turris omnia: upgrade to mainline 6.7.4 kernel

On this device we don't need the openwrt kernel or patches. The newer kernel also fixes the weird one minute pause at boot when it was doing something with either mmc or switch.
use regular kernel not backports for mac80211
2024-02-12 20:43:01 +00:00 · 2024-02-12 20:41:10 +00:00 · 2024-02-12 14:56:12 +00:00 · 2024-02-12 13:56:56 +00:00 · 2024-02-11 23:47:11 +00:00 · 2024-02-11 23:32:46 +00:00
17 changed files with 182 additions and 151 deletions
--- a/devices/belkin-rt3200/default.nix
+++ b/devices/belkin-rt3200/default.nix
@ -149,6 +149,13 @@
        WATCHDOG = "y";
        MEDIATEK_WATCHDOG = "y";
      };
+      conditionalConfig = {
+        WLAN= {
+          MT7615E = "m";
+          MT7622_WMAC = "y";
+          MT7915E = "m";
+        };
+      };
    };
    boot = {
      commandLine = [ "console=ttyS0,115200" ];
@ -169,12 +176,9 @@
    hardware =
      let
        openwrt = pkgs.openwrt;
-        mac80211 =  pkgs.mac80211.override {
-          drivers = [
-            "mt7615e"
-            "mt7915e"
-          ];
-          klibBuild = config.system.outputs.kernel.modulesupport;
+        mac80211 =  pkgs.kmodloader.override {
+          targets = ["mt7615e" "mt7915e"];
+          inherit (config.system.outputs) kernel;
        };
      in {
        ubi = {
--- a/devices/gl-ar750/default.nix
+++ b/devices/gl-ar750/default.nix
@ -71,9 +71,9 @@
          cp $blobdir/board.bin  $out/ath10k/QCA9887/hw1.0/
        '';
      };
-      mac80211 = pkgs.mac80211.override {
-        drivers = ["ath9k" "ath10k_pci"];
-        klibBuild = config.system.outputs.kernel.modulesupport;
+      mac80211 = pkgs.kmodloader.override {
+        targets = ["ath9k" "ath10k_pci"];
+        inherit (config.system.outputs) kernel;
      };
      ath10k_cal_data =
        let
@ -211,14 +211,21 @@
          WATCHDOG = "y";
          ATH79_WDT = "y";  # watchdog timer

-          # this is all copied from nixwrt ath79 config. Clearly not all
-          # of it is device config, some of it is wifi config or
-          # installation method config or ...
-
          EARLY_PRINTK = "y";

          PRINTK_TIME = "y";
        };
+        conditionalConfig = {
+          WLAN = {
+            WLAN_VENDOR_ATH = "y";
+            ATH_COMMON = "m";
+            ATH9K = "m";
+            ATH9K_AHB = "y";
+            ATH10K = "m";
+            ATH10K_PCI = "y";
+            ATH10K_DEBUG = "y";
+          };
+        };
      };
    };
 }
--- a/devices/gl-mt300a/default.nix
+++ b/devices/gl-mt300a/default.nix
@ -47,9 +47,9 @@
    let
      inherit (pkgs.liminix.networking) interface;
      inherit (pkgs) openwrt;
-      mac80211 = pkgs.mac80211.override {
-        drivers = ["rt2800soc"];
-        klibBuild = config.system.outputs.kernel.modulesupport;
+      mac80211 = pkgs.kmodloader.override {
+        targets = ["rt2800soc"];
+        inherit (config.system.outputs) kernel;
      };
    in {
      imports = [
@ -178,6 +178,14 @@
        } // lib.optionalAttrs (config.system.service ? vlan) {
          SWCONFIG = "y";
        };
+        conditionalConfig = {
+          WLAN = {
+            WLAN_VENDOR_RALINK = "y";
+            RT2800SOC = "m";
+            RT2X00 = "m";
+          };
+        };
+
      };
    };
 }
--- a/devices/gl-mt300n-v2/default.nix
+++ b/devices/gl-mt300n-v2/default.nix
@ -43,9 +43,9 @@
      inherit (pkgs.pseudofile) dir symlink;
      inherit (pkgs) openwrt;

