Add support for UnifiOS

Based on the work of Carlos Talbot (@tusc) in tusc/wireguard-kmod A lot of improvements have been contributed by @peacey For the full commit history, see the branch udm-support in fossoreslp/wireguard-vyatta-ubnt Signed-off-by: Pascal Vorwerk <info@fossores.de>
WireGuard · Sep 12, 2021 · 6354cef · 6354cef
1 parent 988ef6c
commit 6354cef
Show file tree

Hide file tree

Showing 29 changed files with 23,225 additions and 9 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -4,7 +4,9 @@ on:
   push:
     branches:
       - "master"
+      - "udm-support"
   pull_request:
+  workflow_dispatch:
 
 env:
   MODULE_VERSION: "1.0.20210606"
@@ -241,17 +243,168 @@ jobs:
           name: release_${{ matrix.device }}-v${{ matrix.version }}
           path: ${{ matrix.device }}-v${{ matrix.version }}-v${{ env.MODULE_VERSION }}-v${{ env.TOOLS_VERSION }}.deb
 
+  udm-prepare-buildroot:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v2
+      - name: Download buildroot-2017.11.1
+        run: |
+          curl -o buildroot.tar.bz2 https://buildroot.org/downloads/buildroot-2017.11.1.tar.bz2
+          tar -xf buildroot.tar.bz2
+      - name: Download WireGuard module source
+        run: |
+          curl -L -o wireguard-linux-compat-$MODULE_VERSION.tar.xz https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-$MODULE_VERSION.tar.xz
+          curl -L -o wireguard-linux-compat-$MODULE_VERSION.tar.asc https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-$MODULE_VERSION.tar.asc
+          unxz wireguard-linux-compat-$MODULE_VERSION.tar.xz
+          gpgv --keyring ci/AB9942E6D4A4CFC3412620A749FC7012A5DE03AE.gpg wireguard-linux-compat-$MODULE_VERSION.tar.asc wireguard-linux-compat-$MODULE_VERSION.tar
+      - name: Download WireGuard tools source
+        run: |
+          curl -L -o wireguard-tools-$TOOLS_VERSION.tar.xz https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-$TOOLS_VERSION.tar.xz
+          curl -L -o wireguard-tools-$TOOLS_VERSION.tar.asc https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-$TOOLS_VERSION.tar.asc
+          unxz wireguard-tools-$TOOLS_VERSION.tar.xz
+          gpgv --keyring ci/AB9942E6D4A4CFC3412620A749FC7012A5DE03AE.gpg wireguard-tools-$TOOLS_VERSION.tar.asc wireguard-tools-$TOOLS_VERSION.tar
+      - name: Copy packages
+        run: cp -pr unifios/packages/* buildroot-2017.11.1/package
+      - name: Copy WireGuard source
+        run: |
+          cp wireguard-linux-compat-$MODULE_VERSION.tar buildroot-2017.11.1/package/wireguard-linux-compat/
+          cp wireguard-tools-$TOOLS_VERSION.tar buildroot-2017.11.1/package/wireguard-tools/
+      - name: Set package versions
+        run: |
+          sed -i "s/PACKAGE_VERSION/$MODULE_VERSION/g" buildroot-2017.11.1/package/wireguard-linux-compat/wireguard-linux-compat.mk
+          sed -i "s/PACKAGE_VERSION/$TOOLS_VERSION/g" buildroot-2017.11.1/package/wireguard-tools/wireguard-tools.mk
+      - name: Patches
+        run: |
+          patch -p0 <unifios/patches/wireguard-packages.patch
+          patch -p0 <unifios/patches/openresolv-package.patch
+          patch -d buildroot-2017.11.1 -p1 <unifios/patches/add-kernel-4-19.patch
+          cp unifios/patches/0001-m4-glibc-change-work-around.patch buildroot-2017.11.1/package/m4
+          cp unifios/patches/0001-bison-glibc-change-work-around.patch buildroot-2017.11.1/package/bison
+          cp unifios/patches/944-mpc-relative-literal-loads-logic-in-aarch64_classify_symbol.patch buildroot-2017.11.1/package/gcc/6.4.0
+      - name: Generate artifacts
+        run: tar -cf buildroot.tar buildroot-2017.11.1
+      - name: Store headers
+        uses: actions/upload-artifact@v2
+        with:
+          name: buildroot
+          path: buildroot.tar
+  udm-build-modules:
+    needs: [udm-prepare-buildroot]
+    runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        base: [1.9.0-10, 1.10.0-8, 1.10.0-12]
+    steps:
+      - uses: actions/checkout@v2
+      - name: Restore buildroot
+        uses: actions/download-artifact@v2
+        with:
+          name: buildroot
+      - name: Extract buildroot
