Add CDC based tethering over USB (CDC NCM/ECM compatible phones only)

[tlaurion]

This PR adds on-demand network connectivity through CDC NCM/ECM compatible phones tethering over USB cable (and therefore, permits phone to tether its actual network config (let it be what is configured on the phone: VPN/Tor + Mobile/Wifi -> USB).

• UX showed at Add CDC based tethering over USB (CDC NCM/ECM compatible phones only) #1384 (comment)
• Compatibility example at Add CDC based tethering over USB (CDC NCM/ECM compatible phones only) #1384 (comment)
• Additional ROM consumed space by this PR: ~25Kb analysis under Add CDC based tethering over USB (CDC NCM/ECM compatible phones only) #1384 (comment)

It also fixes a bug where DNS name was wrong for NTP sync over ntp.pool.org.

• NO RNDIS SUPPORT since security risks and planned upstream deprecation.
• NO APPLE TETHERING SUPPORT since Apple requires additional tools and footprint is too expensive. Sorry.
• Boards have kernel modules added in initrd when CONFIG_MOBILE_TETHERING=y (here on all maximized and Librem boards )
• As of current PR, the only way to enable network is through network-recovery-init script AND from recovery shell. (Should be guarded by authentication by oem-factory-reset)
• network-recovery-init tries to sync time first against DNS server returned from DHCP server answer and if failed, against NTP pool.
• We could tell when TOTP is out of sync to call network-recovery-init as of now in further PR, manual guidance required per this PR alone. @JonathonHall-Purism ?

[JonathonHall-Purism]

For comparison, Librem 5 uses CDC-NCM, not RNDIS.

The Gentoo wiki notes that RNDIS is deprectated and may be removed in the future. The actual LKML thread linked from the wiki sounds like there are different opinions about the host and gadget side modules (here we need the host, phone is the gadget), not sure what will end up happening.

The Gentoo wiki and the LKML thread both sound like most Android phones still require RNDIS though.

[tlaurion]

@JonathonHall-Purism had a little insightful adventure with android recently and can tell this implementation is not going away on android-13 or anytime soon.

Want to propose PR for librem phone?

[tlaurion]

Rebasing minimal changes on top of master

[tlaurion]

Btw, time sync was failing because bad dns name.

Its pool.ntp.org, not ntp.pool.org....

@JonathonHall-Purism network-init-recovery is mostly unused as of now, but can now be used with eth0 cable connected without tethering, or when tethering active on phone, be used to sync time and do network related things without the need of wifi networking stack etc.

As we saw before, iphone stack is nearly impossible to integrate here because too heavy. But Librem5 could most probably be!

Let me know if you would want something cleaner as of now. I will amend past commit to add to all maximized boards. As of now, it can only be activated by calling network-init-recovery from recovery shell, but could be integrated in any way we see fit later on to sync time, where this fixes ntp sync over eth0 to pool.ntp.org if local dns provided by dhcp server is not also a ntp server.

[tlaurion]

To test:

• Setup Android phone to use vpn of your choice. Riseup suggested (Donate.)
• Define always on VPN if desired
• Choose if you want to tether GSM data or WIFI (connect to wifi to tether wifi connection)
• Connect Android device to high speed connection port (Blue USB 3 port)
• On Android notification, change USB connected device to "USB tethering"
• Enjoy phone being charging and tethering over USB
• Go to recovery shell
• Type network-init-recovery
• See time being synced over NTP.
• Access Internet.
• When done, reboot. Time was synced.

---

QubesOS

• Note that same process above can be done to have tethering happen over QuebesOS disposable sys-net.
• When android device pops on sys-usb after activating USB tethering on Android device, use sys-usb device manager to assign Android to sys-net.
• See sys-net connecting to internet through your phone. Disconnect USB cable at any moment to simulate wifi-off switch.

[tlaurion]

efbe44f adds additional requirements to all maximized boards and associated linux configs.

