boards/sim: enable generated passwd for sim:login

Abhishekmishra2808 · Abhishekmishra2808 · commit 3412e4a0892a · 2026-03-16T15:42:01.000Z
Enable build-time /etc/passwd generation in sim:login by setting\nBOARD_ETC_ROMFS_PASSWD_* defaults in the login defconfig.\n\nAdd password validation for build-time generation:\n- reject empty and quoted-empty passwords\n- enforce minimum length of 8 characters\n- preserve special characters when invoking tools/mkpasswd\n\nApply the same minimum-length validation in the CMake ROMFS path\nand in tools/mkpasswd argument validation.\n\nUpdate Kconfig and documentation to describe the required login\nsetting and password constraints.

Signed-off-by: Abhishek Mishra &lt;mishra.abhishek2808@gmail.com&gt;
diff --git a/Documentation/components/tools/index.rst b/Documentation/components/tools/index.rst
@@ -31,6 +31,9 @@ user-supplied plaintext password at build time, each firmware image carries
 unique credentials.  The build will fail if the password is left empty,
 preventing accidental deployments with no credentials.
 
+For improved baseline security, the configured password must be at least
+8 characters long.
+
 How it works
 ~~~~~~~~~~~~
 
@@ -52,8 +55,9 @@ Enable the feature and configure credentials via ``make menuconfig``:
 .. code:: kconfig
 
    CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y
+   CONFIG_NSH_CONSOLE_LOGIN=y                     # required to enforce login prompt
    CONFIG_BOARD_ETC_ROMFS_PASSWD_USER="admin"         # default: admin
-   CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD="<secret>"  # required, build fails if empty
+   CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD="<secret>"  # required, min length 8
    CONFIG_BOARD_ETC_ROMFS_PASSWD_UID=0
    CONFIG_BOARD_ETC_ROMFS_PASSWD_GID=0
    CONFIG_BOARD_ETC_ROMFS_PASSWD_HOME="/"
diff --git a/Documentation/platforms/sim/sim/boards/sim/index.rst b/Documentation/platforms/sim/sim/boards/sim/index.rst
@@ -2015,8 +2015,9 @@ The ``/etc/passwd`` file is auto-generated at build time when
 credentials via ``make menuconfig``:
 
 * ``CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y``
+* ``CONFIG_NSH_CONSOLE_LOGIN=y`` (required, otherwise login is not enforced)
 * ``CONFIG_BOARD_ETC_ROMFS_PASSWD_USER`` (default: ``admin``)
-* ``CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD`` (required, build fails if empty)
+* ``CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD`` (required, build fails if empty or shorter than 8 characters)
 
 The password is hashed with TEA at build time by the host tool
 ``tools/mkpasswd``; the plaintext is **not** stored in the firmware.
diff --git a/boards/Board.mk b/boards/Board.mk
@@ -39,16 +39,35 @@ ifeq ($(CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE),y)
 ifeq ($(CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD),)
 	$(error CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD must be set when BOARD_ETC_ROMFS_PASSWD_ENABLE is enabled. Run 'make menuconfig' to set a password.)
 endif
+ifeq ($(CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD),"")
+	$(error CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD must be set when BOARD_ETC_ROMFS_PASSWD_ENABLE is enabled. Run 'make menuconfig' to set a password.)