-      mac80211 = pkgs.mac80211.override {
-        drivers = ["mt7603e"];
-        klibBuild = config.system.outputs.kernel.modulesupport;
+      mac80211 = pkgs.kmodloader.override {
+        targets = ["mt7603e"];
+        inherit (config.system.outputs) kernel;
      };
      wlan_firmware = pkgs.fetchurl {
        url = "https://github.com/openwrt/mt76/raw/f24b56f935392ca1d35fae5fd6e56ef9deda4aad/firmware/mt7628_e2.bin";
@ -185,6 +185,15 @@
          RALINK_WDT = "y";  # watchdog
          MT7621_WDT = "y";  # or it might be this one
        };
+        conditionalConfig = {
+          WLAN = {
+            WLAN_VENDOR_RALINK = "y";
+            WLAN_VENDOR_MEDIATEK = "y";
+            MT7603E = "m";
+          };
+        };
+
      };
+
    };
 }
--- a/devices/tp-archer-ax23/default.nix
+++ b/devices/tp-archer-ax23/default.nix
@ -322,9 +322,14 @@
            ZSTD_COMPRESS="y";
            ZSTD_DECOMPRESS="y";
          } // lib.optionalAttrs (config.system.service ? watchdog) {
-          RALINK_WDT = "y";  # watchdog
-          MT7621_WDT = "y";  # or it might be this one
-        };
+            RALINK_WDT = "y";  # watchdog
+            MT7621_WDT = "y";  # or it might be this one
+          };
+          conditionalConfig = {
+            WLAN = {
+              MT7915E = "m";
+            };
+          };
        };
        tplink-safeloader.board = "ARCHER-AX23-V1";
        boot = {
@ -353,11 +358,11 @@
      hardware =
        let
          openwrt = pkgs.openwrt;
-          mac80211 =  pkgs.mac80211.override {
-            drivers = [
+          mac80211 =  pkgs.kmodloader.override {
+            targets = [
              "mt7915e"
            ];
-            klibBuild = config.system.outputs.kernel.modulesupport;
+            inherit (config.system.outputs) kernel;
          };
        in {
          # from OEM bootlog (openwrt wiki):
--- a/devices/turris-omnia/default.nix
+++ b/devices/turris-omnia/default.nix
@ -182,12 +182,10 @@
        kernel = {
          src = pkgs.pkgsBuildBuild.fetchurl {
            name = "linux.tar.gz";
-            url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
-            hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
+            url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.7.4.tar.gz";
+            hash = "sha256-wIrmL0BS63nRwWfm4nw+dRNVPUzGh9M4X7LaHzAn5tU=";
          };
-          extraPatchPhase = ''
-            ${pkgs.openwrt.applyPatches.mvebu}
-          '';
+          version = "6.7.4";
          config = {
            PCI = "y";
            OF = "y";
@ -203,6 +201,10 @@
            RTC_CLASS = "y";
            RTC_DRV_ARMADA38X = "y"; # this may be useful anyway?

+            EXPERT = "y";
+            ALLOW_DEV_COREDUMP = "n";
+
+
            # dts has a compatible for this but dmesg is not
            # showing it
            EEPROM_AT24 = "y"; # atmel,24c64
@ -213,9 +215,9 @@

            MACH_ARMADA_38X = "y";
            SMP = "y";
-	          # this is disabled for the moment because it relies on a GCC
-            # plugin that requires gmp.h to build, and I can't see right now
-            # how to confgure it to find gmp
+	          # this is disabled for the moment because it relies on a
+            # GCC plugin that requires gmp.h to build, and I can't see
+            # right now how to confgure it to find gmp
            STACKPROTECTOR_PER_TASK = "n";
            NR_CPUS = "4";
            VFP = "y";
@ -227,7 +229,7 @@
            PSTORE = "y";
            PSTORE_RAM = "y";
            PSTORE_CONSOLE = "y";
-            PSTORE_DEFLATE_COMPRESS = "n";
+#            PSTORE_DEFLATE_COMPRESS = "n";

