path: root/config
Commit message | Author | Age | Files | Lines
...
* config: prepare for choice of SELinux policy | Daniel Golle | 2020-09-29 | 1 | -1/+12
  Only 'targeted' from refpolicy is supported for now.
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* config: add KERNEL_LSM symbol | Paul Spooren | 2020-09-03 | 1 | -11/+3
  The LSM (Linux security mechanism) list is the successor of the now legacy *major LSM*. Instead of defining a single security mechanism, the LSM symbol is a comma-separated list of mechanisms to load.

  Until recently OpenWrt would only support DAC (Unix discretionary access controls), which don't require an additional entry in the LSM list. With the newly introduced SELinux support the LSM list needs to be extended, else only a manually modified Kernel cmdline (`security=selinux`) would activate SELinux.

  As the default OpenWrt Kernel config sets DAC as default security mechanism, SELinux is stripped from the LSM list, even if `KERNEL_DEFAULT_SECURITY_SELINUX` is activated. To allow SELinux without a modified cmdline this commit sets a specific LSM list if `KERNEL_SECURITY_SELINUX` is enabled.

  The upstream Kconfig adds even more mechanisms (smack,selinux,tomoyo,apparmor), but until they're ported to OpenWrt, these can be ignored.

  To compile SELinux Kernel support but disable it from loading, the already present options `KERNEL_SECURITY_SELINUX_DISABLE` or `KERNEL_SECURITY_SELINUX_BOOTPARAM` (with custom cmdline `selinux=0`) can be used. Further, it's possible to edit `/etc/selinux/config`.
  Signed-off-by: Paul Spooren <mail@aparcar.org>
* kernel: remove obsolete kernel version switches for 4.14 | Adrian Schmutzler | 2020-09-02 | 1 | -1/+1
  This removes switches dependent on kernel version 4.14 as well as several packages/modules selected only for that version.

  This also removes sched-cake-virtual, which is not required anymore now that we have only one variant of cake.
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* rb532: drop target | Adrian Schmutzler | 2020-09-02 | 1 | -1/+1
  This target is still on kernel 4.14, and recent attempts to move it to kernel 5.4 have not led to success. The device tester reported that it wouldn't boot with the following messages:

  From sysupgrade:
    Press any key within 4 seconds to enter setup....
    loading kernel from nand... OK
    setting up elf image... OK
    jumping to kernel code
  At this point the system hangs.

  From CompactFlash:
    Press any key within 4 seconds to enter setup....
    Booting CF
    Loading kernel... done
    setting up elf image... kernel out of range
    kernel loading failed

  The tester reported that the same was observed with current master (kernel 4.14) as well. This looks like some kernel size restriction.

  Since this target is quite old and only supports one device, and since nobody else seemed interested in working on this for quite some time, I decided to not put further work into analyzing the problem and drop this together with the other 4.14-only targets.

  Patchwork series: https://patchwork.ozlabs.org/project/openwrt/list/?series=197066&state=*
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* kernel: add options needed for SELinux | Thomas Petazzoni | 2020-08-31 | 1 | -0/+55
  This adds a number of options to config/Config-kernel.in so that packages related to SELinux support can enable the appropriate Linux kernel support.
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  [rebase; add ext4, F2FS, UBIFS, and JFFS2 support; add commit message]
  Signed-off-by: W. Michael Petullo <mike@flyn.org>
* build: add support for SELinux to include/image.mk | Thomas Petazzoni | 2020-08-31 | 1 | -0/+10
  This allows the build process to prepare a squashfs filesystem for use with SELinux.
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  [rebase, add commit message]
  Signed-off-by: W. Michael Petullo <mike@flyn.org>
* ar71xx: drop target | Adrian Schmutzler | 2020-08-30 | 1 | -1/+0
  This target has been mostly replaced by ath79 and won't be included in the upcoming release anymore. Finally put it to rest.

