dan
/
liminix
1
0
Fork 5
Code Issues 3 Pull Requests 2 Projects Releases Wiki Activity

Compare commits

merge into: dan:main
Branches Tags
dan:main
dan:gateway-profile
dan:tftpboot-append-dtb
dan:mainline-omnia-wip
dan:armv7
dan:hark-how-all-the-belkin-rings
dan:first-do-no-arm
dan:doc-do-over
dan:module-based-network
...
pull from: dan:mainline-omnia-wip
Branches Tags
dan:main
dan:gateway-profile
dan:tftpboot-append-dtb
dan:mainline-omnia-wip
dan:armv7
dan:hark-how-all-the-belkin-rings
dan:first-do-no-arm
dan:doc-do-over
dan:module-based-network

10 Commits
main ... mainline-o

Author SHA1 Message Date
Daniel Barlow 3792ec1f39 allow lan dns queries (ipv6) 2024-02-11 23:31:15 +00:00
Daniel Barlow f71e8d5710 rotuer: network debugging tools 2024-02-11 23:30:46 +00:00
Daniel Barlow d3bde4533b rotuer: don't forward queries for local domain 2024-02-11 23:30:12 +00:00
Daniel Barlow 0e941a8686 deep thoughts 2024-02-11 15:46:18 +00:00
Daniel Barlow f023f7a0de deep thoughts 2024-02-11 15:46:18 +00:00
Daniel Barlow 6c61d88a3a deep thoughts 2024-02-11 15:46:18 +00:00
Daniel Barlow bbce605a14 WIP-but-works: mainline kernel for Turris Omnia 2024-02-11 15:46:18 +00:00
Daniel Barlow e6705c4d06 rotuer: make domainName configurable 2024-02-11 15:40:28 +00:00
Daniel Barlow 6684d34a43 add wifi ssid to secrets 2024-02-11 15:40:17 +00:00
Daniel Barlow a8c6d5d8a4 remove root_password secret, is dup of root.passwd 2024-02-11 15:40:11 +00:00
10 changed files with 160 additions and 32 deletions
Show Stats Expand all files Collapse all files

61
THOUGHTS.txt
View File

@ -3952,3 +3952,64 @@ I can actually use it as a CPE. This means
- would be quite cool to run sniproxy instead of forwarding to
loaclhost (extra credit)
Sat Feb 10 12:41:12 GMT 2024
s6-linux-init version 1.1.2.0
nfnetlink: module verification failed: signature and/or required key missing - tainting kernel
------------[ cut here ]------------
kernel BUG at net/wireless/core.h:125!
Internal error: Oops - BUG: 0 [#1] SMP ARM
Modules linked in: cfg80211(E+) nfnetlink(E)
CPU: 0 PID: 197 Comm: insmod Tainted: G E 6.7.4 #1
Hardware name: Marvell Armada 380/385 (Device Tree)
PC is at cfg80211_netdev_notifier_call+0x2cc/0x3e0 [cfg80211]
LR is at call_netdevice_register_net_notifiers+0x4c/0xec
pc : [<bf010024>] lr : [<c0672e30>] psr: 60000013
sp : f0ba5c10 ip : fffffffb fp : c328df00
r10: c15c4170 r9 : c328df00 r8 : 00000000
r7 : 00000000 r6 : bf04c620 r5 : c10c9000 r4 : c11ff414
r3 : 00000000 r2 : f0ba5df4 r1 : 00000005 r0 : bf04c620
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 10c5387d Table: 0320804a DAC: 00000051
R
cfg80211_netdev_notifier_call [cfg80211] from call_netdevice_register_net_notifiers+0x4c/0xec
setenv omnia_reset 1; run bootcmd_rescue
Sat Feb 10 18:23:54 GMT 2024
ARGH KERNEL
You can't define CONFIG_NETFILTER=y in a monolithic kernel and expect
later to separately build some modules that use it, because there are
a bunch of symbols that only get defined if certain other CONFIG
options are set at the time that the monolithic kernel is built.
https://github.com/torvalds/linux/blob/master/net/netfilter/core.c#L689
Another example is
https://github.com/torvalds/linux/blob/master/include/linux/netdevice.h#L160
- if you decide after building the kernel that you're going to build
some wireless modules, you can't do that without rebuilding the kernel
so that it knows to expect them
The moral of the story seems to be: if you have a compiled Linux kernel source tree and you change some symbol from "is not set" to m and then run make modules, you cannot in general expect that newly compiled module to work.
AP advertised VHT without HT, disabling HT/VHT/HE
TODO
- support kernel version as parameter to builder pkgs/kernel/default.nix
- extract the change in how module loading works from omnia device config,
and fix the other thing that uses it
- wlan module to take 'backported' as a parameter
half of the omnia conditionalConfig can go into the module
- upgrade omnia to kernel v6
- figure out what mdns we need for local hostname resolution
(maybe bridging lan/wlan)?
- [DONE] slow wifi because "AP advertised VHT without HT, disabling HT/VHT/HE"
- [DONE] add local domain to secrets
- run sniproxy instead of forwarding
- forward some port to loaclhost 22 for inbound ipv4 ssh