+        run: tar -xf buildroot.tar
+      - name: Build wireguard module
+        run: |
+          mkdir -p modules
+          cp unifios/udm-${{ matrix.base }}/buildroot-config.txt buildroot-2017.11.1/.config
+          cp unifios/udm-${{ matrix.base }}/UDM-config.txt buildroot-2017.11.1/UDM-config.txt
+          versions="$(cat unifios/udm-${{ matrix.base }}/versions.txt)"
+          prefix="$(cat unifios/udm-${{ matrix.base }}/prefix.txt)"
+          cd buildroot-2017.11.1
+          for ver in $versions; do
+            echo "Building version $ver"
+            make wireguard-linux-compat-dirclean
+            sed -i -e '/CONFIG_LOCALVERSION=/s/.*/CONFIG_LOCALVERSION="'$ver'"/' UDM-config.txt
+            make wireguard-linux-compat-rebuild -j$(nproc)
+            cp output/build/wireguard-linux-compat-$MODULE_VERSION/src/wireguard.ko ../modules/wireguard-${prefix}${ver}.ko
+            cp output/build/linux-custom/net/ipv4/netfilter/iptable_raw.ko ../modules/iptable_raw-${prefix}${ver}.ko
+            cp output/build/linux-custom/net/ipv6/netfilter/ip6table_raw.ko ../modules/ip6table_raw-${prefix}${ver}.ko
+          done
+      - name: Store modules
+        uses: actions/upload-artifact@v2
+        with:
+          name: modules
+          path: modules
+  udm-build-tools:
+    needs: [udm-prepare-buildroot]
+    runs-on: ubuntu-20.04
+    env:
+      BASE: 1.9.0-10
+    steps:
+      - uses: actions/checkout@v2
+      - name: Restore buildroot
+        uses: actions/download-artifact@v2
+        with:
+          name: buildroot
+      - name: Extract buildroot
+        run: tar -xf buildroot.tar
+      - name: Configure buildroot
+        run: |
+          cp unifios/udm-${{ env.BASE }}/buildroot-config.txt buildroot-2017.11.1/.config
+          cp unifios/udm-${{ env.BASE }}/UDM-config.txt buildroot-2017.11.1/UDM-config.txt
+      - name: Build WireGuard tools
+        run: cd buildroot-2017.11.1 && make wireguard-tools-rebuild # -> output/target/usr/bin/wg
+      - name: Build bash
+        run: cd buildroot-2017.11.1 && make bash-rebuild # -> output/target/bin/bash
+      - name: Build resolvconf
+        run: cd buildroot-2017.11.1 && make openresolv-rebuild # -> output/target/sbin/resolvconf
+      - name: Build qrencode
+        run: cd buildroot-2017.11.1 && make libqrencode-rebuild # -> output/target/usr/bin/qrencode
+      - name: Collect tools
+        run: |
+          mkdir -p tools/usr tools/usr/bin tools/sbin tools/etc
+          cp buildroot-2017.11.1/output/target/usr/bin/wg tools/usr/bin
+          cp buildroot-2017.11.1/output/target/bin/bash tools/usr/bin
+          cp buildroot-2017.11.1/output/target/usr/bin/qrencode tools/usr/bin
+          cp buildroot-2017.11.1/output/target/sbin/resolvconf tools/sbin
+          cp buildroot-2017.11.1/output/target/etc/resolvconf.conf tools/etc
+          cp buildroot-2017.11.1/output/build/wireguard-tools-$TOOLS_VERSION/src/wg-quick/linux.bash tools/usr/bin/wg-quick
+      - name: Store tools
+        uses: actions/upload-artifact@v2
+        with:
+          name: tools
+          path: tools
+  udm-package:
+    needs: [udm-build-tools, udm-build-modules]
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v2
+      - name: Prepare
+        run: mkdir package
+      - name: Restore modules
+        uses: actions/download-artifact@v2
+        with:
+          name: modules
+          path: package
+      - name: Restore tools
+        uses: actions/download-artifact@v2
+        with:
+          name: tools
+          path: package
+      - name: Add setup
+        run: cp unifios/setup_wireguard.sh package/
+      - name: Make binaries executable
+        run: chmod +x package/usr/bin/* package/sbin/*
+      - name: Package
+        run: tar -C package -czf UnifiOS-$MODULE_VERSION.tar.gz ./
+      - name: Store package
+        uses: actions/upload-artifact@v2
+        with:
+          name: release_unifios
+          path: UnifiOS-${{ env.MODULE_VERSION }}.tar.gz
+
   release:
     runs-on: ubuntu-20.04
-    needs: package
+    needs:
+      - package
+      - udm-package
 
