webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-10 11:05:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
c2058ff641deb106fae99ff53ca2c4f36b87f665
bpfire/lfs/Config
Peter Müller 9a7e4d8506 Switch checksums from MD5 to BLAKE2 
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.

While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.

Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.

In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
2022-04-02 14:19:25 +00:00

445 lines
14 KiB
Plaintext
Raw Blame History

###############################################################################
# LFSMake #
# by Rod Roark <rod@sunsetsystems.com> #
# #
# Copyright (C) 2002 Rod Roark #
# #
# See http://www.lfsmake.org/ for the most current standard version. #
# #
# These Makefiles are made available under the terms of the Artistic License, #
# found at http://www.opensource.org/licenses/artistic-license.html. #
###############################################################################
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
# Cleanup environment from any variables
unexport BUILD_ARCH BUILD_PLATFORM BUILDTARGET CROSSTARGET TOOLCHAIN TOOLS_DIR
unexport XZ_OPT
# Basic Variables
EMPTY :=
COMMA := ,
SPACE := $(EMPTY) $(EMPTY)
define NEWLINE
endef
# Basic Functions
join-with = $(subst $(SPACE),$(1),$(strip $(2)))
PARALLELISM = $(shell echo $$( \
if [ -n "$(MAX_PARALLELISM)" ] && [ $(MAX_PARALLELISM) -lt 1 ]; then \
echo 1 ; \
elif [ -n "$(MAX_PARALLELISM)" ] && [ $(MAX_PARALLELISM) -lt $(DEFAULT_PARALLELISM) ]; then \
echo $(MAX_PARALLELISM); \
else \
echo $(DEFAULT_PARALLELISM); \
fi) \
)
MAKETUNING = -j$(PARALLELISM)
ifeq "$(BUILD_ARCH)" "aarch64"
IS_64BIT = 1
endif
ifeq "$(BUILD_ARCH)" "armv7hl"
IS_32BIT = 1
endif
ifeq "$(BUILD_ARCH)" "armv6l"
IS_32BIT = 1
endif
ifeq "$(BUILD_ARCH)" "x86_64"
IS_64BIT = 1
endif
ifeq "$(BUILD_ARCH)" "riscv64"
IS_64BIT = 1
endif
ifeq "$(TOOLCHAIN)" "1"
PREFIX = $(TOOLS_DIR)
else
PREFIX = /usr
endif
# Permit building with 32 bit time_t on 32 bit architectures
ifeq "$(IS_32BIT)" "1"
export TIME_T_32_BIT_OK = yes
endif
TAR_OPTIONS = \
--format=pax \
--acls \
--xattrs --xattrs-include='*'