  This also removes all references in packages, tools, etc. as well as the uboot-ar71xx and vsc73x5-ucode packages.
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* config: kernel: fix missed CGROUP_HUGETLB symbol | Yuan Tao | 2020-08-24 | 1 | -2/+2
  The symbol KERNEL_CGROUP_HUGETLB is always used whenever KERNEL_CGROUPS is enabled. The absence of this notation will cause the user to be asked to enter this parameter the first time it is compiled.
  Signed-off-by: Yuan Tao <ty@wevs.org>
* kernel: further clean-up options and defaults | Daniel Golle | 2020-08-10 | 1 | -11/+11
  Remove `if !SMALL_FLASH` in places which are anyway already augmented by `if !SMALL_FLASH`.

  Always enable CONFIG_BLK_DEV_THROTTLING on !SMALL_FLASH devices rather than just enabling it on bcm27xx.

  Enabled CPU bandwidth provisioning for FAIR_GROUP_SCHED on !SMALL_FLASH devices as CONFIG_FAIR_GROUP_SCHED is already enabled and becomes more useful for cgroups with that option enabled as well.
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* build: make prefix mapping of debug information optional | Felix Fietkau | 2020-08-06 | 1 | -0/+9
  Remapping the local build path in debug information makes debugging using ./scripts/remote-gdb harder, because files no longer refer to the full path on the build host.

  For local builds, debug information does not need to be reproducible, since it will be stripped out of packages anyway.

  For buildbot builds, it makes sense to keep debug information reproducible, since the full path is not needed (nor desired) anywhere.
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* kernel: fix missing TRANSPARENT_HUGEPAGE symbols | Stijn Tintel | 2020-08-01 | 1 | -0/+12
  Enabling KERNEL_TRANSPARENT_HUGEPAGE exposes 2 missing symbols:
  * CONFIG_READ_ONLY_THP_FOR_FS
  * TRANSPARENT_HUGEPAGE_ALWAYS
  * TRANSPARENT_HUGEPAGE_MADVISE

  The first one was added in 5.4, and is marked experimental there so just disable it in the generic config.

  For the latter two, we should not force the user to use either of them, so add them as build-configurable kernel options.

  Fixes: d1a8217d87bf ("kernel: clean-up build-configurable kernel config symbols")
  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* kernel: add menuconfig entry for kernel CONFIG_CGROUP_NET_CLASSID | Daniel Golle | 2020-07-31 | 1 | -0/+4
  It was removed from target defaults though it didn't exist in the build-systems kernel configuration options. Add it there.

  Fixes: d1a8217d87 ("kernel: clean-up build-configurable kernel config symbols")
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* build: add option to mark devices as BROKEN | Adrian Schmutzler | 2020-07-30 | 1 | -1/+1
  By specifying "BROKEN := 1" or "BROKEN := y" for a device, it will be hidden (and deselected) by default. By that, it provides a stronger option to "disable" a device beyond just using DEFAULT := n.

  To make these devices visible, just enable the BROKEN option in developer settings as already implemented for targets and packages.
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* kernel: clean-up build-configurable kernel config symbols | Daniel Golle | 2020-07-30 | 1 | -10/+39
  Don't explicitly disable options in target/linux/generic/config-* if they are already controlled in config/Config-kernel.in. Add a bunch of new symbols and prepare defaults for using only unified hierarchy (i.e. cgroup2). Update symbol dependencies while at it.
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* build: Remove dependency of user space stack cookies from kernel | Hauke Mehrtens | 2020-07-24 | 1 | -2/+0
  Currently the user space stack cookies work well also when the kernel stack cookies are not activated. This is handled completely in user space and does not need kernel support.

  This dependency was probably needed some years ago when the libc did not support stack cookies.
  Reviewed-by: Ian Cooper <iancooper@hotmail.com>
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* build: improve ccache support | Roman Yeryomin | 2020-07-11 | 1 | -0/+7
  Set CCACHE_DIR to $(TOPDIR)/.ccache and CCACHE_BASEDIR to $(TOPDIR). This allows to do clean and dirclean. Cache hit rate for test build after dirclean is ~65%.
  If CCACHE is enabled stats are printed out at the end of building process.
  CCACHE_DIR config variable allows to override default, which could be useful when sharing cache with many builds.
  cacheclean make target allows to clean the cache.