81
devices/turris-omnia/default.nix
View File

@ -182,12 +182,10 @@
kernel = {
src = pkgs.pkgsBuildBuild.fetchurl {
name = "linux.tar.gz";
url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.7.4.tar.gz";
hash = "sha256-wIrmL0BS63nRwWfm4nw+dRNVPUzGh9M4X7LaHzAn5tU=";
};
extraPatchPhase = ''
${pkgs.openwrt.applyPatches.mvebu}
'';
version = "6.7.4";
config = {
PCI = "y";
OF = "y";
@ -203,6 +201,10 @@
RTC_CLASS = "y";
RTC_DRV_ARMADA38X = "y"; # this may be useful anyway?
EXPERT = "y";
ALLOW_DEV_COREDUMP = "n";
# dts has a compatible for this but dmesg is not
# showing it
EEPROM_AT24 = "y"; # atmel,24c64
@ -213,9 +215,9 @@
MACH_ARMADA_38X = "y";
SMP = "y";
# this is disabled for the moment because it relies on a GCC
# plugin that requires gmp.h to build, and I can't see right now
# how to confgure it to find gmp
# this is disabled for the moment because it relies on a
# GCC plugin that requires gmp.h to build, and I can't see
# right now how to confgure it to find gmp
STACKPROTECTOR_PER_TASK = "n";
NR_CPUS = "4";
VFP = "y";
@ -227,7 +229,7 @@
PSTORE = "y";
PSTORE_RAM = "y";
PSTORE_CONSOLE = "y";
PSTORE_DEFLATE_COMPRESS = "n";
# PSTORE_DEFLATE_COMPRESS = "n";
BLOCK = "y";
MMC="y";
@ -286,9 +288,25 @@
USB_XHCI_MVEBU = "y";
USB_XHCI_HCD = "y";
};
WLAN = {
CFG80211 = "m";
MAC80211 = "m";
CFG80211_CERTIFICATION_ONUS = "y";
CFG80211_REQUIRE_SIGNED_REGDB = "n"; # depends on ONUS
CFG80211_CRDA_SUPPORT = "n";
WLAN_VENDOR_ATH = "y";
ATH_COMMON = "m";
ATH9K = "m";
ATH9K_PCI = "y";
ATH10K = "m";
ATH10K_PCI = "m";
ATH10K_DEBUG = "y";
};
};
};
boot = {
commandLine = [
"console=ttyS0,115200"
@ -328,10 +346,41 @@
};
hardware = let
mac80211 = pkgs.mac80211.override {
drivers = ["ath9k_pci" "ath10k_pci"];
klibBuild = config.system.outputs.kernel.modulesupport;
};
mac80211 =
let
targets = [
"ath9k"
"ath10k_pci"
];
kmodules = pkgs.runCommand "modules" {
nativeBuildInputs = with pkgs.pkgsBuildBuild ;[
kmod cpio gawk
];
} ''
kernel=${config.system.outputs.kernel.modulesupport}
mkdir -p lib/modules/0.0
(cd $kernel && find . -name \*.ko | cpio --verbose --make-directories -p $NIX_BUILD_TOP/lib/modules/0.0)
cp $kernel/modules.* lib/modules/0.0
depmod -b . 0.0
(for i in ${lib.concatStringsSep " " targets}; do
modprobe -S 0.0 -d $NIX_BUILD_TOP --show-depends $i | sed "s,^insmod $NIX_BUILD_TOP/lib/modules/0.0/,,g"
done) | awk '!a[$0]++' > load-order
mkdir $out
for i in $(cat load-order); do
install -v $NIX_BUILD_TOP/lib/modules/0.0/$i -D $out/$i
done
echo "O=$out" > $out/load.sh
sed "s,^,insmod \$O/,g" < load-order >> $out/load.sh
echo "O=$out" > $out/unload.sh
tac load-order | sed "s,^,rmmod \$O/,g" > $out/unload.sh
''; in
oneshot {
name = "mac80211-modules";
up = "sh ${kmodules}/load.sh";
down = "sh ${kmodules}/unload.sh";
};
in {
defaultOutput = "mtdimage";
loadAddress = lim.parseInt "0x00800000"; # "0x00008000";
@ -339,9 +388,9 @@
rootDevice = "/dev/mmcblk0p1";
dts = {
src = "${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/armada-385-turris-omnia.dts";
src = "${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/marvell/armada-385-turris-omnia.dts";
includes = [
"${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/"
"${config.system.outputs.kernel.modulesupport}/arch/arm/boot/dts/marvell/"
];
};
flash.eraseBlockSize = 65536; # only used for tftpboot

