Commit message | Author | Age | Files | Lines
* kernel: kmod-tcp-scalable: add scalable tcp congestion algorithm | Catalin Toda | 2022-03-01 | 1 | -0/+18
  Signed-off-by: Catalin Toda <catalinii@gmail.com>
* ipset: update to 7.15 | Florian Eckert | 2022-03-01 | 2 | -2/+14
  Update to the latest upstream version. In this version there is a new tool with which you can convert ipsets into nftables sets. Since we are now using nftables as default firewall, this could be a useful tool for porting ipsets to nftables sets.

  Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* tools/libressl: update to version 3.4.2 | Josef Schlehofer | 2022-03-01 | 1 | -2/+2
  Release notes: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.2-relnotes.txt

  ```
  It includes the following security fix

  * In some situations the X.509 verifier would discard an error on an unverified certificate chain, resulting in an authentication bypass. Thanks to Ilya Shipitsin and Timo Steinlein for reporting.
  ```

  Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
* tools/mkimage: update to 2022.01 | Huangbin Zhan | 2022-03-01 | 3 | -17/+30
  - enable dot config
  - enable openwrt verbose
  - add bison as dependency to avoid failure

  ```
  bison -oscripts/kconfig/zconf.tab.c -t -l scripts/kconfig/zconf.y
  bison: /builder/shared-workdir/build/staging_dir/host/share/bison/m4sugar/m4sugar.m4: cannot open: No such file or directory
  ```

  Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
* tools/fakeroot: update to 1.27 | Rosen Penev | 2022-03-01 | 5 | -134/+17
  Remove macOS stuff. Upstream has fixed it in the same way.

  Add SOL_TCP define. Taken from elsewhere in the code.

  Refreshed patches.

  Signed-off-by: Rosen Penev <rosenp@gmail.com>
* tools/expat: update to 2.4.6 | Rosen Penev | 2022-03-01 | 2 | -11/+16
  Switched to CMake for faster compilation and greater parallel friendliness.

  Added CMake options from the packages feed.

  This release fixes various CVEs.

  Signed-off-by: Rosen Penev <rosenp@gmail.com>
* tools/findutils: update to 4.9.0 | Rosen Penev | 2022-03-01 | 2 | -2/+22
  Add compilation fix for Ubuntu 20.04. Provided by upstream maintainer: https://github.com/openwrt/packages/issues/17912#issuecomment-1046726426

  Signed-off-by: Rosen Penev <rosenp@gmail.com>
* tools/zstd: update to 1.5.2 | Rosen Penev | 2022-03-01 | 2 | -11/+21
  Switched to building with meson as it's faster and does not need a dependency on cmake, which takes a long time to build.

  Signed-off-by: Rosen Penev <rosenp@gmail.com>
* tools/ccache: add cmake dependency | Rosen Penev | 2022-03-01 | 1 | -1/+1
  This will be needed for the next commit as ccache's cmake dependency is satisfied by zstd currently.

  Signed-off-by: Rosen Penev <rosenp@gmail.com>
* tools/cmake: update to 3.22.2 | Rosen Penev | 2022-03-01 | 1 | -2/+2
  Mostly random Python 3.10 fixes.

  Signed-off-by: Rosen Penev <rosenp@gmail.com>
* tools/mtools: update to 4.0.37 | Rosen Penev | 2022-03-01 | 1 | -2/+2
  No changelog is available.

  Signed-off-by: Rosen Penev <rosenp@gmail.com>
* tools/mklibs: update to 0.1.45 | Rosen Penev | 2022-03-01 | 10 | -287/+37
  Refresh 2to3 patch. Upstream partially did this against some older python version. This is still needed.

  Refreshed other patches to be python3 safe.

  Remove uClibc patches as only musl is present now.

  Refresh others.

  Signed-off-by: Rosen Penev <rosenp@gmail.com>
* layerscape: use semantic versions for LSDK | Paul Spooren | 2022-03-01 | 9 | -9/+9
  PKG_VERSION should not contain the package name but the version only.

