Linux - IPSec log 解析

libreswan 的連線訊息解析 (或是 freeswan、openswan)

Main Mode 連線關卡順序是:
    [IKEv1 or IKEV2]   =>   [phase1加密方式]   =>   [加密金鑰(Pre-Shared Key)]   =>
    [ID or FQDN]   =>   [網段參數]   =>   [phase2加密方式] => 
    [本機下連線成功的規則 (_updown)]
註:
    1. 以前是 [phase2加密方式] 會優先於 [網段參數]
    2. 看log連線是建立成功的,但是事實上卻是失敗的。很有可能是_updown的問題
    3. Aggressive Mode 一開始就會先比對 ID


連線訊息

被動連線 phase 1

pluto[
32031]: "test" #31: responding to Main Mode
pluto[
32031]: "test" #31: WARNING: connection vigor PSK length of 10 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
pluto[
32031]: "test" #31: sent Main Mode R1
pluto[
32031]: "test" #31: sent Main Mode R2
pluto[
32031]: "test" #31: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
pluto[32031]: "test" #31: Peer ID is ID_IPV4_ADDR: 'XX.XX.XX.XX'
(↑對方的連線IP,如果對方是NAT後才出來的,也在這看↑)
pluto[
32031]: "test" #31: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP1024}
(↑對方設定的 phase 1 加密方式 & 建立成功↑)
pluto[
32031]: "test" #31: the peer proposed: 192.168.200.0/24 -<all>-> 192.168.100.0/24


被動連線 phase 2

pluto[
32031]: "test" #32: responding to Quick Mode proposal {msgid:6fb993a9}
pluto[
32031]: "test" #32: us: 192.168.200.0/24===XX.XX.XX.XX[+S?C] them: XX.XX.XX.XX[+S?C]===192.168.100.0/24
(↑對方的網段設定↑)
pluto[
32031]: "test" #32: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation tunnel mode {ESP=>0x9d188d43 <0xaa47b62d xfrm=AES_CBC_128-HMAC_SHA2_256_128 DPD=active}
(↑對方 phase 2 的加密設定↑)
pluto[
32031]: "test" #32: IPsec SA established tunnel mode {ESP=>0x9d188d43 <0xaa47b62d xfrm=AES_CBC_128-HMAC_SHA2_256_128 DPD=active}
(↑建立成功↑)


主動連線 phase 1

pluto[
2219]: "test" #194: initiating IKEv1 Main Mode connection
pluto[
2219]: "test" #194: sent Main Mode request
pluto[
2219]: "test" #194: WARNING: connection test PSK length of 8 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
pluto[
2219]: "test" #194: sent Main Mode I2
pluto[
2219]: "test" #194: sent Main Mode I3
pluto[
2219]: "test" #194: Peer ID is ID_IPV4_ADDR: '對方ip'
(↑對方的連線IP,如果對方是NAT後才出來的,也在這看↑)
pluto[
2219]: "test" #194: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP1024}
(↑建立成功 & 加密方式↑)


主動連線 phase 2

pluto[
2219]: "test" #199: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+UP+ESN_NO+ESN_YES {using isakmp#198 msgid:72ade70d proposal=AES_CBC_128-HMAC_SHA2_256_128 pfsgroup=no-pfs}
pluto[
2219]: "test" #199: sent Quick Mode request
pluto[
2219]: "test" #199: IPsec SA established tunnel mode {ESP=>0xd6a277d1 <0x10fd9e2a xfrm=AES_CBC_128-HMAC_SHA2_256_128 DPD=active}
    (↑建立成功 & 加密方式↑)



ikev2 連線 
(19570是主動phase1,19571是被動phase1)
(19572是主動phase2,19574是被動phase2)