     steps:
       - uses: actions/checkout@v2
       - name: Create Release
         id: create_release
         uses: fossoreslp/release-artifacts@v1
         with:
-          title: Wireguard ${{ env.MODULE_VERSION }} ${{ env.TOOLS_VERSION }}
+          title: WireGuard ${{ env.MODULE_VERSION }} ${{ env.TOOLS_VERSION }}
           template: ci/release_body.md
           token: ${{ secrets.GITHUB_TOKEN }}
           variables: ${{ toJSON(env) }}
diff --git a/ci/release_body.md b/ci/release_body.md
@@ -4,13 +4,13 @@ Changelog
 
 Versions
 ---------
-| Name | Version |
-|--------|---------|
-| Module | {{MODULE_VERSION}} |
-| Tools | {{TOOLS_VERSION}} |
-| EdgeOS v1 | {{FIRMWARE_ER_v1}} |
-| EdgeOS v2 | {{FIRMWARE_ER_v2}} |
-| USG firmware | {{FIRMWARE_UGW}} |
+| Name         | Version            |
+| ------------ | ------------------ |
+| Module       | {{MODULE_VERSION}} |
+| Tools        | {{TOOLS_VERSION}}  |
+| EdgeOS v1    | {{FIRMWARE_ER_v1}} |
+| EdgeOS v2    | {{FIRMWARE_ER_v2}} |
+| USG firmware | {{FIRMWARE_UGW}}   |
 
 See below for binaries.
 
@@ -49,3 +49,7 @@ UGW4:
 
