* Configuring for secure boot @ 2020-01-20 16:38 Christian Eggers 2020-01-20 19:53 ` Sascha Hauer 0 siblings, 1 reply; 9+ messages in thread From: Christian Eggers @ 2020-01-20 16:38 UTC (permalink / raw) To: barebox Board: phytec-som-imx6 I need to configure barebox in a way, that a malicious attacker can not break into the system. It looks like I need to perform the following steps: 1. Enforce signature verification of FIT image --> CONFIG_BOOTM_FORCE_SIGNED_IMAGES 2. Prevent manipulation of the saved environment in flash --> Do not load any environment settings from flash, only use compiled in default environment. --> Remove / permanently disable "barebox,environment" node in device-tree? --> Compile without CONFIG_OF_BAREBOX_DRIVERS? 3. Prevent access to the barebox shell --> CONFIG_CMD_LOGIN? --> CONFIG_SHELL_NONE? What is the best way to prevent (offline) manipulation of the barebox environment? What is the best way to block the shell access? regards Christian ________________________________ [http://assets.arri.com/media/sign/2019-12-13a-ARRI-E-mail-Signatur-Parkstadt.jpg] <https://www.google.com/maps/place/Herbert-Bayer-Stra%C3%9Fe+10,+80807+M%C3%BCnchen/data=!4m2!3m1!1s0x479e74379489f045:0x4bbf0c7a9e893d66?sa=X&ved=2ahUKEwjjvdSlh8TmAhWIp4sKHe3vDlQQ8gEwAHoECAsQAQ> Get all the latest information from www.arri.com<https://www.arri.com/>, Facebook<https://www.facebook.com/TeamARRI>, Twitter<https://twitter.com/ARRIChannel>, Instagram<https://instagram.com/arri> and YouTube<https://www.youtube.com/user/ARRIChannel>. Arnold & Richter Cine Technik GmbH & Co. Betriebs KG Sitz: München - Registergericht: Amtsgericht München - Handelsregisternummer: HRA 57918 Persönlich haftender Gesellschafter: Arnold & Richter Cine Technik GmbH Sitz: München - Registergericht: Amtsgericht München - Handelsregisternummer: HRB 54477 Geschäftsführer: Dr. Michael Neuhäuser; Stephan Schenk; Walter Trauninger; Markus Zeiler _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Configuring for secure boot 2020-01-20 16:38 Configuring for secure boot Christian Eggers @ 2020-01-20 19:53 ` Sascha Hauer 2020-01-21 10:52 ` Ahmad Fatoum 2020-01-23 10:29 ` Configuring for secure boot / Using bootchooser Christian Eggers 0 siblings, 2 replies; 9+ messages in thread From: Sascha Hauer @ 2020-01-20 19:53 UTC (permalink / raw) To: Christian Eggers; +Cc: barebox Hi Christian, On Mon, Jan 20, 2020 at 05:38:36PM +0100, Christian Eggers wrote: > Board: phytec-som-imx6 > > I need to configure barebox in a way, that a malicious attacker can not break > into the system. It looks like I need to perform the following steps: > > 1. Enforce signature verification of FIT image > --> CONFIG_BOOTM_FORCE_SIGNED_IMAGES Yes. > > 2. Prevent manipulation of the saved environment in flash > --> Do not load any environment settings from flash, only use compiled in > default environment. > --> Remove / permanently disable "barebox,environment" node in device-tree? > --> Compile without CONFIG_OF_BAREBOX_DRIVERS? Disable CONFIG_ENV_HANDLING, that alone is sufficient. > > 3. Prevent access to the barebox shell > --> CONFIG_CMD_LOGIN? > --> CONFIG_SHELL_NONE? I wouldn't trust CONFIG_CMD_LOGIN that much. If you do, at least make sure to use a safe hash function for the password, i.e. not the default md5. Disabling the shell entirely with CONFIG_SHELL_NONE is the best you can do. This also forces you to program your boot process in C which helps you to get a well defined boot without diving into potentially unsafe shell commands. To state the obvious, you have to enable HAB support, sign your barebox images and burn the necessary fuses to forbid loading unsigned images. Sascha -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Configuring for secure boot 2020-01-20 19:53 ` Sascha Hauer @ 2020-01-21 10:52 ` Ahmad Fatoum 2020-01-21 11:11 ` Sascha Hauer 2020-01-23 10:29 ` Configuring for secure boot / Using bootchooser Christian Eggers 1 sibling, 1 reply; 9+ messages in thread From: Ahmad Fatoum @ 2020-01-21 10:52 UTC (permalink / raw) To: Sascha Hauer, Christian Eggers; +Cc: barebox Hello, On 1/20/20 8:53 PM, Sascha Hauer wrote: > Disabling the shell entirely with