2
examples/arhcive.nix
View File

@ -145,7 +145,7 @@ in rec {
};
users.root = {
passwd = lib.mkForce secrets.root_password;
passwd = lib.mkForce secrets.root.passwd;
# openssh.authorizedKeys.keys = [
# (builtins.readFile "/home/dan/.ssh/id_rsa.pub")
# ];

1
examples/demo-firewall.nix
View File

@ -107,6 +107,7 @@ in {
rules = [
(accept "udp dport 547") # dhcp, could restrict to daddr ff02::1:2
(accept "udp dport 53") # dns
(accept "tcp dport 22")
];
};

2
examples/extneder.nix
View File

@ -131,6 +131,6 @@ in rec {
dependencies = [services.dhcpc];
};
users.root.passwd = lib.mkForce secrets.root_password;
users.root.passwd = lib.mkForce secrets.root.passwd;
defaultProfile.packages = with pkgs; [nftables strace tcpdump swconfig];
}

7
examples/rotuer-secrets.example.nix
View File

@ -1,5 +1,6 @@
rec {
{
wpa_passphrase = "you bring light in";
ssid = "liminix";
l2tp = {
name = "abcde@a.1";
password = "NotMyIspPassword";
@ -10,9 +11,9 @@ rec {
openssh.authorizedKeys.keys = [
];
};
root_password = root.passwd;
lan = {
prefix = "10.8.0"; # "192.168.8";
prefix = "10.8.0";
};
}