  Changes from v1:
  - remove ccache directory using CCACHE_DIR variable
  - remove ccache leftovers from sdk and toolchain make files
  - introduce CONFIG_CCACHE_DIR variable
  - introduce cacheclean make target
  Signed-off-by: Roman Yeryomin <roman@advem.lv>
* kernel: rename CONFIG_NETPRIO_CGROUP to CONFIG_CGROUP_NET_PRIO | Javier Marcet | 2020-06-27 | 1 | -1/+1
  This has been changed in kernel 3.14.
  Signed-off-by: Javier Marcet <javier@marcet.info>
* toolchain: remove gcc libssp and use libc variant | Ian Cooper | 2020-06-17 | 1 | -4/+0
  Removes the standalone implementation of stack smashing protection in gcc's libssp in favour of the native implementation available in glibc and uclibc. Musl libc already uses its native ssp, so this patch does not affect musl-based toolchains.

  Stack smashing protection configuration options are now uniform across all supported libc variants.

  This also makes kernel-level stack smashing protection available for x86_64 and i386 builds using non-musl libc.
  Signed-off-by: Ian Cooper <iancooper@hotmail.com>
* ath79: add support for MikroTik RouterBOARD 493G (rb4xx series) | Christopher Hill | 2020-06-15 | 1 | -0/+1
  This patch adds support for the MikroTik RouterBOARD RB493G, ported from the ar71xx target.

  See https://routerboard.com/RB493G for details

  Specification:
  - SoC Qualcomm Atheros AR7161
  - RAM: 256 MiB
  - Storage: 128MiB NAND
  - Ethernet: 9x 1000/100/10 Mbps
  - USB 1x 2.0 / 1.0 type A
  - PCIe: 3x Mini slot
  - MicroSD slot

  Working:
  - Board/system detection
  - Ethernet
  - SPI
  - NAND
  - LEDs
  - USB
  - Sysupgrade

  Enabled (but untested due to lack of hardware):
  - PCIe
    - ath79_pci_irq struct has the slot/pin/IRQ mappings if needed

  Installation methods:
  - tftp boot initramfs image, scp then flash via "sysupgrade -n"
  - nand boot existing OpenWrt, scp then flash via "sysupgrade -n"

  Notes:
  - initramfs image will not work if uncompressed image size over ~8.5Mb
  - The "rb4xx" drivers have been enabled
  Signed-off-by: Christopher Hill <ch6574@gmail.com>
* build: refactor JSON info files to `profiles.json` | Paul Spooren | 2020-04-03 | 1 | -4/+5
  JSON info files contain machine readable information of built profiles and resulting images. These files were added in commit 881ed09ee6e2 ("build: create JSON files containing image info").

  They are useful for firmware wizards and script checking for reproducibility.

  Currently all JSON files are stored next to the built images, resulting in up to 168 individual files for the ath79/generic target.

  This patch refactors the JSON creation to store individual per image (not per profile) files in $(BUILD_DIR)/json_info_files and create a single overview file called `profiles.json` in the target directory.

  Storing per image files and not per profile solves the problem of parallel file writes. If a profile's sysupgrade and factory image are finished at the same time, both processes would write to the same JSON file, resulting in randomly broken outputs.

  Some targets like x86/64 do not use the image code yet, resulting in missing JSON files. If no JSON info files were created, no `profiles.json` file is created as it would be empty anyway.

  As before, this creation is enabled by default only if `BUILDBOT` is set.

  Tested via buildroot & ImageBuilder on ath79/generic, imx6 and x86/64.
  Signed-off-by: Paul Spooren <mail@aparcar.org>
  [json_info_files dir handling in Make, if case refactoring]
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* x86: generate EFI platform bootable images | 李国 | 2020-03-31 | 1 | -10/+19
  Add EFI platform bootable images for x86 platforms. These images can also boot from legacy BIOS platform.

