rt as an
upstream project is not interested. Such security features are more and
more commonly needed, and it will at some point be a problem for
OpenWrt to not have such features supported.
Best regards,
Thomas Petazzoni
--
Thomas Petazzoni, CTO, Bootlin
mm platform,
though that was using an older OpenWRT on which I had backported my
work.
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
___
openwrt-devel mailing list
openwrt-devel@lists.
Hello,
I have received absolutely no feedback on this v2.
Would it be possible to get these patches reviewed or merged ?
Thanks a lot,
Thomas Petazzoni
On Fri, 20 Dec 2019 15:04:32 +0100
Thomas Petazzoni wrote:
> Hello,
>
> On Thu, 21 Nov 2019 17:23:10 +0100
> Thomas Peta
initial hints on what you
mean by "build-variant", or at least point at some existing examples ?
Thanks a lot,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
___
openwrt-devel mailing lis
Hello,
On Thu, 21 Nov 2019 17:23:10 +0100
Thomas Petazzoni wrote:
> This is the second iteration of my patch series adding support for
> dm-verity in OpenWRT. See below for some introduction about the
> purpose of this series.
Unless I missed it, I don't think I have received a
eed allow that. Buildroot uses fakeroot in a
consistent way to build all filesystem images, which allows us to
create files with arbitrary permissions/owernship.
> +1 for your work to enable SELinux in OpenWrt, I'll try to find time
> for some testing that.
Thanks!
Best regards,
Thomas
a Github pull request for the
packages part: https://github.com/openwrt/packages/pull/10664
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
___
openwrt-devel mailing list
open
Thanks a lot for your feedback. Should I do this only for the package
patches (i.e the package feeds), or also for the "core" changes ?
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
___
Signed-off-by: Thomas Petazzoni
---
utils/checkpolicy/Makefile | 42 ++
1 file changed, 42 insertions(+)
create mode 100644 utils/checkpolicy/Makefile
diff --git a/utils/checkpolicy/Makefile b/utils/checkpolicy/Makefile
new file mode 100644
index 0
Signed-off-by: Thomas Petazzoni
---
admin/refpolicy/Makefile | 78
admin/refpolicy/files/selinux-config | 7 +++
2 files changed, 85 insertions(+)
create mode 100644 admin/refpolicy/Makefile
create mode 100644 admin/refpolicy/files/selinux-config
diff
Signed-off-by: Thomas Petazzoni
---
libs/libselinux/Makefile | 28 +++-
1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/libs/libselinux/Makefile b/libs/libselinux/Makefile
index 30e50a9ba..08b43f0f7 100644
--- a/libs/libselinux/Makefile
+++ b/libs/libselinux
Signed-off-by: Thomas Petazzoni
---
utils/selinux-python/Makefile | 155 ++
.../0001-sepolgen-adjust-data_dir.patch | 26 +++
...hardcode-search-for-ausearch-in-sbin.patch | 38 +
.../0003-Don-t-force-using-python3.patch | 67
4 files
Signed-off-by: Thomas Petazzoni
---
libs/libcap-ng/Makefile | 53 +
1 file changed, 53 insertions(+)
create mode 100644 libs/libcap-ng/Makefile
diff --git a/libs/libcap-ng/Makefile b/libs/libcap-ng/Makefile
new file mode 100644
index 0..5cf1f2499
Signed-off-by: Thomas Petazzoni
---
utils/policycoreutils/Makefile | 60 ++
1 file changed, 60 insertions(+)
create mode 100644 utils/policycoreutils/Makefile
diff --git a/utils/policycoreutils/Makefile b/utils/policycoreutils/Makefile
new file mode 100644
index
Signed-off-by: Thomas Petazzoni
---
libs/libsemanage/Makefile | 70 +++
1 file changed, 70 insertions(+)
create mode 100644 libs/libsemanage/Makefile
diff --git a/libs/libsemanage/Makefile b/libs/libsemanage/Makefile
new file mode 100644
index 0
This is needed to build the host variant of libselinux.