20
examples/rotuer.nix
View File

@ -8,7 +8,10 @@
{ config, pkgs, lib, ... } :
let
secrets = import ./rotuer-secrets.nix;
secrets = {
domainName = "fake.liminix.org";
firewallRules = {};
} // (import ./rotuer-secrets.nix);
inherit (pkgs.liminix.services) oneshot longrun bundle;
inherit (pkgs) serviceFns;
svc = config.system.service;
@ -23,6 +26,7 @@ let
wmm_enabled = 1;
};
in rec {
boot = {
tftp = {
@ -55,7 +59,7 @@ in rec {
services.hostap = svc.hostapd.build {
interface = config.hardware.networkInterfaces.wlan;
params = {
ssid = "liminix";
ssid = secrets.ssid;
hw_mode="g";
channel = "2";
ieee80211n = 1;
@ -65,7 +69,7 @@ in rec {
services.hostap5 = svc.hostapd.build {
interface = config.hardware.networkInterfaces.wlan5;
params = rec {
ssid = "liminix_5";
ssid = "${secrets.ssid}5";
hw_mode="a";
channel = 36;
ht_capab = "[HT40+]";
@ -84,7 +88,8 @@ in rec {
services.bridge = svc.bridge.members.build {
primary = services.int;
members = with config.hardware.networkInterfaces;
[ wlan
[
wlan
wlan5
lan0
lan1
@ -120,8 +125,8 @@ in rec {
# You can add static addresses for the DHCP server here. I'm
# not putting my actual MAC addresses in a public git repo ...
hosts = { } // lib.optionalAttrs (builtins.pathExists ./static-leases.nix) (import ./static-leases.nix);
domain = "fake.liminix.org";
upstreams = [ "/${secrets.domainName}/" ];
domain = secrets.domainName;
};
services.wan = svc.pppoe.build {
@ -194,6 +199,9 @@ in rec {
defaultProfile.packages = with pkgs; [
min-collect-garbage
nftables
strace
tcpdump
];
programs.busybox.applets = [

4
modules/kernel.nix
View File

@ -27,6 +27,7 @@ in {
options = {
kernel = {
src = mkOption { type = types.path; } ;
version = mkOption { type = types.str; default = "5.15.137";} ;
modular = mkOption {
type = types.bool;
default = true;
@ -79,7 +80,8 @@ in {
config.kernel.conditionalConfig;
k = liminix.builders.kernel.override {
config = mergedConfig;
inherit (config.kernel) src extraPatchPhase;
version = builtins.trace config.kernel.version config.kernel.version;
inherit (config.kernel) src extraPatchPhase;
targets = config.kernel.makeTargets;
};
in {

4
modules/wlan.nix
View File

@ -46,6 +46,10 @@ in {
CRYPTO_SHA1 = "y";
ENCRYPTED_KEYS = "y";
KEYS = "y";
# see note in include/linux/netdevice.h re LL_MAX_HEADER
WLAN = "y";
};
};
};

10
pkgs/kernel/default.nix
View File

@ -6,6 +6,7 @@
, config
, src
, version ? "1"
, extraPatchPhase ? "echo"
, targets ? ["vmlinux"]
} :
@ -23,6 +24,7 @@ stdenv.mkDerivation rec {
(with buildPackages.pkgs; [
rsync bc bison flex pkg-config
openssl ncurses.all perl
cpio
]);
CC = "${stdenv.cc.bintools.targetPrefix}gcc";
HOSTCC = with buildPackages.pkgs;
@ -51,9 +53,9 @@ stdenv.mkDerivation rec {
patches = [
./cmdline-cookie.patch
./phram-allow-cached-mappings.patch
./mips-malta-fdt-from-bootloader.patch
];
] ++ lib.optional (lib.versionOlder version "6.0")
./phram-allow-cached-mappings.patch;
# this is here to work around what I think is a bug in nixpkgs
# packaging of ncurses: it installs pkg-config data files which
@ -103,8 +105,8 @@ stdenv.mkDerivation rec {
mkdir -p $headers
cp -a include .config $headers/
mkdir -p $modulesupport
cp modules.* $modulesupport
make clean modules_prepare
cp modules.* vmlinux.o $modulesupport
make modules
cp -a . $modulesupport
'';
}