Merge "velia: read-only network monitoring via IETF models"
diff --git a/board/czechlight/common/busybox-config b/board/czechlight/common/busybox-config
index 174c853..1a4f03d 100644
--- a/board/czechlight/common/busybox-config
+++ b/board/czechlight/common/busybox-config
@@ -8,3 +8,6 @@
# initial flashing
CONFIG_BLKDISCARD=y
+
+# velia-system password change
+CONFIG_CHPASSWD=y
diff --git a/board/czechlight/epia_geode/genimage.cfg b/board/czechlight/epia_geode/genimage.cfg
deleted file mode 100644
index d346949..0000000
--- a/board/czechlight/epia_geode/genimage.cfg
+++ /dev/null
@@ -1,24 +0,0 @@
-image hdimage.img {
- hdimage {
- align = 1M
- }
- partition mbr {
- in-partition-table = "no"
- image = "boot.img"
- offset = 0
- size = 512
- }
- partition grub {
- in-partition-table = "no"
- image = "grub.img"
- offset = 512
- }
- partition rootfs {
- partition-type = 0x83
- image = "rootfs.ext4"
- }
- partition sysrepo {
- partition-type = 0x83
- size = 32M
- }
-}
diff --git a/board/czechlight/epia_geode/linux.fragment b/board/czechlight/epia_geode/linux.fragment
deleted file mode 100644
index 59f49ca..0000000
--- a/board/czechlight/epia_geode/linux.fragment
+++ /dev/null
@@ -1,22 +0,0 @@
-# Epia on-board devices
-CONFIG_SATA_VIA=y
-CONFIG_PATA_VIA=y
-CONFIG_VIA_RHINE=y
-CONFIG_VIA_VELOCITY=y
-CONFIG_I2C_VIA=y
-CONFIG_I2C_VIAPRO=y
-CONFIG_VIA_WDT=y
-
-# Geode LX
-CONFIG_SCx200_ACB=y
-CONFIG_MFD_CS5535=y
-CONFIG_CS5535_MFGPT=y
-CONFIG_GEODE_WDT=y
-CONFIG_GPIOLIB=y
-CONFIG_GPIO_CS5535=y
-CONFIG_MTD=y
-CONFIG_MTD_NAND=y
-CONFIG_MTD_NAND_CS553X=y
-
-# QEMU
-CONFIG_I6300ESB_WDT=y
diff --git a/board/czechlight/epia_geode/overlay/boot/grub/grub.cfg b/board/czechlight/epia_geode/overlay/boot/grub/grub.cfg
deleted file mode 100644
index 243cd75..0000000
--- a/board/czechlight/epia_geode/overlay/boot/grub/grub.cfg
+++ /dev/null
@@ -1,6 +0,0 @@
-set default="0"
-set timeout="3"
-
-menuentry "CzechLight" {
- linux /boot/bzImage root=/dev/sda1
-}
diff --git a/board/czechlight/epia_geode/overlay/usr/lib/systemd/network/enp0s13.network b/board/czechlight/epia_geode/overlay/usr/lib/systemd/network/enp0s13.network
deleted file mode 100644
index bcfc7d1..0000000
--- a/board/czechlight/epia_geode/overlay/usr/lib/systemd/network/enp0s13.network
+++ /dev/null
@@ -1,4 +0,0 @@
-[Match]
-Name=enp0s13
-[Network]
-DHCP=yes
diff --git a/board/czechlight/epia_geode/overlay/usr/lib/systemd/network/enp0s14.network b/board/czechlight/epia_geode/overlay/usr/lib/systemd/network/enp0s14.network
deleted file mode 100644
index 0560540..0000000
--- a/board/czechlight/epia_geode/overlay/usr/lib/systemd/network/enp0s14.network
+++ /dev/null
@@ -1,4 +0,0 @@
-[Match]
-Name=enp0s14
-[Network]