Signed-off-by: Thomas Petazzoni
---
libs/pcre/Makefile | 11 +++
1 file changed, 11 insertions(+)
diff --git a/libs/pcre/Makefile b/libs/pcre/Makefile
index 720142332..29fda6749 100644
--- a/libs/pcre/Makefile
+++ b/libs/pcre
Signed-off-by: Thomas Petazzoni
---
libs/libselinux/Makefile | 78
1 file changed, 78 insertions(+)
create mode 100644 libs/libselinux/Makefile
diff --git a/libs/libselinux/Makefile b/libs/libselinux/Makefile
new file mode 100644
index 0
Signed-off-by: Thomas Petazzoni
---
libs/libsepol/Makefile | 65 ++
1 file changed, 65 insertions(+)
create mode 100644 libs/libsepol/Makefile
diff --git a/libs/libsepol/Makefile b/libs/libsepol/Makefile
new file mode 100644
index 0..225f74996
Signed-off-by: Thomas Petazzoni
---
package/utils/busybox/Makefile | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index c0f3007e5d..bad4598525 100644
--- a/package/utils/busybox/Makefile
+++ b/package
Signed-off-by: Thomas Petazzoni
---
utils/audit/Makefile | 125
utils/audit/files/audit.init | 16 +++
...tue-functions-for-strndupa-rawmemchr.patch | 133 ++
3 files changed, 274 insertions(+)
create mode 100644 utils
This commit adds a small number of options to config/Config-kernel.in
so that packages related to SELinux support can enable the appropriate
Linux kernel support.
Signed-off-by: Thomas Petazzoni
---
config/Config-kernel.in | 12
1 file changed, 12 insertions(+)
diff --git a/config
machine, but that requires root
access. So this tool adds support for fakeroot, which will be used to
run the SELinux security context creation and the image creation.
Signed-off-by: Thomas Petazzoni
---
tools/Makefile | 2 +-
tools/fakeroot/Makefile | 20
2 files
Extended attribute support is needed to run a SELinux-enabled system,
as SELinux security contexts are stored as extended attributes.
Signed-off-by: Thomas Petazzoni
---
config/Config-kernel.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/config/Config-kernel.in b/config/Config
repository rather than
have it in OpenWrt itself.
[1] http://lists.infradead.org/pipermail/openwrt-devel/2019-November/020070.html
Signed-off-by: Thomas Petazzoni
---
package/system/procd/Makefile | 5 +-
...inimal-SELinux-policy-loading-suppor.patch | 110 ++
2 files
xattr support in mksquashfs is needed to be able to store SELinux
security contexts.
Signed-off-by: Thomas Petazzoni
---
tools/squashfskit4/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/squashfskit4/Makefile b/tools/squashfskit4/Makefile
index 4808c5607f
egards,
Thomas Petazzoni
Thomas Petazzoni (11):
libs/pcre: add host variant of libpcre
libs/libsepol: new package
libs/libselinux: new package
utils/audit: new package
libs/libcap-ng: new package
libs/libsemanage: new package
utils/policycoreutils: new package
utils/checkpolicy: new
egards,
Thomas Petazzoni
Thomas Petazzoni (7):
package/utils/busybox: add optional selinux support
package/system/procd: add SELinux support
tools/fakeroot: new tool
include/image.mk: implement SELinux squashfs image generation
config/Config-kernel.in: add option to enable squashfs xattr s
Signed-off-by: Thomas Petazzoni
---
include/image.mk | 15 ++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/include/image.mk b/include/image.mk
index 8592c19b99..86b3edeb87 100644
--- a/include/image.mk
+++ b/include/image.mk
@@ -239,13 +239,26 @@ endef
$(eval
cryptsetup for the host will be needed to create the hash tree of a
dm-verity volume.
Signed-off-by: Thomas Petazzoni
---
tools/Makefile| 1 +
tools/cryptsetup/Makefile | 28 +++
.../patches/0001-dont-use-c89.patch
erated for dm-verity is generated without
-no-pad, as it needs to be properly aligned to a block size.
Signed-off-by: Thomas Petazzoni
---
config/Config-images.in | 8 +
include/image.mk | 17 --
scripts/prepare-dm-verity-
The new DM_INIT functionality, merged in upstream Linux 5.1, allows to
setup a device mapper target at boot time. It avoids the need to use
an initramfs to setup a device mapper target. This is useful in the
context of supporting dm-verity in OpenWRT.
Signed-off-by: Thomas Petazzoni
---
...-to
popt for the host will be needed as a dependency of cryptsetup for the
host.
Signed-off-by: Thomas Petazzoni
---
tools/popt/Makefile | 22 ++
1 file changed, 22 insertions(+)
create mode 100644 tools/popt/Makefile
diff --git a/tools/popt/Makefile b/tools/popt/Makefile
new
P platform, make sure a FIT
image containing the dm-verity related U-Boot script is produced when
CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED is enabled.
