Add NanoKVM support #44
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…r file based usb disk
This reverts commit 2373dd2.
…tition or file based usb disk" This reverts commit 5d0d4d0.
This reverts commit 97cd8f7.
Fixes the following CVEs: CVE-2024-24783: crypto/x509: Verify panics on certificates with an unknown public key algorithm CVE-2023-45290: net/http: memory exhaustion in Request.ParseMultipartForm CVE-2023-45289: net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect CVE-2024-24785: html/template: errors returned from MarshalJSON methods may break template escaping CVE-2024-24784: net/mail: comments in display names are incorrectly handled https://go.dev/doc/devel/release#go1.21.8 Signed-off-by: Christian Stewart <[email protected]> Signed-off-by: Peter Korsgaard <[email protected]>
Update to the latest 1.19.x version available. Signed-off-by: Christian Stewart <[email protected]> Signed-off-by: Arnout Vandecappelle <[email protected]>
Add a third bootstrap stage with Go1.21.x necessary for go1.22 bootstrap. go-bootstrap-stage1 is Go1.4.x, the final version to support bootstrap using a C compiler (later versions require the Go compiler for bootstrapping). See: https://go.dev/doc/install/source#bootstrapFromSource go-bootstrap-stage2 is Go 1.19.13, the last version to support bootstrap using the Go1.4.x compiler. go-bootstrap-stage3 is Go 1.21.8, the last version to support bootstrap using the Go1.19.13 compiler. Go 1.20 requires a minimum of go 1.17.13 to bootstrap. See: https://go.dev/doc/go1.20#bootstrap This patch is in preparation for bumping the host-go package to >go1.22.x, which requires a minimum of Go1.20.x for bootstrap. See: https://go.dev/doc/go1.22#bootstrap Signed-off-by: Christian Stewart <[email protected]> [Arnout: add GOCACHE definition] Signed-off-by: Arnout Vandecappelle <[email protected]>
Upgrade Go to the latest v1.22.x point release, go1.22.1. This requires go-bootstrap-stage3 at version go1.21.8: See: https://go.dev/doc/go1.22#bootstrap https://go.dev/doc/devel/release#go1.22.1 Signed-off-by: Christian Stewart <[email protected]> Signed-off-by: Arnout Vandecappelle <[email protected]>
CVE-2023-45288: http2: close connections when receiving too many headers https://go.dev/doc/devel/release#go1.22.2 Signed-off-by: Christian Stewart <[email protected]> Signed-off-by: Peter Korsgaard <[email protected]>
Fixes CVEs: CVE-2024-24787: cmd/go: arbitrary code execution during build on darwin CVE-2024-24788: net: malformed DNS message can cause infinite loop https://go.dev/doc/devel/release#go1.22.3 Signed-off-by: Christian Stewart <[email protected]> Signed-off-by: Thomas Petazzoni <[email protected]>
…s invalid .git Since go-bootstrap-stage3 package has been added to Buildroot [1], all tests using go are failing only on Gitlab-ci jobs. The build succeed if we use docker-run script. Since the issue is only trigged by Gitlab-ci environment, the issue is related to the ownership of the (buildroot) git tree, see [2]. go seems to ignore the .gitconfig set by before_script. Anyway, go should not try to use git to retrieve some info since we are not building it from the go repository. go package was already patched for a similar issue when building host-go within docker [3]. Apply the same patch to go-bootstrap-stage3 to disable VCS support. See http://lists.busybox.net/pipermail/buildroot/2024-May/691273.html [1] f00eb37de9b4b0ddbdeb5c7ebae48c883c27e132 [2] a016b693f7830f3c8ae815851d3204b8b6e99821 [3] bc8e70a08ba083d978c828e31442a7645c9099d7 Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/6833307649 (tests.fs.test_oci.TestOci) https://gitlab.com/buildroot.org/buildroot/-/jobs/6833307823 (tests.package.test_docker_compose.TestDockerCompose) https://gitlab.com/buildroot.org/buildroot/-/jobs/6833308175 (tests.package.test_mender.TestMender) Runtime tested: https://gitlab.com/kubu93/buildroot/-/jobs/6860670292 Signed-off-by: Romain Naour <[email protected]> Cc: Christian Stewart <[email protected]> Signed-off-by: Yann E. MORIN <[email protected]>
Fixes the following CVEs: CVE-2024-24789: archive/zip: mishandling of corrupt central directory record CVE-2024-24790: net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses View the release notes for more information: https://go.dev/doc/devel/release#go1.22.4 Signed-off-by: Christian Stewart <[email protected]> Signed-off-by: Peter Korsgaard <[email protected]>
Fixes CVE: CVE-2024-24791: net/http: denial of service due to improper 100-continue handling https://go.dev/doc/devel/release#go1.22.5 Signed-off-by: Christian Stewart <[email protected]> Signed-off-by: Thomas Petazzoni <[email protected]> (cherry picked from commit 5d02277884e406625c0142e7c3e68dfe30bdf6c4) Signed-off-by: Peter Korsgaard <[email protected]>
Fixes the following CVEs: CVE-2024-34155: go/parser: stack exhaustion in all Parse* functions CVE-2024-34156: encoding/gob: stack exhaustion in Decoder.Decode CVE-2024-34158: go/build/constraint: stack exhaustion in Parse https://go.dev/doc/devel/release#go1.22.7 Signed-off-by: Christian Stewart <[email protected]> Signed-off-by: Thomas Petazzoni <[email protected]>
Expose the host-go in the menuconfig, so that user can select what go compiler to use, without having to first enable a go package, or to have it in the SDK without having a go package enabled. Signed-off-by: Athaariq Ardhiansyah <[email protected]> [[email protected]: rewrite commit log] Signed-off-by: Yann E. MORIN <[email protected]>
