Commit Graph

51 Commits (bdc7d9691d8d60364f40505d44346e5fa6374f66)

Author SHA1 Message Date
Felix Fietkau eb155f755a build: make prefix mapping of debug information optional
Remapping the local build path in debug information makes debugging
using ./scripts/remote-gdb harder, because files no longer refer to the full
path on the build host.

For local builds, debug information does not need to be reproducible,
since it will be stripped out of packages anyway.

For buildbot builds, it makes sense to keep debug information reproducible,
since the full path is not needed (nor desired) anywhere.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-08-06 12:36:24 +02:00
Hauke Mehrtens f94b09867d build: Remove dependency of user space stack cookies from kernel
Currently the user space stack cookies work well also when the kernel
stack cookies are not activated. This is handled completely in user
space and does not need kernel support.

This dependency was probably needed some years ago when the libc did not
support stack cookies.

Reviewed-by: Ian Cooper <iancooper@hotmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-07-24 00:35:21 +02:00
Ian Cooper b933f9cf0c toolchain: remove gcc libssp and use libc variant
Removes the standalone implementation of stack smashing protection
in gcc's libssp in favour of the native implementation available
in glibc and uclibc. Musl libc already uses its native ssp, so this
patch does not affect musl-based toolchains.

Stack smashing protection configuration options are now uniform
across all supported libc variants.

This also makes kernel-level stack smashing protection available
for x86_64 and i386 builds using non-musl libc.

Signed-off-by: Ian Cooper <iancooper@hotmail.com>
2020-06-17 23:57:07 +02:00
Paul Spooren 07449f692c build: refactor JSON info files to `profiles.json`
JSON info files contain machine readable information of built profiles
and resulting images. These files were added in commit 881ed09ee6
("build: create JSON files containing image info").

They are useful for firmware wizards and script checking for
reproducibility.

Currently all JSON files are stored next to the built images, resulting
in up to 168 individual files for the ath79/generic target.

This patch refactors the JSON creation to store individual per image
(not per profile) files in $(BUILD_DIR)/json_info_files and create an
single overview file called `profiles.json` in the target directory.

Storing per image files and not per profile solves the problem of
parallel file writes. If a profiles sysupgrade and factory image are
finished at the same time both processes would write to the same JSON
file, resulting in randomly broken outputs.

Some target like x86/64 do not use the image code yet, resulting in
missing JSON files. If no JSON info files were created, no
`profiles.json` files is created as it would be empty anyway.

As before, this creation is enabled by default only if `BUILDBOT` is set.

Tested via buildroot & ImageBuilder on ath79/generic, imx6 and x86/64.

Signed-off-by: Paul Spooren <mail@aparcar.org>
[json_info_files dir handling in Make, if case refactoring]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-04-03 12:17:45 +02:00
Xu Wang 2299808c68 base-files: add all buildinfo with INCLUDE_CONFIG
CONFIG_INCLUDE_CONFIG option is helpful for being able to rebuild the
exact same firmware as you see on a live OpenWRT instance, but it's
crucially missing feeds information, so we can't rebuild the exact same
package versions. This commit fixes this by adding the remaining feeds
(and version) buildinfo files to the image.

Signed-off-by: Xu Wang <xwang1498@gmx.com>
2020-02-27 12:14:09 +01:00
Hauke Mehrtens 19cbac7d26 buildsystem: Make PIE ASLR option tristate
This tristate choose allows to select to build only some applications
with PIE enabled. On MIPS binaries are getting about 30% bigger when PIE
is activated for the, which is a huge increase.

Network exposed applications like dnsmasq should then be build with PIE
enabled, but some applications which are normally not parsing data from
the network do not have it activated. The regular option should give a
good trade off between extra flash and RAM memory usage and security.

This changes the default from building no applications with PIE to build
some specifically marked applications with PIE enabled. This option is
only activated for targets with bigger flash and RAM to not consume
extra memory on the very small targets. On SDK builds the Regular option
should always be selected, because some tiny targets share the
applications with big targets and only the images for the tiny targets
should contain the none PIE applications, but the images for the normal
targets should use PIE. The shared packages should always use PIE when
it should be normally activated.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Rosen Penev fb19fb868c libcxx: Depenency fixes
Don't build with uClibc-ng. It's totally unsupported as several functions
are missing.