 UGWXG:
  - UniFi Security Gateway XG 8
+
+UnifiOS:
+ - UDM
+ - UDM Pro
diff --git a/unifios/packages/openresolv/Config.in b/unifios/packages/openresolv/Config.in
@@ -0,0 +1,8 @@
+config BR2_PACKAGE_OPENRESOLV
+	bool "openresolv"
+	help
+	  openresolv is a resolvconf implementation which
+	  manages resolv.conf. This tool provides a dns management
+	  framework to track currently available nameservers.
+
+	  https://roy.marples.name/projects/openresolv
diff --git a/unifios/packages/openresolv/openresolv.hash b/unifios/packages/openresolv/openresolv.hash
@@ -0,0 +1,3 @@
+# Locally calculated
+sha256  7d74c669849183ecefdfcec30d25664b1ca24ba1ca8c2ad5de50fcaeef3b4810  openresolv-3.10.0.tar.gz
+sha256  384740bf5e19e7628d20f4dcc22925062fdc6020e9a6f074e567d4d797be57a0  LICENSE
diff --git a/unifios/packages/openresolv/openresolv.mk b/unifios/packages/openresolv/openresolv.mk
@@ -0,0 +1,25 @@
+################################################################################
+#
+# openresolv
+#
+################################################################################
+
+OPENRESOLV_VERSION = 3.10.0
+OPENRESOLV_SITE = $(call github,rsmarples,openresolv,openresolv-$(OPENRESOLV_VERSION))
+OPENRESOLV_LICENSE = BSD-2-Clause
+OPENRESOLV_LICENSE_FILES = LICENSE
+OPENRESOLV_CPE_ID_VENDOR = openresolv_project
+
+define OPENRESOLV_CONFIGURE_CMDS
+	cd $(@D) && $(TARGET_CONFIGURE_OPTS) ./configure --sysconfdir=/etc
+endef
+
+define OPENRESOLV_BUILD_CMDS
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D)
+endef
+
+define OPENRESOLV_INSTALL_TARGET_CMDS
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) DESTDIR="$(TARGET_DIR)" install
+endef
+
+$(eval $(generic-package))
diff --git a/unifios/packages/wireguard-linux-compat/Config.in b/unifios/packages/wireguard-linux-compat/Config.in
@@ -0,0 +1,26 @@
+config BR2_PACKAGE_WIREGUARD_LINUX_COMPAT
+	bool "wireguard linux-compat"
+	depends on BR2_LINUX_KERNEL
+	# kernel module requires 3.10+
+	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_10
+	# kernel module in upstream linux since 5.6
+	depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_6
+	help
+	  WireGuard is an extremely simple yet fast and modern VPN
+	  that utilizes state-of-the-art cryptography. It aims to be
+	  faster, simpler, leaner, and more useful than IPSec, while
+	  avoiding the massive headache. It intends to be considerably
+	  more performant than OpenVPN. WireGuard is designed as a
+	  general purpose VPN for running on embedded interfaces and
+	  super computers alike, fit for many different
+	  circumstances.
+
+	  Support for WireGuard is included in Linux 5.6+. This
+	  package provides a backport of the kernel support for older
+	  kernels.
+
+	  https://www.wireguard.com
+
+comment "wireguard-linux-compat needs a toolchain w/ headers >= 3.10"
+	depends on BR2_LINUX_KERNEL
+	depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_10
diff --git a/unifios/packages/wireguard-linux-compat/wireguard-linux-compat.mk b/unifios/packages/wireguard-linux-compat/wireguard-linux-compat.mk
@@ -0,0 +1,24 @@
+################################################################################
+#
+# wireguard
+#
+################################################################################
+
+WIREGUARD_LINUX_COMPAT_VERSION = PACKAGE_VERSION
+WIREGUARD_LINUX_COMPAT_SITE = $(TOPDIR)/package/wireguard-linux-compat
+WIREGUARD_LINUX_COMPAT_SITE_METHOD = file
+WIREGUARD_LINUX_COMPAT_SOURCE = wireguard-linux-compat-$(WIREGUARD_LINUX_COMPAT_VERSION).tar
+WIREGUARD_LINUX_COMPAT_LICENSE = GPL-2.0
+WIREGUARD_LINUX_COMPAT_LICENSE_FILES = COPYING
+WIREGUARD_LINUX_COMPAT_MODULE_SUBDIRS = src
+
+define WIREGUARD_LINUX_COMPAT_LINUX_CONFIG_FIXUPS