            BLOCK = "y";
            MMC="y";
@ -286,9 +288,17 @@
              USB_XHCI_MVEBU = "y";
              USB_XHCI_HCD = "y";
            };
+            WLAN = {
+              WLAN_VENDOR_ATH = "y";
+              ATH_COMMON = "m";
+              ATH9K = "m";
+              ATH9K_PCI = "y";
+              ATH10K = "m";
+              ATH10K_PCI = "m";
+              ATH10K_DEBUG = "y";
+            };
          };
        };
-
        boot = {
          commandLine = [
            "console=ttyS0,115200"
@ -328,9 +338,9 @@
        };

        hardware = let
-          mac80211 = pkgs.mac80211.override {
-            drivers = ["ath9k_pci" "ath10k_pci"];
-            klibBuild = config.system.outputs.kernel.modulesupport;
+          mac80211 =  pkgs.kmodloader.override {
+            inherit (config.system.outputs) kernel;
+            targets = ["ath9k" "ath10k_pci"];
          };
        in {
          defaultOutput = "mtdimage";
@ -339,9 +349,9 @@
          rootDevice = "/dev/mmcblk0p1";

          dts = {
-            src = "${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/armada-385-turris-omnia.dts";
+            src = "${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/marvell/armada-385-turris-omnia.dts";
            includes =  [
-              "${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/"
+              "${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/marvell/"
            ];
          };
          flash.eraseBlockSize = 65536; # only used for tftpboot
--- a/examples/demo-firewall.nix
+++ b/examples/demo-firewall.nix
@ -107,6 +107,7 @@ in {

    rules = [
      (accept "udp dport 547") # dhcp, could restrict to daddr ff02::1:2
+      (accept "udp dport 53") # dns
      (accept "tcp dport 22")
    ];
  };
@ -232,9 +233,9 @@ in {
    type = "filter";
    family = "ip";
    rules = [
-      # this is where you put permitted incoming
-      # connections. Practically there's not a lot of use for this
-      # chain unless you have routable ipv4 addresses
+      # This is where you put permitted incoming connections. If
+      # you're using NAT, the rules in this chain will see the
+      # internal (RFC1918) addresses.
    ];
  };

--- a/examples/rotuer.nix
+++ b/examples/rotuer.nix
@ -123,7 +123,7 @@ in rec {
      # You can add static addresses for the DHCP server here.  I'm
      # not putting my actual MAC addresses in a public git repo ...
      hosts = { } // lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);
-
+      upstreams = [ "/${secrets.domainName}/" ];
      domain = secrets.domainName;
    };

@ -197,6 +197,9 @@ in rec {

  defaultProfile.packages = with pkgs; [
    min-collect-garbage
+    nftables
+    strace
+    tcpdump
  ];

  programs.busybox.applets = [
--- a/modules/base.nix
+++ b/modules/base.nix
@ -13,7 +13,7 @@ let

 in {
  imports = [
-    ./kernel.nix                # kernel is a separate module for doc purposes
+    ./kernel            # kernel is a separate module for doc purposes
  ];
  options = {
    defaultProfile = {
--- a/modules/firewall/default.nix
+++ b/modules/firewall/default.nix
@ -10,45 +10,8 @@ let
  inherit (pkgs) liminix;
  inherit (pkgs.liminix.services) oneshot;

