<biboc>
Hi, could you show me in the src code where/when procd launch /sbin/askfirst /bin/ash --login? And how does it choose which serial port to use? Thanks
<Ansuel>
biboc the serial port should be the one declared in the dts
<Ansuel>
rmilecki it was just a theory... agree that it's strange providing ethtool as a default package for the target
<biboc>
Ansuel And if I want to change the serial port without changing the dts? Can I pass as argument tty to askfirst?
<Ansuel>
biboc think you will have to implement that... (I assume it's not supported)
<biboc>
Ansuel Ok thanks, but if I comment askconsole in inittab, it should not start askfirst? Or is it launched somewhere else? Can I enable/disable the launch of askfirst?
<rmilecki>
blogic: why do we have ethtool in DEFAULT_PACKAGES, see 2b88563ee5aa ("realtek: update the tree to the latest refactored version") ?
<biboc>
Ansuel seems to work by commenting/uncommenting askconsole, at reboot, askfirst is not launched
<Ansuel>
biboc curious any reason why you need that?
<biboc>
I would like to disable the console by default and when needed, enable it by sending a message over HTTP
<ynezz>
biboc: then look at /usr/libexec/login.sh
<ynezz>
you can control that behavior with uci and system.ttylogin variable
<lblyth>
hello, I am working on building an image for the clearfog GT-8K, it uses a marvel switch chip, and DSA. According to the device tree file the "cpu" ethernet port is eth2. When I build the image openwrt assigns eth0 as the cpu port. Can someone point me in the right direction to modify this default? I have tried to modify target/linux/mvebu/cortexa72/base-files/etc/board.d/02_network by setting ucidef_set_interface_lan
<lblyth>
"eth2" but that didn't work.
<lblyth>
or I did it wrong
<biboc>
I see, askconsole tries to read console in /proc/cmdline or /dev/console and runs over the configured serial. It can't be run without one of these configs, and these configs can't be changed at runtime?
<biboc>
ynezz
<ynezz>
AFAIK it's possible to change DT in runtime using DT overlays
<ynezz>
I'm not sure if you can change console that way
<ynezz>
ttyS0::askfirst:/usr/libexec/login.sh doesn't work for you?
<ynezz>
replace that ttyS0 with the serial port of your choice
<biboc>
ynezz I'll try
<biboc>
thanks
<lblyth>
tmn505, thank you. I will take a look. I hadn't seen this attempted PR before
<biboc>
ynezz I think I understand why ttylogin does not work. The firmware is 19.7.2 but (because of multiple upgrade) /etc/inittab contains ::askconsole:/bin/ash --login instead of ::askconsole:/usr/libexec/login.sh and ::askconsole:/bin/ash --login does not ask for login (in my firmware)
<biboc>
ynezz who's printing "Press the [f] key and hit [enter] to enter failsafe mode" on kernel console?
<Ansuel>
biboc (consider that it is printed before rootfs mounting so any change will be ignored)
<biboc>
ynezz Ansuel thanks. If I comment ::askconsole: in inittab, and I enter failsafe mode, can you confirm that the user can't access the serial console?
<Ansuel>
mhhhhh i think it will since failsafe won't mount rootfs so it will use the image without any modification
<Ansuel>
aka you have to compile your own image for this kind of tweak
<biboc>
I compile my own image but for security reasons, I don't want anyone who accesses the router to be able to use serial
<biboc>
So the easy way I found was to set console=null in dts so no console at all but for development purpose, it is better to have console :)
<Ansuel>
ok then just mod your base-files and you are safe :D
<biboc>
ok, yes, easy, I'll patch to remove 30_failsafe_wait :)
<Ansuel>
thing is that failsafe is a recovery procedure... wonder if a better approach would be adding a specific private key or something like that
<Ansuel>
i mean i assume your problem is that someone can have access to your system by using the failsafe thing... but you can keep both things by using a private key to login
<Borromini>
hardcode an SSH key in the failsafe?
<Ansuel>
ok i'm stupid serial would bypass any type of login anyway...
<f00b4r0>
well when you have physical access to a device, you're already pretty badly compromised anyway ;P
<Borromini>
:P
<Ansuel>
f00b4r0 you can follow the oem way disable serial disable bootloader access and encrypt partition :D have fun
<f00b4r0>
Ansuel: you sound like Mikrotik already :D
<neggles>
Ansuel: it wouldn't be too hard to make failsafe prompt for a password :P
<dwfreed>
neggles: what if overlay isn't mountable?
<neggles>
dwfreed: you'd have to bake the changes into the kernel/initramfs
<biboc>
Security is based on security layers, the more layers you add, the more security you have
<neggles>
it depends on what your goal is - if it's "stop a mischievous user from shooting themselves in the foot" then a password or u-boot env var check baked into the initramfs is probably fine
<neggles>
if you want to prevent them from being able to get access under any circumstances, well, first of all, fuuuuuuuuuuuck you! and second, you are practically guaranteed to fail unless you're willing to go Full Cisco
<neggles>
nothing keeps neggles out forever.
<f00b4r0>
;)
<neggles>
in related news i have broken into both halves of the fastmile, not that they made it very hard
<neggles>
didn't even program the secure boot key into the efuses... left root adb shell on the android wide open...
<neggles>
broadcom router side's web interface is just absolutely loaded with arbitrary root code execution exploits
<neggles>
it also has a GUI running...
<neggles>
i hope they tried a little harder on the 2nd gen
<dwfreed>
you know they didn't
<Ansuel>
neggles currently the top notch security i encounter is technicolor firmware signed with the key stored in the broadcom trustzone
<Ansuel>
never managed to hack their bootloader to load a custom firmware...
<Ansuel>
(they have all sorts of stuff like specially crafted packets to enter a factory mode and do all sorts of recovery things)
<nlowe>
Because of this poor/nonexistent entropy, it takes ~90-120 seconds for the kernel to initialize crng, and this causes many issues with services that depend on proper entropy (cryptmounts, ssh, etc.)
<nlowe>
# dmesg | grep -i crng
<nlowe>
[ 0.159387] random: get_random_u64 called from __kmem_cache_create+0x3e/0x520 with crng_init=0
<nlowe>
[ 103.325998] random: crng init done
<nlowe>
Not good!
<mangix>
nlowe: that is...strange
<mangix>
if using ath9k cards, those could also be used as an rng source
<nlowe>
So if you only have CCP, then you get all bits high - FFFFFFF etc
<nlowe>
Which is shit
<mangix>
that meltdown/spectre thing is also weird. I would think newer microcode would fix that.
<nlowe>
It's not built in to the firmware that pcengines/3mdeb ship because AMD won't officially supply the firmware
<nlowe>
*supply the microcode
<nlowe>
So you have to build it in yourself, which is also crap
<nlowe>
But, the reality is - for what openwrt does, it's of less interest - if somebody is in the position this is a concern, you already have bigger problems
<nlowe>
I see the hwrng being broken in older BIOSes as being a bigger issue
<mangix>
I see they used seabios
<mangix>
wonder why not some uefi thing
<mrnuke>
because uefi is garbage