  Signed-off-by: Paul Spooren <mail@aparcar.org>
* u-boot.mk: add LOCALVERSION (explicitly specify OpenWrt build) | Josef Schlehofer | 2022-02-28 | 1 | -0/+1
  For debugging purposes, we need to know if users are using modified U-boot versions or not. Currently, the U-boot version is somehow stripped. This is a little bit problematic when there are backported/wip/to-upstream patches.

  To make it more confusing, there was (before this commit) two U-boot versioning.

  U-boot compiled by OpenWrt build bots are missing ``Build:`` This is also the case when the U-boot is compiled locally.

  Example:
  ```
  U-Boot SPL 2022.01 (Jan 27 2022 - 00:24:34 +0000)
  U-Boot 2022.01 (Jan 27 2022 - 00:24:34 +0000)
  ```

  On the other hand, if you run full build, you can at least see, where it was compiled. Notice added ``Build:``.

  Example:
  ```
  U-Boot 2022.01 (Jan 27 2022 - 00:24:34 +0000), Build: jenkins-turris-os-packages-burstlab-omnia-216
  ```

  In both cases, it is not clear to U-boot developers if it is an unmodified build. This is also caused that there is a missing ``.git`` file from U-boot folder, and so there is no history. It leads to that it can not contain suffix ``-dirty`` (uncommitted modifications) or even something else like number of commits, etc. [1]

  When U-boot is compiled as it should be, the version should look like this: ``U-Boot 2022.04-rc1-01173-g278195ea1f (Feb 11 2022 - 14:46:50 +0100)`` The date is not changed daily when there are new OpenWrt builds.

  This commit adds OpenWrt specific version, which could be verified by using strings.

  ```
  $ strings bin/targets/mvebu/cortexa9/u-boot-omnia/u-boot-spl.kwb | grep -E "OpenWrt*"
  U-Boot SPL 2022.01-OpenWrt-r18942+54-cbfce92367 (Feb 21 2022 - 13:17:34 +0000)
  arm-openwrt-linux-muslgnueabi-gcc (OpenWrt GCC 11.2.0 r18942+54-cbfce92367) 11.2.0
  2022.01-OpenWrt-r18942+54-cbfce92367
  U-Boot 2022.01-OpenWrt-r18942+54-cbfce92367 (Feb 21 2022 - 13:17:34 +0000)
  ```

  [1] https://u-boot.readthedocs.io/en/latest/develop/version.html

  Reported-by: Pali Rohár <pali@kernel.org>
  Suggested-by: Karel Kočí <karel.koci@nic.cz>
  Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
* image-commands.mk: Use ERROR_MESSAGE for imagesize fails | Paul Spooren | 2022-02-28 | 1 | -1/+1
  If an image is bigger than the device can handle, an error message is printed. This is usually silenced and silently ignored, making it harder to debug.

  While it's possible to run the build in verbose mode (via `make V=s`) and grep for *is too big*, it's more intuitive to print the error message directly.

  For that use the newly unlocked `$(call ERROR_MESSAGE,...)` definition which now also prints in non-verbose mode.

  Fixes: FS#50 (aka #7604)

  Signed-off-by: Paul Spooren <mail@aparcar.org>
* verbose.mk: print ERROR messages in non-verbose | Paul Spooren | 2022-02-28 | 1 | -5/+4
  Using `make -j9` only prints a subset of messages to follow the build process progressing. However this silently skips over errors which might be of interest.

  Using `make V=s` easily floods the terminal making it hard to find error messages between the lines.

  A compromise is the usage of `$(call ERROR_MESSAGE,...)` which prints a message in red. This function is silenced in the non-verbose mode, even if only used at a single place in `package/Makefile` where it notifies about an OPKG corner case.

  This commit moves the `ERROR_MESSAGE` definition outside of the `OPENWRT_VERBOSE` condition and prints error messages in every mode.

  With this in place further error messages are possible.

