From 27caf1f2351a1b48fa3307cb3b3dc2ee3b1c8efc Mon Sep 17 00:00:00 2001 From: Abhishek Mishra Date: Wed, 15 Jul 2026 15:44:37 +0000 Subject: [PATCH 1/3] !tools/mkpasswd: PBKDF2 host tool and ROMFS passwd build integration Add standalone host PBKDF2-HMAC-SHA256 mkpasswd, board_romfs_mkpasswd.sh, and promptpasswd.sh with confirm-password support. Integrate ROMFS passwd generation in Board.mk and CMake. Drop TEA key checks from passwd_keys.mk. Signed-off-by: Abhishek Mishra --- boards/Board.mk | 16 +- cmake/nuttx_add_romfs.cmake | 91 +--- cmake/savedefconfig.cmake | 5 +- tools/Makefile.host | 2 +- tools/Unix.mk | 4 +- tools/board_romfs_mkpasswd.sh | 62 +++ tools/configure.sh | 2 +- tools/mkpasswd.c | 831 +++++++++++++++++++-------------- tools/passwd_keys.mk | 71 +-- tools/promptpasswd.sh | 180 +++++++ tools/update_romfs_password.sh | 2 +- 11 files changed, 784 insertions(+), 482 deletions(-) create mode 100755 tools/board_romfs_mkpasswd.sh create mode 100755 tools/promptpasswd.sh diff --git a/boards/Board.mk b/boards/Board.mk index a882433aa8279..aee2a13aef50e 100644 --- a/boards/Board.mk +++ b/boards/Board.mk @@ -36,18 +36,16 @@ $(ETCSRC): $(foreach raw,$(RCRAWS), $(if $(wildcard $(BOARD_DIR)$(DELIM)src$(DEL $(shell mkdir -p $(dir $(ETCDIR)$(DELIM)$(raw))) \ $(shell cp -rfp $(if $(wildcard $(BOARD_DIR)$(DELIM)src$(DELIM)$(raw)), $(BOARD_DIR)$(DELIM)src$(DELIM)$(raw), $(if $(wildcard $(BOARD_COMMON_DIR)$(DELIM)$(raw)), $(BOARD_COMMON_DIR)$(DELIM)$(raw), $(BOARD_DIR)$(DELIM)src$(DELIM)$(raw))) $(ETCDIR)$(DELIM)$(raw))) ifeq ($(CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE),y) - $(Q) mkdir -p $(ETCDIR)$(DELIM)$(CONFIG_ETC_ROMFSMOUNTPT) - $(Q) $(TOPDIR)$(DELIM)tools$(DELIM)mkpasswd$(HOSTEXEEXT) \ + $(Q) set -e; \ + mkdir -p $(ETCDIR)$(DELIM)$(CONFIG_ETC_ROMFSMOUNTPT); \ + $(TOPDIR)$(DELIM)tools$(DELIM)board_romfs_mkpasswd.sh \ + $(TOPDIR) $(ETCDIR)$(DELIM).romfs_passwd.txt \ + $(TOPDIR)$(DELIM)tools$(DELIM)mkpasswd$(HOSTEXEEXT) \ + $(ETCDIR)$(DELIM)$(CONFIG_ETC_ROMFSMOUNTPT)$(DELIM)passwd \ --user $(CONFIG_BOARD_ETC_ROMFS_PASSWD_USER) \ - --password $(CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD) \ --uid $(CONFIG_BOARD_ETC_ROMFS_PASSWD_UID) \ --gid $(CONFIG_BOARD_ETC_ROMFS_PASSWD_GID) \ - --home $(CONFIG_BOARD_ETC_ROMFS_PASSWD_HOME) \ - --key1 $(CONFIG_FSUTILS_PASSWD_KEY1) \ - --key2 $(CONFIG_FSUTILS_PASSWD_KEY2) \ - --key3 $(CONFIG_FSUTILS_PASSWD_KEY3) \ - --key4 $(CONFIG_FSUTILS_PASSWD_KEY4) \ - -o $(ETCDIR)$(DELIM)$(CONFIG_ETC_ROMFSMOUNTPT)$(DELIM)passwd + --home $(CONFIG_BOARD_ETC_ROMFS_PASSWD_HOME) endif $(Q) genromfs -f romfs.img -d $(ETCDIR)$(DELIM)$(CONFIG_ETC_ROMFSMOUNTPT) -V "NSHInitVol" $(Q) echo "#include " > $@ diff --git a/cmake/nuttx_add_romfs.cmake b/cmake/nuttx_add_romfs.cmake index 49cfc51524213..404cbd7638ece 100644 --- a/cmake/nuttx_add_romfs.cmake +++ b/cmake/nuttx_add_romfs.cmake @@ -322,10 +322,10 @@ function(process_all_directory_romfs) message( FATAL_ERROR "\n" - " BUILD ERROR: Admin password not set.\n" + " BUILD ERROR: Root password not set.\n" "\n" " Run make menuconfig and set:\n" - " Board Selection -> Auto-generate /etc/passwd -> Admin password\n" + " Board Selection -> Auto-generate /etc/passwd -> Root password\n" "\n" " For TEA keys, either enable random generation in the same menu,\n" " or set CONFIG_FSUTILS_PASSWD_KEY1..4 under Application Configuration\n" @@ -334,6 +334,12 @@ function(process_all_directory_romfs) " Password and keys are not saved in defconfig.\n") endif() + if(CONFIG_FSUTILS_PASSWD_PBKDF2_ITERATIONS) + set(MKPASSWD_ITERATIONS ${CONFIG_FSUTILS_PASSWD_PBKDF2_ITERATIONS}) + else() + set(MKPASSWD_ITERATIONS 10000) + endif() + # Determine host executable suffix (.exe on Windows, empty elsewhere) if(CMAKE_HOST_WIN32) set(HOST_EXE_SUFFIX .exe) @@ -360,79 +366,6 @@ function(process_all_directory_romfs) endif() set(GENPASSWD_OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/etc/passwd) - - # Delegate detection and generation to the shell helpers so the logic is - # testable outside of cmake. check_passwd_keys.sh prints "yes" when keys - # are absent or at insecure defaults; gen_passwd_keys.sh writes fresh - # /dev/urandom values in-place. - # - # RANDOMIZE_KEYS — single-invocation path: 1. gen_passwd_keys.sh writes new - # keys to .config at configure time. 2. We re-read .config below so - # CONFIG_FSUTILS_PASSWD_KEY1..4 carry the new values for the rest of this - # cmake configure run. 3. add_custom_command is registered with the updated - # key values, so both mkpasswd (passwd hash) and the firmware use the same - # keys — login works without a second cmake invocation. - # - # Note: config.h is regenerated at build time from .config (its dependency), - # so the firmware uses the correct keys automatically. - - execute_process( - COMMAND ${NUTTX_POSIX_SHELL} "${NUTTX_DIR}/tools/check_passwd_keys.sh" - "${NUTTX_DIR}/.config" - OUTPUT_VARIABLE _passwd_keys_need_setup - OUTPUT_STRIP_TRAILING_WHITESPACE - RESULT_VARIABLE _check_rc) - if(NOT _check_rc EQUAL 0) - message( - FATAL_ERROR - "check_passwd_keys.sh failed — check ${NUTTX_DIR}/tools/check_passwd_keys.sh" - ) - endif() - - if(_passwd_keys_need_setup STREQUAL "yes") - if(CONFIG_BOARD_ETC_ROMFS_PASSWD_RANDOMIZE_KEYS) - # Generate keys and write to .config (no key values printed here) - execute_process( - COMMAND ${NUTTX_POSIX_SHELL} "${NUTTX_DIR}/tools/gen_passwd_keys.sh" - "${NUTTX_DIR}/.config" - RESULT_VARIABLE _gen_rc - OUTPUT_QUIET ERROR_QUIET) - if(NOT _gen_rc EQUAL 0) - message( - FATAL_ERROR - "gen_passwd_keys.sh failed — check ${NUTTX_DIR}/.config permissions" - ) - endif() - message( - WARNING "[passwd] TEA keys auto-generated in .config. " - "View: search .config for CONFIG_FSUTILS_PASSWD_KEY. " - "Change: menuconfig -> Application Configuration -> " - "File System Utilities -> Password file support.") - - # Re-read .config so the new key values are live for this configure run - # (mirrors Board.mk's second -include). - file(STRINGS "${NUTTX_DIR}/.config" _fresh_config - REGEX "^CONFIG_FSUTILS_PASSWD_KEY[1-4]=") - foreach(_line ${_fresh_config}) - if(_line MATCHES "^CONFIG_FSUTILS_PASSWD_KEY([1-4])=(.+)$") - set(CONFIG_FSUTILS_PASSWD_KEY${CMAKE_MATCH_1} "${CMAKE_MATCH_2}") - endif() - endforeach() - else() - message( - FATAL_ERROR - "\n" - " BUILD ERROR: TEA encryption keys not configured.\n" - "\n" - " Run make menuconfig and either:\n" - " - enable Generate random TEA keys automatically, or\n" - " - set CONFIG_FSUTILS_PASSWD_KEY1..4 under Application Configuration\n" - " -> File System Utilities -> Password file support\n") - endif() - endif() - - # At this point KEY1..4 are guaranteed to be correct (either freshly - # generated above, or manually set by the user). add_custom_command( OUTPUT ${GENPASSWD_OUTPUT} COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_CURRENT_BINARY_DIR}/etc @@ -441,12 +374,10 @@ function(process_all_directory_romfs) --password "${CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD}" --uid ${CONFIG_BOARD_ETC_ROMFS_PASSWD_UID} --gid ${CONFIG_BOARD_ETC_ROMFS_PASSWD_GID} --home - "${CONFIG_BOARD_ETC_ROMFS_PASSWD_HOME}" --key1 - ${CONFIG_FSUTILS_PASSWD_KEY1} --key2 ${CONFIG_FSUTILS_PASSWD_KEY2} - --key3 ${CONFIG_FSUTILS_PASSWD_KEY3} --key4 - ${CONFIG_FSUTILS_PASSWD_KEY4} -o ${GENPASSWD_OUTPUT} + "${CONFIG_BOARD_ETC_ROMFS_PASSWD_HOME}" --iterations + ${MKPASSWD_ITERATIONS} -o ${GENPASSWD_OUTPUT} DEPENDS ${MKPASSWD_BIN} ${NUTTX_DIR}/.config - COMMENT "Generating /etc/passwd from .config TEA keys") + COMMENT "Generating /etc/passwd with PBKDF2 hash") add_custom_target(generate_passwd DEPENDS ${GENPASSWD_OUTPUT}) add_dependencies(generate_passwd build_host_mkpasswd) diff --git a/cmake/savedefconfig.cmake b/cmake/savedefconfig.cmake index 692a5f1b2d87d..db6742a3621b5 100644 --- a/cmake/savedefconfig.cmake +++ b/cmake/savedefconfig.cmake @@ -76,7 +76,7 @@ list(SORT LINES) foreach(LINE IN LISTS LINES) decode_brackets(LINE) decode_semicolon(LINE) - if(NOT "${LINE}" MATCHES "^CONFIG_FSUTILS_PASSWD_KEY[0-9]" + if(NOT "${LINE}" MATCHES "^CONFIG_FSUTILS_PASSWD_PBKDF2_ITERATIONS=" AND NOT "${LINE}" MATCHES "^CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD=") file(APPEND ${OUTPUT_FILE} "${LINE}\n") endif() @@ -85,7 +85,8 @@ endforeach() if(PASSWD_AUTOGEN_ENABLED) message( WARNING - "CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD and CONFIG_FSUTILS_PASSWD_KEY1-4 " + "CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD and " + "CONFIG_FSUTILS_PASSWD_PBKDF2_ITERATIONS " "were intentionally excluded from defconfig by savedefconfig. Add them " "manually in local defconfig if needed.") endif() diff --git a/tools/Makefile.host b/tools/Makefile.host index 410dca776ad2f..3a2926cd659ed 100644 --- a/tools/Makefile.host +++ b/tools/Makefile.host @@ -107,7 +107,7 @@ ifdef HOSTEXEEXT mkversion: mkversion$(HOSTEXEEXT) endif -# mkpasswd - Generate a NuttX /etc/passwd entry with TEA-encrypted password +# mkpasswd - Generate a NuttX /etc/passwd entry with PBKDF2-HMAC-SHA256 hash mkpasswd$(HOSTEXEEXT): mkpasswd.c $(Q) $(HOSTCC) $(HOSTCFLAGS) -o mkpasswd$(HOSTEXEEXT) mkpasswd.c diff --git a/tools/Unix.mk b/tools/Unix.mk index d421205c1e6be..8424763d8d832 100644 --- a/tools/Unix.mk +++ b/tools/Unix.mk @@ -780,7 +780,7 @@ savedefconfig: apps_preconfig $(Q) ${KCONFIG_ENV} ${KCONFIG_SAVEDEFCONFIG} $(Q) $(call kconfig_tweak_disable,defconfig.tmp,CONFIG_APPS_DIR) $(Q) $(call kconfig_tweak_disable,defconfig.tmp,CONFIG_BASE_DEFCONFIG) - $(Q) sed -i.bak -e '/^CONFIG_FSUTILS_PASSWD_KEY[0-9]/d' defconfig.tmp + $(Q) sed -i.bak -e '/^CONFIG_FSUTILS_PASSWD_PBKDF2_ITERATIONS=/d' defconfig.tmp $(Q) sed -i.bak -e '/^CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD=/d' defconfig.tmp $(Q) grep "CONFIG_ARCH=" .config >> defconfig.tmp $(Q) grep "^CONFIG_ARCH_CHIP_" .config >> defconfig.tmp; true @@ -803,7 +803,7 @@ savedefconfig: apps_preconfig $(Q) rm -f sortedconfig.tmp $(Q) if grep -q '^CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y' .config; then \ echo "WARNING: CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD was not saved in defconfig."; \ - echo "WARNING: CONFIG_FSUTILS_PASSWD_KEY1-4 were not saved in defconfig."; \ + echo "WARNING: CONFIG_FSUTILS_PASSWD_PBKDF2_ITERATIONS was not saved in defconfig."; \ echo "WARNING: This is intentional to avoid leaking credentials. Add them manually in local defconfig if needed."; \ fi diff --git a/tools/board_romfs_mkpasswd.sh b/tools/board_romfs_mkpasswd.sh new file mode 100755 index 0000000000000..2256bf91c988c --- /dev/null +++ b/tools/board_romfs_mkpasswd.sh @@ -0,0 +1,62 @@ +#!/usr/bin/env bash +# tools/board_romfs_mkpasswd.sh +# +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. The +# ASF licenses this file to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance with the +# License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Ensure the ROMFS root password is configured, then run mkpasswd. +# Arguments: +# board_romfs_mkpasswd.sh [mkpasswd args...] + +set -e + +TOPDIR=$1 +PASSFILE=$2 +MKPASSWD=$3 +OUTPUT=$4 +shift 4 + +CONFIG_FILE="${TOPDIR}/.config" + +read_int_config() { + local symbol=$1 + local default=$2 + local value + + value=$(grep "^${symbol}=" "${CONFIG_FILE}" 2>/dev/null | cut -d= -f2- | tr -d '"') + if [ -z "${value}" ]; then + echo "${default}" + else + echo "${value}" + fi +} + +ITERATIONS=$(read_int_config CONFIG_FSUTILS_PASSWD_PBKDF2_ITERATIONS 10000) + +"${TOPDIR}/tools/promptpasswd.sh" \ + --min 8 \ + --config CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD \ + --config-file "${CONFIG_FILE}" \ + --update-config \ + --prompt "ROMFS root password (min 8 characters): " \ + --output-file "${PASSFILE}" + +PASSWORD=$(cat "${PASSFILE}") +"${MKPASSWD}" --password "${PASSWORD}" \ + --iterations "${ITERATIONS}" \ + "$@" -o "${OUTPUT}" +rm -f "${PASSFILE}" diff --git a/tools/configure.sh b/tools/configure.sh index 47a53e4176e1c..1fdaeabae80e6 100755 --- a/tools/configure.sh +++ b/tools/configure.sh @@ -356,7 +356,7 @@ echo "CONFIG_BASE_DEFCONFIG=\"$posboardconfig\"" >> "${dest_config}" ${TOPDIR}/tools/sethost.sh $host $* -# Supply ROMFS admin password from NUTTX_ROMFS_PASSWD_PASSWORD when absent +# Supply ROMFS root password from NUTTX_ROMFS_PASSWD_PASSWORD when absent "${TOPDIR}/tools/update_romfs_password.sh" "${dest_config}" # Save the original configuration file without CONFIG_BASE_DEFCONFIG diff --git a/tools/mkpasswd.c b/tools/mkpasswd.c index 9eb2fe555251e..bd5a9f8fc7598 100644 --- a/tools/mkpasswd.c +++ b/tools/mkpasswd.c @@ -22,46 +22,28 @@ /**************************************************************************** * Description: - * Host tool that writes one NuttX /etc/passwd line with a TEA-encrypted - * password hash. The plaintext password is never stored in the output. + * Host build tool that generates a NuttX /etc/passwd entry with a + * PBKDF2-HMAC-SHA256 password hash. This is a pure C replacement for the + * former tools/mkpasswd.py, removing the Python dependency from the build. * - * Build integration: - * When ``CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y``, ``boards/Board.mk`` - * invokes this program during the ROMFS etc/ image build. The password - * and TEA keys are taken from ``.config`` (see ``tools/passwd_keys.mk``, - * ``tools/update_romfs_password.sh``, and - * Documentation/components/tools/index.rst). + * The hash format is identical to that used at runtime by: + * apps/fsutils/passwd/passwd_encrypt.c + * apps/fsutils/passwd/passwd_verify.c * - * Runtime compatibility: - * The encryption algorithm and base64 encoding match: - * libs/libc/misc/lib_tea_encrypt.c - * apps/fsutils/passwd/passwd_encrypt.c - * - * Security (enforced before writing output): - * - Password must be non-empty and at least 8 characters. - * - Password ``Administrator`` is rejected (legacy insecure default). - * - The published default TEA key set (0x12345678 / 0x9abcdef0) - * is rejected. Use Kconfig keys or explicit --key options. - * - * Standalone usage (advanced / debugging only): - * mkpasswd --user --password \\ - * --key1 --key2 --key3 --key4 \\ - * [-o ] + * Usage: + * mkpasswd --user --password [options] [-o ] * * Options: - * --user Username (required) - * --password Plaintext password (required, min 8 characters) - * --uid User ID (default: 0) - * --gid Group ID (default: 0) - * --home Home directory (default: /) - * --key1 TEA key word 1 (required for standalone use) - * --key2 TEA key word 2 (required for standalone use) - * --key3 TEA key word 3 (required for standalone use) - * --key4 TEA key word 4 (required for standalone use) - * -o Output file (default: stdout) + * --user Username (required) + * --password Plaintext password (required, not stored in output) + * --uid User ID (default: 0) + * --gid Group ID (default: 0) + * --home Home directory (default: /) + * --iterations PBKDF2 iterations (default: 10000) + * -o Output file (default: stdout) * - * Output format: - * username:encrypted_hash:uid:gid:home + * Output format (matches NuttX passwd file format): + * username:$pbkdf2-sha256$$$:uid:gid:home * ****************************************************************************/ @@ -69,11 +51,6 @@ * Included Files ****************************************************************************/ -/* Expose strdup(), mkdir() and other POSIX.1-2008 extensions when - * compiling with strict C99 mode (-std=c99). Has no effect on C11/GNU - * builds or MSVC. - */ - #ifndef _POSIX_C_SOURCE # define _POSIX_C_SOURCE 200809L #endif @@ -82,9 +59,13 @@ #include #include #include +#include #include #ifndef CONFIG_WINDOWS_NATIVE +# include +# include # include +# include #else # include #endif @@ -93,266 +74,503 @@ * Pre-processor Definitions ****************************************************************************/ -/* TEA key schedule constant (derived from the golden ratio) */ - -#define TEA_KEY_SCHEDULE_CONSTANT 0x9e3779b9u - -/* Password size limits - must match apps/fsutils/passwd/passwd.h */ - -#define MAX_ENCRYPTED 48 /* Max size of encrypted password (ASCII) */ -#define MAX_PASSWORD (3 * MAX_ENCRYPTED / 4) /* Max plaintext length */ -#define MIN_PASSWORD 8 /* Minimum plaintext length for security */ - -/* Known-insecure TEA key values from legacy NuttX releases. Used only to - * detect and reject the published default set in main(); normal builds pass - * keys from CONFIG_FSUTILS_PASSWD_KEY1..4 via boards/Board.mk. - */ +#define MKPASSWD_NL "\n\n" +#define PASSWD_MCF_PREFIX "$pbkdf2-sha256$" +#define PASSWD_SALT_BYTES 16 +#define PASSWD_HASH_BYTES 32 +#define MAX_ENCRYPTED 96 +#define MAX_PASSWORD 256 +#define MIN_PASSWORD 8 +#define DEFAULT_ITERATIONS 10000 +#define MIN_ITERATIONS 1000 +#define MAX_ITERATIONS 200000 -#define DEFAULT_KEY1 0x12345678u -#define DEFAULT_KEY2 0x9abcdef0u -#define DEFAULT_KEY3 0x12345678u -#define DEFAULT_KEY4 0x9abcdef0u +static const char g_base64url[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"; /**************************************************************************** - * Private Types + * Private Types (minimal SHA-256) ****************************************************************************/ -/* 8-byte block interpreted as bytes, 16-bit halves, or 32-bit words */ - -union block_u +struct sha256_ctx { - char b[8]; - uint16_t h[4]; - uint32_t l[2]; + uint32_t state[8]; + uint64_t bitlen; + uint8_t data[64]; + uint32_t datalen; }; /**************************************************************************** - * Private Functions + * Private Functions (SHA-256 + HMAC-SHA256 + PBKDF2) ****************************************************************************/ -/**************************************************************************** - * Name: tea_encrypt - * - * Description: - * Encrypt two 32-bit words in-place using the Tiny Encryption Algorithm. - * This is an exact copy of the algorithm in - * libs/libc/misc/lib_tea_encrypt.c (public-domain TEA by Wheeler & - * Needham), inlined here so that the host tool has no NuttX dependencies. - * - * Input Parameters: - * value - Two-element array [v0, v1] to encrypt (modified in-place) - * key - Four-element 128-bit key array - * - ****************************************************************************/ +static uint32_t rotr32(uint32_t x, uint32_t n) +{ + return (x >> n) | (x << (32 - n)); +} -static void tea_encrypt(uint32_t *value, const uint32_t *key) +static void sha256_transform(struct sha256_ctx *ctx, + const uint8_t data[64]) { - uint32_t v0 = value[0]; - uint32_t v1 = value[1]; - uint32_t sum = 0; + static const uint32_t k[64] = + { + 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, + 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, + 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, + 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, + 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, + 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, + 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, + 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, + 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, + 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, + 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, + 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, + 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, + 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, + 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, + 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 + }; + + uint32_t m[64]; + uint32_t a; + uint32_t b; + uint32_t c; + uint32_t d; + uint32_t e; + uint32_t f; + uint32_t g; + uint32_t h; + uint32_t t1; + uint32_t t2; + uint32_t s0; + uint32_t s1; int i; - for (i = 0; i < 32; i++) + for (i = 0; i < 16; i++) { - sum += TEA_KEY_SCHEDULE_CONSTANT; - v0 += ((v1 << 4) + key[0]) ^ (v1 + sum) ^ ((v1 >> 5) + key[1]); - v1 += ((v0 << 4) + key[2]) ^ (v0 + sum) ^ ((v0 >> 5) + key[3]); + m[i] = ((uint32_t)data[i * 4] << 24) | + ((uint32_t)data[i * 4 + 1] << 16) | + ((uint32_t)data[i * 4 + 2] << 8) | + ((uint32_t)data[i * 4 + 3]); + } + + for (i = 16; i < 64; i++) + { + s0 = rotr32(m[i - 15], 7) ^ rotr32(m[i - 15], 18) ^ + (m[i - 15] >> 3); + s1 = rotr32(m[i - 2], 17) ^ rotr32(m[i - 2], 19) ^ + (m[i - 2] >> 10); + + m[i] = m[i - 16] + s0 + m[i - 7] + s1; } - value[0] = v0; - value[1] = v1; + a = ctx->state[0]; + b = ctx->state[1]; + c = ctx->state[2]; + d = ctx->state[3]; + e = ctx->state[4]; + f = ctx->state[5]; + g = ctx->state[6]; + h = ctx->state[7]; + + for (i = 0; i < 64; i++) + { + t1 = h + (rotr32(e, 6) ^ rotr32(e, 11) ^ rotr32(e, 25)) + + ((e & f) ^ ((~e) & g)) + k[i] + m[i]; + t2 = (rotr32(a, 2) ^ rotr32(a, 13) ^ rotr32(a, 22)) + + ((a & b) ^ (a & c) ^ (b & c)); + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + } + + ctx->state[0] += a; + ctx->state[1] += b; + ctx->state[2] += c; + ctx->state[3] += d; + ctx->state[4] += e; + ctx->state[5] += f; + ctx->state[6] += g; + ctx->state[7] += h; } -/**************************************************************************** - * Name: passwd_base64 - * - * Description: - * Encode the low 6 bits of a byte as a custom base64 character. - * Alphabet: A-Z (0-25), a-z (26-51), 0-9 (52-61), + (62), / (63). - * The colon ':' is deliberately absent so it never collides with the - * passwd field separator. - * - * This matches passwd_base64() in apps/fsutils/passwd/passwd_encrypt.c. - * - ****************************************************************************/ +static void sha256_init(struct sha256_ctx *ctx) +{ + ctx->datalen = 0; + ctx->bitlen = 0; + ctx->state[0] = 0x6a09e667; + ctx->state[1] = 0xbb67ae85; + ctx->state[2] = 0x3c6ef372; + ctx->state[3] = 0xa54ff53a; + ctx->state[4] = 0x510e527f; + ctx->state[5] = 0x9b05688c; + ctx->state[6] = 0x1f83d9ab; + ctx->state[7] = 0x5be0cd19; +} -static char passwd_base64(uint8_t binary) +static void sha256_update(struct sha256_ctx *ctx, + const uint8_t *data, size_t len) { - binary &= 63; + size_t i; - if (binary < 26) + for (i = 0; i < len; i++) { - return (char)('A' + binary); + ctx->data[ctx->datalen] = data[i]; + ctx->datalen++; + if (ctx->datalen == 64) + { + sha256_transform(ctx, ctx->data); + ctx->bitlen += 512; + ctx->datalen = 0; + } } +} + +static void sha256_final(struct sha256_ctx *ctx, uint8_t hash[32]) +{ + uint32_t i; + uint32_t j; + + i = ctx->datalen; - binary -= 26; - if (binary < 26) + if (ctx->datalen < 56) + { + ctx->data[i++] = 0x80; + while (i < 56) + { + ctx->data[i++] = 0x00; + } + } + else { - return (char)('a' + binary); + ctx->data[i++] = 0x80; + while (i < 64) + { + ctx->data[i++] = 0x00; + } + + sha256_transform(ctx, ctx->data); + memset(ctx->data, 0, 56); } - binary -= 26; - if (binary < 10) + ctx->bitlen += (uint64_t)ctx->datalen * 8; + ctx->data[63] = (uint8_t)(ctx->bitlen); + ctx->data[62] = (uint8_t)(ctx->bitlen >> 8); + ctx->data[61] = (uint8_t)(ctx->bitlen >> 16); + ctx->data[60] = (uint8_t)(ctx->bitlen >> 24); + ctx->data[59] = (uint8_t)(ctx->bitlen >> 32); + ctx->data[58] = (uint8_t)(ctx->bitlen >> 40); + ctx->data[57] = (uint8_t)(ctx->bitlen >> 48); + ctx->data[56] = (uint8_t)(ctx->bitlen >> 56); + sha256_transform(ctx, ctx->data); + + for (i = 0; i < 4; i++) { - return (char)('0' + binary); + for (j = 0; j < 8; j++) + { + hash[i + (j * 4)] = (uint8_t)((ctx->state[j] >> + (24 - i * 8)) & 0xff); + } } +} - binary -= 10; - if (binary == 0) +static void hmac_sha256(const uint8_t *key, size_t keylen, + const uint8_t *data, size_t datalen, + uint8_t mac[32]) +{ + struct sha256_ctx ctx; + uint8_t k_ipad[64]; + uint8_t k_opad[64]; + uint8_t tk[32]; + size_t i; + + if (keylen > 64) { - return '+'; + sha256_init(&ctx); + sha256_update(&ctx, key, keylen); + sha256_final(&ctx, tk); + key = tk; + keylen = 32; } - return '/'; -} + memset(k_ipad, 0, sizeof(k_ipad)); + memset(k_opad, 0, sizeof(k_opad)); + memcpy(k_ipad, key, keylen); + memcpy(k_opad, key, keylen); -/**************************************************************************** - * Name: passwd_encrypt - * - * Description: - * Encrypt a plaintext password string and store the result as a - * NUL-terminated base64 string in `encrypted`. - * - * Algorithm (identical to apps/fsutils/passwd/passwd_encrypt.c): - * 1. Process the password in 8-byte gulps, padding short gulps with - * ASCII spaces. - * 2. TEA-encrypt each 8-byte gulp as two uint32_t words. - * 3. Interpret the result as four uint16_t half-words. - * 4. Stream-encode those half-words 6 bits at a time using the custom - * base64 alphabet above. - * - * Input Parameters: - * password - NUL-terminated plaintext password - * key - Four-element 128-bit TEA key - * encrypted - Output buffer (at least MAX_ENCRYPTED + 1 bytes) - * - * Returned Value: - * 0 on success, -1 on error (password too long). - * - ****************************************************************************/ + for (i = 0; i < 64; i++) + { + k_ipad[i] ^= 0x36; + k_opad[i] ^= 0x5c; + } + + sha256_init(&ctx); + sha256_update(&ctx, k_ipad, 64); + sha256_update(&ctx, data, datalen); + sha256_final(&ctx, mac); + + sha256_init(&ctx); + sha256_update(&ctx, k_opad, 64); + sha256_update(&ctx, mac, 32); + sha256_final(&ctx, mac); +} -static int passwd_encrypt(const char *password, - const uint32_t *key, - char encrypted[MAX_ENCRYPTED + 1]) +static int pbkdf2_hmac_sha256(const uint8_t *pass, size_t passlen, + const uint8_t *salt, size_t saltlen, + uint32_t iterations, + uint8_t *out, size_t outlen) { - union block_u value; - const char *src; - char *dest; - uint32_t tmp; - uint8_t remainder; - int remaining; - int gulpsize; - int nbits; - int i; - - remaining = (int)strlen(password); - if (remaining > MAX_PASSWORD) - { - fprintf(stderr, "mkpasswd: password too long (max %d characters)\n", - MAX_PASSWORD); + uint8_t u[32]; + uint8_t t[32]; + uint8_t saltblk[64]; + size_t generated = 0; + uint32_t block; + uint32_t i; + uint32_t j; + + if (iterations == 0 || outlen == 0 || saltlen + 4 > sizeof(saltblk)) + { return -1; } - src = password; - dest = encrypted; - *dest = '\0'; - remainder = 0; - nbits = 0; - - for (; remaining > 0; remaining -= gulpsize) + for (block = 1; generated < outlen; block++) { - /* Copy up to 8 bytes into the block, padding the rest with spaces */ + memcpy(saltblk, salt, saltlen); + saltblk[saltlen + 0] = (uint8_t)((block >> 24) & 0xff); + saltblk[saltlen + 1] = (uint8_t)((block >> 16) & 0xff); + saltblk[saltlen + 2] = (uint8_t)((block >> 8) & 0xff); + saltblk[saltlen + 3] = (uint8_t)(block & 0xff); + + hmac_sha256(pass, passlen, saltblk, saltlen + 4, u); + memcpy(t, u, sizeof(t)); - gulpsize = 8; - if (gulpsize > remaining) + for (i = 1; i < iterations; i++) { - gulpsize = remaining; + hmac_sha256(pass, passlen, u, sizeof(u), u); + for (j = 0; j < 32; j++) + { + t[j] ^= u[j]; + } } - for (i = 0; i < gulpsize; i++) + if (outlen - generated >= 32) { - value.b[i] = *src++; + memcpy(out + generated, t, 32); + generated += 32; } - - for (; i < 8; i++) + else { - value.b[i] = ' '; + memcpy(out + generated, t, outlen - generated); + generated = outlen; } + } + + return 0; +} + +static int fill_random(uint8_t *buf, size_t len) +{ +#ifndef CONFIG_WINDOWS_NATIVE + ssize_t nread; + int fd; - /* TEA-encrypt the block in-place */ +# ifdef SYS_getrandom + nread = getrandom(buf, len, 0); + if (nread == (ssize_t)len) + { + return 0; + } +# endif - tea_encrypt(value.l, key); + fd = open("/dev/urandom", O_RDONLY); + if (fd < 0) + { + return -1; + } - /* Stream-encode the four 16-bit half-words into base64 */ + nread = read(fd, buf, len); + close(fd); - tmp = remainder; + return nread == (ssize_t)len ? 0 : -1; +#else + (void)buf; + (void)len; + return -1; +#endif +} - for (i = 0; i < 4; i++) - { - tmp = ((uint32_t)value.h[i] << nbits) | tmp; - nbits += 16; +static int base64url_encode(const uint8_t *in, size_t inlen, + char *out, size_t outlen) +{ + uint32_t acc = 0; + size_t i; + size_t o = 0; + int bits = 0; + + for (i = 0; i < inlen; i++) + { + acc = (acc << 8) | in[i]; + bits += 8; - while (nbits >= 6) + while (bits >= 6) + { + if (o + 1 >= outlen) { - *dest++ = passwd_base64((uint8_t)(tmp & 0x3f)); - tmp >>= 6; - nbits -= 6; + return -1; } - } - remainder = (uint8_t)tmp; - *dest = '\0'; + bits -= 6; + out[o++] = g_base64url[(acc >> bits) & 0x3f]; + } } - /* Flush any remaining bits */ + if (bits > 0) + { + if (o + 1 >= outlen) + { + return -1; + } - if (nbits > 0) + out[o++] = g_base64url[(acc << (6 - bits)) & 0x3f]; + } + + if (o >= outlen) { - *dest++ = passwd_base64(remainder); - *dest = '\0'; + return -1; } + out[o] = '\0'; return 0; } -/**************************************************************************** - * Name: parse_uint32_hex - * - * Description: - * Parse a hex string (with or without leading "0x"/"0X") into a uint32_t. - * Returns 0 on success, -1 on parse error. - * - ****************************************************************************/ - -static int parse_uint32_hex(const char *str, uint32_t *out) +static int validate_password_complexity(const char *password) { - char *endptr; - unsigned long val; + const char *specials = "!@#$%^&*()_+-=[]{}|;:,.<>?"; + const char *p; + int has_upper = 0; + int has_lower = 0; + int has_digit = 0; + int has_special = 0; + + if (strlen(password) < MIN_PASSWORD) + { + fprintf(stderr, "\nError: password must be at least 8 characters\n\n"); + return -1; + } + + if (strlen(password) > MAX_PASSWORD) + { + fprintf(stderr, "\nError: password must be at most %d characters\n\n", + MAX_PASSWORD); + return -1; + } + + for (p = password; *p; p++) + { + if (isupper((unsigned char)*p)) + { + has_upper = 1; + } + else if (islower((unsigned char)*p)) + { + has_lower = 1; + } + else if (isdigit((unsigned char)*p)) + { + has_digit = 1; + } + else if (strchr(specials, *p)) + { + has_special = 1; + } + } + + if (!has_upper) + { + fprintf(stderr, + "\nError: password must contain at least one uppercase " + "letter (A-Z)\n\n"); + return -1; + } - if (str == NULL || *str == '\0') + if (!has_lower) { + fprintf(stderr, + "\nError: password must contain at least one lowercase " + "letter (a-z)\n\n"); return -1; } - errno = 0; - val = strtoul(str, &endptr, 0); /* base 0: auto-detect 0x prefix */ - if (errno != 0 || *endptr != '\0') + if (!has_digit) { + fprintf(stderr, + "\nError: password must contain at least one digit " + "(0-9)\n\n"); + return -1; + } + + if (!has_special) + { + fprintf(stderr, + "\nError: password must contain at least one special " + "character (!@#$%%^&*()_+-=[]{}|;:,.<>?)