Signed-off-by: Yann E. MORIN <[email protected]>
This package provides a pre-built version for the host-go virtual package introduced in the previous commits: - host-go-bin installs a pre-built version of the Go compiler. By default, host-go remains built from sources to keep the same behavior as the former version. The menuconfig entry for host-go is updated to expose the host-go-bin provider. The dependencies are set as such as if host-go-src does not support the host architecture, it will automatically fall back to host-go-bin and vice versa. Signed-off-by: Thomas Perale <[email protected]> [[email protected]: - update hashes for 1.22.7 - add hash for the source tarball - set _DL_SUBDIR - don't set a prompt to BR2_PACKAGE_HOST_GO_BIN_HOST_ARCH ] Signed-off-by: Yann E. MORIN <[email protected]>
go1.22.8 (released 2024-10-01) includes fixes to cgo, maps, and syscall. https://go.dev/doc/devel/release#go1.22.8 Signed-off-by: Christian Stewart <[email protected]> Signed-off-by: Thomas Petazzoni <[email protected]>
Go 1.23.0 is a major release of Go. Most of its changes are in the implementation of the toolchain, runtime, and libraries. https://go.dev/doc/go1.23 https://go.dev/doc/devel/release#go1.23.2 Signed-off-by: Christian Stewart <[email protected]> Signed-off-by: Thomas Petazzoni <[email protected]>
Commit 7b2a164b7460 (package/go/go-bin: new host-go provider) broke the case for prompt-less, host-only go packages, as the main host-go symbol would not be selected. This very same use-case was initially broken when the first go-src provider was introduced with fa2536ec9401 (package/go: make host package a virtual package), and subsequently fixed in 99a5d51c6e9f (package/go: ensure there is a host-go provider), so 7b2a164b7460 is causing a regression of a fixed regression. Fix that the very same way it was originally fixed. Signed-off-by: Yann E. MORIN <[email protected]> Cc: Yann E. MORIN <[email protected]> Cc: Thomas Perale <[email protected]> Signed-off-by: Julien Olivain <[email protected]>
go1.23.3 (released 2024-11-06) includes fixes to the linker, the runtime, and the net/http, os, and syscall packages. https://go.dev/doc/devel/release#go1.23.minor Signed-off-by: Christian Stewart <[email protected]> Signed-off-by: Julien Olivain <[email protected]> (cherry picked from commit 47881d30dbf4977e8dd1ca54106fbb9aeaef8413) Signed-off-by: Peter Korsgaard <[email protected]>
go1.23.4 (released 2024-12-03) includes fixes to the compiler, the runtime, the trace command, and the syscall package. https://go.dev/doc/devel/release#go1.23.4 https://github.com/golang/go/issues?q=milestone%3AGo1.23.4+label%3ACherryPickApproved Signed-off-by: Christian Stewart <[email protected]> Signed-off-by: Julien Olivain <[email protected]> (cherry picked from commit ef273589633170018abe2bb20de75e11443b36a1) Signed-off-by: Peter Korsgaard <[email protected]>
go1.23.5 (released 2025-01-16) includes security fixes to the crypto/x509 and net/http packages, as well as bug fixes to the compiler, the runtime, and the net package. https://go.dev/doc/devel/release#go1.23.5 https://github.com/golang/go/issues?q=milestone%3AGo1.23.5+label%3ACherryPickApproved Signed-off-by: Christian Stewart <[email protected]> Signed-off-by: Peter Korsgaard <[email protected]> (cherry picked from commit 6299f479d124ebe01f12f4044e2b978463cbc3b6) Signed-off-by: Peter Korsgaard <[email protected]>
go1.23.6 (released 2025-02-04) includes security fixes to the crypto/elliptic package, as well as bug fixes to the compiler and the go command. https://go.dev/doc/devel/release#go1.23.6 https://github.com/golang/go/issues?q=milestone%3AGo1.23.6+label%3ACherryPickApproved While we are at it, drop the unused source tarball hash from the go-bin package. Signed-off-by: Peter Korsgaard <[email protected]> Signed-off-by: Thomas Petazzoni <[email protected]> (cherry picked from commit b4006287f86ad52b0f5bf929f4a7f34c1a5720b4) Signed-off-by: Peter Korsgaard <[email protected]>
The commit b4006287f8 "package/go: security bump to version 1.23.6" removed the go source from the go-bin package `.hash` file. Since that commit, a number of autobuild errors for the host-go-bin package started spawning during the 'legal-info' step. Because the package 'go-bin' defines the '_ACTUAL_SOURCE_TARBALL' variable the source hash is still required for the legal-info. Similarly to the 'nodejs' package, the hash files for both the `go-bin` and `go-src` package are shared in the `package/go` directory with the help of a symbolic link used to make the subdirectories point to that common `.hash` file. Fixes: https://autobuild.buildroot.org/results/337/33763441a065ddb07e944e26ad8f1f6d43b68592 Signed-off-by: Thomas Perale <[email protected]> Signed-off-by: Romain Naour <[email protected]> (cherry picked from commit 8b7982357728eeeaf7ce9992c5362bbfe429891e) Signed-off-by: Peter Korsgaard <[email protected]>
This reverts commit 98a3a35.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
9 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This will add the nanokvm app to the buildroot and some init script enhancements to build an image for NanoKVM.
The init scripts can be controlled by adding the files /boot.usb.hid and /boot/usb.disk0.
Currently I did not want to add an extra defconfig, I use this build script (not included in the pull request) to run the nanokvm build:
https://raw.githubusercontent.com/scpcom/LicheeRV-Nano-Build/develop/build-nanokvm.sh