  EFI System Partition need to be fat12/fat16/fat32 (not need to load filesystem drivers), so the first partition of EFI images are not ext4 filesystem any more.

  GPT partition table has an alternate partition table, we did not generate it. This may cause problems when use these images as qemu disk (kernel can not find rootfs), we pad enough sectors will be ok.
  Signed-off-by: 李国 <uxgood.org@gmail.com>
  [part_magic_* refactoring, removed genisoimage checks]
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* x86: switch image generation to new code | Paul Spooren | 2020-03-21 | 1 | -10/+8
  This commit introduces few related changes which need to be done in single commit to keep images buildable between git revisions. In result it retains all previous image creation possibilities with slight name change of generated images.

  Brief summary of the commit:
  * Split up image generation recipe to smaller chunks to make it more generic and reusable.
  * Make iso images x86 specific and drop their definition as root filesystem.
  * Convert image creation process to generic code specified in image.mk.
  * Make geode subtarget inherit features from the main target instead of redefining them.
  * For subtargets create device definitions with basic packages set.
  Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
  [rebased]
  Signed-off-by: Paul Spooren <mail@aparcar.org>
* x86: make crashdump works | Chen Minqiang | 2020-03-20 | 1 | -0/+4
  1. KERNEL_CRASH_DUMP should depends on KERNEL_PROC_KCORE (kexec use it)
  2. select crashkernel mem size by totalmem
     mem <= 256M disable crashkernel by default
     mem >= 4G use 256M for crashkernel
     mem >= 8G use 512M for crashkernel
     default use 128M
  3. set BOOT_IMAGE in kdump.init
  4. resolve a "Unhandled rela relocation: R_X86_64_PLT32" error

  Tested on x86_64
  Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
* kernel: Use new symbol to deactivate MIPS FPU support | Hauke Mehrtens | 2020-02-28 | 1 | -0/+5
  With kernel 5.4 the upstream kernel supports deactivating the FPU support on MIPS. Use this new upstream feature instead of our older patch which was removed when porting the kernel patches to kernel 5.4.

  This way both options are set which should work for older kernel versions and also new ones.
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* base-files: add all buildinfo with INCLUDE_CONFIG | Xu Wang | 2020-02-27 | 1 | -1/+1
  CONFIG_INCLUDE_CONFIG option is helpful for being able to rebuild the exact same firmware as you see on a live OpenWRT instance, but it's crucially missing feeds information, so we can't rebuild the exact same package versions.

  This commit fixes this by adding the remaining feeds (and version) buildinfo files to the image.
  Signed-off-by: Xu Wang <xwang1498@gmx.com>
* build: Add additional kernel debug options | Hauke Mehrtens | 2020-02-22 | 1 | -0/+68
  Make it possible to activate some additional kernel debug options. This can be used to debug some problems in kernel drivers.
  Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
  Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* build: Add KCOV kernel code coverage for fuzzing | Hauke Mehrtens | 2020-02-22 | 1 | -0/+33
  This adds an option to activate KCOV (Code coverage for fuzzing).
  Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
  Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* build: Add option KERNEL_KASAN | Hauke Mehrtens | 2020-02-22 | 1 | -0/+52
  The kernel address sanitizer is able to detect some memory bugs in the kernel like out of range array accesses.
  Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
  Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* build: Add option KERNEL_UBSAN | Hauke Mehrtens | 2020-02-22 | 1 | -0/+35
  The kernel Undefined Behavior Sanitizer is able to detect some memory bugs in the kernel like out of range array accesses.
  Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
  Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* brcm2708: rename target to bcm27xx | Adrian Schmutzler | 2020-02-14 | 2 | -2/+2
  This change makes the names of Broadcom targets consistent by using the common notation based on SoC/CPU ID (which is used internally anyway), bcmXXXX instead of brcmXXXX. This is even used for target TITLE in make menuconfig already, only the short target name used brcm so far.

  Despite, since subtargets range from bcm2708 to bcm2711, it seems appropriate to use bcm27xx instead of bcm2708 (again, as already done for BOARDNAME).