[tlaurion]

Analysis of additional required modules consumption will follow successful build for all boards.

[tlaurion]

@daringer: should I add this to nv41/ns50 upstream board configs/linux configs?
@JonathonHall-Purism : Should I add this to all librem laptops?

TLDR: This permits Android 11+ (GrapheneOS 6a) usb tethering support, permitting to sync time over ntp when launching network-init-recovery script from recovery shell as of now. Provides networking without need of ethernet cable/wifi support under firmware. Estimated firmware cost of additional drivers under modules.cpio: 200kb uncompressed.

[tlaurion]

Oups. Rebasing on master to compare only between 1 commit and changes related to added commit here.

[tlaurion]

Comparing new size requirements of this PR.

x230-hotp-maximized's size.txt artifact compared between master and 1384

wget -q -O /tmp/master.txt https://output.circle-artifacts.com/output/job/62be6323-2db8-475e-a13c-7e40910b2fe7/artifacts/0/build/x86/x230-hotp-maximized/sizes.txt
wget -q -O /tmp/1384.txt https://output.circle-artifacts.com/output/job/e92699d0-cd4d-444c-9702-3590b7ec47dc/artifacts/0/build/x86/x230-hotp-maximized/sizes.txt
diff -u /tmp/master.txt /tmp/1384.txt
--- /tmp/master.txt	2023-11-22 13:02:42.000000000 -0500
+++ /tmp/1384.txt	2023-11-25 21:13:43.000000000 -0500
@@ -1,6 +1,6 @@
-2023-11-22 12:57:54-05:00 f2f0831a930c1d305709b711811b44dc734998ae clean
- 2488864:/root/project/build/x86/x230-hotp-maximized/bzImage
-  685056:/root/project/build/x86/x230-hotp-maximized/modules.cpio
+2023-11-25 21:09:11-05:00 a70db6dd1a83cb633612981b2decee977e83244b clean
+ 2489088:/root/project/build/x86/x230-hotp-maximized/bzImage
+  829952:/root/project/build/x86/x230-hotp-maximized/modules.cpio
 -----
   304040:./lib/modules/e1000e.ko
    63272:./lib/modules/ehci-hcd.ko
@@ -8,6 +8,12 @@
   165024:./lib/modules/xhci-hcd.ko
    11544:./lib/modules/xhci-pci.ko
   128632:./lib/modules/usb-storage.ko
+    9048:./lib/modules/cdc_eem.ko
+   15680:./lib/modules/rndis_host.ko
+   19968:./lib/modules/cdc_ether.ko
+   48808:./lib/modules/usbnet.ko
+   38016:./lib/modules/cdc_ncm.ko
+   12776:./lib/modules/mii.ko
 -----
 12317184:/root/project/build/x86/x230-hotp-maximized/tools.cpio
 -----
@@ -72,7 +78,7 @@
    35432:./bin/cbmem
      710:./etc/config
 -----
-  379904:/root/project/build/x86/x230-hotp-maximized/heads.cpio
+  380416:/root/project/build/x86/x230-hotp-maximized/heads.cpio
 -----
     1585:./.ash_history
       73:./.gnupg/gpg-agent.conf
@@ -105,7 +111,7 @@
      922:./bin/lock_chip
     2855:./bin/media-scan
     6031:./bin/mount-usb
-    1639:./bin/network-init-recovery
+    2067:./bin/network-init-recovery
      745:./bin/nitropad-shutdown.sh
    55226:./bin/oem-factory-reset
     2345:./bin/oem-system-info-xx30
@@ -153,5 +159,5 @@
      924:./sbin/config-dhcp.sh
     1284:./sbin/insmod
 -----
- 4557312:build/x86/x230-hotp-maximized/initrd.cpio.xz
-12582912:/root/project/build/x86/x230-hotp-maximized/heads-x230-hotp-maximized-v0.2.0-1916-gf2f0831.rom
+ 4586496:build/x86/x230-hotp-maximized/initrd.cpio.xz
+12582912:/root/project/build/x86/x230-hotp-maximized/heads-x230-hotp-maximized-v0.2.0-1917-ga70db6d.rom