-  kconf = isModule :
-    # setting isModule false is utterly untested and mostly
-    # unimplemented: I say this to preempt any "how on earth is this
-    # even supposed to work?" questions
-    let yes = if isModule then "m" else "y";
-    in {
-      NETFILTER = "y";
-      NETFILTER_ADVANCED = "y";
-      NETFILTER_NETLINK = yes;
-      NF_CONNTRACK = yes;
-
-      IP6_NF_IPTABLES=  yes;
-      IP_NF_IPTABLES = yes;
-      IP_NF_NAT = yes;
-      IP_NF_TARGET_MASQUERADE = yes;
-
-      NFT_CT = yes;
-      NFT_FIB_IPV4 = yes;
-      NFT_FIB_IPV6 = yes;
-      NFT_LOG = yes;
-      NFT_MASQ = yes;
-      NFT_NAT = yes;
-      NFT_REJECT = yes;
-      NFT_REJECT_INET = yes;
-
-      NF_CT_PROTO_DCCP = "y";
-      NF_CT_PROTO_SCTP = "y";
-      NF_CT_PROTO_UDPLITE = "y";
-      NF_LOG_SYSLOG = yes;
-      NF_NAT = yes;
-      NF_NAT_MASQUERADE = "y";
-      NF_TABLES = yes;
-      NF_TABLES_INET = "y";
-      NF_TABLES_IPV4 = "y";
-      NF_TABLES_IPV6 = "y";
-    };
-  kmodules = pkgs.kernel-modules.override {
-    kernelSrc = config.system.outputs.kernel.src;
-    modulesupport = config.system.outputs.kernel.modulesupport;
+  kmodules = pkgs.kmodloader.override {
+    inherit (config.system.outputs) kernel;
    targets = [
      "nft_fib_ipv4"
      "nft_fib_ipv6"
@ -82,12 +45,6 @@ let
      "xt_nat"
      "xt_tcpudp"
    ];
-    kconfig = kconf true;
-  };
-  loadModules = oneshot {
-    name = "firewall-modules";
-    up = "sh ${kmodules}/load.sh";
-    down = "sh ${kmodules}/unload.sh";
  };
 in
 {
@ -107,11 +64,41 @@ in
      in svc // {
        build = args :
          let args' = args // {
-                dependencies = (args.dependencies or []) ++ [loadModules];
+                dependencies = (args.dependencies or []) ++ [kmodules];
              };
          in svc.build args' ;
      };