  Signed-off-by: Paul Spooren <mail@aparcar.org>
* bcm27xx: bcm2710: update defconfig | John Audia | 2022-02-28 | 1 | -2/+0
  Ran `make kernel_menuconfig CONFIG_TARGET=bcm2710` having used the snapshot config for bcm2710[1]. Manually added back two symbols that the make target removed, namely:
  * # CONFIG_SND_SOC_AD193X_I2C is not set
  * # CONFIG_SND_SOC_AD193X_SPI is not set

  1. https://downloads.openwrt.org/snapshots/targets/bcm27xx/bcm2710/config.buildinfo

  Signed-off-by: John Audia <graysky@archlinux.us>
* bcm27xx: bcm2711: update defconfig | John Audia | 2022-02-28 | 1 | -2/+0
  Ran `make kernel_menuconfig CONFIG_TARGET=bcm2711` having used the snapshot config for bcm2711[1]. Manually added back two symbols that the make target removed, namely:
  * # CONFIG_SND_SOC_AD193X_I2C is not set
  * # CONFIG_SND_SOC_AD193X_SPI is not set

  Without adding these back, the build fails due to unsatisfied deps[2].

  Build system: x86_64
  Build-tested: bcm2711/multidevices

  1. https://downloads.openwrt.org/snapshots/targets/bcm27xx/bcm2711/config.buildinfo
  2. https://github.com/openwrt/openwrt/commit/a478202d74b66c3da17d57442649eb4f131fc7b2#commitcomment-67096592

  Signed-off-by: John Audia <graysky@archlinux.us>
* kernel: move CONFIG_ASN1 to generic config | John Audia | 2022-02-28 | 1 | -0/+1
  Rather than populating this symbol in the individual configs, move it to the generic config.

  Signed-off-by: John Audia <graysky@archlinux.us>
* iptables: bump PKG_RELEASE | Etienne Champetier | 2022-02-28 | 1 | -1/+1
  Following dependencies rework, bump PKG_RELEASE

  Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: move libiptext* to their own packages | Etienne Champetier | 2022-02-28 | 2 | -20/+46
  iptables-nft doesn't depend on libip{4,6}tc, so move libiptext* libs in their own packages to clean up dependencies
  Rename libxtables-nft to libiptext-nft

  Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: rename to ip(6)tables-legacy, add PROVIDES | Etienne Champetier | 2022-02-28 | 1 | -8/+12
  Using PROVIDES allows to have other packages continue to depend on iptables and users to pick between legacy and nft version.

  Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: move IPTABLES_{CONNLABEL,NFTABLES} to libxtables | Etienne Champetier | 2022-02-28 | 1 | -15/+15
  Those 2 configs are not specific to iptables(-legacy)

  Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: make mod depend on libxtables | Etienne Champetier | 2022-02-28 | 1 | -4/+3
  'iptables-mod-' can be used directly by firewall3, by iptables and by iptables-nft. They are not linked to iptables but to libxtables, so fix the dependencies to allow to remove iptables(-legacy)

  Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: fix libnftnl/IPTABLES_NFTABLES dependency | Etienne Champetier | 2022-02-28 | 1 | -5/+3
  libxtables doesn't depend on libnftnl, iptables-nft does, so move the dependency to not pull libnftnl with firewall3/iptables-legacy

  Also libxtables-nft depends on IPTABLES_NFTABLES

  Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* mt7620: fix missing kernel config symbol | Petr Štetiar | 2022-02-28 | 1 | -0/+1
  Fixes following missing kernel config symbol after adding GPIO watchdog:

      Software watchdog (SOFT_WATCHDOG) [M/n/y/?] m
      Watchdog device controlled through GPIO-line (GPIO_WATCHDOG) [Y/n/m/?] y
      Register the watchdog as early as possible (GPIO_WATCHDOG_ARCH_INITCALL) [N/y/?] (NEW)

  Fixes: 1a97c03d864e ("rampis: feed zbt-we1026 external watchdog")
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* ubus: bump to git HEAD | Stijn Tintel | 2022-02-28 | 1 | -3/+3
  66baa44 libubus: introduce new status messages
  b3cd5ab cli: use UBUS_STATUS_PARSE_ERROR
  584f56a cli: improve error logging for call command

  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* ipq806x: base-files: asrock: fix bootcount include | Petr Štetiar | 2022-02-28 | 1 | -1/+1
  Fixes following warning message during image building process:

      Finalizing root filesystem...
      root-ipq806x/lib/upgrade/asrock.sh: line 1: /lib/functions.sh: No such file or directory
      Enabling boot
      root-ipq806x/lib/upgrade/asrock.sh: line 1: /lib/functions.sh: No such file or directory
      Enabling bootcount