Raw changes analysis:

• Kernel (bzimage) slight increase of 2489088-2488864 (compressed): 224 bytes
• modules.cpio (kernel modules) increase of 829952-685056 (uncompressed): 144896 bytes
• heads.cpio (scripts) slight increase of 380416-379904 (uncompressed): 512 bytes

Important changes for ROM size constraints:
- initrd.cpio.xz (changed: heads.cpio, modules.cpio, unchanged: tools.cpio) : 4586496-4557312 (compressed): 29184 bytes

[tlaurion]

@JonathonHall-Purism @daringer:

• Talos-2 not added
• Librems: not added.
• nv41/ns50: not added
• kgpe-d16: not added
• qemu: not added

[tlaurion]

Testing Github integration with matrix. Putting back from draft -> ready for review.

[daringer]

PR itself lgtm

• nv41/ns50: not added

no need to add to them right now, we don't would like them activated as default for our boards.

[tlaurion]

For comparison, Librem 5 uses CDC-NCM, not RNDIS.

For info, newer phones (pixel 6a+) are also using cdc-ncm instead of rndis. But that is not the case for older phones.

If we wanted to have on-demand usb tethering more granular, we could insmod CDC-NCM first and only if usb0 doesn't appear, load rndis which is unneeded in case of CDC-NCM is sufficient to bring up usb0 network interface.
Of course, network-init script as of now is still poc but functional enough to be used for eth0/usb0. I expect this to work for librems as well.

It's more a note for future improvements then nothing else.

@JonathonHall-Purism thoughts? Otherwise please approve.

[JonathonHall-Purism]

Thanks @tlaurion. Just a couple of minor comments, just based on review so let me know if I overlooked something. Otherwise with those minor fixes I think this looks good to merge.

CDC-NCM would be great at some point, but there's no sense holding up this feature for a second feature.

Thanks for adding the compile-time config for the feature as well. You might want to consider locking this out if Restricted Boot is enabled, since RNDIS can (apparently) compromise the host kernel - it'd offer a Restricted Boot bypass if an attacker can enable network recovery, plug in a malicious USB device, and then take over the Heads kernel.

But since it's guarded by a config and not enabled for my boards, I think that's up to you, so I'm OK merging with the two minor fixes if you don't want to add that.

[JonathonHall-Purism]

Can we delete this #other prep needed comment or is this a placeholder for something?

[tlaurion]

PR itself lgtm

• nv41/ns50: not added

no need to add to them right now, we don't would like them activated as default for our boards.

@daringer i don't understand what you meant here.

This is on-demand only from recovery shell as of now. Meaning totp related time drift problems could be resolved by asking users to plug nitrokey phone/GrapheneOS/android 11+ burner phone, activate USB tethering on phone and then launch network-recovery-init from recovery shell from now to ntp sync and be done.

While also providing some kind of unified networking possibilities from people wanting network without Heads having to add wifi support or use Ethernet and a Ethernet cable.

As said in OP, Android phone also conveniently compartmentalize privacy/security needs here from advanced needs where users can configure VPN always on if needed on phone and not care about details.

Next step would be to add option from option menu and refactor this into additional functions and have network-recovery-init call those refactored functions if compiled as modules in kernel config and packed under modules.cpio added under initrd per board config settings.

[tlaurion]

• Add reference to https://time.is/UTC in code to help user set date and time in UTC.

[tlaurion]

@JonathonHall-Purism Time has passed and AFAIK, we could push only for Android 13+ supported devices which RNDIS is not a requirement? This PR could only support phone modles not requiring RNDIS (CDC-NCM) in the goal of crafting an automatic NTP sync option on HOTP/TOTP mismatch option as first step here and network-recovery-init left alone but reusing code here exposed on /etc/functions instead to enable what is configured per board options?