ZSTD_OPTIONS = \
-T$(PARALLELISM) \
-19 \
--long
# URLs that are common sources of downloads. If you're having trouble with
# a site you should change its URL to that of a suitable mirror site.
#
URL_IPFIRE = https://source.ipfire.org/source-2.x
URL_TOOLCHAIN = https://source.ipfire.org/toolchains
URL_SOURCE = git.ipfire.org:/pub/sources/source-2.x
# Don't change this; it will be overridden by other makefiles where necessary.
#
ROOT =
# For most packages tarballs are unpacked here and then deleted after
# installation.
#
DIR_SRC = $(ROOT)/usr/src
# Files are downloaded into DIR_TMP and then moved to DIR_DL, to avoid
# messes with partially retrieved files. DIR_DL is where we will
# save all the files that are downloaded. DIR_INFO contains the
# file lists of installed packages.
#
DIR_DL = $(LFS_BASEDIR)/cache
DIR_CHK = $(LFS_BASEDIR)/cache/check
DIR_CONF = $(LFS_BASEDIR)/config
DIR_INFO = $(LFS_BASEDIR)/log
DIR_TMP = /tmp
DIR_TMP_PAK = $(DIR_TMP)/package-$(PROG)
# Add the compiler location and version and specs to the ccache hash
CCACHE_COMPILERCHECK += $(shell gcc -dumpspecs 2>/dev/null | md5sum | cut -d ' ' -f1)
# We support EFI on x86_64 and aarch64
ifeq "$(BUILD_ARCH)" "x86_64"
EFI = 1
EFI_ARCH = x64
GRUB_ARCH = $(BUILD_ARCH)
endif
ifeq "$(BUILD_ARCH)" "aarch64"
EFI = 1
EFI_ARCH = aa64
GRUB_ARCH = arm64
endif
# Go
export GOARCH
export GOOS = linux
export GOPATH = $(HOME)/gopath
ifeq "$(BUILD_ARCH)" "x86_64"
GOARCH = amd64
endif
ifeq "$(BUILD_ARCH)" "aarch64"
GOARCH = arm64
endif
# Rust
ifeq "$(BUILD_ARCH)" "riscv64"
RUST_ARCH = riscv64gc
else
RUST_ARCH = $(BUILD_ARCH)
endif
ifeq "$(BUILD_ARCH)" "armv6l"
RUST_PLATFORM = arm-unknown-linux-gnueabi
else
RUST_PLATFORM = $(RUST_ARCH)-unknown-linux-gnu
endif
CARGO_PATH = $(DIR_APP)/.cargo
CARGO_REGISTRY = /usr/share/cargo/registry
CRATE_NAME = $(patsubst rust-%,%,$(firstword $(MAKEFILE_LIST)))
CRATE_VER = $(VER)
CRATE_PATH = $(CARGO_REGISTRY)/$(CRATE_NAME)-$(CRATE_VER)
define CARGO_CONFIG
[build]
rustflags = [$(call join-with,$(COMMA)$(SPACE),$(foreach flag,$(RUSTFLAGS),"$(flag)"))]
[env]
CFLAGS = "$(CFLAGS)"
CXXFLAGS = "$(CXXFLAGS)"
LDFLAGS = "$(LDFLAGS)"
[term]
verbose = true
[source]
[source.local-registry]
directory = "$(CARGO_REGISTRY)"
[source.crates-io]
registry = "https://crates.io"
replace-with = "local-registry"
endef
export CARGO_CONFIG
# Set to false if you want to skip the binary install step
CARGO_HAS_BIN = true
CARGO = \
CARGOPATH=$(CARGO_PATH) \
RUSTC_BOOTSTRAP=1 \
cargo \
--offline
CARGO_OPTIONS = \
-Z avoid-dev-deps
# Cargo dealocks on riscv64 when building on multiple cores at the same time
ifeq "$(BUILD_ARCH)" "riscv64"
CARGO_OPTIONS += -j1
else
CARGO_OPTIONS += $(MAKETUNING)
endif
define CARGO_PREPARE
mkdir -p $(CARGO_PATH) && \
echo "$${CARGO_CONFIG}" > $(CARGO_PATH)/config && \
rm -f Cargo.lock
endef
CARGO_BUILD = \
$(CARGO) \
build \
--release \
$(CARGO_OPTIONS)
# Checks whether this crate has a right taregt
CARGO_TARGET_CHECK = $(CARGO) metadata --format-version 1 --no-deps | \
jq -e ".packages[].targets[].kind | any(. == \"$(1)\")" | grep -q "true"
define CARGO_INSTALL
mkdir -pv "$(CRATE_PATH)" && \
if $(call CARGO_TARGET_CHECK,lib) || $(call CARGO_TARGET_CHECK,rlib) || $(call CARGO_TARGET_CHECK,proc-macro); then \
awk \
'/^\\\[((.+\\\.)?((dev|build)-)?dependencies|features)/{f=1;next} /^\\\[/{f=0}; !f' \
< Cargo.toml > Cargo.toml.deps && \
$(CARGO) package -l | grep -wEv "Cargo.(lock|toml.orig)" \
| xargs -d "\n" cp -v --parents -a -t $(CRATE_PATH) && \
install -v -m 644 Cargo.toml.deps $(CRATE_PATH)/Cargo.toml && \
echo "{\"files\":{},\"package\":\"\"}" > $(CRATE_PATH)/.cargo-checksum.json; \
fi && \
if $(CARGO_HAS_BIN) && $(call CARGO_TARGET_CHECK,bin); then \
$(CARGO) install $(CARGO_OPTIONS) --no-track --path .; \
fi
endef
###############################################################################
# Common Macro Definitions
###############################################################################
# For each package we create a list of files that it installed under
# log/<TARGET> name. Modified files are not identified
#
define FIND_FILES
cd $(ROOT)/ && find -mount \
\( -path '.$(TOOLS_DIR)' -or -path './tmp' -or -path './usr/src' \
-or -path './run' -or -path './dev' -or -path './proc' \
-or -path './install' -or -path '.*/__pycache__' \) -prune -or -print | sort
endef
# This is common starting logic for builds.
#
ifeq "$(ROOT)" ""
define PREBUILD
echo "====================================== Installing $(THISAPP) ..."