+endif
+	$(Q) passwd=$(CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD); \
+		passwd=$${passwd#\"}; \
+		passwd=$${passwd%\"}; \
+		if [ $${#passwd} -lt 8 ]; then \
+			echo "ERROR: CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD must be at least 8 characters."; \
+			exit 1; \
+		fi
 	$(Q) if [ ! -f $(TOPDIR)$(DELIM)tools$(DELIM)mkpasswd$(HOSTEXEEXT) ]; then \
 		$(MAKE) -C $(TOPDIR)$(DELIM)tools -f Makefile.host mkpasswd$(HOSTEXEEXT); \
 	fi
 	$(Q) mkdir -p $(ETCDIR)$(DELIM)$(CONFIG_ETC_ROMFSMOUNTPT)
-	$(Q) $(TOPDIR)$(DELIM)tools$(DELIM)mkpasswd$(HOSTEXEEXT) \
-		--user $(CONFIG_BOARD_ETC_ROMFS_PASSWD_USER) \
-		--password $(CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD) \
+	$(Q) user=$(CONFIG_BOARD_ETC_ROMFS_PASSWD_USER); \
+		user=$${user#\"}; \
+		user=$${user%\"}; \
+		home=$(CONFIG_BOARD_ETC_ROMFS_PASSWD_HOME); \
+		home=$${home#\"}; \
+		home=$${home%\"}; \
+		passwd=$(CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD); \
+		passwd=$${passwd#\"}; \
+		passwd=$${passwd%\"}; \
+		$(TOPDIR)$(DELIM)tools$(DELIM)mkpasswd$(HOSTEXEEXT) \
+		--user "$${user}" \
+		--password "$${passwd}" \
 		--uid $(CONFIG_BOARD_ETC_ROMFS_PASSWD_UID) \
 		--gid $(CONFIG_BOARD_ETC_ROMFS_PASSWD_GID) \
-		--home $(CONFIG_BOARD_ETC_ROMFS_PASSWD_HOME) \
+		--home "$${home}" \
 		$(if $(CONFIG_FSUTILS_PASSWD_KEY1),--key1 $(CONFIG_FSUTILS_PASSWD_KEY1)) \
 		$(if $(CONFIG_FSUTILS_PASSWD_KEY2),--key2 $(CONFIG_FSUTILS_PASSWD_KEY2)) \
 		$(if $(CONFIG_FSUTILS_PASSWD_KEY3),--key3 $(CONFIG_FSUTILS_PASSWD_KEY3)) \
diff --git a/boards/Kconfig b/boards/Kconfig
@@ -5434,7 +5434,8 @@ config BOARD_ETC_ROMFS_PASSWD_PASSWORD
 		The plaintext password for the auto-generated /etc/passwd entry.
 		This value is hashed with TEA at build time; the plaintext is NOT
 		stored in the firmware image.  The build will fail if this is left
-		empty.  Set this via 'make menuconfig'.
+		empty or shorter than 8 characters.  Set this via
+		'make menuconfig'.
 
 config BOARD_ETC_ROMFS_PASSWD_UID
 	int "Admin user ID"
diff --git a/boards/sim/sim/sim/configs/login/defconfig b/boards/sim/sim/sim/configs/login/defconfig
@@ -11,6 +11,9 @@ CONFIG_ARCH_BOARD="sim"
 CONFIG_ARCH_BOARD_SIM=y
 CONFIG_ARCH_CHIP="sim"
 CONFIG_ARCH_SIM=y
+CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y
+CONFIG_BOARD_ETC_ROMFS_PASSWD_USER="admin"
+CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD="Administrator"
 CONFIG_BOARDCTL_APP_SYMTAB=y
 CONFIG_BOARDCTL_POWEROFF=y
 CONFIG_BOARD_LOOPSPERMSEC=0
diff --git a/cmake/nuttx_add_romfs.cmake b/cmake/nuttx_add_romfs.cmake
@@ -292,6 +292,13 @@ function(process_all_directory_romfs)
           " Run 'make menuconfig' to set a password.")
     endif()
 
+    string(LENGTH "${CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD}" PASSWD_LEN)
+    if(PASSWD_LEN LESS 8)
+      message(
+        FATAL_ERROR
+          "CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD must be at least 8 characters.")
+    endif()
+
     # Determine host executable suffix (.exe on Windows, empty elsewhere)
     if(CMAKE_HOST_WIN32)
       set(HOST_EXE_SUFFIX .exe)
diff --git a/tools/mkpasswd.c b/tools/mkpasswd.c
@@ -23,7 +23,8 @@
 /****************************************************************************
  * Description:
  *   Host build tool that generates a NuttX /etc/passwd entry with a
- *   TEA-encrypted password hash.
