From 2db09e485d62c4839427a17eb528cd749a389cb1 Mon Sep 17 00:00:00 2001 From: xSmurf Date: Tue, 22 Sep 2015 01:13:54 +0000 Subject: [PATCH] [...] --- board/coreboot/busybox.config | 2 +- board/coreboot/linux-4.1.config | 93 ++------ board/coreboot/post-build.sh | 15 -- board/coreboot/post_build.sh | 17 ++ .../rootfs-additions/etc/default/crda | 1 + .../etc/init.d/S10setregulatorydomain | 25 ++ .../etc/network/if-pre-up.d/00macchanger | 5 + .../ssl/local/certs/sks-keyservers.netCA.pem | 32 +++ .../rootfs-additions/root/.gnupg/gpg.conf | 223 ++++++++++++++++++ configs/coreboot_defconfig | 2 +- package/Config.in | 4 + package/tlsdate/Config.in | 14 ++ package/tlsdate/tlsdate.mk | 25 ++ 13 files changed, 372 insertions(+), 86 deletions(-) delete mode 100755 board/coreboot/post-build.sh create mode 100755 board/coreboot/post_build.sh create mode 100644 board/coreboot/rootfs-additions/etc/default/crda create mode 100755 board/coreboot/rootfs-additions/etc/init.d/S10setregulatorydomain create mode 100755 board/coreboot/rootfs-additions/etc/network/if-pre-up.d/00macchanger create mode 100644 board/coreboot/rootfs-additions/etc/ssl/local/certs/sks-keyservers.netCA.pem create mode 100644 board/coreboot/rootfs-additions/root/.gnupg/gpg.conf create mode 100644 package/tlsdate/Config.in create mode 100644 package/tlsdate/tlsdate.mk diff --git a/board/coreboot/busybox.config b/board/coreboot/busybox.config index 062ead7..b39e662 100644 --- a/board/coreboot/busybox.config +++ b/board/coreboot/busybox.config @@ -1,7 +1,7 @@ # # Automatically generated make config: don't edit # Busybox version: 1.23.2 -# Mon Sep 21 20:54:45 2015 +# Mon Sep 21 23:48:31 2015 # CONFIG_HAVE_DOT_CONFIG=y diff --git a/board/coreboot/linux-4.1.config b/board/coreboot/linux-4.1.config index 76365aa..9a381b3 100644 --- a/board/coreboot/linux-4.1.config +++ b/board/coreboot/linux-4.1.config 
@@ -314,20 +314,20 @@ CONFIG_BLK_DEV_BSG=y CONFIG_PARTITION_ADVANCED=y # CONFIG_ACORN_PARTITION is not set # CONFIG_AIX_PARTITION is not set -CONFIG_OSF_PARTITION=y -CONFIG_AMIGA_PARTITION=y +# CONFIG_OSF_PARTITION is not set +# CONFIG_AMIGA_PARTITION is not set # CONFIG_ATARI_PARTITION is not set -CONFIG_MAC_PARTITION=y +# CONFIG_MAC_PARTITION is not set CONFIG_MSDOS_PARTITION=y CONFIG_BSD_DISKLABEL=y -CONFIG_MINIX_SUBPARTITION=y -CONFIG_SOLARIS_X86_PARTITION=y -CONFIG_UNIXWARE_DISKLABEL=y +# CONFIG_MINIX_SUBPARTITION is not set +# CONFIG_SOLARIS_X86_PARTITION is not set +# CONFIG_UNIXWARE_DISKLABEL is not set # CONFIG_LDM_PARTITION is not set -CONFIG_SGI_PARTITION=y +# CONFIG_SGI_PARTITION is not set # CONFIG_ULTRIX_PARTITION is not set -CONFIG_SUN_PARTITION=y -CONFIG_KARMA_PARTITION=y +# CONFIG_SUN_PARTITION is not set +# CONFIG_KARMA_PARTITION is not set CONFIG_EFI_PARTITION=y # CONFIG_SYSV68_PARTITION is not set # CONFIG_CMDLINE_PARTITION is not set @@ -1815,7 +1815,7 @@ CONFIG_POWER_SUPPLY=y # CONFIG_BATTERY_GAUGE_LTC2941 is not set CONFIG_POWER_RESET=y CONFIG_POWER_RESET_RESTART=y -# CONFIG_POWER_AVS is not set +CONFIG_POWER_AVS=y CONFIG_HWMON=y # CONFIG_HWMON_VID is not set # CONFIG_HWMON_DEBUG_CHIP is not set @@ -1922,8 +1922,6 @@ CONFIG_SENSORS_CORETEMP=y # CONFIG_SENSORS_SMSC47M192 is not set # CONFIG_SENSORS_SMSC47B397 is not set # CONFIG_SENSORS_SCH56XX_COMMON is not set -# CONFIG_SENSORS_SCH5627 is not set -# CONFIG_SENSORS_SCH5636 is not set # CONFIG_SENSORS_SMM665 is not set # CONFIG_SENSORS_ADC128D818 is not set # CONFIG_SENSORS_ADS1015 is not set 
@@ -1968,65 +1966,13 @@ CONFIG_THERMAL_GOV_USER_SPACE=y # CONFIG_THERMAL_EMULATION is not set CONFIG_INTEL_POWERCLAMP=y CONFIG_X86_PKG_TEMP_THERMAL=y -# CONFIG_INTEL_SOC_DTS_THERMAL is not set +CONFIG_INTEL_SOC_DTS_THERMAL=y # CONFIG_INT340X_THERMAL is not set # # Texas Instruments thermal drivers # -CONFIG_WATCHDOG=y -# CONFIG_WATCHDOG_CORE is not set -# CONFIG_WATCHDOG_NOWAYOUT is not set - -# -# Watchdog Device Drivers -# -# CONFIG_SOFT_WATCHDOG is not set -# CONFIG_XILINX_WATCHDOG is not set -# CONFIG_CADENCE_WATCHDOG is not set -# CONFIG_DW_WATCHDOG is not set -# CONFIG_ACQUIRE_WDT is not set -# CONFIG_ADVANTECH_WDT is not set -# CONFIG_ALIM1535_WDT is not set -# CONFIG_ALIM7101_WDT is not set -# CONFIG_F71808E_WDT is not set -# CONFIG_SP5100_TCO is not set -# CONFIG_SBC_FITPC2_WATCHDOG is not set -# CONFIG_EUROTECH_WDT is not set -# CONFIG_IB700_WDT is not set -# CONFIG_IBMASR is not set -# CONFIG_WAFER_WDT is not set -# CONFIG_I6300ESB_WDT is not set -# CONFIG_IE6XX_WDT is not set -# CONFIG_ITCO_WDT is not set -# CONFIG_IT8712F_WDT is not set -# CONFIG_IT87_WDT is not set -# CONFIG_HP_WATCHDOG is not set -# CONFIG_SC1200_WDT is not set -# CONFIG_PC87413_WDT is not set -# CONFIG_NV_TCO is not set -# CONFIG_60XX_WDT is not set -# CONFIG_CPU5_WDT is not set -# CONFIG_SMSC_SCH311X_WDT is not set -# CONFIG_SMSC37B787_WDT is not set -# CONFIG_VIA_WDT is not set -# CONFIG_W83627HF_WDT is not set -# CONFIG_W83877F_WDT is not set -# CONFIG_W83977F_WDT is not set -# CONFIG_MACHZ_WDT is not set -# CONFIG_SBC_EPX_C3_WATCHDOG is not set -# CONFIG_MEN_A21_WDT is not set - -# -# PCI-based Watchdog Cards -# -# CONFIG_PCIPCWATCHDOG is not set -# CONFIG_WDTPCI is not set - -# -# USB-based Watchdog Cards -# -# CONFIG_USBPCWATCHDOG is not set +# CONFIG_WATCHDOG is not set CONFIG_SSB_POSSIBLE=y # 
@@ -2823,11 +2769,20 @@ CONFIG_DMADEVICES=y # # DMA Devices # -# CONFIG_INTEL_IOATDMA is not set +CONFIG_INTEL_IOATDMA=y # CONFIG_DW_DMAC is not set # CONFIG_DW_DMAC_PCI is not set # CONFIG_HSU_DMA_PCI is not set +CONFIG_DMA_ENGINE=y CONFIG_DMA_ACPI=y + +# +# DMA Clients +# +# CONFIG_ASYNC_TX_DMA is not set +# CONFIG_DMATEST is not set +CONFIG_DMA_ENGINE_RAID=y +CONFIG_DCA=y # CONFIG_AUXDISPLAY is not set # CONFIG_UIO is not set # CONFIG_VFIO is not set @@ -2901,8 +2856,8 @@ CONFIG_THINKPAD_ACPI=y CONFIG_THINKPAD_ACPI_VIDEO=y CONFIG_THINKPAD_ACPI_HOTKEY_POLL=y CONFIG_SENSORS_HDAPS=y -# CONFIG_INTEL_MENLOW is not set -CONFIG_EEEPC_LAPTOP=y +CONFIG_INTEL_MENLOW=y +# CONFIG_EEEPC_LAPTOP is not set # CONFIG_ACPI_WMI is not set # CONFIG_TOPSTAR_LAPTOP is not set # CONFIG_TOSHIBA_BT_RFKILL is not set diff --git a/board/coreboot/post-build.sh b/board/coreboot/post-build.sh deleted file mode 100755 index 0a8d057..0000000 --- a/board/coreboot/post-build.sh +++ /dev/null @@ -1,15 +0,0 @@ -TARGETDIR=$1 - -# Set root password to ’root’. Password generated with -# mkpasswd, from the ’whois’ package in Debian/Ubuntu. -#sed -i ’s%^root::%root:8kfIfYHmcyQEE:%’ $TARGETDIR/etc/shadow - -# Application/log file mount point -#mkdir -p $TARGETDIR/applog -#grep -q "^/dev/mtdblock7" $TARGET_DIR/etc/fstab || echo "/dev/mtdblock7\t\t/applog\tjffs2\tdefaults\t\t0\t0" >> $TARGETDIR/etc/fstab - -# Copy the rootfs additions -if [ -d $BOARDDIR/rootfs-additions ]; then - echo "Copying rootfs additions..." - cp -a $BOARDDIR/rootfs-additions/* $TARGETDIR/ -fi diff --git a/board/coreboot/post_build.sh b/board/coreboot/post_build.sh new file mode 100755 index 0000000..d13ae7e --- /dev/null +++ b/board/coreboot/post_build.sh 
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+TARGET_DIR=$1
+BOARD_DIR="$BR2_EXTERNAL/board/coreboot"
+
+# Copy the rootfs additions
+if [ -d "$BOARD_DIR/rootfs-additions" ]; then
+ echo "Copying rootfs additions..."
+ rsync -va $BOARD_DIR/rootfs-additions/* $TARGET_DIR/
+else
+ echo "No rootfs additions found..."
+fi
+
+# Disable dropbear server
+echo "Disabling dropbear server..."
+chmod a-x $TARGET_DIR/etc/init.d/S50dropbear
diff --git a/board/coreboot/rootfs-additions/etc/default/crda b/board/coreboot/rootfs-additions/etc/default/crda
new file mode 100644
index 0000000..9b3fe7b
--- /dev/null
+++ b/board/coreboot/rootfs-additions/etc/default/crda
@@ -0,0 +1 @@
+REGDOMAIN=00
diff --git a/board/coreboot/rootfs-additions/etc/init.d/S10setregulatorydomain b/board/coreboot/rootfs-additions/etc/init.d/S10setregulatorydomain
new file mode 100755
index 0000000..c40a738
--- /dev/null
+++ b/board/coreboot/rootfs-additions/etc/init.d/S10setregulatorydomain
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Set regulatory domain
+#
+
+do_start() {
+ COUNTRY=00 /sbin/crda
+}
+
+case "$1" in
+ start)
+ do_start;
+ ;;
+ stop)
+ ;;
+ restart|reload)
+ do_start;
+ ;;
+ *)
+ echo "Usage: $0 {start}"
+ exit 1
+esac
+
+exit $?
+
diff --git a/board/coreboot/rootfs-additions/etc/network/if-pre-up.d/00macchanger b/board/coreboot/rootfs-additions/etc/network/if-pre-up.d/00macchanger
new file mode 100755
index 0000000..46a1249
--- /dev/null
+++ b/board/coreboot/rootfs-additions/etc/network/if-pre-up.d/00macchanger
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+if [ "$IFACE" != "lo" ]; then
+ /usr/bin/macchanger -A "$IFACE"
+fi
diff --git a/board/coreboot/rootfs-additions/etc/ssl/local/certs/sks-keyservers.netCA.pem b/board/coreboot/rootfs-additions/etc/ssl/local/certs/sks-keyservers.netCA.pem
new file mode 100644
index 0000000..24a2ad2
--- /dev/null
+++ b/board/coreboot/rootfs-additions/etc/ssl/local/certs/sks-keyservers.netCA.pem
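Review bot: The rsync and chmod lines in post_build.sh expand `$BOARD_DIR` and `$TARGET_DIR` unquoted, and the final `chmod a-x` is unconditional, so under `set -e` the whole post-build step fails whenever the image is built without dropbear. I would write `rsync -va "$BOARD_DIR/rootfs-additions/" "$TARGET_DIR/"` (which also picks up top-level dotfiles that the `*` glob skips) and guard the last step as `if [ -f "$TARGET_DIR/etc/init.d/S50dropbear" ]; then chmod a-x "$TARGET_DIR/etc/init.d/S50dropbear"; fi`. Because `rsync -a` carries over the modes of the checkout, `root/.gnupg` will most likely land group- and world-readable; a `chmod 700 "$TARGET_DIR/root/.gnupg"` after the copy would match what GnuPG expects of its home directory. Clearing the execute bit leaves the SSH server binary and its init script in the image, so a comment saying why the package is kept rather than deselected would help the next maintainer.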
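Review bot: The usage text in S10setregulatorydomain advertises only `start`, while the `case` also accepts `stop`, `restart` and `reload`; `echo "Usage: $0 {start|stop|restart|reload}"` would match what the script does. `do_start` calls `/sbin/crda` without checking that it is installed, so the header comment should say that the script depends on the crda package and that `00` (also written to `etc/default/crda` in this patch) selects the world regulatory domain on purpose.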
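Review bot: The 00macchanger hook runs `/usr/bin/macchanger -A "$IFACE"` with no check that the binary exists and no statement of what should happen when it fails. Whether a non-zero exit from an `if-pre-up.d` script keeps the interface down depends on the ifupdown implementation in the image, so the script should make the policy explicit: either `/usr/bin/macchanger -A "$IFACE" || exit 1` with a comment such as `# fail closed: never bring the interface up with the burned-in MAC`, or `|| true` if connectivity on a rescue system matters more. Nothing visible in this patch enables the macchanger package in `configs/coreboot_defconfig`, so confirm it is already selected there.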
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFizCCA3OgAwIBAgIJAK9zyLTPn4CPMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV +BAYTAk5PMQ0wCwYDVQQIDARPc2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5u +ZXQgQ0ExHjAcBgNVBAMMFXNrcy1rZXlzZXJ2ZXJzLm5ldCBDQTAeFw0xMjEwMDkw +MDMzMzdaFw0yMjEwMDcwMDMzMzdaMFwxCzAJBgNVBAYTAk5PMQ0wCwYDVQQIDARP +c2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5uZXQgQ0ExHjAcBgNVBAMMFXNr +cy1rZXlzZXJ2ZXJzLm5ldCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBANdsWy4PXWNUCkS3L//nrd0GqN3dVwoBGZ6w94Tw2jPDPifegwxQozFXkG6I +6A4TK1CJLXPvfz0UP0aBYyPmTNadDinaB9T4jIwd4rnxl+59GiEmqkN3IfPsv5Jj +MkKUmJnvOT0DEVlEaO1UZIwx5WpfprB3mR81/qm4XkAgmYrmgnLXd/pJDAMk7y1F +45b5zWofiD5l677lplcIPRbFhpJ6kDTODXh/XEdtF71EAeaOdEGOvyGDmCO0GWqS +FDkMMPTlieLA/0rgFTcz4xwUYj/cD5e0ZBuSkYsYFAU3hd1cGfBue0cPZaQH2HYx +Qk4zXD8S3F4690fRhr+tki5gyG6JDR67aKp3BIGLqm7f45WkX1hYp+YXywmEziM4 +aSbGYhx8hoFGfq9UcfPEvp2aoc8u5sdqjDslhyUzM1v3m3ZGbhwEOnVjljY6JJLx +MxagxnZZSAY424ZZ3t71E/Mn27dm2w+xFRuoy8JEjv1d+BT3eChM5KaNwrj0IO/y +u8kFIgWYA1vZ/15qMT+tyJTfyrNVV/7Df7TNeWyNqjJ5rBmt0M6NpHG7CrUSkBy9 +p8JhimgjP5r0FlEkgg+lyD+V79H98gQfVgP3pbJICz0SpBQf2F/2tyS4rLm+49rP +fcOajiXEuyhpcmzgusAj/1FjrtlynH1r9mnNaX4e+rLWzvU5AgMBAAGjUDBOMB0G +A1UdDgQWBBTkwyoJFGfYTVISTpM8E+igjdq28zAfBgNVHSMEGDAWgBTkwyoJFGfY +TVISTpM8E+igjdq28zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQAR +OXnYwu3g1ZjHyley3fZI5aLPsaE17cOImVTehC8DcIphm2HOMR/hYTTL+V0G4P+u +gH+6xeRLKSHMHZTtSBIa6GDL03434y9CBuwGvAFCMU2GV8w92/Z7apkAhdLToZA/ +X/iWP2jeaVJhxgEcH8uPrnSlqoPBcKC9PrgUzQYfSZJkLmB+3jEa3HKruy1abJP5 +gAdQvwvcPpvYRnIzUc9fZODsVmlHVFBCl2dlu/iHh2h4GmL4Da2rRkUMlbVTdioB +UYIvMycdOkpH5wJftzw7cpjsudGas0PARDXCFfGyKhwBRFY7Xp7lbjtU5Rz0Gc04 +lPrhDf0pFE98Aw4jJRpFeWMjpXUEaG1cq7D641RpgcMfPFvOHY47rvDTS7XJOaUT +BwRjmDt896s6vMDcaG/uXJbQjuzmmx3W2Idyh3s5SI0GTHb0IwMKYb4eBUIpQOnB +cE77VnCYqKvN1NVYAqhWjXbY7XasZvszCRcOG+W3FqNaHOK/n/0ueb0uijdLan+U +f4p1bjbAox8eAOQS/8a3bzkJzdyBNUKGx1BIK2IBL9bn/HravSDOiNRSnZ/R3l9G +ZauX0tu7IIDlRCILXSyeazu0aj/vdT3YFQXPcvt5Fkf5wiNTo53f72/jYEJd6qph 
+WrpoKqrwGwTpRUCMhYIUt65hsTxCiJJ5nKe39h46sg== +-----END CERTIFICATE----- diff --git a/board/coreboot/rootfs-additions/root/.gnupg/gpg.conf b/board/coreboot/rootfs-additions/root/.gnupg/gpg.conf new file mode 100644 index 0000000..7f33029 --- /dev/null +++ b/board/coreboot/rootfs-additions/root/.gnupg/gpg.conf 
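Review bot: This PEM becomes the only trust anchor for the `hkps://` keyserver configured in `gpg.conf`, but the patch records neither where the file was obtained nor what it was checked against. Please add that to the commit message or a README next to the certificate, for example `sks-keyservers.netCA.pem: fetched from <source URL>, SHA-256 fingerprint <fingerprint published by the CA operator>`. The encoded validity period appears to end in October 2022, so the image also needs a documented way to replace the file; once it lapses, keyserver lookups will fail certificate verification.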
@@ -0,0 +1,223 @@ +# Options for GnuPG +# Copyright 1998, 1999, 2000, 2001, 2002, 2003, +# 2010 Free Software Foundation, Inc. +# +# This file is free software; as a special exception the author gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. +# +# This file is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the +# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# +# Unless you specify which option file to use (with the command line +# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf +# by default. +# +# An options file can contain any long options which are available in +# GnuPG. If the first non white space character of a line is a '#', +# this line is ignored. Empty lines are also ignored. +# +# See the man page for a list of options. + +# Uncomment the following option to get rid of the copyright notice + +#no-greeting + +# If you have more than 1 secret key in your keyring, you may want to +# uncomment the following option and set your preferred keyid. + +#default-key 123AB321 + +# If you do not pass a recipient to gpg, it will ask for one. Using +# this option you can encrypt to a default key. Key validation will +# not be done in this case. The second form uses the default key as +# default recipient. + +#default-recipient some-user-id +#default-recipient-self + +# By default GnuPG creates version 4 signatures for data files as +# specified by OpenPGP. Some earlier (PGP 6, PGP 7) versions of PGP +# require the older version 3 signatures. Setting this option forces +# GnuPG to create version 3 signatures. + +#force-v3-sigs + +# Because some mailers change lines starting with "From " to ">From " +# it is good to handle such lines in a special way when creating +# cleartext signatures; all other PGP versions do it this way too. 
+# To enable full OpenPGP compliance you may want to use this option. + +#no-escape-from-lines + +# When verifying a signature made from a subkey, ensure that the cross +# certification "back signature" on the subkey is present and valid. +# This protects against a subtle attack against subkeys that can sign. +# Defaults to --no-require-cross-certification. However for new +# installations it should be enabled. + +require-cross-certification + + +# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell +# GnuPG which is the native character set. Please check the man page +# for supported character sets. This character set is only used for +# metadata and not for the actual message which does not undergo any +# translation. Note that future version of GnuPG will change to UTF-8 +# as default character set. + +#charset utf-8 + +# Group names may be defined like this: +# group mynames = paige 0x12345678 joe patti +# +# Any time "mynames" is a recipient (-r or --recipient), it will be +# expanded to the names "paige", "joe", and "patti", and the key ID +# "0x12345678". Note there is only one level of expansion - you +# cannot make an group that points to another group. Note also that +# if there are spaces in the recipient name, this will appear as two +# recipients. In these cases it is better to use the key ID. + +#group mynames = paige 0x12345678 joe patti + +# Some old Windows platforms require 8.3 filenames. If your system +# can handle long filenames, uncomment this. + +#no-mangle-dos-filenames + +# Lock the file only once for the lifetime of a process. If you do +# not define this, the lock will be obtained and released every time +# it is needed - normally this is not needed. + +#lock-once + +# GnuPG can send and receive keys to and from a keyserver. These +# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP +# support). 
+# +# Example HKP keyservers: +# hkp://keys.gnupg.net +# +# Example LDAP keyservers: +# ldap://pgp.surfnet.nl:11370 +# +# Regular URL syntax applies, and you can set an alternate port +# through the usual method: +# hkp://keyserver.example.net:22742 +# +# If you have problems connecting to a HKP server through a buggy http +# proxy, you can use keyserver option broken-http-proxy (see below), +# but first you should make sure that you have read the man page +# regarding proxies (keyserver option honor-http-proxy) +# +# Most users just set the name and type of their preferred keyserver. +# Note that most servers (with the notable exception of +# ldap://keyserver.pgp.com) synchronize changes with each other. Note +# also that a single server name may actually point to multiple +# servers via DNS round-robin. hkp://keys.gnupg.net is an example of +# such a "server", which spreads the load over a number of physical +# servers. To see the IP address of the server actually used, you may use +# the "--keyserver-options debug". + +keyserver hkp://keys.gnupg.net +#keyserver http://http-keys.gnupg.net +#keyserver mailto:pgp-public-keys@keys.nl.pgp.net + +# Common options for keyserver functions: +# +# include-disabled = when searching, include keys marked as "disabled" +# on the keyserver (not all keyservers support this). +# +# no-include-revoked = when searching, do not include keys marked as +# "revoked" on the keyserver. +# +# verbose = show more information as the keys are fetched. +# Can be used more than once to increase the amount +# of information shown. +# +# use-temp-files = use temporary files instead of a pipe to talk to the +# keyserver. Some platforms (Win32 for one) always +# have this on. 
+# +# keep-temp-files = do not delete temporary files after using them +# (really only useful for debugging) +# +# honor-http-proxy = if the keyserver uses HTTP, honor the http_proxy +# environment variable +# +# broken-http-proxy = try to work around a buggy HTTP proxy +# +# auto-key-retrieve = automatically fetch keys as needed from the keyserver +# when verifying signatures or when importing keys that +# have been revoked by a revocation key that is not +# present on the keyring. +# +# no-include-attributes = do not include attribute IDs (aka "photo IDs") +# when sending keys to the keyserver. + +#keyserver-options auto-key-retrieve + +# Uncomment this line to display photo user IDs in key listings and +# when a signature from a key with a photo is verified. + +#show-photos + +# Use this program to display photo user IDs +# +# %i is expanded to a temporary file that contains the photo. +# %I is the same as %i, but the file isn't deleted afterwards by GnuPG. +# %k is expanded to the key ID of the key. +# %K is expanded to the long OpenPGP key ID of the key. +# %t is expanded to the extension of the image (e.g. "jpg"). +# %T is expanded to the MIME type of the image (e.g. "image/jpeg"). +# %f is expanded to the fingerprint of the key. +# %% is %, of course. +# +# If %i or %I are not present, then the photo is supplied to the +# viewer on standard input. If your platform supports it, standard +# input is the best way to do this as it avoids the time and effort in +# generating and then cleaning up a secure temp file. +# +# The default program is "xloadimage -fork -quiet -title 'KeyID 0x%k' stdin" +# On Mac OS X and Windows, the default is to use your regular JPEG image +# viewer. 
+# +# Some other viewers: +# photo-viewer "qiv %i" +# photo-viewer "ee %i" +# photo-viewer "display -title 'KeyID 0x%k'" +# +# This one saves a copy of the photo ID in your home directory: +# photo-viewer "cat > ~/photoid-for-key-%k.%t" +# +# Use your MIME handler to view photos: +# photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG" + +# General +no-greeting +fixed-list-mode +keyid-format 0xlong +charset utf-8 +no-emit-version +no-comments +with-fingerprint +list-options show-uid-validity +verify-options show-uid-validity +use-agent +require-cross-certification + +# Ciphers +default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed +personal-cipher-preferences AES256 TWOFISH AES192 AES CAST5 +personal-digest-preferences SHA512 SHA384 SHA256 SHA224 +sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g +cert-digest-algo SHA512 + +# Key server +keyserver hkps://hkps.pool.sks-keyservers.net +keyserver-options ca-cert-file=/etc/ssl/local/certs/sks-keyservers.netCA.pem +keyserver-options no-honor-keyserver-url +#keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050 +keyserver-options no-try-dns-srv +keyserver-options include-revoked diff --git a/configs/coreboot_defconfig b/configs/coreboot_defconfig index b093860..1cebdef 100644 --- a/configs/coreboot_defconfig +++ b/configs/coreboot_defconfig @@ -6,7 +6,7 @@ BR2_ENABLE_LOCALE_PURGE=y BR2_ENABLE_LOCALE_WHITELIST="C" BR2_TARGET_GENERIC_HOSTNAME="rescue" BR2_TARGET_GENERIC_ISSUE="Welcome to Coreboot Rescue" -BR2_ROOTFS_POST_BUILD_SCRIPT="$(BR2_EXTERNAL)/board/coreboot/post-build.sh" +BR2_ROOTFS_POST_BUILD_SCRIPT="$(BR2_EXTERNAL)/board/coreboot/post_build.sh" BR2_LINUX_KERNEL=y BR2_LINUX_KERNEL_SAME_AS_HEADERS=y BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL)/board/coreboot/linux-patches" diff --git a/package/Config.in b/package/Config.in index 998713f..ea5c01e 100644 --- a/package/Config.in +++ b/package/Config.in 
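Review bot: The stock template line `keyserver hkp://keys.gnupg.net` is left active further up in gpg.conf while the custom block at the end sets `keyserver hkps://hkps.pool.sks-keyservers.net`; the plaintext entry should be commented out (`#keyserver hkp://keys.gnupg.net`) so the effective keyserver does not depend on which occurrence gpg honours. `require-cross-certification` is likewise set twice, once in the template part and once under `# General`. `keyserver-options include-revoked` sits among the hardening options without explanation; a comment such as `# keep revoked keys in search results so revocations stay visible` would record why it is there. `keyserver-options ca-cert-file` is, as far as I know, only honoured by the older gpg keyserver helpers, so a comment naming the GnuPG series this image ships would prevent a silent loss of the pinning after an upgrade.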
@@ -1,3 +1,7 @@ +menu "Networking applications" + source "$BR2_EXTERNAL/package/tlsdate/Config.in" +endmenu + menu "Coreboot" source "$BR2_EXTERNAL/package/coreboot/cbfstool/Config.in" source "$BR2_EXTERNAL/package/coreboot/ifdtool/Config.in" diff --git a/package/tlsdate/Config.in b/package/tlsdate/Config.in new file mode 100644 index 0000000..2694f4c --- /dev/null +++ b/package/tlsdate/Config.in @@ -0,0 +1,14 @@ +config BR2_PACKAGE_TLSDATE + bool "tlsdate" + depends on BR2_i386 || BR2_x86_64 + help + tlsdate: secure parasitic rdate replacement + + tlsdate sets the local clock by securely connecting with TLS to remote + servers and extracting the remote time out of the secure handshake. Unlike + ntpdate, tlsdate uses TCP, for instance connecting to a remote HTTPS or TLS + enabled service, and provides some protection against adversaries that try to + feed you malicious time information. + + https://github.com/ioerror/tlsdate + diff --git a/package/tlsdate/tlsdate.mk b/package/tlsdate/tlsdate.mk new file mode 100644 index 0000000..0f843aa --- /dev/null +++ b/package/tlsdate/tlsdate.mk 
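Review bot: `BR2_PACKAGE_TLSDATE` in package/tlsdate/Config.in declares only an architecture dependency and selects no libraries, and `tlsdate.mk` later in this patch has no `TLSDATE_DEPENDENCIES`. As far as I know tlsdate links against OpenSSL and libevent, so without `select BR2_PACKAGE_OPENSSL` and `select BR2_PACKAGE_LIBEVENT` here, plus `TLSDATE_DEPENDENCIES = openssl libevent` in the .mk, build order is not guaranteed and the option can be enabled on a configuration that cannot link it. The patch also adds the option without turning it on in `configs/coreboot_defconfig`; confirm that is intended.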
@@ -0,0 +1,25 @@
+################################################################################
+#
+# tlsdate
+#
+################################################################################
+
+TLSDATE_VERSION = master
+TLSDATE_SITE = https://github.com/ioerror/tlsdate/archive/master.zip
+TLSDATE_LICENSE = Other
+TLSDATE_LICENSE_FILES = LICENSE
+TLSDATE_CFLAGS = $(TARGET_CFLAGS) -I$(@D)
+TLSDATE_CXXFLAGS = $(TARGET_CXXFLAGS) -I$(@D)
+
+define TLSDATE_BUILD_CMDS
+ $(MAKE) $(TARGET_CONFIGURE_OPTS) HOSTCC="$(TARGET_CC)" CXXFLAGS="$(TLSDATE_CXXFLAGS)" CFLAGS="$(TLSDATE_CFLAGS)" -C $(@D)
+endef
+
+define TLSDATE_INSTALL_TARGET_CMDS
+ $(INSTALL) -m 0755 -D $(@D)/tlsdate $(TARGET_DIR)/usr/sbin/tlsdate
+ $(INSTALL) -m 0755 -D $(@D)/etc/tlsdated.conf $(TARGET_DIR)/etc/tlsdated.conf
+# $(INSTALL) -m 0755 -D $(@D)/init/tlsdated-cros.conf $(TARGET_DIR)/etc/init.d/tlsdate
+endef
+
+$(eval $(generic-package))
+
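Review bot: `TLSDATE_VERSION = master` together with the `archive/master.zip` URL means every build pulls whatever the upstream branch holds at that moment, with no hash file to detect a changed download — a weak point for a tool whose whole job is to set a trusted clock. Pin a release tag or commit and let Buildroot form the URL: `TLSDATE_VERSION = <tag or commit id>` and `TLSDATE_SITE = $(call github,ioerror,tlsdate,$(TLSDATE_VERSION))`, with a `tlsdate.hash` alongside. `tlsdated.conf` is installed with `-m 0755`; a configuration file should be `-m 0644`. The commented-out `tlsdated-cros.conf` install line is dead code and should be removed or replaced by a real init script. Upstream appears to build with autotools, so a bare `$(MAKE)` in a fresh checkout may find no Makefile; `autotools-package` would probably fit better — confirm.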