Make the musl libc support conditional.

Fix hash with make check FIXUP=1. Apparently I based the Makefile off of
libedit and forgot to fix the hash.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Fixes: 856ea2bad3 ("libcxx: Add package")
2019-12-23 12:08:23 +01:00
Rosen Penev 856ea2bad3 libcxx: Add package
Currently in OpenWrt, there are two libc++: libstdcpp and uClibc++. The
former is huge and the latter supports only C++98 with some basic support
for C++11. Those C++ versions seem to be specific to the compiler version

libcxx supports C++11 and above while being much smaller than libstdcpp.
On mt7621, these are the sizes of the ipks that I get:

libstdcpp: 460786
libcxx: 182881
uClibc++:67720

libcxx is faster than uClibc++ and is under active development as part of
the LLVM project while uClibc++ is effectively dead.

This PR modifies uclibc++.mk to expose the make menuconfig option. Further
cleanup is beyond the scope of this PR. What that means is, this is not
used by default.

A g++-libcxx wrapper based on the uClibc++ one was added. Works the same
way.

Compile tested with all packages that use uclibc++.mk in their Makefiles
under mipsel_24kc. kismet fails compilation but that package needs to be
cleaned up and updated.

Runtime tested with gddrescue, gdisk, dcwapd, bonnie++, and aircrack-ng
on a TP-Link Archer C7v2.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-12-23 00:22:07 +01:00
John Crispin f4aaee01fa Revert "build: separate signing logic"
This reverts commit 4a45e69d19.

This broke the buildbots

Signed-off-by: John Crispin <john@phrozen.org>
2019-10-21 16:26:24 +02:00
Paul Spooren 4a45e69d19 build: separate signing logic
This separates the options for signature creation and verification

* SIGNED_PACKAGES create Packages.sig
* SIGNED_IMAGES add ucert signature to created images
* CHECK_SIGNATURE add verification capabilities to images
* INSTALL_LOCAL_KEY add local key-build to /etc/opkg/keys

Right now the buildbot.git contains some hacks to create images that
have signature verification capabilities while not storing private keys
on buildbot slaves. This commit allows to disable these steps for the
buildbots and only perform signing on the master.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2019-10-21 14:06:42 +02:00
Paul Spooren 419eff50f9 config: remove unused GCC_VERSION_4_8 config symbols
Lets remove unused GCC_VERSION_4_8 symbol after the series of patches
which has switched to target gcc-8 by default.

Signed-off-by: Paul Spooren <mail@aparcar.org>
[refactored into separate commit]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-10-09 09:13:44 +02:00
Paul Spooren 881ed09ee6 build: create JSON files containing image info
The JSON info files contain details about the created firmware images
per device and are stored next to the created images.

The JSON files are stored as "$(IMAGE_PREFIX).json" and contain some
device/image meta data as well as a list of created firmware images.

An example of openwrt-ramips-rt305x-aztech_hw550-3g.json

    {
      "id": "aztech_hw550-3g",
      "image_prefix": "openwrt-ramips-rt305x-aztech_hw550-3g",
      "images": [
        {
          "name": "openwrt-ramips-rt305x-aztech_hw550-3g-squashfs-sysupgrade.bin",
          "sha256": "db2b34b0ec4a83d9bf612cf66fab0dc3722b191cb9bedf111e5627a4298baf20",
          "type": "sysupgrade"
        }
      ],
      "metadata_version": 1,
      "supported_devices": [
        "aztech,hw550-3g",
        "hw550-3g"
      ],
      "target": "ramips/rt305x",
      "titles": [
        {
          "model": "HW550-3G",
          "vendor": "Aztech"
        },
        {
          "model": "ALL0239-3G",
          "vendor": "Allnet"
        }
      ],
      "version_commit": "r10920+123-0cc87b3bac",
      "version_number": "SNAPSHOT"
    }

Signed-off-by: Paul Spooren <mail@aparcar.org>
2019-09-29 13:51:28 +02:00
Paul Spooren 454021581f build: add buildinfo files for reproducibility
generate feeds.buildinfo and version.buildinfo in build dir after
containing the feed revisions (via ./scripts/feeds list -sf) as well as
the current revision of buildroot (via ./scripts/getver.sh).