\n\n"); return -1; } - *out = (uint32_t)val; return 0; } -/**************************************************************************** - * Name: mkdir_p - * - * Description: - * Create all directory components in `path`, like "mkdir -p". - * Returns 0 on success, -1 on error. - * - ****************************************************************************/ +static int passwd_hash(const char *password, + uint32_t iterations, + char encrypted[MAX_ENCRYPTED + 1]) +{ + uint8_t salt[PASSWD_SALT_BYTES]; + uint8_t hash[PASSWD_HASH_BYTES]; + char salt_b64[32]; + char hash_b64[48]; + size_t passlen; + int ret; + + passlen = strlen(password); + + if (fill_random(salt, sizeof(salt)) < 0) + { + fputs(MKPASSWD_NL, stderr); + fprintf(stderr, "mkpasswd: cannot obtain random salt\n"); + return -1; + } + + if (pbkdf2_hmac_sha256((const uint8_t *)password, passlen, + salt, sizeof(salt), iterations, + hash, sizeof(hash)) < 0) + { + return -1; + } + + if (base64url_encode(salt, sizeof(salt), salt_b64, + sizeof(salt_b64)) < 0 || + base64url_encode(hash, sizeof(hash), hash_b64, + sizeof(hash_b64)) < 0) + { + return -1; + } + + ret = snprintf(encrypted, MAX_ENCRYPTED + 1, + PASSWD_MCF_PREFIX "%u$%s$%s", + iterations, salt_b64, hash_b64); + if (ret < 0 || (size_t)ret > MAX_ENCRYPTED) + { + return -1; + } + + return 0; +} static int mkdir_p(const char *path) { @@ -368,8 +586,6 @@ static int mkdir_p(const char *path) len = strlen(tmp); - /* Strip trailing slash */ - if (len > 0 && tmp[len - 1] == '/') { tmp[len - 1] = '\0'; @@ -398,35 +614,22 @@ static int mkdir_p(const char *path) return 0; } -/**************************************************************************** - * Name: show_usage - ****************************************************************************/ - static void show_usage(const char *progname) { fprintf(stderr, - "Usage: %s --user --password \n" - " --key1 --key2 --key3 --key4 \n" - " [options] [-o ]\n" + "Usage: %s --user --password [options] [-o ]\n" "\n" "Options:\n" - " --user Username (required)\n" - " --password Plaintext password (required, min %d chars)\n" - " --uid User ID (default: 0)\n" - " --gid Group ID (default: 0)\n" - " --home Home directory (default: /)\n" - " --key1 TEA key word 1\n" - " --key2 TEA key word 2 (all four required;\n" - " --key3 TEA key word 3 legacy defaults rejected)\n" - " --key4 TEA key word 4\n" - " -o Output file (default: stdout)\n" - "\n" - "Rejected: empty password, \"Administrator\", default TEA keys.\n" - "See Documentation/components/tools/index.rst for normal builds.\n" + " --user Username (required)\n" + " --password Plaintext password (required)\n" + " --uid User ID (default: 0)\n" + " --gid Group ID (default: 0)\n" + " --home Home directory (default: /)\n" + " --iterations PBKDF2 iterations (default: %d)\n" + " -o Output file (default: stdout)\n" "\n" - "Output format: username:encrypted_hash:uid:gid:home\n", - progname, - MIN_PASSWORD); + "Output format: username:$pbkdf2-sha256$...:uid:gid:home\n", + progname, DEFAULT_ITERATIONS); } /**************************************************************************** @@ -435,23 +638,25 @@ static void show_usage(const char *progname) int main(int argc, char **argv) { - const char *user = NULL; - const char *password = NULL; - const char *home = "/"; - const char *outpath = NULL; - int uid = 0; - int gid = 0; - uint32_t key[4] = - { - DEFAULT_KEY1, DEFAULT_KEY2, DEFAULT_KEY3, DEFAULT_KEY4 - }; - - char encrypted[MAX_ENCRYPTED + 1]; + const char *user; + const char *password; + const char *home; + const char *outpath; FILE *out; - int i; - int ret; + char encrypted[MAX_ENCRYPTED + 1]; + int uid; + int gid; + uint32_t iterations; + int i; + int ret; - /* Simple long-option parser (avoids getopt_long portability concerns) */ + user = NULL; + password = NULL; + home = "/"; + outpath = NULL; + uid = 0; + gid = 0; + iterations = DEFAULT_ITERATIONS; for (i = 1; i < argc; i++) { @@ -475,41 +680,9 @@ int main(int argc, char **argv) { home = argv[++i]; } - else if (strcmp(argv[i], "--key1") == 0 && i + 1 < argc) - { - if (parse_uint32_hex(argv[++i], &key[0]) < 0) - { - fprintf(stderr, "mkpasswd: invalid --key1 value: %s\n", - argv[i]); - return 1; - } - } - else if (strcmp(argv[i], "--key2") == 0 && i + 1 < argc) - { - if (parse_uint32_hex(argv[++i], &key[1]) < 0) - { - fprintf(stderr, "mkpasswd: invalid --key2 value: %s\n", - argv[i]); - return 1; - } - } - else if (strcmp(argv[i], "--key3") == 0 && i + 1 < argc) + else if (strcmp(argv[i], "--iterations") == 0 && i + 1 < argc) { - if (parse_uint32_hex(argv[++i], &key[2]) < 0) - { - fprintf(stderr, "mkpasswd: invalid --key3 value: %s\n", - argv[i]); - return 1; - } - } - else if (strcmp(argv[i], "--key4") == 0 && i + 1 < argc) - { - if (parse_uint32_hex(argv[++i], &key[3]) < 0) - { - fprintf(stderr, "mkpasswd: invalid --key4 value: %s\n", - argv[i]); - return 1; - } + iterations = (uint32_t)strtoul(argv[++i], NULL, 10); } else if ((strcmp(argv[i], "-o") == 0 || strcmp(argv[i], "--output") == 0) && i + 1 < argc) @@ -524,16 +697,16 @@ int main(int argc, char **argv) } else { + fputs(MKPASSWD_NL, stderr); fprintf(stderr, "mkpasswd: unknown option: %s\n", argv[i]); show_usage(argv[0]); return 1; } } - /* Validate required arguments */ - if (user == NULL) { + fputs(MKPASSWD_NL, stderr); fprintf(stderr, "mkpasswd: --user is required\n"); show_usage(argv[0]); return 1; @@ -541,78 +714,39 @@ int main(int argc, char **argv) if (password == NULL) { + fputs(MKPASSWD_NL, stderr); fprintf(stderr, "mkpasswd: --password is required\n"); show_usage(argv[0]); return 1; } - if (password[0] == '\0') - { - fprintf(stderr, - "mkpasswd: ERROR: password must not be empty.\n" - " Set it in menuconfig: Board Selection -> " - "Auto-generate /etc/passwd -> Admin password\n"); - return 1; - } - - if (strlen(password) < MIN_PASSWORD) + if (validate_password_complexity(password) < 0) { - fprintf(stderr, - "mkpasswd: --password must be at least %d characters\n", - MIN_PASSWORD); return 1; } - /* Reject the well-known default password. The build system should have - * caught this already; mkpasswd is the last line of defence. - */ - - if (strcmp(password, "Administrator") == 0) + if (iterations < MIN_ITERATIONS || iterations > MAX_ITERATIONS) { + fputs(MKPASSWD_NL, stderr); fprintf(stderr, - "mkpasswd: ERROR: password \"Administrator\" is not allowed.\n" - " Set a unique password in menuconfig: Board Selection -> " - "Auto-generate /etc/passwd -> Admin password\n"); + "mkpasswd: --iterations must be between %d and %d\n", + MIN_ITERATIONS, MAX_ITERATIONS); return 1; } - /* Reject the default TEA keys. Using the published defaults means any - * attacker who has a copy of the NuttX source can decrypt the password - * hash directly from the firmware image (CWE-321). - */ - - if (key[0] == DEFAULT_KEY1 && key[1] == DEFAULT_KEY2 && - key[2] == DEFAULT_KEY3 && key[3] == DEFAULT_KEY4) - { - fprintf(stderr, - "mkpasswd: ERROR: default TEA encryption keys " - "are not allowed.\n" - " Set keys in menuconfig: Application Configuration -> " - "File System Utilities -> Password file support\n" - " Or enable random key generation under Board Selection -> " - "Auto-generate /etc/passwd\n"); - return 1; - } - - /* Encrypt the password using TEA + custom base64. - * Only the hash is written to the output file; the plaintext is never - * stored in firmware. - */ - - ret = passwd_encrypt(password, key, encrypted); + ret = passwd_hash(password, iterations, encrypted); if (ret < 0) { return 1; } - /* Open the output stream */ - if (outpath != NULL) { - /* Create parent directory if it does not exist */ + char *dir; + char *last; - char *dir = strdup(outpath); - char *last = strrchr(dir, '/'); + dir = strdup(outpath); + last = strrchr(dir, '/'); if (last != NULL && last != dir) { @@ -625,6 +759,7 @@ int main(int argc, char **argv) out = fopen(outpath, "w"); if (out == NULL) { + fputs(MKPASSWD_NL, stderr); fprintf(stderr, "mkpasswd: cannot open output file '%s': %s\n", outpath, strerror(errno)); return 1; @@ -635,12 +770,6 @@ int main(int argc, char **argv) out = stdout; } - /* Write the passwd entry. - * Format: username:encrypted_hash:uid:gid:home - * This matches the format expected by apps/fsutils/passwd/passwd_find.c - * and the existing NuttX /etc/passwd files. - */ - fprintf(out, "%s:%s:%d:%d:%s\n", user, encrypted, uid, gid, home); if (outpath != NULL) diff --git a/tools/passwd_keys.mk b/tools/passwd_keys.mk index e91e945fa3861..2042c19653dd7 100644 --- a/tools/passwd_keys.mk +++ b/tools/passwd_keys.mk @@ -3,13 +3,9 @@ # # SPDX-License-Identifier: Apache-2.0 # -# Passwd / TEA-key validation and generation. Included from the top-level -# Makefile immediately after .config is loaded, BEFORE tools/Unix.mk builds -# include/nuttx/config.h. This ordering guarantees that freshly generated -# keys are present in .config when config.h is created, so the firmware and -# mkpasswd always agree on the same key values in a single make invocation. -# -# Board.mk only consumes CONFIG_FSUTILS_PASSWD_KEY1..4 in the ROMFS recipe. +# ROMFS password validation. Included from the top-level Makefile +# immediately after .config is loaded, BEFORE tools/Unix.mk builds +# include/nuttx/config.h. ############################################################################ TOPDIR ?= . @@ -28,6 +24,30 @@ else _PASSWD_ENFORCE := $(if $(filter-out $(PASSWD_SKIP_GOALS),$(MAKECMDGOALS)),y,) endif +ifeq ($(_PASSWD_ENFORCE),y) + +# Reject removed fixed-login symbols left in stale .config or defconfig files. +ifneq ($(shell grep -c '^CONFIG_NSH_LOGIN_FIXED=y' $(TOPDIR)/.config 2>/dev/null),0) +$(error CONFIG_NSH_LOGIN_FIXED was removed. Enable CONFIG_FSUTILS_PASSWD and CONFIG_NSH_LOGIN_PASSWD, or use CONFIG_NSH_LOGIN_PLATFORM with platform_user_verify().) +endif +ifneq ($(shell grep -c '^CONFIG_NSH_LOGIN_PASSWORD=' $(TOPDIR)/.config 2>/dev/null),0) +$(error CONFIG_NSH_LOGIN_PASSWORD was removed. Set CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD in menuconfig or export NUTTX_ROMFS_PASSWD_PASSWORD.) +endif + +ifeq ($(CONFIG_NSH_CONSOLE_LOGIN),y) +ifeq ($(CONFIG_FSUTILS_PASSWD),) +$(error NSH console login requires CONFIG_FSUTILS_PASSWD. Fixed login was removed; enable password file support and CONFIG_NSH_LOGIN_PASSWD.) +endif +endif + +ifeq ($(CONFIG_NSH_TELNET_LOGIN),y) +ifeq ($(CONFIG_FSUTILS_PASSWD),) +$(error NSH telnet login requires CONFIG_FSUTILS_PASSWD. Fixed login was removed; enable password file support and CONFIG_NSH_LOGIN_PASSWD.) +endif +endif + +endif + ifeq ($(CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE),y) ifeq ($(_PASSWD_ENFORCE),y) @@ -35,43 +55,24 @@ ifeq ($(_PASSWD_ENFORCE),y) $(shell $(TOPDIR)/tools/update_romfs_password.sh $(TOPDIR)/.config >/dev/null 2>&1) include $(TOPDIR)/.config -# --- password check --- ifeq ($(strip $(patsubst "%",%,$(CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD))),) +_PASSWD_HAS_TTY := $(shell test -r /dev/tty && test -w /dev/tty && echo 1) +ifneq ($(_PASSWD_HAS_TTY),1) $(info ) -$(info BUILD ERROR: Admin password not set.) +$(info BUILD ERROR: Root password not set.) $(info ) $(info Run make menuconfig and set:) -$(info Board Selection -> Auto-generate /etc/passwd -> Admin password) +$(info Board Selection -> Auto-generate /etc/passwd -> Root password) $(info ) -$(info For TEA keys, either enable random generation in the same menu,) -$(info or set CONFIG_FSUTILS_PASSWD_KEY1..4 under Application Configuration) -$(info -> File System Utilities -> Password file support.) +$(info For CI or scripted builds, export NUTTX_ROMFS_PASSWD_PASSWORD) +$(info (see tools/update_romfs_password.sh).) $(info ) -$(info Password and keys are not saved in defconfig.) +$(info Password is not saved in defconfig.) $(info ) $(error Aborting: CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD is not set) endif - -# --- TEA key check / generation --- -_PASSWD_KEYS_NEED_SETUP := $(shell \ - $(TOPDIR)/tools/check_passwd_keys.sh $(TOPDIR)/.config 2>/dev/null) - -ifneq ($(_PASSWD_KEYS_NEED_SETUP),no) -ifeq ($(CONFIG_BOARD_ETC_ROMFS_PASSWD_RANDOMIZE_KEYS),y) -$(shell $(TOPDIR)/tools/gen_passwd_keys.sh $(TOPDIR)/.config >/dev/null) -include $(TOPDIR)/.config -else -$(info ) -$(info BUILD ERROR: TEA encryption keys not configured.) -$(info ) -$(info Run make menuconfig and either:) -$(info - enable Generate random TEA keys automatically, or) -$(info - set CONFIG_FSUTILS_PASSWD_KEY1..4 under Application Configuration) -$(info -> File System Utilities -> Password file support) -$(info ) -$(error Aborting: CONFIG_FSUTILS_PASSWD_KEY1..4 must be set to non-default values) -endif -endif +# Interactive builds: board_romfs_mkpasswd.sh / promptpasswd.sh will prompt. endif endif +endif diff --git a/tools/promptpasswd.sh b/tools/promptpasswd.sh new file mode 100755 index 0000000000000..bb4f24fa19dac --- /dev/null +++ b/tools/promptpasswd.sh @@ -0,0 +1,180 @@ +#!/usr/bin/env bash +# tools/promptpasswd.sh +# +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. The +# ASF licenses this file to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance with the +# License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Prompt for a Kconfig password when it is unset or invalid. If no +# terminal is available, print an error and exit. +# +# Usage: +# promptpasswd.sh --min [--config ] [--config-file ] +# [--update-config] [--prompt ] [--output-file ] + +set -e + +MIN=8 +VALUE="" +PROMPT="Password: " +CONFIG_SYMBOL="" +CONFIG_FILE=".config" +UPDATE_CONFIG=0 +OUTPUT_FILE="" + +while [ $# -gt 0 ]; do + case "$1" in + --min) + MIN=$2 + shift 2 + ;; + --value) + VALUE=$2 + shift 2 + ;; + --prompt) + PROMPT=$2 + shift 2 + ;; + --config) + CONFIG_SYMBOL=$2 + shift 2 + ;; + --config-file) + CONFIG_FILE=$2 + shift 2 + ;; + --update-config) + UPDATE_CONFIG=1 + shift + ;; + --output-file) + OUTPUT_FILE=$2 + shift 2 + ;; + *) + echo "promptpasswd.sh: unknown option: $1" >&2 + exit 1 + ;; + esac +done + +validate_password() { + local pw="$1" + local ok=0 + + if [ ${#pw} -lt "${MIN}" ]; then + echo "Error: password must be at least ${MIN} characters" >&2 + ok=1 + fi + + if ! printf '%s' "$pw" | grep -q '[A-Z]'; then + echo "Error: password must contain at least one uppercase letter (A-Z)" >&2 + ok=1 + fi + + if ! printf '%s' "$pw" | grep -q '[a-z]'; then + echo "Error: password must contain at least one lowercase letter (a-z)" >&2 + ok=1 + fi + + if ! printf '%s' "$pw" | grep -q '[0-9]'; then + echo "Error: password must contain at least one digit (0-9)" >&2 + ok=1 + fi + + if ! printf '%s' "$pw" | grep -q '[^a-zA-Z0-9]'; then + echo "Error: password must contain at least one special character" \ + "(!@#\$%^&*()_+-=[]{}|;:,.