* [Buildroot] [PATCH 1/5] linux: automatically set CONFIG_PERF_EVENTS when perf is enabled
2018-07-04 7:07 [Buildroot] [PATCH 0/5] misc. patches from Nokia Thomas De Schampheleire
@ 2018-07-04 7:07 ` Thomas De Schampheleire
2018-07-04 19:52 ` Thomas Petazzoni
2018-07-04 7:07 ` [Buildroot] [PATCH 2/5] pigz: new package Thomas De Schampheleire
` (3 subsequent siblings)
4 siblings, 1 reply; 14+ messages in thread
From: Thomas De Schampheleire @ 2018-07-04 7:07 UTC
To: buildroot
From: Jan Heylen <jan.heylen@nokia.com>
Perf profiling cannot be used if CONFIG_PERF_EVENTS is not enabled in the
kernel configuration. Similar to other tools, like ktap, we can enable the
right options automatically.
Signed-off-by: Jan Heylen <jan.heylen@nokia.com>
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
---
linux/linux.mk | 2 ++
package/linux-tools/Config.in | 8 +++++---
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/linux/linux.mk b/linux/linux.mk
index 6b5f5344ed..7f4c916671 100644
--- a/linux/linux.mk
+++ b/linux/linux.mk
@@ -292,6 +292,8 @@ define LINUX_KCONFIG_FIXUP_CMDS
$(call KCONFIG_ENABLE_OPT,CONFIG_ENABLE_DEFAULT_TRACERS,$(@D)/.config)
$(call KCONFIG_ENABLE_OPT,CONFIG_PERF_EVENTS,$(@D)/.config)
$(call KCONFIG_ENABLE_OPT,CONFIG_FUNCTION_TRACER,$(@D)/.config))
+ $(if $(BR2_PACKAGE_LINUX_TOOLS_PERF),
+ $(call KCONFIG_ENABLE_OPT,CONFIG_PERF_EVENTS,$(@D)/.config))
$(if $(BR2_PACKAGE_SYSTEMD),
$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUPS,$(@D)/.config)
$(call KCONFIG_ENABLE_OPT,CONFIG_INOTIFY_USER,$(@D)/.config)
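Review bot: `CONFIG_PERF_EVENTS` is already enabled by the preceding `$(if ...)` block (the `$(call KCONFIG_ENABLE_OPT,CONFIG_PERF_EVENTS,$(@D)/.config)` line in the context above the new lines), so when both that block's package and perf are selected the option is set twice. KCONFIG_ENABLE_OPT is idempotent, so nothing breaks, but folding the two conditions into a single guard would leave one place where the perf-related kernel options are wired up.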
diff --git a/package/linux-tools/Config.in b/package/linux-tools/Config.in
index 2527c90257..349dc6bf0d 100644
--- a/package/linux-tools/Config.in
+++ b/package/linux-tools/Config.in
@@ -47,9 +47,11 @@ config BR2_PACKAGE_LINUX_TOOLS_PERF
code), single CPU or severals threads.
This will build and install the userspace 'perf'
- command. It is up to the user to ensure that the kernel
- configuration has all the suitable options enabled to allow a
- proper operation of 'perf'.
+ command.
+
+ Your kernel must have CONFIG_PERF_EVENTS enabled to use perf
+ profiling. Buildroot automatically enables this in the kernel
+ configuration.
https://perf.wiki.kernel.org/
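Review bot: the new help text ending at `+ configuration.` overstates what the change does: LINUX_KCONFIG_FIXUP_CMDS only runs when the kernel is built by Buildroot's linux package, so users who build their kernel outside Buildroot still have to set CONFIG_PERF_EVENTS themselves. Suggest wording such as "When the kernel is built by Buildroot, CONFIG_PERF_EVENTS is enabled automatically; otherwise make sure it is set in your kernel configuration."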
--
2.16.4
* [Buildroot] [PATCH 1/5] linux: automatically set CONFIG_PERF_EVENTS when perf is enabled
From: Thomas Petazzoni @ 2018-07-04 19:52 UTC
To: buildroot
Hello,
On Wed, 4 Jul 2018 09:07:35 +0200, Thomas De Schampheleire wrote:
> From: Jan Heylen <jan.heylen@nokia.com>
>
> Perf profiling cannot be used if CONFIG_PERF_EVENTS is not enabled in the
> kernel configuration. Similar to other tools, like ktap, we can enable the
> right options automatically.
>
> Signed-off-by: Jan Heylen <jan.heylen@nokia.com>
> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> ---
> linux/linux.mk | 2 ++
> package/linux-tools/Config.in | 8 +++++---
> 2 files changed, 7 insertions(+), 3 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 2/5] pigz: new package
From: Thomas De Schampheleire @ 2018-07-04 7:07 UTC
To: buildroot
From: Alfredo Alvarez Fernandez <alfredo.alvarez_fernandez@nokia.com>
A parallel implementation of gzip for modern
multi-processor, multi-core machines.
Signed-off-by: Alfredo Alvarez Fernandez <alfredo.alvarez_fernandez@nokia.com>
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
---
package/Config.in | 1 +
package/pigz/Config.in | 14 ++++++++++++++
package/pigz/pigz.hash | 2 ++
package/pigz/pigz.mk | 21 +++++++++++++++++++++
4 files changed, 38 insertions(+)
create mode 100644 package/pigz/Config.in
create mode 100644 package/pigz/pigz.hash
create mode 100644 package/pigz/pigz.mk
diff --git a/package/Config.in b/package/Config.in
index e94a6a8c12..20fe5ad8ff 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -70,6 +70,7 @@ menu "Compressors and decompressors"
source "package/lzip/Config.in"
source "package/lzop/Config.in"
source "package/p7zip/Config.in"
+ source "package/pigz/Config.in"
source "package/pixz/Config.in"
source "package/unrar/Config.in"
source "package/unzip/Config.in"
diff --git a/package/pigz/Config.in b/package/pigz/Config.in
new file mode 100644
index 0000000000..af229060cf
--- /dev/null
+++ b/package/pigz/Config.in
@@ -0,0 +1,14 @@
+config BR2_PACKAGE_PIGZ
+ bool "pigz"
+ depends on BR2_TOOLCHAIN_HAS_THREADS
+ select BR2_PACKAGE_ZLIB
+ help
+ pigz, which stands for parallel implementation of gzip, is a
+ fully functional replacement for gzip that exploits multiple
+ processors and multiple cores to the hilt when compressing
+ data.
+
+ http://www.zlib.net/pigz/
+
+comment "pigz needs a toolchain w/ threads"
+ depends on !BR2_TOOLCHAIN_HAS_THREADS
diff --git a/package/pigz/pigz.hash b/package/pigz/pigz.hash
new file mode 100644
index 0000000000..510db9affa
--- /dev/null
+++ b/package/pigz/pigz.hash
@@ -0,0 +1,2 @@
+# From https://zlib.net/pigz/
+sha256 a4f816222a7b4269bd232680590b579ccc72591f1bb5adafcd7208ca77e14f73 pigz-2.4.tar.gz
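Review bot: only the tarball is hashed here; PIGZ_LICENSE_FILES in pigz.mk points at README, so a `sha256 ... README` line should be added as well, otherwise a change in the licensing terms of a later upload would pass unnoticed by the build. The tarball hash should be the value published upstream, not one computed from a local download.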
diff --git a/package/pigz/pigz.mk b/package/pigz/pigz.mk
new file mode 100644
index 0000000000..82f3049519
--- /dev/null
+++ b/package/pigz/pigz.mk
@@ -0,0 +1,21 @@
+################################################################################
+#
+# pigz
+#
+################################################################################
+
+PIGZ_VERSION = 2.4
+PIGZ_SITE = http://www.zlib.net/pigz
+PIGZ_DEPENDENCIES = zlib
+PIGZ_LICENSE = Zlib
+PIGZ_LICENSE_FILES = README
+
+define PIGZ_BUILD_CMDS
+ $(TARGET_MAKE_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D)
+endef
+
+define PIGZ_INSTALL_TARGET_CMDS
+ $(INSTALL) -D -m 0755 $(@D)/pigz $(TARGET_DIR)/usr/bin/pigz
+endef
+
+$(eval $(generic-package))
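Review bot: `PIGZ_SITE = http://www.zlib.net/pigz` fetches over plain HTTP while the comment in pigz.hash cites https://zlib.net/pigz/; the sha256 check still catches a tampered or corrupted download, but using the https URL avoids a needless cleartext fetch and matches the stated hash provenance. This patch also adds a new package without a DEVELOPERS entry, which is expected for new packages.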
--
2.16.4
* [Buildroot] [PATCH 2/5] pigz: new package
From: Thomas Petazzoni @ 2018-07-04 9:51 UTC
To: buildroot
Hello,
On Wed, 4 Jul 2018 09:07:36 +0200, Thomas De Schampheleire wrote:
> From: Alfredo Alvarez Fernandez <alfredo.alvarez_fernandez@nokia.com>
>
> A parallel implementation of gzip for modern
> multi-processor, multi-core machines.
>
> Signed-off-by: Alfredo Alvarez Fernandez <alfredo.alvarez_fernandez@nokia.com>
> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> ---
> package/Config.in | 1 +
> package/pigz/Config.in | 14 ++++++++++++++
> package/pigz/pigz.hash | 2 ++
> package/pigz/pigz.mk | 21 +++++++++++++++++++++
Missing entry to the DEVELOPERS file.
Thomas
--
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 2/5] pigz: new package
From: Thomas Petazzoni @ 2018-07-04 20:30 UTC
To: buildroot
Hello,
On Wed, 4 Jul 2018 09:07:36 +0200, Thomas De Schampheleire wrote:
> From: Alfredo Alvarez Fernandez <alfredo.alvarez_fernandez@nokia.com>
>
> A parallel implementation of gzip for modern
> multi-processor, multi-core machines.
>
> Signed-off-by: Alfredo Alvarez Fernandez <alfredo.alvarez_fernandez@nokia.com>
> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> ---
> package/Config.in | 1 +
> package/pigz/Config.in | 14 ++++++++++++++
> package/pigz/pigz.hash | 2 ++
> package/pigz/pigz.mk | 21 +++++++++++++++++++++
> 4 files changed, 38 insertions(+)
> create mode 100644 package/pigz/Config.in
> create mode 100644 package/pigz/pigz.hash
> create mode 100644 package/pigz/pigz.mk
I've applied, with the following changes:
[Thomas: add entry to DEVELOPERS file, add hash for license file.]
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 2/5] pigz: new package
From: Thomas De Schampheleire @ 2018-07-05 8:00 UTC
To: buildroot
2018-07-04 22:30 GMT+02:00 Thomas Petazzoni <thomas.petazzoni@bootlin.com>:
> Hello,
>
> On Wed, 4 Jul 2018 09:07:36 +0200, Thomas De Schampheleire wrote:
>> From: Alfredo Alvarez Fernandez <alfredo.alvarez_fernandez@nokia.com>
>>
>> A parallel implementation of gzip for modern
>> multi-processor, multi-core machines.
>>
>> Signed-off-by: Alfredo Alvarez Fernandez <alfredo.alvarez_fernandez@nokia.com>
>> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
>> ---
>> package/Config.in | 1 +
>> package/pigz/Config.in | 14 ++++++++++++++
>> package/pigz/pigz.hash | 2 ++
>> package/pigz/pigz.mk | 21 +++++++++++++++++++++
>> 4 files changed, 38 insertions(+)
>> create mode 100644 package/pigz/Config.in
>> create mode 100644 package/pigz/pigz.hash
>> create mode 100644 package/pigz/pigz.mk
>
> I've applied, with the following changes:
>
> [Thomas: add entry to DEVELOPERS file, add hash for license file.]
>
Oops, I hadn't seen that you already applied these changes and I just sent a v2.
As I added one new change related to a more stable download URL for
pigz, I'll rebase and send v3.
Please ignore the v2, sorry for the noise.
/Thomas
* [Buildroot] [PATCH 3/5] host zstd: additionally build binary and make selectable
From: Thomas De Schampheleire @ 2018-07-04 7:07 UTC
To: buildroot
The zstd (de)compression tool may be used in post-image scripts to compress
certain elements of the final image.
In order to allow that, make host-zstd selectable in the 'Host utilities'
menu, and build the binary in addition to the library.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
---
package/Config.in.host | 1 +
package/zstd/Config.in.host | 8 ++++++++
package/zstd/zstd.mk | 4 ++++
3 files changed, 13 insertions(+)
create mode 100644 package/zstd/Config.in.host
diff --git a/package/Config.in.host b/package/Config.in.host
index 38543e7390..7838ffc219 100644
--- a/package/Config.in.host
+++ b/package/Config.in.host
@@ -62,5 +62,6 @@ menu "Host utilities"
source "package/vboot-utils/Config.in.host"
source "package/xorriso/Config.in.host"
source "package/zip/Config.in.host"
+ source "package/zstd/Config.in.host"
endmenu
diff --git a/package/zstd/Config.in.host b/package/zstd/Config.in.host
new file mode 100644
index 0000000000..05751f8fbf
--- /dev/null
+++ b/package/zstd/Config.in.host
@@ -0,0 +1,8 @@
+config BR2_PACKAGE_HOST_ZSTD
+ bool "host zstd"
+ help
+ Zstandard, or zstd as short version, is a fast lossless
+ compression algorithm, targeting real-time compression
+ scenarios at zlib-level and better compression ratios
+
+ https://facebook.github.io/zstd
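Review bot: the help text ends without a full stop after `better compression ratios`; close the sentence before the blank line and the URL.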
diff --git a/package/zstd/zstd.mk b/package/zstd/zstd.mk
index 4915cee07d..0b613a6da4 100644
--- a/package/zstd/zstd.mk
+++ b/package/zstd/zstd.mk
@@ -72,11 +72,15 @@ endef
define HOST_ZSTD_BUILD_CMDS
$(HOST_MAKE_ENV) $(HOST_CONFIGURE_OPTS) $(MAKE) \
-C $(@D)/lib
+ $(HOST_MAKE_ENV) $(HOST_CONFIGURE_OPTS) $(MAKE) \
+ -C $(@D) zstd
endef
define HOST_ZSTD_INSTALL_CMDS
$(HOST_MAKE_ENV) $(HOST_CONFIGURE_OPTS) $(MAKE) \
DESTDIR=$(HOST_DIR) PREFIX=/usr -C $(@D)/lib install
+ $(HOST_MAKE_ENV) $(HOST_CONFIGURE_OPTS) $(MAKE) \
+ DESTDIR=$(HOST_DIR) PREFIX=/usr -C $(@D)/programs install
endef
$(eval $(generic-package))
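Review bot: the new build step runs `$(MAKE) -C $(@D) zstd` (a target of the top-level Makefile) while the matching install step runs `-C $(@D)/programs install`; building from `$(@D)/programs` as well keeps the two steps symmetric with the lib/lib pair above them and does not depend on the top-level target name staying stable across zstd releases. It is also worth checking what the `programs` install target puts into $(HOST_DIR)/usr beyond the single `zstd` binary and saying so in the commit message.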
--
2.16.4
* [Buildroot] [PATCH 3/5] host zstd: additionally build binary and make selectable
From: Thomas Petazzoni @ 2018-07-04 20:00 UTC
To: buildroot
Hello,
On Wed, 4 Jul 2018 09:07:37 +0200, Thomas De Schampheleire wrote:
> The zstd (de)compression tool may be used in post-image scripts to compress
> certain elements of the final image.
>
> In order to allow that, make host-zstd selectable in the 'Host utilities'
> menu, and build the binary in addition to the library.
>
> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> ---
> package/Config.in.host | 1 +
> package/zstd/Config.in.host | 8 ++++++++
> package/zstd/zstd.mk | 4 ++++
> 3 files changed, 13 insertions(+)
> create mode 100644 package/zstd/Config.in.host
I've tweaked a bit the commit title and applied.
Note that it could have been two separate commits, as the "and" in the
commit title suggests :-)
Thomas
--
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 4/5] dropbear: add option to disable CBC mode ciphers
From: Thomas De Schampheleire @ 2018-07-04 7:07 UTC
To: buildroot
CBC mode ciphers are considered insecure. Add an option to disable it.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
---
package/dropbear/Config.in | 7 +++++++
package/dropbear/dropbear.mk | 8 ++++++++
2 files changed, 15 insertions(+)
diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index 5d6b83b6d1..d92420ac81 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -35,6 +35,13 @@ config BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS
on systems without working DNS, as connections otherwise
stall until DNS times out.
+config BR2_PACKAGE_DROPBEAR_DISABLE_CBC
+ bool "disable CBC mode ciphers"
+ help
+ Cipher Block Chaining (CBC) may allow an attacker to recover
+ plaintext messages from the ciphertext. For higher security, it is
+ recommended to disable it (and thus enable this option).
+
config BR2_PACKAGE_DROPBEAR_SMALL
bool "optimize for size"
default y
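Review bot: the help line `+ plaintext messages from the ciphertext. For higher security, it is` is 66 characters before the help indentation is added, which exceeds the 72-column limit check-package enforces on Config.in help text; rewrap at a shorter width. The text could also state the trade-off: with CBC disabled, peers that offer only CBC ciphers can no longer negotiate a session, which is the intended outcome but worth telling the user who enables the option.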
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index bb902bc7ce..dc233aab53 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -71,6 +71,10 @@ define DROPBEAR_DISABLE_STANDALONE
echo '#define NON_INETD_MODE 0' >> $(@D)/localoptions.h
endef
+define DROPBEAR_DISABLE_CBC_CIPHERS
+ echo '#define DROPBEAR_ENABLE_CBC_MODE 0' >> $(@D)/localoptions.h
+endef
+
define DROPBEAR_INSTALL_INIT_SYSTEMD
$(INSTALL) -D -m 644 package/dropbear/dropbear.service \
$(TARGET_DIR)/usr/lib/systemd/system/dropbear.service
@@ -92,6 +96,10 @@ ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS),)
DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_ENABLE_REVERSE_DNS
endif
+ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_CBC),y)
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_CBC_CIPHERS
+endif
+
ifeq ($(BR2_PACKAGE_DROPBEAR_SMALL),y)
DROPBEAR_CONF_OPTS += --disable-zlib --enable-bundled-libtom
else
--
2.16.4
* [Buildroot] [PATCH 4/5] dropbear: add option to disable CBC mode ciphers
From: Baruch Siach @ 2018-07-04 7:30 UTC
To: buildroot
Hi Thomas,
On Wed, Jul 04, 2018 at 09:07:38AM +0200, Thomas De Schampheleire wrote:
> CBC mode ciphers are considered insecure. Add an option to disable it.
We have a patch from Stefan Sørensen to disable all weak algorithms by
default:
http://patchwork.ozlabs.org/patch/938595/
I prefer Stefan's patch over this and the next patch.
Stefan's patch doesn't deal with the MD5 HMAC as the next patch does. But I
find it highly unlikely that upstream would enable MD5 by default ever again.
Upstream commit 34ee32607598 adds this code in sysoptions.h:
/* might be needed for compatibility with very old implementations */
#ifndef DROPBEAR_MD5_HMAC
#define DROPBEAR_MD5_HMAC 0
#endif
default_options.h doesn't mention MD5 at all.
baruch
> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> ---
> package/dropbear/Config.in | 7 +++++++
> package/dropbear/dropbear.mk | 8 ++++++++
> 2 files changed, 15 insertions(+)
>
> diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
> index 5d6b83b6d1..d92420ac81 100644
> --- a/package/dropbear/Config.in
> +++ b/package/dropbear/Config.in
> @@ -35,6 +35,13 @@ config BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS
> on systems without working DNS, as connections otherwise
> stall until DNS times out.
>
> +config BR2_PACKAGE_DROPBEAR_DISABLE_CBC
> + bool "disable CBC mode ciphers"
> + help
> + Cipher Block Chaining (CBC) may allow an attacker to recover
> + plaintext messages from the ciphertext. For higher security, it is
> + recommended to disable it (and thus enable this option).
> +
> config BR2_PACKAGE_DROPBEAR_SMALL
> bool "optimize for size"
> default y
> diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
> index bb902bc7ce..dc233aab53 100644
> --- a/package/dropbear/dropbear.mk
> +++ b/package/dropbear/dropbear.mk
> @@ -71,6 +71,10 @@ define DROPBEAR_DISABLE_STANDALONE
> echo '#define NON_INETD_MODE 0' >> $(@D)/localoptions.h
> endef
>
> +define DROPBEAR_DISABLE_CBC_CIPHERS
> + echo '#define DROPBEAR_ENABLE_CBC_MODE 0' >> $(@D)/localoptions.h
> +endef
> +
> define DROPBEAR_INSTALL_INIT_SYSTEMD
> $(INSTALL) -D -m 644 package/dropbear/dropbear.service \
> $(TARGET_DIR)/usr/lib/systemd/system/dropbear.service
> @@ -92,6 +96,10 @@ ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_REVERSEDNS),)
> DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_ENABLE_REVERSE_DNS
> endif
>
> +ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_CBC),y)
> +DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_CBC_CIPHERS
> +endif
> +
> ifeq ($(BR2_PACKAGE_DROPBEAR_SMALL),y)
> DROPBEAR_CONF_OPTS += --disable-zlib --enable-bundled-libtom
> else
> --
> 2.16.4
>
--
http://baruch.siach.name/blog/ ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch at tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il -
* [Buildroot] [PATCH 4/5] dropbear: add option to disable CBC mode ciphers
From: Thomas De Schampheleire @ 2018-07-04 8:47 UTC
To: buildroot
Hi Baruch,
On Wed, Jul 04, 2018 at 10:30:58AM +0300, Baruch Siach wrote:
> Hi Thomas,
>
> On Wed, Jul 04, 2018 at 09:07:38AM +0200, Thomas De Schampheleire wrote:
> > CBC mode ciphers are considered insecure. Add an option to disable it.
>
> We have a patch from Stefan Sørensen to disable all weak algorithms by
> default:
>
> http://patchwork.ozlabs.org/patch/938595/
>
> I prefer Stefan's patch over this and the next patch.
>
> Stefan's patch doesn't deal with the MD5 HMAC as the next patch does. But I
> find it highly unlikely that upstream would enable MD5 by default ever again.
> Upstream commit 34ee32607598 adds this code in sysoptions.h:
>
> /* might be needed for compatibility with very old implementations */
> #ifndef DROPBEAR_MD5_HMAC
> #define DROPBEAR_MD5_HMAC 0
> #endif
>
> default_options.h doesn't mention MD5 at all.
Thanks for this info. I'm perfectly fine with Stefan's patch instead of these
two.
/Thomas
* [Buildroot] [PATCH 4/5] dropbear: add option to disable CBC mode ciphers
From: Thomas Petazzoni @ 2018-07-04 19:44 UTC
To: buildroot
Hello,
On Wed, 4 Jul 2018 09:07:38 +0200, Thomas De Schampheleire wrote:
> CBC mode ciphers are considered insecure. Add an option to disable it.
>
> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Following the discussion with Baruch, I have marked this patch and
PATCH 5/5 as Rejected in patchwork.
Thanks,
Thomas
--
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 5/5] dropbear: add option to disable weak HMAC algorithms
From: Thomas De Schampheleire @ 2018-07-04 7:07 UTC
To: buildroot
sha1-96 and md5 HMAC algorithms are considered insecure.
Add an option to disable them.
Note that the md5 HMAC algorithm seems to be disabled by default in current
dropbear, but the upstream commit in which that was done
(750ec4ec4cbed4cf5e2f3c7b9de95c90d9ebd68d - "Convert #ifdef to #if, other
build changes") does not explicitly state this change as a goal. To make
sure it is not reverted in the future, explicitly disable the algorithm.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
---
package/dropbear/Config.in | 7 +++++++
package/dropbear/dropbear.mk | 9 +++++++++
2 files changed, 16 insertions(+)
diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index d92420ac81..bb7d914c06 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -42,6 +42,13 @@ config BR2_PACKAGE_DROPBEAR_DISABLE_CBC
plaintext messages from the ciphertext. For higher security, it is
recommended to disable it (and thus enable this option).
+config BR2_PACKAGE_DROPBEAR_DISABLE_WEAK_HMAC
+ bool "disable weak HMAC algorithms"
+ help
+ Disable support for following weak HMAC algorithms:
+ - sha1-96 HMAC
+ - md5 HMAC
+
config BR2_PACKAGE_DROPBEAR_SMALL
bool "optimize for size"
default y
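Review bot: `+ Disable support for following weak HMAC algorithms:` is missing an article ("for the following"). Since the commit message explains that md5 HMAC is already off by default upstream and is pinned here so a later default change cannot re-enable it, a sentence to that effect in the help text would tell users why the option is still worth selecting.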
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index dc233aab53..17e937444f 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -75,6 +75,11 @@ define DROPBEAR_DISABLE_CBC_CIPHERS
echo '#define DROPBEAR_ENABLE_CBC_MODE 0' >> $(@D)/localoptions.h
endef
+define DROPBEAR_DISABLE_WEAK_HMAC_ALGORITHMS
+ echo '#define DROPBEAR_SHA1_96_HMAC 0' >> $(@D)/localoptions.h
+ echo '#define DROPBEAR_MD5_HMAC 0' >> $(@D)/localoptions.h
+endef
+
define DROPBEAR_INSTALL_INIT_SYSTEMD
$(INSTALL) -D -m 644 package/dropbear/dropbear.service \
$(TARGET_DIR)/usr/lib/systemd/system/dropbear.service
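Review bot: writing `#define DROPBEAR_SHA1_96_HMAC 0` and `#define DROPBEAR_MD5_HMAC 0` into localoptions.h only disables the algorithms for dropbear versions that test these macros with `#if`, i.e. from the "Convert #ifdef to #if" commit named in the commit message onwards; with an older `#ifdef`-based dropbear, defining the macro at all would switch the algorithm on, the opposite of what the option promises. The commit message should state that the packaged dropbear version is at or past that conversion, so that a future downgrade or backport does not silently invert the option.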
@@ -100,6 +105,10 @@ ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_CBC),y)
DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_CBC_CIPHERS
endif
+ifeq ($(BR2_PACKAGE_DROPBEAR_DISABLE_WEAK_HMAC),y)
+DROPBEAR_POST_EXTRACT_HOOKS += DROPBEAR_DISABLE_WEAK_HMAC_ALGORITHMS
+endif
+
ifeq ($(BR2_PACKAGE_DROPBEAR_SMALL),y)
DROPBEAR_CONF_OPTS += --disable-zlib --enable-bundled-libtom
else
--
2.16.4