boards/sim: enable generated passwd for sim:login

Abhishek Mishra · Abhishek Mishra · commit f9dff1a28124 · 2026-03-17T17:43:31.000Z
Enable build-time /etc/passwd generation in sim:login by setting\nBOARD_ETC_ROMFS_PASSWD_* defaults in the login defconfig.\n\nAdd password validation for build-time generation:\n- reject empty and quoted-empty passwords\n- enforce minimum length of 8 characters\n- preserve special characters when invoking tools/mkpasswd\n\nApply the same minimum-length validation in the CMake ROMFS path\nand in tools/mkpasswd argument validation.\n\nUpdate Kconfig and documentation to describe the required login\nsetting and password constraints.

Signed-off-by: Abhishek Mishra &lt;mishra.abhishek2808@gmail.com&gt;
diff --git a/Documentation/components/tools/index.rst b/Documentation/components/tools/index.rst
@@ -31,6 +31,9 @@ user-supplied plaintext password at build time, each firmware image carries
 unique credentials.  The build will fail if the password is left empty,
 preventing accidental deployments with no credentials.
 
+For improved baseline security, the configured password must be at least
+8 characters long.
+
 How it works
 ~~~~~~~~~~~~
 
@@ -52,8 +55,9 @@ Enable the feature and configure credentials via ``make menuconfig``:
 .. code:: kconfig
 
    CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y
+   CONFIG_NSH_CONSOLE_LOGIN=y                     # required to enforce login prompt
    CONFIG_BOARD_ETC_ROMFS_PASSWD_USER="admin"         # default: admin
-   CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD="<secret>"  # required, build fails if empty
+   CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD="<secret>"  # required, min length 8
    CONFIG_BOARD_ETC_ROMFS_PASSWD_UID=0
    CONFIG_BOARD_ETC_ROMFS_PASSWD_GID=0
    CONFIG_BOARD_ETC_ROMFS_PASSWD_HOME="/"
diff --git a/Documentation/platforms/sim/sim/boards/sim/index.rst b/Documentation/platforms/sim/sim/boards/sim/index.rst
@@ -2015,8 +2015,9 @@ The ``/etc/passwd`` file is auto-generated at build time when
 credentials via ``make menuconfig``:
 
 * ``CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y``
+* ``CONFIG_NSH_CONSOLE_LOGIN=y`` (required, otherwise login is not enforced)
 * ``CONFIG_BOARD_ETC_ROMFS_PASSWD_USER`` (default: ``admin``)
-* ``CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD`` (required, build fails if empty)
+* ``CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD`` (required, build fails if empty or shorter than 8 characters)
 
 The password is hashed with TEA at build time by the host tool
 ``tools/mkpasswd``; the plaintext is **not** stored in the firmware.
diff --git a/boards/Board.mk b/boards/Board.mk
@@ -30,7 +30,7 @@ $(RCOBJS): $(ETCDIR)$(DELIM)%: %
 	$(Q) mkdir -p $(dir $@)
 	$(call PREPROCESS, $<, $@)
 
-$(ETCSRC): $(foreach raw,$(RCRAWS), $(if $(wildcard $(BOARD_DIR)$(DELIM)src$(DELIM)$(raw)), $(BOARD_DIR)$(DELIM)src$(DELIM)$(raw), $(if $(wildcard $(BOARD_COMMON_DIR)$(DELIM)$(raw)), $(BOARD_COMMON_DIR)$(DELIM)$(raw), $(BOARD_DIR)$(DELIM)src$(DELIM)$(raw)))) $(RCOBJS)
+$(ETCSRC): $(foreach raw,$(RCRAWS), $(if $(wildcard $(BOARD_DIR)$(DELIM)src$(DELIM)$(raw)), $(BOARD_DIR)$(DELIM)src$(DELIM)$(raw), $(if $(wildcard $(BOARD_COMMON_DIR)$(DELIM)$(raw)), $(BOARD_COMMON_DIR)$(DELIM)$(raw), $(BOARD_DIR)$(DELIM)src$(DELIM)$(raw)))) $(RCOBJS) $(TOPDIR)$(DELIM).config $(TOPDIR)$(DELIM)tools$(DELIM)mkpasswd.c
 	$(foreach raw, $(RCRAWS), \
 	  $(shell rm -rf $(ETCDIR)$(DELIM)$(raw)) \
 	  $(shell mkdir -p $(dir $(ETCDIR)$(DELIM)$(raw))) \
@@ -39,7 +39,11 @@ ifeq ($(CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE),y)
 ifeq ($(CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD),)
 	$(error CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD must be set when BOARD_ETC_ROMFS_PASSWD_ENABLE is enabled. Run 'make menuconfig' to set a password.)
