On 06/07/2021 03:45, Enrico Mioso wrote:
I would like to know your opinion on a topic I know has already been
discussed: enabling Wi-Fi on first boot.
We had to do it here for some modified firmware we distribute (the
device with the modified openwrt firmware is then used to measure
internet connection quality in a neutral way, and works as well as a
home router when desired).
It is a fact[1] that >55% of homes in Brazil only have wireless
terminals (read: cellphones, a few might also have tablets): no laptops
or desktops. It would be utterly useless to deliver to them something
that needs an ethernet cable to enable the wireless.
However, it is *not* a simple matter to just "enable wireless" at first
boot in OpenWrt (due to a "default password" issue), except maybe in a
home-and-enthusiast setting. You cannot just do it for a device (or
firmware) you're going to deliver to third parties: it is *unsafe*, and
extremely strongly discouraged.
So, to safely and responsibly enable wireless by default in a device (or
firmware) you're delivering to a third-party, you need that "per-unit
unique wireless password" per device thing most vendors are doing.
Now, unique per-device passwords are "easy" [2] to do if you're
delivering whole devices, as you can just print a label with the
device's unique password and attach to it or to its documentation.
It is far less easy when you're delivering just the firmware
(openwrt-based), which the third-party/user will install by herself. At
least for generic devices in the general case.
I would very very much like to see this feature present in OpenWRt:
because I find myself in a scenario where plugging an Ethernet cable
after a fresh sysupgrade without keeping settings (due a a major upgrade
or just to "start clean") could be impractical.
Indeed.
This would allow us to relax the security settings for the moment being,
and discuss and plan them later on. It seems to me there is the general
desire for having such a feature.
I would very much like to have a config option that allows one to
implement what I described in [2] below -- or something else that could
be likewise used. Basically, a way to append to an already-finished
sysupgrade/factory file some signed configuration data that will resist
factory-reset, so that it is easy/fast to do so at download time without
the need to run the image builder.
Around here, the ISPs call this kind of variable data that resists a
factory-reset "preseed configuration". Apparently, your typical home
user will factory-reset the device every time anything goes wrong, once
they know how to do it. So it is extremely important that the
factory-reset settings match whatever is needed for ISP connectivity and
local wireless to work. Easy to do if you're the router vendor and have
a mtd partition set aside for it, a lot more difficult otherwise.
Then, you could at least easily address the "you're shipping the device
with the label attached" case: you can do that right now using custom
code on specific devices you know of a partition you can reuse like
that, etc. But a "generic device" solution is still missing.
The solution for "you ship firmware" could then become "build once, but
at download time you append the signed variable data that resists
factory-reset, and contains any unit-specific passwords. You also
attach a PDF with the device passwords for the user to print and glue to
his unit".
[1] The reports are public, and available at https://ceptro.br.
Disclaimer: I work for a different division of the same NGO that
produced those reports.
[2] not really: openwrt sysugrade *does not help* in that there is no
way to add variable information to an already *finished* image file, to
be used on first-boot only, and which would *survive a factory reset*.
--
Henrique de Moraes Holschuh
Analista de Projetos
Centro de Estudos e Pesquisas em Tecnologias de Redes e Operações
(Ceptro.br)
+55 11 5509-3537 R.:4023
INOC 22548*625
www.nic.br
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