  Fixes #9350
  Fixes: 98b86296e67d ("ipq806x: add support for ASRock G10")
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* rampis: feed zbt-we1026 external watchdog | Arvid E. Picciani | 2022-02-28 | 2 | -0/+9
  Without feeding the gpio watchdog, the board will reset after 90 seconds

  Signed-off-by: Arvid E. Picciani <aep@exys.org>
* check-toolchain-clean.sh: workaround stray rebuilds | Petr Štetiar | 2022-02-28 | 1 | -2/+7
  It seems that there are currently some unhandled corner cases in which `.toolchain_build_ver` results in empty file and thus forcing rebuilds, even if the toolchain was built correctly just a few moments ago. Until proper fix is found, workaround that by checking for this corner case and simply populate `.toolchain_build_ver` file.

  While at it, improve the UX and display version mismatch, so it's more clear what has forced the rebuild:

      "Toolchain build version changed (11.2.0-1 != ), running make targetclean"

  References: https://gitlab.com/ynezz/openwrt/-/jobs/2133332533/raw
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* check-toolchain-clean.sh: fix shellcheck warnings | Petr Štetiar | 2022-02-28 | 1 | -1/+1
  Fixes following complaints and suggestions:

      In scripts/check-toolchain-clean.sh line 2:
      eval `grep CONFIG_GCC_VERSION .config`
           ^-- SC2046 (warning): Quote this to prevent word splitting.
           ^-- SC2006 (style): Use $(...) notation instead of legacy backticks `...`.

  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* firmware-utils: bump to git HEAD | Stijn Tintel | 2022-02-28 | 1 | -3/+3
  002cfaf firmware-utils: fix compilation with macOS

  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* netfilter: add kmod-nft-tproxy | Yousong Zhou | 2022-02-28 | 2 | -0/+13
  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* netfilter: add kmod-nft-socket | Yousong Zhou | 2022-02-28 | 2 | -0/+13
  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy | Yousong Zhou | 2022-02-28 | 2 | -7/+45
  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* ath79: add support for TP-Link Archer A9 v6 | Piotr Dymacz | 2022-02-27 | 4 | -0/+265
  TP-Link Archer A9 v6 (FCCID: TE7A9V6) is an AC1900 Wave-2 gigabit home router based on a combination of Qualcomm QCN5502 (most likely a 4x4:4 version of the QCA9563 WiSOC), QCA9984 and QCA8337N.

  The vendor's firmware content reveals that the same device might be available on the US market under name 'Archer C90 v6'. Due to lack of access to such hardware, support introduced in this commit was tested only on the EU version (sold under 'Archer A9 v6' name).

  Based on the information on the PL version of the vendor website, this device has been already phased out and is no longer available.

  Specifications:

  - Qualcomm QCN5502 (775 MHz)
  - 128 MB of RAM (DDR2)
  - 16 MB of flash (SPI NOR)
  - 5x Gbps Ethernet (Qualcomm QCA8337N over SGMII)
  - Wi-Fi:
    - 802.11b/g/n on 2.4 GHz: Qualcomm QCN5502* in 4x4:4 mode
    - 802.11a/n/ac on 5 GHz: Qualcomm QCA9984 in 3x3:3 mode
    - 3x non-detachable, dual-band external antennas (~3.5 dBi for 5 GHz, ~2.2 dBi for 2.4 GHz, IPEX/U.FL connectors)
    - 1x internal PCB antenna for 2.4 GHz (~1.8 dBi)
  - 1x USB 2.0 Type-A
  - 11x LED (4x connected to QCA8337N, 7x connected to QCN5502)
  - 2x button (reset, WPS)
  - UART (4-pin, 2.54 mm pitch) header on PCB (not populated)
  - 1x mechanical power switch
  - 1x DC jack (12 V)

  *) unsupported due to missing support for QCN550x in ath9k

  UART system serial console notice:

  The RX signal of the main SOC's UART on this device is shared with the WPS button's GPIO. The first-stage U-Boot by default disables the RX, resulting in a non-functional UART input. If you press and keep 'ENTER' on the serial console during early boot-up, the first-stage U-Boot will enable RX input.

