webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
21,722 Commits 2 Branches 1 Tag
main
Commit Graph

587 Commits

Author SHA1 Message Date
Vincent Li
8d0051d8f6 kernel: add kernel config for kdump 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-08-22 16:01:57 +00:00
Vincent Li
25421aed06 logo: add missing bpfire logo 
commit f89feeb19 "kernel: use BPFire logo in kernel" replaced
ipfire logo with bpfire logo, but forgot to add the bpfire logo
file and remove the ipfire logo file

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-05-10 03:38:17 +00:00
Vincent Li
0e2047f080 linux: enable bootparam hardlockup/softlockup 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2025-02-23 04:36:14 +00:00
Vincent Li
1bfeb4b322 lfs/linux: enable CONFIG_FPROBE for multi kprobe 
pwru is an utility to trouble shoot network issue,
and to speed up pwru kprobe attachement, kernel needs
to have CONFIG_FPROBE.

running pwru also result in:

Opening kprobe-multi: invalid argument \
(missing kernel symbol or prog's AttachType not AttachTraceKprobeMulti?)

need following to avoid above invalid argument

    echo -1 > /proc/sys/kernel/perf_event_paranoid
    echo 0 > /proc/sys/kernel/kptr_restrict

see https://github.com/cilium/pwru/issues/460

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-12-03 02:44:14 +00:00
Vincent Li
20c65fa4ec kernel: enable signature force config 
Kernel module signature force is disabled
for lunatik kernel module build, enable it
for now.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-11-06 20:28:40 +00:00
Vincent Li
89baa34b8d Revert "grub: replace ipfire logo with bpfire logo" 
This reverts commit bb773a05d5.

drivers/video/logo/logo_linux_clut224.ppm: Binary PNM is not supported
Use pnmnoraw(1) to convert it to ASCII PNM
make[6]: *** [drivers/video/logo/Makefile:31: drivers/video/logo/logo_linux_clut224.c] Error 1
make[5]: *** [scripts/Makefile.build:485: drivers/video/logo] Error 2
make[4]: *** [scripts/Makefile.build:485: drivers/video] Error 2

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-09-21 02:41:51 +00:00
Vincent Li
1f42b720d0 kernel: upgrade to 6.10.11 
upgrade kernel to recent stable release 6.10.11

1, scripts/kconfig/merge_config.sh does not work for 6.10.11
2, vmlinux BTF binary name changed in 6.10.11
3, remove rtl8812au for now since it has compiling error
4, remove 5.15 nfqueue patch since it does not apply cleanly

also see [0]

[0]: https://github.com/vincentmli/BPFire/issues/41

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-09-21 02:39:49 +00:00
Vincent Li
bb773a05d5 grub: replace ipfire logo with bpfire logo 
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-09-20 21:31:43 +00:00
Vincent Li
7586e5e517 kernel: disable BTF mismatch 
BTF mismatch is not an issue since
we addressed lunatik kernel module
BTF mismatch issue using the same
chroot binary vmlinux BTF.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-09-18 22:27:39 +00:00
Vincent Li
133baf8fc0 lunatik : kernel config change 
kernel requires module to be signed, disable force
signing for now.

insmod: ERROR: could not insert module /lib/modules/6.6.15-ipfire/lunatik/lunatik.ko: Key was rejected by service

set CONFIG_MODULE_SIG_FORCE=n

failed to validate module [lunatik] BTF: -22

set CONFIG_MODULE_ALLOW_BTF_MISMATCH=y

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-09-15 18:41:35 +00:00
Vincent Li
acc96d0726 kernel: enable CONFIG_DEBUG_FS 
allow syscall tracing with eBPF like
bcc libbpf-tools opensnoop to trouble
shoot open syscall for UI user nobody
unable to run loxicmd save -a -c /var/ipfire/loxilib/

see https://github.com/vincentmli/BPFire/issues/30

mount -t debugfs none /sys/kernel/debug/

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-07-13 02:14:51 +00:00
Vincent Li
49df562431 ebpf: Enable kernel BPF_EVENTS 
loxilb or other ebpf program could use
bpf_printk for debugging, bpf_printk requires
BPF_EVENTS to be enabled, see [0]

[0] https://github.com/loxilb-io/loxilb/issues/666#issuecomment-2097850413

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-05-08 03:26:51 +00:00
Vincent Li
d544247a53 linux: change kernel NR_CPUS to 512 
loxilb MAX_CPUS for cpu_map set to 128, BPFire
original NR_CPUS 64 result in error:

libbpf: map 'cpu_map': failed to create: Argument list too long

see https://github.com/loxilb-io/loxilb/issues/661

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-05-03 16:56:06 +00:00
Vincent Li
d7544e6192 Enable kernel BPF without tracing capability 
enable kernel BPF XDP/TC capability, no tracing

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-04-09 01:50:14 +00:00
Vincent Li
d9a8ed29e8 Revert "Enable kernel BPF/BTF" 
We need to disable BPF trace capability and disallow
unprivileged BPF so

This reverts commit d0bd3cc033.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-04-08 19:32:11 +00:00
Vincent Li
d0bd3cc033 Enable kernel BPF/BTF 
enable kernel BPF/BTF build for ebpf/XDP
program packet filtering

see hack in [1]

[1] https://community.ipfire.org/t/how-to-customize-config-kernel-kernel-config-x86-64-ipfire/11100/7

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
 2024-03-01 04:08:01 +00:00
Arne Fitzenreiter
8c43d1481a kernel: update to 6.6.15 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2024-02-02 07:52:09 +00:00
Arne Fitzenreiter
0722f42ed2 kernel: update to 6.6.13 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2024-01-21 19:10:22 +01:00
Peter Müller
bca096b453 linux: Forbid legacy TIOCSTI usage 
To quote from the kernel documentation:

> Historically the kernel has allowed TIOCSTI, which will push
> characters into a controlling TTY. This continues to be used
> as a malicious privilege escalation mechanism, and provides no
> meaningful real-world utility any more. Its use is considered
> a dangerous legacy operation, and can be disabled on most
> systems.
>
> Say Y here only if you have confirmed that your system's
> userspace depends on this functionality to continue operating
> normally.
>
> Processes which run with CAP_SYS_ADMIN, such as BRLTTY, can
> use TIOCSTI even when this is set to N.
>
> This functionality can be changed at runtime with the
> dev.tty.legacy_tiocsti sysctl. This configuration option sets
> the default value of the sysctl.

This patch therefore proposes to no longer allow legacy TIOCSTI usage
in IPFire, given its security implications and the apparent lack of
legitimate usage.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2024-01-16 15:46:37 +00:00
Arne Fitzenreiter
a93525c0ca kernel: update to 6.6.12 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2024-01-16 12:41:08 +01:00
Arne Fitzenreiter
19e66d7e2b kernel: update to 6.6.11 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2024-01-11 10:30:13 +01:00
Arne Fitzenreiter
a2af8c7186 kernel: aarch64: enable CONFIG_SHADOW_CALL_STACK 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2024-01-10 06:26:25 +00:00
Arne Fitzenreiter
d303f7c154 kernel: update to 6.6.10 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2024-01-07 16:08:31 +01:00
Arne Fitzenreiter
3920ba127f kernel: update to 6.6.9 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2024-01-02 09:54:10 +01:00
Arne Fitzenreiter
bf92e55968 kernel: update to 6.6.8 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-21 13:50:59 +01:00
Arne Fitzenreiter
0108697131 kernel: update to 6.6.6 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-12 21:12:37 +01:00
Arne Fitzenreiter
5109f8ee7f kernel: update to 6.6.5 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-08 16:12:17 +01:00
Arne Fitzenreiter
a7c9eca495 kernel: update to 6.6.4 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-05 17:17:40 +00:00
Arne Fitzenreiter
941190cb3a kernel: update to 6.6.3 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-12-05 17:17:35 +00:00
Arne Fitzenreiter
95f9d9350d kernel: update to 6.6.2 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-12-05 17:15:48 +00:00
Arne Fitzenreiter
8a37e7f0e3 kernel: update to 6.1.61 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-11-03 14:27:58 +00:00
Arne Fitzenreiter
cfe911bab5 kernel: update to 6.1.60 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-27 08:43:35 +00:00
Arne Fitzenreiter
cce398bca5 kernel: update to 6.1.59 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-25 11:01:30 +00:00
Arne Fitzenreiter
2b834ef42a kernel: update to 6.1.58 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-25 11:01:30 +00:00
Peter Müller
7f8b75f8ba linux: Set default IOMMU handling to "strict" on 64-bit ARM 
This has been our default setting on x86_64 for quite some time now,
which is why this patch aligns the aarch64 kernel configuration to that
value.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-20 08:44:26 +00:00
Peter Müller
447d0bf51e linux: Disable io_uring 
This subsystem has been a frequent source of security vulnerabilities
affecting the Linux kernel; as a result, Google announced on June 14,
2023, that they would disable it in their environment as widely as
possible.

IPFire does not depend on the availability of io_uring. Therefore,
disable this subsystem as well in order to preemptively cut attack
surface.

See also: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-20 08:44:26 +00:00
Arne Fitzenreiter
554e339b9e kernel: update to 6.1.57 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-13 08:13:12 +00:00
Arne Fitzenreiter
e275a07b67 kernel: update to 6.1.56 
this also builds the dtb files on riscv64

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-10-09 08:13:02 +00:00
Arne Fitzenreiter
e5ad33d9ee kernel: update 6.1.53 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-09-28 09:29:29 +00:00
Arne Fitzenreiter
14bd32221e kernel: update to 6.1.52 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-09-28 09:29:23 +00:00
Arne Fitzenreiter
cd78363404 Merge remote-tracking branch 'origin/master' into next 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-08-12 16:48:54 +02:00
Arne Fitzenreiter
162a068448 kernel: update to 6.1.45 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2023-08-11 23:25:37 +02:00
Arne Fitzenreiter
57ae9ba587 kernel: update config for riscv64 
i had disabled CONFIG_GCC_PLUGIN_LATENT_ENTROPY because this
fails to compile on riscv64.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-08-10 06:35:11 +00:00
Arne Fitzenreiter
6084fa89bf kernel: update to 6.1.42 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-28 16:34:59 +00:00
Arne Fitzenreiter
50c07b4938 kernel: update to 6.1.41 
fix for CVE-2023-20593 (Zenbleed)

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-26 16:01:20 +00:00
Arne Fitzenreiter
719864d37e kernel: update to 6.1.40 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-25 10:39:22 +00:00
Arne Fitzenreiter
f2d5cb7c99 kernel: update to 6.1.39 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-21 09:34:12 +00:00
Peter Müller
e08399ddd3 linux: Trigger a BUG() when corruption of kernel data structures is detected 
Given that this will merely log such an incident, this can be safely
enabled.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2023-07-13 14:20:48 +00:00
Peter Müller
c084d8f970 linux: Enable Indirect Branch Tracking by default 
This became upstream default (see
https://www.phoronix.com/news/Linux-IBT-By-Default-Tip for IT news media
coverage), and given its security-relevance, we should adopt this
setting as well.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-13 14:20:32 +00:00
Arne Fitzenreiter
f7447b1b8e kernel: update to 6.1.38 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2023-07-13 14:20:18 +00:00