<>?)" >&2 + ok=1 + fi + + return "${ok}" +} + +if [ -n "${CONFIG_SYMBOL}" ] && [ -z "${VALUE}" ] && [ -f "${CONFIG_FILE}" ]; then + VALUE=$(grep "^${CONFIG_SYMBOL}=" "${CONFIG_FILE}" 2>/dev/null | cut -d= -f2- | tr -d '"') +fi + +if [ -n "${VALUE}" ] && validate_password "${VALUE}"; then + if [ -n "${OUTPUT_FILE}" ]; then + umask 077 + printf '%s' "${VALUE}" > "${OUTPUT_FILE}" + else + printf '%s' "${VALUE}" + fi + exit 0 +fi + +# Make recipe shells are not connected to the terminal on stdin, so test /dev/tty +# instead of [ -t 0 ] when deciding whether an interactive prompt is possible. + +INTERACTIVE=0 +if [ -r /dev/tty ] && [ -w /dev/tty ]; then + INTERACTIVE=1 +fi + +if [ "${INTERACTIVE}" -eq 0 ]; then + echo "" >&2 + if [ -n "${CONFIG_SYMBOL}" ]; then + echo "ERROR: ${CONFIG_SYMBOL} must be at least ${MIN} characters and" >&2 + echo "contain uppercase, lowercase, digit, and special character." >&2 + else + echo "ERROR: Password must be at least ${MIN} characters and contain" >&2 + echo "uppercase, lowercase, digit, and special character." >&2 + fi + echo "Set it with 'make menuconfig' or edit .config, then rebuild." >&2 + exit 1 +fi + +PASSWORD="" +while true; do + printf '%s' "${PROMPT}" >/dev/tty + IFS= read -r -s PASSWORD /dev/tty + if ! validate_password "${PASSWORD}"; then + echo "Please try again." >&2 + PASSWORD="" + continue + fi + + while true; do + printf 'Confirm password: ' >/dev/tty + IFS= read -r -s PASSWORD2 /dev/tty + if [ "${PASSWORD}" = "${PASSWORD2}" ]; then + break + fi + echo "Passwords do not match. Please try again." >&2 + PASSWORD="" + break + done + + if [ -n "${PASSWORD}" ]; then + break + fi +done + +if [ "${UPDATE_CONFIG}" -eq 1 ] && [ -n "${CONFIG_SYMBOL}" ]; then + kconfig-tweak --file "${CONFIG_FILE}" --set-str "${CONFIG_SYMBOL}" "${PASSWORD}" +fi + +if [ -n "${OUTPUT_FILE}" ]; then + umask 077 + printf '%s' "${PASSWORD}" > "${OUTPUT_FILE}" +else + printf '%s' "${PASSWORD}" +fi diff --git a/tools/update_romfs_password.sh b/tools/update_romfs_password.sh index 8b246094263c7..8e8be3ae42b8e 100755 --- a/tools/update_romfs_password.sh +++ b/tools/update_romfs_password.sh @@ -19,7 +19,7 @@ # Usage: # update_romfs_password.sh # -# When CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y and the admin password is not +# When CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y and the root password is not # set in .config, copy NUTTX_ROMFS_PASSWD_PASSWORD into .config. This is the # supported way to supply build-time credentials that must not live in defconfig # (CI, automation, local scripts). No-op when the password is already set or From b1887862548eeb6200ebf9e4fdf3548d4061333f Mon Sep 17 00:00:00 2001 From: Abhishek Mishra Date: Wed, 15 Jul 2026 15:44:37 +0000 Subject: [PATCH 2/3] !boards/moxart: Use ROMFS PBKDF2 passwd login Migrate moxa:nsh from fixed telnet password to build-time ROMFS /etc/passwd with PBKDF2-HMAC-SHA256 and cryptodev. Signed-off-by: Abhishek Mishra --- boards/arm/moxart/moxa/configs/nsh/defconfig | 10 +++++++- boards/arm/moxart/moxa/src/Makefile | 5 ++++ boards/arm/moxart/moxa/src/etc/group | 1 + .../arm/moxart/moxa/src/etc/init.d/rc.sysinit | 25 +++++++++++++++++++ boards/arm/moxart/moxa/src/etc/init.d/rcS | 25 +++++++++++++++++++ 5 files changed, 65 insertions(+), 1 deletion(-) create mode 100644 boards/arm/moxart/moxa/src/etc/group create mode 100644 boards/arm/moxart/moxa/src/etc/init.d/rc.sysinit create mode 100644 boards/arm/moxart/moxa/src/etc/init.d/rcS diff --git a/boards/arm/moxart/moxa/configs/nsh/defconfig b/boards/arm/moxart/moxa/configs/nsh/defconfig index df5dc3a01aa90..bd4315e2a50bf 100644 --- a/boards/arm/moxart/moxa/configs/nsh/defconfig +++ b/boards/arm/moxart/moxa/configs/nsh/defconfig @@ -43,13 +43,22 @@ CONFIG_ARCH_INTERRUPTSTACK=1024 CONFIG_ARCH_STACKDUMP=y CONFIG_BOARDCTL_APP_SYMTAB=y CONFIG_BOARDCTL_RESET=y +CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y CONFIG_BOARD_LOOPSPERMSEC=6965 CONFIG_BOOT_RUNFROMISRAM=y CONFIG_BUILTIN=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y +CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO=y +CONFIG_CRYPTO_SW_AES=y CONFIG_DEFAULT_SMALL=y +CONFIG_ETC_ROMFS=y +CONFIG_ETC_ROMFSDEVNO=0 CONFIG_FS_BINFS=y CONFIG_FS_ROMFS=y CONFIG_FS_UNIONFS=y +CONFIG_FSUTILS_PASSWD=y +CONFIG_FSUTILS_PASSWD_READONLY=y CONFIG_FTMAC100_BASE=0x90900000 CONFIG_FTMAC100_IRQ=25 CONFIG_FTMAC100_MAC0_ENV_ADDR=0x80000050 @@ -69,7 +78,6 @@ CONFIG_NET_SOCKOPTS=y CONFIG_NET_TCP=y CONFIG_NET_TCP_WRITE_BUFFERS=y CONFIG_NSH_BUILTIN_APPS=y -CONFIG_NSH_LOGIN_PASSWORD="nuttx" CONFIG_NSH_TELNET=y CONFIG_NSH_TELNET_LOGIN=y CONFIG_RAM_SIZE=2097152 diff --git a/boards/arm/moxart/moxa/src/Makefile b/boards/arm/moxart/moxa/src/Makefile index 11ceee4b22b14..d377615684dbe 100644 --- a/boards/arm/moxart/moxa/src/Makefile +++ b/boards/arm/moxart/moxa/src/Makefile @@ -28,4 +28,9 @@ ifeq ($(CONFIG_BOARDCTL_RESET),y) CSRCS += moxart_reset.c endif +ifeq ($(CONFIG_ETC_ROMFS),y) + RCSRCS = etc/init.d/rc.sysinit etc/init.d/rcS + RCRAWS = etc/group +endif + include $(TOPDIR)/boards/Board.mk diff --git a/boards/arm/moxart/moxa/src/etc/group b/boards/arm/moxart/moxa/src/etc/group new file mode 100644 index 0000000000000..f0565ff64b431 --- /dev/null +++ b/boards/arm/moxart/moxa/src/etc/group @@ -0,0 +1 @@ +root:*:0:root diff --git a/boards/arm/moxart/moxa/src/etc/init.d/rc.sysinit b/boards/arm/moxart/moxa/src/etc/init.d/rc.sysinit new file mode 100644 index 0000000000000..21741f6ebfae1 --- /dev/null +++ b/boards/arm/moxart/moxa/src/etc/init.d/rc.sysinit @@ -0,0 +1,25 @@ +/**************************************************************************** + * boards/arm/moxart/moxa/src/etc/init.d/rc.sysinit + * + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. The + * ASF licenses this file to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the + * License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations + * under the License. + * + ****************************************************************************/ + +#include + +/* ROMFS /etc system-init script (no board-specific init commands yet). */ diff --git a/boards/arm/moxart/moxa/src/etc/init.d/rcS b/boards/arm/moxart/moxa/src/etc/init.d/rcS new file mode 100644 index 0000000000000..cf55be5520ca7 --- /dev/null +++ b/boards/arm/moxart/moxa/src/etc/init.d/rcS @@ -0,0 +1,25 @@ +/**************************************************************************** + * boards/arm/moxart/moxa/src/etc/init.d/rcS + * + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. The + * ASF licenses this file to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the + * License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations + * under the License. + * + ****************************************************************************/ + +#include + +/* ROMFS /etc start-up script (no board-specific start-up commands yet). */ From 5856e38d99c55adcb5c00146786d2fd6b7280c66 Mon Sep 17 00:00:00 2001 From: Abhishek Mishra Date: Wed, 15 Jul 2026 15:44:37 +0000 Subject: [PATCH 3/3] Documentation: PBKDF2 login docs, board Kconfig, and CI password Enable CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO and CONFIG_CRYPTO_SW_AES on dropbear defconfigs so /dev/crypto provides the swcr_pbkdf2 backend required for PBKDF2 login at runtime. Signed-off-by: Abhishek Mishra --- .github/workflows/build.yml | 4 +- Documentation/applications/nsh/commands.rst | 3 +- Documentation/applications/nsh/login.rst | 240 ++++++++++++------ Documentation/components/tools/index.rst | 164 +++++------- .../arm/moxart/boards/moxa/index.rst | 24 ++ .../rx65n/boards/rx65n-grrose/index.rst | 25 +- .../boards/esp32c3-legacy-devkit/ROMFS.txt | 15 +- .../platforms/sim/sim/boards/sim/index.rst | 49 ++-- boards/Kconfig | 81 +++--- .../u-blox-c027/configs/nsh/defconfig | 9 + boards/arm/moxart/moxa/configs/nsh/defconfig | 8 +- .../configs/ihm07m1_b16/defconfig | 1 + .../esp32c3-legacy-devkit/src/etc/group | 2 +- .../esp32c3-devkit/configs/dropbear/defconfig | 7 + boards/sim/sim/sim/configs/adb/defconfig | 9 + boards/sim/sim/sim/configs/alsa/defconfig | 5 + boards/sim/sim/sim/configs/bastest/defconfig | 5 + .../sim/sim/sim/configs/bluetooth/defconfig | 4 + .../sim/sim/sim/configs/bthcisock/defconfig | 4 + boards/sim/sim/sim/configs/citest/defconfig | 5 + boards/sim/sim/sim/configs/crypto/defconfig | 2 + boards/sim/sim/sim/configs/dropbear/defconfig | 7 + boards/sim/sim/sim/configs/duktape/defconfig | 5 + boards/sim/sim/sim/configs/dynconns/defconfig | 4 + boards/sim/sim/sim/configs/elf/defconfig | 5 + boards/sim/sim/sim/configs/foc/defconfig | 5 + .../sim/sim/sim/configs/ipforward/defconfig | 4 + .../sim/sim/sim/configs/libcxxtest/defconfig | 5 + boards/sim/sim/sim/configs/login/defconfig | 8 +- boards/sim/sim/sim/configs/lua/defconfig | 5 + boards/sim/sim/sim/configs/matter/defconfig | 4 + .../sim/sim/sim/configs/minibasic/defconfig | 5 + boards/sim/sim/sim/configs/minmea/defconfig | 5 + boards/sim/sim/sim/configs/mnemofs/defconfig | 4 + boards/sim/sim/sim/configs/module/defconfig | 5 + boards/sim/sim/sim/configs/module32/defconfig | 5 + boards/sim/sim/sim/configs/nand/defconfig | 4 + boards/sim/sim/sim/configs/nimble/defconfig | 4 + .../sim/sim/sim/configs/nshcromfs/defconfig | 5 + .../sim/sim/sim/configs/posix_spawn/defconfig | 5 + .../sim/sim/sim/configs/posix_test/defconfig | 5 + boards/sim/sim/sim/configs/rc/defconfig | 5 + boards/sim/sim/sim/configs/romfs/defconfig | 5 + boards/sim/sim/sim/configs/rust/defconfig | 5 + boards/sim/sim/sim/configs/segger/defconfig | 5 + boards/sim/sim/sim/configs/sensor/defconfig | 5 + boards/sim/sim/sim/configs/smartfs/defconfig | 5 + boards/sim/sim/sim/configs/sotest/defconfig | 5 + boards/sim/sim/sim/configs/sotest32/defconfig | 5 + boards/sim/sim/sim/configs/sqlite/defconfig | 5 + boards/sim/sim/sim/configs/tcploop/defconfig | 4 + boards/sim/sim/sim/configs/toywasm/defconfig | 5 + boards/sim/sim/sim/configs/userfs/defconfig | 5 + boards/sim/sim/sim/configs/vpnkit/defconfig | 5 + boards/sim/sim/sim/configs/wakaama/defconfig | 5 + boards/sim/sim/sim/configs/wamr/defconfig | 4 + boards/sim/sim/sim/configs/zipfs/defconfig | 5 + boards/sim/sim/sim/src/etc/group | 2 +- 58 files changed, 580 insertions(+), 265 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 77c3abe603751..a00cd8c193191 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -148,7 +148,7 @@ jobs: # Documented sim/login CI test credential (not a production secret). # Used when CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y and defconfig omits # the password. See tools/update_romfs_password.sh. - NUTTX_ROMFS_PASSWD_PASSWORD: NuttXSimLogin1 + NUTTX_ROMFS_PASSWD_PASSWORD: NuttXSim1! strategy: max-parallel: 12 @@ -316,7 +316,7 @@ jobs: needs: macOS-Arch if: ${{ needs.macOS-Arch.outputs.skip_all_builds != '1' }} env: - NUTTX_ROMFS_PASSWD_PASSWORD: NuttXSimLogin1 + NUTTX_ROMFS_PASSWD_PASSWORD: NuttXSim1! strategy: max-parallel: 2 matrix: diff --git a/Documentation/applications/nsh/commands.rst b/Documentation/applications/nsh/commands.rst index 2c3aa546ec657..dc8559d441740 100644 --- a/Documentation/applications/nsh/commands.rst +++ b/Documentation/applications/nsh/commands.rst @@ -1745,8 +1745,7 @@ This command is available only when ``CONFIG_SCHED_USER_IDENTITY`` is enabled. It may be disabled with ``CONFIG_NSH_DISABLE_SU``. User names are looked up from the passwd database when ``CONFIG_LIBC_PASSWD_FILE`` is enabled. Password verification requires one of the NSH login options -(``CONFIG_NSH_LOGIN_PASSWD``, ``CONFIG_NSH_LOGIN_PLATFORM``, or -``CONFIG_NSH_LOGIN_FIXED``). +(``CONFIG_NSH_LOGIN_PASSWD`` or ``CONFIG_NSH_LOGIN_PLATFORM``). **Related configuration** diff --git a/Documentation/applications/nsh/login.rst b/Documentation/applications/nsh/login.rst index b499a0ff4b40f..a8f9f0aaa7235 100644 --- a/Documentation/applications/nsh/login.rst +++ b/Documentation/applications/nsh/login.rst @@ -18,13 +18,33 @@ Logins for Telnet sessions can be enabled separately with:: Logins can be enabled for either or both session types. On a successful login, the user will have access to the NSH session:: - login: admin + login: root password: User Logged-in! NuttShell (NSH) nsh> +ROMFS password file (recommended) +================================== + +Boards with ROMFS ``/etc`` should auto-generate ``/etc/passwd`` at build time:: + + CONFIG_ETC_ROMFS=y + CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y + CONFIG_CRYPTO_CRYPTODEV=y + CONFIG_FSUTILS_PASSWD=y + CONFIG_FSUTILS_PASSWD_READONLY=y + CONFIG_NSH_CONSOLE_LOGIN=y + +``CONFIG_FSUTILS_PASSWD`` depends on ``CONFIG_CRYPTO_CRYPTODEV``. The +``sim:login`` defconfig also enables software cryptodev +(``CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO`` and ``CONFIG_CRYPTO_SW_AES``). + +Set **Board Selection → Auto-generate /etc/passwd at build time → Root password** +in menuconfig, in a local defconfig, or at the ``make`` prompt +(:ref:`mkpasswd_autogen`). Only a PBKDF2-HMAC-SHA256 hash is stored in flash. + When ``CONFIG_NSH_LOGIN_SETUID`` is enabled (the default when ``CONFIG_SCHED_USER_IDENTITY`` is selected), NSH looks up the authenticated user name in the passwd database and sets the session @@ -90,66 +110,43 @@ will be closed. That number is controlled by:: CONFIG_NSH_LOGIN_FAILCOUNT=3 +.. _nsh_login_verification: + Verification of Credentials =========================== -There are three ways that NSH can be configured to verify user -credentials at login time: - - #. The simplest implementation simply uses fixed login credentials and - is selected with:: - - CONFIG_NSH_LOGIN_FIXED=y - - The fixed login credentials are selected via:: - - CONFIG_NSH_LOGIN_USERNAME=admin - CONFIG_NSH_LOGIN_PASSWORD="Administrator" - - This is not very flexible since there can be only one user and the - password is fixed in the FLASH image. This option is also not very - secure because a malicious user could get the password by just - looking at the ``.text`` strings in the flash image. +There are two ways to verify credentials at login: - #. NSH can also be configured to defer the entire user credential - verification to platform-specific logic with this setting:: +.. list-table:: NSH credential verification methods + :header-rows: 1 + :widths: 20 15 65 - CONFIG_NSH_LOGIN_PLATFORM=y + * - Method + - Kconfig + - Summary + * - Password file (recommended) + - ``CONFIG_NSH_LOGIN_PASSWD=y`` + - Verifies against ``/etc/passwd`` using PBKDF2-HMAC-SHA256 hashes. + Use with ``CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE`` for ROMFS boards. + * - Platform callback + - ``CONFIG_NSH_LOGIN_PLATFORM=y`` + - Board-specific ``platform_user_verify()`` function. - In this case, NSH will call a platform-specific function to perform - the verification of user credentials. The platform-specific logic - must provide a function with the following prototype: +When ``CONFIG_FSUTILS_PASSWD=y`` is enabled, NSH defaults to +``CONFIG_NSH_LOGIN_PASSWD=y`` automatically. Console and telnet login +require ``CONFIG_FSUTILS_PASSWD``; the removed fixed-login options +``CONFIG_NSH_LOGIN_FIXED`` and ``CONFIG_NSH_LOGIN_PASSWORD`` are rejected +at build time if still present in ``.config``. - .. code-block:: c - - int platform_user_verify(FAR const char *username, FAR const char *password); - - which is prototyped an described in ``apps/include/nsh.h`` and which - may be included like: - - .. code-block:: c - - #include - - An appropriate place to implement this function might be in the - directory ``apps/platform/``. - - #. A final option is to use a password file contained encrypted password - information. This final option is selected with the following and - described in more detail in the following paragraph:: - - CONFIG_NSH_LOGIN_PASSWD=y + #. **Platform-specific verification.