CONFIG_SHELL_NONE is the best you can > do. This also forces you to program your boot process in C which helps > you to get a well defined boot without diving into potentially unsafe > shell commands. > > To state the obvious, you have to enable HAB support, sign your barebox > images and burn the necessary fuses to forbid loading unsigned images. I think it would be great to have a CONFIG_LOCKDOWN option that has inverse dependencies on the stuff that should not be enabled and normal dependencies on the stuff that should be. Such a CONFIG_LOCKDOWN barebox can then be used in secure boot scenarios or for fuzzing efforts. Thoughts? > > Sascha > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Configuring for secure boot 2020-01-21 10:52 ` Ahmad Fatoum @ 2020-01-21 11:11 ` Sascha Hauer 0 siblings, 0 replies; 9+ messages in thread From: Sascha Hauer @ 2020-01-21 11:11 UTC (permalink / raw) To: Ahmad Fatoum; +Cc: barebox, Christian Eggers On Tue, Jan 21, 2020 at 11:52:02AM +0100, Ahmad Fatoum wrote: > Hello, > > On 1/20/20 8:53 PM, Sascha Hauer wrote: > > Disabling the shell entirely with CONFIG_SHELL_NONE is the best you can > > do. This also forces you to program your boot process in C which helps > > you to get a well defined boot without diving into potentially unsafe > > shell commands. > > > > To state the obvious, you have to enable HAB support, sign your barebox > > images and burn the necessary fuses to forbid loading unsigned images. > > I think it would be great to have a CONFIG_LOCKDOWN option that has inverse > dependencies on the stuff that should not be enabled and normal dependencies > on the stuff that should be. Such a CONFIG_LOCKDOWN barebox can then be used in > secure boot scenarios or for fuzzing efforts. > > Thoughts? I don't think this is feasible. There are too many different expectations what is secure and what is not. loadenv/saveenv might be desired at some point (at least when we add signing support), for others it's a no-go. Some accept the potential security risk of having a shell, others don't. You might want to build a device which can boot in a secure mode with signed kernels only, or alternatively any other kernel after dropping the security privileges in the CAAM or whatever. That's just some examples off the top of my head, there are surely more. Sascha -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Configuring for secure boot / Using bootchooser 2020-01-20 19:53 ` Sascha Hauer 2020-01-21 10:52 ` Ahmad Fatoum @ 2020-01-23 10:29 ` Christian Eggers 2020-01-27 10:07 ` Sascha Hauer 1 sibling, 1 reply; 9+ messages in thread From: Christian Eggers @ 2020-01-23 10:29 UTC (permalink / raw) To: Sascha Hauer; +Cc: barebox Hi Sascha, seems I ran into trouble (see below) with CONFIG_SHELL_NONE. Am Montag, 20. Januar 2020, 20:53:51 CET schrieb Sascha Hauer: > Hi Christian, > > On Mon, Jan 20, 2020 at 05:38:36PM +0100, Christian Eggers wrote: > > Board: phytec-som-imx6 > > > > I need to configure barebox in a way, that a malicious attacker can not > > break into the system. It looks like I need to perform the following > > steps: > > > > 3. Prevent access to the barebox shell > > --> CONFIG_CMD_LOGIN? > > --> CONFIG_SHELL_NONE? > > I wouldn't trust CONFIG_CMD_LOGIN that much. If you do, at least make > sure to use a safe hash function for the password, i.e. not the default > md5. > Disabling the shell entirely with CONFIG_SHELL_NONE is the best you can > do. This also forces you to program your boot process in C which helps > you to get a well defined boot without diving into potentially unsafe > shell commands. I've tried to implement my boot process in C. Attaching the MTD partition to UBI and directly calling bootm_data() looks straightforward and seems to work. bootm_data_init_defaults(&data); data.os_file = "/dev/nand0.root.ubi.kernel"; ret = bootm_boot(&data); if (ret) { printf("handler failed with: %s\n", strerror(-ret)); goto error_return; } Now I'm trying to integrate bootchooser. My first attempt was to call bootchooser directly from my barebox_main: bc = bootchooser_get(); if (IS_ERR(bc)) return PTR_ERR(bc); ret = bootchooser_boot(bc); bootchooser_put(bc); Unfortunately this doesn't