webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-28 11:43:25 +02:00
Code Issues Packages Projects Releases Wiki Activity
18,923 Commits 2 Branches 1 Tag
0ffba7d4f6dd4e4e3b67c9e35f10cc495d2db3d9
Commit Graph

36 Commits

Author SHA1 Message Date
Peter Müller
883e29630c Kernel: Disable support for RPC dprintk debugging 
This is solely needed for debugging of NFS issues. Due to the attack
surface it introduces, grsecurity recommends to disable it; as we do not
have a strict necessity for this feature, it is best to follow that
recommendation for security reasons.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-06-13 15:39:23 +00:00
Peter Müller
9b28e9d02b Kernel: Enable YAMA support 
See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
the upstream rationale. Enabling YAMA gives us the benefit of additional
hardening options available, without any obvious downsides.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-06-13 15:39:08 +00:00
Arne Fitzenreiter
9fa01e4276 kernel: update to 5.15.35 
in kernel 5.15.32 the driver for ATH9K wlan cards is unstable.
This is one of the most used cards so we need this update before
releasing core167 final.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2022-04-22 12:48:32 +00:00
Peter Müller
250f6efc38 kernel: Do not enforce "integrity" mode of LSM 
LSM was found to render firmware flashing unusable, and patching out LSM
functionality for all features needed (such as /dev/io, direct memory
access and probably raw PCI access for older cards), this would
effectively render much of LSM's functionality useless as well.

For the time being, we do ship LSM, but do not enforce any protection
mode. Users hence can run it in "integrity" or even "confidentiality"
mode by custom commands; hopefully, we will be able to revert this
change at a future point.

Acked-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-04-21 19:30:42 +00:00
Arne Fitzenreiter
1d563665ed kernel: run make oldconfig 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2022-04-08 00:27:47 +02:00
Peter Müller
8e1a464d12 Kernel: Enable LSM support and set security level to "integrity" 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-04-06 20:04:04 +00:00
Peter Müller
4f4422cc1c Kernel: Do not automatically load TTY line disciplines, only if necessary 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 2022-04-04 19:59:39 +00:00
Peter Müller
bf2d8cb8a0 Kernel: Disable support for tracing block I/O actions 
This is not needed on IPFire systems, and grsecurity recommends to turn
this off.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-04-04 19:59:15 +00:00
Peter Müller
26ca63592d Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits 
This follows a recommendation by ClipOS, making ASLR bypassing attempts
harder.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
 2022-04-04 19:59:08 +00:00
Arne Fitzenreiter
59ec91c171 kernel: update to 5.15.22 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2022-02-09 12:17:53 +00:00
Arne Fitzenreiter
70c57ed33e kernel: update to 5.15.21 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2022-02-06 14:09:43 +00:00
Arne Fitzenreiter
d68f875d61 kernel: enable support for compressed firmwares 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2022-01-28 14:44:03 +00:00
Arne Fitzenreiter
c18dda556b kernel: update to 5.15.16 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2022-01-21 10:06:22 +00:00
Arne Fitzenreiter
65067248d1 kernel: update to 5.15.6 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-12-02 11:34:38 +01:00
Arne Fitzenreiter
ef972dcf7a kernel: update arm config and rootfile (oldconfig) 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-11-29 09:14:33 +00:00
Arne Fitzenreiter
d4a6dc4270 kernel: update to 5.15.3 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-11-21 10:56:26 +00:00
Arne Fitzenreiter
96c83b21b3 kernel: update to 5.15.2 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-11-13 15:25:39 +00:00
Arne Fitzenreiter
db8199076d kernel: increase CMA size to 24MB 
mmc ports need this for DMA transfers.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-11-10 21:58:44 +00:00
Arne Fitzenreiter
9f3286a9c1 kernel: updated armv6 config 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-11-10 07:02:58 +00:00
Arne Fitzenreiter
832490f063 kernel: update to 5.10.76 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-10-28 00:39:07 +02:00
Michael Tremer
cbbed5bc14 kernel: Enable all cgroups on all architectures 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:04:36 +00:00
Michael Tremer
9df49966d6 kernel: Zero-init all stack variables by default 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:04:23 +00:00
Michael Tremer
b7ed5dc817 kernel: Enable support for TPM hardware 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:04:14 +00:00
Michael Tremer
9012cffdb6 kernel: Enable ExFAT on all architectures 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:01:02 +00:00
Michael Tremer
340f155649 kernel: Enable frontswap 
"Frontswap provides a “transcendent memory” interface for swap pages. In
some environments, dramatic performance savings may be obtained because
swapped pages are saved in RAM (or a RAM-like device) instead of a swap
disk."

https://www.kernel.org/doc/html/latest/vm/frontswap.html

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:00:52 +00:00
Michael Tremer
15f53912a1 kernel: Disable network security hooks 
This is a feature we do not use and it should therefore be disabled

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:00:41 +00:00
Michael Tremer
c913c9862c kernel: Disable OpenvSwitch 
We do not use this and so we should not build it to save space.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:00:31 +00:00
Michael Tremer
fef9a33846 kernel: Disable any runtime testing 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:00:21 +00:00
Michael Tremer
828d3d2525 kernel: Disable SLUB debugging 
This is not necessary on our systems and according to the documentation
will reduce code size of the allocator which will result in better
performance.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 14:00:10 +00:00
Michael Tremer
034a2402fc kernel: Enable Pressure Stall Information 
This is a new type of metric to find out what resource is currently a
bottleneck for the whole system. We might use this for graphs.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 13:59:51 +00:00
Michael Tremer
c0932f8fbe kernel: Disable suspending systems to RAM 
We do not make any use of this functionality

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 13:59:06 +00:00
Michael Tremer
0e83b0d03c kernel: Change timer tick to 1000Hz 
This change is required to make the system respond faster to any
realtime events (sending or receiving data packets).

It will wake up at least one core 1000 times a second which will result
in finer timer granularity and make scheduling smoother. HTB for
example sends large packet bursts on each timer even to keep up data
rates which is not helpful for most applications.

The change might increase resource consumption and overhead slightly on
some systems, but since we are running in an idle-dyntick configuration,
we should not keep awake any cores that have not been awake before.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-09-20 13:58:57 +00:00
Arne Fitzenreiter
52758d52c3 kernel: update to 5.10.55 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-08-01 11:50:25 +02:00
Arne Fitzenreiter
f696f419ad kernel: update to 5.10.46 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-07-05 07:42:40 +02:00
Arne Fitzenreiter
97500acdb8 kernel: update to 5.10.44 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-07-05 07:42:39 +02:00
Arne Fitzenreiter
aafdd71b04 switch arm 32 bit arch from armv5tel to armv6l 
we have no supported armv5tel board left so we can switch to the higher
arch. This now can use the vpu (still in softfp calling convention to
not break existing installations.)
this fix many compile problems, also boost is now working again.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2021-07-05 07:42:39 +02:00