[JonathonHall-Purism]

@tlaurion I'd absolutely support omitting RNDIS and shipping CDC drivers only.

I'd also humbly suggest that we could call this CONFIG_MOBILE_TETHERING or something not Android-specific, since there are non-Android phones out there that support these protocols 🙂

[tlaurion]

Todo
- [ ] split fix for ntp from addition of tethering in seperate PR
- [ ] supersede this PR with CDC mobile tethering

Decided against. This is will be CDC NCM only PR with fixes in. Refactoring to be reused into TOTP/HOTP out of sync will happen next so that code here is put into functions and reused.

[tlaurion]

So as of kernel 5.10.x CDC ECM/ECM host tethering is supported and included. Waiting for build of x230-hotp-maximized to complete to make size comparison of compressed initrd for modules.cpio changes and will update.

This PR is ready for review. User experience is as follow once on recovery shell, minus output given to console only (ifconfig output). EDIT: Removed console redirection to earlytty and tty0 since init is supposed to have fixed this since network-recovery-init last revision.

Tethering with supported phones (fails NTP sync to returned DNS by DHCP request)

Loading Ethernet network modules...
New value of PCR[5]: 12ea2655542d7d1a75b8f77fca2f4ccd579c6f95

Please verify that your mobile (CDC NCM/EEM tethering compatible phone) is networked in the desired way (WIFI/mobile + VPN/Orbot/etc)
Please connect mobile phone to this machine's fast USB port (blue identified) through a known working data cable
Please enable USB tethering prior of going further (Android: select 'Charging this device via USB' notification and enable tethering option)
Loading USB tethering network related modules: mii usbnet cdc_ether cdc_ncm cdc_eem...
New value of PCR[5]: 77030641d20cf888957dfb18fcb4cdecbc7d0b69
New value of PCR[5]: 1d5c7c3d01ec5e5a8ae471e69e6640f2881acee5
New value of PCR[5]: 94a757924dbb899896441386ab103527e3b34c77
New value of PCR[5]: 2f6611e09423e203fc00f34e1d6c880e2204b56d
New value of PCR[5]: 1624032632aaf1ef014a0e135ec77fec669a814c
USB tethering network interface detected as usb0
Getting IP from first DHCP server answering. This may take a while...
deleting routers
adding dns 192.168.31.32
Attempting to sync time with NTP server: 192.168.31.32...
NTP sync unsuccessful with DNS server
Attempting NTP time sync with pool.ntp.org...
NTP time sync successful.
Syncing hardware clock with system time in UTC/GMT timezone... NOT LOCAL TIMEZONE!

Time: 2024-02-21 18:52:10 UTC
Starting dropbear ssh server...

Network setup complete:
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

usb0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX  
          inet addr:192.168.31.95  Bcast:192.168.31.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:5 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1958 (1.9 KiB)  TX bytes:1110 (1.0 KiB)

Tethering with unsupported phone + Ethernet fallback (NTP sync against NTP server returned by DHCP request)

Loading Ethernet network modules...

Please verify that your mobile (CDC NCM/EEM tethering compatible phone) is networked in the desired way (WIFI/mobile + VPN/Orbot/etc)
Please connect mobile phone to this machine's fast USB port (blue identified) through a known working data cable
Please enable USB tethering prior of going further (Android: select 'Charging this device via USB' notification and enable tethering option)
Loading USB tethering network related modules: mii usbnet cdc_ether cdc_ncm cdc_eem...

