bpfire

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-28 19:53:24 +02:00

Author	SHA1	Message	Date
Vincent Li	0e2047f080	linux: enable bootparam hardlockup/softlockup Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2025-02-23 04:36:14 +00:00
Vincent Li	1bfeb4b322	lfs/linux: enable CONFIG_FPROBE for multi kprobe pwru is an utility to trouble shoot network issue, and to speed up pwru kprobe attachement, kernel needs to have CONFIG_FPROBE. running pwru also result in: Opening kprobe-multi: invalid argument \ (missing kernel symbol or prog's AttachType not AttachTraceKprobeMulti?) need following to avoid above invalid argument echo -1 > /proc/sys/kernel/perf_event_paranoid echo 0 > /proc/sys/kernel/kptr_restrict see https://github.com/cilium/pwru/issues/460 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-12-03 02:44:14 +00:00
Vincent Li	20c65fa4ec	kernel: enable signature force config Kernel module signature force is disabled for lunatik kernel module build, enable it for now. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-11-06 20:28:40 +00:00
Vincent Li	1f42b720d0	kernel: upgrade to 6.10.11 upgrade kernel to recent stable release 6.10.11 1, scripts/kconfig/merge_config.sh does not work for 6.10.11 2, vmlinux BTF binary name changed in 6.10.11 3, remove rtl8812au for now since it has compiling error 4, remove 5.15 nfqueue patch since it does not apply cleanly also see [0] [0]: https://github.com/vincentmli/BPFire/issues/41 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-09-21 02:39:49 +00:00
Vincent Li	d544247a53	linux: change kernel NR_CPUS to 512 loxilb MAX_CPUS for cpu_map set to 128, BPFire original NR_CPUS 64 result in error: libbpf: map 'cpu_map': failed to create: Argument list too long see https://github.com/loxilb-io/loxilb/issues/661 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-05-03 16:56:06 +00:00
Vincent Li	d9a8ed29e8	Revert "Enable kernel BPF/BTF" We need to disable BPF trace capability and disallow unprivileged BPF so This reverts commit `d0bd3cc033`. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-04-08 19:32:11 +00:00
Vincent Li	d0bd3cc033	Enable kernel BPF/BTF enable kernel BPF/BTF build for ebpf/XDP program packet filtering see hack in [1] [1] https://community.ipfire.org/t/how-to-customize-config-kernel-kernel-config-x86-64-ipfire/11100/7 Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>	2024-03-01 04:08:01 +00:00
Arne Fitzenreiter	8c43d1481a	kernel: update to 6.6.15 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-02-02 07:52:09 +00:00
Arne Fitzenreiter	0722f42ed2	kernel: update to 6.6.13 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-21 19:10:22 +01:00
Peter Müller	bca096b453	linux: Forbid legacy TIOCSTI usage To quote from the kernel documentation: > Historically the kernel has allowed TIOCSTI, which will push > characters into a controlling TTY. This continues to be used > as a malicious privilege escalation mechanism, and provides no > meaningful real-world utility any more. Its use is considered > a dangerous legacy operation, and can be disabled on most > systems. > > Say Y here only if you have confirmed that your system's > userspace depends on this functionality to continue operating > normally. > > Processes which run with CAP_SYS_ADMIN, such as BRLTTY, can > use TIOCSTI even when this is set to N. > > This functionality can be changed at runtime with the > dev.tty.legacy_tiocsti sysctl. This configuration option sets > the default value of the sysctl. This patch therefore proposes to no longer allow legacy TIOCSTI usage in IPFire, given its security implications and the apparent lack of legitimate usage. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2024-01-16 15:46:37 +00:00
Arne Fitzenreiter	a93525c0ca	kernel: update to 6.6.12 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-16 12:41:08 +01:00
Arne Fitzenreiter	19e66d7e2b	kernel: update to 6.6.11 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-11 10:30:13 +01:00
Arne Fitzenreiter	d303f7c154	kernel: update to 6.6.10 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-07 16:08:31 +01:00
Arne Fitzenreiter	3920ba127f	kernel: update to 6.6.9 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-02 09:54:10 +01:00
Arne Fitzenreiter	bf92e55968	kernel: update to 6.6.8 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-12-21 13:50:59 +01:00
Arne Fitzenreiter	0108697131	kernel: update to 6.6.6 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-12-12 21:12:37 +01:00
Arne Fitzenreiter	5109f8ee7f	kernel: update to 6.6.5 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-12-08 16:12:17 +01:00
Arne Fitzenreiter	a7c9eca495	kernel: update to 6.6.4 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-12-05 17:17:40 +00:00
Arne Fitzenreiter	941190cb3a	kernel: update to 6.6.3 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2023-12-05 17:17:35 +00:00
Arne Fitzenreiter	95f9d9350d	kernel: update to 6.6.2 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-12-05 17:15:48 +00:00
Arne Fitzenreiter	8a37e7f0e3	kernel: update to 6.1.61 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-11-03 14:27:58 +00:00
Arne Fitzenreiter	cfe911bab5	kernel: update to 6.1.60 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-27 08:43:35 +00:00
Arne Fitzenreiter	cce398bca5	kernel: update to 6.1.59 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-25 11:01:30 +00:00
