| Commit message | Author | Age | Files | Lines |
| |
This way, seatd can be used by all users in the group 'seat', not just by
root.
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
systemd-udevd: /usr/lib/udev/rules.d/50-udev-default.rules:42 Unknown group 'sgx', ignoring
SUBSYSTEM=="misc", KERNEL=="sgx_enclave", GROUP="sgx", MODE="0660"
Signed-off-by: Artur Wiebe <artur@4wiebe.de>
Message-Id: <20220128140310.2632256-1-artur@4wiebe.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
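The warning quoted in this commit message is what you get when a rule names a group the target does not have: udev drops the group assignment, so the device node does not end up owned by the intended group. The shell script below is an added example, not part of ptxdist, that checks a udev rules directory against the target's /etc/group at build time. It assumes rules use the `GROUP="name"` (or `GROUP:="name"`) form and that the group file has the conventional name:x:gid:members layout.

```shell
#!/bin/sh
# Added example (not ptxdist code): find groups referenced by udev rules
# that are missing from the target's /etc/group. Assumptions: rules use
# GROUP="name" or GROUP:="name"; the group file is name:x:gid:members.

# udev_rule_groups RULESDIR: print every group named in *.rules under
# RULESDIR, one per line, duplicates removed
udev_rule_groups() {
	sed -n 's/.*GROUP:\{0,1\}="\([^"]*\)".*/\1/p' "$1"/*.rules 2>/dev/null | sort -u
}

# missing_udev_groups RULESDIR GROUPFILE: print each referenced group that
# has no entry in GROUPFILE; exit status is 1 if anything is missing, so the
# check can fail a build instead of leaving a silently ignored rule
missing_udev_groups() {
	rc=0
	for g in $(udev_rule_groups "$1"); do
		if ! grep -q "^$g:" "$2"; then
			echo "$g"
			rc=1
		fi
	done
	return $rc
}

# typical use on a ptxdist root filesystem:
#   missing_udev_groups root/usr/lib/udev/rules.d root/etc/group
```

Run it against the finished root filesystem rather than the build host: the host's /etc/group will usually contain groups the target lacks.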
| |
The return of gen_keys() never threw an error, so the last block was useless
so far. The script worked because gen_key() exited instead of returning.
Messages are done like in the openssh rc-once script now.
Fixes: cf0424f8ba23 ("dropbear: Refactor rc-once and init to use KEYTYPES")
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Message-Id: <20211209105127.120588-1-ada@thorsis.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
Adds a new package for redis, an open source (BSD licensed), in-memory
data structure store, used as a database, cache, and message broker.
The systemd service file was taken from ArchLinux.
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
Message-Id: <20211207144223.23091-1-clemens.gruber@pqgruber.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
When storing your keys not in rootfs but on a separate data partition
(using symbolic links or overlay fs), keys are overwritten on each
firmware upgrade which lets rc-once run again (which happens when using
opkg upgrade/update or RAUC in an A/B scheme for example).
Changing keys is at best annoying, but may be interpreted as an attack
as well.
Note: if an empty or invalid key is found, the key is still regenerated.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Message-Id: <20211105154734.19983-9-ada@thorsis.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
Previously just existence of a key file was checked, which allowed
empty key files or invalid key files to persist. That would have
prevented dropbear server daemon startup.
Note: this does not always regenerate keys, only if rc-once is triggered
and run again for whatever reason.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Message-Id: <20211105154734.19983-8-ada@thorsis.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
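The three dropbear rc-once commit messages above describe one procedure: validate each configured host key rather than testing for the file's existence, regenerate only what is empty or invalid so keys on a data partition survive a firmware upgrade, and propagate failures from the key generator instead of exiting inside it. The script below is an added example, not the ptxdist rc-once script, that puts those points together. It assumes dropbearkey(1) is on the target (the command is taken from DROPBEARKEY so the test can substitute a stand-in), that KEYTYPES lists the host key types the build enabled, and the usual /etc/dropbear/dropbear_<type>_host_key file names.

```shell
#!/bin/sh
# Added example (not the ptxdist script): generate dropbear host keys once,
# keeping existing keys that load cleanly and regenerating empty or invalid
# ones. Assumptions: dropbearkey(1) is available (DROPBEARKEY overrides the
# command for testing); KEYTYPES holds the enabled host key types.

KEYDIR="${KEYDIR:-/etc/dropbear}"
KEYTYPES="${KEYTYPES:-rsa ecdsa ed25519}"
DROPBEARKEY="${DROPBEARKEY:-dropbearkey}"

# key_is_valid FILE: the file is non-empty and dropbearkey can parse it
# (-y prints the public key). A plain existence test would accept a
# zero-length file left behind by a power cut during the first boot.
key_is_valid() {
	[ -s "$1" ] && "$DROPBEARKEY" -y -f "$1" >/dev/null 2>&1
}

# gen_key TYPE FILE: return dropbearkey's exit status instead of exiting,
# so the caller's error handling is actually reached
gen_key() {
	rm -f "$2"
	"$DROPBEARKEY" -t "$1" -f "$2" >/dev/null 2>&1
}

# gen_keys: walk KEYTYPES; existing valid keys survive an rc-once re-run
# after an upgrade, everything else is (re)generated. Returns non-zero if
# any key could not be created.
gen_keys() {
	ret=0
	for type in $KEYTYPES; do
		keyfile="$KEYDIR/dropbear_${type}_host_key"
		if key_is_valid "$keyfile"; then
			echo "dropbear: keeping existing $type host key"
			continue
		fi
		echo "dropbear: generating $type host key"
		if ! gen_key "$type" "$keyfile"; then
			echo "dropbear: generating $type host key failed" >&2
			ret=1
		fi
	done
	# flush to the medium: a board powered off right after rc-once may
	# otherwise keep an empty key file
	sync
	return $ret
}
```

Because a kept key is one that dropbearkey itself accepts, a truncated or corrupted file is replaced, while a key that merely lives behind a symlink or overlay on the data partition is left alone and the host fingerprint stays stable across upgrades.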
| |
With 54afea33423c ("dropbear: Added Elliptic Curve Cryptography
options.") an option was added to build with ecdsa host key support, but
scripts were not adapted back then.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Message-Id: <20211105154734.19983-7-ada@thorsis.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
Previously DSS and RSA keys were always generated, regardless of whether
dropbear was built with support for that host key or not, which somehow
contradicts what the commit message of 01ac7cc409b5 ("dropbear: Remove
deprecated options") promised.
No other things changed here, just considering that KEYTYPES list for
'rsa' for now.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Message-Id: <20211105154734.19983-6-ada@thorsis.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
The variable is currently not used, but it will be useful later for key
generation and daemon startup based on actually selected host key types.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Message-Id: <20211105154734.19983-5-ada@thorsis.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
init script and rc-once script use some common variables and
targetinstall replace happens twice for each, so to make things less
complex put those common variables in a common place.
While at it, remove that DROPBEAR_xxxKEY_DEFAULT indirection, which
probably originates in the init script from Debian, which seems to have been
the base for developing this script at least 15 years ago.
The lib will be extended with more variables later.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Message-Id: <20211105154734.19983-4-ada@thorsis.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
DSS option was removed already from ptxdist, it is not recommended for
new keys. In dropbear however, it was still default enabled, this is
disabled through localoptions.h now.
Fixes: 01ac7cc409b5 ("dropbear: Remove deprecated options")
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Message-Id: <20211105154734.19983-2-ada@thorsis.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
It's possible to run multiple instances for multiple ubi devices by
creating multiple symlinks. One symlink for the first device ubi0 is
already created.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Message-Id: <20210909101652.9288-3-ada@thorsis.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
The initmethod shell library was moved, but the include path in scripts
using it was not adapted back then.
Fixes: 5c7e5b48a39f ("initmethod: /usr merge")
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Message-Id: <20210827083353.22152-4-ada@thorsis.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
The usr/lib/init/rc-once.sh script was moved for /usr merge, but scripts
using this piece were not updated.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Fixes: e74c5e613d9e ("rc-once: /usr merge")
Message-Id: <20210827083353.22152-3-ada@thorsis.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
After migrating to rc-once this script does not use any functions from
the included (shell) library anymore.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Fixes: 0e0f5d31e0e0 ("[dropbear] use rc-once to create server keys")
Message-Id: <20210827083353.22152-2-ada@thorsis.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
systemd-bless-boot.service
Mark the system "good" when the boot-complete.target [1] is reached.
"Type=oneshot" (instead of implicit "Type=simple") makes sure the unit is
considered started once "rauc status mark-good" exits.
"RemainAfterExit=yes" ensures that this service unit is only started once
[2].
These options were adapted from [3] and [4].
[1] https://www.freedesktop.org/software/systemd/man/systemd.special.html#boot-complete.target
[2] https://www.freedesktop.org/software/systemd/man/systemd.service.html#id-1.10.4
[3] https://github.com/systemd/systemd/blob/main/units/systemd-bless-boot.service.in
[4] https://github.com/rauc/meta-rauc/pull/197
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Message-Id: <20210824165247.31292-1-bst@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Message-Id: <20210709074508.1301617-1-m.tretter@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
Copy the following files from busybox 1.33:
* examples/udhcp/simple.script
* examples/udhcp/udhcpd.conf
This teaches the DHCP client to use iproute2 tools instead of the
outdated iputils.
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
Message-Id: <20210620173954.5608-1-rhi@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
Copy the following files from the ISC DHCP tree:
* client/dhclient.conf.example
* server/dhcpd.conf.example
and comment out all lines, so they serve as examples only and don't
configure any strange things on the target.
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
Message-Id: <20210620171046.25968-4-rhi@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
systemd service/socket files are now part of rpcbind.
Remote call functionality is now configurable and disabled. Most people
won't use that. It also stops rpcbind from opening up random UDP ports.
See [1].
[1] https://git.linux-nfs.org/?p=steved/rpcbind.git;a=commitdiff;h=2e9c289246c647e25649914bdb0d9400c66f486e
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Message-Id: <20210611125538.12935-1-bst@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
Message-Id: <20210609215336.22744-1-rhi@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
ifupdown can usually be started quite early. There might be some additional
dependencies (e.g. on devices or kernel modules) but these are not formalized
with the default dependencies either. So in this case you have to overwrite
the service for your device anyhow.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Message-Id: <20210315132728.22554-1-u.kleine-koenig@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
When system state is switched using systemctl isolate ssh sessions
usually shouldn't be killed. Make this the default.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Message-Id: <20210305170435.4466-1-u.kleine-koenig@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
It's 2021!
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Message-Id: <20210226092643.165523-1-u.kleine-koenig@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
New configure options in 8.2012.0 have been disabled,
except 2 new options:
- atomic-operations is always enabled.
- libsystemd support is {en,dis}abled with RSYSLOG_SYSTEMD.
Removed options are no longer available in configure.
lmstrmsrv does not exist any longer.
According to the changelog the gcc 10 compile issues were
fixed in 8.2010.0 and included in this version.
Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
Message-Id: <20210128124111.5290-1-bruno.thomsen@gmail.com>
[mol: add local systemd service. It was removed upstream]
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
The parameter is no longer needed.
Avoid this message during boot:
systemd[1]: /usr/lib/systemd/system/tpm2-abrmd.service:12:
Standard output type syslog is obsolete, automatically updating
to journal. Please update your unit file, and consider removing
the setting altogether.
Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
Message-Id: <20210111133724.4644-1-bruno.thomsen@gmail.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
If not set /etc/machine-id will be installed from projectroot (default: empty file).
Signed-off-by: Artur Wiebe <artur@4wiebe.de>
Message-Id: <20201204093024.1785079-1-artur@4wiebe.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Message-Id: <20201021144149.27886-3-bst@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
The nfs-utils tools are installed into /usr/sbin since the /usr merge.
Fixes: e5068a95a ("nfsutils: /usr merge")
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Message-Id: <20201021144149.27886-1-bst@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Message-Id: <20200924165621.24177-2-bst@pengutronix.de>
[mol: use menuconfig instead of config]
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Message-Id: <20200924165621.24177-1-bst@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
nvmetcli is a program used for viewing, editing, saving, and starting a
Linux kernel NVMe Target, used for an NVMe-over-Fabrics network
configuration. It allows an administrator to export a storage resource
(such as NVMe devices, files, and volumes) to a local block device and
expose them to remote systems based on the NVMe-over-Fabrics
specification from http://www.nvmexpress.org.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Message-Id: <20200921083057.4074995-2-l.stach@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
instead
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
...instead of relying on a hardcoded list of keytypes.
Some cleanup was performed as well:
* merge key gathering functions
* absence of sshd_config was tested but not properly propagated and
  therefore not properly handled.
Tested with sed implementations of busybox-1.31.1, toybox-0.8.3 and GNU.
Signed-off-by: Christian Hermann <christian.hermann@hytera.de>
Message-Id: <20200821112902.17281-2-christian.hermann@hytera.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
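The commit message above replaces a hardcoded key type list with what sshd_config actually configures, using only sed features shared by busybox, toybox and GNU sed, and makes a missing sshd_config a reported error rather than an empty list. The shell functions below are an added example, not the ptxdist openssh rc-once script, showing that parsing. They assume the stock `HostKey /path` directive syntax and the usual ssh_host_<type>_key file naming; when no HostKey line is present they fall back to a default list that stands in for sshd's compiled-in defaults (an assumption of this example, not something the commit message states).

```shell
#!/bin/sh
# Added example (not the ptxdist script): derive the host key files from
# sshd_config instead of a hardcoded key type list. Assumptions: stock
# "HostKey /path" syntax; DEFAULT_HOSTKEYS mirrors sshd's built-in defaults.

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
DEFAULT_HOSTKEYS="/etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key"

# hostkey_files: print one configured key path per line. Only basic regex
# features (bracket expressions, anchors, \{n,\} repeats) are used so
# busybox, toybox and GNU sed agree. A missing config is an error, not an
# empty list: the caller must not silently generate nothing.
hostkey_files() {
	if [ ! -r "$SSHD_CONFIG" ]; then
		echo "sshd_config not found: $SSHD_CONFIG" >&2
		return 1
	fi
	# keywords are case-insensitive in sshd; skip commented lines and
	# trailing comments, keep only the first argument
	keys=$(sed -n 's/^[[:space:]]*[Hh][Oo][Ss][Tt][Kk][Ee][Yy][[:space:]]\{1,\}\([^[:space:]#]\{1,\}\).*/\1/p' "$SSHD_CONFIG")
	if [ -z "$keys" ]; then
		keys=$DEFAULT_HOSTKEYS
	fi
	printf '%s\n' $keys
}

# keytype_of FILE: the algorithm name for ssh-keygen -t, taken from the
# canonical ssh_host_<type>_key file name
keytype_of() {
	printf '%s\n' "$1" | sed -n 's/.*ssh_host_\([a-z0-9]\{1,\}\)_key$/\1/p'
}

# typical use in a first-boot script:
#   hostkey_files | while read -r key; do
#   	[ -s "$key" ] || ssh-keygen -q -t "$(keytype_of "$key")" -N '' -f "$key"
#   done
```

Because the paths come from the same file sshd reads, a HostKey pointing at a data partition (the usual place for keys that must survive a firmware upgrade) is picked up without any change to the script.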
| |
The variable $_type does not exist, so $prettykeytype is always empty.
And 'tr' may not be available. It's just the debug output, so use the
lowercase key type to avoid any problem.
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
This is a (very) minor optimisation. There is no semantic change as
the fixed list of possible filenames doesn't contain anything that has a
different meaning when interpreted as a regex, still I consider it
better style to interpret the filename as a fixed string to match.
Both busybox and the "big" grep support -F unconditionally so there is
no problem in using -F.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Message-Id: <20200808083456.26483-2-u.kleine-koenig@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
The create_keys() function passed the key type three times. Now it's
only passed once.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Message-Id: <20200808083456.26483-1-u.kleine-koenig@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
We have seen that, if the first boot runs under a testsuite that powers
the board off after rc-once is finished, data hasn't found its way to
the medium. This has been observed to result in an empty ssh key.
Adding a sync helps.
Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de>
Message-Id: <20200810101713.247725-1-r.schwebel@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
License checksum changed as '(c)' was removed from text, no
changes otherwise.
Also remove vanished options and modify systemd service files
to expect gpsd socket in /run.
Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
Message-Id: <20200807153000.GA2625913@lenoch>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
By using DefaultDependencies=no the system can accept ssh connections
earlier. This makes it possible to debug problems during startup.
This means that tmpfiles.d cannot be used to create the privilege
separation directory. So create it as RuntimeDirectory instead.
As a side effect, this 'fixes' problems with nfsroot: tmpfiles.d refuses to
create /run/sshd if / is not owned by root. This is not checked for
RuntimeDirectory= so creating /run/sshd works here.
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
gpsdctl@.service is supposed to call gpsdctl which is not installed
at all. Also fix gpsctl vs gpsdctl confusion.
Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
Message-Id: <20200803142935.GA2907440@lenoch>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
Added chrony user id (UID) to /etc/passwd and
chrony group id (GID) to /etc/group using next
available numbers.
Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
Message-Id: <20200731161141.6155-4-bruno.thomsen@gmail.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
HAProxy consists of a GPL core and GPL modules while exportable include
files are licensed under LGPL.
Some options (e.g. lua, pcre) are not yet configurable, this can be
extended if someone needs them.
A minimalistic config is provided to be able to test it, for everything
else an adjusted config must be installed. As HAProxy's config examples
expect some custom files in /etc/haproxy install_alternative_tree is
used to install custom configuration files and more easily.
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Message-Id: <20200610120307.28245-1-bst@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
Use the keys provided by the currently active key provider via PKCS#11
instead of key files placed in the platform config directory. In order
to make sure the new mechanics are used after a BSP update the rauc.key
file is no longer allowed to exist in the platformconfig directory.
Note: requires genimage v13 or later and ptx-code-signing-dev 0.4 or
later
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Message-Id: <20200515142641.812-14-bst@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
Update and move out of staging. The new version adds compatibility with
OpenSSL 1.1.x and switches to Python 3.
The AMQP and MongoDB destinations are removed, they were never buildable
without additional packages not available in plain PTXdist. Various
other modules are disabled explicitly to avoid the build
nondeterministically picking up undeclared dependencies.
A simple replacement for the old systemd unit is added, as the new version
only provides an instanced unit which cannot be linked as syslog.service
(which is necessary to use syslog-ng as the default system logger by
enabling ForwardToSyslog in journald.conf).
Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Message-Id: <20200408123232.12718-1-matthias.schiffer@ew.tq-group.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
As projectroot's dnsmasq.conf is copied from example config of
dnsmasq package, let's remove it from projectroot.
Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
Message-Id: <20200316191624.GD16217@lenoch>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
metacopy=on is supported on Linux 4.19+ only. As metacopy is unlikely to
have a significant effect on the /var overlay anyway, simply remove the
option.
Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Message-Id: <20200214103854.2448-1-matthias.schiffer@ew.tq-group.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
For devices with no or defective HW RNG, it takes quite a long time until
the kernel random device is seeded, up to several 10 seconds.
See kernel "random: crng init done" message for this.
As a consequence, anything using /dev/random will block accordingly.
This is even true for "ssh-keygen -l" invocations, which should just
show the fingerprint of a pubkey. Which can be used e.g. to check for
valid keys to be present.
One way to expedite this is to run haveged, of course at the cost of
reduced quality of the random numbers.
But this start has to happen rather early in the boot process.
By default (based upon this (old) haveged package), haveged is started
late as user service in multi-user.target.
So move the start of haveged from multi-user.target to sysinit.target.
Also add a service dependency on after systemd-random-seed.service
(responsible to seed from a stored random pool, if enabled) and
systemd-tmpfiles-setup-dev.service (responsible to setup the dev files).
Something comparable is done within Fedora and SuSE.
Signed-off-by: Andreas Pretzsch <apr@cn-eng.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
| |
Signed-off-by: Andreas Pretzsch <apr@cn-eng.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>