Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
Since more processes depend on good randomness, we need to
make sure that the kernel's PRNG is initialized as early as
possible.
For systems without a HWRNG, we will need to fall back to our
noisy loop and wait until we have enough randomness.
This patch also removes saving and restoring the seed. This
is no longer useful because the kernel's PRNG only takes any
input after it has successfully been seeded from other sources.
Hence adding this seed does not increase its randomness.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
We should initialise the kernel's PRNG as early as we can.
Starting rngd very early will seed the random number generator
when RDRAND or other hardware random number generators are available.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
When using a swap file, it is not being activated correctly
when the filesystem it is residing on is not mounted, yet.
The root file system is mounted read-only here before
S40mountfs is being executed.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The cgi support only rfcomm modem dialup. This is not used by modern hardware.
Also the used bluez stack version is outdated long time.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This daemon needs to be launched in order to use LVM
devices in IPFire.
It will run on all installations after this patch has been
merged but only consumes very little memory.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
this remove a bunch of unbound errors at shutdown because
network down try to reconfigure unbond. (e.g. disable forwarders)
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
SMT can be forced on.
By default, all systems that are vulnerable to RIDL/Fallout
will have SMT disabled by default.
Systems that are not vulnerable to that will keep SMT enabled.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The helper script will be automatically called when the red interface gets up
and will re-generate the HOME_NET file, to take care if the IP-address of this
interface has changed.
Fixes#11989
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This is useful when the user-data script is installing
packages. For that it will need valid keys for course.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is done at boot time and doesn't normally need to be done again.
On AWS or in the setup, renaming any network interfaces is being
handled automatically.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
the script wait until crng is correct initialized before restore the
random seed and make some disc io to work around low entropy at boot
on some machines. Not really a fix but it should be better than reverting
CVE-2018-1108 fixes from kernel.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This didn't build and run in ages and has been removed from
the repositories quite a while ago.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The build environment is using a number of variables which
occasionally conflicted with some other build systems.
This patch cleans that up by renaming some variables and
later unexporting them in the lfs files.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Till now all init scripts going into src/initscripts/init.d so they are
installed by the lfs file initscripts. Because of that they also appear
in the rootfile of the "package" initscripts.
This has some disadvantages:
- the initscripts of the packages appear in the 3 rootfiles (one for
each arch) which are annoying because for every package with an
initscript 4 rootfiles (the 3 of the initscript package + the rootfile
of the package) are important.
- The rootfiles for a package are installed by lfs/initscripts but this
should happen only in the build of the package
To solve this issues all rootfiles for the core system are moved into
src/initscripts/init.d/common. Only the initscript in this directory are
installed by lfs/initscripts. So all initscripts for packages are
located in src/initscripts/init.d and are not installed by
lfs/initscripts.
So only the initscripts of the system appear in the 3 rootfiles of the
initscripts package. The initscript of a package appear only in the
rootfile of the package. This makes the maintaining of initscript
easier.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
the file update the bootdevice to uuid in fstab and grub1 config.
this is not needed since we use uuid at default and grub2
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Ramdisks are very limited in space and as new graphs
are generated for OpenVPN N2N connections, etc. more
space is necessary.
This patch will enable ramdisks for all systems with more
than 490M of memory and allows the user to force using
a ramdisk on systems with less memory.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Acked-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Instead of creating a copy of the configuration values and
for better extensibility, we will have udev execute a script
that parses /var/ipfire/ethernet/settings and will return the
correct name of the corresponding device (green0, blue0, ...).