** NSH calls ``platform_user_verify()`` + when ``CONFIG_NSH_LOGIN_PLATFORM=y``. Prototype in ``apps/include/nsh.h``. Password Files ============== -NuttX can also be configured to support a password file, by default at -``/etc/passwd``. This option enables support for a password file:: - - CONFIG_NSH_LOGIN_PASSWD=y - -This options requires that you have selected ``CONFIG_FSUTILS_PASSWD=y`` -to enable the access methods of ``apps/fsutils/passwd``:: +When ``CONFIG_NSH_LOGIN_PASSWD=y`` is selected, NSH reads user names and +password hashes from a passwd file (default ``/etc/passwd``). Enable the +file-access layer with:: CONFIG_FSUTILS_PASSWD=y @@ -176,34 +173,127 @@ specifically disabled. The password file logic requires a few additional settings: - #. The size of dynamically allocated and freed buffer that is used for + #. **Kernel cryptodev**: ``CONFIG_FSUTILS_PASSWD`` requires + ``CONFIG_CRYPTO_CRYPTODEV`` (PBKDF2 via ``/dev/crypto`` at runtime). + + #. **I/O buffer size**: size of the dynamically allocated buffer used for file access:: CONFIG_FSUTILS_PASSWD_IOBUFFER_SIZE=512 - #. And the 128-bit encryption key. The password file currently uses the - Tiny Encryption Algorithm (TEA), but could be extended to use - something more powerful. + #. **PBKDF2 iteration count**: applied when **setting** new passwords + (via ``useradd``, ``passwd``, or build-time ``mkpasswd``):: + + CONFIG_FSUTILS_PASSWD_PBKDF2_ITERATIONS=10000 + + Valid range: 1000 to 200000. Higher values resist brute-force attacks + but increase login latency on low-MHz MCUs. The iteration count is + stored inside each hash string, so changing this option only affects + newly-created passwords. + + #. **Random salt source**: new salts require random bytes. Enable a + platform random source such as:: + + CONFIG_DEV_URANDOM=y - CONFIG_FSUTILS_PASSWD_KEY1=0x12345678 - CONFIG_FSUTILS_PASSWD_KEY2=0x9abcdef0 - CONFIG_FSUTILS_PASSWD_KEY3=0x12345678 - CONFIG_FSUTILS_PASSWD_KEY4=0x9abcdef0 + ``passwd_encrypt()`` uses ``getrandom()`` or ``/dev/urandom`` when + generating salts for ``useradd`` and ``passwd``. -Password can only be decrypted with access to this key. Note that this -key could potentially be fished out of your FLASH image, but without any -symbolic information, that would be a difficult job since the TEA KEY is -binary data and not distinguishable from other binary data in the FLASH -image. +Password complexity rules +~~~~~~~~~~~~~~~~~~~~~~~~~ -If the password file is enabled (``CONFIG_NSH_LOGIN_PASSWD=y``), then -the fixed user credentials will not be used for the NSH session login. -Instead, the password file will be consulted to verify the user -credentials. +The same rules are enforced everywhere a **new** password is set: + +* Build-time ``tools/mkpasswd`` (ROMFS autogen) +* NSH commands ``useradd`` and ``passwd`` +* Runtime API ``passwd_encrypt()`` in ``apps/fsutils/passwd`` + +Rules: + +* At least **8** characters +* At least one **uppercase** letter (``A`` to ``Z``) +* At least one **lowercase** letter (``a`` to ``z``) +* At least one **digit** (``0`` to ``9``) +* At least one **special** character from:: + + ! @ # $ % ^ & * ( ) _ + - = [ ] { } | ; : , . < > ? + +If ``CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD`` is missing or does not meet +these rules, an interactive ``make`` prompts via ``tools/promptpasswd.sh`` +(root password, then confirm password). Non-interactive builds must set the +password in menuconfig or export ``NUTTX_ROMFS_PASSWD_PASSWORD`` first. + +Password hash format +~~~~~~~~~~~~~~~~~~~~ + +Each password field uses **PBKDF2-HMAC-SHA256** in modular crypt format +(MCF). The hash string is self-contained: it stores the iteration count +and salt, so verification does not depend on separate key material in +firmware:: + + $pbkdf2-sha256$$$ + +Where: + +* ````: PBKDF2 round count (parsed at verify time) +* ````: 16-byte random salt (RFC 4648 section 5, no padding) +* ````: 32-byte PBKDF2-HMAC-SHA256 output (same encoding) + +Example ``/etc/passwd`` line:: + + root:$pbkdf2-sha256$10000$zhoo4phwEzyNFUAkB7asfw$P8qsjd9RQmZBLfM5zugiJeE5gKjI-CmTxyaVyOX2mE4:0:0:/ + +Full ``/etc/passwd`` record format:: + + user:hash:uid:gid:home + +.. note:: + + **Breaking change:** this replaces the former TEA-based password storage. + Existing TEA-encoded entries will **not** verify. Regenerate every entry + with ``mkpasswd``, NSH ``passwd``, or ``useradd`` after upgrading. + +``passwd_verify()`` returns ``0`` on match, ``-1`` on mismatch or invalid +hash format, and a negated ``errno`` on I/O errors. + +When ``CONFIG_NSH_LOGIN_PASSWD=y`` is enabled, NSH verifies logins against +the password file rather than compile-time credentials. + +Notes on ``savedefconfig`` +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To avoid leaking credentials into board defconfigs, ``make savedefconfig`` +**omits** these options from the generated defconfig: + +* ``CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD`` +* ``CONFIG_FSUTILS_PASSWD_PBKDF2_ITERATIONS`` + +Add them manually to a local defconfig after ``make savedefconfig`` if +needed for development. Creating a Password File for a ROMFS File System ================================================ +Boards with ``CONFIG_ETC_ROMFS`` can auto-generate ``/etc/passwd`` at +**build time** when ``CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y``. + +Build-time flow +~~~~~~~~~~~~~~~ + +1. You configure the root password in menuconfig, at the interactive + ``make`` prompt, or via ``NUTTX_ROMFS_PASSWD_PASSWORD``. +2. The build runs ``tools/mkpasswd`` (Makefile builds use + ``tools/board_romfs_mkpasswd.sh`` as a wrapper). +3. Only the **hash** is written into the ROMFS image at ``/etc/passwd``. +4. At boot, NSH login verifies the password through kernel cryptodev + (``/dev/crypto``). + +See :ref:`mkpasswd_autogen` in :doc:`/components/tools/index` for the full +tool description, Kconfig list, and verification steps. + +The following describes the **manual** approach for creating or updating a +password file when build-time autogen is **not** used. + What we want to accomplish is a ROMFS file system, mounted at ``/etc`` and containing the password file, ``passwd`` like:: @@ -220,10 +310,10 @@ and containing the password file, ``passwd`` like:: nsh> Where ``/etc/init.d/rc.sysinit`` is the system init script and -``/etc/init.d/rcS`` is the start-up script; ``/etc/passwd`` is a -the password file. Note that here we assume that you are already using a +``/etc/init.d/rcS`` is the start-up script; ``/etc/passwd`` is the +password file. Note that here we assume that you are already using a start-up script. We can then piggyback the passwd file into the ``/etc`` -file system already mounted for the NSH start up file as described above +file system already mounted for the NSH start up file as described `above <#custinit>`__. The sim/nsh configuration can be used to create a new password file, but other @@ -267,7 +357,7 @@ new user passwords like:: nsh> useradd Do this as many times as you would like. Each time that you do this a -new entry with an encrypted password will be added to the ``passwd`` +new entry with a hashed password will be added to the ``passwd`` file at ``/tmp/passwd``. You can see the content of the password file like:: @@ -286,9 +376,10 @@ Then create/re-create the ``nsh_romfsimg.h`` file as described below. mkdir etc mkdir etc/init.d - And copy your existing startup script into ``etc/init.c`` as ``rcS``. + And copy your existing startup script into ``etc/init.d/`` as ``rcS``. #. Save your new password file in the ``etc/`` directory as ``passwd``. + Each line must use the PBKDF2 MCF format described above. #. Create the new ROMFS image:: @@ -298,12 +389,9 @@ Then create/re-create the ``nsh_romfsimg.h`` file as described below. xxd -i romfs_img >nsh_romfsimg.h - #. Edit ``nsh_romfsimg.h``: Mark both data definitions as ``const`` so + #. Edit ``nsh_romfsimg.h``: mark both data definitions as ``const`` so that the data will be stored in FLASH. - #. Edit nsh_romfsimg.h, mark both data definitions as ``const`` so that - that will be stored in FLASH. - There is a good example of how to do this in the NSH simulation configuration at `boards/sim/sim/sim/configs/nsh `__. diff --git a/Documentation/components/tools/index.rst b/Documentation/components/tools/index.rst index 3e0686481643e..a3c5a446eb18f 100644 --- a/Documentation/components/tools/index.rst +++ b/Documentation/components/tools/index.rst @@ -14,60 +14,55 @@ and host C programs that are important parts of the NuttX build system: .. _mkpasswd_autogen: -mkpasswd — Build-time ``/etc/passwd`` Generation -------------------------------------------------- +mkpasswd: Build-time ``/etc/passwd`` generation +=============================================== -``tools/mkpasswd`` (``tools/mkpasswd.c``) is a host program that writes a -single ``/etc/passwd`` entry with a TEA-encrypted password hash. The -plaintext password is **not** stored in the firmware image. +``tools/mkpasswd`` (``tools/mkpasswd.c``) writes one ``/etc/passwd`` line at +build time when ``CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y``. -When ``CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y``, the build invokes -``mkpasswd`` automatically from ``boards/Board.mk`` (Make) or -``cmake/nuttx_add_romfs.cmake`` (CMake). You normally configure the -password and keys in menuconfig; you do not run ``mkpasswd`` by hand. +Quick start +~~~~~~~~~~~ -Prerequisites -~~~~~~~~~~~~~ +.. code:: kconfig -Enable all of the following (via ``make menuconfig``): + CONFIG_ETC_ROMFS=y + CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y + CONFIG_FSUTILS_PASSWD=y + CONFIG_FSUTILS_PASSWD_READONLY=y + CONFIG_NSH_CONSOLE_LOGIN=y -* **Board Selection** → **Auto-generate /etc/passwd at build time** - (``CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE``) -* **Application Configuration** → **NSH Library** → **Console Login** - (``CONFIG_NSH_CONSOLE_LOGIN``) with verification method **Encrypted - password file** (``CONFIG_NSH_LOGIN_PASSWD``) -* **Application Configuration** → **File System Utilities** → **Password file - support** (``CONFIG_FSUTILS_PASSWD``) +Set **Board Selection → Auto-generate /etc/passwd at build time → Root password** +in menuconfig or at the ``make`` prompt, then build and log in as ``root``. -Setup workflow -~~~~~~~~~~~~~~ +See :doc:`/applications/nsh/login` for NSH login details. -1. ``tools/configure.sh :`` -2. ``make menuconfig``: +Build flow +~~~~~~~~~~ - * **Board Selection** → Auto-generate /etc/passwd +**Makefile builds** use ``tools/board_romfs_mkpasswd.sh``, which validates the +password (``tools/promptpasswd.sh`` if needed) and invokes ``tools/mkpasswd``. - * **Admin password** — required, at least 8 characters. There is no - Kconfig default (the legacy ``Administrator`` password is rejected). - * **Generate random TEA encryption keys automatically** — recommended; - or disable this and set keys manually (see below). +**CMake builds** invoke ``tools/mkpasswd`` directly; set +``CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD`` in ``.config`` (configure fails if +it is missing). - * Confirm NSH uses **Encrypted password file** verification (above). +In both cases: -3. ``make`` — on the first build, ``tools/passwd_keys.mk`` validates the - password and keys, may generate TEA keys, then ``mkpasswd`` runs before - ``config.h`` is created so the hash and firmware always agree. +1. ``tools/mkpasswd`` hashes with PBKDF2-HMAC-SHA256 (same algorithm as + ``apps/fsutils/passwd``, which uses kernel cryptodev at runtime). +2. The hash is written to ``etctmp/.../passwd`` and embedded in ROMFS. + +The plaintext password is used on the host during ``make`` only. On an +interactive terminal, ``make`` prompts for the root password (and confirmation) +when it is not already configured; non-interactive builds must set +``CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD`` or ``NUTTX_ROMFS_PASSWD_PASSWORD``. Build-time credentials (CI / automation) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -These values are **not** written to defconfig by ``make savedefconfig``: - -* ``CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD`` -* ``CONFIG_FSUTILS_PASSWD_KEY1`` … ``CONFIG_FSUTILS_PASSWD_KEY4`` - -For scripted or CI builds, export the admin password before ``configure.sh`` -or ``make``: +``CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD`` is **not** written to defconfig by +``make savedefconfig``. For scripted or CI builds, export the root password +before ``configure.sh`` or ``make``: .. code:: bash @@ -75,83 +70,48 @@ or ``make``: ``tools/update_romfs_password.sh`` copies this into ``.config`` when ROMFS passwd generation is enabled and the password field is still empty. NuttX -CI sets ``NuttXSimLogin1`` for the ``sim/login`` configuration (a documented -sim-only test credential, not a product secret). - -TEA encryption keys -~~~~~~~~~~~~~~~~~~~ - -``mkpasswd`` and the firmware must use the **same** four 32-bit key words -(``CONFIG_FSUTILS_PASSWD_KEY1`` … ``KEY4``). Choose one approach: +CI sets ``NuttXSim1!`` for the ``sim/login`` configuration (a documented +sim-only test credential, not a product secret). The password must meet the +complexity rules below. -**Random generation** (``CONFIG_BOARD_ETC_ROMFS_PASSWD_RANDOMIZE_KEYS=y``): - - On the first ``make`` when keys are missing or still placeholders, - ``tools/gen_passwd_keys.sh`` writes random values to ``.config``. A - build warning explains where to view or change them in menuconfig. Key - values are never printed in the build log. - -**Manual keys** (``CONFIG_BOARD_ETC_ROMFS_PASSWD_RANDOMIZE_KEYS`` disabled): - - Set ``CONFIG_FSUTILS_PASSWD_KEY1`` … ``KEY4`` under **Application - Configuration** → **File System Utilities** → **Password file support**. - Each must be a unique non-zero value. The legacy published defaults - ``0x12345678`` / ``0x9abcdef0`` are rejected. - -If random generation is enabled but keys are already present in ``.config``, -they are **not** regenerated (subsequent builds stay consistent). +Password rules +~~~~~~~~~~~~~~ -How the build enforces security -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Minimum 8 characters; at least one uppercase, lowercase, digit, and special +character from ``!@#$%^&*()_+-=[]{}|;:,.<>?