-DHCP=yes
diff --git a/board/czechlight/epia_geode/prepare-grub.sh b/board/czechlight/epia_geode/prepare-grub.sh
deleted file mode 100755
index 43a0014..0000000
--- a/board/czechlight/epia_geode/prepare-grub.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-cp $HOST_DIR/usr/lib/grub/i386-pc/boot.img $BINARIES_DIR
diff --git a/board/czechlight/i686_container/overlay/usr/lib/systemd/network/eth0.network b/board/czechlight/i686_container/overlay/usr/lib/systemd/network/eth0.network
deleted file mode 100644
index 16ac288..0000000
--- a/board/czechlight/i686_container/overlay/usr/lib/systemd/network/eth0.network
+++ /dev/null
@@ -1,4 +0,0 @@
-[Match]
-Name=eth0
-[Network]
-DHCP=yes
diff --git a/configs/czechlight_epia_geode_defconfig b/configs/czechlight_epia_geode_defconfig
deleted file mode 100644
index 07792dc..0000000
--- a/configs/czechlight_epia_geode_defconfig
+++ /dev/null
@@ -1,66 +0,0 @@
-BR2_x86_i686=y
-BR2_SSP_STRONG=y
-BR2_TOOLCHAIN_EXTERNAL=y
-BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
-BR2_TOOLCHAIN_EXTERNAL_URL="https://toolchains.bootlin.com/downloads/releases/toolchains/x86-i686/tarballs/x86-i686--glibc--bleeding-edge-2018.02-1.tar.bz2"
-BR2_TOOLCHAIN_EXTERNAL_CUSTOM_PREFIX="i686-buildroot-linux-gnu"
-BR2_TOOLCHAIN_EXTERNAL_GCC_7=y
-BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_9=y
-BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC=y
-BR2_TOOLCHAIN_EXTERNAL_CXX=y
-BR2_TARGET_GENERIC_HOSTNAME="czechlight"
-BR2_TARGET_GENERIC_ISSUE="Welcome to CzechLight"
-BR2_TARGET_GENERIC_PASSWD_SHA512=y
-BR2_TARGET_GENERIC_GETTY_PORT="tty1"
-BR2_INIT_SYSTEMD=y
-# BR2_TARGET_GENERIC_REMOUNT_ROOTFS_RW is not set
-BR2_ENABLE_LOCALE_WHITELIST="C en_US en_US.utf8"
-BR2_ROOTFS_OVERLAY="$(BR2_EXTERNAL_CZECHLIGHT_PATH)/board/czechlight/common/overlay/ $(BR2_EXTERNAL_CZECHLIGHT_PATH)/board/czechlight/epia_geode/overlay/"
-BR2_ROOTFS_POST_BUILD_SCRIPT="$(BR2_EXTERNAL_CZECHLIGHT_PATH)/board/czechlight/epia_geode/prepare-grub.sh"
-BR2_ROOTFS_POST_IMAGE_SCRIPT="support/scripts/genimage.sh"
-BR2_ROOTFS_POST_SCRIPT_ARGS="-c $(BR2_EXTERNAL_CZECHLIGHT_PATH)/board/czechlight/epia_geode/genimage.cfg"
-BR2_LINUX_KERNEL=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.14.4"
-BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y
-BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="$(BR2_EXTERNAL_CZECHLIGHT_PATH)/board/czechlight/common/linux.fragment $(BR2_EXTERNAL_CZECHLIGHT_PATH)/board/czechlight/epia_geode/linux.fragment"
-BR2_LINUX_KERNEL_INSTALL_TARGET=y
-BR2_PACKAGE_LINUX_TOOLS_GPIO=y
-BR2_PACKAGE_LINUX_TOOLS_PERF=y
-BR2_PACKAGE_BUSYBOX_CONFIG_FRAGMENT_FILES="$(BR2_EXTERNAL_CZECHLIGHT_PATH)/board/czechlight/common/busybox-config"