With this information it should be possible to reproduce any build,
especially the release builds.

Usage would be to move feeds.buildinfo to feeds.conf and git checkout the
revision hash of version.buildinfo.

Content of feeds.buildinfo would look similar to this:

    src-git routing https://git.openwrt.org/feed/routing.git^bf475d6
    src-git telephony https://git.openwrt.org/feed/telephony.git^470eb8e
    ...

Content of version.buildinfo would look similar to this:

    r10203+1-c12bd3a21b

Without the exact feed revision it is not possible to determine
installed package versions.

Also rename config.seed to config.buildinfo to follow the recommended
style of https://reproducible-builds.org/docs/recording/

Signed-off-by: Paul Spooren <mail@aparcar.org>
2019-08-13 10:40:36 +02:00
Jo-Philipp Wich f565f276e2 config: introduce separate CONFIG_SIGNATURE_CHECK option
Introduce a new option CONFIG_SIGNATURE_CHECK which defaults to the value
of CONFIG_SIGNED_PACKAGES and thus is enabled by default.

This option is needed to support building target opkg with enabled
signature verification while having the signed package lists disabled.

Our buildbots currently disable package signing globally in the
buildroot and SDK to avoid the need to ship private signing keys to
the build workers and to prevent the triggering of random key generation
on the worker nodes since package signing happens off-line on the master
nodes.

As unintended side-effect, updated opkg packages will get built with
disabled signature verification, hence the need for a new override option.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-08-06 21:22:27 +02:00
Felix Fietkau 85017c40f4 build: add a config option for enabling a testing version of the target kernel
If the target supports a newer kernel version that is not used by default
yet, it can be enabled with this option

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-05-11 11:37:10 +02:00
Michal Hrusecky 74450124f6 build: Optionally provide file checksums in package metadata
This may be useful if you don't entirely trust your flash and want to be able
to check for corruptions.

Signed-off-by: Michal Hrusecky <Michal@Hrusecky.net>
2019-01-22 09:22:25 +01:00
Hauke Mehrtens e790227553 kernel: Fix KERNEL_STACKPROTECTOR on kernel 4.19
The configuration option was renamed with kernel 4.19 from
CONFIG_CC_STACKPROTECTOR to CONFIG_STACKPROTECTOR adapt the code to set
both options.

CONFIG_STACKPROTECTOR now sets the regular stack protector and
CONFIG_STACKPROTECTOR_STRONG activates the additional protection of more
functions.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-12-26 17:32:48 +01:00
Julien Dusser 241e6dd3e9 build: cleanup SSP_SUPPORT configure option
Configure variable SSP_SUPPORT is ambiguous for packages (tor, openssh,
avahi, freeswitch). It means 'toolchain supporting SSP', but for toolchain
and depends it means 'build gcc with libssp'.

Musl no longer uses libssp (1877bc9d8f), it has internal support, so
SSP_SUPPORT was disabled leading some package to not use SSP.

No information why Glibc and uClibc use libssp, but they may also provide
their own SSP support. uClibc used it own with commit 933b588e25 but it was
reverted in f3cacb9e84 without details.

Create an new configure GCC_LIBSSP and automatically enable SSP_SUPPORT
if either USE_MUSL or GCC_LIBSSP.

Signed-off-by: Julien Dusser <julien.dusser@free.fr>
2018-01-27 19:02:48 +01:00
Julien Dusser df0bd42fde build: add hardened builds with PIE (ASLR) support
Introduce a configuration option to build a "hardened" OpenWrt with
ASLR PIE support.

Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR)
by building Position Independent Executables (PIE). This new option protects
against "return-to-text" attacks.

Busybox need a special care, link is done with ld, not gcc, leading to
unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE.

If other failing packages were found, PKG_ASLR_PIE:=0 should be added to
their Makefiles.