  Vendor firmware allows password-less access to the system over serial.

  Flash instruction (vendor GUI):

  1. It is recommended to first upgrade vendor firmware to the latest version (1.1.1 Build 20210315 rel.40637 at the time of writing).
  2. Use the 'factory' image directly in the vendor's GUI.

  Flash instruction (TFTP based recovery in second-stage U-Boot):

  1. Rename 'factory' image to 'ArcherA9v6_tp_recovery.bin'
  2. Setup a TFTP server on your PC with IP 192.168.0.66/24.
  3. Press and hold the reset button for ~5 sec while turning on power.
  4. The device will download image, flash it and reboot.

  Flash instruction (web based recovery in first-stage U-Boot):

  1. Use 'CTRL+C' during power-up to enable CLI in first-stage U-Boot.
  2. Connect a PC with IP set to 192.168.0.1 to one of the LAN ports.
  3. Issue 'httpd' command and visit http://192.168.0.1 in browser.
  4. Use the 'factory' image.

  If you would like to restore vendor's firmware, follow one of the recovery methods described above.

  Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
* uboot-envtools: ath79: add support for ALFA Network Tube-2HQ | Piotr Dymacz | 2022-02-27 | 1 | -0/+1
  Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
* ath79: add support for ALFA Network Tube-2HQ | Piotr Dymacz | 2022-02-27 | 4 | -0/+85
  ALFA Network Tube-2HQ is a successor of the Tube-2H/P series (EOL) which was based on the Atheros AR9331. The new version uses Qualcomm QCA9531.

  Specifications:

  - Qualcomm/Atheros QCA9531 v2
  - 650/400/200 MHz (CPU/DDR/AHB)
  - 64 or 128 MB of RAM (DDR2)
  - 16+ MB of flash (SPI NOR)
  - 1x 10/100 Mbps Ethernet with passive PoE input (24 V) (802.3at/af PoE support with optional module)
  - 1T1R 2.4 GHz Wi-Fi with external PA (SE2623L, up to 27 dBm) and LNA
  - 1x Type-N (male) antenna connector
  - 6x LED (5x driven by GPIO)
  - 1x button (reset)
  - external h/w watchdog (EM6324QYSP5B, enabled by default)
  - UART (4-pin, 2.00 mm pitch) header on PCB

  Flash instruction:

  You can use sysupgrade image directly in vendor firmware which is based on LEDE/OpenWrt. Alternatively, you can use web recovery mode in U-Boot:

  1. Configure PC with static IP 192.168.1.2/24.
  2. Connect PC with one of RJ45 ports, press the reset button, power up device, wait for first blink of all LEDs (indicates network setup), then keep button for 3 following blinks and release it.
  3. Open 192.168.1.1 address in your browser and upload sysupgrade image.

  Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
* ath79: utilize ath9k 'nvmem-cells' on ALFA Network boards | Piotr Dymacz | 2022-02-27 | 3 | -30/+49
  Drop custom 'mtd-cal-data' and switch to 'nvmem-cells' based solution for fetching radio calibration data and its MAC address.

  Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
* ath79: reduce 'nvmem-cells' definitions on ALFA Network QCA9531 boards | Piotr Dymacz | 2022-02-27 | 4 | -30/+8
  All the QCA9531 based boards from ALFA Network are based on the same design and share a common DTSI: 'qca9531_alfa-network_r36a.dtsi'.

  Instead of defining 'nvmem-cells' for the MAC address in every device's DTS, move definition to the common DTSI file.

  Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
* bcm63xx: switch to Kernel 5.10 | Paul Spooren | 2022-02-27 | 1 | -2/+2
  Bump the last missing target to Kernel 5.10. While this requires a work around to boot it will allow more people to test the new Kernel before the upcoming release.

  Signed-off-by: Paul Spooren <mail@aparcar.org>
* bcm63xx: fix booting with Kernel 5.10 | Paul Spooren | 2022-02-27 | 1 | -0/+18
  This is a workaround to make the target overall bootable. With this more people should be able to test the Kernel 5.10 and report further issues.