-BR2_PACKAGE_LSOF=y
-BR2_PACKAGE_STRACE=y
-BR2_PACKAGE_E2FSPROGS=y
-BR2_PACKAGE_SQUASHFS=y
-BR2_PACKAGE_I2C_TOOLS=y
-BR2_PACKAGE_SPI_TOOLS=y
-BR2_PACKAGE_LIBGPIOD_TOOLS=y
-# BR2_PACKAGE_NETSNMP_SERVER is not set
-# BR2_PACKAGE_NETSNMP_CLIENTS is not set
-# BR2_PACKAGE_NETSNMP_ENABLE_MIBS is not set
-BR2_PACKAGE_OPENSSH=y
-BR2_PACKAGE_BASH=y
-BR2_PACKAGE_INOTIFY_TOOLS=y
-BR2_PACKAGE_DDRESCUE=y
-BR2_PACKAGE_RAUC=y
-BR2_PACKAGE_RAUC_NETWORK=y
-BR2_PACKAGE_SYSTEMD_COREDUMP=y
-# BR2_PACKAGE_SYSTEMD_HWDB is not set
-BR2_PACKAGE_SYSTEMD_LOGIND=y
-# BR2_PACKAGE_SYSTEMD_MYHOSTNAME is not set
-BR2_PACKAGE_UTIL_LINUX_AGETTY=y
-BR2_PACKAGE_VIM=y
-# BR2_PACKAGE_VIM_RUNTIME is not set
-BR2_TARGET_ROOTFS_CPIO=y
-BR2_TARGET_ROOTFS_CPIO_GZIP=y
-BR2_TARGET_ROOTFS_CPIO_UIMAGE=y
-BR2_TARGET_ROOTFS_EXT2=y
-BR2_TARGET_ROOTFS_EXT2_4=y
-BR2_TARGET_ROOTFS_EXT2_SIZE="256M"
-# BR2_TARGET_ROOTFS_TAR is not set
-BR2_TARGET_GRUB2=y
-BR2_PACKAGE_HOST_DOSFSTOOLS=y
-BR2_PACKAGE_HOST_GENIMAGE=y
-BR2_PACKAGE_HOST_MTOOLS=y
-BR2_PACKAGE_HOST_RAUC=y
-CZECHLIGHT_NETCONF=y
diff --git a/configs/czechlight_i686_container_defconfig b/configs/czechlight_i686_container_defconfig
deleted file mode 100644
index 0b38511..0000000
--- a/configs/czechlight_i686_container_defconfig
+++ /dev/null
@@ -1,37 +0,0 @@
-BR2_x86_i686=y
-BR2_CCACHE=y
-BR2_OPTIMIZE_2=y
-BR2_SSP_STRONG=y
-BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
-BR2_KERNEL_HEADERS_3_10=y
-BR2_GLIBC_VERSION_2_25=y
-BR2_BINUTILS_VERSION_2_28_X=y
-BR2_GCC_VERSION_6_X=y
-BR2_TOOLCHAIN_BUILDROOT_CXX=y
-BR2_GCC_ENABLE_LTO=y
-BR2_GCC_ENABLE_GRAPHITE=y
-BR2_TARGET_GENERIC_HOSTNAME="czechlight"
-BR2_TARGET_GENERIC_ISSUE="Welcome to CzechLight"
-BR2_TARGET_GENERIC_PASSWD_SHA256=y
-BR2_INIT_SYSTEMD=y
-BR2_ENABLE_LOCALE_WHITELIST="C en_US en_US.utf8"
-BR2_ROOTFS_OVERLAY="$(BR2_EXTERNAL_CZECHLIGHT_PATH)/board/czechlight/common/overlay/ $(BR2_EXTERNAL_CZECHLIGHT_PATH)/board/czechlight/i686_container/overlay/"
-BR2_PACKAGE_BUSYBOX_CONFIG_FRAGMENT_FILES="$(BR2_EXTERNAL_CZECHLIGHT_PATH)/board/czechlight/common/busybox-config"
-BR2_PACKAGE_LSOF=y
-BR2_PACKAGE_STRACE=y
-BR2_PACKAGE_NETOPEER2_CLI=y
-# BR2_PACKAGE_NETSNMP_SERVER is not set
-# BR2_PACKAGE_NETSNMP_CLIENTS is not set
-# BR2_PACKAGE_NETSNMP_ENABLE_MIBS is not set
-BR2_PACKAGE_OPENSSH=y
-BR2_PACKAGE_BASH=y
-BR2_PACKAGE_SCREEN=y
-BR2_PACKAGE_SYSTEMD_COREDUMP=y
-BR2_PACKAGE_SYSTEMD_LOGIND=y
-BR2_PACKAGE_SYSTEMD_RANDOMSEED=y
-BR2_PACKAGE_SYSTEMD_SYSUSERS=y
-BR2_PACKAGE_UTIL_LINUX_AGETTY=y
-BR2_PACKAGE_VIM=y
-# BR2_PACKAGE_VIM_RUNTIME is not set
-BR2_TARGET_ROOTFS_TAR_XZ=y
-CZECHLIGHT_NETCONF=y
diff --git a/crypto/README.md b/crypto/README.md
new file mode 100644
