Enabling Wi-Fi on First boot
Henrique de Moraes Holschuh
henrique at nic.br
Tue Jul 6 07:26:39 PDT 2021

On 06/07/2021 03:45, Enrico Mioso wrote:
> I would like to know your opinion on a topic I know has already been
> discussed: enabling Wi-Fi on first boot.

We had to do it here for some modified firmware we distribute (the
device with the modified openwrt firmware is then used to measure
internet connection quality in a neutral way, and works as well as a
home router when desired).

It is a fact[1] that >55% of homes in Brazil only have wireless
terminals (read: cellphones, a few might also have tablets): no laptops
or desktops. It would be utterly useless to deliver to them something
that needs an ethernet cable to enable the wireless.

However, it is *not* a simple matter to just "enable wireless" at first
boot in OpenWrt (due to a "default password" issue), except maybe in a
home-and-enthusiast setting. You cannot just do it for a device (or
firmware) you're going to deliver to third parties: it is *unsafe*, and
extremely strongly discouraged.

So, to safely and responsibly enable wireless by default in a device (or
firmware) you're delivering to a third-party, you need that "per-unit
unique wireless password" per device thing most vendors are doing.

Now, unique per-device passwords are "easy" [2] to do if you're
delivering whole devices, as you can just print a label with the
device's unique password and attach to it or to its documentation.

It is far less easy when you're delivering just the firmware
(openwrt-based), which the third-party/user will install by herself. At
least for generic devices in the general case.

> I would very very much like to see this feature present in OpenWrt:
> because I find myself in a scenario where plugging an Ethernet cable
> after a fresh sysupgrade without keeping settings (due to a major upgrade
> or just to "start clean") could be impractical.

Indeed.

> This would allow us to relax the security settings for the moment being,
> and discuss and plan them later on. It seems to me there is the general
> desire for having such a feature.

I would very much like to have a config option that allows one to
implement what I described in [2] below -- or something else that could
be likewise used. Basically, a way to append to an already-finished
sysupgrade/factory file some signed configuration data that will resist
factory-reset, so that it is easy/fast to do so at download time without
the need to run the image builder.

Around here, the ISPs call this kind of variable data that resists a
factory-reset "preseed configuration". Apparently, your typical home
user will factory-reset the device every time anything goes wrong, once
they know how to do it. So it is extremely important that the
factory-reset settings match whatever is needed for ISP connectivity and
local wireless to work. Easy to do if you're the router vendor and have
a mtd partition set aside for it, a lot more difficult otherwise.

Then, you could at least easily address the "you're shipping the device
with the label attached" case: you can do that right now using custom
code on specific devices you know of a partition you can reuse like
that, etc. But a "generic device" solution is still missing.

The solution for "you ship firmware" could then become "build once, but
at download time you append the signed variable data that resists
factory-reset, and contains any unit-specific passwords. You also
attach a PDF with the device passwords for the user to print and glue to
his unit".

[1] The reports are public, and available at https://ceptro.br.
Disclaimer: I work for a different division of the same NGO that
produced those reports.

[2] not really: openwrt sysupgrade *does not help* in that there is no
way to add variable information to an already *finished* image file, to
be used on first-boot only, and which would *survive a factory reset*.

--
Henrique de Moraes Holschuh
Analista de Projetos
Centro de Estudos e Pesquisas em Tecnologias de Redes e Operações
(Ceptro.br)
+55 11 5509-3537 R.:4023
INOC 22548*625
www.nic.br
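
The "build once, append signed per-unit data at download time" idea from the message above, sketched as an added example (not part of the original message and not OpenWrt code). The trailer layout, the `MAGIC` value and all function names are hypothetical; HMAC-SHA256 stands in for a public-key signature such as Ed25519, which a real device would verify while holding only a public key. How the device keeps the data across a factory reset is not covered here.

```python
import hashlib, hmac, json, secrets, struct

MAGIC = b"PRESEED1"                    # hypothetical trailer marker
FOOTER = struct.Struct(">8sI32s")      # magic, payload length, HMAC-SHA256 tag

def new_unit_secrets():
    """Random per-unit credentials (16 URL-safe characters each)."""
    return {"wifi_key": secrets.token_urlsafe(12),
            "root_pw": secrets.token_urlsafe(12)}

def _tag(image, payload, key):
    # Bind the payload to the exact image so it cannot be moved to another build.
    msg = hashlib.sha256(image).digest() + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

def append_preseed(image, preseed, key):
    """Download-time step: finished image + payload + fixed-size footer."""
    payload = json.dumps(preseed, sort_keys=True).encode()
    return image + payload + FOOTER.pack(MAGIC, len(payload), _tag(image, payload, key))

def extract_preseed(blob, key):
    """First-boot step: return (image, preseed) or raise ValueError."""
    end = len(blob) - FOOTER.size
    if end < 0:
        raise ValueError("no preseed trailer")
    magic, n, tag = FOOTER.unpack(blob[end:])
    if magic != MAGIC or n > end:
        raise ValueError("no preseed trailer")
    image, payload = blob[:end - n], blob[end - n:end]
    # Verify before parsing: unauthenticated JSON is never interpreted.
    if not hmac.compare_digest(tag, _tag(image, payload, key)):
        raise ValueError("preseed signature mismatch")
    return image, json.loads(payload)

if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed signing key
    image = b"\x27\x05\x19\x56" + bytes(4096)  # constructed stand-in for a firmware image
    unit = new_unit_secrets()              # also what goes on the printed label
    blob = append_preseed(image, unit, key)
    _, seen = extract_preseed(blob, key)
    print("preseed verified:", seen == unit)
```
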