Arne Fitzenreiter	2b834ef42a	kernel: update to 6.1.58 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-25 11:01:30 +00:00
Peter Müller	447d0bf51e	linux: Disable io_uring This subsystem has been a frequent source of security vulnerabilities affecting the Linux kernel; as a result, Google announced on June 14, 2023, that they would disable it in their environment as widely as possible. IPFire does not depend on the availability of io_uring. Therefore, disable this subsystem as well in order to preemptively cut attack surface. See also: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-20 08:44:26 +00:00
Arne Fitzenreiter	554e339b9e	kernel: update to 6.1.57 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-13 08:13:12 +00:00
Arne Fitzenreiter	e275a07b67	kernel: update to 6.1.56 this also builds the dtb files on riscv64 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-09 08:13:02 +00:00
Arne Fitzenreiter	e5ad33d9ee	kernel: update 6.1.53 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-09-28 09:29:29 +00:00
Arne Fitzenreiter	14bd32221e	kernel: update to 6.1.52 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-09-28 09:29:23 +00:00
Arne Fitzenreiter	162a068448	kernel: update to 6.1.45 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-08-11 23:25:37 +02:00
Arne Fitzenreiter	6084fa89bf	kernel: update to 6.1.42 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-28 16:34:59 +00:00
Arne Fitzenreiter	50c07b4938	kernel: update to 6.1.41 fix for CVE-2023-20593 (Zenbleed) Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-26 16:01:20 +00:00
Arne Fitzenreiter	719864d37e	kernel: update to 6.1.40 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-25 10:39:22 +00:00
Arne Fitzenreiter	f2d5cb7c99	kernel: update to 6.1.39 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-21 09:34:12 +00:00
Peter Müller	e08399ddd3	linux: Trigger a BUG() when corruption of kernel data structures is detected Given that this will merely log such an incident, this can be safely enabled. Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2023-07-13 14:20:48 +00:00
Peter Müller	c084d8f970	linux: Enable Indirect Branch Tracking by default This became upstream default (see https://www.phoronix.com/news/Linux-IBT-By-Default-Tip for IT news media coverage), and given its security-relevance, we should adopt this setting as well. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-13 14:20:32 +00:00
Arne Fitzenreiter	f7447b1b8e	kernel: update to 6.1.38 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-13 14:20:18 +00:00
Arne Fitzenreiter	1a44c7a638	kernel: update to 6.1.37 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-09 14:57:38 +00:00
Arne Fitzenreiter	25aa552258	kernel: update to 6.1.30 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-05-30 09:21:34 +00:00
Arne Fitzenreiter	c6c78f8e11	kernel: update to 6.1.29 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-05-19 12:05:52 +00:00
Arne Fitzenreiter	6a005bd9aa	kernel: update to 6.1.28 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-05-16 18:53:01 +00:00
Peter Müller	e155e2f999	linux: Compile "Intel XHCI USB Role Switch" as a module on x86_64 From the kernel documentation: > Driver for the internal USB role switch for switching the USB data > lines between the xHCI host controller and the dwc3 gadget controller > found on various Intel SoCs. [...] This may unblock USB-LAN-adaptor usage on certain boards, as reported once in #12750. Overall affected devices seem to be scanty; nevertheless, enabling this as a module only is highly unlikely to cause any harm, so let's give it a try. Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2023-05-11 20:04:33 +00:00
Arne Fitzenreiter	6a0c5ef65a	kernel: update to 6.1.27 the layer7 patch is rebased to apply without fuzzing. Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-05-03 05:07:17 +00:00
Peter Müller	6aa0837d24	linux: Update to 6.1.24 Compiling the kernel has automatically introduced CONFIG_INIT_STACK_ALL_ZERO=y and removed GCC's structleak plugin (not to be confused with its stackleak counterpart). However, according to related documentation, this neither introduces a security nor performance disadvantage. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2023-04-19 09:33:38 +00:00
Peter Müller	1296cdc40b	linux: Align kernel configurations after merging 6.1 branch Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2023-01-18 23:09:22 +00:00
Arne Fitzenreiter	3e066f550b	kernel: update rootfiles and config Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-01-15 09:19:25 +00:00
Arne Fitzenreiter	6535255270	kernel: update to 6.1.3 the kernel-6.1.x series should be the next lts series...	2023-01-08 10:08:33 +00:00
Peter Müller	f46f939827	linux: Update configuration files and x86_64 rootfile Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2023-01-04 21:26:43 +00:00
Peter Müller	6647dd5c5c	linux: Disable the latent entropy plugin It does not generate cryptographically secure entropy. Backported from IPFire 3.x as 6aea180b26906f001611dcc0c54f494818069d8c. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>	2023-01-03 16:11:56 +00:00
Peter Müller	00efe232b7	linux: Disable syscalls that allows processes to r/w other processes' memory Backported from IPFire 3.x as 48931178ff83911c5bbc86194dea694845ae1608. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>	2023-01-03 16:11:20 +00:00

1 2 3 4 5

212 Commits