  Suggested-by: Daniel González Cabanelas <dgcbueu@gmail.com>
  Signed-off-by: Paul Spooren <mail@aparcar.org>
* ramips: support TP-Link EAP615-Wall | Stijn Tintel | 2022-02-27 | 3 | -1/+209
  Add support for the TP-Link EAP615-Wall, an AX1800 Wall Plate WiFi 6 AP. The device is very similar to the TP-Link EAP235-Wall.

  Hardware:

  * SoC: MediaTek MT7621AT
  * RAM: 128MiB
  * Flash: 16MiB SPI-NOR
  * Ethernet: 4x GbE
    * Back: ETH0 (PoE-PD)
    * Bottom: ETH1, ETH2, ETH3 (PoE passthrough)
  * WiFi: MT7905DAN/MT7975DN 2.4/5 GHz 2T2R
  * LEDS: 1x white
  * Buttons: 1x LED, 1x reset

  Stock firmware uses a random MAC address for ethernet. OpenWrt uses the MAC address that is on the device label for ethernet and the wireless interfaces.

  MAC address must not be incremented, as this will cause MAC address conflicts in case you have two devices with consecutive MAC addresses. Instead, different locally administered addresses will be generated automatically, based on the MAC on the label.

  Installation via stock firmware:

  * Enable SSH in the TP-Link web interface
  * SSH to the device
  * Run `cliclientd stopcs`
  * Upload the OpenWrt factory image via the TP-Link web interface

  Installation via bootloader:

  * Solder TTL header. Pinout: 1: TX, 2: RX, 3: GND, 4: VCC, with pin 1 closest to ETH1. Baud rate 115200
  * Interrupt boot process by holding a key during boot
  * Boot the OpenWrt initramfs:
      # tftpboot 0x84000000 openwrt-ramips-mt7621-tplink_eap615-wall-v1-initramfs-kernel.bin
      # bootm
  * Copy openwrt-ramips-mt7621-tplink_eap615-wall-v1-squashfs-sysupgrade.bin to /tmp and use sysupgrade to install it

  Thanks to Sander Vanheule for his work on the EAP235-Wall, which made adding support for the EAP615-Wall very easy.

  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
  Reviewed-by: Sander Vanheule <sander@svanheule.net>
  Acked-by: Arınç ÜNAL <arinc.unal@arinc9.com>
* firmware-utils: bump to git HEAD | Stijn Tintel | 2022-02-27 | 1 | -3/+3
  706e9cc tplink-safeloader: support for Archer A6 v3 JP
  497726b firmware-utils: support checksum for AVM fritzbox wasp SOCs
  2ca6462 iptime-crc32: add support for AX8004M
  57d0e31 tplink-safeloader: TP-Link EAP615-Wall v1 support
  8a8da19 tplink-safeloader: add TL-WPA8631P v3 support
  eea4ee7 tplink-safeloader: add TP-Link Archer A9 v6 support

  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* firmware: intel-microcode: update to 20220207 | Christian Lamparter | 2022-02-26 | 1 | -4/+4
  Debian's changelog by Henrique de Moraes Holschuh <hmh@debian.org>:

  * upstream changelog: new upstream datafile 20220207
  * Mitigates (*only* when loaded from UEFI firmware through the FIT) CVE-2021-0146, INTEL-SA-00528: VT-d privilege escalation through debug port, on Pentium, Celeron and Atom processors with signatures 0x506c9, 0x506ca, 0x506f1, 0x706a1, 0x706a8 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/57#issuecomment-1036363145
  * Mitigates CVE-2021-0127, INTEL-SA-00532: an unexpected code breakpoint may cause a system hang, on many processors.
  * Mitigates CVE-2021-0145, INTEL-SA-00561: information disclosure due to improper sanitization of shared resources (fast-store forward predictor), on many processors.
  * Mitigates CVE-2021-33120, INTEL-SA-00589: out-of-bounds read on some Atom Processors may allow information disclosure or denial of service via network access.
  * Fixes critical errata (functional issues) on many processors
  * Adds a MSR switch to enable RAPL filtering (default off, once enabled it can only be disabled by poweroff or reboot). Useful to protect SGX and other threads from side-channel info leak. Improves the mitigation for CVE-2020-8694, CVE-2020-8695, INTEL-SA-00389 on many processors.
  * Disables TSX in more processor models.
  * Fixes issue with WBINDV on multi-socket (server) systems which could cause resets and unpredictable system behavior.
  * Adds a MSR switch to 10th and 11th-gen (Ice Lake, Tiger Lake, Rocket Lake) processors, to control a fix for (hopefully rare) unpredictable processor behavior when HyperThreading is enabled. This MSR switch is enabled by default on *server* processors. On other processors, it needs to be explicitly enabled by an updated UEFI/BIOS (with added configuration logic).
An updated operating system kernel might also be able to enable it. When enabled, this fix can impact performance. * Updated Microcodes: sig 0x000306f2, pf_mask 0x6f, 2021-08-11, rev 0x0049, size 38912 sig 0x000306f4, pf_mask 0x80, 2021-05-24, rev 0x001a, size 23552 sig 0x000406e3, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 105472 sig 0x00050653, pf_mask 0x97, 2021-05-26, rev 0x100015c, size 34816 sig 0x00050654, pf_mask 0xb7, 2021-06-16, rev 0x2006c0a, size 43008 sig 0x00050656, pf_mask 0xbf, 2021-08-13, rev 0x400320a, size 35840 sig 0x00050657, pf_mask 0xbf, 2021-08-13, rev 0x500320a, size 36864 sig 0x0005065b, pf_mask 0xbf, 2021-06-04, rev 0x7002402, size 28672 sig 0x00050663, pf_mask 0x10, 2021-06-12, rev 0x700001c, size 28672 sig 0x00050664, pf_mask 0x10, 2021-06-12, rev 0xf00001a, size 27648 sig 0x00050665, pf_mask 0x10, 2021-09-18, rev 0xe000014, size 23552 sig 0x000506c9, pf_mask 0x03, 2021-05-10, rev 0x0046, size 17408 sig 0x000506ca, pf_mask 0x03, 2021-05-10, rev 0x0024, size 16384 sig 0x000506e3, pf_mask 0x36, 2021-04-29, rev 0x00ec, size 108544 sig 0x000506f1, pf_mask 0x01, 2021-05-10, rev 0x0036, size 11264 sig 0x000606a6, pf_mask 0x87, 2021-12-03, rev 0xd000331, size 291840 sig 0x000706a1, pf_mask 0x01, 2021-05-10, rev 0x0038, size 74752 sig 0x000706a8, pf_mask 0x01, 2021-05-10, rev 0x001c, size 75776 sig 0x000706e5, pf_mask 0x80, 2021-05-26, rev 0x00a8, size 110592 sig 0x000806a1, pf_mask 0x10, 2021-09-02, rev 0x002d, size 34816 sig 0x000806c1, pf_mask 0x80, 2021-08-06, rev 0x009a, size 109568 sig 0x000806c2, pf_mask 0xc2, 2021-07-16, rev 0x0022, size 96256 sig 0x000806d1, pf_mask 0xc2, 2021-07-16, rev 0x003c, size 101376 sig 0x000806e9, pf_mask 0x10, 2021-04-28, rev 0x00ec, size 104448 sig 0x000806e9, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 104448 sig 0x000806ea, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 103424 sig 0x000806eb, pf_mask 0xd0, 2021-04-28, rev 0x00ec, size 104448 sig 0x000806ec, pf_mask 0x94, 2021-04-28, rev 0x00ec, size 104448 sig 
0x00090661, pf_mask 0x01, 2021-09-21, rev 0x0015, size 20480 sig 0x000906c0, pf_mask 0x01, 2021-08-09, rev 0x2400001f, size 20480 sig 0x000906e9, pf_mask 0x2a, 2021-04-29, rev 0x00ec, size 106496 sig 0x000906ea, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 102400 sig 0x000906eb, pf_mask 0x02, 2021-04-28, rev 0x00ec, size 104448 sig 0x000906ec, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424 sig 0x000906ed, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424 sig 0x000a0652, pf_mask 0x20, 2021-04-28, rev 0x00ec, size 93184 sig 0x000a0653, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 94208 sig 0x000a0655, pf_mask 0x22, 2021-04-28, rev 0x00ee, size 94208 sig 0x000a0660, pf_mask 0x80, 2021-04-28, rev 0x00ea, size 94208 sig 0x000a0661, pf_mask 0x80, 2021-04-29, rev 0x00ec, size 93184 sig 0x000a0671, pf_mask 0x02, 2021-08-29, rev 0x0050, size 102400 * Removed Microcodes: sig 0x00080664, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048 sig 0x00080665, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048 * update .gitignore and debian/.gitignore. Add some missing items from .gitignore and debian/.gitignore. * ucode-blacklist: do not late-load 0x406e3 and 0x506e3. When the BIOS microcode is older than revision 0x7f (and perhaps in some other cases as well), the latest microcode updates for 0x406e3 and 0x506e3 must be applied using the early update method. Otherwise, the system might hang. Also: there must not be any other intermediate microcode update attempts [other than the one done by the BIOS itself], either. It must go from the BIOS microcode update directly to the latest microcode update. * source: update symlinks to reflect id of the latest release, 20220207 Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* iucode-tool: fix host-compile on macos and non-x86 linux | Sergey V. Lobanov | 2022-02-26 | 2 | -1/+45
  iucode-tool/host is used by intel-microcode to manipulate with microcode.bin file.