-    kernel.config = kconf true;
+    kernel.config = {
+      NETFILTER = "y";
+      NETFILTER_ADVANCED = "y";
+      NETFILTER_NETLINK = "m";
+      NF_CONNTRACK = "m";
+
+      IP6_NF_IPTABLES=  "m";
+      IP_NF_IPTABLES = "m";
+      IP_NF_NAT = "m";
+      IP_NF_TARGET_MASQUERADE = "m";
+
+      NFT_CT = "m";
+      NFT_FIB_IPV4 = "m";
+      NFT_FIB_IPV6 = "m";
+      NFT_LOG = "m";
+      NFT_MASQ = "m";
+      NFT_NAT = "m";
+      NFT_REJECT = "m";
+      NFT_REJECT_INET = "m";
+
+      NF_CT_PROTO_DCCP = "y";
+      NF_CT_PROTO_SCTP = "y";
+      NF_CT_PROTO_UDPLITE = "y";
+      NF_LOG_SYSLOG = "m";
+      NF_NAT = "m";
+      NF_NAT_MASQUERADE = "y";
+      NF_TABLES = "m";
+      NF_TABLES_INET = "y";
+      NF_TABLES_IPV4 = "y";
+      NF_TABLES_IPV6 = "y";
+    };
  };
 }
--- a/modules/kernel/default.nix
+++ b/modules/kernel/default.nix
@ -27,6 +27,7 @@ in {
  options = {
    kernel = {
      src = mkOption { type = types.path; } ;
+      version = mkOption { type = types.str; default = "5.15.137";} ;
      modular = mkOption {
        type = types.bool;
        default = true;
@ -79,7 +80,7 @@ in {
          config.kernel.conditionalConfig;
        k = liminix.builders.kernel.override {
          config = mergedConfig;
-          inherit (config.kernel) src extraPatchPhase;
+          inherit (config.kernel) version src extraPatchPhase;
          targets = config.kernel.makeTargets;
        };
      in {
--- a/modules/wlan.nix
+++ b/modules/wlan.nix
@ -46,6 +46,14 @@ in {
        CRYPTO_SHA1 = "y";
        ENCRYPTED_KEYS = "y";
        KEYS = "y";
+
+        WLAN = "y";
+        CFG80211 = "m";
+        MAC80211 = "m";
+        EXPERT = "y";
+        CFG80211_CERTIFICATION_ONUS = "y";
+        CFG80211_REQUIRE_SIGNED_REGDB = "n"; # depends on ONUS
+        CFG80211_CRDA_SUPPORT = "n";
      };
    };
  };
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -66,7 +66,7 @@ in {
  ifwait = callPackage ./ifwait {};
  initramfs-peek = callPackage ./initramfs-peek {};
  kernel-backport = callPackage ./kernel-backport {};
-  kernel-modules  = callPackage ./kernel-modules {};
+  kmodloader = callPackage ./kmodloader {};
  levitate = callPackage ./levitate {};
  libubootenv = callPackage ./libubootenv {};
  linotify = callPackage ./linotify {};
--- a/pkgs/kernel-modules/Makefile
+++ b/pkgs/kernel-modules/Makefile
@ -1,3 +0,0 @@
-
-
-# obj-m += net/ipv4/netfilter/nft_fib_ipv4.o
--- a/pkgs/kernel-modules/default.nix
+++ b/pkgs/kernel-modules/default.nix
@ -1,50 +0,0 @@
-{
-  stdenv
-, buildPackages
-, kernelSrc  ? null
-, modulesupport ? null
-, targets ? []
-, kconfig ? {}
-, openssl
-, writeText
-, lib
-}:
-let
-  writeConfig = import ../kernel/write-kconfig.nix { inherit lib writeText; };
-  arch = stdenv.hostPlatform.linuxArch;
-in stdenv.mkDerivation {
-  name = "kernel-modules";
-
-  nativeBuildInputs = [buildPackages.stdenv.cc] ++
-                      (with buildPackages.pkgs; [
-                        bc bison flex
-                        openssl
-                        cpio
-                        kmod
-                      ]);
-  CC = "${stdenv.cc.bintools.targetPrefix}gcc";
-  HOST_EXTRACFLAGS = with buildPackages.pkgs;
-    "-I${buildPackages.openssl.dev}/include -L${buildPackages.openssl.out}/lib";
-  CROSS_COMPILE = stdenv.cc.bintools.targetPrefix;
-  ARCH = arch;
-  KBUILD_BUILD_HOST = "liminix.builder";
-
-  buildPhase = ''
-    cat ${writeConfig "kconfig" kconfig}  > .more-config
-    cat .more-config >> .config
-    make olddefconfig
-    for v in $(cat .more-config) ; do grep $v .config || (echo Missing $v && exit 1);done
-    make modules
-  '';
-  src =  modulesupport;
-  installPhase = ''
-    mkdir -p $out/lib/modules/0.0
-    find . -name \*.ko | cpio --verbose --make-directories -p $out/lib/modules/0.0
-    depmod -b $out -v 0.0
-    touch $out/load.sh
-    for i in ${lib.concatStringsSep " " targets}; do
-      modprobe -S 0.0 -d $out --show-depends $i >> $out/load.sh
-    done
-    tac < $out/load.sh | sed 's/^insmod/rmmod/g' > $out/unload.sh
-  '';
-}
--- a/pkgs/kernel/default.nix
+++ b/pkgs/kernel/default.nix
@ -6,6 +6,7 @@

 , config
 , src
+ , version ? "0"
 , extraPatchPhase ? "echo"
 , targets ? ["vmlinux"]
 } :
@ -51,9 +52,9 @@ stdenv.mkDerivation rec {

  patches = [
    ./cmdline-cookie.patch
-    ./phram-allow-cached-mappings.patch
    ./mips-malta-fdt-from-bootloader.patch
-  ];
+  ] ++ lib.optional (lib.versionOlder version "5.18.0")
+    ./phram-allow-cached-mappings.patch;