Signed-off-by: Thomas Petazzoni
---
target/linux/mvebu/image/cortex-a9.mk | 14 ++
1 file changed, 14 insertions(+)
diff --git a/target/l
intend to
work on.
Thomas Petazzoni
Thomas Petazzoni (12):
tools/libaio: new package
tools/lvm2: new package
tools/popt: new package
tools/libjson-c: new package
tools/cryptsetup: new package
scripts/mkits.sh: extend with -s option to include a U-Boot script
config/Config-kern
lvm2 for the host will be needed as a dependency to build cryptsetup
for the host.
Signed-off-by: Thomas Petazzoni
---
tools/Makefile | 1 +
tools/lvm2/Makefile | 47 +
2 files changed, 48 insertions(+)
create mode 100644 tools/lvm2/Makefile
The Armada XP GP has a NAND storage device, so it makes sense to
generate the UBI-based factory image for this platform.
Signed-off-by: Thomas Petazzoni
---
target/linux/mvebu/image/cortex-a9.mk | 1 +
1 file changed, 1 insertion(+)
diff --git a/target/linux/mvebu/image/cortex-a9.mk
b/target
libaio for the host will be needed as a dependency of lvm2, itself a
dependency of cryptsetup.
Signed-off-by: Thomas Petazzoni
---
tools/libaio/Makefile | 30 ++
1 file changed, 30 insertions(+)
create mode 100644 tools/libaio/Makefile
diff --git a/tools/libaio
e in tools/libjson-c/.
Signed-off-by: Thomas Petazzoni
---
tools/libjson-c/Makefile | 25 +
1 file changed, 25 insertions(+)
create mode 100644 tools/libjson-c/Makefile
diff --git a/tools/libjson-c/Makefile b/tools/libjson-c/Makefile
new file mode 100644
index 00
provides the details of the dm-verity
volume (salt, root hash, number of data blocks, start of hash blocks,
etc.).
Signed-off-by: Thomas Petazzoni
---
scripts/mkits.sh | 22 --
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/scripts/mkits.sh b/scripts/mkits.sh
index
ion to add in the
FIT image a U-Boot script that provides the details of the dm-verity
volume (salt, root hash, number of data blocks, start of hash blocks,
etc.).
Signed-off-by: Thomas Petazzoni
---
include/image-commands.mk | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/image-com
The dm-verity support requires a number of kernel options to be
enabled. This commit adds the corresponding options to
config/Config-kernel.in, so that they can be selected by other OpenWrt
options when needed.
Signed-off-by: Thomas Petazzoni
---
Note: I sometimes encounter an issue at build
rt wants to make a decision on one solution to use, but provide
something that is seamlessly integrated for users.
> > Do you have more details about entering failsafe mode ? How do you do that
> > ?
>
> It's usually triggered by the button during the boot process[1], but it should
ns
> flashing of factory image. Halting doesn't provide any feedback to the user,
> if we don't consider stuck-in-the-bootlop as a proper feedback. Probably
> entering failsafe(has LED feedback) or such would make more sense here?
Do you have more details about entering
policy in place and enforced.
Signed-off-by: Thomas Petazzoni
---
I have patches ready to add some minimal SELinux support to OpenWRT,
which I intend to send in the near future.
---
CMakeLists.txt | 9 -
initd/init.c | 41 +
2 files changed, 49
Hello Hauke,
On Thu, 25 Jul 2019 15:07:50 +0200
Thomas Petazzoni wrote:
> > Indeed, what CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED=y really needs is
> > cryptsetup, the rest are mere build dependencies to build cryptsetup.
>
> Do you have some feedback on this particular quest
Hello Hauke,
I'm finally getting back to this dm-verity work, and I have a question below.
On Mon, 25 Mar 2019 18:20:09 +0100
Thomas Petazzoni wrote:
> > > diff --git a/tools/Makefile b/tools/Makefile
> > > index 9a354f6c70..9702b4df25 100644
> > > --- a/
e next LTS kernel we can just remove the patches.
OK, I'll see if the upstream version is reasonable enough to be
backported.
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
___
openwrt-
case. It looks at the squashfs filesystem size, and then
creates a loop device that starts right after the squashfs filesystem,
and uses it as a f2fs filesystem to store the overlay information.