+	$(call KCONFIG_ENABLE_OPT,CONFIG_INET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NET_FOU)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CRYPTO)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CRYPTO_MANAGER)
+endef
+
+$(eval $(kernel-module))
+$(eval $(generic-package))
diff --git a/unifios/packages/wireguard-tools/Config.in b/unifios/packages/wireguard-tools/Config.in
@@ -0,0 +1,21 @@
+config BR2_PACKAGE_WIREGUARD_TOOLS
+	bool "wireguard tools"
+	# kernel module requires 3.10+, userspace makes no sense without it
+	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_10
+	help
+	  WireGuard is an extremely simple yet fast and modern VPN
+	  that utilizes state-of-the-art cryptography. It aims to be
+	  faster, simpler, leaner, and more useful than IPSec, while
+	  avoiding the massive headache. It intends to be considerably
+	  more performant than OpenVPN. WireGuard is designed as a
+	  general purpose VPN for running on embedded interfaces and
+	  super computers alike, fit for many different
+	  circumstances.
+
+	  This package provides the userspace tooling to configure
+	  WireGuard tunnels.
+
+	  https://www.wireguard.com
+
+comment "wireguard-tools needs a toolchain w/ headers >= 3.10"
+	depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_10
diff --git a/unifios/packages/wireguard-tools/wireguard-tools.mk b/unifios/packages/wireguard-tools/wireguard-tools.mk
@@ -0,0 +1,37 @@
+################################################################################
+#
+# wireguard-tools
+#
+################################################################################
+
+WIREGUARD_TOOLS_VERSION = PACKAGE_VERSION
+WIREGUARD_TOOLS_SITE = $(TOPDIR)/package/wireguard-tools
+WIREGUARD_TOOLS_SITE_METHOD = file
+WIREGUARD_TOOLS_SOURCE = wireguard-tools-$(WIREGUARD_TOOLS_VERSION).tar
+WIREGUARD_TOOLS_LICENSE = GPL-2.0
+WIREGUARD_TOOLS_LICENSE_FILES = COPYING
+
+ifeq ($(BR2_INIT_SYSTEMD),y)
+WIREGUARD_TOOLS_MAKE_OPTS += WITH_SYSTEMDUNITS=yes
+WIREGUARD_TOOLS_DEPENDENCIES += host-pkgconf
+else
+WIREGUARD_TOOLS_MAKE_OPTS += WITH_SYSTEMDUNITS=no
+endif
+
+ifeq ($(BR2_PACKAGE_BASH),y)
+WIREGUARD_TOOLS_MAKE_OPTS += WITH_BASHCOMPLETION=yes WITH_WGQUICK=yes
+else
+WIREGUARD_TOOLS_MAKE_OPTS += WITH_BASHCOMPLETION=no WITH_WGQUICK=no
+endif
+
+define WIREGUARD_TOOLS_BUILD_CMDS
+	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) $(WIREGUARD_TOOLS_MAKE_OPTS) \
+		-C $(@D)/src
+endef
+
+define WIREGUARD_TOOLS_INSTALL_TARGET_CMDS
+	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) $(WIREGUARD_TOOLS_MAKE_OPTS) \
+		-C $(@D)/src install DESTDIR=$(TARGET_DIR)
+endef
+
+$(eval $(generic-package))
diff --git a/unifios/patches/0001-bison-glibc-change-work-around.patch b/unifios/patches/0001-bison-glibc-change-work-around.patch
@@ -0,0 +1,33 @@
+Subject: Workaround change in glibc
+
+Temporary workaround to compile with glibc 2.28, which
+deprecated some constants
+
+Based on the workaround made for the tools/m4 package
+
+--- a/lib/stdio-impl.h
++++ b/lib/stdio-impl.h
+@@ -18,6 +18,12 @@
+    the same implementation of stdio extension API, except that some fields
+    have different naming conventions, or their access requires some casts.  */
+
++/* Glibc 2.28 made _IO_IN_BACKUP private.  For now, work around this
++   problem by defining it ourselves.  FIXME: Do not rely on glibc
++   internals.  */
++#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN
++# define _IO_IN_BACKUP 0x100
++#endif
+
+ /* BSD stdio derived implementations.  */
+
+--- a/lib/fseterr.c
++++ b/lib/fseterr.c
+@@ -29,7 +29,7 @@
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   fp->_flags |= _IO_ERR_SEEN;
+ #elif defined __sferror || defined __DragonFly__ /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin */
+   fp_->_flags |= __SERR;