``. -+---------------------------+-----------------------------------------------+ -| Check | Where | -+===========================+===============================================+ -| Password set, min 8 chars | ``tools/passwd_keys.mk`` (before ``config.h``)| -| Not ``Administrator`` | ``tools/mkpasswd.c`` (last line of defence) | -| TEA keys configured | ``tools/check_passwd_keys.sh`` | -| Not legacy default keys | ``check_passwd_keys.sh`` + ``mkpasswd.c`` | -+---------------------------+-----------------------------------------------+ +Hash format +~~~~~~~~~~~ -Standalone ``mkpasswd`` (advanced) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:: -For debugging only, you may run the host binary directly. You must pass all -four ``--key`` options with non-default values and a password of at least 8 -characters: + $pbkdf2-sha256$$$ -.. code:: bash +Example:: - ./tools/mkpasswd --user root --password 'my-secret' \ - --key1 0x11111111 --key2 0x22222222 \ - --key3 0x33333333 --key4 0x44444444 + root:$pbkdf2-sha256$10000$zhoo4phwEzyNFUAkB7asfw$P8qsjd9RQmZBLfM5zugiJeE5gKjI-CmTxyaVyOX2mE4 -Kconfig summary -~~~~~~~~~~~~~~~~~ +**Breaking change:** TEA-encoded entries are not compatible. Regenerate with +``mkpasswd`` or NSH ``passwd`` / ``useradd``. -Example ``.config`` fragment (password and keys normally **not** in defconfig): +Kconfig +~~~~~~~ .. code:: kconfig CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y - CONFIG_BOARD_ETC_ROMFS_PASSWD_RANDOMIZE_KEYS=y + CONFIG_CRYPTO_CRYPTODEV=y CONFIG_BOARD_ETC_ROMFS_PASSWD_USER="root" - CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD="" - CONFIG_NSH_CONSOLE_LOGIN=y - CONFIG_NSH_LOGIN_PASSWD=y - CONFIG_FSUTILS_PASSWD=y - -``/etc/passwd`` file format -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. code:: text + CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD="" + CONFIG_FSUTILS_PASSWD_PBKDF2_ITERATIONS=10000 - user:encrypted_hash:uid:gid:home +``make savedefconfig`` omits ``CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD`` and +``CONFIG_FSUTILS_PASSWD_PBKDF2_ITERATIONS`` to avoid leaking credentials. -Notes on ``savedefconfig`` -~~~~~~~~~~~~~~~~~~~~~~~~~~ +Host files +~~~~~~~~~~ -``make savedefconfig`` omits the password and ``KEY1``–``KEY4`` from the -generated defconfig on purpose. ``CONFIG_BOARD_ETC_ROMFS_PASSWD_RANDOMIZE_KEYS`` -may remain in defconfig (policy, not a secret). Do not commit passwords or -key values to version control. +* ``tools/mkpasswd.c`` - PBKDF2 hash generation +* ``tools/promptpasswd.sh`` - interactive root password prompt, validation, + and confirmation +* ``tools/board_romfs_mkpasswd.sh`` - Makefile ROMFS build wrapper diff --git a/Documentation/platforms/arm/moxart/boards/moxa/index.rst b/Documentation/platforms/arm/moxart/boards/moxa/index.rst index dd10749fe6c4c..7fb52614acce1 100644 --- a/Documentation/platforms/arm/moxart/boards/moxa/index.rst +++ b/Documentation/platforms/arm/moxart/boards/moxa/index.rst @@ -2,3 +2,27 @@ moxa ==== +Configurations +============== + +nsh +--- + +This configuration enables NSH with Telnet and telnet login. Credentials +are verified against a PBKDF2-HMAC-SHA256 hash in ROMFS ``/etc/passwd``, not +a fixed plaintext password compiled into the firmware. + +Before building: + +1. ``./tools/configure.sh moxa:nsh`` +2. Set the root password in menuconfig (**Board Selection** → + **Auto-generate /etc/passwd at build time** → **Root password**), or + export ``NUTTX_ROMFS_PASSWD_PASSWORD`` before ``make``. + +The former fixed telnet password ``nuttx`` is no longer embedded in the +image. For a local test build you may use (must meet complexity rules):: + + export NUTTX_ROMFS_PASSWD_PASSWORD='NuttX1!nut' + make + +See :ref:`mkpasswd_autogen` for details. diff --git a/Documentation/platforms/renesas/rx65n/boards/rx65n-grrose/index.rst b/Documentation/platforms/renesas/rx65n/boards/rx65n-grrose/index.rst index 883b9d2a405f7..26e56b30b4e7f 100644 --- a/Documentation/platforms/renesas/rx65n/boards/rx65n-grrose/index.rst +++ b/Documentation/platforms/renesas/rx65n/boards/rx65n-grrose/index.rst @@ -495,34 +495,39 @@ start-up script; ``/etc/passwd`` is the password file. The ``/etc/passwd`` file is auto-generated at build time when ``CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE`` is set. See :ref:`mkpasswd_autogen` -for the full setup (admin password, TEA keys, NSH encrypted-password login). +for the full setup (root password, NSH encrypted-password login). * ``CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y`` * ``CONFIG_BOARD_ETC_ROMFS_PASSWD_USER`` (default: ``root``) -* Admin password and TEA keys — set in menuconfig (not saved in defconfig) +* ``CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD`` (required; minimum 8 characters + with uppercase, lowercase, digit, and special character. See + :ref:`mkpasswd_autogen`) -The password is hashed with TEA by ``tools/mkpasswd``; the plaintext is **not** -stored in the firmware. +The password is hashed with PBKDF2-HMAC-SHA256 at build time by the host tool +``tools/mkpasswd``; the plaintext is **not** stored in the firmware. + +For the full description of the mechanism, file format, and verification +steps, see :ref:`mkpasswd_autogen`. The format of the password file is: .. code:: text - user:encrypted_hash:uid:gid:home + user:x:uid:gid:home Where: user: User name - encrypted_hash: TEA-encrypted password (base64) - uid: User ID - gid: Group ID - home: Login directory + x: PBKDF2-HMAC-SHA256 hash (modular crypt format) + uid: User ID (0 for now) + gid: Group ID (0 for now) + home: Login directory (/ for now) ``/etc/group`` is a group file. It is not currently used. .. code:: console nsh> cat /etc/group - root:*:0:root,admin + root:*:0:root The format of the group file is: diff --git a/Documentation/platforms/risc-v/esp32c3-legacy/boards/esp32c3-legacy-devkit/ROMFS.txt b/Documentation/platforms/risc-v/esp32c3-legacy/boards/esp32c3-legacy-devkit/ROMFS.txt index 2434964afdda5..2ac493a23fc22 100644 --- a/Documentation/platforms/risc-v/esp32c3-legacy/boards/esp32c3-legacy-devkit/ROMFS.txt +++ b/Documentation/platforms/risc-v/esp32c3-legacy/boards/esp32c3-legacy-devkit/ROMFS.txt @@ -31,13 +31,16 @@ README CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y CONFIG_BOARD_ETC_ROMFS_PASSWD_USER (default: root) - CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD (required, build fails if empty) + CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD (required; minimum 8 characters + with uppercase, lowercase, digit, and special character) - The password is hashed with TEA at build time by the host tool + The password is hashed with PBKDF2-HMAC-SHA256 at build time by the host tool tools/mkpasswd; the plaintext is NOT stored in the firmware image. + If the password is not set in .config, an interactive make prompts via + tools/promptpasswd.sh (root password, then confirm password). - For the full description of the mechanism, TEA key configuration, file - format, and verification steps, see Documentation/components/tools/index.rst + For the full description of the mechanism, file format, complexity rules, + and verification steps, see Documentation/components/tools/index.rst (mkpasswd section). The format of the password file is: @@ -46,7 +49,7 @@ README Where: user: User name - x: Encrypted password + x: PBKDF2-HMAC-SHA256 hash (modular crypt format) uid: User ID (0 for now) gid: Group ID (0 for now) home: Login directory (/ for now) @@ -54,7 +57,7 @@ README /etc/group is a group file. It is not currently used. nsh> cat /etc/group - root:*:0:root,admin + root:*:0:root The format of the group file is: diff --git a/Documentation/platforms/sim/sim/boards/sim/index.rst b/Documentation/platforms/sim/sim/boards/sim/index.rst index 813adabc614ee..a377260e9e4c9 100644 --- a/Documentation/platforms/sim/sim/boards/sim/index.rst +++ b/Documentation/platforms/sim/sim/boards/sim/index.rst @@ -1979,15 +1979,17 @@ This is a configuration with login password protection for NSH. .. note:: This config has password protection enabled. After configuring from - defconfig, set the admin password in menuconfig (Board Selection → + defconfig, set the root password in menuconfig (Board Selection → Auto-generate /etc/passwd) or export ``NUTTX_ROMFS_PASSWD_PASSWORD`` before building. NuttX CI uses the documented test password - ``NuttXSimLogin1`` for this configuration. + ``NuttXSim1!`` for this configuration. * USERNAME: root (default) * PASSWORD: set at build time (not stored in defconfig) - The encrypted password is retained in ``/etc/passwd``. + The password must meet complexity rules (8+ chars, upper, lower, digit, + special). Only the PBKDF2-HMAC-SHA256 hash is stored in ``/etc/passwd``. + You can disable the password protection by de-selecting ``CONFIG_NSH_CONSOLE_LOGIN=y``. @@ -2188,29 +2190,46 @@ mounted at ``/etc`` and will look like this at run-time: start-up script; ``/etc/passwd`` is the password file. The ``/etc/passwd`` file is auto-generated at build time when -``CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE`` is set. Configure credentials in -``make menuconfig`` (see :ref:`mkpasswd_autogen`): +``CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE`` is set. Enable the option and set +credentials via ``make menuconfig``: * ``CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y`` -* ``CONFIG_NSH_CONSOLE_LOGIN=y`` with **Encrypted password file** verification +* ``CONFIG_NSH_CONSOLE_LOGIN=y`` (required, otherwise login is not enforced) * ``CONFIG_BOARD_ETC_ROMFS_PASSWD_USER`` (default: ``root``) -* Admin password — required in menuconfig or via ``NUTTX_ROMFS_PASSWD_PASSWORD`` - (minimum 8 characters; not saved in defconfig) -* TEA keys — enable **Generate random TEA encryption keys automatically**, or - set ``CONFIG_FSUTILS_PASSWD_KEY1`` … ``KEY4`` manually +* ``CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD`` (required; minimum 8 characters + with uppercase, lowercase, digit, and special character. See + :ref:`mkpasswd_autogen`) + +The password is hashed with PBKDF2-HMAC-SHA256 at build time by the host tool +``tools/mkpasswd``; the plaintext is **not** stored in the firmware. + +For the full description of the build-time password generation mechanism, +file format, and verification steps, see +:ref:`mkpasswd_autogen`. + +The format of the password file is: + +.. code:: text + + user:x:uid:gid:home + +Where: -The password is hashed with TEA by ``tools/mkpasswd``; the plaintext is **not** -stored in the firmware. +* user: User name +* x: PBKDF2-HMAC-SHA256 hash (modular crypt format) +* uid: User ID (0 for now) +* gid: Group ID (0 for now) +* home: Login directory (/ for now) -For the full build flow, CI credentials, and verification steps, see +For configuration, verification steps, and password complexity rules, see :ref:`mkpasswd_autogen`. Login test inside the simulator ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Use the admin password you set at build time (menuconfig or +Use the root password you set at build time (menuconfig or ``NUTTX_ROMFS_PASSWD_PASSWORD``). For ``sim/login``, CI uses the documented -test password ``NuttXSimLogin1``; see :ref:`mkpasswd_autogen`. +test password ``NuttXSim1!``; see :ref:`mkpasswd_autogen`. .. code:: console diff --git a/boards/Kconfig b/boards/Kconfig index dc2c9e13c3c71..7295c4e214a9b 100644 --- a/boards/Kconfig +++ b/boards/Kconfig @@ -5603,78 +5603,67 @@ config BOARD_ETC_ROMFS_PASSWD_ENABLE default n depends on ETC_ROMFS ---help--- - Generate /etc/passwd at build time. The password is hashed with TEA - by tools/mkpasswd; the plaintext is not stored in the firmware. - - Before building, set: - 1. Admin password (below) - 2. TEA keys — enable random generation below, or set - CONFIG_FSUTILS_PASSWD_KEY1..4 in Application Configuration -> - File System Utilities -> Password file support + Generate /etc/passwd at build time. The password is hashed with + PBKDF2-HMAC-SHA256 by tools/mkpasswd; the plaintext is not stored + in the firmware. + + The password is hashed at build time by the host tool + tools/mkpasswd (compiled from tools/mkpasswd.c) using + PBKDF2-HMAC-SHA256 — the same algorithm used at runtime in + apps/fsutils/passwd/passwd_encrypt.c. The plaintext password is + never stored in the firmware image. + + The iteration count is taken from + CONFIG_FSUTILS_PASSWD_PBKDF2_ITERATIONS (default 10000). Higher + values slow brute-force attacks but increase login latency on + low-MHz MCUs. + + Before building, set the root password (below) or export + NUTTX_ROMFS_PASSWD_PASSWORD for CI and scripted builds (see + tools/update_romfs_password.sh). Also enable NSH login with "Encrypted password file" verification. - Password and keys are not saved in defconfig. Do not commit them. + Password is not saved in defconfig. Do not commit it. + + See Documentation/components/tools/index.rst (mkpasswd section) for + details. if BOARD_ETC_ROMFS_PASSWD_ENABLE -comment "--- Step 1: set the admin password below ---" +comment "--- Set the root password below ---" config BOARD_ETC_ROMFS_PASSWD_USER - string "Admin username" + string "Root username" default "root" ---help--- The username for the auto-generated /etc/passwd entry. config BOARD_ETC_ROMFS_PASSWD_PASSWORD - string "Admin password (required, no default)" + string "Root password (required, no default)" ---help--- - The plaintext password for the /etc/passwd entry. No default is - provided. The build fails if this is empty or shorter than 8 - characters. + The plaintext password for the auto-generated /etc/passwd entry. + This value is hashed with PBKDF2-HMAC-SHA256 at build time; the + plaintext is NOT stored in the firmware image. There is no default; + set CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD in the board defconfig, + via menuconfig, or enter it when prompted during an interactive + build. Password must be at least 8 characters and contain: + uppercase letter, lowercase letter, digit, and special character. Not saved in defconfig. For CI or scripted builds, set the environment variable NUTTX_ROMFS_PASSWD_PASSWORD instead (see tools/update_romfs_password.sh). -comment "--- Step 2: choose how to supply the TEA encryption keys ---" - -config BOARD_ETC_ROMFS_PASSWD_RANDOMIZE_KEYS - bool "Generate random TEA encryption keys automatically" - default n - ---help--- - Generate four random TEA keys from /dev/urandom and write them - to .config on the first build. The same keys are used for the - /etc/passwd hash and the firmware. - - make menuconfig # set password, enable this option - make - - Key values are not printed in the build log. Search .config for - CONFIG_FSUTILS_PASSWD_KEY to view them. A build warning is printed - when keys are first generated. - - Do not copy keys or the password into a defconfig or commit - them to version control. CONFIG_BOARD_ETC_ROMFS_PASSWD_RANDOMIZE_KEYS - may remain in defconfig; the password and KEY1..4 may not. - - If disabled, set CONFIG_FSUTILS_PASSWD_KEY1..4 manually under - Application Configuration -> File System Utilities -> - Password file support. - -comment "If not randomizing: set KEY1..4 at App Config -> File System Utilities -> Password file support" - depends on !BOARD_ETC_ROMFS_PASSWD_RANDOMIZE_KEYS - config BOARD_ETC_ROMFS_PASSWD_UID - int "Admin user ID" + int "Root user ID" default 0 config BOARD_ETC_ROMFS_PASSWD_GID - int "Admin group ID" + int "Root group ID" default 0 config BOARD_ETC_ROMFS_PASSWD_HOME - string "Admin home directory" + string "Root home directory" default "/" endif # BOARD_ETC_ROMFS_PASSWD_ENABLE diff --git a/boards/arm/lpc17xx_40xx/u-blox-c027/configs/nsh/defconfig b/boards/arm/lpc17xx_40xx/u-blox-c027/configs/nsh/defconfig index a76e33ef2cdc3..40f5c97e1bc28 100644 --- a/boards/arm/lpc17xx_40xx/u-blox-c027/configs/nsh/defconfig +++ b/boards/arm/lpc17xx_40xx/u-blox-c027/configs/nsh/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_DISABLE_LOSMART is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="arm" CONFIG_ARCH_BOARD="u-blox-c027" CONFIG_ARCH_BOARD_U_BLOX_C027=y @@ -15,6 +16,11 @@ CONFIG_ARCH_CHIP_LPC17XX_40XX=y CONFIG_ARCH_STACKDUMP=y CONFIG_BOARD_LOOPSPERMSEC=8079 CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y +CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO=y +CONFIG_CRYPTO_SW_AES=y CONFIG_DEBUG_FULLOPT=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DISABLE_ENVIRON=y @@ -26,6 +32,8 @@ CONFIG_EXAMPLES_CHAT_PRESET2="\"\" AT+USOCR=6 OK AT+USOCO=0,\\\"195.34.89.241\\\ CONFIG_EXAMPLES_CHAT_PRESET3="\"\" AT+USOWR=0,5,\\\"NuttX\\\" PAUSE 10 OK AT+USORD=0,5 NuttX AT+USOCL=0" CONFIG_FAT_LCNAMES=y CONFIG_FAT_LFN=y +CONFIG_FSUTILS_PASSWD=y +CONFIG_FSUTILS_PASSWD_READONLY=y CONFIG_FS_FAT=y CONFIG_FS_PROCFS=y CONFIG_INIT_ENTRYPOINT="nsh_main" @@ -59,6 +67,7 @@ CONFIG_NETINIT_MACADDR_1=0x55add7e5 CONFIG_NETINIT_MACADDR_2=0xbada CONFIG_NETINIT_NOMAC=y CONFIG_NETINIT_THREAD=y +CONFIG_NETUTILS_CODECS=y CONFIG_NETUTILS_DHCPC=y CONFIG_NETUTILS_TELNETD=y CONFIG_NETUTILS_TFTPC=y diff --git a/boards/arm/moxart/moxa/configs/nsh/defconfig b/boards/arm/moxart/moxa/configs/nsh/defconfig index bd4315e2a50bf..c0e77aa504eb6 100644 --- a/boards/arm/moxart/moxa/configs/nsh/defconfig +++ b/boards/arm/moxart/moxa/configs/nsh/defconfig @@ -34,6 +34,7 @@ CONFIG_16550_UART0_CLOCK=14745600 CONFIG_16550_UART0_IRQ=31 CONFIG_16550_UART0_SERIAL_CONSOLE=y CONFIG_16550_UART=y +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="arm" CONFIG_ARCH_BOARD="moxa" CONFIG_ARCH_BOARD_MOXA=y @@ -47,18 +48,18 @@ CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y CONFIG_BOARD_LOOPSPERMSEC=6965 CONFIG_BOOT_RUNFROMISRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y CONFIG_CRYPTO=y CONFIG_CRYPTO_CRYPTODEV=y CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO=y