 endif
-	$(Q) if [ ! -f $(TOPDIR)$(DELIM)tools$(DELIM)mkpasswd$(HOSTEXEEXT) ]; then \
+ifeq ($(CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD),"")
+	$(error CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD must be set when BOARD_ETC_ROMFS_PASSWD_ENABLE is enabled. Run 'make menuconfig' to set a password.)
+endif
+	$(Q) if [ ! -f $(TOPDIR)$(DELIM)tools$(DELIM)mkpasswd$(HOSTEXEEXT) ] || \
+		 [ $(TOPDIR)$(DELIM)tools$(DELIM)mkpasswd.c -nt $(TOPDIR)$(DELIM)tools$(DELIM)mkpasswd$(HOSTEXEEXT) ]; then \
 		$(MAKE) -C $(TOPDIR)$(DELIM)tools -f Makefile.host mkpasswd$(HOSTEXEEXT); \
 	fi
 	$(Q) mkdir -p $(ETCDIR)$(DELIM)$(CONFIG_ETC_ROMFSMOUNTPT)
@@ -107,6 +111,17 @@ $(CXXOBJS) $(LINKOBJS): %$(OBJEXT): %.cxx
 
 libboard$(LIBEXT): $(OBJS) $(CXXOBJS)
 	$(call ARCHIVE, $@, $(OBJS) $(CXXOBJS))
+ifeq ($(CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE),y)
+ifeq ($(CONFIG_FSUTILS_PASSWD_KEY1),0x12345678)
+ifeq ($(CONFIG_FSUTILS_PASSWD_KEY2),0x9abcdef0)
+ifeq ($(CONFIG_FSUTILS_PASSWD_KEY3),0x12345678)
+ifeq ($(CONFIG_FSUTILS_PASSWD_KEY4),0x9abcdef0)
+	$(Q) echo ">>>> WARNING: YOU ARE USING DEFAULT PASSWORD KEYS (CONFIG_FSUTILS_PASSWD_KEY1-4)!!! PLEASE CHANGE IT!!! <<<<"
+endif
+endif
+endif
+endif
+endif
 
 .depend: Makefile $(SRCS) $(CXXSRCS) $(RCSRCS) $(TOPDIR)$(DELIM).config
 ifneq ($(ZDSVERSION),)
diff --git a/boards/Kconfig b/boards/Kconfig
@@ -5457,7 +5457,8 @@ config BOARD_ETC_ROMFS_PASSWD_PASSWORD
 		The plaintext password for the auto-generated /etc/passwd entry.
 		This value is hashed with TEA at build time; the plaintext is NOT
 		stored in the firmware image.  The build will fail if this is left
-		empty.  Set this via 'make menuconfig'.
+		empty or shorter than 8 characters.  Set this via
+		'make menuconfig'.
 
 config BOARD_ETC_ROMFS_PASSWD_UID
 	int "Admin user ID"
diff --git a/boards/sim/sim/sim/configs/login/defconfig b/boards/sim/sim/sim/configs/login/defconfig
@@ -5,6 +5,12 @@
 # You can then do "make savedefconfig" to generate a new defconfig file that includes your
 # modifications.
 #
+# NOTE: CONFIG_FSUTILS_PASSWD_KEY1-4 are intentionally excluded by
+# "make savedefconfig" to avoid leaking credentials into mainline.
+# CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD is excluded by default,
+# except for the sim:login example configuration.
+# credentials into mainline. Add them manually in local defconfig if needed.
+#
 # CONFIG_NSH_CMDOPT_HEXDUMP is not set
 CONFIG_ARCH="sim"
 CONFIG_ARCH_BOARD="sim"
@@ -13,6 +19,8 @@ CONFIG_ARCH_CHIP="sim"
 CONFIG_ARCH_SIM=y
 CONFIG_BOARDCTL_APP_SYMTAB=y
 CONFIG_BOARDCTL_POWEROFF=y
+CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y
+CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD="Administrator"
 CONFIG_BOARD_LOOPSPERMSEC=0
 CONFIG_BOOT_RUNFROMEXTSRAM=y
 CONFIG_BUILTIN=y
diff --git a/cmake/nuttx_add_romfs.cmake b/cmake/nuttx_add_romfs.cmake
@@ -292,6 +292,14 @@ function(process_all_directory_romfs)
           " Run 'make menuconfig' to set a password.")
     endif()
 
+    string(LENGTH "${CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD}" PASSWD_LEN)
+    if(PASSWD_LEN LESS 8)
+      message(
+        FATAL_ERROR
+          "CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD must be at least 8 characters."
+      )
+    endif()
+
     # Determine host executable suffix (.exe on Windows, empty elsewhere)
     if(CMAKE_HOST_WIN32)
       set(HOST_EXE_SUFFIX .exe)
@@ -332,6 +340,17 @@ function(process_all_directory_romfs)
       list(APPEND MKPASSWD_KEY_ARGS --key4 ${CONFIG_FSUTILS_PASSWD_KEY4})
     endif()
 
+    if("${CONFIG_FSUTILS_PASSWD_KEY1}" STREQUAL "0x12345678"
+       AND "${CONFIG_FSUTILS_PASSWD_KEY2}" STREQUAL "0x9abcdef0"
+       AND "${CONFIG_FSUTILS_PASSWD_KEY3}" STREQUAL "0x12345678"
+       AND "${CONFIG_FSUTILS_PASSWD_KEY4}" STREQUAL "0x9abcdef0")
+      set(MKPASSWD_DEFAULT_KEYS_WARNING
+          ">>>> WARNING: YOU ARE USING DEFAULT PASSWORD KEYS (CONFIG_FSUTILS_PASSWD_KEY1-4)!!! PLEASE CHANGE IT!!! <<<<"
+      )
+    else()
+      set(MKPASSWD_DEFAULT_KEYS_WARNING "")
+    endif()
+
     set(GENPASSWD_OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/etc/passwd)
     add_custom_command(
       OUTPUT ${GENPASSWD_OUTPUT}
@@ -343,7 +362,8 @@ function(process_all_directory_romfs)
         ${CONFIG_BOARD_ETC_ROMFS_PASSWD_GID} --home
         "${CONFIG_BOARD_ETC_ROMFS_PASSWD_HOME}" ${MKPASSWD_KEY_ARGS} -o
         ${GENPASSWD_OUTPUT}
-      DEPENDS ${MKPASSWD_BIN}
+      COMMAND ${CMAKE_COMMAND} -E echo "${MKPASSWD_DEFAULT_KEYS_WARNING}"
+      DEPENDS ${MKPASSWD_BIN} ${NUTTX_DIR}/.config
       COMMENT "Generating /etc/passwd from Kconfig values")
     add_custom_target(generate_passwd DEPENDS ${GENPASSWD_OUTPUT})
     add_dependencies(generate_passwd build_host_mkpasswd)
diff --git a/cmake/savedefconfig.cmake b/cmake/savedefconfig.cmake
@@ -72,9 +72,18 @@ list(SORT LINES)
 foreach(LINE IN LISTS LINES)
   decode_brackets(LINE)
   decode_semicolon(LINE)
-  file(APPEND ${OUTPUT_FILE} "${LINE}\n")
+  if(NOT "${LINE}" MATCHES "^CONFIG_FSUTILS_PASSWD_KEY[0-9]"
+     AND NOT "${LINE}" MATCHES "^CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD=")
+    file(APPEND ${OUTPUT_FILE} "${LINE}\n")
+  endif()
 endforeach()
 
+message(
+  WARNING "CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD and"
+          " CONFIG_FSUTILS_PASSWD_KEY1-4 were intentionally excluded from"
+          " defconfig by savedefconfig to avoid leaking credentials."
+          " Add them manually in local defconfig if needed.")
+
 # Converts the newline style for the output file.
 configure_file(${OUTPUT_FILE} ${OUTPUT_FILE} @ONLY NEWLINE_STYLE LF)
 
diff --git a/tools/Unix.mk b/tools/Unix.mk
@@ -759,6 +759,12 @@ savedefconfig: apps_preconfig
 	$(Q) ${KCONFIG_ENV} ${KCONFIG_SAVEDEFCONFIG}
 	$(Q) $(call kconfig_tweak_disable,defconfig.tmp,CONFIG_APPS_DIR)
 	$(Q) $(call kconfig_tweak_disable,defconfig.tmp,CONFIG_BASE_DEFCONFIG)
+	$(Q) sed -i -e '/^CONFIG_FSUTILS_PASSWD_KEY[0-9]/d' defconfig.tmp
+	$(Q) if ! (grep -q '^CONFIG_ARCH_BOARD_SIM=y' .config && \
+			grep -q '^CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y' .config && \
+			grep -q '^CONFIG_NSH_MOTD_STRING="MOTD: username=admin password=Administrator"' .config); then \
+		sed -i -e '/^CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD=/d' defconfig.tmp; \
+	fi
 	$(Q) grep "CONFIG_ARCH=" .config >> defconfig.tmp
 	$(Q) grep "^CONFIG_ARCH_CHIP_" .config >> defconfig.tmp; true
 	$(Q) grep "CONFIG_ARCH_CHIP=" .config >> defconfig.tmp; true
@@ -774,10 +780,24 @@ savedefconfig: apps_preconfig
 	$(Q) echo "# You can then do \"make savedefconfig\" to generate a new defconfig file that includes your" >> warning.tmp
 	$(Q) echo "# modifications." >> warning.tmp
 	$(Q) echo "#" >> warning.tmp
+	$(Q) echo "# NOTE: CONFIG_FSUTILS_PASSWD_KEY1-4 are intentionally excluded by" >> warning.tmp
+	$(Q) echo "# \"make savedefconfig\" to avoid leaking credentials into mainline." >> warning.tmp
+	$(Q) echo "# CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD is excluded by default," >> warning.tmp
+	$(Q) echo "# except for the sim:login example configuration." >> warning.tmp
+	$(Q) echo "# credentials into mainline. Add them manually in local defconfig if needed." >> warning.tmp
+	$(Q) echo "#" >> warning.tmp
 	$(Q) cat warning.tmp sortedconfig.tmp > defconfig
 	$(Q) rm -f warning.tmp
 	$(Q) rm -f defconfig.tmp
 	$(Q) rm -f sortedconfig.tmp
+	$(Q) if ! (grep -q '^CONFIG_ARCH_BOARD_SIM=y' .config && \
+			grep -q '^CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y' .config && \
+			grep -q '^CONFIG_NSH_MOTD_STRING="MOTD: username=admin password=Administrator"' .config); then \
+		echo "WARNING: CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD was not saved in defconfig."; \
+		echo "WARNING: This is intentional to avoid leaking credentials. Add it manually in local defconfig if needed."; \
+	fi
+	$(Q) echo "WARNING: CONFIG_FSUTILS_PASSWD_KEY1-4 were not saved in defconfig."
+	$(Q) echo "WARNING: This is intentional to avoid leaking credentials. Add them manually in local defconfig if needed."
 
 # export
 #
diff --git a/tools/mkpasswd.c b/tools/mkpasswd.c