work, because there is no boot provider available for booting the result of bootchooser (e.g. "nand0.root.ubi.kernel"). From the documentation of the "boot" command, this should be possible: ----------------8<--------------- BAREBOX_CMD_HELP_TEXT("BOOTSRC can be:") BAREBOX_CMD_HELP_TEXT("- a filename under /env/boot/") BAREBOX_CMD_HELP_TEXT("- a full path to a boot script") BAREBOX_CMD_HELP_TEXT("- a device name") BAREBOX_CMD_HELP_TEXT("- a partition name under /dev/") <---- tried this one BAREBOX_CMD_HELP_TEXT("- a full path to a directory which") BAREBOX_CMD_HELP_TEXT(" - contains boot scripts, or") BAREBOX_CMD_HELP_TEXT(" - contains a loader/entries/ directory containing bootspec entries") ---------------->8--------------- Looking into bootentry_create_from_name() I didn't find how booting from "a device name" or "a partition name" can work. Also using the shell doesn't help: ----------------8<--------------- barebox:/ boot nand0.root.ubi.kernel Nothing bootable found on 'nand0.root.ubi.kernel' Nothing bootable found ---------------->8--------------- So I'm able to run bootm_boot() directly from C, but I've not found a way to boot indirectly via bootchooser. Any hints how I can use bootchooser from my own barebox_main() with CONFIG_SHELL_NONE? _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Configuring for secure boot / Using bootchooser 2020-01-23 10:29 ` Configuring for secure boot / Using bootchooser Christian Eggers @ 2020-01-27 10:07 ` Sascha Hauer 2020-01-27 10:18 ` [RFC PATCH] bootm: Register as bootentry provider Christian Eggers 0 siblings, 1 reply; 9+ messages in thread From: Sascha Hauer @ 2020-01-27 10:07 UTC (permalink / raw) To: Christian Eggers; +Cc: barebox On Thu, Jan 23, 2020 at 11:29:41AM +0100, Christian Eggers wrote: > Hi Sascha, > > seems I ran into trouble (see below) with CONFIG_SHELL_NONE. > > Am Montag, 20. Januar 2020, 20:53:51 CET schrieb Sascha Hauer: > > Hi Christian, > > > > On Mon, Jan 20, 2020 at 05:38:36PM +0100, Christian Eggers wrote: > > > Board: phytec-som-imx6 > > > > > > I need to configure barebox in a way, that a malicious attacker can not > > > break into the system. It looks like I need to perform the following > > > steps: > > > > > > 3. Prevent access to the barebox shell > > > --> CONFIG_CMD_LOGIN? > > > --> CONFIG_SHELL_NONE? > > > > I wouldn't trust CONFIG_CMD_LOGIN that much. If you do, at least make > > sure to use a safe hash function for the password, i.e. not the default > > md5. > > Disabling the shell entirely with CONFIG_SHELL_NONE is the best you can > > do. This also forces you to program your boot process in C which helps > > you to get a well defined boot without diving into potentially unsafe > > shell commands. > > I've tried to implement my boot process in C. Attaching the MTD partition to > UBI and directly calling bootm_data() looks straightforward and seems to work. > > bootm_data_init_defaults(&data); > data.os_file = "/dev/nand0.root.ubi.kernel"; > > ret = bootm_boot(&data); > if (ret) { > printf("handler failed with: %s\n", strerror(-ret)); > goto error_return; > } > > Now I'm trying to integrate bootchooser. My first attempt was to call > bootchooser directly from my barebox_main: > > bc = bootchooser_get(); > if (IS_ERR(bc)) > return PTR_ERR(bc); > > ret = bootchooser_boot(bc); > > bootchooser_put(bc); > > Unfortunately this doesn't work, because there is no boot provider available > for booting the result of bootchooser (e.g. "nand0.root.ubi.kernel"). > > From the documentation of the "boot" command, this should be possible: > > ----------------8<--------------- > BAREBOX_CMD_HELP_TEXT("BOOTSRC can be:") > BAREBOX_CMD_HELP_TEXT("- a filename under /env/boot/") > BAREBOX_CMD_HELP_TEXT("- a full path to a boot script") > BAREBOX_CMD_HELP_TEXT("- a device name") > BAREBOX_CMD_HELP_TEXT("- a partition name under /dev/") <---- tried this one > BAREBOX_CMD_HELP_TEXT("- a full path to a directory which") > BAREBOX_CMD_HELP_TEXT(" - contains boot scripts, or") > BAREBOX_CMD_HELP_TEXT(" - contains a loader/entries/ directory containing > bootspec entries") > ---------------->8--------------- > > Looking into bootentry_create_from_name() I didn't