  # this is here to work around what I think is a bug in nixpkgs
  # packaging of ncurses: it installs pkg-config data files which
@ -103,8 +104,7 @@ stdenv.mkDerivation rec {
    mkdir -p $headers
    cp -a include .config $headers/
    mkdir -p $modulesupport
-    cp modules.* $modulesupport
-    make clean modules_prepare
+    make modules
    cp -a . $modulesupport
  '';
 }
--- a/pkgs/kmodloader/default.nix
+++ b/pkgs/kmodloader/default.nix
@ -0,0 +1,41 @@
+{
+  liminix
+, lib
+, targets ? []
+, kernel ? null
+, runCommand
+, pkgsBuildBuild
+} :
+let
+  inherit (liminix.services) oneshot;
+  inherit (lib) concatStringsSep;
+  loader =  runCommand "modules" {
+    nativeBuildInputs = with pkgsBuildBuild ;[
+      kmod cpio gawk
+    ];
+  } ''
+    kernel=${kernel.modulesupport}
+
+    mkdir -p lib/modules/0.0
+    (cd $kernel && find . -name \*.ko | cpio --verbose --make-directories -p $NIX_BUILD_TOP/lib/modules/0.0)
+    cp $kernel/modules.* lib/modules/0.0
+    depmod -b . 0.0
+
+    (for i in ${lib.concatStringsSep " " targets}; do
+      modprobe -S 0.0 -d  $NIX_BUILD_TOP --show-depends $i | sed "s,^insmod $NIX_BUILD_TOP/lib/modules/0.0/,,g"
+    done) | awk '!a[$0]++' > load-order
+
+    mkdir $out
+    for i in $(cat load-order); do
+      install -v $NIX_BUILD_TOP/lib/modules/0.0/$i -D $out/$i
+    done
+    echo "O=$out" > $out/load.sh
+    sed "s,^,insmod \$O/,g" < load-order >> $out/load.sh
+    echo "O=$out" > $out/unload.sh
+    tac load-order | sed "s,^,rmmod \$O/,g" > $out/unload.sh
+  '';
+in oneshot {
+  name = "kmodloader-"  + (concatStringsSep "-" targets);
+  up = "sh ${loader}/load.sh";
+  down = "sh ${loader}/unload.sh";
+}
Author	SHA1	Message	Date
Daniel Barlow	c50423f689	turris omnia: upgrade to mainline 6.7.4 kernel On this device we don't need the openwrt kernel or patches. The newer kernel also fixes the weird one minute pause at boot when it was doing something with either mmc or switch.	2024-02-12 20:43:01 +00:00
Daniel Barlow	65479e206b	use regular kernel not backports for mac80211 the kernel on most devices is now newer than the version that the backported drivers were backported from	2024-02-12 20:41:10 +00:00
Daniel Barlow	79926c6fe7	remove call to deleted package	2024-02-12 14:56:12 +00:00
Daniel Barlow	ae4856ea7c	improve firewall comment	2024-02-12 13:56:56 +00:00
Daniel Barlow	b9c0d93670	build modules at same time as main kernel vmlinux This changes the practice for building kernel modules: now we expect that the appropriate Kconfig symbols are set to =m in config.kernel.config, and then use pkgs.kmodloader to create a service that loads and unloads all the modules depended on by a particular requirement. Note that modules won't be installed on the target device just by virue of having been built: only the modules that are referenced by a kmodloader package will be in the closure. An example may make this clearer: see modules/firewall/default.nix in this commit. Why? If you have a compiled Linux kernel source tree and you change some symbol from "is not set" to m and then run make modules, you cannot in general expect that newly compiled module to work. This is because there are places in the build of the main kernel where it looks to see which modules _may_ be defined and uses that information to accommodate them. For example in an in-kernel build of https://github.com/torvalds/linux/blob/master/net/netfilter/core.c#L689 some symbols are defined only if CONFIG_NF_CONNTRACK is set, meaning this code won't work if we have it unset initially then try later to enable it and build modules only. Or see https://github.com/torvalds/linux/blob/master/include/linux/netdevice.h#L160	2024-02-11 23:47:11 +00:00
Daniel Barlow	11287a8436	allow lan dns queries (ipv6)	2024-02-11 23:32:46 +00:00
Daniel Barlow	57aece0709	rotuer: don't forward queries for local domain	2024-02-11 23:32:46 +00:00
Daniel Barlow	c1d285a220	rotuer: network debugging tools	2024-02-11 23:32:46 +00:00
Daniel Barlow	dce983ec79	move kernel module to its own subdir	2024-02-11 18:15:55 +00:00
Daniel Barlow	812f497660	add kernel.version param to allow for version-specific patches default to 5.15.137 to avoid breaking the devices that don't declare it	2024-02-11 16:19:52 +00:00
				`@ -1,3 +0,0 @@`


				`# obj-m += net/ipv4/netfilter/nft_fib_ipv4.o`