+ *   TEA-encrypted password hash.  This is a pure C replacement for the
+ *   former tools/mkpasswd.py, removing the Python dependency from the build.
  *
  *   The encryption algorithm and base64 encoding are identical to those
  *   used at runtime by:
@@ -68,7 +69,6 @@
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
-#include <getopt.h>
 #include <sys/stat.h>
 
 /****************************************************************************
@@ -79,15 +79,13 @@
 
 #define TEA_KEY_SCHEDULE_CONSTANT  0x9e3779b9u
 
-/* Password size limits – must match apps/fsutils/passwd/passwd.h.
- * MAX_ENCRYPTED is the max length of the encrypted hash (ASCII chars).
- * MAX_PASSWORD is the max length of the plaintext password.
- */
+/* Password size limits – must match apps/fsutils/passwd/passwd.h */
 
-#define MAX_ENCRYPTED  48
-#define MAX_PASSWORD   (3 * MAX_ENCRYPTED / 4)
+#define MAX_ENCRYPTED  48          /* Max size of encrypted password (ASCII)  */
+#define MAX_PASSWORD   (3 * MAX_ENCRYPTED / 4)  /* Max plaintext length       */
+#define MIN_PASSWORD   8           /* Minimum plaintext length for security   */
 
-/* Default TEA key values - must match CONFIG_FSUTILS_PASSWD_KEY1-4 defaults
+/* Default TEA key values – must match CONFIG_FSUTILS_PASSWD_KEY1-4 defaults
  * in apps/fsutils/passwd/Kconfig so that the generated hash verifies
  * correctly at runtime when the user has not changed the key config.
  */
@@ -364,20 +362,12 @@ static int mkdir_p(const char *path)
       if (*p == '/')
         {
           *p = '\0';
-#ifdef CONFIG_WINDOWS_NATIVE
-          mkdir(tmp);
-#else
           mkdir(tmp, 0755);
-#endif
           *p = '/';
         }
     }
 
-#ifdef CONFIG_WINDOWS_NATIVE
-  mkdir(tmp);
-#else
   mkdir(tmp, 0755);
-#endif
   free(tmp);
   return 0;
 }
@@ -427,105 +417,81 @@ int main(int argc, char **argv)
 
   char encrypted[MAX_ENCRYPTED + 1];
   FILE *out;
-  int   opt;
+  int   i;
   int   ret;
 
-  static const struct option g_long_options[] =
-    {
-      { "user",     required_argument, NULL, 'u' },
-      { "password", required_argument, NULL, 'p' },
-      { "uid",      required_argument, NULL, 'i' },
-      { "gid",      required_argument, NULL, 'g' },
-      { "home",     required_argument, NULL, 'd' },
-      { "key1",     required_argument, NULL, '1' },
-      { "key2",     required_argument, NULL, '2' },
-      { "key3",     required_argument, NULL, '3' },
-      { "key4",     required_argument, NULL, '4' },
-      { "output",   required_argument, NULL, 'o' },
-      { "help",     no_argument,       NULL, 'h' },
-      { NULL,       0,                 NULL,  0  },
-    };
+  /* Simple long-option parser (avoids getopt_long portability concerns) */
 
-  while ((opt = getopt_long(argc, argv, "u:p:i:g:d:o:h",
-                            g_long_options, NULL)) != -1)
+  for (i = 1; i < argc; i++)
     {
-      switch (opt)
+      if (strcmp(argv[i], "--user") == 0 && i + 1 < argc)
+        {
+          user = argv[++i];
+        }
+      else if (strcmp(argv[i], "--password") == 0 && i + 1 < argc)
+        {
+          password = argv[++i];
+        }
+      else if (strcmp(argv[i], "--uid") == 0 && i + 1 < argc)
+        {
+          uid = atoi(argv[++i]);
+        }
+      else if (strcmp(argv[i], "--gid") == 0 && i + 1 < argc)
+        {
+          gid = atoi(argv[++i]);
+        }
+      else if (strcmp(argv[i], "--home") == 0 && i + 1 < argc)
+        {
+          home = argv[++i];
+        }
+      else if (strcmp(argv[i], "--key1") == 0 && i + 1 < argc)
+        {
+          if (parse_uint32_hex(argv[++i], &key[0]) < 0)
+            {