index 0000000..2a7b937
--- /dev/null
+++ b/crypto/README.md
@@ -0,0 +1,25 @@
+# Isn't this horribly insecure?
+
+Yes, there is a private key in a publicly accessible git repository.
+We have decided that this is not a security problem for us.
+
+These keys control signing of FW images which might be -- eventually -- deployed to devices.
+Now that the key has been effectively leaked, that implies that anyone can produce a malicious FW image which will still be accepted via RAUC.
+We are not relying on signature verification for FW image installations; we're just using that as a better checksum control.
+We're using RAUC and we've ensured that only root can invoke a `rauc install ...`, which means that nobody but root can install a malicious image.
+Root can already do *anything* on these devices, and that's by design, we are not using signed boot images verified by the boot loader, or anything like that, really.
+So what we've lost is a safeguard from RAUC saying "hey, that FW image that you're downloading, that has not been produced by CESNET".
+
+If we used a "real setup" with a proper CA and key management, we would probably have one certificate chain for "development builds" in the CI, and some re-signing for images that have been "approved" (merged patches).
+We would also require something for developers' local workflow with transient keys, probably short-lived ones.
+We would have to set up some key management.
+We would have also needed to define a process on how to configure a device to accept the development images.
+
+However, any developer is allowed to propose patches, and these patches would get auto-signed by the CI anyway.
+Granted, it would not be the "production signature", but these boxes will *have* to accept these devel signatures anyway.
+We would also have to deal with the back-and-forth of key signing and certificate renewal.
+
+What we chose instead is to "disable" RAUC signature verification.
+Now that anyone in the world can build an image and have it signed, we have downgraded RAUC's signature checking to a glorified checksum.
+
+TL;DR: this means that we are effectively not using RAUC's image verification.
diff --git a/package/velia/velia.mk b/package/velia/velia.mk
index 41ee75e..8a6be0e 100644
--- a/package/velia/velia.mk
+++ b/package/velia/velia.mk
@@ -12,7 +12,7 @@
-DVELIA_AUTHORIZED_KEYS_FORMAT="/cfg/ssh-user-auth/{USER}" \
-DNFT_EXECUTABLE=/usr/sbin/nft \
-DSSH_KEYGEN_EXECUTABLE=/usr/bin/ssh-keygen \
- -DCHPASSWD_EXECUTABLE=/usr/bin/chpasswd \
+ -DCHPASSWD_EXECUTABLE=/usr/sbin/chpasswd \
-DSYSTEMCTL_EXECUTABLE=/usr/bin/systemctl \
-DNETWORKCTL_EXECUTABLE=/usr/bin/networkctl \
-DHOSTNAMECTL_EXECUTABLE=/usr/bin/hostnamectl