@echo "Install started; saving file list to $(DIR_SRC)/lsalr ..."
@if [ ! -f $(DIR_SRC)/lsalr ]; then $(FIND_FILES) > $(DIR_SRC)/lsalr; fi
# Fix installation on partial rebuild, so modules install where they should
# and not everytime on the last compiled kernel
if [ -f $(DIR_SRC)/linux-$(KVER) ]; then \
cd $(DIR_SRC)/linux-$(KVER) && \
sed -i -e 's+^EXTRAVERSION.*$$+EXTRAVERSION\ =\ $(word 4,$(subst ., .,$(KVER)))-ipfire$(KCFG)+' Makefile; \
fi
endef
else
define PREBUILD
echo "====================================== Installing $(THISAPP) ..."
endef
endif
# Common end-of-installation logic for Stage 2 and beyond.
#
ifeq "$(ROOT)" ""
define POSTBUILD
@echo "Updating linker cache..."
@type -p ldconfig >/dev/null && ldconfig || :
@echo "Install done; saving file list to $(TARGET) ..."
@rm -rf $(GOPATH) /root/.cargo
@$(FIND_FILES) > $(DIR_SRC)/lsalrnew
@diff $(DIR_SRC)/lsalr $(DIR_SRC)/lsalrnew | grep '^> ' | sed 's/^> //' > $(TARGET)_diff
@cp -f $(DIR_SRC)/lsalrnew $(DIR_SRC)/lsalr
@rm -f $(DIR_SRC)/lsalrnew
sed -i -e 's+.\/++' $(TARGET)_diff
# compare roofile ( same name as lfs script) with the list of installed files
# special cases
# - if the corresponding rootfile is not found, touch $(TARGET)_missing_rootfile
# - on a partial rebuild without a new file inside TARGET_diff, just touch TARGET
# $(TARGET)_diff : result of the diff
# ROOTFILE : reference of include/exclude files
# $(TARGET)_rootfile : ROOTFILE with KVER replacement
# $(TARGET) : log result with {commented|include|added} files
if [ -s "$(TARGET)_diff" ]; then \
LFS_SCRIPT=$(firstword $(MAKEFILE_LIST))$(KCFG); \
echo $(LFS_SCRIPT); \
ROOTFILE=$$(find -L $(DIR_SRC)/config/rootfiles/{common,packages}/{$(BUILD_ARCH),} -maxdepth 1 -type f -name $$LFS_SCRIPT 2>/dev/null | head -1); \
if [ "$$ROOTFILE" = "" ]; then \
touch $(TARGET)_missing_rootfile; \
ROOTFILE=$(TARGET)_missing_rootfile ; \
echo "error $$LFS_SCRIPT not found in config/rootfiles"; \
fi; \
sed -e "s/BUILDTARGET/$(BUILDTARGET)/g" -e "s/KVER/$(KVER)/g" -e "s/xxxMACHINExxx/$(BUILD_ARCH)/g" $$ROOTFILE > $(TARGET)_rootfile; \
for line in `cat $(TARGET)_diff`; do \
if grep -qG "^#$$line$$" $(TARGET)_rootfile; then echo "#$$line" >> $(TARGET); \
elif grep -qG "^$$line$$" $(TARGET)_rootfile ; then echo "$$line" >> $(TARGET); \
else echo "+$$line" >> $(TARGET); \
fi; \
done; \
for line in `grep -v "^#" $(TARGET)_rootfile`; do \
if ! grep -qG "^$$line$$" $(TARGET)_diff ; then echo "-$$line" >> $(TARGET); \
fi; \
done; \
rm -f $(TARGET)_rootfile; \
else \
touch $(TARGET); \
fi
@rm -f $(TARGET)_diff
endef
else
define POSTBUILD
@echo "===================================== Install done for $(THISAPP)."
touch $(TARGET)
endef
endif
define CHECK
@echo -e "$(MESSAGE)Check: $($(notdir $@))"
wget -T 120 -t 1 --spider -nv -U "IPFireSourceGrabber/2.x" $($(notdir $@)) -O /dev/null
@touch $(DIR_CHK)/$(notdir $@)
endef
define LOAD
@echo -e "$(MESSAGE)Download: $($(notdir $@))"
wget -T 60 -t 1 -nv -U "IPFireSourceGrabber/2.x" $($(notdir $@)) -O $(DIR_TMP)/$(notdir $@)
[ "$($(notdir $@)_BLAKE2)" = "$(firstword $(shell b2sum $(DIR_TMP)/$(notdir $@))" ] # detect page not found answer
mv $(DIR_TMP)/$(notdir $@) $(DIR_DL)
endef
define B2SUM
# error mean file signature don't match the one in lfs script
[ "$($@_BLAKE2)" = "$(firstword $(shell b2sum $(DIR_DL)/$@))" ] && echo "$@ checksum OK"