  This also renames the packages brcm2708-userland and brcm2708-gpu-fw.
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
  Acked-by: Álvaro Fernández Rojas <noltari@gmail.com>
* buildsystem: Make PIE ASLR option tristate | Hauke Mehrtens | 2020-01-13 | 1 | -4/+18
  This tristate choose allows to select to build only some applications with PIE enabled. On MIPS binaries are getting about 30% bigger when PIE is activated for the, which is a huge increase. Network exposed applications like dnsmasq should then be built with PIE enabled, but some applications which are normally not parsing data from the network do not have it activated. The regular option should give a good trade off between extra flash and RAM memory usage and security.

  This changes the default from building no applications with PIE to build some specifically marked applications with PIE enabled. This option is only activated for targets with bigger flash and RAM to not consume extra memory on the very small targets.

  On SDK builds the Regular option should always be selected, because some tiny targets share the applications with big targets and only the images for the tiny targets should contain the non-PIE applications, but the images for the normal targets should use PIE. The shared packages should always use PIE when it should be normally activated.
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
  Acked-by: Petr Štetiar <ynezz@true.cz>
* libcxx: Depenency fixes | Rosen Penev | 2019-12-23 | 1 | -0/+1
  Don't build with uClibc-ng. It's totally unsupported as several functions are missing.

  Make the musl libc support conditional.

  Fix hash with make check FIXUP=1. Apparently I based the Makefile off of libedit and forgot to fix the hash.
  Signed-off-by: Rosen Penev <rosenp@gmail.com>
  Fixes: 856ea2bad3b3 ("libcxx: Add package")
* libcxx: Add package | Rosen Penev | 2019-12-23 | 1 | -0/+3
  Currently in OpenWrt, there are two libc++: libstdcpp and uClibc++. The former is huge and the latter supports only C++98 with some basic support for C++11. Those C++ versions seem to be specific to the compiler version

  libcxx supports C++11 and above while being much smaller than libstdcpp. On mt7621, these are the sizes of the ipks that I get:
    libstdcpp: 460786
    libcxx: 182881
    uClibc++: 67720

  libcxx is faster than uClibc++ and is under active development as part of the LLVM project while uClibc++ is effectively dead.

  This PR modifies uclibc++.mk to expose the make menuconfig option. Further cleanup is beyond the scope of this PR. What that means is, this is not used by default.

  A g++-libcxx wrapper based on the uClibc++ one was added. Works the same way.

  Compile tested with all packages that use uclibc++.mk in their Makefiles under mipsel_24kc. kismet fails compilation but that package needs to be cleaned up and updated.

  Runtime tested with gddrescue, gdisk, dcwapd, bonnie++, and aircrack-ng on a TP-Link Archer C7v2.
  Signed-off-by: Rosen Penev <rosenp@gmail.com>
* config: kernel: fix typo in HFSPLUG_FS_POSIX_ACL | Stijn Tintel | 2019-11-28 | 1 | -1/+1
  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* Revert "build: separate signing logic" | John Crispin | 2019-10-21 | 1 | -10/+2
  This reverts commit 4a45e69d190f72ed94878487b271ed7651dd9efa.

  This broke the buildbots
  Signed-off-by: John Crispin <john@phrozen.org>
* build: separate signing logic | Paul Spooren | 2019-10-21 | 1 | -2/+10
  This separates the options for signature creation and verification
  * SIGNED_PACKAGES create Packages.sig
  * SIGNED_IMAGES add ucert signature to created images
  * CHECK_SIGNATURE add verification capabilities to images
  * INSTALL_LOCAL_KEY add local key-build to /etc/opkg/keys

  Right now the buildbot.git contains some hacks to create images that have signature verification capabilities while not storing private keys on buildbot slaves. This commit allows to disable these steps for the buildbots and only perform signing on the master.
  Signed-off-by: Paul Spooren <mail@aparcar.org>
* config: remove unused GCC_VERSION_4_8 config symbols | Paul Spooren | 2019-10-09 | 1 | -2/+0
  Let's remove unused GCC_VERSION_4_8 symbol after the series of patches which has switched to target gcc-8 by default.
  Signed-off-by: Paul Spooren <mail@aparcar.org>
  [refactored into separate commit]
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* build: create JSON files containing image info | Paul Spooren | 2019-09-29 | 1 | -0/+7
  The JSON info files contain details about the created firmware images per device and are stored next to the created images.