Original Work by: Yongkui Han <yonhan@cisco.com>
Signed-off-by: Julien Dusser <julien.dusser@free.fr>
2018-01-27 16:46:45 +01:00
Yousong Zhou dc555d003c build: disable BUILD_PATENTED by default
This is mainly for legal considerations and not promoting the usage of
and no redistribution of binaries of patented technologies seems to be
also the established practice in other linux distros.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2018-01-26 09:45:08 +08:00
Hauke Mehrtens 589621b1c0 config: make CONFIG_ALL_* select other CONIFG_ALL_* options
Select the other CONFIG_ALL_* options in the hierarchy when the master
option is selected. Currently CONFIG_ALL_KMODS is not selected when the
build bot selects CONFIG_ALL_NONSHARED for example.

Now the rtc kmods should get build when CONFIG_ALL_KMODS,
CONFIG_ALL_NONSHARED or CONFIG_ALL and CONFIG_RTC_SUPPORT are selected
like it is done by the build bots for targets with rtc support.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2017-08-26 14:59:20 +02:00
Florian Fainelli ce731158c8 kernel: Hide kernel options behind a menu
We are starting to add more and more kernel configurable options, to the
point where the Global build options menu is not really usable anymore,
hide all kernel-related configuration options behind a menu.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-05-26 15:42:13 -07:00
Vitaly Chekryzhev 01337ba472 build: add devel option to store build config in firmware
Store config.seed in firmware /etc/build.config

Signed-off-by: Vitaly Chekryzhev <13hakta@gmail.com>
2017-03-18 12:08:04 +01:00
Felix Fietkau 9dcb921d90 build: add buildbot specific config option for setting defaults
This can be used to tweak the buildbot behavior without having to change
buildbot's configuration.
It will also allow us to add more aggressive clean steps (e.g. on
toolchain changes), which would break developers' workflows if enable
by default.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-14 14:18:35 +01:00
Felix Fietkau 1e1d735e52 build: remove obsolete parallel build related options
Always use the main make jobserver, which has been the default for ages

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-10 12:10:20 +01:00
Matthias Schiffer 77f54eae45
config: enable shadow passwords unconditionally
Configurations without shadow passwords have been broken since the removal
of telnet: as the default entry in /etc/passwd is not empty (but rather
unset), there will be no way to log onto such a system by default. As
disabling shadow passwords is not useful anyways, remove this configuration
option.

The config symbol is kept (for a while), as packages from feeds depend on
it.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:56 +02:00
Felix Fietkau a4e90e2cac toolchain: get rid of GCC_VERSION_5 config symbol
Replace it with !GCC_VERSION_4_8 to be more future compatible

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-15 14:17:40 +02:00
Jo-Philipp Wich 941fc5e8c8 global: introduce ALL_NONSHARED symbol
Introduce a new symbol ALL_NONSHARED which selects all non-sharable packages
by default. This option is mainly intented for buildbot setups to build the
target dependant software subset only.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-04-13 17:24:12 +02:00
Felix Fietkau 657d0cc2ce build: do not deselect CONFIG_USE_SSTRIP if CONFIG_DEBUG is enabled
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48504
2016-01-26 08:39:21 +00:00
Felix Fietkau aec0e6ac8f build: use sstrip by default for musl
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48313
2016-01-18 12:47:36 +00:00
Steven Barth 0c8f0186d5 linux: make IPv6 builtin if selected (saves >30KB)
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46834
2015-09-09 12:20:36 +00:00
Felix Fietkau 400fb6cadc gcc: remove version 4.9-linaro
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 46798
2015-09-06 10:07:03 +00:00
Steven Barth ed53726072 enable strong SSP / Stackprotector on gcc5
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>

SVN-Revision: 46685
2015-08-18 09:20:34 +00:00
Felix Fietkau bf82deff70 build: disable kernel stack protector support for i386/x86_64
When stack protector support is disabled in libc (always the case for
!musl), gcc assumes that it needs to use __stack_chk_guard for the stack
canary.
This causes kernel build errors, because the kernel is only set up to
handle TLS stack canaries.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 46543
2015-08-02 07:40:12 +00:00
Steven Barth efe03e5fc7 hardening: disable user-space SSP for !musl
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46146
2015-06-29 16:44:27 +00:00
Steven Barth 2738526a16 toolchain: add fortify-headers, enable FORTIFY_SOURCE by default
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46117
2015-06-23 14:38:03 +00:00
Steven Barth 1877bc9d8f gcc/musl: rework SSP-support
Make musl provide libssp_nonshared.a and make GCC link it unconditionally
if musl is used. This should be a no-op if SSP is disabled and seems to be
the only reliable way of dealing with SSP over all packages due to the mess
that is linkerflags handling in packages.

