFFLE_LICENSE_FILES := \
 WAFFLE_CONF_TOOL   := cmake
 WAFFLE_CONF_OPT:= \
$(CROSS_CMAKE_USR) \
-   -Dwaffle_has_glx=$(call ptx/ifdef,PTXCONF_WAFFLE_GLX,1,0) \
-   -Dwaffle_has_wayland=$(call ptx/ifdef,PTXCONF_WAFFLE_WAYLAND,1,0) \
-   -Dwaffle_has_x11_egl=$(call ptx/ifdef,PTXCONF_WAFFLE_X11_EGL,1,0) \
-   -Dwaffle_has_gbm=$(call ptx/ifdef,PTXCONF_WAFFLE_GBM,1,0)
+   -Dwaffle_build_examples=OFF \
+   -Dwaffle_build_htmldocs=OFF \
+   -Dwaffle_build_manpages=OFF \
+   -Dwaffle_build_tests=OFF \
+   -Dwaffle_has_gbm=$(call ptx/onoff,PTXCONF_WAFFLE_GBM) \
+   -Dwaffle_has_glx=$(call ptx/onoff,PTXCONF_WAFFLE_GLX) \
+   -Dwaffle_has_nacl=OFF \
+   -Dwaffle_has_surfaceless_egl=OFF \
+   -Dwaffle_has_wayland=$(call ptx/onoff,PTXCONF_WAFFLE_WAYLAND) \
+   -Dwaffle_has_x11_egl=$(call ptx/onoff,PTXCONF_WAFFLE_X11_EGL) \
 
 
 # 
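
Review bot: the last added option line, `-Dwaffle_has_x11_egl=$(call ptx/onoff,PTXCONF_WAFFLE_X11_EGL) \`, ends WAFFLE_CONF_OPT with a trailing backslash, so the assignment continues into the blank line that follows. That works today, but anything later placed directly below it gets silently appended to the cmake options. Drop the backslash on the final entry, as the removed `-Dwaffle_has_gbm=...` line did.
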
-- 
2.20.1


___
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to 
ptxdist-requ...@pengutronix.de


[ptxdist] [PATCH 1/4] xcb-proto: version bump 1.13 -> 1.14.1

2020-11-16 Thread Lucas Stach
Signed-off-by: Lucas Stach 
---
 rules/xcb-proto.make | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/xcb-proto.make b/rules/xcb-proto.make
index ca54478561c9..fa0e0b97c64b 100644
--- a/rules/xcb-proto.make
+++ b/rules/xcb-proto.make
@@ -15,11 +15,11 @@ PACKAGES-$(PTXCONF_XCB_PROTO) += xcb-proto
 #
 # Paths and names
 #
-XCB_PROTO_VERSION  := 1.13
-XCB_PROTO_MD5  := abe9aa4886138150bbc04ae4f29b90e3
+XCB_PROTO_VERSION  := 1.14.1
+XCB_PROTO_MD5  := ecd6955dab1a7b9ba9756a11b8bdb48f
 XCB_PROTO  := xcb-proto-$(XCB_PROTO_VERSION)
-XCB_PROTO_SUFFIX   := tar.bz2
-XCB_PROTO_URL  := 
http://xcb.freedesktop.org/dist/$(XCB_PROTO).$(XCB_PROTO_SUFFIX)
+XCB_PROTO_SUFFIX   := tar.xz
+XCB_PROTO_URL  := 
http://xorg.freedesktop.org/archive/individual/proto/$(XCB_PROTO).$(XCB_PROTO_SUFFIX)
 XCB_PROTO_SOURCE   := $(SRCDIR)/$(XCB_PROTO).$(XCB_PROTO_SUFFIX)
 XCB_PROTO_DIR  := $(BUILDDIR)/$(XCB_PROTO)
 XCB_PROTO_LICENSE  := MIT
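
Review bot: the new XCB_PROTO_URL still uses plain http://, and the only integrity check on the tarball is XCB_PROTO_MD5. Since the URL line is rewritten here anyway, point it at https:// if the host serves it, so the download does not rest on an MD5 sum fetched over an unauthenticated transport.
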
-- 
2.20.1




[ptxdist] [PATCH v3] ptxd_make_fit_image: Add support for kernel load/entry addresses

2020-11-16 Thread avazquez . dev
From: AVazquez 

Make it possible to specify load/entry addresses for the kernel.
These are required by the FIT image specification, but in some cases
users may not want to include them, so they are made optional.

Also add mandatory "os" property for kernel and ramdisk.

Signed-off-by: AVazquez 
---
Changes since v2:
- add help text.
- fix align problem.
Changes since v1:
- load/entry addresses made optional.

 platforms/kernel-fit.in| 12 
 scripts/lib/ptxd_make_fit_image.sh | 14 ++
 2 files changed, 26 insertions(+)

diff --git a/platforms/kernel-fit.in b/platforms/kernel-fit.in
index 8cbc1a8..9585ce6 100644
--- a/platforms/kernel-fit.in
+++ b/platforms/kernel-fit.in
@@ -17,6 +17,18 @@ menuconfig KERNEL_FIT
 
 if KERNEL_FIT
 
+config KERNEL_FIT_LOAD
+   string
+   prompt "Kernel load address (optional)"
+   help
+ Required by most bootloaders. Optional for Barebox.
+
+config KERNEL_FIT_ENTRY
+   string
+   prompt "Kernel entry address (optional)"
+   help
+ Required by most bootloaders. Optional for Barebox.
+
 config KERNEL_FIT_SIGNED
bool
prompt "sign FIT image"
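
Review bot: the help text of KERNEL_FIT_LOAD and KERNEL_FIT_ENTRY does not say what format the string must have. The value is pasted verbatim between `<` and `>` in the generated image source, so the help should state the expected notation (for example a single hexadecimal cell value) and that leaving the string empty omits the property.
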
diff --git a/scripts/lib/ptxd_make_fit_image.sh 
b/scripts/lib/ptxd_make_fit_image.sh
index 9754d1e..af53566 100644
--- a/scripts/lib/ptxd_make_fit_image.sh
+++ b/scripts/lib/ptxd_make_fit_image.sh
@@ -21,7 +21,20 @@ ptxd_make_image_fit_its() {
data = /incbin/("${image_kernel}");
type = "kernel";
arch = "$(ptxd_get_ptxconf PTXCONF_ARCH_STRING)";
+   os = "linux";
compression = "none";
+EOF
+if [ -n "$(ptxd_get_ptxconf PTXCONF_KERNEL_FIT_LOAD)" ]; then
+cat << EOF
+   load = <$(ptxd_get_ptxconf PTXCONF_KERNEL_FIT_LOAD)>;
+EOF
+fi
+if [ -n "$(ptxd_get_ptxconf PTXCONF_KERNEL_FIT_ENTRY)" ]; then
+cat << EOF
+   entry = <$(ptxd_get_ptxconf PTXCONF_KERNEL_FIT_ENTRY)>;
+EOF
+fi
+cat << EOF
hash-1 {
algo = "sha256";
};
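
Review bot: the two new `if [ -n ... ]` blocks test PTXCONF_KERNEL_FIT_LOAD and PTXCONF_KERNEL_FIT_ENTRY independently, so a configuration with only one of them set emits a kernel node with `load` but no `entry`, or the reverse. If the pair is only meaningful together, emit both or neither and fail with a message when exactly one is set. Each value is also fetched twice with ptxd_get_ptxconf and inserted unchecked; reading it once into a local variable would give a place to reject anything that is not a plain address.
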
@@ -33,6 +46,7 @@ EOF
description = "initramfs";
data = /incbin/("${image_initramfs}");
type = "ramdisk";
+   os = "linux";
compression = "none";
hash-1 {
algo = "sha256";
-- 
1.9.1




Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional

2020-11-16 Thread Michael Olbrich
On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> On Monday, November 16, 2020 10:36 CET, Michael Olbrich 
>  wrote: 
> > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > > 
> > > > > > The very same could be achieved with symlink in your BSP:
> > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > > 
> > > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > > start without host keys. Or do you want to install a static version of
> > > > > the host keys generated at build time? 
> > > > 
> > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > read-only.
> > > > 
> > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > > 
> > > > As this is easy to solve at BSP level I never thought it could
> > > > be a thing :)
> > > 
> > > OK, but at least I would mention it in the kconfig help text. The
> > 
> > Ack.
> > 
> > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > install_alternative if this option is disabled.
> > 
> > No. Shared ssh server keys are a bad idea. That's not something I want to
> > merge upstream.
> 
> This was also my concern...
> 
> > 
> > But there are other use-cases to not use rc-once, e.g. if the server keys
> > are generated during provisioning. And not selecting rc-once in this case
> > makes sense, so this is acceptable in general.
> 
> I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is not 
> set.

Hmmm, right. In the BSP, a /dev/null symlink works for this as well, but
we currently don't have a way to not install the postinst script. We could
do something like this (untested):

$(call install_script_replace, openssh, postinst, @RC_ONCE@, \
$(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))

And in rules/openssh.postinst:

#!/bin/sh
@RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh

This way the script may be installed, but it will do nothing if
PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.

Michael

-- 
Pengutronix e.K.   | |
Steuerwalder Str. 21   | http://www.pengutronix.de/  |
31137 Hildesheim, Germany  | Phone: +49-5121-206917-0|
Amtsgericht Hildesheim, HRA 2686   | Fax:   +49-5121-206917- |



Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional

2020-11-16 Thread Artur Wiebe
On Monday, November 16, 2020 10:36 CET, Michael Olbrich 
 wrote: 
 
> On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > 
> > > > > The very same could be achieved with symlink in your BSP:
> > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > 
> > > > I don't understand why you want to disable this. The SSH server will not
> > > > start without host keys. Or do you want to install a static version of
> > > > the host keys generated at build time? 
> > > 
> > > Yes, keys are static, generated at build time. Root filesystem is
> > > read-only.
> > > 
> > > > If so, there should be an option for this. But for now, in my opinion,
> > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > 
> > > As this is easy to solve at BSP level I never thought it could
> > > be a thing :)
> > 
> > OK, but at least I would mention it in the kconfig help text. The
> 
> Ack.
> 
> > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > install_alternative if this option is disabled.
> 
> No. Shared ssh server keys are a bad idea. That's not something I want to
> merge upstream.

This was also my concern...

> 
> But there are other use-cases to not use rc-once, e.g. if the server keys
> are generated during provisioning. And not selecting rc-once in this case
> makes sense, so this is acceptable in general.

I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is not 
set.

> 
> Michael
> 
> 




Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional

2020-11-16 Thread Michael Olbrich
On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> How can openssh.postinst be disabled from within the rule files?
> ---
>  rules/openssh.in   | 14 ++
>  rules/openssh.make |  2 ++
>  2 files changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/rules/openssh.in b/rules/openssh.in
> index 09f5c..f9d1affbd 100644
> --- a/rules/openssh.in
> +++ b/rules/openssh.in
> @@ -6,10 +6,10 @@ menuconfig OPENSSH
>   select OPENSSL
>   select LIBC_CRYPT
>   select LIBC_UTIL
> - select RC_ONCE if OPENSSH_SSHD && RUNTIME
> + select RC_ONCE if OPENSSH_SSHD_GENKEYS && RUNTIME
>   select BUSYBOX_START_STOP_DAEMON if OPENSSH_SSHD_STARTSCRIPT
>   select LIBSELINUX if GLOBAL_SELINUX
> - select OPENSSH_KEYGEN if OPENSSH_SSHD
> + select OPENSSH_KEYGEN if OPENSSH_SSHD_GENKEYS
>   prompt "openssh   "
>   help
> secure shell client/server, an rlogin/rsh/rcp replacement
> @@ -40,15 +40,21 @@ config OPENSSH_SSHD
>  config OPENSSH_SSHD_STARTSCRIPT
>   bool
>   default y
> - depends on OPENSSH_SSHD
> + depends on OPENSSH_SSHD && INITMETHOD_BBINIT

unrelated.

>   prompt "install /etc/init.d/openssh"
>  
>  config OPENSSH_SSHD_SYSTEMD_UNIT
>   bool
>   default y
> - depends on OPENSSH_SSHD && SYSTEMD
> + depends on OPENSSH_SSHD && INITMETHOD_SYSTEMD

this as well.

Michael

>   prompt "install systemd unit files for sshd"
>  
> +config OPENSSH_SSHD_GENKEYS
> + bool
> + default y
> + depends on OPENSSH_SSHD
> + prompt "generate sshd host keys at first boot"
> +
>  config OPENSSH_SCP
>   bool "scp"
>   help
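
Review bot: the new `config OPENSSH_SSHD_GENKEYS` entry has a prompt but no `help` text. Per the first hunk, disabling it drops both `select RC_ONCE` and `select OPENSSH_KEYGEN`, so the help should say that host keys then have to be supplied some other way.
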
> diff --git a/rules/openssh.make b/rules/openssh.make
> index cae04487f..0da2f23cd 100644
> --- a/rules/openssh.make
> +++ b/rules/openssh.make
> @@ -105,8 +105,10 @@ ifdef PTXCONF_OPENSSH_SSHD
>   /etc/ssh/moduli)
>   @$(call install_copy, openssh, 0, 0, 0755, -, \
>   /usr/sbin/sshd)
> +ifdef OPENSSH_SSHD_GENKEYS
>   @$(call install_alternative, openssh, 0, 0, 0755, 
> /etc/rc.once.d/openssh)
>  endif
> +endif
>  
>  ifdef PTXCONF_INITMETHOD_BBINIT
>  ifdef PTXCONF_OPENSSH_SSHD_STARTSCRIPT
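
Review bot: the added `ifdef OPENSSH_SSHD_GENKEYS` is missing the PTXCONF_ prefix that every other conditional in this hunk carries (`ifdef PTXCONF_OPENSSH_SSHD`, `ifdef PTXCONF_INITMETHOD_BBINIT`). With the unprefixed name the test does not look at the kconfig symbol, so /etc/rc.once.d/openssh would be skipped even when key generation is enabled. Use `ifdef PTXCONF_OPENSSH_SSHD_GENKEYS`.
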
> -- 
> 2.29.2
> 
> 
> 



Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional

2020-11-16 Thread Michael Olbrich
On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > How can openssh.postinst be disabled from within the rule files?
> > > > 
> > > > The very same could be achieved with symlink in your BSP:
> > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > 
> > > I don't understand why you want to disable this. The SSH server will not
> > > start without host keys. Or do you want to install a static version of
> > > the host keys generated at build time? 
> > 
> > Yes, keys are static, generated at build time. Root filesystem is
> > read-only.
> > 
> > > If so, there should be an option for this. But for now, in my opinion,
> > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > 
> > As this is easy to solve at BSP level I never thought it could
> > be a thing :)
> 
> OK, but at least I would mention it in the kconfig help text. The

Ack.

> openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> install_alternative if this option is disabled.

No. Shared ssh server keys are a bad idea. That's not something I want to
merge upstream.

But there are other use-cases to not use rc-once, e.g. if the server keys
are generated during provisioning. And not selecting rc-once in this case
makes sense, so this is acceptable in general.

Michael
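
A build-time check for the concern raised in this reply, as an added example that is not part of the original mail or of ptxdist: it classifies an image root directory by how sshd gets its host keys. The paths are the ones named in the thread; the function name, the result strings and the treatment of symlinked key files are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify how an image root directory gets its sshd host keys.
# Paths come from the thread; function name and result strings are made up here.
classify_hostkeys() {
    root=$1

    # A regular, non-empty private key file inside the image means every
    # device flashed from it shares that key. "ssh_host_*_key" does not match
    # the .pub files. Symlinks are skipped on the assumption that they point
    # to writable storage that is filled per device.
    for key in "$root"/etc/ssh/ssh_host_*_key; do
        [ -L "$key" ] && continue
        if [ -f "$key" ] && [ -s "$key" ]; then
            echo "shared-keys"
            return 0
        fi
    done

    hook="$root/etc/rc.once.d/openssh"
    if [ -L "$hook" ]; then
        # The BSP-level trick from the thread: hook -> /dev/null disables it.
        if [ "$(readlink "$hook")" = "/dev/null" ]; then
            echo "no-keygen"
        else
            echo "first-boot-keygen"
        fi
    elif [ -f "$hook" ]; then
        echo "first-boot-keygen"
    else
        # No hook at all: keys must arrive through provisioning.
        echo "no-keygen"
    fi
}

# Stand-alone use: sh check.sh <image root directory>
if [ "$#" -ge 1 ]; then
    classify_hostkeys "$1"
fi
```

A release pipeline can fail the build on "shared-keys" and require a documented provisioning step whenever the result is "no-keygen".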




[ptxdist] [PATCH v3 3/5] dropbear: Revise comments

2020-11-16 Thread Alexander Dahl
Add more section markers and update recommendations based on upstream's
'default_options.h' file.

Signed-off-by: Alexander Dahl 
---

Notes:
v3:
- Adapt to new patch 2/5 removing some options

 rules/dropbear.in   |  8 +---
 rules/dropbear.make | 18 +++---
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/rules/dropbear.in b/rules/dropbear.in
index d23f9b17f..7f777ae64 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -208,7 +208,7 @@ config DROPBEAR_CTR_CIPHERS
  CBC mode against certain attacks. This adds around 1kB to binary
  size and is recommended for most cases.
 
-comment "Integrity, at least one required --- RFC Draft requires sha1-hmac and 
recommends sha1-96"
+comment "Integrity, at least one required --- sha2-256 is recommended as a 
default, sha1 for compatibility"
 
 config DROPBEAR_SHA1
bool
@@ -260,7 +260,7 @@ config DROPBEAR_SHA512
  SHA-1. SHA-2 consists of a set of four hash functions with digests
  that are 224, 256, 384 or 512 bits.
 
-comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC 
Draft requires dss, recommends rsa"
+comment "Hostkey/public key algorithms, at least one required --- RSA is 
recommended, DSS is not recommended for new keys"
 
 config DROPBEAR_RSA
bool
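
Review bot: the rewritten comment still names DSS ("DSS is not recommended for new keys"), but patch 2/5 of this series removes the DROPBEAR_DSS option, so after the series there is no DSS entry under this heading. Limit the comment to the algorithms that remain selectable; DROPBEAR_RSA and DROPBEAR_ECDSA are the ones visible in the context here.
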
@@ -279,6 +279,8 @@ config DROPBEAR_ECDSA
  ECDSA stands for Elliptic Curve Digital Signature Algorithm.
  ECDSA is significantly faster than RSA or DSS.
 
+comment "Key exchange algorithm ---"
+
 config DROPBEAR_ECDH
bool
prompt "ecdh"
@@ -348,7 +350,7 @@ config DROPBEAR_SCP
 comment "OpenSSH scp is selected!"
depends on OPENSSH_SCP
 
-comment "runtime options   ---"
+comment "runtime options---"
 
 config DROPBEAR_STARTSCRIPT
bool
diff --git a/rules/dropbear.make b/rules/dropbear.make
index 9403afd00..e422eb4d5 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -67,6 +67,7 @@ $(STATEDIR)/dropbear.prepare:
 
@echo "/* localoptions.h created by ptxdist */" > 
$(DROPBEAR_LOCALOPTIONS)
 
+# features
 ifdef PTXCONF_DROPBEAR_DIS_X11
@echo "ptxdist: disabling x11 forwarding"
@echo "#define DROPBEAR_X11FWD 0" >> $(DROPBEAR_LOCALOPTIONS)
@@ -76,13 +77,13 @@ else
 endif
 
 ifdef PTXCONF_DROPBEAR_DIS_TCP
-   @echo "ptxdist: disabling tcp"
+   @echo "ptxdist: disabling tcp forwarding"
@echo "#define DROPBEAR_CLI_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
@echo "#define DROPBEAR_CLI_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
@echo "#define DROPBEAR_SVR_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
@echo "#define DROPBEAR_SVR_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 else
-   @echo "ptxdist: enabling tcp"
+   @echo "ptxdist: enabling tcp forwarding"
@echo "#define DROPBEAR_CLI_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
@echo "#define DROPBEAR_CLI_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
@echo "#define DROPBEAR_SVR_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -90,16 +91,16 @@ else
 endif
 
 ifdef PTXCONF_DROPBEAR_DIS_AGENT
-   @echo "ptxdist: disabling agent"
+   @echo "ptxdist: disabling auth agent forwarding"
@echo "#define DROPBEAR_SVR_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
@echo "#define DROPBEAR_CLI_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 else
-   @echo "ptxdist: enabling agent"
+   @echo "ptxdist: enabling auth agent forwarding"
@echo "#define DROPBEAR_SVR_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
@echo "#define DROPBEAR_CLI_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
-
+# encryption
 ifdef PTXCONF_DROPBEAR_AES128
@echo "ptxdist: enabling aes128"
@echo "#define DROPBEAR_AES128 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -140,6 +141,7 @@ else
@echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
+# ciphers
 ifdef PTXCONF_DROPBEAR_CBC_CIPHERS
@echo "ptxdist: enabling cbc ciphers"
@echo "#define DROPBEAR_ENABLE_CBC_MODE 1" >> $(DROPBEAR_LOCALOPTIONS)
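
Review bot: the `# ciphers` marker sits above the CBC block (DROPBEAR_ENABLE_CBC_MODE), which together with the CTR block below it selects cipher modes, while the ciphers themselves (AES, Twofish) are under the `# encryption` marker added further up. Naming this one `# cipher modes` would keep the two sections distinguishable.
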
@@ -157,6 +159,7 @@ else
@echo "#define DROPBEAR_ENABLE_CTR_MODE 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
+# integrity
 ifdef PTXCONF_DROPBEAR_SHA1
@echo "ptxdist: enabling sha1"
@echo "#define DROPBEAR_SHA1_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -193,7 +196,7 @@ else
@echo "#define DROPBEAR_SHA2_512_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
-
+# host key / public key
 ifdef PTXCONF_DROPBEAR_RSA
@echo "ptxdist: enabling rsa"
@echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -210,6 +213,7 @@ else
@echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
+# key exchange algorithm
 ifdef PTXCONF_DROPBEAR_ECDH
@echo "ptxdist: enabling ecdh"
@echo "#define DROPBEAR_ECDH 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -226,7 +230,7 @@ else
@echo "#define DROPBEAR_CURVE25519 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif

[ptxdist] [PATCH v3 5/5] dropbear: version bump 2020.79 -> 2020.81

2020-11-16 Thread Alexander Dahl
Changes in LICENSE file:

- updated copyright years
- pointed to licenses of bundled libs, instead of just stating their
  license

Signed-off-by: Alexander Dahl 
---
 rules/dropbear.make | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/dropbear.make b/rules/dropbear.make
index a9404592e..6d6e248a2 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
 #
 # Paths and names
 #
-DROPBEAR_VERSION   := 2020.79
-DROPBEAR_MD5   := 830a7bf6349ac52a39c487d061efb352
+DROPBEAR_VERSION   := 2020.81
+DROPBEAR_MD5   := a07438a6159a24c61f98f1bce2d479c0
 DROPBEAR   := dropbear-$(DROPBEAR_VERSION)
 DROPBEAR_SUFFIX:= tar.bz2
 DROPBEAR_URL   := 
http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
@@ -26,7 +26,7 @@ DROPBEAR_DIR  := $(BUILDDIR)/$(DROPBEAR)
 DROPBEAR_LICENSE   := \
MIT AND BSD-2-Clause AND public_domain AND SSH-short AND (public_domain 
OR WTFPL) AND Unlicense
 DROPBEAR_LICENSE_FILES := \
-   file://LICENSE;md5=da58928b5d844c6667963cb5a109272d \
+   file://LICENSE;md5=25cf44512b7bc8966a48b6b1a9b7605f \
file://libtomcrypt/LICENSE;md5=71baacc459522324ef3e2b9e052e8180 \
file://libtommath/LICENSE;md5=23e7e0a32e53a2b1d35f5fd9ef053402 \

file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1
-- 
2.27.0




[ptxdist] [PATCH v3 2/5] dropbear: Remove deprecated options

2020-11-16 Thread Alexander Dahl
All those options are cryptographically weak, already broken, or will be
removed in the next version anyways.

Signed-off-by: Alexander Dahl 
---
 rules/dropbear.in   | 29 -
 rules/dropbear.make | 25 -
 2 files changed, 54 deletions(-)

diff --git a/rules/dropbear.in b/rules/dropbear.in
index 62a4a8427..d23f9b17f 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -170,17 +170,6 @@ config DROPBEAR_AES256
  (and others) to protect sensitive information.
 
 
-config DROPBEAR_BLOWFISH
-   bool
-   prompt "Blowfish"
-   help
- Blowfish, by Bruce Schneier, combines a Feistel network,
- key-dependent S-Boxes, with a non-invertible f function.
- This block cipher iterates a simple encryption function
- 16 times.
- Blowfish was designed with a variable key length ranging
- from 32 bits to 448 bits.
-
 config DROPBEAR_TWOFISH128
bool
prompt "Twofish128"
@@ -271,14 +260,6 @@ config DROPBEAR_SHA512
  SHA-1. SHA-2 consists of a set of four hash functions with digests
  that are 224, 256, 384 or 512 bits.
 
-config DROPBEAR_MD5
-   bool
-   prompt "md5"
-   help
- MD5 was developed by Professor Ronald L. Rivest in 1994.
- Its 128 bit (16 byte) message digest makes it a faster
- implementation than SHA-1.
-
 comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC 
Draft requires dss, recommends rsa"
 
 config DROPBEAR_RSA
@@ -291,16 +272,6 @@ config DROPBEAR_RSA
  conjectured (but not proven) to be equivalent to the
  Integer Factorisation Problem (IFP).
 
-config DROPBEAR_DSS
-   bool
-   prompt "dss"
-   help
- DSS stands for Digital Signature Standard.
- DSS employs the ElGamal and Schnorr PK systems to produce
- a fixed width signature (irrespective of the public/private
- key size). In contrast, RSA signature length is a function
- of the key length employed.
-
 config DROPBEAR_ECDSA
bool
prompt "ecdsa"
diff --git a/rules/dropbear.make b/rules/dropbear.make
index acd9ef5f9..9403afd00 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -124,14 +124,6 @@ else
@echo "#define DROPBEAR_AES256 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
-ifdef PTXCONF_DROPBEAR_BLOWFISH
-   @echo "ptxdist: enabling blowfish"
-   @echo "#define DROPBEAR_BLOWFISH 1" >> $(DROPBEAR_LOCALOPTIONS)
-else
-   @echo "ptxdist: disabling blowfish"
-   @echo "#define DROPBEAR_BLOWFISH 0" >> $(DROPBEAR_LOCALOPTIONS)
-endif
-
 ifdef PTXCONF_DROPBEAR_TWOFISH256
@echo "ptxdist: enabling twofish256"
@echo "#define DROPBEAR_TWOFISH256 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -201,15 +193,6 @@ else
@echo "#define DROPBEAR_SHA2_512_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
-ifdef PTXCONF_DROPBEAR_MD5
-   @echo "ptxdist: enabling md5"
-   @echo "WARNING: md5 is considered broken and is deactivated in upstream 
dropbear by default!"
-   @echo "#define DROPBEAR_MD5_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
-else
-   @echo "ptxdist: disabling md5"
-   @echo "#define DROPBEAR_MD5_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
-endif
-
 
 ifdef PTXCONF_DROPBEAR_RSA
@echo "ptxdist: enabling rsa"
@@ -219,14 +202,6 @@ else
@echo "#define DROPBEAR_RSA 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
-ifdef PTXCONF_DROPBEAR_DSS
-   @echo "ptxdist: enabling dss"
-   @echo "#define DROPBEAR_DSS 1" >> $(DROPBEAR_LOCALOPTIONS)
-else
-   @echo "ptxdist: disabling dss"
-   @echo "#define DROPBEAR_DSS 0" >> $(DROPBEAR_LOCALOPTIONS)
-endif
-
 ifdef PTXCONF_DROPBEAR_ECDSA
@echo "ptxdist: enabling ecdsa"
@echo "#define DROPBEAR_ECDSA 1" >> $(DROPBEAR_LOCALOPTIONS)
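
Review bot: removing the whole `ifdef PTXCONF_DROPBEAR_DSS` block also removes the `else` branch that wrote `#define DROPBEAR_DSS 0`, so localoptions.h no longer says anything about DSS and the build follows whatever upstream's default is. The same applies to DROPBEAR_MD5_HMAC in the hunk above. If the intent is that these weak algorithms stay off, keep an unconditional `@echo "#define DROPBEAR_DSS 0" >> $(DROPBEAR_LOCALOPTIONS)` (and likewise for DROPBEAR_MD5_HMAC), provided the targeted dropbear version still knows the macro.
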
-- 
2.27.0




[ptxdist] [PATCH v3 0/5] dropbear: version bump 2019.78 -> 2020.81

2020-11-16 Thread Alexander Dahl
Hei hei,

this is the version bump for the dropbear SSH server split in five
patches for easier review.

- 1/5 fixes the license information

- 2/5 removes deprecated, weak, or later removed options

- 3/5 updates comments in kconfig and make file, first is for user,
  second for easier maintenance of the ptxdist package (I used that when
  reviewing what changed in dropbear from 2019.78 to 2020.79)

- 4/5 is a version bump with quite some upstream changes, including the
  fix for CVE-2018-20685.

- 5/5 is a second version bump, combining two more versions with
  regression fixes and other minor fixes, which I put in a second commit
  for easier review. This might also be squashed?

Software itself briefly tested on armv7a aka sama5d27.

v2 -> v3:
- Added patch 2/5 to remove blowfish option, which would otherwise break
  build after version bump to 2020.79. (Michael Olbrich)

v1 -> v2:
- Removed patch stack with patch 3/4.

Greets
Alex

Alexander Dahl (5):
  dropbear: Consider licenses of bundled libs
  dropbear: Remove deprecated options
  dropbear: Revise comments
  dropbear: version bump 2019.78 -> 2020.79
  dropbear: version bump 2020.79 -> 2020.81

 .../0001-configure-Fix-disable-fuzz.patch | 47 
 patches/dropbear-2019.78/autogen.sh   |  1 -
 patches/dropbear-2019.78/series   |  4 --
 rules/dropbear.in | 39 ++---
 rules/dropbear.make   | 55 +++
 5 files changed, 25 insertions(+), 121 deletions(-)
 delete mode 100644 
patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
 delete mode 12 patches/dropbear-2019.78/autogen.sh
 delete mode 100644 patches/dropbear-2019.78/series


base-commit: 8617870454388edf0f0728a92f3f188edbc14986
-- 
2.27.0

