Enabling Wi-Fi on First boot

Henrique de Moraes Holschuh henrique at nic.br
Tue Jul 6 07:26:39 PDT 2021


On 06/07/2021 03:45, Enrico Mioso wrote:
> I would like to know your opinion on a topic I know has already been 
> discussed: enabling Wi-Fi on first boot.

We had to do it here for some modified firmware we distribute (the 
device with the modified openwrt firmware is then used to measure 
internet connection quality in a neutral way, and works as well as a 
home router when desired).

It is a fact[1] that >55% of homes in Brazil only have wireless 
terminals (read: cellphones, a few might also have tablets): no laptops 
or desktops.  It would be utterly useless to deliver to them something 
that needs an ethernet cable to enable the wireless.

However, it is *not* a simple matter to just "enable wireless" at first 
boot in OpenWrt (due to a "default password" issue), except maybe in a 
home-and-enthusiast setting.  You cannot just do it for a device (or 
firmware) you're going to deliver to third parties: it is *unsafe*, and 
extremely strongly discouraged.

So, to safely and responsibly enable wireless by default in a device (or 
firmware) you're delivering to a third-party, you need that "per-unit 
unique wireless password" per device thing most vendors are doing.

Now, unique per-device passwords are "easy" [2] to do if you're 
delivering whole devices, as you can just print a label with the 
device's unique password and attach to it or to its documentation.

It is far less easy when you're delivering just the firmware 
(openwrt-based), which the third-party/user will install by herself.  At 
least for generic devices in the general case.

> I would very very much like to see this feature present in OpenWRt: 
> because I find myself in a scenario where plugging an Ethernet cable 
> after a fresh sysupgrade without keeping settings (due a a major upgrade 
> or just to "start clean") could be impractical.

Indeed.

> This would allow us to relax the security settings for the moment being, 
> and discuss and plan them later on. It seems to me there is the general 
> desire for having such a feature.

I would very much like to have a config option that allows one to 
implement what I described in [2] below -- or something else that could 
be likewise used.  Basically, a way to append to an already-finished 
sysupgrade/factory file some signed configuration data that will resist 
factory-reset, so that it is easy/fast to do so at download time without 
the need to run the image builder.

Around here, the ISPs call this kind of variable data that resists a 
factory-reset "preseed configuration".  Apparently, your typical home 
user will factory-reset the device every time anything goes wrong, once 
they know how to do it.  So it is extremely important that the 
factory-reset settings match whatever is needed for ISP connectivity and 
local wireless to work.  Easy to do if you're the router vendor and have 
a mtd partition set aside for it, a lot more difficult otherwise.


Then, you could at least easily address the "you're shipping the device 
with the label attached" case: you can do that right now using custom 
code on specific devices you know of a partition you can reuse like 
that, etc.  But a "generic device" solution is still missing.

The solution for "you ship firmware" could then become "build once, but 
at download time you append the signed variable data that resists 
factory-reset, and contains any unit-specific passwords.  You also 
attach a PDF with the device passwords for the user to print and glue to 
his unit".


[1] The reports are public, and available at https://ceptro.br. 
Disclaimer: I work for a different division of the same NGO that 
produced those reports.

[2] not really: openwrt sysugrade *does not help* in that there is no 
way to add variable information to an already *finished* image file, to 
be used on first-boot only, and which would *survive a factory reset*.

-- 
Henrique de Moraes Holschuh
Analista de Projetos
Centro de Estudos e Pesquisas em Tecnologias de Redes e Operações 
(Ceptro.br)
+55 11 5509-3537 R.:4023
INOC 22548*625
www.nic.br



More information about the openwrt-devel mailing list