Tethering USB network interface was NOT detected with loaded kernel modules : mii usbnet cdc_ether cdc_ncm cdc_eem
Please check your phone's linux drivers requirements
Note that RNDIS kernel module inclusion was discussed and rejected due to security implications and planned deprecation under Linux kernel altogether
CDC NCM/CDC EEM support is known to be available on a majority of Android/GrapheneOS as well as Librem phones
Non-exhaustive exeptions: Pixel 4a* known to only tether over RNDIS and won't be supported
Apple phones won't be supported due to size and complexity of the drivers and toolstack required to support tethering
Ethernet network interface detected as eth0
Generating random MAC address...
Assigning randomly generated MAC: 96:ab:8d:2e:eb:e4 to eth0...
Bringing up eth0... Connect a network cable to the eth0 port and make sure status LEDs are on
Getting IP from first DHCP server answering. This may take a while...
deleting routers
adding dns 192.168.3.1
Attempting to sync time with NTP server: 192.168.3.1...
Syncing hardware clock with system time in UTC/GMT timezone... NOT LOCAL TIMEZONE!

Time: 2024-02-21 18:55:02 UTC
Starting dropbear ssh server...

Network setup complete:
eth0      Link encap:Ethernet  HWaddr 96:AB:8D:2E:EB:E4  
          inet addr:192.168.3.137  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2432 (2.3 KiB)  TX bytes:3020 (2.9 KiB)
          Interrupt:17 Memory:83800000-83820000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

[tlaurion]

Here is a small table giving some examples of models supported by different kernel modules. A reminder that this PR supports NCM and ECM only, while rejecting RNDIS altogether.

Protocol	Kernel module	Phone model
RNDIS	kmod-usb-net-rndis	Nexus One, Motorola Moto G
CDC ECM	cdc_ether	Google Pixel 6, OnePlus 9, Sony Xperia 1 III
CDC EEM	kmod-usb-net-cdc-eem	Samsung Galaxy S3, Huawei P40, Xiaomi Mi 11, LG V60 ThinQ
CDC NCM	kmod-usb-net-cdc-ncm	Samsung Galaxy S21, OnePlus Nord 2, Motorola Edge 20
Huawei CDC NCM	kmod-usb-net-huawei-cdc-ncm	Huawei Mate 20, Huawei P30, Huawei Nova 5T

[tlaurion]

Size comparison.

Master's 4af7808 vs this PR's 9b69f1b

wget https://output.circle-artifacts.com/output/job/03a0d0db-3e56-48e3-93d5-a23fa112e7a0/artifacts/0/build/x86/x230-hotp-maximized/sizes.txt -O master.txt
wget https://output.circle-artifacts.com/output/job/97f89967-bb86-4a38-8d43-1f196e5be39d/artifacts/0/build/x86/x230-hotp-maximized/sizes.txt -O 1384.txt
diff -u master.txt 1384.txt
[...]
--- master.txt	2024-02-16 13:57:39.000000000 -0500
+++ 1384.txt	2024-02-21 14:18:12.000000000 -0500
@@ -1,6 +1,6 @@
-2024-02-16 13:46:15-05:00 95f9636a1adb26fc061228443ec6910ffe39c02b clean
- 2488800:/root/project/build/x86/x230-hotp-maximized/bzImage
-  685056:/root/project/build/x86/x230-hotp-maximized/modules.cpio
+2024-02-21 14:04:48-05:00 9b69f1b66a29ea90045eabe1d679994810beb17a clean
+ 2489216:/root/project/build/x86/x230-hotp-maximized/bzImage
+  813056:/root/project/build/x86/x230-hotp-maximized/modules.cpio
 -----
   304040:./lib/modules/e1000e.ko
    63272:./lib/modules/ehci-hcd.ko
@@ -8,6 +8,11 @@
   165024:./lib/modules/xhci-hcd.ko
    11544:./lib/modules/xhci-pci.ko
   128632:./lib/modules/usb-storage.ko
+   12776:./lib/modules/mii.ko
+   48808:./lib/modules/usbnet.ko
+   19024:./lib/modules/cdc_ether.ko
+   38016:./lib/modules/cdc_ncm.ko
+    9048:./lib/modules/cdc_eem.ko
 -----
 12572160:/root/project/build/x86/x230-hotp-maximized/tools.cpio
 -----
@@ -71,7 +76,7 @@
    35432:./bin/cbmem
      741:./etc/config
 -----
-  389120:/root/project/build/x86/x230-hotp-maximized/heads.cpio
+  391680:/root/project/build/x86/x230-hotp-maximized/heads.cpio
 -----
     1585:./.ash_history
       73:./.gnupg/gpg-agent.conf
@@ -104,7 +109,7 @@
     2132:./bin/lock_chip
     2836:./bin/media-scan
     6013:./bin/mount-usb
-    1609:./bin/network-init-recovery
+    4204:./bin/network-init-recovery
      745:./bin/nitropad-shutdown.sh
    53851:./bin/oem-factory-reset
     2316:./bin/oem-system-info-xx30
@@ -152,5 +157,5 @@
      924:./sbin/config-dhcp.sh
     1271:./sbin/insmod
 -----
- 4666368:build/x86/x230-hotp-maximized/initrd.cpio.xz
- 8388608:/root/project/build/x86/x230-hotp-maximized/heads-x230-hotp-maximized-v0.2.0-2024-g95f9636-bottom.rom
+ 4691968:build/x86/x230-hotp-maximized/initrd.cpio.xz
+ 8388608:/root/project/build/x86/x230-hotp-maximized/heads-x230-hotp-maximized-v0.2.0-2026-g9b69f1b-bottom.rom