CONFIG_CRYPTO_SW_AES=y CONFIG_DEFAULT_SMALL=y CONFIG_ETC_ROMFS=y -CONFIG_ETC_ROMFSDEVNO=0 +CONFIG_FSUTILS_PASSWD=y +CONFIG_FSUTILS_PASSWD_READONLY=y CONFIG_FS_BINFS=y CONFIG_FS_ROMFS=y CONFIG_FS_UNIONFS=y -CONFIG_FSUTILS_PASSWD=y -CONFIG_FSUTILS_PASSWD_READONLY=y CONFIG_FTMAC100_BASE=0x90900000 CONFIG_FTMAC100_IRQ=25 CONFIG_FTMAC100_MAC0_ENV_ADDR=0x80000050 @@ -68,6 +69,7 @@ CONFIG_IOB_NBUFFERS=24 CONFIG_LIBC_EXECFUNCS=y CONFIG_LINE_MAX=80 CONFIG_NET=y +CONFIG_NETUTILS_CODECS=y CONFIG_NETUTILS_TELNETD=y CONFIG_NET_ARP_IPIN=y CONFIG_NET_ETH_PKTSIZE=1500 diff --git a/boards/arm/stm32f3/nucleo-f302r8/configs/ihm07m1_b16/defconfig b/boards/arm/stm32f3/nucleo-f302r8/configs/ihm07m1_b16/defconfig index 429998371d950..a8842958da1d0 100644 --- a/boards/arm/stm32f3/nucleo-f302r8/configs/ihm07m1_b16/defconfig +++ b/boards/arm/stm32f3/nucleo-f302r8/configs/ihm07m1_b16/defconfig @@ -55,6 +55,7 @@ CONFIG_INPUT_BUTTONS=y CONFIG_INPUT_BUTTONS_LOWER=y CONFIG_INTELHEX_BINARY=y CONFIG_LIBM=y +CONFIG_LTO_FULL=y CONFIG_MOTOR=y CONFIG_MOTOR_FOC=y CONFIG_MOTOR_FOC_TRACE=y diff --git a/boards/risc-v/esp32c3-legacy/esp32c3-legacy-devkit/src/etc/group b/boards/risc-v/esp32c3-legacy/esp32c3-legacy-devkit/src/etc/group index 1eca6970c9db2..f0565ff64b431 100644 --- a/boards/risc-v/esp32c3-legacy/esp32c3-legacy-devkit/src/etc/group +++ b/boards/risc-v/esp32c3-legacy/esp32c3-legacy-devkit/src/etc/group @@ -1 +1 @@ -root:*:0:root,admin +root:*:0:root diff --git a/boards/risc-v/esp32c3/esp32c3-devkit/configs/dropbear/defconfig b/boards/risc-v/esp32c3/esp32c3-devkit/configs/dropbear/defconfig index f6df7341487fe..650119204986f 100644 --- a/boards/risc-v/esp32c3/esp32c3-devkit/configs/dropbear/defconfig +++ b/boards/risc-v/esp32c3/esp32c3-devkit/configs/dropbear/defconfig @@ -23,6 +23,12 @@ CONFIG_ARCH_RISCV=y CONFIG_ARCH_STACKDUMP=y CONFIG_BOARD_LOOPSPERMSEC=15000 CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y +CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO=y +CONFIG_CRYPTO_RANDOM_POOL=y +CONFIG_CRYPTO_SW_AES=y CONFIG_DEV_URANDOM=y CONFIG_DRIVERS_IEEE80211=y CONFIG_DRIVERS_WIRELESS=y @@ -50,6 +56,7 @@ CONFIG_NETDEV_WIRELESS_IOCTL=y CONFIG_NETINIT_DHCPC=y CONFIG_NETINIT_WAPI_PASSPHRASE="mypasswd" CONFIG_NETINIT_WAPI_SSID="myssid" +CONFIG_NETUTILS_CODECS=y CONFIG_NETUTILS_DROPBEAR=y CONFIG_NETUTILS_DROPBEAR_HOSTKEY_PATH="/data/dropbear_ecdsa_host_key" CONFIG_NETUTILS_IPERF=y diff --git a/boards/sim/sim/sim/configs/adb/defconfig b/boards/sim/sim/sim/configs/adb/defconfig index 9f3e4add2aa72..5d7593350bad1 100644 --- a/boards/sim/sim/sim/configs/adb/defconfig +++ b/boards/sim/sim/sim/configs/adb/defconfig @@ -11,6 +11,7 @@ CONFIG_ADBD_LOGCAT_SERVICE=y CONFIG_ADBD_SHELL_SERVICE=y CONFIG_ADBD_SOCKET_SERVICE=y CONFIG_ADBD_TCP_SERVER=y +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -18,7 +19,14 @@ CONFIG_ARCH_CHIP="sim" CONFIG_ARCH_SIM=y CONFIG_BOARDCTL_POWEROFF=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y +CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO=y +CONFIG_CRYPTO_SW_AES=y CONFIG_DEBUG_SYMBOLS=y +CONFIG_FSUTILS_PASSWD=y +CONFIG_FSUTILS_PASSWD_READONLY=y CONFIG_FS_PROCFS=y CONFIG_FS_TMPFS=y CONFIG_INIT_ENTRYPOINT="nsh_main" @@ -32,6 +40,7 @@ CONFIG_MM_TLSF_MANAGER=y CONFIG_NET=y CONFIG_NETDB_DNSCLIENT=y CONFIG_NETDB_DNSSERVER_IPv4ADDR=0x08080808 +CONFIG_NETUTILS_CODECS=y CONFIG_NETUTILS_TELNETD=y CONFIG_NET_LOCAL=y CONFIG_NET_USRSOCK_CUSTOM=y diff --git a/boards/sim/sim/sim/configs/alsa/defconfig b/boards/sim/sim/sim/configs/alsa/defconfig index 5c579b333e258..28beec131dfff 100644 --- a/boards/sim/sim/sim/configs/alsa/defconfig +++ b/boards/sim/sim/sim/configs/alsa/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -19,6 +20,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_ETC_FATDEVNO=2 @@ -39,6 +43,7 @@ CONFIG_INIT_ENTRYPOINT="nsh_main" CONFIG_LIBC_ENVPATH=y CONFIG_LIBC_EXECFUNCS=y CONFIG_LIBC_MAX_EXITFUNS=1 +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_FILE_APPS=y CONFIG_NSH_READLINE=y diff --git a/boards/sim/sim/sim/configs/bastest/defconfig b/boards/sim/sim/sim/configs/bastest/defconfig index 940cacb8396d7..ce5f3334923af 100644 --- a/boards/sim/sim/sim/configs/bastest/defconfig +++ b/boards/sim/sim/sim/configs/bastest/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -17,6 +18,9 @@ CONFIG_BOARDCTL_ROMDISK=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_ETC_FATDEVNO=2 @@ -42,6 +46,7 @@ CONFIG_LIBC_EXECFUNCS=y CONFIG_LIBC_MAX_EXITFUNS=1 CONFIG_LIBC_STRERROR=y CONFIG_LIBM=y +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_CONSOLE_LOGIN=y CONFIG_NSH_FILE_APPS=y diff --git a/boards/sim/sim/sim/configs/bluetooth/defconfig b/boards/sim/sim/sim/configs/bluetooth/defconfig index ee833a5d1804f..9948df3a0d9ad 100644 --- a/boards/sim/sim/sim/configs/bluetooth/defconfig +++ b/boards/sim/sim/sim/configs/bluetooth/defconfig @@ -21,6 +21,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_DRIVERS_BLUETOOTH=y @@ -46,6 +49,7 @@ CONFIG_NET=y CONFIG_NETDEV_LATEINIT=y CONFIG_NETDEV_WIRELESS_IOCTL=y CONFIG_NETINIT_NETLOCAL=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_BLUETOOTH=y CONFIG_NET_STATISTICS=y CONFIG_NSH_BUILTIN_APPS=y diff --git a/boards/sim/sim/sim/configs/bthcisock/defconfig b/boards/sim/sim/sim/configs/bthcisock/defconfig index d691d28a0fe53..4135a5c7b18a3 100644 --- a/boards/sim/sim/sim/configs/bthcisock/defconfig +++ b/boards/sim/sim/sim/configs/bthcisock/defconfig @@ -22,6 +22,9 @@ CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BTSAK=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_DRIVERS_BLUETOOTH=y @@ -47,6 +50,7 @@ CONFIG_NET=y CONFIG_NETDEV_LATEINIT=y CONFIG_NETDEV_WIRELESS_IOCTL=y CONFIG_NETINIT_NETLOCAL=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_BLUETOOTH=y CONFIG_NET_STATISTICS=y CONFIG_NSH_BUILTIN_APPS=y diff --git a/boards/sim/sim/sim/configs/citest/defconfig b/boards/sim/sim/sim/configs/citest/defconfig index 8844a44d40f9b..d7a4b029224d8 100644 --- a/boards/sim/sim/sim/configs/citest/defconfig +++ b/boards/sim/sim/sim/configs/citest/defconfig @@ -8,6 +8,7 @@ # CONFIG_NET_ARP is not set # CONFIG_NSH_CMDOPT_HEXDUMP is not set # CONFIG_NSH_NETINIT is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ALLOW_MIT_COMPONENTS=y CONFIG_ALLSYMS=y CONFIG_ARCH="sim" @@ -27,6 +28,9 @@ CONFIG_CM_MM_TEST=y CONFIG_CM_PTHREAD_TEST=y CONFIG_CM_SCHED_TEST=y CONFIG_CM_TIME_TEST=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_CXX_LOCALIZATION=y CONFIG_CXX_WCHAR=y CONFIG_DEBUG_ASSERTIONS=y @@ -96,6 +100,7 @@ CONFIG_MQ_MAXMSGSIZE=128 CONFIG_NET=y CONFIG_NETDEV_IFINDEX=y CONFIG_NETDEV_LATEINIT=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_LOCAL=y CONFIG_NET_USRSOCK=y CONFIG_NSH_BUILTIN_APPS=y diff --git a/boards/sim/sim/sim/configs/crypto/defconfig b/boards/sim/sim/sim/configs/crypto/defconfig index 359d4c56e34ca..f56bb4d5cfdfa 100644 --- a/boards/sim/sim/sim/configs/crypto/defconfig +++ b/boards/sim/sim/sim/configs/crypto/defconfig @@ -16,6 +16,7 @@ CONFIG_ARCH_SIM=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y CONFIG_CRYPTO=y CONFIG_CRYPTO_CRYPTODEV=y CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO=y @@ -56,6 +57,7 @@ CONFIG_MBEDTLS_MD5_ALT=y CONFIG_MBEDTLS_SHA1_ALT=y CONFIG_MBEDTLS_SHA256_ALT=y CONFIG_MBEDTLS_SHA512_ALT=y +CONFIG_NETUTILS_CODECS=y CONFIG_PATH_INITIAL="/bin" CONFIG_PSEUDOFS_ATTRIBUTES=y CONFIG_PSEUDOFS_SOFTLINKS=y diff --git a/boards/sim/sim/sim/configs/dropbear/defconfig b/boards/sim/sim/sim/configs/dropbear/defconfig index e5990f622ce1d..3905398c47c01 100644 --- a/boards/sim/sim/sim/configs/dropbear/defconfig +++ b/boards/sim/sim/sim/configs/dropbear/defconfig @@ -16,7 +16,13 @@ CONFIG_ARCH_SIM=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y +CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO=y CONFIG_CRYPTO_MBEDTLS=y +CONFIG_CRYPTO_RANDOM_POOL=y +CONFIG_CRYPTO_SW_AES=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_GPIO=y CONFIG_DEV_LOOP=y @@ -55,6 +61,7 @@ CONFIG_NET=y CONFIG_NETDEV_LATEINIT=y CONFIG_NETINIT_DRIPADDR=0x0a000101 CONFIG_NETINIT_IPADDR=0x0a000102 +CONFIG_NETUTILS_CODECS=y CONFIG_NETUTILS_DROPBEAR=y CONFIG_NETUTILS_DROPBEAR_HOSTKEY_PATH="/tmp/dropbear_ecdsa_host_key" CONFIG_NET_BROADCAST=y diff --git a/boards/sim/sim/sim/configs/duktape/defconfig b/boards/sim/sim/sim/configs/duktape/defconfig index e9e2a0bd01ea5..bb29332e72bde 100644 --- a/boards/sim/sim/sim/configs/duktape/defconfig +++ b/boards/sim/sim/sim/configs/duktape/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -16,6 +17,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_ETC_FATDEVNO=2 @@ -38,6 +42,7 @@ CONFIG_LIBC_ENVPATH=y CONFIG_LIBC_EXECFUNCS=y CONFIG_LIBC_MAX_EXITFUNS=1 CONFIG_LIBM=y +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_CONSOLE_LOGIN=y CONFIG_NSH_FILE_APPS=y diff --git a/boards/sim/sim/sim/configs/dynconns/defconfig b/boards/sim/sim/sim/configs/dynconns/defconfig index 34223b6c914c8..f70c70e7efaef 100644 --- a/boards/sim/sim/sim/configs/dynconns/defconfig +++ b/boards/sim/sim/sim/configs/dynconns/defconfig @@ -19,6 +19,9 @@ CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y CONFIG_CAN_ALLOC_CONNS=1 +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEV_LOOP=y CONFIG_FSUTILS_PASSWD=y CONFIG_FSUTILS_PASSWD_READONLY=y @@ -41,6 +44,7 @@ CONFIG_NETDEV_PHY_IOCTL=y CONFIG_NETDOWN_NOTIFIER=y CONFIG_NETLINK_ALLOC_CONNS=1 CONFIG_NETLINK_ROUTE=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_6LOWPAN=y CONFIG_NET_6LOWPAN_EXTENDEDADDR=y CONFIG_NET_6LOWPAN_MAXADDRCONTEXT_PREINIT_1=y diff --git a/boards/sim/sim/sim/configs/elf/defconfig b/boards/sim/sim/sim/configs/elf/defconfig index bcec7bf16db41..0ca40839a8bec 100644 --- a/boards/sim/sim/sim/configs/elf/defconfig +++ b/boards/sim/sim/sim/configs/elf/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -17,6 +18,9 @@ CONFIG_BOARDCTL_ROMDISK=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_ELF=y @@ -38,6 +42,7 @@ CONFIG_INIT_ENTRYPOINT="nsh_main" CONFIG_LIBC_ENVPATH=y CONFIG_LIBC_MAX_EXITFUNS=1 CONFIG_LIBC_STRERROR=y +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_FILE_APPS=y CONFIG_NSH_MOTD=y diff --git a/boards/sim/sim/sim/configs/foc/defconfig b/boards/sim/sim/sim/configs/foc/defconfig index 97eee196dcbd8..f2f270c39e246 100644 --- a/boards/sim/sim/sim/configs/foc/defconfig +++ b/boards/sim/sim/sim/configs/foc/defconfig @@ -7,6 +7,7 @@ # # CONFIG_NSH_CMDOPT_HEXDUMP is not set # CONFIG_NSH_DISABLE_DATE is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -17,6 +18,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_ASSERTIONS=y CONFIG_DEBUG_FEATURES=y CONFIG_DEBUG_SYMBOLS=y @@ -77,6 +81,7 @@ CONFIG_MOTOR=y CONFIG_MOTOR_FOC=y CONFIG_MOTOR_FOC_DUMMY=y CONFIG_MOTOR_FOC_INST=4 +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_FILE_APPS=y CONFIG_NSH_MOTD=y diff --git a/boards/sim/sim/sim/configs/ipforward/defconfig b/boards/sim/sim/sim/configs/ipforward/defconfig index 459451ebd545e..af6244cee5c26 100644 --- a/boards/sim/sim/sim/configs/ipforward/defconfig +++ b/boards/sim/sim/sim/configs/ipforward/defconfig @@ -19,6 +19,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_ETC_FATDEVNO=2 @@ -39,6 +42,7 @@ CONFIG_LIBC_EXECFUNCS=y CONFIG_LIBC_HOSTNAME="IP-Forward" CONFIG_LIBC_MAX_EXITFUNS=1 CONFIG_NET=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_IPFORWARD=y CONFIG_NET_IPv6=y CONFIG_NET_IPv6_NCONF_ENTRIES=4 diff --git a/boards/sim/sim/sim/configs/libcxxtest/defconfig b/boards/sim/sim/sim/configs/libcxxtest/defconfig index b343cdd2ff5a7..e838d70a38d86 100644 --- a/boards/sim/sim/sim/configs/libcxxtest/defconfig +++ b/boards/sim/sim/sim/configs/libcxxtest/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -16,6 +17,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_CXX_EXCEPTION=y CONFIG_CXX_LOCALIZATION=y CONFIG_CXX_RTTI=y @@ -55,6 +59,7 @@ CONFIG_NETDB_DNSCLIENT=y CONFIG_NETDEV_PHY_IOCTL=y CONFIG_NETDOWN_NOTIFIER=y CONFIG_NETINIT_DHCPC=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_BROADCAST=y CONFIG_NET_ICMP_SOCKET=y CONFIG_NET_ICMPv6=y diff --git a/boards/sim/sim/sim/configs/login/defconfig b/boards/sim/sim/sim/configs/login/defconfig index 3021775d333be..972b05ba1f242 100644 --- a/boards/sim/sim/sim/configs/login/defconfig +++ b/boards/sim/sim/sim/configs/login/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -14,10 +15,14 @@ CONFIG_ARCH_SIM=y CONFIG_BOARDCTL_APP_SYMTAB=y CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y -CONFIG_BOARD_ETC_ROMFS_PASSWD_RANDOMIZE_KEYS=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y +CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO=y +CONFIG_CRYPTO_SW_AES=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_GPIO=y CONFIG_DEV_LOOP=y @@ -47,6 +52,7 @@ CONFIG_LIBC_LOCALE_CATALOG=y CONFIG_LIBC_LOCALE_GETTEXT=y CONFIG_LIBC_MAX_EXITFUNS=1 CONFIG_LIBC_NUMBERED_ARGS=y +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_CONSOLE_LOGIN=y CONFIG_NSH_FILE_APPS=y diff --git a/boards/sim/sim/sim/configs/lua/defconfig b/boards/sim/sim/sim/configs/lua/defconfig index 20571ae2c6039..b343d85df177e 100644 --- a/boards/sim/sim/sim/configs/lua/defconfig +++ b/boards/sim/sim/sim/configs/lua/defconfig @@ -7,6 +7,7 @@ # # CONFIG_INTERPRETERS_LUA_32BIT is not set # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -17,6 +18,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_ETC_FATDEVNO=2 @@ -50,6 +54,7 @@ CONFIG_LUA_LSYSLOG_MODULE=y CONFIG_LUA_LUV_MODULE=y CONFIG_NET=y CONFIG_NETDEV_IFINDEX=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_SOCKOPTS=y CONFIG_NET_TCP=y CONFIG_NET_UDP=y diff --git a/boards/sim/sim/sim/configs/matter/defconfig b/boards/sim/sim/sim/configs/matter/defconfig index 5d41be8ff1a08..900cbe1737668 100644 --- a/boards/sim/sim/sim/configs/matter/defconfig +++ b/boards/sim/sim/sim/configs/matter/defconfig @@ -17,6 +17,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_CRYPTO_MBEDTLS=y CONFIG_CXX_LOCALIZATION=y CONFIG_CXX_WCHAR=y @@ -63,6 +66,7 @@ CONFIG_NETDB_DNSSERVER_IPv4ADDR=0x771d1d1d CONFIG_NETINIT_DRIPADDR=0x0a000101 CONFIG_NETINIT_IPADDR=0x0a000102 CONFIG_NETLINK_ROUTE=y +CONFIG_NETUTILS_CODECS=y CONFIG_NETUTILS_JSONCPP=y CONFIG_NET_6LOWPAN=y CONFIG_NET_BINDTODEVICE=y diff --git a/boards/sim/sim/sim/configs/minibasic/defconfig b/boards/sim/sim/sim/configs/minibasic/defconfig index 0bdacd42e569c..6ff24cb7c8ab0 100644 --- a/boards/sim/sim/sim/configs/minibasic/defconfig +++ b/boards/sim/sim/sim/configs/minibasic/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -15,6 +16,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_ETC_FATDEVNO=2 @@ -36,6 +40,7 @@ CONFIG_LIBC_ENVPATH=y CONFIG_LIBC_EXECFUNCS=y CONFIG_LIBC_MAX_EXITFUNS=1 CONFIG_LIBM=y +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_FILE_APPS=y CONFIG_NSH_READLINE=y diff --git a/boards/sim/sim/sim/configs/minmea/defconfig b/boards/sim/sim/sim/configs/minmea/defconfig index 10664d38e3d52..b9dd4dd0b6567 100644 --- a/boards/sim/sim/sim/configs/minmea/defconfig +++ b/boards/sim/sim/sim/configs/minmea/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ALLSYMS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" @@ -17,6 +18,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_GPIO=y CONFIG_DEV_LOOP=y @@ -47,6 +51,7 @@ CONFIG_LIBC_LOCALE_CATALOG=y CONFIG_LIBC_LOCALE_GETTEXT=y CONFIG_LIBC_MAX_EXITFUNS=1 CONFIG_LIBC_NUMBERED_ARGS=y +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_CONSOLE_LOGIN=y CONFIG_NSH_FILE_APPS=y diff --git a/boards/sim/sim/sim/configs/mnemofs/defconfig b/boards/sim/sim/sim/configs/mnemofs/defconfig index 1743d0b688afe..7732caec0c567 