  iucode-tool requires cpuid.h at compile time for autodetection feature, but non-x86 build hosts do not have this header file (e.g. ubuntu 20.04 aarch64) or this header generates compile time error (#error macro) (e.g. macos arm64).

  This patch provides compat cpuid.h to build iucode-tool/host on non-x86 linux hosts and macos. CPU autodetection is not required for intel-microcode package build so compat cpuid.h is ok for OpenWrt purposes.

  glibc and argp lib are not present in macos so iucode-tool/host build fails.

  This patch adds argp-standalone/host as build dependency if host os is macos.

  Generated ucode (intel-microcode package) is exactly the same on Linux x86_64 (Ubuntu 20.04), Linux aarch64 (Ubuntu 20.04) and Darwin arm64 (MacOS 11.6) build hosts.

  Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
* argp-standalone: add host-compile ability | Sergey V. Lobanov | 2022-02-26 | 1 | -1/+12
  This patch adds host-compile ability to argp-standalone for build hosts without glibc and argp lib, e.g. MacOS.

  iucode-tool/host can not be built on MacOS due to lack of argp.

  Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
* at91: remove pm debug features from sama5 kernel config | Claudiu Beznea | 2022-02-26 | 1 | -4/+0
  Remove PM debug features from sama5 kernel config. It is not necessary to have it on production code. This also fixes the build for sama5 target after commit 97158fe10e60 ("kernel: package ramoops pstore-ram crash log storage")

  Fixes: 97158fe10e60 ("kernel: package ramoops pstore-ram crash log storage")
  Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
* mbedtls: update to 2.28.0 LTS branch | Lucian Cristian | 2022-02-26 | 2 | -24/+28
  <https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0>
  "Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024."

  <https://github.com/ARMmbed/mbedtls/blob/development/BRANCHES.md>
  "Currently, the only supported LTS branch is: mbedtls-2.28. For a short time we also have the previous LTS, which has recently ended its support period, mbedtls-2.16. This branch will move into the archive namespace around the time of the next release."

  this will also add support for uacme ualpn support.

  size changes
  221586 libmbedtls12_2.28.0-1_mips_24kc.ipk
  182742 libmbedtls12_2.16.12-1_mips_24kc.ipk

  Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
  (remark about 2.16's EOS, slightly reworded)
  Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* ipq806x: Increase kernel size to 4 MB for EA8500/EA7500v1 | Hannu Nyman | 2022-02-26 | 3 | -9/+27
  Increase the kernel size from 3 MB to 4 MB for EA8500 and EA7500v1.
  * modify the common .dtsi
  * modify the kernel size in the image recipes

  Define compat-version 2.0 to force factory image usage for sysupgrade. Add explanation message.

  Reenable both devices.

  As for 4MiB (and not more): Hannu Nyman noted that: "We have lots of ipq806x devices with 4 MB kernel, so will need action at that point in future in any case. (Assuming that the bootloader did not have a 4 MB limit that has been tested...)"

  Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
  (squashed, added 4MiB notice of support in ipq806x)
  Signed-off-by: Christian Lamparter <chunkeey@gmail.com>