Analysis:

- 4666368:build/x86/x230-hotp-maximized/initrd.cpio.xz
+ 4691968:build/x86/x230-hotp-maximized/initrd.cpio.xz
- 2488800:/root/project/build/x86/x230-hotp-maximized/bzImage
+ 2489216:/root/project/build/x86/x230-hotp-maximized/bzImage

Additional ROM consumed compressed space: (4691968-4666368)+(2489216-2488800)= 26016 bytes (~25Kb)

[JonathonHall-Purism]

This works with Librem 5! It's easy too, just change the wired network's IPv4 mode to Shared with Other Computers, same as for Network Manager on any other device.

I gave a lot of thought to the messages/prompts and commented inline. Also unsure how this interacts with Ethernet tethering and commented on that too.

Overall, great feature and great work. Looking forward to polishing for merge and future features leveraging this functionality 💯

[JonathonHall-Purism]

@tlaurion If you want you can cherry-pick this commit enabling mobile tethering for Librems, or I can PR it after this is merged if you'd rather: JonathonHall-Purism@92346b4

I haven't gone through to enable Ethernet network recovery yet, but I've noted that for the next PB release (can test the relevant devices then when doing the release testing).

Couple of Kconfig FYI notes:

• Enabling USB_NET_CDCETHER on 6.1.8 also enabled USB_RTL8153, but I didn't add it to the modules to ship/load. Apparently this is a sub-driver for a Realtek chipset that got moved out of the cdc_ether driver in 6.0. It's not separately configurable due to some unusual interactions with another RTL driver. At any rate though, this iteration is targeting mobile phones and I don't have one of these devices to test, so I have left it out. If we decide to do USB ethernet too, let's address it in another iteration IMO.
• The 5.10.5 oldconfig got a cleanup change on CONFIG_HW_RANDOM for whatever reason, but the result is the same.

[JonathonHall-Purism]

@tlaurion Thanks, the fixes look great, but xhci is broken on boards that don't ship USB companion controller modules due to having moved those under CONFIG_LINUX_USB_COMPANION_CONTROLLER.

Fixup here and a trivial indentation fix (2 commits): https://github.com/JonathonHall-Purism/heads/tree/mobile-tethering-fixup-20240223

[tlaurion]

@tlaurion Thanks, the fixes look great, but xhci is broken on boards that don't ship USB companion controller modules due to having moved those under CONFIG_LINUX_USB_COMPANION_CONTROLLER.