endef
define PAK
# Bringing the files to their right place.
@rm -rf $(DIR_TMP_PAK) && mkdir -p $(DIR_TMP_PAK)
if [ -e "/usr/src/src/paks/$(PROG)" ]; then \
cp -f /usr/src/src/paks/$(PROG)/{,un}install.sh /usr/src/src/paks/$(PROG)/update.sh \
$(DIR_TMP_PAK); \
else \
cp -f /usr/src/src/paks/default/{,un}install.sh /usr/src/src/paks/default/update.sh \
$(DIR_TMP_PAK); \
fi
for i in $(DIR_SRC)/config/rootfiles/packages/{$(BUILD_ARCH),}/$(PROG); do \
if [ -e "$${i}" ]; then \
cp -v $${i} $(DIR_TMP_PAK)/ROOTFILES; \
break; \
fi; \
done
# Replace variables in rootfiles
sed -i $(DIR_TMP_PAK)/ROOTFILES \
-e 's/BUILDTARGET/$(BUILDTARGET)/g' \
-e 's/KVER/$(KVER)/g' \
-e 's/xxxMACHINExxx/$(BUILD_ARCH)/g'
# Replace variables in scripts
sed -i $(DIR_TMP_PAK)/install.sh \
-e 's/xxxKVERxxx/$(KVER)/g'
# Make scripts executable
chmod 754 $(DIR_TMP_PAK)/{{,un}install,update}.sh
# Collect all files
rm -rf $(DIR_TMP_PAK)/root && mkdir -p $(DIR_TMP_PAK)/root
tar -c --exclude='#*' --exclude='proc/*' --exclude='dev/pts/*' --exclude='tmp/*' \
--exclude='__pycache__' \
-C / --files-from=$(DIR_TMP_PAK)/ROOTFILES | tar -x -C $(DIR_TMP_PAK)/root; \
exit $${PIPESTATUS[0]}
# Compress tarball
cd $(DIR_TMP_PAK)/root && tar cf - * | xz $(XZ_OPT) > $(DIR_TMP_PAK)/files.tar.xz
# Cleanup temporary files
rm -rf $(DIR_TMP_PAK)/root
# Remove any commented lines
sed -i $(DIR_TMP_PAK)/ROOTFILES -e "/^#/d"
# Make package
cd $(DIR_TMP_PAK) && tar cf /install/packages/$(PROG)-$(VER)-$(PAK_VER).ipfire *
# Cleanup
rm -rf $(DIR_TMP_PAK)
# Escape SUMMARY variable and create meta file
summaryEscaped=$$(sed 's/[&/\]/\\&/g' <<< "$(SUMMARY)"); \
sed \
-e "s/NAME/$(PROG)/g" \
-e "s/SUMMARY/$$summaryEscaped/g" \
-e "s/VER/$(VER)/g" \
-e "s/RELEASE/$(PAK_VER)/g" \
-e "s/DEPS/$(DEPS)/g" \
-e "s/SIZE/$$(stat --format=%s /install/packages/$(PROG)-$(VER)-$(PAK_VER).ipfire)/g" \
-e "s/SERVICES/$(SERVICES)/g" \
< /usr/src/src/pakfire/meta > /install/packages/meta-$(PROG)
endef
define INSTALL_INITSCRIPT
install -m 754 -v $(DIR_SRC)/src/initscripts/packages/$(1) /etc/rc.d/init.d/$(1)
endef
define INSTALL_INITSCRIPTS
for initscript in $(1); do \
$(call INSTALL_INITSCRIPT,$$initscript) || exit 1; \
done
endef
ifeq "$(BUILD_ARCH)" "$(filter $(BUILD_ARCH),aarch64 riscv64)"
define UPDATE_AUTOMAKE
for i in $$(find $(DIR_APP) -name config.guess -o -name config.sub); do \
cp -vf /usr/share/automake*/$$(basename $${i}) $${i} || \
cp -vf $(TOOLS_DIR)/share/automake*/$$(basename $${i}) $${i}; \
done
endef
endif
test:
$(call INSTALL_INITSCRIPT,hostapd)
Reference in New Issue View Git Blame Copy Permalink