[PATCH v2] dropbear: Enable Ed25519 for normal devices

Paul Spooren mail at aparcar.org
Thu Jul 30 20:32:34 EDT 2020


On 26.07.20 05:20, Hauke Mehrtens wrote:
> On 7/25/20 11:06 PM, Paul Spooren wrote:
>> The Ed25519 key pairs are much shorter than RSA pairs and are supported
>> by default in OpenSSH. Looking at websites explaining how to create new
>> SSH keys, many suggest using Ed25519 rather than RSA, however consider
>> the former as not yet widely established. OpenWrt likely has a positive
>> influence on that development.
>>
>> As enabling Ed25519 is a compile time option, it is currently not
>> possible to install the feature via `opkg` nor select that option in an
>> ImageBuilder.
>>
>> Due to the size impact of **12kB** the option should only be enabled for
>> devices with `!SMALL_FLASH`.
>>
>> This approach seems cleaner than splitting `dropbear` into two packages
>> like `dropbear` and `dropbear-ed25519`.
> Can we deactivate something else?
I think Rui Salvaterra is doing some space saving work around busybox; I 
don't see how we can save anything within dropbear.
>> Signed-off-by: Paul Spooren <mail at aparcar.org>
>> ---
>> v2:
>> * Add storage impact to commit message
>> * Increase package release
>>
>>   package/network/services/dropbear/Config.in | 2 +-
>>   package/network/services/dropbear/Makefile  | 2 +-
>>   2 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
>> index 3de4189e08..2836229043 100644
>> --- a/package/network/services/dropbear/Config.in
>> +++ b/package/network/services/dropbear/Config.in
>> @@ -51,7 +51,7 @@ config DROPBEAR_ECC_FULL
>>   
>>   config DROPBEAR_ED25519
>>   	bool "Ed25519 support"
>> -	default n
>> +	default y if !SMALL_FLASH
> Will this work reliably?
> When we build dropbear with the SDK the SMALL_FLASH option is not set
> and the resulting binary would be shared between small and normal targets.

Buildbots will create two separate ImageBuilders/SDKs, a regular one and 
a tiny one. The tiny versions either deselect it by default if 
SMALL_FLASH is set or contain a dropbear binary with Ed25519 disabled. Because 
the ImageBuilder already contains a dropbear binary, it will never 
download the Ed25519-supporting binary remotely.

The case that somebody builds a firmware without dropbear and then 
installs it via opkg into the overlayfs should be considered as an aimed 
shot in the foot and not be our problem.

>>   	help
>>   		This enables the following public key algorithm:
>>   		  ssh-ed25519
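Review bot: the `default y if !SMALL_FLASH` line at the top of this hunk changes the default according to the builder's own .config, but the help text left unchanged below it still only lists `ssh-ed25519` and says nothing about the roughly 12kB the commit message attributes to the option; suggest adding a line to the help block such as `Adds about 12kB to the binary; defaults to off on SMALL_FLASH targets.` so menuconfig users see the trade-off. Since the default is evaluated when the package is built, an SDK whose config does not set SMALL_FLASH will produce an Ed25519-enabled binary regardless of the target it is later installed on, which is the concern raised in the reply above; it would help to state in the commit message that the regular and tiny ImageBuilders/SDKs are relied upon to keep the two builds apart.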
>> diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
>> index 0a9b5c0a99..e92ead2ff8 100644
>> --- a/package/network/services/dropbear/Makefile
>> +++ b/package/network/services/dropbear/Makefile
>> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
>>   
>>   PKG_NAME:=dropbear
>>   PKG_VERSION:=2020.80
>> -PKG_RELEASE:=1
>> +PKG_RELEASE:=2
>>   
>>   PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
>>   PKG_SOURCE_URL:= \
>>
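Review bot: bumping `PKG_RELEASE` to 2 is correct for a default-config change that alters the built binary, but a single release number now describes two different builds of the same package (Ed25519 compiled in when SMALL_FLASH is unset, left out otherwise), so the `opkg` version string alone cannot tell a user which variant a feed serves; consider noting this in the commit message or reflecting the capability in the package description.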