find how booting from "a > device name" or "a partition name" can work. > > Also using the shell doesn't help: > ----------------8<--------------- > barebox:/ boot nand0.root.ubi.kernel > Nothing bootable found on 'nand0.root.ubi.kernel' > Nothing bootable found > ---------------->8--------------- > So I'm able to run bootm_boot() directly from C, but I've not found a way to > boot indirectly via bootchooser. > > Any hints how I can use bootchooser from my own barebox_main() with > CONFIG_SHELL_NONE? Obviously anything involving shell scripts cannot work when no shell is enabled. I suggest using bootloader spec (CONFIG_BLSPEC) to boot a kernel. This works without shell support. Sascha -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 9+ messages in thread
* [RFC PATCH] bootm: Register as bootentry provider 2020-01-27 10:07 ` Sascha Hauer @ 2020-01-27 10:18 ` Christian Eggers 2020-01-27 12:49 ` Sascha Hauer 0 siblings, 1 reply; 9+ messages in thread From: Christian Eggers @ 2020-01-27 10:18 UTC (permalink / raw) To: barebox; +Cc: Christian Eggers, ceggers > Obviously anything involving shell scripts cannot work when no shell is > enabled. I suggest using bootloader spec (CONFIG_BLSPEC) to boot a > kernel. This works without shell support. I would like to avoid using bootloader spec. The patch below works fine for me. Do you think that this (or something similar) can be added to barebox? Support for "boot <device>". This is required for using bootchooser with CONFIG_SHELL_NONE. In this case no boot scripts can be used, so the device name of the flash partition containing the kernel image has to provided. Only enabled if CONFIG_BLSPEC is disabled. Example: bootchooser.system0.boot=nand0.root.ubi.kernel0 Signed-off-by: Christian Eggers <ceggers@arri.de> --- common/bootm.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 70 insertions(+), 1 deletion(-) diff --git a/common/bootm.c b/common/bootm.c index 366f31455..e880d3cab 100644 --- a/common/bootm.c +++ b/common/bootm.c @@ -12,6 +12,7 @@ */ #include <common.h> +#include <boot.h> #include <bootm.h> #include <fs.h> #include <malloc.h> @@ -721,6 +722,74 @@ err_out: return ret; } +#ifndef CONFIG_BLSPEC +static int bootm_entry_boot(struct bootentry *entry, int verbose, int dryrun) +{ + struct bootm_data data = {}; + + bootm_data_init_defaults(&data); + data.os_file = entry->title; + + return bootm_boot(&data); +} + +static void bootm_release(struct bootentry *entry) +{ + free(entry); +} + +/* + * bootm_scan_devicename - scan a hardware device for child cdevs + * + * Given a name of a hardware device this functions checks whether the device + * exists and add one booentries entry. + * Returns the number of entries found or a negative error code if some unexpected + * error occured. + */ +static int bootm_scan_devicename(struct bootentries *bootentries, const char *devname) +{ + struct cdev *cdev; + + pr_debug("%s: %s\n", __func__, devname); + + device_detect_by_name(devname); + + cdev = cdev_by_name(devname); + if (cdev || get_device_by_name(devname)) { + struct bootentry *entry = xzalloc(sizeof(*entry)); + + entry->boot = bootm_entry_boot; + entry->release = bootm_release; + entry->title = basprintf("/dev/%s", devname); + entry->description = xstrdup(entry->title); + + bootentries_add_entry(bootentries, entry); + + return 1; + } + + return -ENODEV; +} + +static int bootm_bootentry_provider(struct bootentries *bootentries, + const char *name) +{ + int ret, found = 0; + + ret = bootm_scan_devicename(bootentries, name); + if (ret > 0) + found += ret; + + return found; +} +#else /* CONFIG_BLSPEC */ +static int bootm_bootentry_provider(struct bootentries *bootentries, + const char *name) +{ + return 0; +} +#endif /* CONFIG_BLSPEC */ + static int bootm_init(void) { globalvar_add_simple("bootm.image", NULL); @@ -742,7 +811,7 @@ static int bootm_init(void) globalvar_add_simple_enum("bootm.verify", (unsigned int *)&bootm_verify_mode, bootm_verify_names, ARRAY_SIZE(bootm_verify_names)); - return 0; + return bootentry_register_provider(bootm_bootentry_provider); } late_initcall(bootm_init); -- Christian Eggers Embedded software developer Arnold & Richter Cine Technik GmbH & Co. Betriebs KG Sitz: Muenchen - Registergericht: Amtsgericht Muenchen - Handelsregisternummer: HRA 57918 Persoenlich haftender Gesellschafter: Arnold & Richter Cine Technik GmbH Sitz: Muenchen - Registergericht: Amtsgericht Muenchen - Handelsregisternummer: HRB 54477 Geschaeftsfuehrer: Dr. Michael Neuhaeuser; Stephan Schenk; Walter Trauninger; Markus Zeiler _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [RFC PATCH] bootm: Register as bootentry provider 2020-01-27 10:18 ` [RFC PATCH] bootm: Register as bootentry provider Christian Eggers @ 2020-01-27 12:49 ` Sascha Hauer 2020-01-27 19:26 ` Christian Eggers 0 siblings, 1 reply; 9+ messages in thread From: Sascha Hauer @ 2020-01-27 12:49 UTC (permalink / raw) To: Christian Eggers; +Cc: barebox, ceggers On Mon, Jan 27, 2020 at 11:18:31AM +0100, Christian Eggers wrote: > > Obviously anything involving shell scripts cannot work when no shell is > > enabled. I suggest using bootloader spec (CONFIG_BLSPEC) to boot a > > kernel. This works without shell support. > > I would like to avoid using bootloader spec. The patch below works fine > for me. Do you think that this (or something similar) can be added to > barebox? > > > Support for "boot <device>". This is required for using bootchooser with > CONFIG_SHELL_NONE. In this case no boot scripts can be used, so the > device name of the flash partition containing the kernel image has to > provided. > > Only enabled if CONFIG_BLSPEC is disabled. > > Example: bootchooser.system0.boot=nand0.root.ubi.kernel0 you could leave bootchooser.system0.boot empty in which case bootchooser tries to boot something called "system0". Like in your patch below call bootentry_register_provider() from your boardcode and put behind "system0" whatever you want. I don't like interpreting a device name as a kernel image very much, given that there's no possibility to also specify the devicetree and commandline. Another thing is that just enabling CONFIG_BLSPEC in a config shouldn't prevent a board from booting. the "Only enabled if CONFIG_BLSPEC is disabled" is not an option here. Sascha -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [RFC PATCH] bootm: Register as bootentry provider 2020-01-27 12:49 ` Sascha Hauer @ 2020-01-27 19:26 ` Christian Eggers 0 siblings, 0 replies; 9+ messages in thread From: Christian Eggers @ 2020-01-27 19:26 UTC (permalink / raw) To: Sascha Hauer; +Cc: barebox, Christian Eggers Hi Sascha, Am Montag, 27. Januar 2020, 13:49:38 CET schrieb Sascha Hauer: > On Mon, Jan 27, 2020 at 11:18:31AM +0100, Christian Eggers wrote: > > > Obviously anything involving shell scripts cannot work when no shell is > > > enabled. I suggest using bootloader spec (CONFIG_BLSPEC) to boot a > > > kernel. This works without shell support. > > > > I would like to avoid using bootloader spec. The patch below works fine > > for me. Do you think that this (or something similar) can be added to > > barebox? > > > > > you could leave bootchooser.system0.boot empty in which case bootchooser > tries to boot something called "system0". > > Like in your patch below call bootentry_register_provider() from your > boardcode and put behind "system0" whatever you want. works fine, thanks. > I don't like interpreting a device name as a kernel image very much, > given that there's no possibility to also specify the devicetree and > commandline. > > Another thing is that just enabling CONFIG_BLSPEC in a config shouldn't > prevent a board from booting. the "Only enabled if CONFIG_BLSPEC is > disabled" is not an option here. Agreed. > > Sascha regards Christian _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2020-01-27 19:27 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-01-20 16:38 Configuring for secure boot Christian Eggers 2020-01-20 19:53 ` Sascha Hauer 2020-01-21 10:52 ` Ahmad Fatoum 2020-01-21 11:11 ` Sascha Hauer 2020-01-23 10:29 ` Configuring for secure boot / Using bootchooser Christian Eggers 2020-01-27 10:07 ` Sascha Hauer 2020-01-27 10:18 ` [RFC PATCH] bootm: Register as bootentry provider Christian Eggers 2020-01-27 12:49 ` Sascha Hauer 2020-01-27 19:26 ` Christian Eggers
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox