webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-27 11:13:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-switch-to-libloc

Browse Source
This commit is contained in:
Stefan Schantl
2020-06-10 18:01:14 +02:00
parent d2b364f032 92e828b3b0
commit 304abbae22
65 changed files with 438 additions and 30326 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/initscripts/system/firstsetup
View File

@@ -27,14 +27,5 @@ if [ "${?}" == "1" ]; then
reboot -f
fi
# plan install pae kernel at next pakfire update if pae is supported
if [ ! "$(grep "^flags.* pae " /proc/cpuinfo)" == "" ]; then
if [ ! -e /opt/pakfire/db/installed/meta-linux-pae ]; then
echo "Name: linux-pae" > /opt/pakfire/db/installed/meta-linux-pae
echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-pae
echo "Release: 0" >> /opt/pakfire/db/installed/meta-linux-pae
fi
fi
/etc/init.d/sysklogd stop
touch /var/ipfire/main/firstsetup_ok

89
src/paks/linux-pae/install.sh
View File

@@ -1,89 +0,0 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2007-2016 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
function find_partition() {
local mountpoint="${1}"
local root
local dev mp fs flags rest
while read -r dev mp fs flags rest; do
# Skip unwanted entries
[ "${dev}" = "rootfs" ] && continue
if [ "${mp}" = "${mountpoint}" ] && [ -b "${dev}" ]; then
root="$(basename "${dev}")"
break
fi
done < /proc/mounts
echo ${root}
return 0
}
if [ "$(grep "^flags.* pae " /proc/cpuinfo)" == "" ]; then
rm -f /opt/pakfire/db/installed/meta-linux-pae
/usr/bin/logger -p syslog.emerg -i pakfire \
"linux-pae: no pae support found, aborted!"
exit 1
fi
extract_files
#
KVER=xxxKVERxxx
ROOT=`find_partition /`
#
# Create new module depency
#
depmod -a $KVER-ipfire-pae
#
# Made initramdisk
#
/usr/bin/dracut --force --early-microcode --xz /boot/initramfs-$KVER-ipfire-pae.img $KVER-ipfire-pae
if [ -e /boot/grub/grub.cfg ]; then
#
# Update grub2 config
#
grub-mkconfig > /boot/grub/grub.cfg
fi
if [ -e /boot/grub/grub.conf ]; then
#
# xen pv with pygrub need grub.conf / menu.lst
#
echo "timeout 10" > /boot/grub/grub.conf
echo "default 0" >> /boot/grub/grub.conf
echo "title IPFire (pae-kernel)" >> /boot/grub/grub.conf
echo " root (hd0)" >> /boot/grub/grub.conf
echo " kernel /vmlinuz-$KVER-ipfire-pae root=/dev/$ROOT rootdelay=10 panic=10 console=hvc0" \
>> /boot/grub/grub.conf
echo " initrd /initramfs-$KVER-ipfire-pae.img" >> /boot/grub/grub.conf
echo "# savedefault 0" >> /boot/grub/grub.conf
ln -s grub.conf $MNThdd/boot/grub/menu.lst
fi
# request a reboot
touch /var/run/need_reboot
sync && sync

34
src/paks/linux-pae/uninstall.sh
View File

@@ -1,34 +0,0 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2007-2014 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
if [ -f /boot/grub/grub.conf ]; then
echo "Error! Connot remove linux-pae because we are on XEN."
exit 1
fi
remove_files
rm -rf /boot/initramfs-*-pae.img
rm -rf /boot/vmlinuz-*-pae
rm -rf /lib/modules/*-ipfire-pae
grub-mkconfig > /boot/grub/grub.cfg
sync && sync

32
src/paks/linux-pae/update.sh
View File

@@ -1,32 +0,0 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2007-2014 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
remove_files
rm -rf /boot/initramfs-*-pae.img
rm -rf /boot/vmlinuz-*-pae
rm -rf /lib/modules/*-ipfire-pae
if [ ! -f /boot/grub/grub.conf ]; then
grub-mkconfig > /boot/grub/grub.cfg
fi
./install.sh

18
src/patches/linux/linux-4.14.x-add_timer_setup_on_stack.patch Normal file
View File

@@ -0,0 +1,18 @@
diff -Naur linux-4.14.173.org/include/linux/timer.h linux-4.14.173/include/linux/timer.h
--- linux-4.14.173.org/include/linux/timer.h 2020-03-11 18:03:09.000000000 +0100
+++ linux-4.14.173/include/linux/timer.h 2020-04-30 19:30:13.956596003 +0200
@@ -180,6 +180,14 @@
(TIMER_DATA_TYPE)timer, flags);
}
+static inline void timer_setup_on_stack(struct timer_list *timer,
+ void (*callback)(struct timer_list *),
+ unsigned int flags)
+{
+ __setup_timer_on_stack(timer, (TIMER_FUNC_TYPE)callback,
+ (TIMER_DATA_TYPE)timer, flags);
+}
+
#define from_timer(var, callback_timer, timer_fieldname) \
container_of(callback_timer, typeof(*var), timer_fieldname)

146
src/patches/linux/linux-random_try_to_actively_add_entropy.patch Normal file
View File

@@ -0,0 +1,146 @@
From 50ee7529ec4500c88f8664560770a7a1b65db72b Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sat, 28 Sep 2019 16:53:52 -0700
Subject: random: try to actively add entropy rather than passively wait for it
For 5.3 we had to revert a nice ext4 IO pattern improvement, because it
caused a bootup regression due to lack of entropy at bootup together
with arguably broken user space that was asking for secure random
numbers when it really didn't need to.
See commit 72dbcf721566 (Revert "ext4: make __ext4_get_inode_loc plug").
This aims to solve the issue by actively generating entropy noise using
the CPU cycle counter when waiting for the random number generator to
initialize. This only works when you have a high-frequency time stamp
counter available, but that's the case on all modern x86 CPU's, and on
most other modern CPU's too.
What we do is to generate jitter entropy from the CPU cycle counter
under a somewhat complex load: calling the scheduler while also
guaranteeing a certain amount of timing noise by also triggering a
timer.
I'm sure we can tweak this, and that people will want to look at other
alternatives, but there's been a number of papers written on jitter
entropy, and this should really be fairly conservative by crediting one
bit of entropy for every timer-induced jump in the cycle counter. Not
because the timer itself would be all that unpredictable, but because
the interaction between the timer and the loop is going to be.
Even if (and perhaps particularly if) the timer actually happens on
another CPU, the cacheline interaction between the loop that reads the
cycle counter and the timer itself firing is going to add perturbations
to the cycle counter values that get mixed into the entropy pool.
As Thomas pointed out, with a modern out-of-order CPU, even quite simple
loops show a fair amount of hard-to-predict timing variability even in
the absense of external interrupts. But this tries to take that further
by actually having a fairly complex interaction.
This is not going to solve the entropy issue for architectures that have
no CPU cycle counter, but it's not clear how (and if) that is solvable,
and the hardware in question is largely starting to be irrelevant. And
by doing this we can at least avoid some of the even more contentious
approaches (like making the entropy waiting time out in order to avoid
the possibly unbounded waiting).
Cc: Ahmed Darwish <darwish.07@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Theodore Ts'o <tytso@mit.edu>
Cc: Nicholas Mc Guire <hofrat@opentech.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Alexander E. Patrakov <patrakov@gmail.com>
Cc: Lennart Poettering <mzxreary@0pointer.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
drivers/char/random.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 61 insertions(+), 1 deletion(-)
(limited to 'drivers/char/random.c')
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 5d5ea4ce1442..2fda6166c1dd 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1731,6 +1731,56 @@ void get_random_bytes(void *buf, int nbytes)
}
EXPORT_SYMBOL(get_random_bytes);
+
+/*
+ * Each time the timer fires, we expect that we got an unpredictable
+ * jump in the cycle counter. Even if the timer is running on another
+ * CPU, the timer activity will be touching the stack of the CPU that is
+ * generating entropy..
+ *
+ * Note that we don't re-arm the timer in the timer itself - we are
+ * happy to be scheduled away, since that just makes the load more
+ * complex, but we do not want the timer to keep ticking unless the
+ * entropy loop is running.
+ *
+ * So the re-arming always happens in the entropy loop itself.
+ */
+static void entropy_timer(struct timer_list *t)
+{
+ credit_entropy_bits(&input_pool, 1);
+}
+
+/*
+ * If we have an actual cycle counter, see if we can
+ * generate enough entropy with timing noise
+ */
+static void try_to_generate_entropy(void)
+{
+ struct {
+ unsigned long now;
+ struct timer_list timer;
+ } stack;
+
+ stack.now = random_get_entropy();
+
+ /* Slow counter - or none. Don't even bother */
+ if (stack.now == random_get_entropy())
+ return;
+
+ timer_setup_on_stack(&stack.timer, entropy_timer, 0);
+ while (!crng_ready()) {
+ if (!timer_pending(&stack.timer))
+ mod_timer(&stack.timer, jiffies+1);
+ mix_pool_bytes(&input_pool, &stack.now, sizeof(stack.now));
+ schedule();
+ stack.now = random_get_entropy();
+ }
+
+ del_timer_sync(&stack.timer);
+ destroy_timer_on_stack(&stack.timer);
+ mix_pool_bytes(&input_pool, &stack.now, sizeof(stack.now));
+}
+
/*
* Wait for the urandom pool to be seeded and thus guaranteed to supply
* cryptographically secure random numbers. This applies to: the /dev/urandom
@@ -1745,7 +1795,17 @@ int wait_for_random_bytes(void)
{
if (likely(crng_ready()))
return 0;
- return wait_event_interruptible(crng_init_wait, crng_ready());
+
+ do {
+ int ret;
+ ret = wait_event_interruptible_timeout(crng_init_wait, crng_ready(), HZ);
+ if (ret)
+ return ret > 0 ? 0 : ret;
+
+ try_to_generate_entropy();
+ } while (!crng_ready());
+
+ return 0;
}
EXPORT_SYMBOL(wait_for_random_bytes);
--
cgit 1.2-0.3.lf.el7