  The JSON files are stored as "$(IMAGE_PREFIX).json" and contain some device/image meta data as well as a list of created firmware images.

  An example of openwrt-ramips-rt305x-aztech_hw550-3g.json

    {
      "id": "aztech_hw550-3g",
      "image_prefix": "openwrt-ramips-rt305x-aztech_hw550-3g",
      "images": [
        {
          "name": "openwrt-ramips-rt305x-aztech_hw550-3g-squashfs-sysupgrade.bin",
          "sha256": "db2b34b0ec4a83d9bf612cf66fab0dc3722b191cb9bedf111e5627a4298baf20",
          "type": "sysupgrade"
        }
      ],
      "metadata_version": 1,
      "supported_devices": [
        "aztech,hw550-3g",
        "hw550-3g"
      ],
      "target": "ramips/rt305x",
      "titles": [
        {
          "model": "HW550-3G",
          "vendor": "Aztech"
        },
        {
          "model": "ALL0239-3G",
          "vendor": "Allnet"
        }
      ],
      "version_commit": "r10920+123-0cc87b3bac",
      "version_number": "SNAPSHOT"
    }
  Signed-off-by: Paul Spooren <mail@aparcar.org>
* rules: allow arbitrary log destination | Paul Spooren | 2019-09-29 | 1 | -0/+7
  Add option BUILD_LOG_DIR to menuconfig to change log destination. The mix-up of *DIR* and *FOLDER* is confusing however.
  Signed-off-by: Paul Spooren <mail@aparcar.org>
* build: set TARGET_ROOTFS_PARTSIZE to make combined image fit in 128MB | Matthias Schiffer | 2019-09-21 | 1 | -1/+1
  Change TARGET_ROOTFS_PARTSIZE from 128 to 104 MiB, so the whole image (bootloader + boot + root) will fit on a 128MB CF card by default.

  With these settings, the generated images (tested on x86-generic and x86-64) have 126,353,408 bytes; the smallest CF card marketed as "128MB" that I found a datasheet for (a Transcend TS128MCF80) has 126,959,616 bytes.
  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* config: kernel: only enable container features if !SMALL_FLASH | Daniel Golle | 2019-09-12 | 1 | -2/+2
  KERNEL_DEVPTS_MULTIPLE_INSTANCES and KERNEL_POSIX_MQUEUE were previously enabled by default only if KERNEL_LXC_MISC was selected. KERNEL_LXC_MISC was enabled only if the SMALL_FLASH (anti-)feature was not selected. Now that KERNEL_LXC_MISC no longer exists, make sure that those options are also only enabled by default for !SMALL_FLASH targets.

  Fixes: 4f94a331 ("config: kernel: remove KERNEL_LXC_MISC")
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* config: kernel: remove KERNEL_LXC_MISC | Yousong Zhou | 2019-09-12 | 1 | -33/+22
  Kernel features are neutral. The two cascaded features can also be useful for other container related tools

  It's also less error-prone if only kconfig symbols from the kernel are prefixed KERNEL_
  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* config: kernel: add KERNEL_X86_VSYSCALL_EMULATION | Yousong Zhou | 2019-09-12 | 1 | -0/+18
  Binaries in container images may need this. E.g. nginx:1.7.9 used in k8s default deployment manifest file for demonstration [1]

  [1] https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#creating-a-deployment
  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* build: add buildinfo files for reproducibility | Paul Spooren | 2019-08-13 | 1 | -1/+1
  generate feeds.buildinfo and version.buildinfo in build dir after containing the feed revisions (via ./scripts/feeds list -sf) as well as the current revision of buildroot (via ./scripts/getver.sh).