pluto[
25600]: "test": IKE SA proposals (connection add):
pluto[
25600]: "test": 1:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP1024
pluto[
25600]: "test": Child SA proposals (connection add):
pluto[
25600]: "test": 1:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[
25600]: "test": added IKEv2 connection
pluto[
25600]: "test" #19570: initiating IKEv2 connection
pluto[
25600]: "test" #19570: sent IKE_SA_INIT request to 對方的ip:500
pluto[25600]: "test" #19571: proposal 1:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP1024 chosen from remote proposals 1:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024[first-match]
pluto[
25600]: "test" #19570: WARNING: '自己的ip' PSK length of 10 bytes is too short for PRF HMAC_SHA2_256 in FIPS mode (16 bytes required)
pluto[
25600]: "test" #19570: sent IKE_AUTH request {cipher=AES_CBC_128 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP1024}
(phase 1 的加密方式)
pluto[
25600]: "test" #19571: sent IKE_SA_INIT reply {cipher=AES_CBC_128 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP1024}
(phase 1 的加密方式)
pluto[
25600]: "test" #19570: WARNING: '自己的ip' PSK length of 10 bytes is too short for PRF HMAC_SHA2_256 in FIPS mode (16 bytes required)
pluto[
25600]: "test" #19570: initiator established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '對方的ip'
(phase 1 建立成功)
pluto[
25600]: "test" #19572: initiator established Child SA using #19570; IPsec tunnel [192.168.16.0-192.168.16.255:0-65535 0] -> [192.168.161.0-192.168.161.255:0-65535 0] {ESP/ESN=>0x97a0fd13 <0x58707730 xfrm=AES_CBC_128-HMA
(phase 2 建立成功,並有網段資訊,也有加密方式)
pluto[
25600]: "test" #19571: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr}
pluto[
25600]: "test" #19571: WARNING: '自己的ip' PSK length of 10 bytes is too short for PRF HMAC_SHA2_256 in FIPS mode (16 bytes required)
pluto[
25600]: "test" #19571: responder established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '對方的ip'
pluto[25600]: "test" #19571: WARNING: '自己的ip' PSK length of 10 bytes is too short for PRF HMAC_SHA2_256 in FIPS mode (16 bytes required)
pluto[
25600]: "test" #19574: proposal 1:ESP=AES_CBC_128-HMAC_SHA2_256_128-ENABLED SPI=f4cb0b42 chosen from remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_256_128;ESN=ENABLED;ESN=DISABLED[first-match]
pluto[
25600]: "test" #19574: responder established Child SA using #19571; IPsec tunnel [192.168.16.0-192.168.16.255:0-65535 0] -> [192.168.161.0-192.168.161.255:0-65535 0] {ESP/ESN=>0xf4cb0b42 <0xe01e4f1d xfrm=AES_CBC_128-HMA



主動斷線

pluto[2219]: "test": terminating SAs using this connection



換 key 訊息 

主動換 phase 1 key

pluto[2219]: "test" #233: initiating IKEv1 Main Mode connection to replace #232
pluto[2219]: "test" #233: sent Main Mode request, replacing #232
pluto[2219]: "test" #233: WARNING: connection test PSK length of 8 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
pluto[2219]: "test" #233: sent Main Mode I2
pluto[2219]: "test" #233: sent Main Mode I3
pluto[2219]: "test" #233: Peer ID is ID_IPV4_ADDR: '對方ip'
pluto[2219]: "test" #233: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP1024}


主動換 phase 2 key

pluto[2219]: "test" #234: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+UP+ESN_NO+ESN_YES to replace #231 {using isakmp#233 msgid:22b65fd2 proposal=AES_CBC_128-HMAC_SHA2_256_128 pfsgroup=no-pfs}
pluto[2219]: "test" #234: sent Quick Mode request, to replace #231
pluto[2219]: "test" #234: IPsec SA established tunnel mode {ESP=>0xa4c3f9f2 <0x32a86927 xfrm=AES_CBC_128-HMAC_SHA2_256_128 DPD=active}