100644 --- a/boards/sim/sim/sim/configs/mnemofs/defconfig +++ b/boards/sim/sim/sim/configs/mnemofs/defconfig @@ -17,6 +17,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_GPIO=y CONFIG_DEV_LOOP=y @@ -56,6 +59,7 @@ CONFIG_MTD_NAND_RAM_DEBUG=y CONFIG_MTD_NAND_RAM_STATUS=5 CONFIG_MTD_NAND_WRAPPER=y CONFIG_MTD_NAND_WRAPPER_DEBUG_LEVEL=3 +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_CONSOLE_LOGIN=y CONFIG_NSH_FILE_APPS=y diff --git a/boards/sim/sim/sim/configs/module/defconfig b/boards/sim/sim/sim/configs/module/defconfig index 04416d40d2498..3f68420844f0b 100644 --- a/boards/sim/sim/sim/configs/module/defconfig +++ b/boards/sim/sim/sim/configs/module/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -17,6 +18,9 @@ CONFIG_BOARDCTL_ROMDISK=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEV_LOOP=y CONFIG_EXAMPLES_LIBTEST=y CONFIG_EXAMPLES_MODULE=y @@ -39,6 +43,7 @@ CONFIG_NETDB_DNSCLIENT=y CONFIG_NETDEV_IFINDEX=y CONFIG_NETDEV_PHY_IOCTL=y CONFIG_NETDOWN_NOTIFIER=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_BROADCAST=y CONFIG_NET_ICMP_SOCKET=y CONFIG_NET_ICMPv6=y diff --git a/boards/sim/sim/sim/configs/module32/defconfig b/boards/sim/sim/sim/configs/module32/defconfig index 2a7f78f84de85..2770d19e9be42 100644 --- a/boards/sim/sim/sim/configs/module32/defconfig +++ b/boards/sim/sim/sim/configs/module32/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -17,6 +18,9 @@ CONFIG_BOARDCTL_ROMDISK=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEV_LOOP=y CONFIG_EXAMPLES_MODULE=y CONFIG_EXAMPLES_MODULE_DEVMINOR=4 @@ -37,6 +41,7 @@ CONFIG_NET=y CONFIG_NETDB_DNSCLIENT=y CONFIG_NETDEV_PHY_IOCTL=y CONFIG_NETDOWN_NOTIFIER=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_BROADCAST=y CONFIG_NET_ICMP_SOCKET=y CONFIG_NET_ICMPv6=y diff --git a/boards/sim/sim/sim/configs/nand/defconfig b/boards/sim/sim/sim/configs/nand/defconfig index 90225d3b6393d..94e94949c4d03 100644 --- a/boards/sim/sim/sim/configs/nand/defconfig +++ b/boards/sim/sim/sim/configs/nand/defconfig @@ -17,6 +17,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_GPIO=y CONFIG_DEV_LOOP=y @@ -55,6 +58,7 @@ CONFIG_MTD_NAND_RAM_DEBUG=y CONFIG_MTD_NAND_RAM_STATUS=5 CONFIG_MTD_NAND_WRAPPER=y CONFIG_MTD_NAND_WRAPPER_DEBUG_LEVEL=3 +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_CONSOLE_LOGIN=y CONFIG_NSH_FILE_APPS=y diff --git a/boards/sim/sim/sim/configs/nimble/defconfig b/boards/sim/sim/sim/configs/nimble/defconfig index 8ba91fe9567e2..a7c0fa7b0acdd 100644 --- a/boards/sim/sim/sim/configs/nimble/defconfig +++ b/boards/sim/sim/sim/configs/nimble/defconfig @@ -24,6 +24,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_DRIVERS_BLUETOOTH=y @@ -50,6 +53,7 @@ CONFIG_NET=y CONFIG_NETDEV_LATEINIT=y CONFIG_NETDEV_WIRELESS_IOCTL=y CONFIG_NETINIT_NETLOCAL=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_BLUETOOTH=y CONFIG_NET_STATISTICS=y CONFIG_NIMBLE=y diff --git a/boards/sim/sim/sim/configs/nshcromfs/defconfig b/boards/sim/sim/sim/configs/nshcromfs/defconfig index 4356609e3c2e6..1ec754aa276ed 100644 --- a/boards/sim/sim/sim/configs/nshcromfs/defconfig +++ b/boards/sim/sim/sim/configs/nshcromfs/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -17,6 +18,9 @@ CONFIG_BOARDCTL_ROMDISK=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_EXAMPLES_CROMFS=y @@ -33,6 +37,7 @@ CONFIG_INIT_ENTRYPOINT="nsh_main" CONFIG_LIBC_ENVPATH=y CONFIG_LIBC_EXECFUNCS=y CONFIG_LIBC_MAX_EXITFUNS=1 +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_FILE_APPS=y CONFIG_NSH_READLINE=y diff --git a/boards/sim/sim/sim/configs/posix_spawn/defconfig b/boards/sim/sim/sim/configs/posix_spawn/defconfig index acc2562cca532..ae40b8e522540 100644 --- a/boards/sim/sim/sim/configs/posix_spawn/defconfig +++ b/boards/sim/sim/sim/configs/posix_spawn/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -17,6 +18,9 @@ CONFIG_BOARDCTL_ROMDISK=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_ELF=y @@ -39,6 +43,7 @@ CONFIG_LIBC_ENVPATH=y CONFIG_LIBC_EXECFUNCS=y CONFIG_LIBC_MAX_EXITFUNS=1 CONFIG_LIBC_STRERROR=y +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_FILE_APPS=y CONFIG_NSH_MOTD=y diff --git a/boards/sim/sim/sim/configs/posix_test/defconfig b/boards/sim/sim/sim/configs/posix_test/defconfig index e1f89f739d9e7..26589a4ebd06a 100644 --- a/boards/sim/sim/sim/configs/posix_test/defconfig +++ b/boards/sim/sim/sim/configs/posix_test/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ALLOW_MIT_COMPONENTS=y CONFIG_ALLSYMS=y CONFIG_ARCH="sim" @@ -19,6 +20,9 @@ CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y CONFIG_CANCELLATION_POINTS=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_ASSERTIONS=y CONFIG_DEBUG_FEATURES=y CONFIG_DEBUG_SYMBOLS=y @@ -60,6 +64,7 @@ CONFIG_LIBC_PASSWD_FILE=y CONFIG_MQ_MAXMSGSIZE=64 CONFIG_NDEBUG=y CONFIG_NET=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_SOCKOPTS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_FILE_APPS=y diff --git a/boards/sim/sim/sim/configs/rc/defconfig b/boards/sim/sim/sim/configs/rc/defconfig index b4a979550376b..a68bb3c40e3c2 100644 --- a/boards/sim/sim/sim/configs/rc/defconfig +++ b/boards/sim/sim/sim/configs/rc/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -16,6 +17,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_DRIVERS_RC=y @@ -29,6 +33,7 @@ CONFIG_LIBC_ENVPATH=y CONFIG_LIBC_EXECFUNCS=y CONFIG_LIBC_FLOATINGPOINT=y CONFIG_LIBC_MAX_EXITFUNS=1 +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_FILE_APPS=y CONFIG_NSH_READLINE=y diff --git a/boards/sim/sim/sim/configs/romfs/defconfig b/boards/sim/sim/sim/configs/romfs/defconfig index 17e7579f9fcb8..53583b184889e 100644 --- a/boards/sim/sim/sim/configs/romfs/defconfig +++ b/boards/sim/sim/sim/configs/romfs/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -17,6 +18,9 @@ CONFIG_BOARDCTL_ROMDISK=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_ETC_FATDEVNO=2 @@ -38,6 +42,7 @@ CONFIG_LIBC_ENVPATH=y CONFIG_LIBC_EXECFUNCS=y CONFIG_LIBC_MAX_EXITFUNS=1 CONFIG_LIBC_STRERROR=y +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_CONSOLE_LOGIN=y CONFIG_NSH_FILE_APPS=y diff --git a/boards/sim/sim/sim/configs/rust/defconfig b/boards/sim/sim/sim/configs/rust/defconfig index c40d8dd6b50b1..a9691c0ab306b 100644 --- a/boards/sim/sim/sim/configs/rust/defconfig +++ b/boards/sim/sim/sim/configs/rust/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -16,6 +17,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_GPIO=y CONFIG_DEV_LOOP=y @@ -44,6 +48,7 @@ CONFIG_LIBC_LOCALE=y CONFIG_LIBC_LOCALE_CATALOG=y CONFIG_LIBC_LOCALE_GETTEXT=y CONFIG_LIBC_MAX_EXITFUNS=1 +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_CONSOLE_LOGIN=y CONFIG_NSH_FILE_APPS=y diff --git a/boards/sim/sim/sim/configs/segger/defconfig b/boards/sim/sim/sim/configs/segger/defconfig index 18821221117aa..27251f3052de6 100644 --- a/boards/sim/sim/sim/configs/segger/defconfig +++ b/boards/sim/sim/sim/configs/segger/defconfig @@ -7,6 +7,7 @@ # # CONFIG_NSH_CMDOPT_HEXDUMP is not set # CONFIG_SERIAL_RTT_CONSOLE is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -17,6 +18,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_GPIO=y CONFIG_DEV_LOOP=y @@ -47,6 +51,7 @@ CONFIG_LIBC_LOCALE=y CONFIG_LIBC_LOCALE_CATALOG=y CONFIG_LIBC_LOCALE_GETTEXT=y CONFIG_LIBC_MAX_EXITFUNS=1 +CONFIG_NETUTILS_CODECS=y CONFIG_NOTE_RTT=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_FILE_APPS=y diff --git a/boards/sim/sim/sim/configs/sensor/defconfig b/boards/sim/sim/sim/configs/sensor/defconfig index b1310c1c65366..a33da4926d419 100644 --- a/boards/sim/sim/sim/configs/sensor/defconfig +++ b/boards/sim/sim/sim/configs/sensor/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -16,6 +17,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_EXAMPLES_HELLO=y @@ -29,6 +33,7 @@ CONFIG_LIBC_ENVPATH=y CONFIG_LIBC_EXECFUNCS=y CONFIG_LIBC_FLOATINGPOINT=y CONFIG_LIBC_MAX_EXITFUNS=1 +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_FILE_APPS=y CONFIG_NSH_READLINE=y diff --git a/boards/sim/sim/sim/configs/smartfs/defconfig b/boards/sim/sim/sim/configs/smartfs/defconfig index 08377bac0e0df..d03a09417dfbb 100644 --- a/boards/sim/sim/sim/configs/smartfs/defconfig +++ b/boards/sim/sim/sim/configs/smartfs/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -16,6 +17,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_ASSERTIONS=y CONFIG_DEBUG_FEATURES=y CONFIG_DEBUG_FS=y @@ -41,6 +45,7 @@ CONFIG_MTD_M25P=y CONFIG_MTD_N25QXXX=y CONFIG_MTD_PARTITION=y CONFIG_MTD_SMART=y +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_CONSOLE_LOGIN=y CONFIG_NSH_DISABLE_LOSMART=y diff --git a/boards/sim/sim/sim/configs/sotest/defconfig b/boards/sim/sim/sim/configs/sotest/defconfig index 5c79de61d7958..477f12704d93c 100644 --- a/boards/sim/sim/sim/configs/sotest/defconfig +++ b/boards/sim/sim/sim/configs/sotest/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -17,6 +18,9 @@ CONFIG_BOARDCTL_ROMDISK=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEV_LOOP=y CONFIG_EXAMPLES_SOTEST=y CONFIG_FSUTILS_PASSWD=y @@ -35,6 +39,7 @@ CONFIG_NET=y CONFIG_NETDB_DNSCLIENT=y CONFIG_NETDEV_PHY_IOCTL=y CONFIG_NETDOWN_NOTIFIER=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_BROADCAST=y CONFIG_NET_ICMP_SOCKET=y CONFIG_NET_ICMPv6=y diff --git a/boards/sim/sim/sim/configs/sotest32/defconfig b/boards/sim/sim/sim/configs/sotest32/defconfig index ea21faf6d5082..b85ce4a388779 100644 --- a/boards/sim/sim/sim/configs/sotest32/defconfig +++ b/boards/sim/sim/sim/configs/sotest32/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -17,6 +18,9 @@ CONFIG_BOARDCTL_ROMDISK=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEV_LOOP=y CONFIG_EXAMPLES_SOTEST=y CONFIG_FSUTILS_PASSWD=y @@ -35,6 +39,7 @@ CONFIG_NET=y CONFIG_NETDB_DNSCLIENT=y CONFIG_NETDEV_PHY_IOCTL=y CONFIG_NETDOWN_NOTIFIER=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_BROADCAST=y CONFIG_NET_ICMP_SOCKET=y CONFIG_NET_ICMPv6=y diff --git a/boards/sim/sim/sim/configs/sqlite/defconfig b/boards/sim/sim/sim/configs/sqlite/defconfig index 766373b33530c..a74f0350048c9 100644 --- a/boards/sim/sim/sim/configs/sqlite/defconfig +++ b/boards/sim/sim/sim/configs/sqlite/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -15,6 +16,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_ETC_FATDEVNO=2 @@ -40,6 +44,7 @@ CONFIG_LIBC_ENVPATH=y CONFIG_LIBC_EXECFUNCS=y CONFIG_LIBC_MAX_EXITFUNS=1 CONFIG_LIB_SQLITE=y +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_FILE_APPS=y CONFIG_NSH_READLINE=y diff --git a/boards/sim/sim/sim/configs/tcploop/defconfig b/boards/sim/sim/sim/configs/tcploop/defconfig index ab4e6130709f3..8d6e14ed87329 100644 --- a/boards/sim/sim/sim/configs/tcploop/defconfig +++ b/boards/sim/sim/sim/configs/tcploop/defconfig @@ -19,6 +19,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_ETC_FATDEVNO=2 @@ -40,6 +43,7 @@ CONFIG_LIBC_EXECFUNCS=y CONFIG_LIBC_HOSTNAME="IP-Forward" CONFIG_LIBC_MAX_EXITFUNS=1 CONFIG_NET=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_IPv6=y CONFIG_NET_IPv6_NCONF_ENTRIES=4 CONFIG_NET_LOOPBACK=y diff --git a/boards/sim/sim/sim/configs/toywasm/defconfig b/boards/sim/sim/sim/configs/toywasm/defconfig index 36d6a990749be..028c0d888f259 100644 --- a/boards/sim/sim/sim/configs/toywasm/defconfig +++ b/boards/sim/sim/sim/configs/toywasm/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -16,6 +17,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_ASSERTIONS=y CONFIG_DEBUG_FEATURES=y CONFIG_DEBUG_SYMBOLS=y @@ -41,6 +45,7 @@ CONFIG_NETDB_DNSCLIENT=y CONFIG_NETDEV_PHY_IOCTL=y CONFIG_NETDOWN_NOTIFIER=y CONFIG_NETINIT_DHCPC=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_BROADCAST=y CONFIG_NET_ICMP_SOCKET=y CONFIG_NET_ICMPv6=y diff --git a/boards/sim/sim/sim/configs/userfs/defconfig b/boards/sim/sim/sim/configs/userfs/defconfig index 342b672a03342..30d10be64b4bb 100644 --- a/boards/sim/sim/sim/configs/userfs/defconfig +++ b/boards/sim/sim/sim/configs/userfs/defconfig @@ -8,6 +8,7 @@ # CONFIG_NET_ETHERNET is not set # CONFIG_NSH_CMDOPT_HEXDUMP is not set # CONFIG_NSH_NETINIT is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -17,6 +18,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_LOOP=y CONFIG_ETC_FATDEVNO=2 @@ -37,6 +41,7 @@ CONFIG_LIBC_ENVPATH=y CONFIG_LIBC_EXECFUNCS=y CONFIG_LIBC_MAX_EXITFUNS=1 CONFIG_NET=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_LOCAL=y CONFIG_NET_LOOPBACK=y CONFIG_NET_UDP=y diff --git a/boards/sim/sim/sim/configs/vpnkit/defconfig b/boards/sim/sim/sim/configs/vpnkit/defconfig index 0a88c72ce4884..60eb24225ce7a 100644 --- a/boards/sim/sim/sim/configs/vpnkit/defconfig +++ b/boards/sim/sim/sim/configs/vpnkit/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -16,6 +17,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_ASSERTIONS=y CONFIG_DEBUG_FEATURES=y CONFIG_DEBUG_SYMBOLS=y @@ -42,6 +46,7 @@ CONFIG_NETDB_DNSCLIENT=y CONFIG_NETDEV_PHY_IOCTL=y CONFIG_NETDOWN_NOTIFIER=y CONFIG_NETINIT_DHCPC=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_BROADCAST=y CONFIG_NET_ICMP_SOCKET=y CONFIG_NET_ICMPv6=y diff --git a/boards/sim/sim/sim/configs/wakaama/defconfig b/boards/sim/sim/sim/configs/wakaama/defconfig index c9b1e86a9c638..095211faf621b 100644 --- a/boards/sim/sim/sim/configs/wakaama/defconfig +++ b/boards/sim/sim/sim/configs/wakaama/defconfig @@ -8,6 +8,7 @@ # CONFIG_NET_ETHERNET is not set # CONFIG_NSH_CMDOPT_HEXDUMP is not set # CONFIG_NSH_DISABLE_DATE is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ALLOW_ECLIPSE_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" @@ -19,6 +20,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_CRYPTO_TINYDTLS=y CONFIG_DEBUG_ASSERTIONS=y CONFIG_DEBUG_FEATURES=y @@ -41,6 +45,7 @@ CONFIG_INIT_ENTRYPOINT="nsh_main" CONFIG_NET=y CONFIG_NETDB_DNSCLIENT=y CONFIG_NETDB_DNSSERVER_IPv4ADDR=0x08080808 +CONFIG_NETUTILS_CODECS=y CONFIG_NETUTILS_WAKAAMA=y CONFIG_NETUTILS_WEBCLIENT=y CONFIG_NET_USRSOCK_ICMP=y diff --git a/boards/sim/sim/sim/configs/wamr/defconfig b/boards/sim/sim/sim/configs/wamr/defconfig index 9c59cc357bbd1..05c67151455b1 100644 --- a/boards/sim/sim/sim/configs/wamr/defconfig +++ b/boards/sim/sim/sim/configs/wamr/defconfig @@ -19,6 +19,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_GPIO=y CONFIG_DEV_LOOP=y @@ -61,6 +64,7 @@ CONFIG_LIBC_MAX_EXITFUNS=1 CONFIG_LIBC_NUMBERED_ARGS=y CONFIG_LIBM=y CONFIG_NET=y +CONFIG_NETUTILS_CODECS=y CONFIG_NET_BINDTODEVICE=y CONFIG_NET_SOCKOPTS=y CONFIG_NET_TUN=y diff --git a/boards/sim/sim/sim/configs/zipfs/defconfig b/boards/sim/sim/sim/configs/zipfs/defconfig index cb5d5f058984c..9ef98a3122627 100644 --- a/boards/sim/sim/sim/configs/zipfs/defconfig +++ b/boards/sim/sim/sim/configs/zipfs/defconfig @@ -6,6 +6,7 @@ # modifications. # # CONFIG_NSH_CMDOPT_HEXDUMP is not set +CONFIG_ALLOW_BSD_COMPONENTS=y CONFIG_ARCH="sim" CONFIG_ARCH_BOARD="sim" CONFIG_ARCH_BOARD_SIM=y @@ -16,6 +17,9 @@ CONFIG_BOARDCTL_POWEROFF=y CONFIG_BOARD_LOOPSPERMSEC=0 CONFIG_BOOT_RUNFROMEXTSRAM=y CONFIG_BUILTIN=y +CONFIG_CODECS_BASE64=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_CRYPTODEV=y CONFIG_DEBUG_SYMBOLS=y CONFIG_DEV_GPIO=y CONFIG_DEV_LOOP=y @@ -48,6 +52,7 @@ CONFIG_LIBC_LOCALE_GETTEXT=y CONFIG_LIBC_MAX_EXITFUNS=1 CONFIG_LIBC_NUMBERED_ARGS=y CONFIG_LIB_ZLIB=y +CONFIG_NETUTILS_CODECS=y CONFIG_NSH_BUILTIN_APPS=y CONFIG_NSH_FILE_APPS=y CONFIG_NSH_MOTD=y diff --git a/boards/sim/sim/sim/src/etc/group b/boards/sim/sim/sim/src/etc/group index 1eca6970c9db2..f0565ff64b431 100644 --- a/boards/sim/sim/sim/src/etc/group +++ b/boards/sim/sim/sim/src/etc/group @@ -1 +1 @@ -root:*:0:root,admin +root:*:0:root