Fixup here and a trivial indentation fix (2 commits): https://github.com/JonathonHall-Purism/heads/tree/mobile-tethering-fixup-20240223

@JonathonHall-Purism Thanks for that (and sorry, last testing were done on qemu and not real hardware, which hid modules loading problems...)!

Added one last commit to make sure dropbear is not running prior of trying to start it.

---

Note that in case of tethering, only the phone can easily connect to the Heads SSH server otherwise further config is needed on the phone itself. This also opens interesting possibilities for the future; ie the phone could be used for attestation if it was the client of Heads... Food for thoughts here (#1307 and other). Phone could push updates etc. Anyway, not in scope for this first step toward on-demand, low firmware footprint networking capabilities (personal desires highlighted under #1384 (comment))

@daringer a reminder that this PR adds ~25Kb of drivers and if you desire adding this feature, you will have to do a seperate PR based on this one to enable the feature both in linux and board configs to have users depend on your nitro phones which should support this out of the box (to be tested of course on your side). To do so, simply take a diff for a linux config and apply to your board linux config, do same for board config and test and create PR. A reminder that activating either ethernet/mobile tethering is currently only offered through calling network-recovery-init per this PR, whic also syncs time from DNS server provided by DHCP answer first and then tried to NTP against ntp pool (to correct TPMTOTP behavior linked to hwclock having fell out of sync because time drift). That feature is guarded behind GPG based authentication when OEM Factory Reset/Re-Ownership is ran in non-default config, accepting to generate key in ram and preparing a USB Thumb drive with key material backup, which enables authentication prior of USB booting and Recovery Shell access. As of now, a user having access to Recovery Shell can call network-recovery-init to temporarily activate Ethernet/Mobile tethering. A reminder that accessing Recovery Shell invalidates unsealing of secrets until the machine is rebooted and the machine is booted in default boot.

I think this is ready for merge!

[tlaurion]

Oh! @JonathonHall-Purism : you might want to reconsider the removal of linux kernel config option:

user@heads-tests-deb12:~/heads$ diff config/linux-x230-maximized.config config/linux-librem_common-6.1.8.config | grep SYN
< CONFIG_SYN_COOKIES=y
> # CONFIG_SYN_COOKIES is not set

Generally speaking, when one enables networking (even on-demand), it is suggested to enable syn flood protection since there is no drawback:

In linux kernel since version 2.6.12
Normal TCP/IP networking is open to an attack known as "SYN
flooding". This denial-of-service attack prevents legitimate remote
users from being able to connect to your computer during an ongoing
attack and requires very little work from the attacker, who can
operate from anywhere on the Internet.

SYN cookies provide protection against this type of attack. If you
say Y here, the TCP/IP stack will use a cryptographic challenge
protocol known as "SYN cookies" to enable legitimate users to
continue to connect, even when your machine is under attack. There
is no need for the legitimate users to change their TCP/IP software;
SYN cookies work transparently to them. For technical information
about SYN cookies, check out https://cr.yp.to/syncookies.html.

If you are SYN flooded, the source address reported by the kernel is
likely to have been forged by the attacker; it is only reported as
an aid in tracing the packets to their actual source and should not
be taken as absolute truth.

SYN cookies may prevent correct error reporting on clients when the
server is really overloaded. If this happens frequently better turn
them off.

If you say Y here, you can disable SYN cookies at run time by
saying Y to "/proc file system support" and
"Sysctl support" below and executing the command

echo 0 > /proc/sys/net/ipv4/tcp_syncookies

after the /proc file system has been mounted.

If unsure, say N.

SRC: https://www.kernelconfig.io/CONFIG_SYN_COOKIES?q=CONFIG_SYN_COOKIES&kernelversion=6.7.5&arch=x86