被動換 phase 1 key

pluto[1677]: "test" #224: responding to Main Mode
pluto[1677]: "test" #224: WARNING: connection test PSK length of 8 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
pluto[1677]: "test" #224: sent Main Mode R1
pluto[1677]: "test" #224: sent Main Mode R2
pluto[1677]: "test" #224: Peer ID is ID_IPV4_ADDR: '對方ip'
pluto[1677]: "test" #224: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP1024}


被動換 phase 2 key

pluto[
1677]: "test" #225: the peer proposed: 192.168.83.0/24 -<all>-> 192.168.22.0/24
pluto[1677]: "test" #226: responding to Quick Mode proposal {msgid:0fada115}
pluto[
1677]: "test" #226: us: 192.168.83.0/24===自己ip[+S?C] them: 對方ip[+S?C]===192.168.22.0/24
pluto[1677]: "test" #226: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation tunnel mode {ESP=>0xae86187a <0x786e6b10 xfrm=AES_CBC_128-HMAC_SHA2_256_128 DPD=active}
pluto[
1677]: "test" #226: IPsec SA established tunnel mode {ESP=>0xae86187a <0x786e6b10 xfrm=AES_CBC_128-HMAC_SHA2_256_128 DPD=active}



錯誤訊息

對方過來的連線,沒有相符的設定

pluto[
1677]: packet from 對方ip:500: initial Aggressive Mode message from 對方ip:500 but no (wildcard) connection has been configured with authby PSK


主動換 phase 1 key,但對方無回應

pluto[
32031]: "test" #26: initiating IKEv1 Main Mode connection to replace #19
pluto[32031]: "test" #26: sent Main Mode request, replacing #19
pluto[32031]: "test" #26: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
pluto[
32031]: "test" #26: STATE_MAIN_I1: retransmission; will wait 1 seconds for response
pluto[
32031]: "test" #26: STATE_MAIN_I1: retransmission; will wait 2 seconds for response
pluto[
32031]: "test" #26: STATE_MAIN_I1: retransmission; will wait 4 seconds for response
pluto[
32031]: "test" #26: STATE_MAIN_I1: retransmission; will wait 8 seconds for response
pluto[
32031]: "test" #26: STATE_MAIN_I1: retransmission; will wait 16 seconds for response
pluto[
32031]: "test" #26: STATE_MAIN_I1: retransmission; will wait 32 seconds for response
pluto[
32031]: "test" #26: STATE_MAIN_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKEv1 message
pluto[
32031]: "test" #26: starting keying attempt 2 of an unlimited number


主動換 phase 2 key,但對方無回應

pluto[
32031]: "test" #34: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+UP+ESN_NO+ESN_YES to replace #33 {using isakmp#31 msgid:4cd7380f proposal=AES_CBC_128-HMAC_SHA2_256_128 pfsgroup=no-pfs}
pluto[32031]: "test" #34: sent Quick Mode request, to replace #33
pluto[32031]: "test" #34: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
pluto[
32031]: "test" #34: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
pluto[
32031]: "test" #34: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
pluto[
32031]: "test" #34: STATE_QUICK_I1: retransmission; will wait 4 seconds for response
pluto[
32031]: "test" #34: STATE_QUICK_I1: retransmission; will wait 8 seconds for response
pluto[
32031]: "test" #34: STATE_QUICK_I1: retransmission; will wait 16 seconds for response
pluto[
32031]: "test" #34: STATE_QUICK_I1: retransmission; will wait 32 seconds for response
pluto[
32031]: "test" #34: STATE_QUICK_I1: 60 second timeout exceeded after 7 retransmits
pluto[
32031]: "test" #34: starting keying attempt 3 of an unlimited number