As explained above, I've worked-around this stuff for now with a hacky
patch in fstools to
, you'll be able to drop the patches anyway, as the
feature is in upstream now.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
ting SOURCE_DATE_EPOCH is not needed any more.
Ah, indeed, it has been dropped from Image/mkfs/squashfs. Allowed me to
discover the squashfskit fork of squashfs-tools, which I wasn't aware
of.
Thanks,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineer
Hello Hauke,
Thanks for the review!
On Mon, 25 Mar 2019 18:13:50 +0100
Hauke Mehrtens wrote:
> On 3/11/19 5:20 PM, Thomas Petazzoni wrote:
> > From: Thomas Petazzoni
>
> Does this email address still exists?
It does exist and work, but I'm not supposed to use it. I&#
mand line. This
allows to avoid the need for an initramfs just to set up a DM device
at boot time.
Signed-off-by: Thomas Petazzoni
---
...-to-directly-boot-to-a-mapped-device.patch | 633 ++
...l-add-a-device-mapper-ioctl-function.patch | 98 +++
2 files changed, 731 insertions(
P platform, make sure a FIT
image containing the dm-verity related U-Boot script is produced when
CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED is enabled.
Signed-off-by: Thomas Petazzoni
---
target/linux/mvebu/image/cortex-a9.mk | 14 ++
1 file changed, 14 insertions(+)
diff --git a/target/l
filesystem.
Signed-off-by: Thomas Petazzoni
---
config/Config-images.in | 4 +++
include/image.mk | 12 +++
scripts/prepare-dm-verity-uboot-script.sh | 41 +++
3 files changed, 57 insertions(+)
create mode 100755 scripts/pre
This commit updates the Linux kernel configuration used on Marvell
platforms to support dm-verity.
Signed-off-by: Thomas Petazzoni
---
target/linux/mvebu/config-4.14 | 11 +++
1 file changed, 11 insertions(+)
diff --git a/target/linux/mvebu/config-4.14 b/target/linux/mvebu/config-4.14
popt for the host will be needed as a dependency of cryptsetup for the
host.
Signed-off-by: Thomas Petazzoni
---
tools/Makefile | 2 +-
tools/popt/Makefile | 22 ++
2 files changed, 23 insertions(+), 1 deletion(-)
create mode 100644 tools/popt/Makefile
diff --git a
provides the details of the dm-verity
volume (salt, root hash, number of data blocks, start of hash blocks,
etc.).
Signed-off-by: Thomas Petazzoni
---
scripts/mkits.sh | 21 +++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/scripts/mkits.sh b/scripts/mkits.sh
index
The Armada XP GP has a NAND storage device, so it makes sense to
generate the UBI-based factory image for this platform.
Signed-off-by: Thomas Petazzoni
---
target/linux/mvebu/image/cortex-a9.mk | 1 +
1 file changed, 1 insertion(+)
diff --git a/target/linux/mvebu/image/cortex-a9.mk
b/target
lvm2 for the host will be needed as a dependency to build cryptsetup
for the host.
Signed-off-by: Thomas Petazzoni
---
tools/Makefile | 3 ++-
tools/lvm2/Makefile | 47 +
2 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 tools
cryptsetup for the host will be needed to create the hash tree of a
dm-verity volume.
Signed-off-by: Thomas Petazzoni
---
tools/Makefile| 3 +-
tools/cryptsetup/Makefile | 28 +++
.../patches/0001-dont-use-c89.patch
e have the
hash tree after the squashfs filesystem. This is something I intend to
work on.
Thanks in advance for your feedback,
Thomas Petazzoni
Thomas Petazzoni (11):
tools/libaio: new package
tools/lvm2: new package
tools/popt: new package
tools/cryptsetup: new package
scripts/mkits.sh:
ion to add in the
FIT image a U-Boot script that provides the details of the dm-verity
volume (salt, root hash, number of data blocks, start of hash blocks,
etc.).
Signed-off-by: Thomas Petazzoni
---
include/image-commands.mk | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/image-com
From: Thomas Petazzoni
libaio for the host will be needed as a dependency of lvm2, itself a
dependency of cryptsetup.
Signed-off-by: Thomas Petazzoni
---
tools/Makefile| 1 +
tools/libaio/Makefile | 33 +
2 files changed, 34 insertions(+)
create mode
63 matches
Mail list logo