+              fprintf(stderr, "mkpasswd: invalid --key1 value: %s\n", argv[i]);
+              return 1;
+            }
+        }
+      else if (strcmp(argv[i], "--key2") == 0 && i + 1 < argc)
+        {
+          if (parse_uint32_hex(argv[++i], &key[1]) < 0)
+            {
+              fprintf(stderr, "mkpasswd: invalid --key2 value: %s\n", argv[i]);
+              return 1;
+            }
+        }
+      else if (strcmp(argv[i], "--key3") == 0 && i + 1 < argc)
+        {
+          if (parse_uint32_hex(argv[++i], &key[2]) < 0)
+            {
+              fprintf(stderr, "mkpasswd: invalid --key3 value: %s\n", argv[i]);
+              return 1;
+            }
+        }
+      else if (strcmp(argv[i], "--key4") == 0 && i + 1 < argc)
+        {
+          if (parse_uint32_hex(argv[++i], &key[3]) < 0)
+            {
+              fprintf(stderr, "mkpasswd: invalid --key4 value: %s\n", argv[i]);
+              return 1;
+            }
+        }
+      else if ((strcmp(argv[i], "-o") == 0 ||
+                strcmp(argv[i], "--output") == 0) && i + 1 < argc)
+        {
+          outpath = argv[++i];
+        }
+      else if (strcmp(argv[i], "--help") == 0 ||
+               strcmp(argv[i], "-h") == 0)
+        {
+          show_usage(argv[0]);
+          return 0;
+        }
+      else
         {
-          case 'u':
-            user = optarg;
-            break;
-
-          case 'p':
-            password = optarg;
-            break;
-
-          case 'i':
-            uid = atoi(optarg);
-            break;
-
-          case 'g':
-            gid = atoi(optarg);
-            break;
-
-          case 'd':
-            home = optarg;
-            break;
-
-          case '1':
-            if (parse_uint32_hex(optarg, &key[0]) < 0)
-              {
-                fprintf(stderr,
-                        "mkpasswd: invalid --key1 value: %s\n",
-                        optarg);
-                return 1;
-              }
-
-            break;
-
-          case '2':
-            if (parse_uint32_hex(optarg, &key[1]) < 0)
-              {
-                fprintf(stderr,
-                        "mkpasswd: invalid --key2 value: %s\n",
-                        optarg);
-                return 1;
-              }
-
-            break;
-
-          case '3':
-            if (parse_uint32_hex(optarg, &key[2]) < 0)
-              {
-                fprintf(stderr,
-                        "mkpasswd: invalid --key3 value: %s\n",
-                        optarg);
-                return 1;
-              }
-
-            break;
-
-          case '4':
-            if (parse_uint32_hex(optarg, &key[3]) < 0)
-              {
-                fprintf(stderr,
-                        "mkpasswd: invalid --key4 value: %s\n",
-                        optarg);
-                return 1;
-              }
-
-            break;
-
-          case 'o':
-            outpath = optarg;
-            break;
-
-          case 'h':
-            show_usage(argv[0]);
-            return 0;
-
-          default:
-            show_usage(argv[0]);
-            return 1;
+          fprintf(stderr, "mkpasswd: unknown option: %s\n", argv[i]);
+          show_usage(argv[0]);
+          return 1;
         }
     }
 
@@ -551,6 +517,14 @@ int main(int argc, char **argv)
       return 1;
     }
 
+  if (strlen(password) < MIN_PASSWORD)
+    {
+      fprintf(stderr,
+              "mkpasswd: --password must be at least %d characters\n",
+              MIN_PASSWORD);
+      return 1;
+    }
+
   /* Encrypt the password using TEA + custom base64.
    * Only the hash is written to the output file; the plaintext is never
    * stored in firmware.