DPD 找不到 phase 1 的資料 (會導致斷線)

pluto[
32031]: "test" #25: DPD: could not find newest phase 1 state - initiating a new one
pluto[
32031]: "test" #25: DPD action - clearing connection kind CK_PERMANENT
pluto[
32031]: "test" #25: deleting state (STATE_QUICK_R2) aged 620.985747s and NOT sending notification
pluto[
32031]: "test" #25: ESP traffic information: in=0B out=0B


IPSec 金鑰不符 或 太短(密碼長度至少 16 個字元)

pluto[
3617]: "test" #552: responding to Main Mode from unknown peer XX.XX.XX.XX:500 (被動)
pluto[3617]: "test" #552: sent Main Mode R1
pluto[
3617]: "test" #552: sent Main Mode R2
pluto[
3617]: "test" #552: 35129-byte length of ISAKMP Identification Payload is larger than can fit
pluto[
3617]: "test" #552: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
pluto[
3617]: "test" #552: STATE_MAIN_R2: retransmission; will wait 0.5 seconds for response
pluto[
3617]: "test" #552: 35129-byte length of ISAKMP Identification Payload is larger than can fit
pluto[
3617]: "test" #552: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
pluto[
3617]: "test" #552: STATE_MAIN_R2: retransmission; will wait 1 seconds for response
pluto[
3617]: "test" #552: STATE_MAIN_R2: retransmission; will wait 2 seconds for response
pluto[
3617]: "test" #552: 35129-byte length of ISAKMP Identification Payload is larger than can fit
pluto[
3617]: "test" #552: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
pluto[
3617]: "test" #552: STATE_MAIN_R2: retransmission; will wait 4 seconds for response
pluto[
3617]: "test" #552: 35129-byte length of ISAKMP Identification Payload is larger than can fit
pluto[
3617]: "test" #552: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet


phase 1 加密方式錯誤 (主動連線) (無法看出需要什麼加密方式)

pluto[
2219]: "test" #14: initiating IKEv1 Main Mode connection
pluto[
2219]: "test" #14: sent Main Mode request
pluto[
2219]: "test" #14: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
pluto[2219]: "test" #14: received and ignored notification payload: NO_PROPOSAL_CHOSEN


phase 1 加密方式錯誤 (被動連線) (可以看出需要什麼加密方式)

pluto[
2219]: "test" #13: responding to Main Mode
pluto[
2219]: "test" #13: WARNING: connection test PSK length of 8 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
pluto[
2219]: "test" #13: Oakley Transform [AES_CBC (128), HMAC_SHA2_256, MODP1024] refused
pluto[
2219]: "test" #13: no acceptable Oakley Transform
pluto[
2219]: "test" #13: sending notification NO_PROPOSAL_CHOSEN to 172.19.100.83:500


phase 2 加密方式錯誤 (主動連線)

pluto[
2219]: "test" #195: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+UP+ESN_NO+ESN_YES {using isakmp#194 msgid:c06ac5a5 proposal=3DES_CBC-HMAC_SHA2_256_128 pfsgroup=no-pfs}
pluto[
2219]: "test" #195: sent Quick Mode request
pluto[
2219]: "test" #194: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
pluto[2219]: "test" #194: received and ignored notification payload: NO_PROPOSAL_CHOSEN
pluto[
2219]: "test" #195: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
pluto[
2219]: "test" #194: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
pluto[2219]: "test" #194: received and ignored notification payload: NO_PROPOSAL_CHOSEN
pluto[
2219]: "test" #195: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
pluto[
2219]: "test" #194: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
pluto[2219]: "test" #194: received and ignored notification payload: NO_PROPOSAL_CHOSEN
pluto[
2219]: "test" #195: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
pluto[
2219]: "test" #194: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
pluto[2219]: "test" #194: received and ignored notification payload: NO_PROPOSAL_CHOSEN


phase 2 加密方式錯誤 (被動連線)

pluto[
1677]: "test" #186: no acceptable Proposal in IPsec SA
pluto[
1677]: "test" #186: sending encrypted notification NO_PROPOSAL_CHOSEN to 172.19.100.22:500
pluto[1677]: "test" #186: deleting state (STATE_QUICK_R0) aged 0.010324s and NOT sending notification


網段設定錯誤 (主動連線)

pluto[2219]: "test" #205: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+UP+ESN_NO+ESN_YES {using isakmp#204 msgid:5200adf4 proposal=AES_CBC_128-HMAC_SHA2_256_128 pfsgroup=no-pfs}
pluto[2219]: "test" #205: sent Quick Mode request
pluto[2219]: "test" #204: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
pluto[2219]: "test" #204: received and ignored notification payload: INVALID_ID_INFORMATION
pluto[2219]: "test" #205: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response


網段設定錯誤 (被動連線) (可以看出需要什麼網段)

pluto[1677]: "test" #195: the peer proposed: 192.168.84.0/24 -<all>-> 192.168.22.0/24
(↑可看出對方 網設的設定↑)
pluto[1677]: "test" #195: cannot respond to IPsec SA request because no connection is known for 192.168.84.0/24===XX.XX.XX.XX[+S?C]...XX.XX.XX.XX[+S?C]===192.168.22.0/24
pluto[1677]: "test" #195: sending encrypted notification INVALID_ID_INFORMATION to 對方ip:500


ID 錯誤 (主動連線)

Nov
7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: initiating IKEv1 Main Mode connection
Nov
7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: sent Main Mode request
Nov
7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: WARNING: connection test PSK length of 8 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
Nov
7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: sent Main Mode I2
Nov
7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: sent Main Mode I3
Nov
7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Nov 7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: received and ignored notification payload: INVALID_ID_INFORMATION
Nov
7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: STATE_MAIN_I3: retransmission; will wait 0.5 seconds for response


ID 錯誤 (被動連線)  (可以看出需要什麼ID)

pluto[
1677]: "test" #196: responding to Main Mode
pluto[
1677]: "test" #196: WARNING: connection test PSK length of 8 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
pluto[
1677]: "test" #196: sent Main Mode R1
pluto[
1677]: "test" #196: sent Main Mode R2
pluto[
1677]: "test" #196: Peer ID is ID_FQDN: '@111'
(對方的ID)
pluto[
1677]: "test" #196: Peer ID '@111' mismatched on first found connection and no better connection found
pluto[
1677]: "test" #196: sending encrypted notification INVALID_ID_INFORMATION to 172.19.100.22:500
pluto[1677]: "test" #196: STATE_MAIN_R2: retransmission; will wait 0.5 seconds for response



其他訊息

刪除 phase 1 的 key (被動連線)

pluto[32031]: "test" #26: deleting state (STATE_MAIN_R3) aged 3600.013651s and sending notification


刪除 phase 2 的 key (被動連線)

pluto[32031]: "test" #20: deleting state (STATE_QUICK_R2) aged 3599.763442s and sending notification


刪除 phase 1 的 key (主動連線)

pluto[32031]: "test" #28: deleting state (STATE_MAIN_I1) aged 64.016067s and NOT sending notification


刪除 phase 2 的 key (主動連線)

pluto[32031]: "test" #33: deleting state (STATE_QUICK_I1) aged 64.011057s and NOT sending notification


收到對方要求斷線的封包

pluto[
32031]: "test" #19: received Delete SA(0x9d188d3f) payload: deleting IPsec State #20
pluto[32031]: "test" #20: deleting state (STATE_QUICK_R2) aged 3599.763442s and sending notification
pluto[
32031]: "test" #20: ESP traffic information: in=134B out=0B
pluto[32031]: "test" #19: IKE SA expired (LATEST!)
pluto[
32031]: "test" #19: deleting state (STATE_MAIN_R3) aged 3600.065787s and sending notification
pluto[
32031]: "test" #19: deleting ISAKMP SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS





嵌入式系統 - 建立 OpenWrt 的韌體更新檔案


執行命令為 /sbin/sysupgrade firmware.bin

註:
/sbin/sysupgrade 是 script 的文字檔(會 include /lib/upgrade/ 裡面的檔案)
firmware.bin 是韌體檔案


步驟一

在 /lib/upgrade/platform.sh 的 func platform_check_image() 會檢查 firmware.bin 是否合法

註:會下此命令查詢
dumpimage -l ${img} | awk '/^ Image.*(.*)/ { print gensub(/Image .* \((.*)\)/,"\\1", $0) }' 


在 platform_check_image()裡,增加判斷字串,如下:

local mandatory_kernel="kernel@1"
image_has_mandatory_section $1 ${mandatory_kernel} && {\
mandatory_section_found=1
}

或用 mkimage 建立內建支援的字串


步驟二

/lib/upgrade/common.sh 的 do_upgrade() 會再進入 platform_do_upgrade()
可能會需要在 platform_do_upgrade() 的 case "$board" in 增加板子的型號


步驟三

之後進入 flash_section() 的 case "${sec}" in
並選擇其中一項進行更新,我選擇的是 ubi*
(在 mkimage 時 .its 內容的 images 名稱字串)


步驟四

最後會進入 do_flash_ubi()
(把不需要的 Fail safe upgrade 功能關掉)




附錄:

rootfs.cfg

[kernel]
mode=ubi
image=arch/arm64/boot/Image.itb
vol_id=0
vol_type=dynamic
vol_name=kernel

[config_data]
mode=ubi
vol_size=25MiB
vol_id=1
vol_type=dynamic
vol_name=config_data


# ubinize -m 2048 -p 128KiB -o rootfs.ubi rootfs.cfg


rootfs.its

/dts-v1/;

/ {
description = "ARM64 OpenWrt FIT (Flattened Image Tree)";
#address-cells = <1>;

images {
ubi@rootfs {
description = "ARM64 OpenWrt Linux-4.4.60";
data = /incbin/("rootfs.ubi");
type = "ramdisk";
arch = "arm64";
compression = "gzip";
os = "linux";
hash@1 {
algo = "crc32";
};
hash@2 {
algo = "sha1";
};
};

};

configurations {
default = "config@1";

config@1 {
description = "ARM64 OpenWrt Linux-4.4.60";
ramdisk = "ubi@rootfs";
};
};
};


# mkimage -f rootfs.its rootfs.itb


嵌入式系統 - Python 相關




交叉編譯

下載並解壓縮後,首先在目錄中執行 (需先編譯一次PC可執行的版本)

ln -s /openssl-1.1.1w/include/openssl/ ./Include/

CPPFLAGS="$CPPFLAGS -D__ANDROID_API__=23" \
./configure --host=arm-linux-androideabi --build=x86_64-pc-linux-gnu \
LDFLAGS="-L/lib/ -lintl -lffi " \
CFLAGS="-I./Include/ -I/usr/include/" \
--prefix="/Python-3.13.0/install-local" \
--with-build-python=../Python-3.13.0.X86/python \
--with-openssl=/openssl-1.1.1w/ \
--with-mimalloc=no --disable-ipv6 --enable-shared --enable-profiling \
ac_cv_buggy_getaddrinfo=no ac_cv_file__dev_ptmx=yes ac_cv_file__dev_ptc=no ac_cv_func_gethostbyname_r=no \
ac_cv_search_login_tty=no ac_cv_func_splice=no ac_cv_libatomic_needed=yes


我會使用到 openssl功能,所以要修改 Modules/Setup

SSL=/openssl-1.1.1w/
_ssl _ssl.c $(OPENSSL_INCLUDES) $(OPENSSL_LDFLAGS) $(SSL)libssl.a $(SSL)libcrypto.a