  With this information it should be possible to reproduce any build, especially the release builds.

  Usage would be to move feeds.buildinfo to feeds.conf and git checkout the revision hash of version.buildinfo.

  Content of feeds.buildinfo would look similar to this:

    src-git routing https://git.openwrt.org/feed/routing.git^bf475d6
    src-git telephony https://git.openwrt.org/feed/telephony.git^470eb8e
    ...

  Content of version.buildinfo would look similar to this:

    r10203+1-c12bd3a21b

  Without the exact feed revision it is not possible to determine installed package versions.

  Also rename config.seed to config.buildinfo to follow the recommended style of https://reproducible-builds.org/docs/recording/
  Signed-off-by: Paul Spooren <mail@aparcar.org>
* config: introduce separate CONFIG_SIGNATURE_CHECK option | Jo-Philipp Wich | 2019-08-06 | 1 | -0/+4
  Introduce a new option CONFIG_SIGNATURE_CHECK which defaults to the value of CONFIG_SIGNED_PACKAGES and thus is enabled by default.

  This option is needed to support building target opkg with enabled signature verification while having the signed package lists disabled.

  Our buildbots currently disable package signing globally in the buildroot and SDK to avoid the need to ship private signing keys to the build workers and to prevent the triggering of random key generation on the worker nodes since package signing happens off-line on the master nodes.

  As unintended side-effect, updated opkg packages will get built with disabled signature verification, hence the need for a new override option.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* brcm2708: add linux 4.19 support | Álvaro Fernández Rojas | 2019-07-14 | 1 | -1/+1
  Boot tested on Raspberry Pi B+ (BCM2708) and Raspberry Pi 2 (BCM2709)
  Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
* Make linux kernel builds reproducible when BUILDBOT selected | Alexander Couzens | 2019-07-02 | 1 | -0/+2
  The linux kernel is not reproducible because the build user and domain is included into the kernel. Set the build user to `builder` and build domain to buildhost.

  It's also possible to build reproducible builds by setting KERNEL_BUILD_USER KERNEL_BUILD_DOMAIN to static values.
  Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* build: enable gzipped images for armvirt and malta | Petr Štetiar | 2019-06-25 | 1 | -1/+1
  As we're now going to pad all images by default to 128MiB let's enable compression of the images for armvirt and malta in order to save some space and bandwidth.
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* build: make TARGET_ROOTFS_PARTSIZE 128MiB by default | Petr Štetiar | 2019-06-25 | 1 | -1/+1
  As we're now going to pad all images by default, let's decrease the default rootfs partition size from 256MiB to 128MiB in order to save some space.

  I'm keeping it above 100MiB in order to keep current behavior, where overlay filesystem is using F2FS.
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* build: remove TARGET_IMAGES_PAD option | Petr Štetiar | 2019-06-25 | 1 | -7/+1
  It's being used only in x86 target to produce combined images, where it's mandatory to have padded images in order to produce working squashfs combined images usable in QEMU.

  Currently we're producing unusable x86 combined squashfs images (18.06.1, 18.06.2 and snapshots) as we don't enable TARGET_IMAGES_PAD, thus providing very small space for the overlay filesystem, leading to the following with OpenWrt 18.06.1 r7258-5eb055306f images on x86 QEMU:

    root@(none):/# mount | egrep 'root|overlay'
    /dev/root on /rom type squashfs
    /dev/loop0 on /overlay type ext4
    overlayfs:/overlay on / type overlay

    root@(none):/# df -h | egrep 'root|overlay|Size'
    Filesystem                Size      Used Available Use% Mounted on
    /dev/root                 2.5M      2.5M         0 100% /rom
    /dev/loop0              113.0K      8.0K     97.0K   8% /overlay
    overlayfs:/overlay      113.0K      8.0K     97.0K   8% /

  So we should rather ensure proper image padding in image generation code and we shouldn't rely on config options in order to generate usable images.
  Signed-off-by: Petr Štetiar <ynezz@true.cz>