Initial commit

Your Name
2026-04-23 17:07:55 +08:00
commit b7e39e063b
16725 changed files with 1625565 additions and 0 deletions
@@ -0,0 +1,12 @@
[Unit]
Description=Migrate dropbear keys from /var/lib to /etc
Before=dropbearkey.service
ConditionPathExists=/var/lib/dropbear/dropbear_rsa_host_key
[Service]
RemainAfterExit=yes
Type=oneshot
ExecStart=/usr/libexec/dropbear/migrate-key-location
[Install]
WantedBy=dropbearkey.service
@@ -0,0 +1 @@
DROPBEAR_EXTRA_ARGS="-G priv-admin"
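Review bot: This line is the access-control setting for SSH logins, but nothing records what `-G priv-admin` is meant to do. Add a comment above it, for example `# -G: only members of group priv-admin may log in over SSH`. The group is not created by any file shown in this commit, so confirm the image provisions it before relying on this restriction.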
@@ -0,0 +1,18 @@
[Unit]
Description=SSH Key Generation
[Service]
# Set the default RSA key path then load environment variables from the
# environment file, which might override the default RSA key path.
Environment="DROPBEAR_RSAKEY_DIR=/etc/dropbear"
EnvironmentFile=-/etc/default/dropbear
Type=oneshot
ExecStart=@BASE_BINDIR@/sh -c \
"if [[ ! -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key ]]; then \
@BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR}; \
@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key; \
fi"
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
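Review bot: The existence test in ExecStart uses `[[ ... ]]`, a bash/ksh extension, while the command is run by `@BASE_BINDIR@/sh`. On a shell without `[[` the test fails, the `then` branch is skipped, and the oneshot still exits 0 with no host key generated. The POSIX form is enough here: `"if [ ! -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key ]; then \`. Separately, systemd substitutes `${DROPBEAR_RSAKEY_DIR}` into the command string before the shell parses it, so a value in /etc/default/dropbear containing spaces or shell metacharacters would be read as shell syntax. The comment above `Environment=` should say the value must be a plain directory path.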
@@ -0,0 +1,6 @@
// Disable CBC ciphers for modern security.
#define DROPBEAR_ENABLE_CBC_MODE 0
#define DROPBEAR_SHA1_96_HMAC 0
#define DROPBEAR_SHA2_256_HMAC 1
#define DROPBEAR_SHA2_512_HMAC 1
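Review bot: The one-line comment covers only `DROPBEAR_ENABLE_CBC_MODE`; the three HMAC lines below it are undocumented. `DROPBEAR_SHA1_HMAC` is not set in this file, so full-length HMAC-SHA1 stays at whatever the Dropbear build defaults to. Suggest a second comment such as `/* Drop the truncated SHA1-96 MAC; keep the SHA-2 MACs. DROPBEAR_SHA1_HMAC is left at the upstream default. */`. If the intent is SHA-2 MACs only, an explicit `#define DROPBEAR_SHA1_HMAC 0` would state it, but that shuts out clients without SHA-2 MAC support, so confirm the client population first.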
@@ -0,0 +1,11 @@
#!/bin/sh
if [ ! -e /etc/dropbear/dropbear_rsa_host_key ]; then
if [ -e /var/lib/dropbear/dropbear_rsa_host_key ]; then
echo "Migrating Dropbear key from /var/lib to /etc."
mkdir -p /etc/dropbear
mv /var/lib/dropbear/dropbear_rsa_host_key /etc/dropbear
else
echo "No Dropbear key found in /var/lib."
fi
fi
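Review bot: The result of `mkdir -p` is not checked before the `mv`, and the `mv` target is the bare directory name. If the directory is missing when `mv` runs, the private host key is renamed to a plain file called /etc/dropbear instead of failing. Chain the two and name the destination file: `mkdir -p /etc/dropbear && mv /var/lib/dropbear/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key`. When a key already exists in /etc the outer test skips everything, so an old private key stays in /var/lib and the migrate unit's `ConditionPathExists` keeps matching on every boot; consider removing the stale copy in that branch. It is also worth asserting after the move that the key is still readable by its owner only.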
@@ -0,0 +1,33 @@
diff --git a/options.h b/options.h
index 0c51bb1..3df2d67 100644
--- a/options.h
+++ b/options.h
@@ -95,12 +95,12 @@ much traffic. */
#define DROPBEAR_AES256
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
/*#define DROPBEAR_BLOWFISH*/
-#define DROPBEAR_TWOFISH256
-#define DROPBEAR_TWOFISH128
+/*#define DROPBEAR_TWOFISH256*/
+/*#define DROPBEAR_TWOFISH128*/
/* Enable CBC mode for ciphers. This has security issues though
* is the most compatible with older SSH implementations */
-#define DROPBEAR_ENABLE_CBC_MODE
+/*#define DROPBEAR_ENABLE_CBC_MODE*/
/* Enable "Counter Mode" for ciphers. This is more secure than normal
* CBC mode against certain attacks. It is recommended for security
@@ -131,10 +131,10 @@ If you test it please contact the Dropbear author */
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
* which are not the standard form. */
#define DROPBEAR_SHA1_HMAC
-#define DROPBEAR_SHA1_96_HMAC
+/*#define DROPBEAR_SHA1_96_HMAC*/
#define DROPBEAR_SHA2_256_HMAC
#define DROPBEAR_SHA2_512_HMAC
-#define DROPBEAR_MD5_HMAC
+/*#define DROPBEAR_MD5_HMAC*/
/* You can also disable integrity. Don't bother disabling this if you're
* still using a cipher, it's relatively cheap. If you disable this it's dead
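Review bot: This patch does not appear in the `SRC_URI` list of the recipe append later in this commit, so as far as this page shows it is never applied. The Twofish and MD5-HMAC removals it carries are not repeated in localoptions.h, so they would take effect only if the Dropbear version being built already defaults them off. Either add the patch to `SRC_URI` or delete it. If it stays, it needs a header with a short description and an `Upstream-Status:` line, since the file starts directly at `diff --git`.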
@@ -0,0 +1,26 @@
# 0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch
# has been upstreamed. This patch can be removed once we upgrade
# to yocto 2.5 or later which will pull in the latest dropbear code.
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += "file://dropbearkey.service \
file://localoptions.h \
file://dropbear.default \
file://dropbear-migrate-key-location.service \
file://migrate-key-location \
"
# pull in OpenSSH's /usr/libexec/sftp-server so we don't have to rely
# on the crufty old scp protocol for file transfer
RDEPENDS:${PN} += "openssh-sftp-server"
# Add service to migrate the dropbear keys from /var/lib to /etc.
do_install:append() {
install -d ${D}${base_libdir}/systemd/system
install -m 0644 ${WORKDIR}/dropbear-migrate-key-location.service \
${D}${base_libdir}/systemd/system
install -d ${D}${libexecdir}/${BPN}
install -m 0755 ${WORKDIR}/migrate-key-location ${D}${libexecdir}/${BPN}
}
SYSTEMD_SERVICE:${PN}:append = " dropbear-migrate-key-location.service"
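Review bot: The opening comment refers to `0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch`, but `SRC_URI` lists no patch. The `:prepend`/`:append` override syntax used here also postdates the "yocto 2.5" release it mentions. The comment looks stale and should be removed or replaced with one describing what this append actually adds (unit files, localoptions.h, the defaults file and the key-migration script). In `do_install:append` the unit directory is spelled `${D}${base_libdir}/systemd/system`; `${D}${systemd_system_unitdir}` is the usual variable and keeps the install path in step with where the systemd class expects the unit named in `SYSTEMD_SERVICE`.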