修改 pyconfig.h 內的參數,關掉編譯過不了的

// #define HAVE_LOGIN_TTY 1 (0無效) ### ac_cv_search_login_tty=no
// #define HAVE_SPLICE 1 (0無效) ### ac_cv_func_splice=no


修改 Makefile

LIBS 增加 -latomic
刪除 -luuid (有一個地方)
刪除 _uuid (有兩個地方)


中間遇到很多使用到沒有定義的func,在使用到的上面加對應的定義即可。
(不可全加在.c的最上面)

### Modules/posixmodule.c
extern char* ttyname(int __fd); /* unistd.h */
extern pid_t wait3(int *, int, struct rusage *);
int lockf(int, int, off_t); /* bits/lockf.h */
ssize_t preadv(int, const struct iovec*, int, off_t); /* sys/uio.h */
ssize_t pwritev(int, const struct iovec*, int, off_t); /* sys/uio.h */
extern int mkfifoat(int, const char*, mode_t); /* sys/stat.h */

### Modules/signalmodule.c
extern int sigwaitinfo(const sigset_t*, siginfo_t*); /* signal.h */
extern int sigtimedwait(const sigset_t*, siginfo_t*, const struct timespec*); /* signal.h */

### Modules/socketmodule.c
//#include <net/if.h>
struct if_nameindex {
unsigned if_index;
char* if_name;
};
char* if_indextoname(unsigned, char*);
unsigned if_nametoindex(const char*);
struct if_nameindex* if_nameindex(void);
void if_freenameindex(struct if_nameindex*);
extern int sethostname(const char *, size_t); /* bionic/libc/include/unistd.h */

### Modules/_testexternalinspection.c
//#if defined(__USE_GNU)
ssize_t process_vm_readv(pid_t, const struct iovec*, unsigned long, const struct iovec*, unsigned long, unsigned long);
ssize_t process_vm_writev(pid_t, const struct iovec*, unsigned long, const struct iovec*, unsigned long, unsigned long);
//#endif




遇到的坑

遇到下述的錯誤:

arm-linux-androideabi-gcc ...()... -o Objects/typevarobject.o Objects/typevarobject.c
In file included from ./Include/internal/pycore_unicodeobject.h:15:0,
from ./Include/internal/pycore_floatobject.h:12,
from ./Include/internal/pycore_runtime.h:15,
from ./Include/internal/pycore_pystate.h:12,
from ./Include/internal/pycore_call.h:12,
from Objects/typeobject.c:5:
./Include/internal/pycore_global_strings.h:791:40: error: 'struct <anonymous>' has no member named '_py_set'
(_Py_SINGLETON(strings.identifiers._py_ ## NAME._ascii.ob_base))
^
./Include/internal/pycore_global_objects.h:28:31: note: in definition of macro '_Py_GLOBAL_OBJECT'
_PyRuntime.static_objects.NAME
^
./Include/internal/pycore_global_strings.h:791:7: note: in expansion of macro '_Py_SINGLETON'
(_Py_SINGLETON(strings.identifiers._py_ ## NAME._ascii.ob_base))
^
Objects/typeobject.c:10164:38: note: in expansion of macro '_Py_ID'
PyDoc_STR(DOC), .name_strobj = &_Py_ID(NAME)}
^
Objects/typeobject.c:10241:5: note: in expansion of macro 'TPSLOT'
TPSLOT(__set__, tp_descr_set, slot_tp_descr_set, wrap_descr_set,
^
Makefile:3016: recipe for target 'Objects/typeobject.o' failed
make: *** [Objects/typeobject.o] Error 1
make: *** Waiting for unfinished jobs....

#### make failed to build some targets (1 seconds) ####

改法:

在下面這行的上方
TPSLOT(__set__, tp_descr_set, slot_tp_descr_set, wrap_descr_set,
"__set__($self, instance, value, /)\n--\n\nSet an attribute of instance to value."),

增加 #undef __set__ (因為__set__是保留關鍵字)