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46108
2015-06-22 10:31:07 +00:00
Steven Barth 19810a5145 hardening: enable regular SSP support by default
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46020
2015-06-17 13:13:48 +00:00
Steven Barth f8140c9caf hardening: enable RELRO by default
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46004
2015-06-16 17:28:05 +00:00
Steven Barth 11489a85cf hardening: enable format security checking by default
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46003
2015-06-16 17:27:59 +00:00
Felix Fietkau ec73574027 build: enable package list signing by default
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45614
2015-05-05 21:16:13 +00:00
Felix Fietkau beca028bd6 build: add integration for managing opkg package feed keys
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45286
2015-04-06 19:39:51 +00:00
Jonas Gorski 9dc137397f buildroot: make it easier to build all kmods
Split out kmods from ALL to make it easier to create local builds that
are compatible kmod-wise with releases.

Signed-off-by: Jonas Gorski <jogo@openwrt.org>

SVN-Revision: 44830
2015-03-16 11:51:54 +00:00
John Crispin 3e2f578353 toolchain: The glorious return of glibc, ver 2.21
It's the eglibc packaging with a bit of spit-polishing. And testing. :-)

[blogic: merged glibc and eglibc into 1 and made eglibc a glibc variant]

Signed-off-by: Jeff Waugh <jdub@bethesignal.org>
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 44701
2015-03-12 19:50:57 +00:00
Jo-Philipp Wich 3f56785706 config: remove CONFIG_BUILD_STATIC_TOOLS
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 44287
2015-02-06 00:00:51 +00:00
Nicolas Thill f6433f63ef config: fix typo in Global build settings menu
Signed-off-by: Nicolas Thill <nico@openwrt.org>

SVN-Revision: 44258
2015-02-05 05:10:44 +00:00
John Crispin 1c160bf082 config: fix typo in Global build settings menu
Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 44163
2015-01-28 12:05:58 +00:00
John Crispin 491f3fc048 Support for building an hardened OpenWRT
Introduce configuration options to build an "hardened" OpenWRT.

Options to enable Stack-Smashing Protection, FORTIFY_SOURCE and RELRO
have been introduced.

uClibc makefile now automatically detects if SSP support is necessary.

hostapd makefile has been fixed to use "^" as sed separator since
using a comma was problematic when using "-Wl,-z,now" and the like in
TARGET_CFLAGS.

Currently enabling SSP on user space depends on enabling SSP kernel
side, this is due to the fact that TARGET_CFLAGS are used to build
kernel modules (at least). Suggestions on how to avoid this are welcome.
Using "select" instead of "depends on" doesn't seem to work with choice
entries.

Tested with a lantiq (WBMR) router, GCC 4.8, uClibc and a subset of
the available packages.
Needs to be tested with GCC 4.9 and the remaining packages.
PIE not currently included.

Signed-off-by: Alessandro Di Federico <ale+owrt@clearmind.me>

SVN-Revision: 44005
2015-01-17 14:31:30 +00:00
Hauke Mehrtens bdeda10f1c Kconfig: Various typo/grammar/line-length fixes in Config*.in files
Non-functional changes to config/Config-*.in files, including:

* spelling mistakes
* inconsistent terminology
* grammar
* overly long lines in "help" components

Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>

SVN-Revision: 42519
2014-09-13 20:27:25 +00:00
John Crispin 7a1f4c50fa PKG_CHECK_FORMAT_SECURITY: add a menuconfig option, disable by default
The idea is still to enable it by default at some point
I've tested all ar71xx packages (except oldpackages) using CONFIG_ALL=y
Failing packages have been marked with PKG_CHECK_FORMAT_SECURITY:=0 for now
I can test more targets but i have no idea which are the most used

Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>

SVN-Revision: 42282
2014-08-25 06:36:06 +00:00