Host Tools
This page covers the tools/ directory, which contains the miscellaneous scripts
and host C programs that are important parts of the NuttX build system.
mkpasswd — Build-time /etc/passwd Generation
tools/mkpasswd is a C host tool (compiled from tools/mkpasswd.c) that
generates a single /etc/passwd entry at build time. It is invoked
automatically by the ROMFS build step when
CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y is set.
Why build-time generation?
Shipping a hard-coded default password in firmware is a well-known security
weakness (CWE-798). By generating the /etc/passwd entry from a
user-supplied plaintext password at build time, each firmware image carries
unique credentials. The build will fail if the password is left empty,
preventing accidental deployments with no credentials.
For improved baseline security, the configured password must be at least 8 characters long.
How it works
- The host tool reads the plaintext password from CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD.
- The password is hashed using the Tiny Encryption Algorithm (TEA) — the same implementation used at runtime in libs/libc/misc/lib_tea_encrypt.c — with custom base64 encoding matching apps/fsutils/passwd/passwd_encrypt.c.
- The resulting hashed entry is written to etctmp/<mountpoint>/passwd and then embedded into the ROMFS image.
- The plaintext password is never stored in the firmware image.
Kconfig options
Enable the feature and configure credentials via make menuconfig:
CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y
CONFIG_NSH_CONSOLE_LOGIN=y # required to enforce login prompt
CONFIG_BOARD_ETC_ROMFS_PASSWD_USER="root" # default: root
CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD="<secret>" # required, min length 8
CONFIG_BOARD_ETC_ROMFS_PASSWD_UID=0
CONFIG_BOARD_ETC_ROMFS_PASSWD_GID=0
CONFIG_BOARD_ETC_ROMFS_PASSWD_HOME="/"
The TEA encryption keys can be changed from their defaults via
CONFIG_FSUTILS_PASSWD_KEY1..4.
/etc/passwd file format
user:x:uid:gid:home
Where:
- user — user name
- x — TEA-hashed, base64-encoded password
- uid — numeric user ID
- gid — numeric group ID
- home — login directory
Verifying the generated entry
After enabling CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE and setting a
password, rebuild and verify:
Configure and build:
$ make menuconfig # enable BOARD_ETC_ROMFS_PASSWD_ENABLE and set password
$ make
Inspect the generated passwd line (written to the board build tree):
$ cat boards/<arch>/<chip>/<board>/src/etctmp/etc/passwd
root:8Tv+Hbmr3pLVb5HHZgd26D:0:0:/
Verify the plaintext is absent from firmware:
$ grep <your-password> boards/<arch>/<chip>/<board>/src/etctmp.c # must print nothing
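As an added example (not NuttX code and not part of tools/mkpasswd.c), the following Python pre-flight check applies the constraints described above to a NuttX .config and to the generated passwd line, so the verification can run from CI after the build. The .config fragment and firmware bytes it is exercised with are constructed.

```python
"""Added example, not NuttX code: pre-flight checks for the build-time
/etc/passwd entry. Reads the BOARD_ETC_ROMFS_PASSWD_* options from a .config,
applies the constraints this page documents and validates the passwd line."""
MIN_PASSWORD_LEN = 8  # minimum length the build enforces, per the documentation

def parse_dot_config(text: str) -> dict:
    """Parse KEY=value lines of a .config file; quoted strings are unquoted."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank, comment or "# CONFIG_X is not set": no value
        key, value = line.split("=", 1)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        cfg[key] = value
    return cfg

def check_kconfig(cfg: dict) -> list:
    """Return the problems that would fail the build or weaken the login."""
    problems = []
    if cfg.get("CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE") != "y":
        return problems  # feature disabled: nothing to check
    pw = cfg.get("CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD", "")
    if not pw:
        problems.append("password is empty (the build fails)")
    elif len(pw) < MIN_PASSWORD_LEN:
        problems.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    if cfg.get("CONFIG_NSH_CONSOLE_LOGIN") != "y":
        problems.append("CONFIG_NSH_CONSOLE_LOGIN=y is required for the login prompt")
    return problems

def parse_passwd_entry(line: str) -> dict:
    """Split a user:x:uid:gid:home line into validated fields."""
    fields = line.strip().split(":")
    if len(fields) != 5:
        raise ValueError(f"expected 5 colon-separated fields, got {len(fields)}")
    user, hashed, uid, gid, home = fields
    if not user or not hashed or not home.startswith("/"):
        raise ValueError("user, hash and an absolute home directory are required")
    if not (uid.isdigit() and gid.isdigit()):
        raise ValueError("uid and gid must be numeric")
    return {"user": user, "hash": hashed, "uid": int(uid), "gid": int(gid), "home": home}

def plaintext_leaked(password: str, entry: dict, firmware: bytes) -> bool:
    """True if the plaintext appears in the hash field or in the firmware image."""
    return password in entry["hash"] or password.encode() in firmware
```

Point `parse_dot_config` at the real .config and `plaintext_leaked` at the generated etctmp.c (or the final image) to automate the grep step above.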
Notes on savedefconfig
To avoid leaking credentials into board defconfigs, make savedefconfig
does not save the following options in the generated defconfig:
- CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD
- CONFIG_FSUTILS_PASSWD_KEY1
- CONFIG_FSUTILS_PASSWD_KEY2
- CONFIG_FSUTILS_PASSWD_KEY3
- CONFIG_FSUTILS_PASSWD_KEY4
If you need these values for local development, add them manually to your
local defconfig after running make savedefconfig.